<p>CySecurity News - Latest Information Security and Hacking Incidents. CySecurity News is a leading portal for IT security and hacker news, covering cyber security, hacker and cyber crime updates.</p>

<p><b>Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect</b> (2024-02-26)</p>
<div style="text-align: justify;">Shortly after reports emerged of a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Kyle Hanslovan, CEO of Huntress, warned that exploitation of these vulnerabilities could let attackers take over thousands of ScreenConnect servers, each of which controls numerous endpoints, and cautioned that this could become the most significant cybersecurity incident of 2024. Because ScreenConnect is used by tech support teams and others for remote access, a compromised server is a direct route to unauthorized access on every endpoint it manages.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect to customer environments. This mirrors previous incidents such as the Kaseya attacks in 2021, in which MSPs were exploited to reach downstream systems.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">ConnectWise initially published fixes without assigning CVEs, but proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active attacks exploiting the bugs, and by Wednesday multiple researchers reported increasing attack activity.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The vulnerabilities now have CVEs: CVE-2024-1709, a critical authentication bypass, and CVE-2024-1708, a path traversal issue enabling unauthorized file access. The authentication bypass is the more dangerous of the two, because it gives an unauthenticated attacker administrative control of the server; once in, the path traversal provides file-system access beyond what the application should allow.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to endpoints, intending to sell that access to ransomware groups. 
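</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">As an added example (not code from the article or from ConnectWise), here is a small Python triage script covering the two checks a responder needs after a disclosure like this: a numeric version comparison against the fixed release, so that servers below 23.9.8 are flagged correctly even when a lexicographic sort would get it wrong, and a scan of web-server request logs for path-traversal sequences in plain, URL-encoded and double-encoded form, the bug class CVE-2024-1708 belongs to. The inventory, hostnames, request paths and log lines are constructed for the example, and the log format is assumed to be common log format.</div>

```python
"""Triage helpers for a ScreenConnect exposure (added example, not ConnectWise code).

Two checks a responder can run from an inventory export and web-server logs:
  1. flag on-premise servers whose version is below the fixed release 23.9.8;
  2. flag request paths carrying path-traversal sequences, including
     URL-encoded and double-encoded forms.
The inventory, hostnames, paths and log lines below are constructed sample data;
the log format is assumed to be common log format.
"""
import re
from urllib.parse import unquote

FIXED_VERSION = (23, 9, 8)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '23.9.7.8754' into (23, 9, 7, 8754). Numeric, not lexicographic:
    a string compare would wrongly rank '23.9.10' below '23.9.8'."""
    return tuple(int(p) for p in text.strip().split("."))


def is_unpatched(version: str, fixed: tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the version sorts below the fixed release (pad to equal length)."""
    v = parse_version(version)
    n = max(len(v), len(fixed))
    return (v + (0,) * (n - len(v))) < (fixed + (0,) * (n - len(fixed)))


def unpatched_servers(inventory: dict[str, str]) -> list[str]:
    """Hostnames whose version is below the fix, sorted for stable reporting."""
    return sorted(h for h, v in inventory.items() if is_unpatched(v))


# '..' as a whole path segment, with either slash style on each side
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def has_traversal(path: str) -> bool:
    """Decode repeatedly (double encoding is common) until the path stops
    changing, then look for a '..' segment in the fully decoded form."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(TRAVERSAL.search(decoded))


LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """(client, path) pairs whose request path contains a traversal sequence."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and has_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Constructed sample inventory: hostname -> reported ScreenConnect version
SAMPLE_INVENTORY = {
    "sc-prod-01": "23.9.8.8811",
    "sc-prod-02": "23.9.7.8754",
    "sc-lab": "22.8.1.8000",
    "sc-cloud": "23.9.10.8817",
}

# Constructed sample log lines (common log format); paths are illustrative only
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2024:10:01:02 +0000] "GET /Bin/ScreenConnect.Core.dll HTTP/1.1" 200',
    '203.0.113.7 - - [21/Feb/2024:10:01:09 +0000] "GET /Extensions/..%2f..%2fweb.config HTTP/1.1" 200',
    '203.0.113.7 - - [21/Feb/2024:10:01:15 +0000] "GET /Extensions/%252e%252e/%252e%252e/secrets.xml HTTP/1.1" 404',
    '10.0.0.8 - - [21/Feb/2024:10:02:00 +0000] "POST /Services/PageService.ashx/GetDashboard HTTP/1.1" 200',
]

if __name__ == "__main__":
    print("unpatched:", unpatched_servers(SAMPLE_INVENTORY))
    for ip, path in suspicious_requests(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
```

<div style="text-align: justify;">Both checks are deliberately conservative: a 404 on a traversal attempt still means someone is probing, so the status code is parsed but not used to filter, and a server reported at exactly 23.9.8 is treated as patched only because the article names that as the fixed release.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">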
There have been instances of ransomware attacks on local governments, including endpoints potentially linked to critical systems such as 911 services.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The US Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Mitigation starts with upgrading to ScreenConnect version 23.9.8 or later, which contains the fix, and then checking for the indicators of compromise (IoCs) published by ConnectWise. Because exploitation was under way before many servers were patched, patching alone is not enough: organizations should also review their servers for unfamiliar extensions and other suspicious files and activity.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">ConnectWise has also revoked licenses for unpatched servers, which offers some hope, but the situation remains serious for anyone still running a vulnerable version or failing to patch promptly.</div>
<p>Shruti Jain</p>

<p><b>Recent Vulnerability Puts 3,000 Openfire Servers at Risk of Attack</b> (2023-08-24)</p>
<p style="text-align: justify;">More than 3,000 internet-facing Openfire servers have not been patched against a recent vulnerability, leaving them exposed to a newly published exploit, according to a report by VulnCheck, a vulnerability intelligence firm.</p><p style="text-align: justify;">Openfire, developed by Ignite Realtime, is a cross-platform real-time collaboration server written in Java. It implements the XMPP protocol and is administered through a web console.</p><p style="text-align: justify;">The vulnerability, tracked as CVE-2023-32315 and rated high severity, affects Openfire's administration console. It is a path traversal flaw in the setup environment that lets unauthenticated attackers reach restricted parts of the admin console.</p><p style="text-align: justify;">The root cause is that Openfire's path traversal protection did not account for a non-standard URL encoding of UTF-16 characters. The embedded web server gained support for this encoding in a later release, so requests using it were decoded and served, while the protection in front of the admin console was never updated to recognize it.</p><p style="text-align: justify;">All Openfire releases from version 3.10.0, released in April 2015, up to but not including 4.7.5 and 4.6.8, the May 2023 releases that fix the flaw, are affected.</p><p style="text-align: justify;">Exploitation has been observed for more than two months. 
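</p><p style="text-align: justify;">The root cause described above is a general pattern: a guard that inspects the raw request path while the server decodes more escape forms than the guard knows about. The following Python is an added example, not Openfire code, that shows the broken pattern next to the fixed one. It assumes the non-standard UTF-16 encoding is the <code>%uXXXX</code> form (the article does not name it) and uses constructed page names; the setup prefix, the protected page names and the sample request are all assumptions for the example.</p>

```python
"""Decode before you check: the path-traversal pattern behind CVE-2023-32315
(added example, not Openfire code).

Openfire lets requests under /setup/ through without authentication and blocked
traversal by looking for '..' in the path. The embedded web server, however,
also decoded a non-standard escape for UTF-16 code units, assumed here to be the
'%uXXXX' form (an assumption; the article does not name the encoding). A path
escaped that way contains no literal '..', so the guard passes it, and only
afterwards does the server decode it into a traversal that lands on a protected
admin page. The page names below are constructed for the example.
"""
import re
from urllib.parse import unquote

SETUP_PREFIX = "/setup/"                                   # reachable pre-auth
PROTECTED = {"/plugin-admin.jsp", "/user-create.jsp"}      # assumed page names

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_path(raw: str) -> str:
    """Decode standard %XX escapes and the non-standard %uXXXX escapes the way a
    permissive server would, producing the path it will actually serve."""
    with_u = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(with_u)


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments purely on the string, never on disk."""
    out: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def served_resource(raw: str) -> str:
    """The resource the server resolves for a raw request path."""
    return normalize(decode_path(raw))


def guard_vulnerable(raw: str) -> bool:
    """Broken: decides on the raw, still-encoded path."""
    return ".." not in raw and raw.startswith(SETUP_PREFIX)


def guard_fixed(raw: str) -> bool:
    """Fixed: decides on the same decoded, normalized path the server serves."""
    return served_resource(raw).startswith(SETUP_PREFIX)


def bypasses(raw: str, guard) -> bool:
    """True when the guard admits the request unauthenticated but the server
    would hand back a protected page."""
    return guard(raw) and served_resource(raw) in PROTECTED


# Constructed request: looks like a setup page, decodes to the plugin admin page
EXPLOIT_PATH = "/setup/setup-s/%u002e%u002e/%u002e%u002e/plugin-admin.jsp"
LEGIT_PATH = "/setup/index.jsp"

if __name__ == "__main__":
    for label, guard in (("vulnerable", guard_vulnerable), ("fixed", guard_fixed)):
        print(label, "bypass:", bypasses(EXPLOIT_PATH, guard),
              "legit setup page allowed:", guard(LEGIT_PATH))
```

<p style="text-align: justify;">The fixed guard does not try to enumerate encodings it dislikes; it runs the same decoding the server runs and then decides on the result, which is the only ordering that cannot be outrun by a new escape syntax.</p><p style="text-align: justify;">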
Threat actors have been creating new user accounts in the admin console and using them to install a plugin. That plugin contains a web shell, giving the attackers arbitrary command execution on the server and access to its data.</p><p style="text-align: justify;">The publicly available exploits for CVE-2023-32315 all follow this pattern. VulnCheck, however, reports a new exploit path that does not require creating an administrative user account at all.</p><p style="text-align: justify;">VulnCheck counted more than 6,300 Openfire servers reachable on the internet. Roughly half of them are either patched, running older versions that predate the flaw, or forks that may not be affected.</p><p style="text-align: justify;">That leaves roughly 50% of externally facing Openfire servers on affected versions. Although the absolute number is modest, the firm stresses that these servers matter because of the trust chat clients place in them.</p><p style="text-align: justify;">Using the vulnerability, an unauthenticated attacker can reach the plugin administration endpoint directly, upload a plugin containing a web shell, and then use that shell, all without ever authenticating.</p><p style="text-align: justify;">VulnCheck notes that this approach never triggers a login, so nothing is written to the security audit log. The absence of an audit log entry matters: it removes the most obvious evidence of the breach.</p><p style="text-align: justify;">Traces of the activity may still appear in the openfire.log file, but the attacker can use the web shell, together with the path traversal, to delete that log. This leaves the plugin itself as the sole indicator of compromise, a point VulnCheck highlights; in practice, reviewing the installed plugins is a more reliable check than relying on the logs.</p><p style="text-align: justify;">“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.</p>
<p>Shruti Jain</p>

<p><b>Cyberattack Strikes Australian Energy Software Company Energy One</b> (2023-08-23)</p>
<div style="text-align: justify;">Energy One, an Australian company that develops software and services for the energy industry, has been hit by a cyberattack.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In a statement on Monday, the company said the breach was identified on August 18 and affected certain internal systems in both Australia and the United Kingdom.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Energy One is investigating whether customer-facing systems or personal data were affected, and is working to identify the initial point of intrusion used by the attacker.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Although details of the attack have not been disclosed, the wording of the company's statement strongly suggests a ransomware attack.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Cybersecurity specialists have been engaged to support the investigation, and the relevant authorities in Australia and the UK have been notified.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to a recent report by Searchlight Cyber, a British threat intelligence firm, criminals have been selling initial access to energy sector companies around the world at prices ranging from $20 to $2,500.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The access on offer comes through several routes, including exposed Remote Desktop Protocol (RDP) services, compromised login credentials, and vulnerabilities in edge devices such as Fortinet products.</div>
<p>Shruti Jain</p>

<p><b>This Ransomware Targets Several English-Speaking Nations</b> (2023-08-08)</p>
<div style="text-align: justify;">According to researchers at Cisco Talos, a new ransomware variant is believed to have been used in a series of attacks on organizations in China, Vietnam, Bulgaria and several English-speaking countries.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The researchers said on Monday that they had identified a previously unknown threat actor, apparently based in Vietnam, who has been conducting these attacks since at least June 4.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The malware is a modified version of the Yashma ransomware. Yashma had become far less active after a decryption tool for it was released last year.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">“Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, ‘nguyenvietphat,’ has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas,” the researchers said in a report.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">“The threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.”</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The ransom note closely resembles that of WannaCry, the ransomware that drew worldwide attention in 2017. It is available in English, Bulgarian, Vietnamese and Chinese.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If victims do not pay within three days, the ransom doubles. The attackers provide a Gmail address for contact. Notably, the note specifies no ransom amount, and the Bitcoin wallet it lists holds no funds, suggesting the operation is still in its early stages.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">After encrypting a victim's files, the malware changes the desktop wallpaper to a message stating that all files have been encrypted.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Cisco Talos, Yashma, which first appeared in May 2022, is essentially a rebranded version of the Chaos ransomware. BlackBerry researchers analyzed Yashma's features in detail last year, and Cisco Talos found that the new variant retains most of the original's core functionality.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">One significant change is that the new variant no longer embeds the ransom note in the ransomware binary. Instead, it downloads the note from a GitHub repository controlled by the threat actor. Ransom note strings are a common detection signature for endpoint protection and antivirus products, so removing them from the binary is an evasion technique.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The variant also preserves Yashma's anti-recovery capability: it overwrites the content of each original, unencrypted file with a single '?' character before deleting it. Because the original bytes are gone from disk, incident responders and forensic analysts cannot simply undelete the files from the victim's drive.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Organizations that track ransomware have noted a sharp rise in the number of distinct strains. FortiGuard Labs reported significant growth in ransomware variants, largely driven by the Ransomware-as-a-Service (RaaS) model.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Ransomware expert Allan Liska of Recorded Future pointed out that many so-called "new" strains are really variations of earlier releases. Data gathered by his team showed that fewer than 25% of 328 supposedly "new" ransomware variants were genuinely novel.</div>
<p>Shruti Jain</p>

<p><b>ESXi Servers are Targeted by Linux-Based Akira Ransomware</b> (2023-07-01)</p>
<div style="text-align: justify;">The Akira ransomware operation has begun using a Linux encryptor to encrypt VMware ESXi virtual machines, blocking access to them. The move follows several months in which the group targeted only Windows systems.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">With the Linux encryptor, Akira can encrypt ESXi virtual machines as part of its double-extortion attacks against companies worldwide. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Akira first appeared in March 2023 and is a relatively new, less well-known addition to the ransomware landscape.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In its short time in operation, Akira has claimed 45 confirmed victims, most of them in the U.S. The affected organizations range from childcare centers to large financial institutions.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The operators run double-extortion attacks: they steal data from the breached network, encrypt files, and then demand payments that run to several million dollars in some cases, threatening to leak the stolen data if the victim does not pay.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The gang's leak site lists victims including asset managers, the Development Bank of Southern Africa and London Capital Group, along with many US-based companies. After gaining access, Akira encrypts the organization's files, appends an extension to each encrypted file's name and leaves a ransom note on the desktop that explains, in a condescending tone, that paying is the fastest way to return the company to normal operation.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Because the data is copied before it is encrypted, the attackers hold two levers: the threat of publishing the stolen information and the sale of the decryption key. Ransom demands have exceeded a million dollars in some cases and been lower in others. Targets so far have been concentrated in professional services, education, manufacturing, and research and development.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Encrypted files are renamed with the .akira extension, whatever their original extension, and a ransom note named akira_readme.txt is left in every folder on the encrypted device. Both the extension and the note file are straightforward indicators of compromise to sweep for.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The Linux version of Akira takes command-line options that customize its behavior, including the percentage of each file to encrypt, which lets the operators trade encryption speed against thoroughness on large virtual disk files. The fact that this build still skips folders and files associated with Windows suggests it was ported from the Windows version.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Akira's expansion to Linux and ESXi illustrates the urgency of action for organizations worldwide. Ransomware groups are increasingly extending their operations to Linux platforms, often with readily available tooling, because the strategy is both simple and lucrative.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Other prominent ransomware operations that use Linux encryptors against VMware ESXi servers include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX, and Hive.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b><span style="font-size: medium;">Spreads Rapidly, is Widely Popular, and is Unsecured </span></b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">ESXi servers are attractive ransomware targets for three reasons. First, a single run of the encryptor on the hypervisor encrypts every virtual machine it hosts, so one action takes down many systems at once. Second, ESXi is among the most widely used hypervisors in enterprise environments. Third, ESXi hosts typically run no security software: a previous CrowdStrike report noted that antivirus agents are simply not supported on them by the manufacturer. 
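</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Since ESXi hosts run no endpoint agent, the first check after a suspected Akira incident is usually a manual sweep of the datastores for the two artifacts described above: files renamed with the .akira extension and the akira_readme.txt note dropped into each folder. The following Python is an added example, not code from the article, from Akira or from VMware. It builds a constructed datastore tree in a temporary directory so it runs offline; on a real host the same sweep function would be pointed at the datastore mount instead.</div>

```python
"""Sweep a directory tree for Akira indicators (added example; not code from the
article, Akira or VMware).

The two artifacts the article describes are files renamed with the .akira
extension and a ransom note named akira_readme.txt dropped into every folder.
The tree below is constructed in a temporary directory so the sweep runs
offline; on a real host, point sweep() at a datastore mount instead.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".akira"
RANSOM_NOTE = "akira_readme.txt"


def sweep(root: Path) -> dict:
    """Walk `root` and return the locations of both indicators, plus the set of
    folders that received a note (a note in every folder is the expected shape)."""
    encrypted: list[str] = []
    notes: list[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "folders_with_note": sorted({Path(n).parent.as_posix() for n in notes}),
    }


def compromised(result: dict) -> bool:
    """Either indicator alone is enough to escalate."""
    return bool(result["encrypted_files"] or result["ransom_notes"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample datastore: one VM folder hit, one untouched."""
    hit = root / "datastore1" / "web01"
    clean = root / "datastore1" / "db01"
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    (hit / "web01-flat.vmdk.akira").write_bytes(b"\x00" * 16)
    (hit / "web01.vmx.akira").write_bytes(b"\x00" * 16)
    (hit / RANSOM_NOTE).write_text("constructed ransom note text\n")
    (root / "datastore1" / RANSOM_NOTE).write_text("constructed ransom note text\n")
    (clean / "db01-flat.vmdk").write_bytes(b"\x00" * 16)
    (clean / "db01.vmx").write_text('config.version = "8"\n')


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    result = run_demo()
    print("compromised:", compromised(result))
    for key, value in result.items():
        print(key, value)
```

<div style="text-align: justify;">The sweep reports paths relative to the root and keeps the note locations separate from the encrypted files, because the difference between the two lists is itself useful: folders with a note but no .akira files are ones the encryptor visited but skipped, which is where the Windows-specific exclusions carried over from the original build show up.</div><div style="text-align: justify;"><br />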
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Over the weekend of February 2 to 6, thousands of ESXi servers were hit in a single coordinated campaign. The attackers exploited a vulnerability that had been patched two years earlier, which underlines how important server security is, even though investigating and remediating can take a long time and is rarely easy. Mandiant had already reported on malware targeting this environment in 2022, but that activity had not yet been exploited at scale and the threat remained little known.</div>
<p>Trapti Rajput</p>

<p><b>Uncovered: Clop Ransomware's Lengthy Zero-Day Testing on the MOVEit Platform</b> (2023-06-11)</p>
<div style="text-align: justify;">Security researchers have uncovered evidence that the notorious Clop ransomware group had been testing a zero-day vulnerability in the widely used MOVEit Transfer platform since 2021, according to recent reports. The finding raises serious questions about how long such flaws can sit undetected, and affected organizations and security agencies have moved urgently to contain the damage. It also underlines how sophisticated ransomware operations have become and how critical robust defenses against these threats are. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Authorities are now working closely with the affected parties to investigate the incident and develop countermeasures.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Researchers examining the recent Clop data-theft attacks on vulnerable MOVEit Transfer instances found that the technique used to deploy the newly disclosed LemurLoot web shell matches activity recorded years earlier. Using logs from affected clients' networks, they determined which clients had been touched by that earlier activity.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory on the active exploitation of the critical vulnerability in Progress Software's MOVEit Transfer application, which the Clop ransomware gang has been exploiting.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Kroll researchers, in a forensic review of the Clop activity, found evidence dating back to July 2021 that the group may have been experimenting with the now-patched file transfer vulnerability (CVE-2023-34362) that month.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The BBC, British Airways, the UK drugstore chain Boots and the Nova Scotia provincial government are among the organizations that reported at the end of last month that their data had been taken by the group, as has the payroll provider Zellis. The employee data of Vodafone, the BBC and Boots was exposed through Zellis, which stored it on their behalf.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Clop, a Russia-linked group also tracked as Lace Tempest, TA505 and FIN11, previously claimed responsibility for attacks that exploited a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer product. More than 130 organizations were targeted in that campaign and the data of more than a million patients was compromised.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The joint FBI and CISA advisory noted that the MOVEit Transfer SQL injection exploitation, disclosed on Wednesday, resembles the group's 2020-21 campaign against Accellion FTA servers, in which it installed the DEWMODE web shell.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Investigators also found that threat actors had been testing methods for gathering and extracting sensitive data from compromised MOVEit Transfer servers as far back as April 2022, probably using automated tooling, and the same methods may have been used to gain access to servers.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In the weeks leading up to last month's attacks, and in addition to the 2022 activity, the actors appear to have used automated means to test their access and pull information back from MOVEit Transfer servers, using that information to work out which organizations they had reached.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">During this activity, the Organization IDs ("Org IDs") of specific MOVEit Transfer users were exfiltrated, which in turn would have allowed Clop to work out which organizations it had access to and which to pursue. 
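</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The flaw being exploited is a SQL injection, and the Org ID exfiltration above is exactly the kind of result an injection produces: a lookup meant to return one row is turned into a dump of a whole table. The following Python is an added example of that vulnerability class beside its fix, not MOVEit Transfer code; the table, the column names and the sample rows are constructed for the example and are not the product's real schema.</div>

```python
"""SQL injection, the vulnerability class behind CVE-2023-34362, on a constructed
schema (added example; not MOVEit Transfer code, and the table and column layout
are assumptions, not the product's real schema).

The vulnerable lookup builds its query with string formatting, so a crafted
username turns a single-row lookup into a dump of every organization's ID, the
kind of data the article says was exfiltrated. The fixed lookup binds the value
as a parameter, so the same input matches nothing and returns no rows.
"""
import sqlite3

SAMPLE_USERS = [  # constructed sample data: (username, org_id)
    ("alice", 1001),
    ("bob", 1002),
    ("carol", 2001),
]

INJECTION = "x' OR '1'='1"  # constructed payload: closes the quote, adds a tautology


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, org_id INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def org_ids_vulnerable(conn: sqlite3.Connection, username: str) -> list[int]:
    """Broken: user-controlled text is spliced straight into the SQL."""
    sql = f"SELECT org_id FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def org_ids_fixed(conn: sqlite3.Connection, username: str) -> list[int]:
    """Fixed: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT org_id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups with an honest username and with the injection payload."""
    conn = make_db()
    try:
        return {
            "honest_vulnerable": org_ids_vulnerable(conn, "alice"),
            "injected_vulnerable": org_ids_vulnerable(conn, INJECTION),
            "honest_fixed": org_ids_fixed(conn, "alice"),
            "injected_fixed": org_ids_fixed(conn, INJECTION),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label:20s} -> {ids}")
```

<div style="text-align: justify;">The point of the fixed version is not that it escapes quotes better; it never lets the input reach the parser as SQL at all, so no choice of payload can change the shape of the query.</div><div style="text-align: justify;"><br />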
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Clop has claimed responsibility for the MOVEit attacks on its website, where it invites victims to contact it by July 14 if they do not want their names posted on the site. The group has posted examples of exfiltrated data, and data belonging to victims with whom no ransom deal was reached has been published; even a ransom deal would not guarantee that the stolen data remains secure. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In a LinkedIn post, Charles Carmakal, CEO of Mandiant Consulting, expressed surprise at the number of victims the MOVEit campaign has produced, characterizing it as "overwhelming."</div>Trapti Rajputhttp://www.blogger.com/profile/17164006516937398466noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-68492779342086899602023-05-01T11:56:00.002-04:002023-05-01T11:56:16.924-04:00Targeted: Hackers Exploit Vulnerable Veeam Backup Servers with FIN7 Tactics<h3 style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwFFPZLda1NWksEIcRodSsITqb7cIST82DgeKds732psJ9-tYAcN4Tbb0U3HMzCHpRL_sOTu43dljSK9eLpODEEKZHXmTTgUMRe9R-JeIf2CnR1uJVGZYOGvuiZ-oZHjNmZJi6-c5qShZnkudIHfB-wsKOqjZwwQ6DStHGS46LVlIMQ1Z797xSdtA1pQ/s960/matrix-4747148_960_720.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="Hackers Exploit Vulnerable Veeam Backup Servers with FIN7 Tactics" border="0" data-original-height="540" data-original-width="960" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwFFPZLda1NWksEIcRodSsITqb7cIST82DgeKds732psJ9-tYAcN4Tbb0U3HMzCHpRL_sOTu43dljSK9eLpODEEKZHXmTTgUMRe9R-JeIf2CnR1uJVGZYOGvuiZ-oZHjNmZJi6-c5qShZnkudIHfB-wsKOqjZwwQ6DStHGS46LVlIMQ1Z797xSdtA1pQ/w640-h360/matrix-4747148_960_720.jpg" title="Hackers Exploit Vulnerable 
Veeam Backup Servers with FIN7 Tactics" width="640" /></a></div><br /><div style="text-align: justify;">Cyberattacks on vulnerable Veeam backup servers exposed online</div></h3><p style="text-align: justify;">Veeam Backup and Replication software is a popular choice for many organizations to protect their critical data. However, recent reports have revealed that hackers are targeting vulnerable Veeam backup servers that are exposed online, leaving organizations at risk of data theft and other cyberattacks. </p><p style="text-align: justify;">There is evidence that at least one group of threat actors, associated with several high-profile ransomware gangs, is targeting Veeam backup servers. </p><p style="text-align: justify;">Since March 28th, malicious activity and tools resembling those used in FIN7 attacks have been reported exploiting a high-severity vulnerability in the Veeam Backup and Replication (VBR) software. </p><p style="text-align: justify;">This vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in the VBR configuration to unauthenticated users, potentially allowing unauthorized access to the backup infrastructure hosts.</p><p style="text-align: justify;">The software vendor addressed the vulnerability on March 7 and offered instructions for implementing workarounds. However, on March 23, a pentesting company named Horizon3 released an exploit for CVE-2023-27532, which showed how the credentials could be extracted in plain text using an unsecured API endpoint. </p><p style="text-align: justify;">The exploit also allowed attackers to run code remotely with the highest privileges. 
Despite the fix, Huntress Labs reported that roughly 7,500 internet-exposed VBR hosts were still susceptible to the vulnerability.</p><h3 style="text-align: justify;">Evidence of FIN7 tactics used in recent attacks</h3><p style="text-align: justify;">A recent report by cybersecurity and privacy company WithSecure reveals that attacks in late March targeted publicly accessible servers running Veeam Backup and Replication software. The techniques used in these attacks were similar to those previously associated with FIN7. </p><p style="text-align: justify;">The researchers deduced that the attacker exploited the CVE-2023-27532 vulnerability, given the timing of the campaign, the presence of open TCP port 9401 on compromised servers, and the vulnerable version of VBR running on the affected hosts. </p><p style="text-align: justify;">During a threat hunt exercise using telemetry data from WithSecure's Endpoint Detection and Response (EDR), the researchers discovered Veeam servers generating suspicious alerts such as sqlservr.exe spawning cmd.exe and downloading PowerShell scripts.</p><p style="text-align: justify;">What makes the vulnerability exploitable in practice is that some organizations use insecure configurations when setting up their Veeam backup servers, leaving them accessible over the Internet. Hackers can then exploit these weaknesses to gain access to sensitive data and files.</p><p style="text-align: justify;">One of the most common attack methods is brute force, in which hackers use automated tools to try different username and password combinations until they gain access to the Veeam backup server. 
They can also use other methods like social engineering or spear-phishing to get hold of credentials or trick users into installing malware on their systems.</p><p style="text-align: justify;">Once the hackers have gained access, they can steal the backup files, modify or delete them, or use them to launch further attacks on the organization's systems. The impact of such attacks can be severe, causing loss of critical data, disruption to business operations, and significant financial losses.</p><h3 style="text-align: justify;">Mitigating the risk of cyberattacks on Veeam backup servers</h3><p style="text-align: justify;">To prevent such attacks, organizations need to ensure that their Veeam backup servers are properly secured. This includes configuring the server to only allow access from trusted networks, implementing strong password policies, and keeping the software up to date with the latest security patches.</p><p style="text-align: justify;">Additionally, organizations should consider implementing multi-factor authentication (MFA) to provide an extra layer of security. MFA requires users to provide more than one form of identification, such as a password and a one-time code sent to their mobile device, making it more difficult for hackers to gain access even if they have obtained login credentials.</p><p style="text-align: justify;">Regular security audits and vulnerability assessments can also help identify potential weaknesses and enable organizations to take proactive measures to mitigate them before hackers can exploit them.</p><p style="text-align: justify;">Veeam backup servers are a critical component of an organization's data protection strategy, and securing them should be a top priority. Organizations must take the necessary steps to ensure that their Veeam backup servers are properly secured and not exposed to the internet. 
</p><p style="text-align: justify;">By taking these necessary steps, organizations can significantly reduce the risk of a security breach and protect their critical data from falling into the wrong hands. It is always better to be proactive and take preventive measures rather than deal with the aftermath of a cyberattack.</p><p style="text-align: justify;"><br /></p>Samarth Mishrahttp://www.blogger.com/profile/06894478828562538725noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-31456477212161427922023-04-01T10:20:00.003-04:002023-04-01T10:20:34.729-04:00The Urgent Need to Address the Critical Bug in IBM's Aspera Faspex <h3 style="text-align: justify;"><span style="font-weight: normal;"><a href="https://www.ibm.com/support/pages/node/6952319" target="_blank">IBM's </a>widely used Aspera Faspex has been found to have a critical vulnerability with a 9.8 CVSS rating, which could have serious consequences for organizations using the software. This blog will discuss the vulnerability in detail and the importance of taking prompt action to mitigate the risk.</span></h3><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMNM0TYjv16KMWuYeI4s_PXJweE2GEWDprvvOJV3Xrl2CfOxd-ePQ_SI2GcCJ6Wl0laA-VRHjcuJtFcNWHwk_MLgBOI-3S8Jy3GaWcMY0nEv_h3RHjQiOYv8tJxch2dVmAFIYx9T9YY1DpS6nl_7nJU2UdlGkFDYhljNgC-cRCAVzRKzQu3kVK95n40g/s960/wifi-4086902_960_720.jpg" style="margin-left: 1em; margin-right: 1em;"><img alt="Aspera Faspex vulnerability" border="0" data-original-height="619" data-original-width="960" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMNM0TYjv16KMWuYeI4s_PXJweE2GEWDprvvOJV3Xrl2CfOxd-ePQ_SI2GcCJ6Wl0laA-VRHjcuJtFcNWHwk_MLgBOI-3S8Jy3GaWcMY0nEv_h3RHjQiOYv8tJxch2dVmAFIYx9T9YY1DpS6nl_7nJU2UdlGkFDYhljNgC-cRCAVzRKzQu3kVK95n40g/w640-h412/wifi-4086902_960_720.jpg" title="The Urgent Need to Address the Critical Bug in IBM's Aspera Faspex" width="640" 
/></a></div><span style="font-weight: normal;"><br /></span></div><h3 style="text-align: justify;">IBM Vulnerability | An Overview</h3><p style="text-align: justify;">IBM's widely used Aspera Faspex file transfer system has a serious problem. A critical bug that could allow hackers to run any code they want is being used by cybercriminals, including ransomware groups. Even though IBM has released a patch to fix the issue, many organizations have failed to install it. </p><p style="text-align: justify;">Researchers are warning that this vulnerability is being exploited, and one of their customers was recently hacked due to this problem. It's important to take immediate action to fix this vulnerability to avoid being targeted by hackers.</p><h3 style="text-align: justify;">What is Aspera Faspex?</h3><p style="text-align: justify;">Aspera Faspex is a software application that provides secure file transfer capabilities to businesses and organizations. It is widely used across various industries, including media and entertainment, healthcare, finance, and government agencies.</p><h3 style="text-align: justify;">Understanding the Vulnerability</h3><p style="text-align: justify;">The vulnerability (CVE-2022-5859) in <a href="https://www.ibm.com/downloads/cas/7D3KBL9Z" target="_blank">Aspera Faspex</a> version 4.1.3 and earlier versions arises from insufficient validation of user-supplied input in the software. Attackers could exploit this vulnerability by sending specially crafted data to the application, leading to arbitrary code execution. This could enable attackers to bypass authentication and execute code on the vulnerable system, which could result in significant data breaches and other security incidents.</p><h3 style="text-align: justify;">The Impact of the Vulnerability</h3><p style="text-align: justify;">The vulnerability in Aspera Faspex is considered critical, with a CVSS rating of 9.8 out of 10. 
This means that it is highly exploitable and could have severe consequences for organizations using the software. Attackers could gain unauthorized access to sensitive data, execute malicious code, and cause significant disruptions to business operations.</p><h3 style="text-align: justify;">The Importance of Timely Patching</h3><p style="text-align: justify;">IBM has recommended that organizations using the affected version of the software should upgrade to a patched version as soon as possible to address the vulnerability. Timely patching is critical in mitigating the risk of cyberattacks and data breaches. Organizations that delay patching are putting themselves at increased risk of cyberattacks and other security incidents.</p><h3 style="text-align: justify;">The Role of Security Hygiene</h3><p style="text-align: justify;">In addition to timely patching, implementing robust security measures is crucial in preventing cyberattacks and minimizing the <a href="https://therecord.media/ibm-aspera-faspex-bug-cisa-known-vulnerability-list" target="_blank">impact of security incidents</a>. IBM has emphasized the importance of following standard security practices, including network segmentation and monitoring for unusual behavior. These security measures can help organizations detect and respond to security incidents in a timely manner.</p><h3 style="text-align: justify;">The Significance of the Aspera Faspex Vulnerability</h3><p style="text-align: justify;">The Aspera Faspex vulnerability is a reminder of the importance of prioritizing security in any organization. With the evolving security landscape, organizations must remain vigilant and continuously update their security measures to mitigate the risk of cyberattacks and other security incidents. 
Failure to take prompt action in addressing vulnerabilities could have severe consequences for organizations, including financial losses, reputational damage, and legal implications.</p>Samarth Mishrahttp://www.blogger.com/profile/06894478828562538725noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-48198042153733386242023-03-28T11:15:00.000-04:002023-03-28T11:15:07.282-04:00Microsoft Conduct an Emergency Fix for the Notorious ‘Acropalypse’ Bug<p style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEtbTsY5h5pg9z9fb8eAprnzd5YvTbEPhVrp5ZBUHYl88J8JE9G5rvaB9eqxJuvMteaStGAFruU85XXQEBOGqkY_R8Nk0-x5vf-sO4s3MFd45vcx3aLDh4WHyo_b7l3R2bxopd3xyt2L9iSHzwBHf3W5iL0mvMwfCa40xpo6gOL44yUr3_n5r4nBrE/s1280/microsoft.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="960" data-original-width="1280" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEtbTsY5h5pg9z9fb8eAprnzd5YvTbEPhVrp5ZBUHYl88J8JE9G5rvaB9eqxJuvMteaStGAFruU85XXQEBOGqkY_R8Nk0-x5vf-sO4s3MFd45vcx3aLDh4WHyo_b7l3R2bxopd3xyt2L9iSHzwBHf3W5iL0mvMwfCa40xpo6gOL44yUr3_n5r4nBrE/w640-h480/microsoft.jpg" width="640" /></a></div><br /><div style="text-align: justify;">Recently, Microsoft has acted quickly in patching up the ‘acropalypse’ bug that was discovered earlier this week. The bug could apparently enable information cropped out of images via the Windows screenshot tools to be recovered. </div><p></p><p style="text-align: justify;">According to BleepingComputer, Microsoft has now issued an OOB (out-of-band or emergency) update that patches the aforementioned issue, technically named CVE-2023-28303. Microsoft is now urging users to apply the update as soon as possible. </p><p style="text-align: justify;">Furthermore, the update is not difficult to apply. 
All that the user has to do is click the Library icon in Microsoft Store, then pick Get updates (top right). Doing so will apply the patch if it has not already been installed automatically. </p><h3 style="text-align: justify;">Carry on Cropping </h3><p style="text-align: justify;">The acropalypse bug shares some similarities with the vulnerability that affected the Markup feature on Google Pixel phones, i.e. images and screenshots cropped in the Windows 11 Snipping Tool and the Windows 10 Snip and Sketch tool could well be compromised. </p><p style="text-align: justify;">The CVE-2023-28303 bug means that parts of a PNG or JPEG image that have been cropped out are not completely removed from the file after it is saved again. These cropped sections could include a variety of sensitive information, like bank account credentials or medical records. </p><p style="text-align: justify;">Moreover, it is important to note that applying the patch will not fix any file that has already been cropped and exploited. It only applies to files edited in the future. Users must re-crop any existing images to ensure that the excess parts of the picture have been appropriately removed. </p><h3 style="text-align: justify;">Analysis: A Quick Fix for a Worrying Bug </h3><p style="text-align: justify;">Initially, recovering the cropped-out part of an image may not appear to be a particularly severe security vulnerability. After all, who would care if someone manages to recover some empty sky that you removed from one of your vacation photos? </p><p style="text-align: justify;">However, there are many reasons why incomplete cropping is a serious problem, as tech journalists know all too well. Personal and important information, such as email addresses, bank account numbers and contact details, could be exposed from these cropped images. 
Users are therefore well advised to remove such information before sharing images widely over the internet. </p><p style="text-align: justify;">In today’s era, when we share so many photos with others and on the web at large, it is important from a security perspective that these images do not, in any way, expose more than we want them to, which was the concern with CVE-2023-28303. </p><p style="text-align: justify;">Although Microsoft has acted quickly to patch the issue, it is still concerning to note that the same bug appeared in two completely separate pieces of software from Microsoft and Google in recent days. </p>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-62021000961722873532023-03-05T10:16:00.002-05:002023-03-05T10:16:40.097-05:00A GoAnywhere MFT hack Exposes Hatch Bank's Data Breach<p style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrvvB0ZCgK7qw0X81JK1SmWbUp3wwsv4u5ruwWnB-YrMBU6Z2-HcKSuOzWXQQ0ijCGbq3zGee41WlG3oqVMtAptvFIUeKyUEJDCvWxOehYEfVDt1bU6xFKJnR-Icq3BZndH31mCz5G3xtGt6TL4es-TCANytD9rYokjqDfBP0XNedappVbsghJOTRpQw/s1920/cyber-security-1805246.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="1920" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrvvB0ZCgK7qw0X81JK1SmWbUp3wwsv4u5ruwWnB-YrMBU6Z2-HcKSuOzWXQQ0ijCGbq3zGee41WlG3oqVMtAptvFIUeKyUEJDCvWxOehYEfVDt1bU6xFKJnR-Icq3BZndH31mCz5G3xtGt6TL4es-TCANytD9rYokjqDfBP0XNedappVbsghJOTRpQw/w640-h426/cyber-security-1805246.png" width="640" /></a></div><br /> <p></p><div style="text-align: justify;">Hackers exploited a zero-day vulnerability in Hatch Bank's internal file transfer software, allowing access to thousands of Social Security numbers from customers, according to Hatch Bank, a digital-first bank that provides 
infrastructure for fintech companies offering their brand credit cards. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Hatch Bank, the breach affected almost 140,000 customers: hackers were able to access sensitive customer information from its Fortra GoAnywhere MFT secure file-sharing platform, which allows customers to access their online accounts from anywhere. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In addition to providing small businesses with access to a variety of banking services, Hatch Bank is also a financial technology company. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">TechCrunch reported today that, according to a breach notification submitted to the Attorney General's office, the data of 139,493 customers had been stolen by hackers who exploited a vulnerability in the GoAnywhere MFT software. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to the notification Hatch Bank sent out, Fortra experienced a cyber incident on January 29, 2023, after discovering a vulnerability in its software. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Fortra notified Hatch Bank of the incident on February 3, 2023, informing it that files held on Fortra's GoAnywhere site had been compromised.
According to Hatch, it obtained a copy of the stolen data, reviewed it and found that the attackers had taken customer names as well as Social Security numbers. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Affected customers of the bank are entitled to a free twelve-month credit monitoring service from the bank as part of their compensation package. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Earlier this month, Community Health Systems (CHS) revealed it had suffered a data breach caused by the GoAnywhere MFT attack, making this the second confirmed breach in the past month. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b><span style="font-size: medium;">GoAnywhere Breaches Linked to Clop Ransomware</span></b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Although Hatch Bank did not disclose which threat actor was responsible for the attack, BleepingComputer was told that the Clop ransomware gang conducted these attacks. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Approximately 130 organizations were breached and their data was stolen.
It is claimed that the ransomware group exploited a zero-day vulnerability in Fortra's GoAnywhere MFT platform over more than ten days to steal data. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The vulnerability is now tracked as CVE-2023-0669 and allows remote threat actors to gain remote code execution on affected servers. After learning that it was being actively exploited in attacks, Fortra disclosed the vulnerability to GoAnywhere customers in early February. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">An exploit for the platform was revealed on February 7th, only a day before the vulnerability was patched. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Fortra did not respond to our emails requesting more information about the attacks, and BleepingComputer was unable to independently confirm Clop's claim that it was behind them. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The GoAnywhere MFT attacks have also been linked to TA505, the hacking group well known for deploying Clop ransomware, according to Huntress Threat Intelligence Manager Joe Slowik. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In December 2020, Clop used a similar tactic to steal data from companies worldwide by exploiting a zero-day vulnerability in Accellion's File Transfer Appliance (FTA) system. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Accellion FTA gives organizations a secure way of sharing files with their clients, much like GoAnywhere MFT. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The Clop ransomware gang gave the victims of these attacks an ultimatum, demanding a $10 million ransom in return for not publishing the stolen data. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Numerous organizations have disclosed related breaches; Morgan Stanley, Qualys, Shell, and Kroger are a few of the most notable companies that published reports related to the Accellion FTA attacks. Several universities around the world, including Stanford Medicine, the University of Colorado, UCLA, and the University of Colorado-Boulder, were also affected by the incident. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Clop may well demand a similar ransom from the victims of the GoAnywhere MFT attacks, and if the gang follows its earlier tactics, the stolen data will soon appear on its data leak site.</div>Trapti Rajputhttp://www.blogger.com/profile/17164006516937398466noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-45351731058677834052023-02-08T13:30:00.001-05:002023-02-08T13:30:00.239-05:00Clop Ransomware Flaw Permitted Linux Victims to Restore Files for Months<p> </p>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh50sNf7DndS-UQNBj5AB-5Q89IHUa7ehYqslHPUqxJs1t0Ch7xwoV10_CyZfhje9HFjdOABQUeTIsU4cE68iQmRbR9EoOYpJwnHQshPW81PytXvLoimgSH5s6USNeqM0h2k8e1p0ZzjhvfMaaKnFWVbitDPkLinwNluCEeSkGsvMRHQhHahThLzzZ8/s6016/pexels-panumas-nikhomkhai-1148820%20%282%29.jpg" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="4016" data-original-width="6016" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh50sNf7DndS-UQNBj5AB-5Q89IHUa7ehYqslHPUqxJs1t0Ch7xwoV10_CyZfhje9HFjdOABQUeTIsU4cE68iQmRbR9EoOYpJwnHQshPW81PytXvLoimgSH5s6USNeqM0h2k8e1p0ZzjhvfMaaKnFWVbitDPkLinwNluCEeSkGsvMRHQhHahThLzzZ8/s600/pexels-panumas-nikhomkhai-1148820%20%282%29.jpg" width="600" /></a></div><div style="text-align: justify;">The first Linux version of the Clop ransomware has been discovered in the wild, but with a flawed encryption algorithm that enables the process to be reverse-engineered. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">"The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.</div><div style="text-align: justify;"><br /></div><div><div style="text-align: justify;">The cybersecurity firm, which has made a decryptor available, stated that it discovered the ELF version on December 26, 2022, while also noting similarities to the Windows flavor in that it employs the same encryption method.
The detected sample is said to be a component of a larger attack around the same time targeting educational institutions in Colombia, including La Salle University. As per FalconFeedsio, the university was added to the criminal group's leak site in early January 2023.</div><div style="text-align: justify;"><br /></div><div><div style="text-align: justify;">The Clop (stylized as Cl0p) ransomware operation, which has been active since 2019, was dealt a major blow in June 2021 when six members of the group were arrested by police as part of an international law enforcement operation codenamed Operation Cyclone.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">However, the cybercrime group made an "explosive and unexpected" comeback in early 2022, claiming dozens of victims from the industrial and technology sectors. SentinelOne classified the Linux version as an early-stage version due to the absence of some functions found in the Windows counterpart.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This lack of feature parity is also explained by the malware authors' decision to create a custom Linux payload rather than simply porting over the Windows version, implying that future Clop variants may close the gap.</div></div><div style="text-align: justify;"><br /></div><div><div style="text-align: justify;">"A reason for this could be that the threat actor has not needed to dedicate time and resources to improve obfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal," Terefos explained.</div><div style="text-align: justify;"><br /></div><div><div style="text-align: justify;">The Linux version is intended to encrypt specific folders and file types, with the ransomware containing a hard-coded master key that can be used to recover the original files without paying the threat actors. 
If anything, the development indicates a growing trend of threat actors branching out beyond Windows to target other platforms.</div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Terefos concluded, "While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward." </div></div></div>Shruti Jainhttp://www.blogger.com/profile/15370909068785813326noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-32415237242543174612023-01-29T22:36:00.000-05:002023-01-29T22:36:19.221-05:00Government Issues High-risk Warning for iPhone Users<p> </p>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjASngDTqVvK04rltg68_WLynYiJ7rPxHbfnNMTn6LhJuYOI5MgVr75qDvukxbiQF0AdsH702SaH4Q0ygqUEDOQjBhrIR9F0NDSnx5yIGpq-tEreYr-AjhiAOmh_7oanRfFHHYjhF2XUeVvEhwxJlwy3pvwx8gnmCXcWQ0_iWyCAyqcO45SZFkhQch5/s6000/pexels-sora-shimazaki-5935787%20%283%29.jpg" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="4000" data-original-width="6000" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjASngDTqVvK04rltg68_WLynYiJ7rPxHbfnNMTn6LhJuYOI5MgVr75qDvukxbiQF0AdsH702SaH4Q0ygqUEDOQjBhrIR9F0NDSnx5yIGpq-tEreYr-AjhiAOmh_7oanRfFHHYjhF2XUeVvEhwxJlwy3pvwx8gnmCXcWQ0_iWyCAyqcO45SZFkhQch5/s600/pexels-sora-shimazaki-5935787%20%283%29.jpg" width="600" /></a></div><div style="text-align: justify;">Apple iPhones are known for their strength and security features. The Cupertino-based tech behemoth releases security updates for its devices on a regular basis. Although Apple recommends that people install the most recent builds of iOS on their iPhones in order to have a more protected and feature-rich operating system, older iPhone models are incapable of deploying the most recent updates due to hardware limitations. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Some users prefer to run older versions of iOS for simplicity of use, but it's important to note that older iOS versions are easier to exploit. One such flaw has been discovered in Apple's iOS, and the Indian government has issued a warning to iPhone users.</div><div style="text-align: justify;"><br /></div><div><div style="text-align: justify;">According to the Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology, a vulnerability in iOS has been disclosed that could permit an attacker to execute arbitrary code on the targeted device. 
Apple iOS versions prior to 12.5.7 are vulnerable on the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to CERT-In, the vulnerability exists in Apple iOS due to a type confusion flaw in the WebKit component. An attacker could exploit it by luring the victim to a maliciously crafted website, and an attacker who succeeds may be able to execute arbitrary code on the targeted system. </div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The security flaw is being actively exploited against iOS versions prior to iOS 15.1. To stay protected, install the iOS 12.5.7 patch, which Apple released earlier this week.</div>Shruti Jainhttp://www.blogger.com/profile/15370909068785813326noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-78935759215215554532022-12-27T12:39:00.003-05:002022-12-27T12:39:35.159-05:00Kubernetes can be Hacked due to a Container Verification Bug<p style="text-align: justify;"> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7-JeLAWftlyIvISuNOaOKWhYcZ11e5gCBxwgAe9mefG_GXrbp62fTbHFHQvrTRQdzf-7w78QtN-UVKbP0uRSephspxcfQqcHsG-yDFpshtdEEHHaoVnLb2fGDUv5Jzio2BOZuYr_bOtcagJtZsaw0DKhp79kCOSzpqy4afDMkvfUUNjgCGWTbPeX78g/s3100/audit-4576720.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1999" data-original-width="3100" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7-JeLAWftlyIvISuNOaOKWhYcZ11e5gCBxwgAe9mefG_GXrbp62fTbHFHQvrTRQdzf-7w78QtN-UVKbP0uRSephspxcfQqcHsG-yDFpshtdEEHHaoVnLb2fGDUv5Jzio2BOZuYr_bOtcagJtZsaw0DKhp79kCOSzpqy4afDMkvfUUNjgCGWTbPeX78g/w640-h412/audit-4576720.jpg" width="640" /></a></div><br /><p></p><div style="text-align: justify;">An 
extremely serious vulnerability in the Kyverno admission controller for container images could permit malicious actors to introduce a raft of malicious code into the production environments of cloud providers. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The Kyverno admission controller provides signature verification as a mechanism for ensuring that only validated and signed containers are pulled into a given Kubernetes cluster. Many potentially disastrous scenarios can be averted this way: booby-trapped container images can carry malicious payloads such as cryptominers, rootkits, container escapes, lateral movement exploit kits, credential stealers, and more. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">However, a bug (CVE-2022-47633) can be exploited to undermine this mechanism. Researchers at ARMO stated in a blog post on Dec. 21 that an attacker could take advantage of this vulnerability to inject unsigned images into any protected cluster, bypassing the image verification policy. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The stakes are high: an attacker can effectively take control of a victim's pod and gain access to all of the pod's assets, credentials, and service account tokens, including the service account token used to access the API server, the researchers cautioned. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Taking advantage of the vulnerability, one can completely bypass the image signature verification process. This gives an attacker a wide range of target options in an attack on a Kubernetes cluster. 
Ben Hirschberg, CTO and co-founder of ARMO, describes how any workload can mount cluster secrets and data volumes. With access to the victim's Kubernetes cluster through this vulnerability, the attacker can inject code into the cluster that steals data and credentials. The attacker can also inject his or her own code to use the victim's CPU for cryptocurrency mining. </div><div style="text-align: justify;"><b><span style="font-size: medium;"><br /></span></b></div><div style="text-align: justify;"><b><span style="font-size: medium;">Subverting the Container Admission Controller: An inside look at the bug</span></b> </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">When a new workload defined via an image with a tag is requested from a Kubernetes API server, the API server sends a request to the Kyverno admission controller to validate the new workload as defined in the image. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The admission controller determines in several ways whether a workload is admissible to the cluster. This includes requesting the image manifest and the signature from the container registry.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If the image checks out, the container runtime starts a new workload based on the image; if it does not, the workload does not proceed. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to the advisory, the vulnerability stems from the controller's signature validation process downloading the image manifest twice, but only verifying the signature for one of those downloads. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Hence, the attack looks like this: an administrator is socially engineered into pulling a container image from a malicious registry or proxy. On the first request, the admission controller receives a valid, benign, signed image from the malicious registry. So far, everything seems to be working well. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The admission controller then makes a second request for the manifest of the signed image so that it can retrieve the digest for mutation, which is used to replace the human-readable tag associated with the container. No signature validation is performed on this second request, which allows the malicious registry to return a different, unsigned and malicious image. That image is ultimately the one that will run on the system once the workload is started. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This is a classic example of a TOCTOU (time-of-check to time-of-use) problem, in which an attacker can bait and switch the victim, according to the research published by ARMO. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Because the image manifest that is ultimately used is different from the one that was verified, the attacker has the chance to trick the client. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Kyverno users should update to version 1.8.5 as soon as possible, since this vulnerability was introduced in version 1.8.3 and has been fixed in the updated version. The patch ensures that the same image hash is used both for verifying the signature and for modifying the workload specification. 
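The double download described above, modelled in Go as an added example (this is not Kyverno's or ARMO's code): a constructed bait-and-switch registry answers the first manifest request with the signed image and every later request with a different one, so a flow that verifies one download and mutates the workload with the other ends up pinned to the unsigned digest, while a flow that reuses the digest it verified does not. The Verifier and registry types are stand-ins assumed for the example, not real Kyverno or cosign APIs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a simplified image manifest; its digest is the sha256 of its body,
// which is how a registry content-addresses the real thing.
type Manifest struct {
	Body string
}

// Digest returns the content digest a workload would be pinned to.
func (m Manifest) Digest() string {
	sum := sha256.Sum256([]byte(m.Body))
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Registry models whatever answers manifest requests for a tag: a registry or a proxy.
type Registry interface {
	FetchManifest(tag string) Manifest
}

// honestRegistry returns the same manifest for every request.
type honestRegistry struct{ m Manifest }

func (r honestRegistry) FetchManifest(tag string) Manifest { return r.m }

// baitAndSwitchRegistry is a constructed model of the behaviour the article describes:
// the benign, signed manifest on the first request for a tag, a different,
// unsigned manifest on every later request for the same tag.
type baitAndSwitchRegistry struct {
	signed, other Manifest
	calls         int
}

func (r *baitAndSwitchRegistry) FetchManifest(tag string) Manifest {
	r.calls++
	if r.calls == 1 {
		return r.signed
	}
	return r.other
}

// Verifier stands in for signature verification (an assumption for this example):
// a digest counts as signed when it is in the trusted set.
type Verifier struct{ trusted map[string]bool }

func (v Verifier) VerifyDigest(digest string) bool { return v.trusted[digest] }

// admitVulnerable mirrors the flawed flow: verify the signature of one download of
// the manifest, then download the manifest again to obtain the digest written into
// the workload spec. Nothing ties the second download to the verified one (TOCTOU).
func admitVulnerable(reg Registry, v Verifier, tag string) (string, error) {
	checked := reg.FetchManifest(tag)
	if !v.VerifyDigest(checked.Digest()) {
		return "", errors.New("signature verification failed for " + tag)
	}
	used := reg.FetchManifest(tag) // second request, never re-verified
	return used.Digest(), nil       // this digest is what the runtime will pull
}

// admitFixed fetches once and uses the verified digest for both the signature check
// and the mutation, so time-of-check and time-of-use refer to the same content.
func admitFixed(reg Registry, v Verifier, tag string) (string, error) {
	m := reg.FetchManifest(tag)
	digest := m.Digest()
	if !v.VerifyDigest(digest) {
		return "", errors.New("signature verification failed for " + tag)
	}
	return digest, nil
}

func main() {
	// Constructed sample manifests; only the first one is "signed".
	signed := Manifest{Body: "constructed benign manifest, signed"}
	other := Manifest{Body: "constructed unsigned manifest"}
	v := Verifier{trusted: map[string]bool{signed.Digest(): true}}

	vulnDigest, _ := admitVulnerable(&baitAndSwitchRegistry{signed: signed, other: other}, v, "app:1.0")
	fixedDigest, _ := admitFixed(&baitAndSwitchRegistry{signed: signed, other: other}, v, "app:1.0")
	honestDigest, _ := admitFixed(honestRegistry{m: signed}, v, "app:1.0")

	fmt.Println("vulnerable flow pinned the unsigned image:", vulnDigest == other.Digest())
	fmt.Println("fixed flow pinned the unsigned image:     ", fixedDigest == other.Digest())
	fmt.Println("fixed flow accepts an honest registry:    ", honestDigest == signed.Digest())
}
```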
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This vulnerability affects only Kubernetes clusters that use the Kyverno container manager. Hirschberg warned that other methods of verifying image signatures also need to take care not to be vulnerable to this technique. </div><div style="text-align: justify;"><b><span style="font-size: medium;"><br /></span></b></div><div style="text-align: justify;"><b><span style="font-size: medium;">Concerns About Container Security are on the Rise </span></b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Hirschberg has noted that containers are an excellent target for cybercriminals because they are typically hosted in the cloud, which gives attackers access to a huge amount of computational resources that are extremely valuable and expensive. This lets hackers steal computational resources and data in a relatively short time while staying unnoticed for a long period. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to him, there are no exact statistics. However, given the current trend of wide container adoption, it is clear that this type of problem is becoming more prevalent in the industry. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">"Security teams are learning how to handle them, and Kubernetes in general. I don't think that it is a true 'blind spot,' but container security teams are still learning the whole environment with many neglected areas", Hirschberg added.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Even though image signature verification has only just begun to take off, admission controllers still represent one of those areas that may have been neglected because adoption is at an early stage. 
Nonetheless, they are also part of a broader dialogue that should be conducted about software supply chain security, one that treats it as an imperative issue. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Hirschberg indicated that during the SolarWinds attack the world saw how sensitive the issue of trusting the security of external code is. Kyverno is a security tool that brings signature validation to the Kubernetes world for the first time, and with this it introduces additional vulnerabilities. However, it does seem that with these vulnerabilities come security improvements that will enable users to overcome this issue in the future.
</div>Trapti Rajputhttp://www.blogger.com/profile/17164006516937398466noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-38872200564815005772022-11-28T10:45:00.001-05:002022-11-28T10:45:12.848-05:00Researchers Updated Twitter Data Breach as “More Harmful” Than Reported<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUnbr2K-VsEfnEkQ-_mDWun_Gf5SSrJY5_REBNdNpGs5UgtQjN2kRpLlQEnXBaoxwTxU5rzO2tsMQlXL89iqy4VhAWtNM3giIDbN1MzzLMdUs4hzXjyzD153P3NrJw-z8yqJ8hvDsZ6JkDpt6AwkODBZ6-rjZtxiTbDWRro2R7tKAhTISLF7f6DSd0wA/s1920/social-media-1795578_1920.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="1920" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUnbr2K-VsEfnEkQ-_mDWun_Gf5SSrJY5_REBNdNpGs5UgtQjN2kRpLlQEnXBaoxwTxU5rzO2tsMQlXL89iqy4VhAWtNM3giIDbN1MzzLMdUs4hzXjyzD153P3NrJw-z8yqJ8hvDsZ6JkDpt6AwkODBZ6-rjZtxiTbDWRro2R7tKAhTISLF7f6DSd0wA/w640-h426/social-media-1795578_1920.jpg" width="640" /></a></div><p style="text-align: justify;"><br /></p><div style="text-align: justify;">Last year, Twitter exposed more than five million phone numbers and email addresses following a massive data breach. The research team of 9TO5Mac has been provided with evidence that suggests the same security vulnerability was exploited by multiple threat actors at the same time. Additionally, several sources have advertised the availability of the hacked data on the dark web for sale as well. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This vulnerability was first reported back in January by HackerOne. Using this tool, anyone could enter a phone number or e-mail address and then find the Twitter account associated with that number or email address. 
The lookup returned an internal identifier used by Twitter, which can easily be converted into a Twitter handle. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In practice, a threat actor would be able to construct a single database containing Twitter handles, email addresses, and phone numbers accumulated from the web. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">When Twitter released an announcement in May, it confirmed that the vulnerability existed and had been patched, but it did not mention that anyone had exploited it. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to the RestorePrivacy report, a hacker had indeed used the vulnerability to gain access to millions of accounts around the world and had obtained personal information as a result. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>There has been a massive breach of Twitter data, and not just one</b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">A Twitter thread yesterday suggested that some threat actors had accessed the same personal data in more than one way. Having seen evidence of multiple breaches, 9to5Mac can now verify that this is indeed the case. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The security researchers explained that, in a previous report, they had seen a dataset containing the same information in a different format, and the source told researchers that it was "definitely a different threat actor." The researchers at 9to5Mac found that this dataset was just one of several similar files they had seen. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The majority of the data relates to Twitter users in the UK, most EU member countries, and several US states. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The setting the security researchers are referring to is buried quite deep within Twitter's settings, and it appears to be on by default. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">An estimated 500k records were reportedly downloaded within one hour by the bad actors. On the dark web, multiple sources have offered this data for sale for between $5,000 and $10,000. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">It has been reported that a security expert's account was suspended after tweeting about it, and another security specialist's Twitter account was suspended the same day. Chad Loder, a well-recognized computer security expert, predicted Twitter's reaction within minutes of the announcement, and this was confirmed by other experts. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">There is evidence that multiple hackers have obtained the same data and combined it with other data sourced from other breaches to steal the information.</div>Trapti Rajputhttp://www.blogger.com/profile/17164006516937398466noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-340090736344492792022-10-14T11:28:00.003-04:002022-10-14T11:28:48.086-04:00Cyber-Spy Exploits are Being Dropped by Drones<p style="text-align: justify;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6Ws2F5EKBIgkIj_OQWFEKhmnxtCEQyOXfDXkECinscj8JzvIr4NTojE3C_SqDtIDCQRw1CrF5a6D_KiPiPAYornxophKgMK-X8zC33NoU_xGAcjk6jvKVuzUgvh1yDQZzBs7aclHhS3SwLMYN1WlWPIEoKe3t9igRAEySg_qKeL-wZ0n9OmfmVNDCYA/s2304/pexels-photo-724921.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1500" data-original-width="2304" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6Ws2F5EKBIgkIj_OQWFEKhmnxtCEQyOXfDXkECinscj8JzvIr4NTojE3C_SqDtIDCQRw1CrF5a6D_KiPiPAYornxophKgMK-X8zC33NoU_xGAcjk6jvKVuzUgvh1yDQZzBs7aclHhS3SwLMYN1WlWPIEoKe3t9igRAEySg_qKeL-wZ0n9OmfmVNDCYA/w640-h416/pexels-photo-724921.jpeg" width="640" /></a></div><br /><p></p><div style="text-align: justify;">The use of drones equipped with cyber-spying equipment was previously limited to abstract academic discussions among cybersecurity enthusiasts, but now, drones can be used in the real world to penetrate networks and steal information. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">On October 10, cybersecurity researcher Greg Linares published a Twitter thread providing a brief overview of a drone-based cyberattack he had recently witnessed while working as a freelance researcher. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Mr. Gohel, the incident began when an unnamed financial company picked up unusual traffic on its network as a result of the hack. While tracing the Wi-Fi signal, the investigators discovered two drones on the roof, and alongside that they also discovered other activity on the network. </div><div style="text-align: justify;"> </div><div style="text-align: justify;">Linares described one of the drones as a modified DJI Phantom carrying what he called a "modified Wifi Pineapple device" and the other as a similarly modified DJI Matrice 600 containing "a Raspberry Pi, batteries, GPD mini laptop, a 4G modem, and another Wi-Fi device," he explained. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In addition to the successful cyberattack, Linares explained that the attackers were also able to access devices connected to the Atlassian Confluence site from the internal page, in order to steal credentials and other information. During the threat hunters' investigation, they discovered that one of the drones had been damaged but was still functional. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">"In light of the limited success of this attack, it appears that once the attackers were detected, they crashed the drone as they were recovering it from the ground," Linares claimed on Twitter.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">He further explained that a drone attack of this kind would probably not cost more than $15,000 to put together, although he did not provide an exact figure. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">As he explained in his warning, attackers spend this amount of money on internal devices and do not care about destroying them. 
"This is the third real-world attack I have encountered from a drone in the last two years," he added. </div>Trapti Rajputhttp://www.blogger.com/profile/17164006516937398466noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-45331042553589405562022-10-05T13:29:00.001-04:002022-10-05T13:29:09.982-04:00Ransomware is Now the Top Attack Vector Due to Bug Exploitation<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvvpZmx5Cr3pVVmFAfTrwIYiW0PuNcG9HXrNBDTQbhbqJ0eIBm-TYt4JLZ7iYTts07kybcfUhl0iCptS8INEzB_PBjrtHu6cBDOVYsctlb1z74vWPF9vfoosX_WCYzDNCLLgL1Cw7u6ivfXZYnp5eYgyTqhjecp_bIJOeJbHqAxJ07fxWbM14jlCmLPQ/s1125/secureworks.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="750" data-original-width="1125" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvvpZmx5Cr3pVVmFAfTrwIYiW0PuNcG9HXrNBDTQbhbqJ0eIBm-TYt4JLZ7iYTts07kybcfUhl0iCptS8INEzB_PBjrtHu6cBDOVYsctlb1z74vWPF9vfoosX_WCYzDNCLLgL1Cw7u6ivfXZYnp5eYgyTqhjecp_bIJOeJbHqAxJ07fxWbM14jlCmLPQ/w640-h426/secureworks.jpeg" width="640" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Security experts at Secureworks have revealed that vulnerability exploitation has accounted for 52% of ransomware incidents investigated by the company over the past 12 months. 
This makes it the number one initial access vector for attackers, according to a new report published by the company.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The security firm's annual State of the Threat report is compiled from the insight gathered by the organization's anti-terrorism unit over the past year.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">A leading ransomware researcher has found that last year, ransomware actors mainly used vulnerabilities found in Internet-exposed systems to increase their effectiveness, rather than taking advantage of credentials – often associated with the compromise of Remote Desktop Protocol (RDP) – or using malicious emails.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Reports suggested that this shift in tactics may directly result from a significant imbalance between the capabilities of threat actors and network defenders.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">While threat actors are rapidly weaponizing newly discovered vulnerabilities, developers of offensive security tools (OSTs) are also driven – by the need to generate profit or keep their tools relevant – to implement updated exploit code as soon as possible, the report illustrated. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">It is often overlooked that responsible disclosure does not always wait for patches to become available. 
Even if a patch is available, patching a vulnerability in an enterprise environment is far more complicated and much slower than the process by which threat actors or OST developers weaponize publicly accessible exploit code.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Vulnerability management teams must also take precautions against the persistent threat of credential-based attacks. In a recent report, Secureworks reported a 150% growth in the use of info-stealers designed to grab credentials from networks and gain access to them in an attempt to steal sensitive information.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">On a single day in June, an anti-virus vendor claimed to have observed over 2.2 million credentials, collected by information-stealing criminals, offered for sale on an underground platform.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Secureworks, ransomware continues to represent the number one threat to global organizations, accounting for more than a quarter of the attacks analyzed by the company. Most of the reported threats have been linked to Russian cybercrime groups.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The good news is that so far this year, the median dwell time of attackers has dropped from 22 days in 2021 to 11 days. 
This is a decrease of two days from last year, but it still leaves attackers with plenty of time to steal data from organizations and deploy the payloads for ransomware attacks.</div><div style="text-align: justify;"><br /></div><h4 style="text-align: justify;"><b><span style="font-size: medium;">Preventions for ransomware attacks</span></b></h4><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Safeguarding your systems from malware attacks includes simple yet effective measures like</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">• Never click on unknown or unauthorized links or stores.</div><div style="text-align: justify;">• Never input your personal information on unofficial stores or websites.</div><div style="text-align: justify;">• Never click on any unknown attachments on emails.</div><div style="text-align: justify;">• Never plug into any unknown USB sticks.</div><div style="text-align: justify;">• Never download any software or application from unauthorized sources.</div><div style="text-align: justify;">• Always keep your systems up-to-date.</div><div style="text-align: justify;">• Always work under VPN security while using public wi-fi.</div><div style="text-align: justify;"> </div><div style="text-align: justify;">To ensure that the vulnerabilities do not get exploited, you need to identify and address them as soon as possible. Keeping track of your vital systems and their security is impossible without implementing an effective vulnerability management system (VM). </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Choosing the right VM tools is important as they provide accuracy, guidance in the right directions, and efficiency, to help your team in dealing with the most critical vulnerabilities. 
Once you establish a scalable and sustainable VM program you will be capable of defending your systems from ransomware attacks.</div>Trapti Rajputhttp://www.blogger.com/profile/17164006516937398466noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-82828841730693833742022-10-04T08:27:00.001-04:002022-10-04T08:27:20.887-04:00Moody's Intensifies its Scrutiny Of the 'Riskiest' Sectors Of the Economy<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUihKXuiSNmfC4p09U82jYIi7nC6HV36KOrRVzTRpWs9YvDPl5t9bib6vYHMUKv9z3tmOF28mgMA3QMCogXh_nNZGwoST897gFLvFCIiARAT1rZ_8u1rEFUEOhRt62JZ8afse6L1uJnvqk4Fla0Ht4mpCGKbOnvzRXFWuQqJXIQGNTqfZj8PjCdubmRg/s600/moddys.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="600" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUihKXuiSNmfC4p09U82jYIi7nC6HV36KOrRVzTRpWs9YvDPl5t9bib6vYHMUKv9z3tmOF28mgMA3QMCogXh_nNZGwoST897gFLvFCIiARAT1rZ_8u1rEFUEOhRt62JZ8afse6L1uJnvqk4Fla0Ht4mpCGKbOnvzRXFWuQqJXIQGNTqfZj8PjCdubmRg/w640-h426/moddys.jpeg" width="640" /></a></div><br /><div><br /></div><div style="text-align: justify;">According to Moody's Investors Service, nearly $22 trillion of global rated debt has a "high" or "very high" level of cyber-risk exposure. This includes electrical, gas, and water utilities, as well as hospitals, which are among the sectors with the greatest risk of cyberattacks.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In total, Moody's has rated nearly 80 trillion dollars in debt across 71 different sectors across the globe. This represents a quarter of Moody's $180 trillion in debt that Moody's has rated across 71 different sectors worldwide. 
This represents an increase of nearly a billion dollars from the firm's 2019 numbers.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Moody's, the Cyber Heatmap takes into account two factors, exposure and mitigation, and weighs both equally across all the sectors it rates for this report.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">A major component of exposure is the industry's "systemic role" - how appealing it is from an attacker's perspective for disrupting a wide array of industries, along with its interconnectedness with other sectors. It has also been emphasized that "digitalization" has increased the attack surface by extending the digital footprint.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Mitigation covers measures to reduce perimeter vulnerability as well as basic cybersecurity practices, based on financial loss estimates. In determining perimeter vulnerability, Moody's takes into account at-risk open ports and patching cadence, using data and metrics provided by cyber-ratings company BitSight, in which Moody's owns a minority stake.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">"It has been mentioned before that poor patches can have a significant impact on a company's risk of ransomware, as well as reports of a high rate of ransomware instances," BitSight chief risk officer Derek Vadala said in a press release.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Moody's, this year's Heatmap provides insight into cyber risk within the 71 sectors. The information is based on exposures and mitigations, which Moody's has categorised as "low," "moderate," "high" and "very high" risk. 
Utility companies were found to have high levels of cyber risk.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In this sector, which has a total amount of $2.5 billion in collective debt rated by Moody's, there are both regulated and self-regulated electric utilities operating in the generation, transmission, and distribution of electricity and gas. There are also unregulated electric and power companies, as well as water and wastewater companies. Moody's noted, "this does not mean the issuers within these sectors have weak cybersecurity practices."</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Most economists believe that it has more to do with the "multiplier effect across an economy," as per the report. Cyberattacks that knock out a regional power grid, for example, will have far more consequences than simply for the utility itself. Hospitals may be unable to provide life-saving surgery or critical medicine to patients if a cyberattack knocks them out of service. For assisted living facilities, it would be extremely challenging for them to keep their elderly residents comfortable during heat waves or cold snaps. This is because they cannot provide heat or air conditioning.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">There is no doubt that this is why critical infrastructure has become such an attractive target for cybercriminals seeking to cause the most damage, as evidenced by the seemingly constant barrage of government warnings regarding nation-state threat groups targeting power systems and infrastructure.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">As far as cyber risk is concerned, non-profit hospitals also ranked extremely high when it comes to the threats they face. 
In Moody's view, non-profit hospitals are particularly attractive targets for attackers because of the huge amount of data these institutions possess, as well as the merely average mitigation measures they have in place to reduce the impact of potential cyber threats. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Banks, the technology sector, telecommunications, and midstream energy are among the sectors with the highest levels of risk. Meanwhile, in the Heatmap, some sectors have moderate levels of risk, such as advanced economies and emerging regions, regional and local governments, manufacturing, retail and apparel, and integrated oil.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Low-risk sectors include structured finance, real estate, independent exploration and production, mining, and public housing. The analysis shows a significant increase in the number of ransomware attacks against hospitals and healthcare organizations over the last few years, which in turn calls for strict cyber security measures. 
</div>Trapti Rajputhttp://www.blogger.com/profile/17164006516937398466noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-83522523456083611242022-06-19T01:55:00.000-04:002022-06-19T01:55:25.223-04:00Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU3QcCAkNdcypRAeXAFa3wnS7Z9FOV4ASZ83FBETisPgIaAAhjH5m325NZget6zaMwO7eTJy53vJUtD_lhw-k54tdBJBNDjKyNO6aSmZs0d7FnBBUWgBYF-RQBcCrNJvh8_L0VYe2c4iENSoKxUUmtB1MD1bDpWRfCLx8_tS_fQ9G0GkbWi_KnLHff/s6144/pexels-lukas-577210.jpg" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="4069" data-original-width="6144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU3QcCAkNdcypRAeXAFa3wnS7Z9FOV4ASZ83FBETisPgIaAAhjH5m325NZget6zaMwO7eTJy53vJUtD_lhw-k54tdBJBNDjKyNO6aSmZs0d7FnBBUWgBYF-RQBcCrNJvh8_L0VYe2c4iENSoKxUUmtB1MD1bDpWRfCLx8_tS_fQ9G0GkbWi_KnLHff/s600/pexels-lukas-577210.jpg" width="600" /></a></div><p><span style="text-align: justify;">Researchers detected a functionality in <a href="https://www.cysecurity.news/2019/07/microsoft-office-365-exposing-users-ip.html">Office 365</a> that enables cybercriminals to ransom items stored on SharePoint and OneDrive. When the researchers informed Microsoft, they were assured that the system was functioning as designed and it is a feature rather than a vulnerability. </span></p><div style="text-align: justify;">Files stored and updated on the cloud have long been thought to be resistant to encryption extortion — the autosave and versioning capabilities should offer enough backup capability.
Researchers at Proofpoint have shown that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.” </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">There are two ways to accomplish this using the Microsoft versioning feature (which allows the user to specify the maximum number of older versions to be stored). Older versions beyond this limit are designed to be difficult, if not impossible, to recover. The first attack is more theoretical than practical, while the second is undeniably practical.
By default, the maximum number of revisions of a document that may be saved is 500. Simply put, the attacker modifies and encrypts the file 501 times. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The changes do not have to be significant - just enough to cause the system to save the new (encrypted) version. By the end of the procedure, all versions of the document will be encrypted, and the file will be unrecoverable without the decryption key.
This is a theoretical attack. In practice, it would be noisy and easily discovered. The second method is more practical: utilise the built-in user-controlled versioning tool to reduce the number of stored versions to one. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library.
Setting the version limit to zero does not help an attacker since it does not erase older versions that the user can still recover. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker has the option of launching a second extortion attempt.
The attack chain includes initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration and encryption, and extortion. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If the file owner keeps a local copy of the file, the impact of this attack will be limited. In this case, the attacker must compromise both the endpoint and the cloud account to ensure success.
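A defender-side illustration of the versioning-reduction step in that chain, as an added Python example that is not Proofpoint's or Microsoft's code: it runs a simple rule over a constructed, simplified audit-event stream (the field names, the policy floor of 100 versions and the burst thresholds are this example's own assumptions, not the real Microsoft 365 audit schema) and raises an alert whenever a library's version limit is lowered, escalating when the limit drops below policy and the same account then edits many files in that library shortly afterwards.

```python
from datetime import datetime, timedelta

# Assumed policy values (example choices, not from the article): the lowest
# version limit an administrator may legitimately configure, and what counts
# as a suspicious burst of edits right after a reduction.
POLICY_MIN_VERSIONS = 100
BURST_WINDOW = timedelta(minutes=30)
BURST_THRESHOLD = 5

# Constructed sample events in a simplified schema of this example's own
# design (not the Microsoft 365 unified audit log format).
SAMPLE_EVENTS = [
    {"ts": "2022-06-10T09:00:00", "user": "alice@example.com",
     "library": "Finance/Docs", "op": "version_limit_changed", "old": 500, "new": 1},
    *[{"ts": f"2022-06-10T09:{m:02d}:00", "user": "alice@example.com",
       "library": "Finance/Docs", "op": "file_modified", "file": f"q{m}.xlsx"}
      for m in (2, 4, 6, 8, 10, 12)],
    # Edit by another account in the same library: not counted for alice.
    {"ts": "2022-06-10T09:15:00", "user": "dave@example.com",
     "library": "Finance/Docs", "op": "file_modified", "file": "notes.docx"},
    {"ts": "2022-06-10T10:00:00", "user": "bob@example.com",
     "library": "HR/Policies", "op": "version_limit_changed", "old": 500, "new": 200},
    {"ts": "2022-06-10T10:05:00", "user": "bob@example.com",
     "library": "HR/Policies", "op": "file_modified", "file": "handbook.docx"},
    {"ts": "2022-06-10T11:00:00", "user": "carol@example.com",
     "library": "Eng/Specs", "op": "version_limit_changed", "old": 500, "new": 50},
    # Outside the 30-minute window, so it does not count towards a burst.
    {"ts": "2022-06-10T11:40:00", "user": "carol@example.com",
     "library": "Eng/Specs", "op": "file_modified", "file": "spec.md"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def detect_version_limit_abuse(events, policy_min=POLICY_MIN_VERSIONS,
                               window=BURST_WINDOW, burst=BURST_THRESHOLD):
    """Return one alert per event that lowers a document library's version limit.

    Severity: 'high' when the new limit is below policy and the same account
    edits at least `burst` files in that library within `window`; 'medium'
    when only the policy floor is breached; 'low' for any other reduction.
    """
    ordered = sorted(events, key=_when)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["op"] != "version_limit_changed" or ev["new"] >= ev["old"]:
            continue
        start = _when(ev)
        mods = 0
        for later in ordered[i + 1:]:          # events are time-ordered
            if _when(later) - start > window:
                break
            if (later["op"] == "file_modified"
                    and later["library"] == ev["library"]
                    and later["user"] == ev["user"]):
                mods += 1
        below_policy = ev["new"] < policy_min
        if below_policy and mods >= burst:
            severity = "high"
        elif below_policy:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "ts": ev["ts"], "user": ev["user"], "library": ev["library"],
            "old_limit": ev["old"], "new_limit": ev["new"],
            "below_policy": below_policy,
            "modifications_in_window": mods, "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_version_limit_abuse(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['ts']} {alert['user']} lowered "
              f"{alert['library']} from {alert['old_limit']} to {alert['new_limit']} "
              f"({alert['modifications_in_window']} edits in window)")
```

The rule deliberately alerts on every reduction, even to a value still within policy, because the reduction itself is the part of the chain a legitimate user rarely performs; the follow-on edit count only decides how loudly to alert. In a real deployment the events would come from the tenant's audit log export, and the policy floor should match what the organisation has actually configured as its default retention.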
Proofpoint followed the Microsoft disclosure route and submitted the vulnerability to Microsoft before publicly revealing it. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">“However,”<u><span style="color: #2b00fe;"> <a href="https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality">write the researchers</a></span></u>, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Therefore, the conclusion of the story is straightforward: do not assume that files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures must still be in place.</div>Shruti Jainhttp://www.blogger.com/profile/15370909068785813326noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-6351453293395198562022-06-15T06:18:00.000-04:002022-06-15T06:18:03.855-04:00Researcher Demonstrated How Tesla Key Card Feature Can be Exploited to Steal Cars<p> </p>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYwYp6FUKGFp0qHIlSGTCl3yb2csB6tB38NiGWdvUSGfMRLTjEjuOPK7ao0Gt8Y07B7duoMgzFDfV18CbRoFB_jAGQSU-K9rltHl6mjkDLec9T-UtlnBcuNtk_GiwH5TbSqeSQ8iNvzmGGSN7p0bnKuRkmi1PYJeG7ZtaGQJB7TLbuIcb3vOF10qNs/s6016/pexels-pixabay-38275%20%287%29.jpg" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="4016" data-original-width="6016" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYwYp6FUKGFp0qHIlSGTCl3yb2csB6tB38NiGWdvUSGfMRLTjEjuOPK7ao0Gt8Y07B7duoMgzFDfV18CbRoFB_jAGQSU-K9rltHl6mjkDLec9T-UtlnBcuNtk_GiwH5TbSqeSQ8iNvzmGGSN7p0bnKuRkmi1PYJeG7ZtaGQJB7TLbuIcb3vOF10qNs/s600/pexels-pixabay-38275%20%287%29.jpg" width="600" /></a></div><div style="text-align: justify;">A researcher demonstrated how a Tesla key card functionality launched last year might be misused to add an unauthorised key that enables an attacker to access and start a vehicle. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Martin Herfurt, an Austria-based member of the Trifinite research group that specialises in <a href="https://www.cysecurity.news/2022/05/researchers-tesla-cars-bluetooth-locks.html">Bluetooth</a> security, conducted the study. Herfurt's research focused on key card access modifications made by Tesla in August 2021, which removed the necessity for customers to place the key card on the central console after using it to open the vehicle. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The researcher discovered that when a <a href="https://www.cysecurity.news/2022/03/tesla-ceo-musk-issues-warning-regarding.html">Tesla</a> is opened through NFC using the key card, there is a 130-second window during which an attacker within the Bluetooth range of the targeted vehicle may add their own key.
The attack exploits Tesla's VCSEC protocol, which manages communication between the automobile, the phone app, and the key fob. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Findings by the researcher: </b></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">During such an assault, the infotainment system makes no attempt to warn the victim that a new key has been inserted.
According to the researcher, he tried the attack on the Tesla Model 3 and Model Y, but he believes it should also work on the newer Model S and Model X.
At the recent Pwn2Own 2022 hacking competition, hackers won $75,000 for an attack targeting Tesla's infotainment system. Herfurt intended to show off his attack at Pwn2Own, but relay attacks were not permitted. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In reality, he claimed to have identified the authorisation timer attack vector in September 2021 but had been keeping it for Pwn2Own.
The researcher stated that he did not inform Tesla about his recent findings before revealing them, since he considered that the company was already aware of the problem. </div><div style="text-align: justify;">Following his disclosure, he received confirmation from others who had reported a very similar issue to Tesla months ago that Tesla was aware of the vulnerability. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to the researcher, Tesla recommends using the PIN2Drive function, which requires customers to input a PIN before driving away, but he produced a video last week demonstrating how an attacker may overcome PIN2Drive. Tesla has yet to respond to a request for comment.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><div>Herfurt is working on TeslaKee, a new smartphone application that is said to safeguard Tesla vehicles from these sorts of relay attacks. Herfurt demonstrated another approach to stealing a Tesla in May. 
The attacker utilised two Raspberry Pi devices to relay the radio signal between the Phone Key and an automobile over a considerable distance.</div></div>Shruti Jainhttp://www.blogger.com/profile/15370909068785813326noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-48417281149127282022-06-11T12:08:00.000-04:002022-06-11T12:08:07.474-04:00 New Confluence Remote Code Execution Flaw is Exploited by Cryptocurrency Miners<a href="https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html" rel="nofollow" target="_blank"></a><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCguJNtWjOPDCy721eZvAoyu9NSedYgxZMFVjPsQI6AlEEak_ThUsb9QWWoXHug0u6oCsy3u94oW5vUFaKxpINs08mT9dSNvPQSQj2yLZmpo0TT5y7bOrUcO9vHMBLutJza4YEO6C1-xdCo9OfFCpKA5QPY8pb_-nANFLFXxM9TrfGeYbgyKapLxwysw/s6720/pexels-cottonbro-8721342.jpg" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="4480" data-original-width="6720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCguJNtWjOPDCy721eZvAoyu9NSedYgxZMFVjPsQI6AlEEak_ThUsb9QWWoXHug0u6oCsy3u94oW5vUFaKxpINs08mT9dSNvPQSQj2yLZmpo0TT5y7bOrUcO9vHMBLutJza4YEO6C1-xdCo9OfFCpKA5QPY8pb_-nANFLFXxM9TrfGeYbgyKapLxwysw/s600/pexels-cottonbro-8721342.jpg" width="600" /></a></div><p> </p><div style="text-align: justify;">Atlassian has issued a security advisory on a severe unpatched remote code execution vulnerability that affects Confluence Server and Data Center products and is being actively abused in the field, according to the company. The CVE-2022-26134 vulnerability was found as an extensively exploited zero-day towards the end of May, and the vendor issued a patch on June 3, 2022. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Several proof-of-concept (PoC) exploits for the CVE-2022-26134 bug have been made public.
Following the disclosure of the RCE, Check Point Research (CPR) researchers observed a large number of exploitation attempts, with some of the malicious payloads used in the attacks belonging to the same campaign carried out by a crypto-mining gang known as the "8220 gang", which runs bulk network scans to discover vulnerable Windows and Linux endpoints on which to plant miners. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Miners are special-purpose programs that mine cryptocurrency such as Monero for the threat actor using the host's available computational capacity. Reduced server performance, increased hardware wear, greater operating costs, and even business disruption are all direct consequences of this activity. Because they have access to the system, these actors can also escalate their attack at any time and drop more potent payloads.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Multiple infection chains are used to target Linux and Windows operating systems.
The attack starts with a specially crafted HTTP request which exploits CVE-2022-26134 and drops a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable: a Linux malware injection script and a Windows child process spawner. Both scenarios try to set up reboot persistence, then delete all current devices before activating the miner. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The miner will deplete all system resources in both circumstances; the "8220 gang" is therefore aiming for maximum profit until the malware is uprooted, rather than silently mining on infected servers and attempting to remain undiscovered by using only a portion of the available processing capacity. Finally, the Linux script looks for SSH keys on the host in an attempt to spread to other nearby computers. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The web shell is believed to have been used to drop two further web shells to disk, namely China Chopper and a bespoke file upload shell for exfiltrating arbitrary files to a remote server. The news comes within a year of another severe remote code execution issue in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) being actively exploited in the wild to install cryptocurrency miners on compromised servers. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">"Attackers can get direct access to highly valuable systems by exploiting such type of vulnerability," Volexity stated. "Furthermore, because they lack the necessary monitoring or logging capabilities, these systems can be difficult to investigate."
</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-39956472169695896802022-02-15T08:57:00.029-05:002022-02-15T11:59:14.456-05:00Mitigating Software Security Flaws with Automation<p> </p>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjlGAjHieWAhl5IW-aAcnwKYlJQDMFsHGJO-MvoMQxmt7YJc7vsvcATPT4twXa-q9YVpEh9RBOlC_Pb9ueFk6uHzVI_7RJlXrB1hsWHgziQsPyMOC__8ngWmnJlK0xuDdTfbHZLZJQu1MpwfbJpQCzRdYsChYs-fqOFWi-61_ynV4sqEbYzIzrn689f=s4576" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="3051" data-original-width="4576" src="https://blogger.googleusercontent.com/img/a/AVvXsEjlGAjHieWAhl5IW-aAcnwKYlJQDMFsHGJO-MvoMQxmt7YJc7vsvcATPT4twXa-q9YVpEh9RBOlC_Pb9ueFk6uHzVI_7RJlXrB1hsWHgziQsPyMOC__8ngWmnJlK0xuDdTfbHZLZJQu1MpwfbJpQCzRdYsChYs-fqOFWi-61_ynV4sqEbYzIzrn689f=s600" width="600" /></a></div><div style="text-align: justify;">A group of UTSA researchers is investigating how a new automated approach could be used to prevent software security vulnerabilities. The team intended to create a deep learning model that could train the software on how to automatically extract security policies. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Unlike traditional software development models, the agile software development process is intended to deliver software more quickly, eradicating the requirement for lengthy paperwork and changing software requirements. The only required documentation is user stories, which are specifications that define the software's requirements. 
However, the fundamental practices of this method, such as frequent code changes, limit the ability to perform security assurance evaluations.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Ram Krishnan, associate professor in the UTSA Department of Electrical and Computer Engineering, stated, “The basic idea of addressing this disconnect between security policies and agile software development came from happenstance conversation with software leaders in the industry.” </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Before arriving at a deep learning strategy that can handle several formats of user stories, the researchers looked at various machine learning approaches.
To make the prediction, the model is composed of three parts: access control classification, named entity recognition, and access type classification. The software uses access control classification to determine whether or not user stories contain access control information. The actors and data objects in the story are identified by named entity recognition. The link between the two is determined by the access type classification. To evaluate their approach, the researchers used a dataset of 21 online applications, each with 50-130 user stories (a total of 1,600). </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Krishnan stated, “With a dataset of 1,600 user stories, we developed a learning model based on transformers, a powerful machine learning technique. We were able to extract security policies with good accuracy and visualize the results to help stakeholders better refine user stories and maintain an overview of the system’s access control.” </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to Krishnan, this new method will be a valuable tool in the modern agile software development life cycle. A manual method of extracting security policies would be error-prone and costly, because agile software development focuses on incremental modifications to code. It is just another area where machine learning and artificial intelligence have proven to be effective. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">He further added, “We recognize that there is little additional information about access control that can be extracted or determined directly from user stories in a fully automated approach. That means it is difficult, or impossible, to determine a software’s exact access control from user stories without human involvement. 
We plan to extend our approach to make it interactive with stakeholders so that they can help refine the access control information.”</div>Shruti Jainhttp://www.blogger.com/profile/15370909068785813326noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-52712269332100745372021-12-29T05:42:00.000-05:002021-12-29T05:42:26.255-05:00Hackers Exploit Log4j Flaw to Attack Belgium Defense Ministry<p> </p>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgUqwOGtZ2g232yNOerLnI0Sm8fzWLWdzOhrtfNSc9xmi_tZlAoBuQ1lOC_i2yOLXv6YWwpKelGmAaD5np-Y0QcQEcVs11UlUgvwoAf9vgVv_sabfWvIdPOKq8OlOaf_oxyj6VtUPB1gINrxGcIRSGImM7tfZLf6FHPh8OjKDt5dDtWZJiu-q-sTRTQ=s4576" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="3051" data-original-width="4576" src="https://blogger.googleusercontent.com/img/a/AVvXsEgUqwOGtZ2g232yNOerLnI0Sm8fzWLWdzOhrtfNSc9xmi_tZlAoBuQ1lOC_i2yOLXv6YWwpKelGmAaD5np-Y0QcQEcVs11UlUgvwoAf9vgVv_sabfWvIdPOKq8OlOaf_oxyj6VtUPB1gINrxGcIRSGImM7tfZLf6FHPh8OjKDt5dDtWZJiu-q-sTRTQ=s600" width="600" /></a></div><div style="text-align: justify;">The Belgian Ministry of Defense has stated that the Log4j vulnerability was used in a cyberattack on its networks. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The Defense Ministry said in a statement that an attack on its computer network with internet access was identified on Thursday. They didn't disclose whether the attack was ransomware, but they did state that "quarantine measures" were swiftly implemented to "contain the affected elements." </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The Defense Ministry stated, "Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners." </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">"This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage." 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Government hacking groups all across the world are using the Log4j vulnerability, according to multiple reports from firms like Google and Microsoft.
State-sponsored hackers from China, Turkey, Iran, and North Korea, according to Microsoft, have begun testing, exploiting, and abusing the Log4j issue to spread a range of malware, including ransomware. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to multiple sources, since the vulnerability was found over two weeks ago, cybercriminal organisations have attempted to exploit it not only to acquire a foothold in networks but also to sell that access to others. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">To avoid attacks and breaches, governments around the world have advised agencies and companies to fix their systems or devise mitigation strategies. Singapore conducted emergency meetings with vital information infrastructure sectors to prepare them for potential Log4j-related threats, and the US Cybersecurity and Infrastructure Security Agency instructed all federal civilian agencies to fix systems before Christmas. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Katrien Eggers, a spokesperson for the Centre for Cybersecurity Belgium, told ZDNet that the organisation had also issued a warning to Belgian companies about the Apache Log4j software issue, stating that any organisation that had not already taken action should "expect major problems in the coming days and weeks." </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The Centre for Cybersecurity Belgium, adding that any affected organizations should contact it, stated: "Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale. 
It goes without saying that this is a dangerous situation."</div>Shruti Jainhttp://www.blogger.com/profile/15370909068785813326noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-33232398184754339052021-12-23T03:11:00.000-05:002021-12-23T03:11:11.527-05:00Dridex Banking Malware is Now Being Installed Using a Log4j Vulnerability<p> </p><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj4HyKiIVu13JsmPADKuiQsAZsPILiz2L9ZNn_5oamMaig6ztt08sgmN18zUBdTyzpwiAOZMHC1UWgSIp1VFy3QOPs5BxkmyA6UJ4WfIlLeybVgtfr-OGbTlUio2in3Znj1dKHOJv41kbsVL3EvW0hqIxQc3mIrES-V9_L3bJHMW-Ct9UIiLA0kzCdLxA=s1920" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="1080" data-original-width="1920" src="https://blogger.googleusercontent.com/img/a/AVvXsEj4HyKiIVu13JsmPADKuiQsAZsPILiz2L9ZNn_5oamMaig6ztt08sgmN18zUBdTyzpwiAOZMHC1UWgSIp1VFy3QOPs5BxkmyA6UJ4WfIlLeybVgtfr-OGbTlUio2in3Znj1dKHOJv41kbsVL3EvW0hqIxQc3mIrES-V9_L3bJHMW-Ct9UIiLA0kzCdLxA=s600" width="600" /></a></div><div style="text-align: justify;">The Log4j vulnerability is presently being leveraged to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter, according to Cryptolaemus, a cybersecurity research firm. Dridex, also known as Bugat and Cridex, is a type of malware that specializes in obtaining bank credentials through a system that uses Microsoft Word macros. This malware targets Windows users who open an email attachment in Word or Excel, enabling macros to activate and download Dridex, infecting the computer and potentially exposing the victim to banking theft.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The major objective of this software is to steal banking information from users of infected PCs in order to conduct fraudulent transactions. Bank information is used by the software to install a keyboard listener and conduct injection attacks. 
The theft perpetrated by this software was estimated to be worth £20 million in the United Kingdom and $10 million in the United States in 2015. Dridex infections have been linked to ransomware attacks carried out by the Evil Corp hacker gang. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Log4j, an open-source logging library widely used by apps and services on the internet, was revealed to have a vulnerability. If systems are not patched, attackers can break into them, steal passwords and logins, extract data, and infect networks with harmful software. Log4j is widely used in software applications and internet services around the world, and exploiting the vulnerability needs no technical knowledge. As a result, Log4Shell may be the most serious computer vulnerability in years. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Threat actors use the RMI (Remote Method Invocation) variant of the Log4j exploit, according to Joseph Roosen, to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. When the Java class is launched, it will first attempt to download and launch an HTA file from several URLs, which will install the Dridex trojan, according to BleepingComputer. If the Windows commands cannot be executed, the device will be assumed to be running Linux/Unix and a Python script to install Meterpreter will be downloaded and executed. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">On Windows, the Java class will download and open an HTA file, resulting in the creation of a VBS file in the C:\ProgramData folder. This VBS program is the primary downloader for Dridex and has previously been spotted in Dridex email campaigns. When run, the VBS code will examine numerous environment variables to determine whether or not the user is a member of a Windows domain. 
If the user is a domain member, the VBS code will download and run the Dridex DLL with Rundll32.exe.
</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-35548866184959745082021-12-03T13:05:00.001-05:002021-12-03T13:05:15.936-05:00Hackers Use Insulin Pump Management Vulnerability To Compromise Device<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi90YXpZ8TdUmh83fNpvbM0LpZKCswS0-KDspdjj0k45zIRLONbR_Tu8FdfcYRcIdovxzETaY66jGSMs5fFmAz906u1SjPIG6JCxaONjpNSAey_2mDm3emhuNuPSEtzGFND9OnQ0oRLuae3z16K8jjAHaqFEe4IV4xQFrZJQ78R28j4CmtdxERgS9sndA=s960" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="624" data-original-width="960" src="https://blogger.googleusercontent.com/img/a/AVvXsEi90YXpZ8TdUmh83fNpvbM0LpZKCswS0-KDspdjj0k45zIRLONbR_Tu8FdfcYRcIdovxzETaY66jGSMs5fFmAz906u1SjPIG6JCxaONjpNSAey_2mDm3emhuNuPSEtzGFND9OnQ0oRLuae3z16K8jjAHaqFEe4IV4xQFrZJQ78R28j4CmtdxERgS9sndA=s600" width="600" /></a></div><p> </p><div style="text-align: justify;">A recent study by Lyrebirds, a cybersecurity consultancy from Denmark, reveals that a protocol design vulnerability in the Insulet Omnipod Insulin Management System, aka Omnipod Eros, allows an attacker to take command of the device and send programming commands, including immediate insulin delivery. The flaw was found in the communication protocol, which makes it possible for an attacker to cut the signal through jamming, or to send messages after the nonce transmission, without the nonce being invalidated by the device. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The nonce alone isn't linked to the device, meaning it can be used for any command the attacker would like to execute, and it lets both devices return to the expected, immediate program flow while the attacker continues to send or set harmful commands. 
The controller and its pump communicate over 433 MHz radio with three packaging layers on top of the radio link: command, message, and packet. The controller sends a command to the pump and the pump replies. The programming commands require a 4-byte nonce as the first parameter. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Upon setting up a pump, the pump and the controller exchange the LOT and serial identification of the pump, which is used to seed a pseudo-random generator within both the pump and the controller. Once paired, the generators stay in synchronization for the lifetime of a pump. If they get out of sync, a re-sync process is performed, but the new seed depends on the identification numbers sent during pump setup. The device requires a message with the serial number to deliver any packet, but the system involves no encryption. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Experts say that the information sent between controller and device isn't encrypted. As a result, the information in the message and packet headers can be exposed. "For example, the report shows a passive observer could parse the needed information from the pump status before a scheduled time. An attacker could also extract the data directly from the headers they’re trying to exploit from the programming command," SC Media reported. 
</div>Samarth Mishrahttp://www.blogger.com/profile/06894478828562538725noreply@blogger.comtag:blogger.com,1999:blog-7936586016742929815.post-25925628259422839012021-11-30T08:34:00.001-05:002021-11-30T08:34:55.738-05:00Linux Kernel Detected With New Side-Channel Vulnerability<p> </p><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgSTDXrFUCtJsli0XkZay5BrOpt-GrlE39eJbhTDGusfGiE-ArlKXgJEbecLC-ifxf9fyj_3hl_uxk_pzSWYLn9AVYFhTb1ZSpZIuxMIbm6BIhBwR4tc--jleGkt6Sbs5P0Pw2Br_pBkEtYEIRnYUUZVJIJXjwG85DmM7LrCQcbFf7JqgmCQ_BqJX8G=s1920" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="1281" data-original-width="1920" src="https://blogger.googleusercontent.com/img/a/AVvXsEgSTDXrFUCtJsli0XkZay5BrOpt-GrlE39eJbhTDGusfGiE-ArlKXgJEbecLC-ifxf9fyj_3hl_uxk_pzSWYLn9AVYFhTb1ZSpZIuxMIbm6BIhBwR4tc--jleGkt6Sbs5P0Pw2Br_pBkEtYEIRnYUUZVJIJXjwG85DmM7LrCQcbFf7JqgmCQ_BqJX8G=s600" width="600" /></a></div><div style="text-align: justify;">The latest research work published by a group at the University of California, Riverside, demonstrates the existence of formerly unnoticed side channels in Linux kernels that can be used to attack DNS servers. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">As per the researchers, the problem with DNS stems from its design, which never prioritized security and made it incredibly difficult to retrofit robust security features into it. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Although DNS security capabilities such as DNSSEC and DNS cookies are available, they are not generally used owing to backward compatibility, according to the researchers. 
However, the only way to make DNS more secure has been to randomize UDP ports, known as ephemeral ports, with the aim of making it more difficult for an intruder to find them.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variation of DNS cache poisoning which allows an attacker to insert harmful DNS records into a DNS cache, routing all traffic to their server and thereby becoming a man-in-the-middle (MITM). Subsequently, some of the researchers who first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The study focuses on two forms of ICMP error messages: ICMP fragmentation needed (or ICMP packet too big in IPv6) and ICMP redirect. As the researchers demonstrate, the Linux kernel processes these messages using shared resources that constitute side channels. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Essentially, this means that an attacker might send ICMP probes to a guessed port. If the guessed port is correct, there will be some modification in the shared resource state which can be detected indirectly, confirming the guess. An attack, for example, may reduce a server's MTU, resulting in future answers being fragmented. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">According to the investigators, the newly found side channels affect the most popular DNS software, such as BIND, Unbound, and dnsmasq running on top of Linux. An estimated 13.85% of open resolvers are impacted. Furthermore, the researchers demonstrate an end-to-end attack against one of the most recent BIND resolvers and a home router that takes just minutes to complete. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This attack can be avoided by configuring suitable socket options, such as asking the operating system not to accept ICMP fragmentation needed messages, which eliminates the side channel; by randomizing the kernel's shared caching structure itself; and by refusing ICMP redirects. Following the disclosure of this new vulnerability, the Linux kernel has been patched to randomize the shared kernel structure for both IPv4 and IPv6.</div>Unknownnoreply@blogger.com
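The socket-level mitigation named in that last paragraph, as an added Python example that is neither the researchers' code nor that of any DNS server: it opens a UDP socket the way a resolver would and sets the Linux path-MTU discovery mode to IP_PMTUDISC_OMIT, which makes the kernel ignore incoming ICMP fragmentation-needed notifications for that socket (so a spoofed one cannot update its path-MTU state), sends without the DF bit, and still lets oversized packets be fragmented. Refusing ICMP redirects is a host-wide sysctl rather than a socket option, so the example only reads that setting back. The numeric fallbacks are the values from the Linux headers, used because CPython does not export all of these constants; the example assumes a Linux host and is not portable.

```python
import socket
import sys

# Linux socket option values from <linux/in.h> and <linux/in6.h>. CPython's
# socket module does not export all of them, so fall back to the numbers.
IP_MTU_DISCOVER = getattr(socket, "IP_MTU_DISCOVER", 10)
IP_PMTUDISC_OMIT = getattr(socket, "IP_PMTUDISC_OMIT", 5)
IPV6_MTU_DISCOVER = getattr(socket, "IPV6_MTU_DISCOVER", 23)
IPV6_PMTUDISC_OMIT = getattr(socket, "IPV6_PMTUDISC_OMIT", 5)

# Host-wide sysctl controlling whether ICMP redirects are honoured at all
# (assumed path; it is the standard Linux location).
ACCEPT_REDIRECTS_SYSCTL = "/proc/sys/net/ipv4/conf/all/accept_redirects"


def hardened_udp_socket(family=socket.AF_INET):
    """Create a UDP socket that ignores ICMP 'fragmentation needed' messages.

    With IP_PMTUDISC_OMIT the kernel does not accept path-MTU updates for this
    socket, does not set DF on outgoing datagrams, and fragments datagrams
    larger than the interface MTU instead of rejecting them. A resolver that
    opens its query sockets this way removes the per-socket PMTU state the
    side channel relies on.
    """
    if not sys.platform.startswith("linux"):
        raise OSError("these socket options are Linux-specific")
    sock = socket.socket(family, socket.SOCK_DGRAM)
    if family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, IPV6_MTU_DISCOVER, IPV6_PMTUDISC_OMIT)
    else:
        sock.setsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER, IP_PMTUDISC_OMIT)
    return sock


def pmtu_discovery_mode(sock):
    """Read back the PMTU discovery mode so a resolver can verify its own setup."""
    if sock.family == socket.AF_INET6:
        return sock.getsockopt(socket.IPPROTO_IPV6, IPV6_MTU_DISCOVER)
    return sock.getsockopt(socket.IPPROTO_IP, IP_MTU_DISCOVER)


def icmp_redirects_accepted(path=ACCEPT_REDIRECTS_SYSCTL):
    """True/False from the sysctl, or None when it cannot be read (non-Linux, sandbox)."""
    try:
        with open(path) as fh:
            return fh.read().strip() != "0"
    except OSError:
        return None


if __name__ == "__main__":
    s = hardened_udp_socket()
    print("IPv4 PMTU discovery mode:", pmtu_discovery_mode(s),
          "(5 == IP_PMTUDISC_OMIT)")
    s.close()
    print("Host accepts ICMP redirects:", icmp_redirects_accepted())
```

Run it on a resolver host to confirm the mode reads back as 5 and that the redirect sysctl is 0; the same two checks can be folded into a configuration audit for any service that answers over UDP and would otherwise trust unsolicited ICMP errors.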