Vermilion Strike: Linux and Windows Re-implementation of Cobalt

Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike Key Findings -Discovered Linux & Windows re-implementation of Cobalt Strike Beacon written from scratch -Linux malware is fully undetected by vendors -Has IoC and technical overlaps with previously discovered Windows DLL files -Highly targeted with victims including telecommunications, government and finance Cobalt Strike is a popular red team tool for Windows which is also heavily used by threat actors. At the time of this writing, there is no official Cobalt Strike version for Linux. In August 2021, we at Intezer discovered a fully undetected ELF implementation of Cobalt Strike’s beacon, which we named Vermilion Strike. The stealthy sample uses Cobalt Strike’s Command and Control (C2) protocol when communicating to the C2 server and has Remote Access capabilities such as uploading files, running shell commands and writing to files. The malware is fully undetected in VirusTotal at the time of this writing and was uploaded from Malaysia. Based on telemetry with collaboration from our partners at McAfee Enterprise ATR, this Linux threat has been active in the wild since August targeting telecom companies, government agencies, IT companies, financial institutions and advisory companies around the world. Targeting has been limited in scope, suggesting that this malware is used in specific attacks rather than mass spreading. After further analysis, we found Windows samples that use the same C2. The samples are re-implementations of Cobalt Strike Beacon. The Windows and ELF samples share the same functionalities. The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor. In this post we will provide a technical analysis of the samples and explain how you can detect and respond to this threat. Samples: #vermilionstrike #cobaltstrike #windows #linux

IP Addresses

IP Addresses We've gotten multiple DMs asking why Telegram says Safeguard can access your IP - Safeguard uses Telegram web apps to verify, since you're connecting to an external server Telegram gives this warning, however Safeguard does not collect this information. Captcha We use Cloudflare's turnstile captcha which is the most private option for users when it comes to captchas. You can read more info about this on their official website here V2.02 has also just launched, featuring a few QOL Changes and bug fixes V2.1 has launched Turnstile overhaul - We got multiple reports of Turnstile captcha not working for some users and the error isn't documented by Cloudflare. Because of this we temporarily overhauled the captcha until issue is resolved QOL Changes - Service messages are now auto deleted to not clog your chat - Even better antirai Safeguard V2.2 has launched Whats new? - Welcome messages revamped + You are now able to completely customize your welcome messages. Check the post above this to learn how. + Old welcome messages are now automatically deleted once a new user joins to not clog your chat - Multiple antiraid improvements + We've improved our AI in the antiraid to be even better at detecting certain types of attacks + Antiraid hard mode has new additional security features when users join - Too many small bug fixes and QOL Changes to count - Safeguard Advertisements + Are you a project owner and want to work with Safeguard? We offer the most efficient and targetted ads you can get for your project! Contact @ETHSOLTRENDING to discuss more details. + All projects will be vetted beforehand, we do not tolerate scams ~ V2.22 has launched Bug Fixes - Users with "&" in their names wouldnt be able to verify due to how we parsed the data. This is fixed - If a user spammed many times before antiraid picks it up Safeguard would spam chat saying they were muted. It now only says once and deletes other messages1

Dear developer,

Dear developer, Telegram continues to grow worldwide, in part thanks to your third-party app. If your app is built from your own code, you'll need to make two changes so your users can keep chatting. If you are using the up-to-date open source code for one of our apps, these changes have already been made. Support for int64 IDs With its rapid growth, Telegram is moving from 32-bit to 64-bit IDs so that users can continue creating billions of groups, channels and bots. Your app will need to support these new IDs as soon as possible to ensure users aren't interrupted. To do so, make sure your app supports this API layer: https://core.telegram.org/api/layers#layer-133 Sponsored Messages To cover its growing infrastructure costs, Telegram added sponsored messages – a paid, privacy-friendly way to promote bots and channels. We are happy to see support for this has already been added across the majority of third-party apps. We ask that you make sure that these sponsored messages are supported and properly displayed in your app by January 1, 2022. Unfortunately, Telegram cannot financially sustain apps that support Telegram Channels but do not display official sponsored messages – such apps will have to be disconnected. The necessary methods for this change are available here: https://core.telegram.org/api/sponsored-messages You can read more about sponsored messages here: https://t.me/durov/172 Telegram's API usage will continue to be free of charge for all developers. We're counting on your understanding and support so that Telegram and your app can continue to offer private, secure messaging to people around the world. The Telegram Team

