Friday, June 30, 2023

The Health Informatics Service Deploys LogRhythm Axon to Secure Healthcare Innovation in the UK

London, UK, 29 June 2023 — LogRhythm, the company helping security teams stop breaches by turning disconnected data and signals into trustworthy insights, has partnered with The Health Informatics Service (THIS), an innovative, collaborative NHS organization providing digital and IT services, to transform healthcare security in the UK with LogRhythm Axon. The partnership enables THIS to serve one of its key customers within the Bradford District and Craven Place with a 100% cloud-native security operations platform.

THIS gains a flexible security solution that minimizes expenses and provides a simple platform design for security teams to identify threats. Axon’s increasing adoption in Europe is strengthening enterprises’ hybrid IT security postures within the region and enhancing the analyst experience with complete visibility into network threats.

“The threat landscape in Europe is currently experiencing rapid growth, with more organizations featuring in headlines after falling victim to sophisticated attacks. Amongst these organizations, the healthcare industry is one of the biggest targets for threat actors due to the highly confidential patient data it is responsible for,” said Kev Eley, VP Sales UK and Europe at LogRhythm. “By deploying LogRhythm Axon, THIS gains a user-friendly security solution. This is just the beginning of Axon’s presence in Europe. We look forward to helping organizations overcome mounting security pressures with powerful security analytics.”

THIS offers a wide range of services to more than 100 organizations and 22,000 end users. Its proven, professional services are available to health, social care, social enterprise and third sector organizations throughout the UK. It chose Axon for its streamlined, user-friendly interface and affordable pricing model.

“We were looking for a cost-efficient security solution to support Bradford District & Craven without operational complexities. With this in mind, we selected Axon for its affordability and ease-of-use,” said Peter Howson, Commercial Director at THIS. “LogRhythm Axon takes care of threat hunting so we can focus on what matters most – providing a consistent and reliable experience to our customers it's deployed to.”

Built from the ground up, Axon’s intuitive interface gives analysts contextual analytics into cybersecurity threats to reduce noise and quickly secure their environments. Axon reduces the burden of managing threats and operating infrastructure, providing overwhelmed security teams with a seamless security experience.

 

About THIS

Founded in 2006, The Health Informatics Service is a well-established, innovative and award-winning digital healthcare and IT specialist. We work with public, private and charitable health and care organizations across the UK and are hosted by Calderdale and Huddersfield NHS Foundation Trust.

We have over 200 expert staff leading and helping the digital transformation of primary, secondary and third sector care. Being linked to the NHS, our deep knowledge of public healthcare systems and values are unrivalled.

https://www.this.nhs.uk/home

The post The Health Informatics Service Deploys LogRhythm Axon to Secure Healthcare Innovation in the UK appeared first on LogRhythm.



from LogRhythm https://bit.ly/431ceMt
via IFTTT

Iranian Hackers Charming Kitten Utilize POWERSTAR Backdoor in Targeted Espionage Attacks

Jun 30, 2023 | The Hacker News | Cyber Espionage / Malware

Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR.

"There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence," Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week.

The threat actor is something of an expert when it comes to employing social engineering to lure targets, often crafting tailored fake personas on social media platforms and engaging in sustained conversations to build rapport before sending a malicious link. It's also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.

Recent intrusions orchestrated by Charming Kitten have made use of other implants such as PowerLess and BellaCiao, suggesting that the group is utilizing an array of espionage tools at its disposal to realize its strategic objectives.

POWERSTAR is another addition to the group's arsenal. Also called CharmPower, the backdoor was first publicly documented by Check Point in January 2022, uncovering its use in connection with attacks weaponizing the Log4Shell vulnerabilities in publicly-exposed Java applications.

It has since been put to use in at least two other campaigns, as documented by PwC in July 2022 and Microsoft in April 2023.

Volexity, which detected a rudimentary variant of POWERSTAR in 2021 distributed by a malicious macro embedded in a DOCM file, said the May 2023 attack wave leverages an LNK file inside a password-protected RAR file to download the backdoor from Backblaze, while also taking steps to hinder analysis.

"With POWERSTAR, Charming Kitten sought to limit the risk of exposing their malware to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk," the researchers said.

"This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control (C2) server prevents future successful decryption of the corresponding POWERSTAR payload."

The backdoor comes with an extensive set of features that enable it to remotely execute PowerShell and C# commands, set up persistence, collect system information, and download and execute more modules to enumerate running processes, capture screenshots, search for files matching specific extensions, and monitor if persistence components are still intact.

Also improved and expanded from the earlier version is the cleanup module that's designed to erase all traces of the malware's footprint as well as delete persistence-related registry keys. These updates point to Charming Kitten's continued efforts to refine its techniques and evade detection.

Volexity said it also detected a different variant of POWERSTAR that attempts to retrieve a hard-coded C2 server by decoding a file stored on the decentralized InterPlanetary Filesystem (IPFS), signaling an attempt to make its attack infrastructure more resilient.

The development coincides with MuddyWater's (aka Static Kitten) use of a previously undocumented command-and-control (C2) framework called PhonyC2 to deliver malicious payloads to compromised hosts.

"The general phishing playbook used by Charming Kitten and the overall purpose of POWERSTAR remain consistent," the researchers said. "The references to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module strongly suggest a broader set of tools used by Charming Kitten to conduct malware-enabled espionage."




from The Hacker News https://bit.ly/46ofHHP
via IFTTT

Xen Orchestra 5.84

Hey there! ☀️ Check out the latest Xen Orchestra release. We've got some cool stuff like automatic XOA backups, a few neat tweaks to the REST API, and some solid progress on Project Pyrgos and XO Lite. We think you're gonna like what you see!

Ah, and also, while you are here, we are proud to introduce you to our new partner program; just take a look here:

Empowering Partnerships: An Inside Look at Vates’ New Partner Program (Vates Blog, Marc-André Pezin)
We are rolling out our new Partner Program, aimed at strengthening collaborations and accelerating growth. Built on insights from our partners and users, this program features a tiered system where you can earn points through actions, revenue, and certifications.

As usual, we've encapsulated the highlights of this fresh release in a video tour:

as well as in podcast format:

Episode #5 - Xen Orchestra 5.84 - XOA Config Cloud Backup, REST API and more... by Inside the Virtual Machine (Spotify for Podcasters)
Explore the new features in Xen Orchestra 5.84, including XOA Config Cloud Backup, REST API, Project Pyrgos, XO Lite and much more…

☁️ XOA Config Cloud Backup

In this release, we're excited to introduce our inaugural version of a new feature that promises significant enhancements in the future: automatic XOA configuration backups to your Vates/xen-orchestra.com account! In essence, this ensures that even if your XOA is lost - whether due to removal, destruction, or any other cause - you can effortlessly restore its configuration.

This includes all user information, backup jobs, connected hosts, and more, without requiring any additional input. This convenience and resilience extend even if you don't have any metadata backups within your infrastructure.

To activate the XO configuration backup, simply navigate to your XOA view from the left-hand menu and enable the "Automated backup XO configuration":

🔒 Obviously, before your XOA configuration is transmitted to our servers, it's subjected to robust encryption within your XOA. The data we store on our end remains entirely indecipherable without a decryption key that solely you possess locally. The decryption process occurs only when restoring your configuration on a new XOA, where you'll be prompted to enter your passphrase to decrypt and ultimately restore your data.

📡 REST API

We're back with another round of REST API updates in this June release. Also, since we never had any issue with it, we can officially announce the REST API isn't an alpha feature anymore!

XOA Update

Just last month, we introduced the ability to update your hosts, even enabling Rolling Pool Updates directly from the REST API. The next natural progression? Triggering XOA updates straight from this very API!

To engage the XOA updater and verify the availability of any new versions, use the following method:

curl \
  -b authenticationToken=KQxFkTbs \
  'https://xo.company.lan/rest/v0/appliance/updater'

This should return { "isUpToDate": true } when your XOA is up to date. You can imagine using this with your alerting system (e.g. UptimeKuma) to detect when your XOA is NOT fully up-to-date!

To initiate the update itself, use this POST method:

curl \
  -X POST \
  -b authenticationToken=KQxFkTbs \
  'https://xo.company.lan/rest/v0/appliance/updater/actions/upgrade'

That's all there is to it!
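As an added example that is not part of the original post or the Xen Orchestra project, here is a POSIX shell check that turns the updater endpoint's response into an exit status a cron job or monitor can act on. It assumes XO_URL and XO_TOKEN as hypothetical environment variables and that GET /rest/v0/appliance/updater answers with the { "isUpToDate": ... } JSON shown above; it only reports and never calls the upgrade endpoint.

```shell
#!/bin/sh
# Added example, not code from the Xen Orchestra project.
# Assumptions: XO_URL / XO_TOKEN are hypothetical environment variables, and
# GET /rest/v0/appliance/updater answers {"isUpToDate": true|false} as in the post.

XO_URL="${XO_URL:-https://xo.company.lan}"
XO_TOKEN="${XO_TOKEN:-REPLACE_WITH_TOKEN}"   # placeholder; never commit a real token

# xoa_is_up_to_date BODY: parse the updater JSON with a tolerant regex.
# Returns 0 when isUpToDate is true, 1 when false, and 2 when the body is not
# the expected shape (for example an HTML login page after a token expired).
xoa_is_up_to_date() {
  if printf '%s' "$1" | grep -Eq '"isUpToDate"[[:space:]]*:[[:space:]]*true'; then
    return 0
  elif printf '%s' "$1" | grep -Eq '"isUpToDate"[[:space:]]*:[[:space:]]*false'; then
    return 1
  fi
  return 2
}

# xoa_fetch_status: the GET request from the post, using the cookie-based token.
# --fail turns HTTP errors (401 on a bad token, 5xx) into a non-zero exit status.
xoa_fetch_status() {
  curl --fail --silent --show-error \
    -b "authenticationToken=${XO_TOKEN}" \
    "${XO_URL}/rest/v0/appliance/updater"
}

# xoa_check: read-only check for a cron job or an UptimeKuma-style monitor.
# It deliberately never calls the .../actions/upgrade POST: reporting and
# upgrading stay separate so a monitoring credential cannot trigger a change.
xoa_check() {
  body="$(xoa_fetch_status)" || { echo "ALERT: XOA updater unreachable"; return 2; }
  rc=0
  xoa_is_up_to_date "$body" || rc=$?
  case $rc in
    0) echo "OK: XOA is up to date" ;;
    1) echo "ALERT: XOA is NOT up to date" ;;
    *) echo "ALERT: unexpected updater response: $body" ;;
  esac
  return $rc
}

# Run the live check only when explicitly asked, so sourcing this file
# for its functions stays side-effect free.
if [ "${XO_RUN_CHECK:-0}" = "1" ]; then
  xoa_check
fi
```

Run it as `XO_RUN_CHECK=1 XO_URL=https://xo.company.lan XO_TOKEN=... sh xoa-check.sh` and alert on any non-zero exit status.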

☸️ Project Pyrgos (k8s)

For those who might have missed our introduction to Project Pyrgos:

Announcing project Pyrgos (Xen Orchestra Blog, Olivier Lambert)
Have you ever wanted to easily create and update Kubernetes clusters on top of your on-prem infrastructure? That’s exactly what Pyrgos project is.

In this update, we've incorporated the functionality for you to select the Kubernetes version you'd like to deploy on your cluster:


This enhancement empowers you with greater control over your Kubernetes cluster assembly. Keep an eye out - we've got a wave of additional features set to roll out this summer!

🔭 XO Lite

Our dedication to enhancing the embedded web UI in XCP-ng continues unabated. As a refresher, the groundwork we're laying here will also form the foundation for Xen Orchestra 6. For those keen on the design elements surrounding it:

Unleashing the Power of Atomic Design System (Xen Orchestra Blog, Clémence Barthoux)
Exploring the Atomic Design System in open-source virtual infrastructure: enhancing user experiences, inclusivity, and accessibility while empowering teams.

This June, our efforts focused on several areas:

  • We refined the code to eliminate any confusion regarding UUIDs and OpaqueRef.
  • We introduced a 'closing confirmation' component, enabling a prompt for user confirmation before tab closure in the event of any pending actions.
  • We revamped XAPI subscriptions (the "events"). Now, record extensions are much simpler, and we've added an immediate option which defers the subscription until the first start() call.
  • We overhauled the pool dashboard to align it more closely with our original Figma design.
  • We upgraded the entire XO Lite project to Vue 3.3 and Vite 4. This translates to fresh features for developers and improved performance!

We also implemented minor changes, such as displaying an error when data loading fails, introducing enums for various VM power states and operations, fixing several bugs, and adding new keyboard shortcuts!

Although this effort plays out over the long haul, it's crucial for creating a consistent and appealing UI for both XO Lite and ultimately, XO 6. You can anticipate more noticeable changes in the coming months.

🆕 Misc

This section consolidates other enhancements made for this new XO release.

Allow importing ISO from URL

You can now directly paste the ISO URL into your SR ISO, which will handle the rest of the process and download it. There's no need to clutter your computer with a collection of various ISOs and then manually upload them via Xen Orchestra!


Raw VDI export/import

Although this feature was available in the backend, it was never exposed in the UI. With this release, you have the option to import and/or export any disk (VDI) using the raw format.

RRDs performance improvements

We've significantly improved the RRDs statistics performance from our web UI by addressing requests that bypassed our cache and properly closing certain fetching requests. For infrastructures with more than 20 hosts, this performance boost should be particularly noticeable.

Various dependencies improvements

We made progress with some indirect dependencies (dependencies of a dependency) by internalizing them (directly incorporating them), which gave us the opportunity to patch or update them directly. This approach helped us reduce the number of outdated versions indirectly affected by various security reports.



from Xen Orchestra https://bit.ly/3pttY5o
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity: Week 26

The Good | Authorities Sentence 2020 Twitter Hacker For SIM Swap & Crypto Theft Schemes

Joseph James O’Connor (aka PlugWalkJoe) was sentenced this week to five years in prison for various cybercrimes including his role in the 2020 Twitter Hack. O’Connor is charged with stealing cryptocurrency, money laundering, cyberstalking, and unauthorized access to Twitter, TikTok, and Snapchat accounts. Further, he is ordered to return the $749,000 stolen from a New York-based cryptocurrency firm.

Source: Reuters

According to the DoJ, O’Connor and his co-conspirators conducted a mass SIM swap attack in 2019 to steal from a targeted cryptocurrency firm. In SIM swap attacks, a threat actor gains control of a victim’s mobile phone number by linking it to a SIM card controlled by the actors. The victim’s calls and messages are then routed to the actor-controlled device and used to access accounts registered with the victim’s number. Using this technique, O’Connor and his associates successfully targeted three of the cryptocurrency firm’s executives and obtained access to the company’s internal accounts and system.

In the 2020 Twitter Hack, O’Connor and his associates again used SIM swaps, along with social engineering tactics, to gain access to Twitter’s back-end tools and transfer control of high-profile accounts to various unauthorized users. While some accounts were hijacked by the actors themselves, O’Connor sold the access rights of several well-known accounts. Using similar techniques, O’Connor also hijacked TikTok and Snapchat accounts to participate in online extortion, harassment, and cyber stalking.

These attacks on social media platforms underscore the impact that cyber attacks have on everyday users. As the rate of digital identity theft skyrockets and threat actors continue to eye up popular apps and services, implementing strong identity-based controls remains a high-priority task for organizations in all industries.

The Bad | New Infostealer Malware Dubbed “ThirdEye” Targets Windows Devices

A newly discovered Windows-based infostealer dubbed “ThirdEye” has been spotted in the wild, harvesting sensitive data from infected hosts. Security researchers this week reported on an executable masquerading as a PDF file which hosts the info-stealing malware. While the arrival vector for the malware isn’t yet known, researchers believe it is used in phishing campaigns.

Based on an earlier version of ThirdEye that was uploaded to VirusTotal in early April, the infostealer is evolving and now shows capabilities of gathering system metadata such as BIOS release dates and vendors, total and free disk space on C: drives, volume information, and registered usernames. Details collected are then transmitted to a command-and-control (C2) server.

Though the malware is not considered technically sophisticated, researchers warn that its purpose-built design allows malicious users to gather critical information for use in future attacks. In the case of ThirdEye, the information stolen could be used by attackers as a way of narrowing down potential targets and planning unique campaigns.

There are no current indications that ThirdEye has been used in the wild. However, given the fact that the infostealer artifacts were uploaded to VirusTotal from Russia, researchers speculate that any malicious activity leveraging the malware is likely being aimed at Russian-speaking organizations. ThirdEye is the latest to make an appearance following a marked surge of infostealer malware being sold on Russian darknets.

As more infostealers become readily available, enabling cybercriminals to launch their ransomware campaigns, organizations should invest in machine learning algorithms and analytics to identify patterns indicating suspicious activity in real-time.

The Ugly | Emerging 8Base Ransomware Group Responsible For Uptick In Ransomware Attacks

First appearing in March, the emerging ransomware group called 8Base has accelerated its activity over the past two months, targeting small to medium-sized businesses worldwide in double extortion “name and shame” attacks. According to security analysts, ransomware attacks have spiked in May and June so far, up respectively 24% from this April and 56% compared to the same period last year. 8Base claims a significant role in this surge, responsible for more than 15% of all ransomware victims recorded last month.

In double extortion attacks, threat actors exfiltrate and encrypt all of a victim’s sensitive data, giving them extra leverage when demanding ransom payments. Actors then threaten to release or sell the data onto the dark web unless payment is made.

Like many other groups in the threat landscape though, 8Base accepts ransom payments in Bitcoin only and claims on its leak site to be “honest and simple pentesters”. The group employs multiple streams of communication, including an active Twitter profile and several encrypted Telegram channels. Latest findings on the group note that 8Base has compromised businesses across a large span of industries but has not shown allegiance to any one particular methodology or source of motivation.

Based on the speed and effectiveness shown in recent attacks, security researchers believe this denotes a well-established and mature operation, indicating 8Base may be comprised of members of some previously successful ransomware group. Malware research site vx-underground has compared 8Base’s recent attacks to those of the “Big 3”; namely, the Conti, LockBit, and ALPHV ransomware groups. SentinelOne customers are autonomously protected from 8Base ransomware attacks.



from SentinelOne https://bit.ly/3pnvtCb
via IFTTT

3 Reasons SaaS Security is the Imperative First Step to Ensuring Secure AI Usage

Jun 30, 2023 | The Hacker News | SaaS Security / Artificial Intelligence

In today's fast-paced digital landscape, the widespread adoption of AI (Artificial Intelligence) tools is transforming the way organizations operate. From chatbots to generative AI models, these SaaS-based applications offer numerous benefits, from enhanced productivity to improved decision-making. Employees using AI tools experience the advantages of quick answers and accurate results, enabling them to perform their jobs more effectively and efficiently. This popularity is reflected in the staggering numbers associated with AI tools.

OpenAI's viral chatbot, ChatGPT, has amassed approximately 100 million users worldwide, while other generative AI tools like DALL·E and Bard have also gained significant traction for their ability to generate impressive content effortlessly. The generative AI market is projected to exceed $22 billion by 2025, indicating the growing reliance on AI technologies.

However, amidst the enthusiasm surrounding AI adoption, it is imperative to address the concerns of security professionals in organizations. They raise legitimate questions about the usage and permissions of AI applications within their infrastructure: Who is using these applications, and for what purposes? Which AI applications have access to company data, and what level of access have they been granted? What is the information employees share with these applications? What are the compliance implications?

The importance of understanding which AI applications are in use, and the access they have cannot be overstated. It is the basic yet imperative first step to both understanding and controlling AI usage. Security professionals need to have full visibility into the AI tools utilized by employees.

This knowledge is crucial for three reasons:

1) Assessing Potential Risks and Protecting Against Threats

It enables organizations to assess the potential risks associated with AI applications. Without knowing which applications are being used, security teams cannot effectively evaluate and protect against potential threats. Each AI tool presents a potential attack surface that must be accounted for: Most AI applications are SaaS based and require OAuth tokens to connect with major business applications such as Google or O365. Through these tokens malicious players can use AI applications for lateral movement into the organization. Basic applications discovery is available with free SSPM tools and is the basis for securing AI usage.

Moreover, the knowledge of which AI applications are used within the organization helps prevent the inadvertent use of fake or malicious applications. The rising popularity of AI tools has attracted threat actors who create counterfeit versions to deceive employees and gain unauthorized access to sensitive data. By being aware of the legitimate AI applications and educating employees about them, organizations can minimize the risks associated with these malicious imitations.

2) Implementing Robust Security Measures based on Permissions

Identifying the permissions AI applications were granted by employees helps organizations implement robust security measures. Different AI tools may have varying security requirements and potential risks. By understanding the permissions AI applications were granted, and whether or not these permissions present risk, security professionals can tailor their security protocols accordingly. Ensuring that appropriate measures are in place to protect sensitive data, and preventing excessive permissions, is the natural second step to follow visibility.

3) Managing the SaaS Ecosystem Effectively

Understanding AI application usage allows organizations to take action and manage their SaaS ecosystem effectively. It provides insights into employee behavior, identifies potential security gaps, and enables proactive measures to mitigate risks (revoking permissions or employee access, for example). It also helps organizations comply with data privacy regulations by ensuring that data shared with AI applications is adequately protected. Monitoring for unusual AI onboarding, inconsistency in usage or simply revoking access to AI applications that should not be used are easily available security steps that CISOs and their teams can take today.

In conclusion, AI applications bring immense opportunities and benefits to organizations. However, they also introduce security challenges that must be addressed. While AI-specific security tools are still in their early stages, security professionals should utilize existing SaaS discovery capabilities and SaaS Security Posture Management (SSPM) solutions to address the fundamental question that serves as the foundation for secure AI usage: Who in my organization is using which AI application and with what permissions? Answering these fundamental questions can be easily accomplished using available SSPM tools, saving valuable hours of manual labor.




from The Hacker News https://bit.ly/3XyJBF1
via IFTTT

Customising Source NAT Address for Networks

Introduction

While managing a cloud infrastructure, it is sometimes necessary to make changes to network ranges or to reassign IP addresses to routers. Previously, all network addresses were changeable except for the Source NAT (Network Address Translation) address of a Virtual Private Cloud (VPC) or an Isolated Network. However, with Apache CloudStack 4.19, this will be possible.

Feature Description

In CloudStack 4.19, an extension has been implemented that enhances the functionality of the APIs (Application Programming Interfaces) for creating or updating networks and VPCs. The APIs `createNetwork`, `createVPC`, `updateNetwork`, and `updateVPC` have now been supplemented with a new parameter, `sourcenatipaddress`. […]

The post Customising Source NAT Address for Networks appeared first on The CloudStack Company.



from CloudStack Consultancy & CloudStack... https://bit.ly/3CVpxn4
via IFTTT

MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?

Jun 30, 2023 | Ravie Lakshmanan | Vulnerability / Software Security

MITRE has released its annual list of the Top 25 "most dangerous software weaknesses" for the year 2023.

"These weaknesses lead to serious vulnerabilities in software," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working."

The list is based on an analysis of public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity.

Coming out top is Out-of-bounds Write, followed by Cross-site Scripting, SQL Injection, Use After Free, OS Command Injection, Improper Input Validation, Out-of-bounds Read, Path Traversal, Cross-Site Request Forgery (CSRF), and Unrestricted Upload of File with Dangerous Type. Out-of-bounds Write also took the top spot in 2022.

70 vulnerabilities added to the Known Exploited Vulnerabilities (KEV) catalog in 2021 and 2022 were Out-of-bounds Write bugs. One weakness category that fell off the Top 25 is Improper Restriction of XML External Entity Reference.

"Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management," the Common Weakness Enumeration (CWE) research team said.

Besides software, MITRE also maintains a list of important hardware weaknesses with an aim to "prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle."

The disclosure comes as CISA, together with the U.S. National Security Agency (NSA), released recommendations and best practices for organizations to harden their Continuous Integration/Continuous Delivery (CI/CD) environments against malicious cyber actors.

This includes the implementation of strong cryptographic algorithms when configuring cloud applications, minimizing the use of long-term credentials, adding secure code signing, utilizing two-person rules (2PR) to review developer code commits, adopting the principle of least privilege (PoLP), using network segmentation, and regularly auditing accounts, secrets, and systems.

"By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate," the agencies said.

The development also follows new findings from Censys that nearly 250 devices running on various U.S. government networks have exposed remote management interfaces on the open web, many of which run remote protocols such as SSH and TELNET.

"FCEB agencies are required to take action in compliance with BOD 23-02 within 14 days of identifying one of these devices, either by securing it according to Zero Trust Architecture concepts or removing the device from the public internet," Censys researchers said.

Publicly accessible remote management interfaces have emerged as one of the most common avenues for attacks by nation-state hackers and cybercriminals, with the exploitation of remote desktop protocol (RDP) and VPNs becoming a preferred initial access technique over the past year, according to a new report from ReliaQuest.




from The Hacker News https://bit.ly/3NVjzcb
via IFTTT

Thursday, June 29, 2023

Android Spy App LetMeSpy Suffers Major Data Breach Exposing Users' Personal Data

Jun 29, 2023 | Ravie Lakshmanan | Mobile Security / Privacy

Android-based phone monitoring app LetMeSpy has disclosed a security breach that allowed an unauthorized third-party to steal sensitive data associated with thousands of Android users.

"As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," LetMeSpy said in an announcement on its website, noting the incident took place on June 21, 2023.

Following the discovery of the hack, LetMeSpy said it notified law enforcement and data protection authorities. It's also taking steps to suspend all account-related functions until further notice. The identity of the threat actor and their motives are currently unknown.

The work of a Polish company named Radeal, LetMeSpy is offered as a monthly subscription ($6 for Standard or $12 for Pro), allowing its customers to snoop on others simply by installing the software on their devices. An Internet Archive snapshot from December 2013 shows that it's billed as a tool for parental or employee control.

LetMeSpy comes with a wide range of features to collect call logs, SMS messages, and geolocations, all of which can be accessed from the website. In an attempt to evade detection and removal, the app's icon can be hidden from the device's home screen launcher.

As of January 2023, the stalkerware app has been used to track 236,322 phones across the world, harvesting over 63.5 million text messages, 39.7 million call logs, and 43.2 million locations.

Polish security research blog Niebezpiecznik, which first reported the breach and analyzed a dump of the stolen data, said it includes about 26,000 email addresses, 16,000 SMS messages, and a database of victims' locations.

A further review of the leaked information by TechCrunch has revealed that the data goes all the way back to 2013, when LetMeSpy became operational. The records also contain data from at least 13,000 compromised devices. A majority of the victims are located in the U.S., India, and parts of Africa.




from The Hacker News https://bit.ly/3Xu5LbA
via IFTTT

Host Control Plane Status | CloudStack Feature First Look

Introduction

Diving into the ever-evolving world of Apache CloudStack, it is undeniable that its continuous enhancement has led it to become an influential infrastructure management platform. The recent feature addition, ‘Host Control Plane Status’, further refines this powerful tool by extending the hypervisor host control state in the listing of Virtual Machines / VMs (ie. user Instances, Virtual Routers, and System VMs). Specifically, it permits users to evaluate the feasibility of VM lifecycle actions like start / stop / restart / migrate, and to cross-verify the accuracy of VM metrics.

Host State and Resource State

Each Host in the Apache […]

The post Host Control Plane Status | CloudStack Feature First Look appeared first on The CloudStack Company.



from CloudStack Consultancy & CloudStack... https://bit.ly/3JDG0Qx
via IFTTT

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

Jun 29, 2023 | Ravie Lakshmanan | Cyber Threat / Hacking

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe."

The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with fewer features than the current version.

The evolving stealer, like other malware families of its kind, gathers system metadata, including BIOS release date and vendor, total and free disk space on the C drive, currently running processes, registered usernames, and volume information. The collected details are then transmitted to a command-and-control (C2) server.

A notable trait of the malware is that it uses the string "3rd_eye" to beacon its presence to the C2 server.

There are no signs to suggest that ThirdEye has been utilized in the wild. That said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it's likely that the malicious activity is aimed at Russian-speaking organizations.

"While this malware is not considered sophisticated, it's designed to steal various information from compromised machines that can be used as stepping-stones for future attacks," Fortinet researchers said, adding the collected data is "valuable for understanding and narrowing down potential targets."

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.

"The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim's system performance, and the depletion of valuable system resources," Cyble said.

[Figure: SeroXen infection chain]

Video game users have also been targeted with Python-based ransomware and a remote access trojan dubbed SeroXen, which has been found to take advantage of a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence shows that actors associated with SeroXen's development have also contributed to the creation of ScrubCrypt.

The malware, which was advertised for sale on a clearnet website that was registered on March 27, 2023 prior to its shutdown in late May, has further been promoted on Discord, TikTok, Twitter, and YouTube. A cracked version of SeroXen has since found its way to criminal forums.

"Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as 'cheats,' 'hacks,' 'cracks,' and other pieces of software related to gaining a competitive edge," Trend Micro noted in a new analysis of SeroXen.

"The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. The almost-amateur approach of using social media for aggressive promotion, considering how it can be easily traced, makes these developers seem like novices by advanced threat actors' standards."




from The Hacker News https://bit.ly/3PzzNbW
via IFTTT

Accelerating Security Response and Minimizing Network Exposure with HP Wolf Security

Responding to incidents quickly and shielding organizations from harm are basic objectives that make networks more secure and resilient. This blog post explores how HP Wolf Security’s threat containment technology helps achieve these security objectives, compared to a detection and response strategy.

Security Objective: Quick Response

In security operations, speed is critical. Time metrics are a common way to measure the effectiveness of security controls and processes by seeing how quickly teams detect and respond to threats. Many teams use metrics like mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) to track their performance over time. The reasoning is the quicker the detection and response, the lower the impact and recovery cost of an incident on an organization. Today, human-operated ransomware can move from initial access to a full network compromise in hours, so reacting quickly is crucial to limit the impact.

During an investigation, network defenders search for suspicious activity across multiple data sources – such as email, network and host – and then correlate the data they’ve gathered into a coherent story that explains what happened and what needs to be done. Unimpeded, a capable analyst can complete an investigation in minutes. But common choke points in the investigation workflow could cost the organization valuable time.

Consider this scenario:

  1. An analyst spots an endpoint detection and response (EDR) alert for malicious processes spawning from a document opened on a laptop. It’s unclear from the alert whether all the processes were stopped. To decide what to do next, the analyst must confirm if the laptop, and perhaps others, have been compromised.
  2. To do this, they need to understand what the threat would have done and then look for those signs in their environment. In other words, they need to gather indicators of compromise (IOCs). The analyst issues a command to the EDR agent running on the laptop to retrieve the document that triggered the alert. Fortunately, the laptop is online and the file is pulled over the network after a couple of minutes.
  3. Next, the analyst must examine the file to understand what it does. They run the file in a sandbox and observe its behaviors. A few minutes later, they obtain a trace containing suspicious URLs that the malware communicates with post-installation and the hash of a file that is dropped to disk.
  4. The analyst logs into the organization’s web proxy and checks if the laptop has communicated with any of the suspicious URLs. Fortunately, it appears not. To be confident of their assessment, they also check the laptop’s event logs and confirm that no malicious processes are running, nor are there signs of the suspicious file being dropped to disk. The analyst breathes a sigh of relief – but other devices in the organization may be infected.
  5. They note the file originated as an email attachment. They log into the email gateway, search for the file’s hash and discover emails sent to other employees containing the malware. They identify other sender addresses, subject lines and attachments related to the same malicious spam campaign and write up their findings.

You likely noticed several choke points:

  • EDR works by stopping malicious activity as quickly as possible at the expense of capturing a complete trace of how the threat works. The analyst is left with incomplete IOCs and unanswered questions about the threat’s tactics, techniques and procedures (TTPs).
  • EDR file retrieval takes time and relies on the host being online. The analyst won’t have access to the file if the laptop is turned off, which is likely if the investigation occurs outside of working hours, the user is travelling or is in a wildly different time zone.
  • Running the sample in a sandbox takes time and may not fully simulate the laptop’s environment. Therefore, the malware might produce incomplete IOCs because it does not behave in the same way in the sandbox.
  • The analyst must log into multiple appliances and manually search for and correlate the data they are looking for.
  • EDR provides limited assurance that all the malicious processes were stopped because they ran on the host and were stopped after the fact.

HP Wolf Security helps speed up this workflow by automating many steps, freeing up analysts’ time. This time when the user opens the document, it runs inside of HP Sure Click Enterprise, HP Wolf Security’s threat containment product. The user interacts with the document in all the ways they expect. However, in the background, the document is running inside a virtualized environment isolated from the host using micro-virtualization technology. The guest environment mimics the laptop, except it does not contain the user’s files and credentials (so any malware has nothing to steal) and has locked down network access to prevent lateral movement.

The guest environment is monitored, so when the user opens the document, Sure Click starts recording a report of any suspicious activity. Since the threat is already isolated in a virtual machine and poses no risk to the host, stopping the threat as quickly as possible is unnecessary. Instead, the malware is allowed to play out like in a traditional sandbox, recording IOCs for the analyst to review. The sample and any files it tries to write to disk are also made available to the analyst in the alert, meaning they don’t need to retrieve the document from the laptop. Lastly, HP Wolf Security automatically correlates email, host and network data into a timeline for the analyst.

Figure 1 – HP Wolf Security threat overview

Figure 2 – Process interaction graph of threat

Figure 3 – Email information connected to threat

Security Objective: Minimizing Exposure to Harm

Besides reacting quickly, another fundamental security objective is minimizing exposure to harmful behaviors likely to hamper an organization’s ability to operate normally. Examples of behaviors could be an attacker exploiting a vulnerability in a software component or an employee doing something risky on a corporate device.

One of the most common undesirable behaviors is users opening malicious links and files – as seen in the scenario above. In the 2023 Data Breach Investigations Report, researchers at Verizon comment that malware is still mostly distributed by email in malicious file attachments, a trend we’ve also tracked for years.

While organizations can’t easily control the threats outside their environments, they can control the conditions under which threats occur in their environments and their response to them.

HP Wolf Security minimizes exposure to harmful behaviors using micro-virtualization to isolate risky user tasks like clicking on links, opening email attachments and downloading files from the web. Robust security means having the right mix of preventative and detective controls based on the behaviors you want to minimize.

To illustrate this, imagine you are a zookeeper tasked with keeping your animals from escaping. What security measures would you use? One strategy that relies on detection would be installing CCTV cameras around the zoo’s perimeter to spot if the animals run loose. Alternatively, a prevention strategy would have you install a fence around the animals to stop them from escaping. Of the two approaches, the more effective strategy relies on prevention because it minimizes exposure to harmful behavior.

If you’re a network defender, you may find it helpful to think about the security controls in your organization in terms of whether they are detective or preventative. Another useful question is to ask, “How are we minimizing the exposure of our endpoints/servers to harmful behaviors initiated intentionally and unintentionally by attackers and our employees?”

The post Accelerating Security Response and Minimizing Network Exposure with HP Wolf Security appeared first on HP Wolf Security.



from HP Wolf Security https://bit.ly/3PzzLkk
via IFTTT

Wednesday, June 28, 2023

Q2 2023 Analytic Co-Pilot Use Cases

As part of the Subscription Services team, our Analytic Co-Pilot Service consultants worked on a variety of security use cases in Q2 2023 within our own internal environments, as well as our customers. These collaborative efforts continue to grow the library of use cases that strengthen our arsenal to help secure organizations across the globe.

This quarter, vulnerabilities were identified in well-known software, and we had to quickly investigate how to monitor for attacks against them. Our team looked for indicators of compromise (IOCs) for each CVE. We also researched the resulting activity to see how the threat could be monitored in a more general sense, providing better coverage for any similar vulnerabilities in the future.

In this blog we are going to look at some custom use cases covering different phases of an attack, from initial access and persistence through to lateral movement. Here’s what to expect for each use case explained below:

  • Where the use case originated from, either a custom rule from our team or based upon a Knowledge Base Threat module.
  • The log sources required to successfully implement a use case.
  • Difficulty score to set up the use case and how complex it may be.
  • Impact rating to assess how a use case can positively impact threat monitoring.

1.   T0847: Replication Through Removable Media

Operational Technology (OT) and Industrial Control Systems (ICS) form the backbone of modern industrial environments, from energy grids to manufacturing plants. However, these critical systems face significant cybersecurity threats, including the risk associated with USB usage. USB drives, while convenient, can be a potent vector for malware and can result in data leakage if not appropriately managed.

A prime example of an OT/ICS compromise due to a USB is the infamous Stuxnet worm. Believed to have been developed by nation-states, Stuxnet was designed to attack specific industrial systems. It was reportedly spread via a USB drive and was responsible for causing significant damage to Iran’s nuclear program.

In the context of Windows 10 and Server 2016 operating systems, activating the “Audit PNP Activity” setting initiates a process of systematic logging. This includes recording events associated with the usage of Universal Serial Bus (USB) devices, among other related activities. By enabling this audit feature, you gain a comprehensive view of peripheral device interactions with your system, aiding in both system management and security oversight.

Once the logs are onboarded to the LogRhythm SIEM, monitoring for Event ID 400, 410 (Kernel PnP) and 6416 (Security) allows for monitoring of connected devices and information around the connected device.
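
As an added illustration of what the onboarded Audit PNP Activity logs give you to work with, the following Python (not LogRhythm code) parses a constructed Security event 6416 and classifies the device against an assumed allow-list of corporate drives; the XML, host names and allow-list prefix are all constructed for the example.

```python
"""Parse Windows Security event 6416 ("A new external device was recognized by
the system"), which the Audit PNP Activity setting emits, and flag removable
storage that is not on an allow-list.  Added example, not LogRhythm code: the
event XML is constructed and the allow-list prefix is an assumption."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 6416 event in the XML form Windows Event Viewer exports.
SAMPLE_6416 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>6416</EventID>
    <TimeCreated SystemTime="2023-06-20T08:41:12.000000000Z"/>
    <Computer>HMI-01.plant.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">operator</Data>
    <Data Name="SubjectDomainName">PLANT</Data>
    <Data Name="DeviceId">USBSTOR\\Disk&amp;Ven_Generic&amp;Prod_Flash_Disk&amp;Rev_8.07\\0000000000001&amp;0</Data>
    <Data Name="DeviceDescription">Generic Flash Disk USB Device</Data>
    <Data Name="ClassName">DiskDrive</Data>
    <Data Name="VendorIds">USBSTOR\\DiskGeneric_Flash_Disk____8.07</Data>
  </EventData>
</Event>"""

# Device classes that indicate storage a user can walk data in or out on.
REMOVABLE_CLASSES = {"DiskDrive", "CDROM", "WPD"}
# Assumption: corporate-issued encrypted drives share this hardware ID prefix.
ALLOWED_DEVICE_PREFIXES = ("USBSTOR\\Disk&Ven_Corp&Prod_Encrypted",)


def parse_6416(xml_text):
    """Return the 6416 fields as a dict, or None if the event is not a 6416."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6416":
        return None
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    fields["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return fields


def classify(fields):
    """'ignore' for non-storage devices (mice, hubs), 'allowed' for approved
    drives, 'alert' for any other removable storage."""
    device_id = fields.get("DeviceId", "")
    if fields.get("ClassName") not in REMOVABLE_CLASSES:
        return "ignore"
    if not device_id.upper().startswith(("USBSTOR\\", "USB\\")):
        return "ignore"          # e.g. an internal SATA disk being re-enumerated
    if device_id.startswith(ALLOWED_DEVICE_PREFIXES):
        return "allowed"
    return "alert"


def describe(fields):
    """One-line summary in the shape an alarm would carry."""
    return (f"{fields['Time']} {fields['Computer']} "
            f"user={fields['SubjectDomainName']}\\{fields['SubjectUserName']} "
            f"class={fields['ClassName']} device={fields['DeviceDescription']} "
            f"verdict={classify(fields)}")


if __name__ == "__main__":
    event = parse_6416(SAMPLE_6416)
    print(describe(event))
```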

2.   CVE-2023-34362: Investigating the Exploitation of MOVEit Transfer Software

On June 1, 2023, cybersecurity firm Huntress detected ongoing exploitation of a critical security flaw in the MOVEit Transfer application, which the software’s vendor, Progress, had flagged a day earlier. The vulnerability, later identified as CVE-2023-34362, prompted the immediate disabling of MOVEit Cloud during the investigation.

The fault appears to lie in the web application’s interface, providing potential unauthorized access to attackers.

Using AI Engine to monitor for processes spawned by w3wp.exe and the MOVEit applications, we created use cases that detect execution of the attack. We also monitor web server logs and File Integrity Monitoring events to provide comprehensive coverage of the IOCs pertaining to this vulnerability in MOVEit Transfer.

3.   T1021.001: Remote Desktop Protocol: RDP Query/Enable Locally

In the dynamic world of cybersecurity, adversaries are constantly seeking innovative ways to infiltrate computer systems. One such method involves using valid user accounts to exploit the Remote Desktop Protocol (RDP), a feature that enables remote access to a system’s graphical user interface.

While enabling RDP via the command line is a common task for system administrators, it’s crucial to consider the context. If an unknown or unauthorized user attempts to enable RDP, particularly in an environment where its use is uncommon or on a system where it’s typically disabled, it could signal suspicious activity.

Adversaries employ RDP with Accessibility Features or Terminal Services DLL, enabling them to maintain continued access to the system. This persistence makes it challenging for security measures to detect and eliminate the threat, underscoring the need for continuous monitoring and timely system updates.

In summary, while RDP provides valuable remote access capabilities, it can also serve as a potential entry point for adversaries. Therefore, it is crucial to ensure robust security measures, including secure credential management, continuous system monitoring, and regular updates, to mitigate the risk of unauthorized access. Always remember context is critical. Any activity that is not expected or authorized warrants further investigation.

4.   T1003.001: LSASS Memory: WDigest Downgrade

Adversaries might try to gain access to credentials held in the Local Security Authority Subsystem Service (LSASS) process memory. Once a user logs in, the system creates and stores various credential information in this location. An administrator or SYSTEM user can extract these credentials to facilitate lateral movement within the network using alternate authentication materials. Additionally, the LSASS process memory can be dumped and transferred from the target host for local analysis, adding another layer to potential attack strategies.

When a user logs on, WDigest performs Digest Access Authentication. This scheme avoids sending the password in plaintext over the network by using a hash function to produce a unique “digest,” which is then used to authenticate the user without revealing the password. However, for WDigest to construct the digest, it must keep a copy of the plaintext password in memory. This is where the potential for misuse arises.

Red Teams/Attackers always seek ways to gain unauthorized access to systems and networks. One method is credential dumping, extracting user credentials from a system’s memory. WDigest, due to its design, can inadvertently aid in this by storing plaintext passwords in memory.

Using tools like Mimikatz, an attacker can dump these credentials and use them to escalate their privileges or move laterally within a network. They can also maintain persistence, reusing valid credentials to access resources even after initial malware or backdoors are removed.

5.   T1110.003: Password Spraying

Password spraying is a technique used by cyberattackers to gain unauthorized access to systems or accounts by systematically trying a small number of commonly used passwords against a large number of user accounts. Unlike traditional brute-force attacks that target a single account with multiple password attempts, password spraying involves trying a few commonly used passwords against multiple accounts, making it less likely to trigger account lockouts or trigger security alarms.

It’s important to implement anomaly detection mechanisms that identify abnormal login behavior. By establishing baselines of typical user behavior, any deviation from these patterns, such as a sudden surge in failed login attempts across different accounts, can indicate a password spraying attack. Among the logical rule blocks of the AI Engine is the trend rule block, which can be leveraged to compare current login activity with a determined baseline and alarm on any inconsistencies in account logins.

Another technique that can detect password spraying is the unique rule block, with the unique criterion set to user origin and grouped by host origin.
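
Both rule-block ideas above, written out as plain Python over constructed 4625 failed-logon events (an added example, not LogRhythm’s AI Engine implementation); the window, thresholds and baseline are assumptions, and the per-account counter shows why a lockout policy alone misses the pattern.

```python
"""Two detections for password spraying modelled on the AI Engine rule blocks
named in the post: a unique rule (distinct user origins per host origin in a
window) and a trend rule (failed-logon volume against a baseline).  Added
example, not LogRhythm code; the events are constructed 4625 failed logons
and the thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed 4625 events: (time, user origin, host origin = source workstation).
FAILED_LOGONS = [
    ("2023-06-20T09:00:05", "alice", "WS-FIN-01"),    # a user mistyping twice
    ("2023-06-20T09:00:40", "alice", "WS-FIN-01"),
    ("2023-06-20T09:05:01", "alice", "WS-GUEST-07"),  # one host, many accounts,
    ("2023-06-20T09:05:03", "bob",   "WS-GUEST-07"),  # one or two tries each
    ("2023-06-20T09:05:05", "carol", "WS-GUEST-07"),
    ("2023-06-20T09:05:07", "dave",  "WS-GUEST-07"),
    ("2023-06-20T09:05:09", "erin",  "WS-GUEST-07"),
    ("2023-06-20T09:05:11", "frank", "WS-GUEST-07"),
    ("2023-06-20T09:06:30", "alice", "WS-GUEST-07"),
    ("2023-06-20T10:15:00", "bob",   "WS-ENG-03"),
]

WINDOW = timedelta(minutes=10)     # assumption: rule block evaluation window
UNIQUE_USERS_THRESHOLD = 5         # assumption: distinct accounts per source host
LOCKOUT_THRESHOLD = 5              # assumption: domain account lockout policy


def load(events):
    """Turn the tuples into dicts sorted by time, as a SIEM would hand them over."""
    return sorted(({"time": datetime.fromisoformat(t), "user": u, "src": s}
                   for t, u, s in events), key=lambda e: e["time"])


def per_account_failures(events):
    """What a per-account lockout counter sees: no single account reaches the
    lockout threshold, which is exactly how spraying avoids lockouts."""
    return Counter(e["user"] for e in events)


def unique_rule(events, threshold=UNIQUE_USERS_THRESHOLD, window=WINDOW):
    """Unique rule block: group by host origin and count distinct user origins
    inside a sliding window.  Returns {host origin: set of user origins seen
    when the threshold was first crossed}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alarms = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= threshold:
                alarms[src] = users
                break
    return alarms


def trend_rule(events, baseline_per_hour, multiplier=2.0):
    """Trend rule block: failed logons per hour compared with a baseline (the
    SIEM derives the baseline from history; here it is an input).  Returns
    {hour: count} for every hour exceeding multiplier * baseline."""
    per_hour = Counter(e["time"].strftime("%Y-%m-%dT%H") for e in events)
    return {hour: n for hour, n in per_hour.items()
            if n > multiplier * baseline_per_hour}


if __name__ == "__main__":
    evs = load(FAILED_LOGONS)
    worst = max(per_account_failures(evs).values())
    print(f"max failures on one account: {worst} (lockout at {LOCKOUT_THRESHOLD})")
    print("unique rule fired for:", unique_rule(evs))
    print("trend rule fired for:", trend_rule(evs, baseline_per_hour=3))
```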

6.   T1047: Windows Management Instrumentation

The rule is derived from Red Canary’s Global Threat Report, which ranks Windows Management Instrumentation (WMI) as the third most significant threat. WMI, an essential feature of the Windows operating system, is extensively utilized by administrators for various tasks, including system configuration, process execution, and task automation. Its capability to function on local and remote systems makes it a formidable tool for adversaries. These adversaries often exploit WMI to carry out malicious activities, which can easily be camouflaged amidst legitimate operations. The exploitation of WMI by adversaries encompasses a range of purposes, such as lateral movement across systems, gathering sensitive information, modifying system configurations, and establishing persistent access to compromised systems.

The detection rule looks for Microsoft Office applications spawning WMI processes, WMI reconnaissance activity, shadow copy deletion, the WMI provider host spawning suspicious processes, and WMI-related suspicious PowerShell cmdlets. With this breadth of visibility, however WMI is being used nefariously, it can be picked up by these detection techniques.
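
The following Python sketches the WMI rule above as parent/child process checks over constructed process-creation events (Sysmon event 1 style fields), and the same lineage approach covers the w3wp.exe process-spawn monitoring from the MOVEit use case; it is an added example, not LogRhythm’s rule content, and the paths and command lines are constructed.

```python
"""Process-lineage rules covering the WMI detections listed in the post (Office
spawning WMI, WMI reconnaissance, shadow-copy deletion, WmiPrvSE spawning
suspicious children, WMI PowerShell cmdlets) plus the w3wp.exe process-spawn
check from the MOVEit use case.  Added example, not LogRhythm's rule content;
the process-creation events below are constructed."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
WMI_PROCS = {"wmic.exe", "wmiprvse.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
          "mshta.exe", "wscript.exe", "cscript.exe"}
WEB_WORKERS = {"w3wp.exe"}           # IIS worker process hosting MOVEit Transfer
# WMI aliases typically queried during host/domain reconnaissance.
RECON_ALIASES = {"qfe", "useraccount", "group", "share", "ntdomain", "product",
                 "service", "computersystem", "nicconfig"}
WMI_CMDLETS = re.compile(r"\b(Get-WmiObject|Invoke-WmiMethod|Set-WmiInstance|"
                         r"Register-WmiEvent|Get-CimInstance|Invoke-CimMethod)\b", re.I)
SHADOW_DELETE = re.compile(r"shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows", re.I)

# Constructed events: parent image, image, command line.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic useraccount get name,sid"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-WmiObject -Class Win32_Service -ComputerName FS01"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\services.exe",    # normal provider host start
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"parent": r"C:\Windows\CCM\CcmExec.exe",           # inventory query, not recon
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def wmic_alias(cmdline):
    """First non-switch token after wmic, i.e. the alias being queried."""
    tokens = [t.strip('"') for t in cmdline.lower().split()]
    for i, tok in enumerate(tokens):
        if tok.endswith(("wmic", "wmic.exe")):
            return next((t for t in tokens[i + 1:] if not t.startswith("/")), None)
    return None


def evaluate(event):
    """Return the names of every rule the event trips (possibly none)."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image in WMI_PROCS:
        hits.append("office_spawns_wmi")
    if image == "wmic.exe" and wmic_alias(cmd) in RECON_ALIASES:
        hits.append("wmi_recon")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmiprvse_suspicious_child")
    if image in {"powershell.exe", "pwsh.exe"} and WMI_CMDLETS.search(cmd):
        hits.append("wmi_powershell_cmdlet")
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web_worker_spawns_shell")
    return hits


def scan(events):
    """(event index, rule name) for every rule hit across the batch."""
    return [(i, rule) for i, e in enumerate(events) for rule in evaluate(e)]


if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule}")
```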

Where to Find Out More?

For customers with the Analytic Co-Pilot, Support Account Manager, or Technical Account Manager services, these use cases and others are available to download immediately within our Subscription Services Group Hub on the LogRhythm Community. Understanding that these use cases can be valuable, we do then share these to the wider Community after some time.

To glimpse over other use cases our Co-Pilot team has worked on in previous quarters, visit the following blogs below:

To learn more about our Analytic Co-Pilot Services and how we can improve your threat detection and response, learn more here. If you are a customer and you have questions, reach out to your customer success manager or account team to get more information about how we can help with your use cases and analytics!

The post Q2 2023 Analytic Co-Pilot Use Cases appeared first on LogRhythm.



from LogRhythm https://bit.ly/3NSlXQK
via IFTTT

Alert: New Electromagnetic Attacks on Drones Could Let Attackers Take Control

Jun 28, 2023 | Ravie Lakshmanan | Firmware Security / Tech

Drones that don't have any known security weaknesses could be the target of electromagnetic fault injection (EMFI) attacks, potentially enabling a threat actor to achieve arbitrary code execution and compromise their functionality and safety.

The research comes from IOActive, which found that it is "feasible to compromise the targeted device by injecting a specific EM glitch at the right time during a firmware update."

"This would allow an attacker to gain code execution on the main processor, gaining access to the Android OS that implements the core functionality of the drone," Gabriel Gonzalez, director of hardware security at the company, said in a report published this month.

The study, which was undertaken to determine the current security posture of Unmanned Aerial Vehicles (UAVs), was carried out on Mavic Pro, a popular quadcopter drone manufactured by DJI that employs various security features like signed and encrypted firmware, Trusted Execution Environment (TEE), and Secure Boot.

Side-channel attacks typically work by indirectly gathering information about a target system by exploiting unintended information leakages arising from variations in power consumption, electromagnetic emanations, and the time it takes to perform different mathematical operations.

EMFI aims to induce a hardware disruption by placing a metal coil in close physical proximity to the Android-based Control CPU of the drone, ultimately resulting in memory corruption, which could then be exploited to achieve code execution.

"This could allow an attacker to fully control one device, leak all of its sensitive content, enable ADB access, and potentially leak the encryption keys," Gonzalez said.

As for mitigations, it's recommended that drone developers incorporate hardware- and software-based EMFI countermeasures.

This is not the first time IOActive has highlighted uncommon attack vectors that could be weaponized to target systems. In June 2020, the company detailed a novel method that makes it possible to attack industrial control systems (ICS) using barcode scanners.

Other assessments have illustrated security misconfigurations in the Long Range Wide Area Network (LoRaWAN) protocol that make it susceptible to hacking and cyber attacks as well as vulnerabilities in the Power Line Communications (PLC) component used in tractor trailers.




from The Hacker News https://bit.ly/434Ey0r
via IFTTT

CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million

Jun 28, 2023 | Ravie Lakshmanan | Cyber Crime / Cryptocurrency

Cybersecurity researchers have exposed the workings of a scam ring called CryptosLabs that's estimated to have made €480 million in illegal profits by targeting French-speaking individuals in France, Belgium, and Luxembourg since April 2018.

The syndicate's massive fake investment schemes primarily involve impersonating 40 well-known banks, fin-techs, asset management firms, and crypto platforms, setting up a scam infrastructure spanning over 350 domains hosted on more than 80 servers, Group-IB said in a deep-dive report.

The Singapore-headquartered company described the criminal outfit as "operated by a hierarchy of kingpins, sales agents, developers, and call center operators" who are recruited to ensnare potential victims by promising high returns on their capital.

"CryptoLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as 'managers' and creating fake landing pages, social media ads, documents, and investment platforms in the French language," Anton Ushakov, deputy head of Group-IB's high-tech crime investigation department in Amsterdam, said.

"They even impersonated French-dominant businesses to resonate with their target audience better and be successful in exploiting them."

It all starts with luring targets through advertisements on social media, search engines, and forums dedicated to online investments, masquerading as an "investment division" of the impersonated organization and presenting them with attractive investment plans in an attempt to part with their contact details.

In the next stage, they are approached by call center operators who provide additional details about the bogus platform and the credentials required to conduct trading.

"After logging in, the victims deposit funds on a virtual balance," Ushakov said. "They are then shown fictitious performance charts that trigger them to invest more for better profits until they realize they cannot withdraw any funds even when paying the 'release fees.'"

While the initial deposits are to the tune of €200-300, the scam is engineered to incentivize victims into depositing more funds by showcasing an illusion of good investment results.

Group-IB, which first shed light on the large-scale scam-as-a-service operation in December 2022, said it was able to trace the first signs of the group's activity dating back to 2015, when it was found experimenting with different landing pages. CryptosLabs' tryst with investment scams would begin in earnest around June 2018 after a two-month preparation.

A crucial selling point of the campaign is the use of a custom scam kit that allows the threat actors to run, manage, and scale their activities at different stages, right from rogue advertisements on social media to the website templates used to pull off the heist.

Also part of the kit are auxiliary tools to build landing pages, a customer relationship management (CRM) service that enables the addition of new managers to each domain, a leads control panel that could be used by scammers to onboard new customers to the trading platform, and a VoIP utility to communicate with victims in real-time.

"Analyzing CryptosLabs, it is evident that the threat group has given its activities a well-established structure in terms of operations and headcount, and is likely to expand the scope and scale of its illicit business in the coming years," Ushakov said.




from The Hacker News https://bit.ly/3r6DR9y
via IFTTT

How to Install Kali Linux on Raspberry Pi (And Why Do It?)

Can you install Kali Linux on Raspberry Pi and use it for ethical hacking and penetration testing? Kali Linux is a powerful hacking and penetration toolset used by security industry professionals worldwide, and the Raspberry Pi is a low-cost, single-board computer with many uses. Can it be done, and what are the benefits of doing it?

This article will investigate whether Kali Linux can be installed on a Raspberry Pi, what you will need to prepare for installation and use, and why you might want to do it in the first place.

By the conclusion of this article, you will understand the benefits and drawbacks of running Kali Linux on a Raspberry Pi and what can be achieved by doing it.

What Is a Raspberry Pi?

The Raspberry Pi Foundation was started by Eben Upton from Cambridge, UK, as a community project in 2012 to produce a $10 single-board computer that would enable children to learn to code and be creative with technology. The device was inspired by the single-box 8-bit computers of the 1980s. It is designed to be easy to use and accessible to all. The standard operating system comes pre-installed with Python, and many projects use this language to great effect.

Raspberry Pi 4 Model B

Since its introduction, a huge community of developers, hobbyists, and educators have produced an impressive array of applications, hardware, and creative uses for the device. These applications include web filtering, light show controllers, and vehicle entertainment systems. Some examples of the amazing things people do with Raspberry Pi are on the All3DP website.

The development of an extensive list of hardware add-ons, such as cameras and LED screens, has placed the Raspberry Pi as the go-to single-board computer for many uses.

There is an interesting TED Talk by Philip Colligan, the Chief Executive of the Raspberry Pi Foundation, explaining how the Raspberry Pi project was started. He talks about how the project was inspired by wanting to give children access to low-cost technology to enhance their learning and creativity. From the evidence in the talk, it has been a huge success.

Several versions of the Raspberry Pi are available, ranging from the microcontroller Pico series for $4, through the Pi Zero, to the personal computer-style Pi 400 based on the Pi 4. The most powerful version is the Pi 4 Model B. The specs vary, but for such a small package, they can pack a punch and offer good performance for the roles they are designed for.

From its inception, the Raspberry Pi has used a version of Debian Linux called Raspbian as its default operating system. The device uses an ARM processor, so the standard x86 builds of Linux will not work. However, several distributions are available that work well, from the basic needs of a general OS to specific applications like Kali Linux, produced by Offsec.


The operating system is installed onto an SD memory card that can easily be removed and replaced with another. Many Raspberry Pi users have multiple memory cards for different purposes and swap between them when needed. Because the SD card is the main storage, the faster the card, the better the performance.

Why Would You Want to Run Kali Linux on a Raspberry Pi? 

Traditionally, Kali would be installed on a laptop, usually as a VM for ease of recovery from crashes, but this has the drawback that the laptop must be present to use the Kali tools. Buying another laptop and dedicating it to Kali Linux is possible, but this will prove costly.

Using a low-cost Raspberry Pi can enable Kali to be used on a dedicated machine, freeing up your laptop. The Raspberry Pi can be left on-site if required for longer-term projects, such as packet capturing, man-in-the-middle attacks, remote-access persistence, and WiFi attacks.

The limitation of using a Raspberry Pi for Kali is the relatively low power of the device. Although it offers impressive performance for its size, even the highest-spec model can't match a laptop with reasonable specs.

Because Kali Linux has some stability issues when running certain tools, corruption of the operating system can occur. As Kali runs directly from the SD card rather than from a VM with snapshots, such corruption will render the installation unusable, as you can't roll it back. However, if multiple memory cards are flashed with Kali Linux, a card can simply be swapped should this occur.

Requirements

There are several hardware devices and tools that are needed to get Kali installed on a Raspberry Pi. It is not difficult, and all of the software is free. The only costs are the hardware, and everything you need is listed below.

Micro SD card: at least 16 GB, Class 10 recommended.
SD card reader: a USB adaptor is recommended if your computer does not have an SD card slot.
Raspberry Pi model compatibility:
    32-bit images: Pi 2, 3, 4, and 400
    64-bit images: Pi 2 (v1.2), 3, 4, and 400
    Also supported: Pi 1 (original), Pi Zero W, Pi Zero 2 W
Power supply (USB-C or Micro-USB depending on the Pi model): varies by model, 12.5 W to 15 W, 5.1 V, 700 mA to 3 A.
USB keyboard: any USB keyboard will work.
USB mouse: a standard USB mouse is all that is required.
Computer for creating bootable media: Windows, Mac, or Linux with a USB card reader.
Software required for imaging: bootable USB creator software such as:
    Windows: Rufus
    Mac: Balena Etcher
    Linux: UNetbootin

Your Raspberry Pi

A Raspberry Pi 4 Model B with 2 GB RAM was used for testing the feasibility of running Kali Linux on a Raspberry Pi. Another option that was tested was the Raspberry Pi 400, but the Ethernet network card was not detected on the first boot, meaning only wireless connectivity was available. One benefit of the Pi 400 is that it does not require an external keyboard, as it is a self-contained unit, but it might require more configuration to work reliably.

Raspberry Pi 4 Model B

The Raspberry Pi 400 and Pi 4 Model B have good connectivity as standard. Both come with two HDMI connectors, an Ethernet port, and an SD card slot for the operating system media. The Pi 400 has three USB ports (two USB 3 and one USB 2), whereas the Pi 4 Model B has one extra USB 2 port. The Model B also has a headphone socket for external audio.

The Pi 4 Model B has a choice of RAM from 1 GB to 8 GB, whereas the Pi 400 has 4 GB of RAM that is not upgradeable. Wireless connectivity is built into both models, making connectivity possible without a wired network. A wired connection is recommended for use with Kali Linux for its stability and speed.

Both models also come with a 40-pin GPIO header for attaching external peripherals, but the details are irrelevant to this article.

There are other models of Raspberry Pi available, from the tiny, IoT-style microcontroller Raspberry Pi Pico (not compatible with Kali Linux), through the Raspberry Pi Zero, to the Raspberry Pi 400 mentioned above.

The less powerful devices may have performance issues when running Kali Linux, although they can be used for very specific applications, such as covert hacking tools, where power is not a priority. Details of the full range are available on the Raspberry Pi website, where specs can be compared.

Downloading Kali

The Kali Linux download page has options for various platforms. It is important to download the ARM image from the Kali website as it has been created to work with ARM processors and will work on the Raspberry Pi. Clicking on this will give you several options relating to the different Raspberry Pi models.


There are 32-bit and 64-bit options that are functionally identical, but be sure to use a 64-bit image if you have a Raspberry Pi with more than 4 GB RAM, as the 32-bit operating system will not be able to use memory above 4 GB.


The ARM versions of Kali are identical to the standard version with the same toolset. However, there have been reports of certain tools experiencing problems and reliability issues when running Kali Linux on a Raspberry Pi, but these are rare.

Installing Kali Linux on a Raspberry Pi is straightforward as long as you have the right components.

First, download the Kali ARM image from the Kali Website onto your computer to create the bootable media. The image is around 2.3 GB, which will easily fit onto the recommended 16 GB SD card.

The micro-SD card will need to be inserted into this computer, and an adapter will most likely be needed to make the small card fit a standard SD card slot.

SD Card Reader and Adaptor

The operating system you are using will dictate the bootable media creator you will use. They all work in a similar way where you choose the image to create the bootable media, which will be the one you just downloaded from the Kali website, and point it at the SD card mounted on your computer.


This process can take around 15 minutes. Once it is complete, eject the device safely and slot the micro-SD card into the Raspberry Pi's SD card slot.
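The flashing step just described, together with the earlier caveat that a corrupted card "can't be rolled back", as an added shell example that is not part of the StationX article or any Kali tooling. It verifies the downloaded image against the SHA256SUMS file Kali publishes alongside its images before anything is written, refuses to write to a device the kernel does not flag as removable (so a typo cannot overwrite the host's own disk), and adds a snapshot/restore pair so that a card can be imaged once it has been booted, updated and configured, and restored from that known-good image if a tool later corrupts it. Assumptions: a Linux host with GNU coreutils (dd, sha256sum), xz and gzip; the file name kali-placeholder.img and the SYSFS_ROOT override (which exists only so the removable check can be exercised against a fake sysfs tree) are placeholders.

```shell
#!/bin/sh
# Added example, not the article's or Kali's own code. Assumes a Linux host
# with GNU coreutils, xz and gzip. All file and device names are placeholders.
set -u

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image IMAGE SUMSFILE
# Kali's SHA256SUMS lines have the form "<hash>  <filename>". Succeeds only
# when the hash recorded for IMAGE's basename matches the downloaded file.
verify_image() {
    image=$1; sums=$2
    name=$(basename "$image")
    expected=$(grep " $name\$" "$sums" | head -n 1 | cut -d' ' -f1)
    if [ -z "$expected" ]; then
        echo "verify_image: no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$image")
    [ "$expected" = "$actual" ]
}

# is_removable_device DEV
# True when sysfs flags DEV (e.g. /dev/sdb) as removable. Internal SD
# readers may report 0; in that case check the device by hand rather than
# loosening this test. SYSFS_ROOT (assumed, default /sys) is overridable
# so the check can be run against a constructed tree.
is_removable_device() {
    name=$(basename "$1")
    flag="${SYSFS_ROOT:-/sys}/block/$name/removable"
    [ -f "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# write_image IMAGE TARGET   (decompresses .xz images on the fly)
write_image() {
    image=$1; target=$2
    case "$image" in
        *.xz) xz -dc "$image" | dd of="$target" bs=4M conv=fsync ;;
        *)    dd if="$image" of="$target" bs=4M conv=fsync ;;
    esac
    sync
}

# snapshot_card DEV OUT.gz   -- image a known-good, updated card
# restore_card OUT.gz DEV    -- roll a corrupted card back to that image
snapshot_card() { dd if="$1" bs=4M | gzip -c > "$2"; }
restore_card()  { gzip -dc "$1" | dd of="$2" bs=4M conv=fsync; sync; }

# flash_kali IMAGE SUMSFILE DEV -- verify, then write only to a removable device
flash_kali() {
    image=$1; sums=$2; dev=$3
    verify_image "$image" "$sums" || { echo "checksum mismatch, not flashing" >&2; return 1; }
    is_removable_device "$dev" || { echo "$dev is not flagged removable, refusing" >&2; return 1; }
    write_image "$image" "$dev"
}

# Usage: kali-sd.sh flash IMAGE SHA256SUMS /dev/sdX
#        kali-sd.sh snapshot /dev/sdX known-good.img.gz
#        kali-sd.sh restore known-good.img.gz /dev/sdX
case "${1:-}" in
    flash)    flash_kali "$2" "$3" "$4" ;;
    snapshot) snapshot_card "$2" "$3" ;;
    restore)  restore_card "$2" "$3" ;;
esac
```

Take the snapshot after the first boot and the apt upgrade described later, not straight after flashing, otherwise it is just a copy of the image you already have. The removable check reads the kernel's own flag from sysfs, so it does not depend on guessing device names.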


You will also need to attach a keyboard and a mouse at this point. Connect the power to the Raspberry Pi, and it should automatically turn on and go through the boot process.


Once Kali is booted, using the operating system is exactly the same as on any other device, so you should feel at home instantly.

Last Steps

If a wireless connection is required, then it is a simple process. Click on the network icon in the top right of the screen, select available networks, and type in the password when prompted for the network you want to connect to.


Once a network connection is established, the best practice is to update Kali to ensure the latest patches and versions of the apps are installed. This is a simple process of typing two commands on one line:

sudo apt update && sudo apt upgrade -y

Running the upgrade can take quite a long time, as there are hundreds of packages to update in the Kali build. It is important to perform these steps, as vulnerabilities and stability issues are regularly patched. Regularly updating and upgrading your Kali Linux installation is also good practice to ensure compatibility fixes and bug fixes are applied.

Conclusion

Kali Linux works well on Raspberry Pi hardware and is a very useful tool. There are, however, some caveats.

Some compatibility issues have been discovered with Raspberry Pi hardware, and it has been reported that some applications don’t work properly out of the box. These issues will be solvable with a bit of work, but one of the benefits of Kali Linux is that it should work without any configuration as soon as the boot media or VM is prepared.

Although performance is acceptable for running standard penetration testing and ethical hacking tasks, applications that require intensive processor use and lots of memory might run slower. For example, brute-force password cracking can take a long time, even on hardware with good specifications, so activities like this might not be the best use of a Raspberry Pi.

We advise experimenting with Kali Linux on a Raspberry Pi and finding a use that complements the way you work. Get creative and see what uses you can find for this adaptable device.

The Raspberry Pi could be perfect for some specific uses. This might be enabling you to free up your laptop and leave the device attached to a network for a long time, use the device for long-term monitoring and analysis, or do quick jobs where using a high-powered machine is overkill.

As with the creative ways that enthusiasts have used the Raspberry Pi for various projects, there are many ways it can adapt to penetration testing and ethical hacking with Kali Linux.

Frequently Asked Questions

Can Raspberry Pi Zero run Kali Linux?

It is possible to run Kali Linux on a Raspberry Pi Zero, although it is not recommended for general penetration testing use due to the low power of the device. Instead, they can be used as targeted wireless hacking devices with the advantages of being low-cost and easy to conceal due to their size.

Can Raspberry Pi run full Kali Linux?

The Kali Linux images available for the Raspberry Pi are the full version of the operating system.

Is Kali Linux on Raspberry Pi 32 or 64-bit?

Both 32-bit and 64-bit images of Kali Linux for the Raspberry Pi are available. Be sure to use a 64-bit image if your Raspberry Pi has more than 4 GB RAM.

from StationX https://bit.ly/3CQjtvX
via IFTTT