Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Endpoint security. Show all posts
Vulnerability management
Chinese Hackers Cyber Security Data Privacy Endpoint security Vulnerability management

Chinese APT40 Can Exploit Flaws Within Hours of Public Release

 

A joint government advisory claims that APT40, a Chinese state-sponsored actor, is focusing on recently discovered software vulnerabilities in an attempt to exploit them in a matter of hours.

The advisory, authored by the Cybersecurity and Infrastructure Security Agency, FBI, and National Security Agency in the United States, as well as government agencies in Australia, the UK, Canada, New Zealand, Germany, South Korea, and Japan, stated that the cyber group has targeted organisations in a variety of arenas, employing techniques commonly employed by other state-sponsored actors in China. It has often targeted Australian networks, for instance, and remains a threat, the agencies warned. 

Rather than using strategies that involve user engagement, the gang seems to prefer exploiting vulnerable, public-facing infrastructure and prioritising the collection of valid credentials. It frequently latches on public exploits as soon as they become accessible, creating a "patching race" condition for organisations. 

"The focus on public-facing infrastructure is interesting. It shows they're looking for the path of least resistance; why bother with elaborate phishing campaigns when you can just hit exposed vulnerabilities directly?" stated Tal Mandel Bar, product manager at DoControl. 

The APT targets newly disclosed flaws, but it also has access to a large number of older exploits, according to the agencies. As a result, a comprehensive vulnerability management effort is necessary.

Comprehensive reconnaissance efforts 

APT40 conducts reconnaissance against networks of interest on a regular basis, "including networks in the authoring agencies' countries, looking for opportunities to compromise its targets," according to the joint advice. The group then employs Web shells for persistence and focuses on extracting data from sensitive repositories.

"The data stolen by APT40 serves dual purposes: It is used for state espionage and subsequently transferred to Chinese companies," Chris Grove, director of cybersecurity strategy at Nozomi Networks, stated. "Organizations with critical data or operations should take these government warnings seriously and strengthen their defenses accordingly. One capability that assists defenders in hunting down these types of threats is advanced anomaly detection systems, acting as intrusion detection for attackers able to 'live off the land' and avoid deploying malware that would reveal their presence.” 

APT40's methods have also advanced, with the group now adopting the use of compromised endpoints such as small-office/home-office (SOHO) devices for operations, allowing security agencies to better track it. Volt Typhoon's noted approach is just one of many parts of the group's operation that are comparable to other China-backed threat groups including Kryptonite Panda, Gingham Typhoon, Leviathan, and Bronze Mohawk, the advisory reads. 

The advisory provides mitigating approaches for APT40's four major types of tactics, techniques, and procedures (TTPs), which include initial access, execution, persistence, and privilege escalation.
Read more »
Software Security
Backdoor Courtroom Endpoint security malware Software Security

From Courtroom to Cyber Threat: The JAVS Viewer 8 Incident

From Courtroom to Cyber Threat: The JAVS Viewer 8 Incident

Hackers have broken into a popular brand of recording software used in courtrooms, jails, and prisons, allowing them to obtain complete control of the system via a backdoor implanted in an update to the application.

Software and its purpose

Justice AV Solutions (JAVS) uses its technologies to capture events such as lectures, court proceedings, and council meetings, and they have over 10,000 installations worldwide. It is available for download from the vendor's website and is a Windows installer package. 

The discovery 

However, the company announced this week that it had uncovered a security flaw in an earlier version of its JAVS Viewer program.

Through continuing monitoring and consultation with cyber authorities, the company discovered attempts to replace its Viewer 8.3.7 software with a tainted file.

The company removed all versions of Viewer 8.3.7 from the JAVS website, changed all passwords, and thoroughly assessed all JAVS systems. It also determined that all currently available files on the JAVS.com website are legitimate and free of malware. The company also confirmed that no JAVS source code, certificates, systems, or other software releases were affected during this event.