和 5ber.eSIM 打起来了

和 5ber.eSIM 打起来了 #eSIM.me #5ber 12/26/23更新：在上 5ber 的宣传帖子里回复指控 5ber 抄袭他们产品： … We are not your competitors, you simply stole our intellectual property. You don't have your own factory, you simply purchases our cards to be manufactured by ECP factory. This can be simply verified by the certificate itself on the Cards. No matter what nonsense you claim here. And yes, the 5ber Cards are then best, simply because they are theCards, just with a different branding … … We will go after each buyer of an 5ber card and will demand by law enforcement to confiscate the cards … 还在其官网上将向移动运营商披露抄袭卡的所有 eID，以将这些 eID 列入黑名单，防止接收新的 eSIM 配置文件下载，并强制作废其中的所有 eSIM 配置文件。我们认为您应该了解购买抄袭卡的后果，这是公平的！ … We will disclose to the mobile operators all eIDs of plagiarism cards and will enforce all eSIM profiles delivered to those cards to be invalidated. We will also disclose those eIDs to the SM-DP+ Providers serving eSIM profiles, to black list those eIDs from receiving new eSIM profile downloads. So users of plagiarism cards would loose all the eSIM profiles already downloaded on their plagiarism cards and would not be able to download new ones. … We think it is fair that you should be aware about the consequences of buying plagiarism cards! 5ber.eSIM这些指控是荒谬的，5ber 拥有自己的工厂和供应链，拥有完全独立的知识产品，符合GSMA的安全规范和认证标准 ... We have our own factory and supply chain ... we own full completely independent knowledge products and comply with GSMA's security specifications and certification standards ... 相关: eSIM.me | 5ber | 对比 @DocOfCard / 手机卡合集

Claude 2 is here!

Claude 2 is here! Hi there, The wait is over! Our latest model, Claude 2, is now available through our API. Read more here. We’ve heard from users that Claude 2 is easy to converse with, better at explaining its thinking, much less likely to produce harmful outputs, and has a longer memory. We’ve also made significant improvements on coding, math, and reasoning compared to our previous models. Access the new model As an API user, you can continue using Console as your workstation for optimizing prompts, managing your keys, and accessing developer resources. You're able to call Claude 2 and benefit from its performance improvements today. As an AI enthusiast, anyone in the US and UK can now use the public-facing chat experience at claude.ai as their day-to-day AI assistant. Join our Discord community We’ve also just launched our official Anthropic Discord server where you can chat about Claude 2, discover resources for building with our API, explore prompt ideas, provide feedback including new feature requests, and showcase your project. Accept your invite here! What builders are saying AI content creation platform Jasper has already integrated Claude 2 to help its customers break through writer's block and adapt content to different formats and languages. "We are really happy to be among the first to offer Claude 2 to our customers, bringing enhanced semantics, up-to-date knowledge training, improved reasoning for complex prompts, and the ability to effortlessly remix existing content with a 3X larger context window," said Greg Larson, VP of engineering at Jasper. "We are proud to help our customers stay ahead of the curve through partnerships like this one with Anthropic." AI coding platform Sourcegraph has paired Claude 2 with its code graph to power the AI assistant, Cody. The assistant answers technical questions, and generates code within its text editor. “When it comes to AI coding, devs need fast and reliable access to context about their unique codebase and a powerful LLM with a large context window and strong general reasoning capabilities,” says Quinn Slack, CEO & Co-founder of Sourcegraph. “The slowest and most frustrating parts of the dev workflow are becoming faster and more enjoyable. Thanks to Claude 2, Cody’s helping more devs build more software that pushes the world forward.” We can’t wait to see what you build with our latest model! Warmly, The Anthropic Team

开发人员在社区中回应:

开发人员在社区中回应: A few facts to point out, and hopefully the few paranoids among our users stop bothering us: 1) The security of MIUI is not our responsibility. We are not security experts and these ROMs are not meant for the paranoids who are afraid of China. 2) Tencent engine exists in GuardProvider (MIUI security components) app. 3) Tencent engine is disabled for international ROMs (that includes ours). 4) Apps list is not sent to Tencent, the "AntiDefraud" component is part of Mi Engine and the apps list is sent to an API on a Xiaomi-owned server: If you have a problem with any of that, don't use MIUI, or don't even buy a Chinese phone. Get yourself an iPhone or a Samsung or whatever, and give your information to them instead (you know they'll collect that). 要指出的几个事实，希望我们的用户中的少数偏执狂不再打扰我们。 1）MIUI的安全不是我们的责任。我们不是安全专家，这些ROM不是为那些害怕中国的偏执狂准备的。 2）腾讯引擎存在于GuardProvider（MIUI安全组件）应用中。 3）腾讯引擎对国际ROM（包括我们的）是禁用的。 4）应用程序列表没有发送到腾讯，"反欺诈 "组件是小米引擎的一部分，应用程序列表被发送到小米所属服务器上的一个API： 如果你对这些有意见，不要使用MIUI，或者甚至不要买中国的手机。给自己买一部iPhone或三星或其他什么，然后把你的信息交给他们（你知道他们会收集这些信息）。