The backdoor

The malicious file, which contained malware, "did not originate from JAVS or any third party associated with JAVS," and the business advised users to ensure that any software they installed was digitally signed.

Rapid7, a cybersecurity firm, published an investigation of the vulnerability on Thursday, revealing that the compromised JAVS Viewer program — which opens media and logs files in the suite — contains a backdoored installer that allows attackers full access to an infected system. 

Installation and communication

The malware sends data about the host machine to the threat actors' command-and-control (C2) servers. Rapid7 identified the bug as CVE-2024-4978 and stated that it collaborated with the CISA to coordinate the disclosure of the problem. 

Rapid7 stated that the malicious copies of the software were signed by "Vanguard Tech Limited," which is reportedly headquartered in London. 

Rapid7's alert emphasized the importance to reimaging all endpoints where the software was installed, as well as resetting credentials on web browsers and any accounts authenticated into impacted endpoints, both local and remote. 

Data harvesting

Simply uninstalling the software is insufficient, as attackers could have installed further backdoors or malware. They wrote that reimagining allows for a fresh start.

"It is important to completely re-imagine compromised endpoints and reset associated passwords to guarantee that attackers have not persisted via backdoors or stolen credentials. 

A threat intelligence researcher originally raised the matter on X (previously Twitter) in April, claiming that "malware is being hosted on the official website of JAVS." 

On May 10, Rapid7 responded to a client's system warning and traced an infection to an installer downloaded from the JAVS website. The malicious file that the victim had downloaded appears to have been withdrawn from the website, and it is unclear who did so. 

Additional malware

A few days later, the researchers uncovered another installer file carrying malware on the JAVS website. 

Software updates have become a focus in cybersecurity because end users frequently click "update" when requested, or they have them enabled automatically. 

Several firms, most notably SolarWinds and 3CX, have grappled with nation-state intrusions that used the update process to secretly implant malware. 

Read more »
malware
Crypto Mining Cryptojacking Endpoint security GhostEngine malware

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Cryptojacking Alert: GhostEngine Disables Endpoint Protections

Recently found malware uses advanced techniques to defeat antivirus safeguards, delete signs of infection, and permanently infect devices with cryptocurrency-mining software, experts said. 

"The first goal of the GhostEngine malware is to disable endpoint security solutions and specific Windows event logs, such as Security and System logs, which record process creation and service registration," said Elastic Security Labs researchers, who found the attacks.

The Anatomy of GhostEngine

  • Targeting Endpoint Security Solutions: GhostEngine specifically aims at endpoint security solutions, which include antivirus software, intrusion detection systems, and endpoint detection and response (EDR) tools. By disabling these defenses, the attackers gain a foothold within the victim’s system.
  • Driver Exploitation: The attack exploits vulnerable drivers from popular security software providers, such as Avast and IOBit. These drivers are essential for communication between the operating system and hardware components. GhostEngine manipulates them to gain access to the kernel, a privileged area of the system.
  • Silent Disabling of EDR: Once inside, GhostEngine silently disables the EDR system. This step is crucial because EDR tools monitor system behavior, detect anomalies, and respond to threats. By neutralizing EDR, GhostEngine ensures that its activities remain undetected.
  • Cryptocurrency Mining Payload: With the defenses down, GhostEngine deploys its payload: XMRig, a popular Monero (XMR) mining software. Monero is favored by cybercriminals due to its privacy features, making it difficult to trace transactions. The compromised system becomes a silent miner, contributing computational power to the attacker’s mining pool.

About GhostEngine

A function in the primary payload called GhostEngine disables Microsoft Defender or any other antivirus or endpoint security software that may be running on the targeted computer, which is critical to the extraordinarily complicated malware system's operation. It also masks any signs of compromise. 

When GhostEngine first starts, it checks machines for any EDR, or endpoint protection and response, software that may be running. If it detects any, it loads drivers known to have vulnerabilities that allow attackers to gain access to the kernel, which is severely restricted to prevent manipulation. 

Modus operandi

One of the susceptible drivers is Avast's anti-rootkit file aswArPots.sys. GhostEngine utilizes it to shut down the EDR security agent. A malicious file named smartscreen.exe then deletes the security agent binary using “iobitunlockers.sys” IObit driver.

Once the susceptible drivers are loaded, detection opportunities diminish drastically, and businesses must identify affected endpoints that stop submitting logs to their SIEM, according to the researchers. SIEM stands for security information and event management. Their research is consistent with recent findings from Antiy.

After the EDR has been terminated, smartscreen.exe downloads and installs XMRig, a genuine tool for mining the Monero cryptocurrency, which is frequently abused by threat actors. A configuration file is included, which causes all money generated to be put into an attacker-controlled wallet.

The infection chain begins with the execution of a malicious binary masquerading as the genuine Windows file TiWorker.exe. That file executes a PowerShell script that obtains an obfuscated script called get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server.

File execution to enable the virus

GhostEngine also executes various files that enable the virus to become persistent, which means it loads every time the infected machine restarts. 

To accomplish this, the file get.png creates the following scheduled tasks with SYSTEM, the highest system privileges in Windows:

  • OneDriveCloudSync uses msdtc to start the malicious service DLL C:\Windows\System32\oci.dll every 20 minutes.
  • DefaultBrowserUpdate will launch C:\Users\Public\run.bat, which downloads and executes the get.png script every 60 minutes.
  • OneDriveCloudBackup will run C:\Windows\Fonts\smartsscreen.exe every 40 minutes.

Why GhostEngine Matters

  • Financial Gain: GhostEngine’s primary motive is financial. By harnessing the victim’s computing resources, the attackers mine Monero, potentially yielding substantial profits. The longer the attack remains undetected, the more cryptocurrency they accumulate.
  • Resource Drain: Cryptojacking strains system resources—CPU, memory, and electricity—leading to slower performance and increased energy bills. Users may notice sluggishness but remain unaware of the underlying cause.
  • Corporate Impact: In corporate environments, widespread cryptojacking can disrupt business operations. Overloaded systems affect productivity, and IT teams must allocate resources to investigate and remediate the issue.

Read more »
LLM security
Cyber Security endpoint detection and response Endpoint security Garner LLM security

How are LLMs with Endpoint Data Boost Cybersecurity


The issue of capturing weak signals across endpoints and predicting possible patterns of intrusion attempts is ideally suited for Large Language Models (LLMs). The objective is to mine attack data in order to improve LLMs and models and discover new threat patterns and correlations.

Recently, some of the top endpoint detection and response (EDR) and extended detection and response (XDR) vendors were seen taking on the challenge. 

Palo Alto Network’s chairman and CEO Nikesh Arora says, “We collect the most amount of endpoint data in the industry from our XDR. We collect almost 200 megabytes per endpoint, which is, in many cases, 10 to 20 times more than most of the industry participants. Why do you do that? Because we take that raw data and cross-correlate or enhance most of our firewalls, we apply attack surface management with applied automation using XDR.” 

Co-founder and CEO of Crowdstrike, George Kurtz stated at the company’s annual Fal.Con event last year, “One of the areas that we’ve really pioneered is that we can take weak signals from across different endpoints. And we can link these together to find novel detections. We’re now extending that to our third-party partners so that we can look at other weak signals across not only endpoints but across domains and come up with a novel detection.” 

It has been demonstrated that XDR can produce better signals with fewer noise. Broadcom, Cisco, CrowdStrike, Fortinet, Microsoft, Palo Alto Networks, SentinelOne, Sophos, TEHTRIS, Trend Micro, and VMware being some of the top providers of XDR platforms.

Why LLMs are the new key element of Endpoint Security?

Endpoint security will evolve with the inclusion of telemetry and human-annotated data by enhancing LLMs. 

As per the authors of Gartner’s latest Hype Cycle for Endpoint Security, endpoint security technologies concentrate on faster, automated detection and prevention as well as remediation of attacks, to power integrated, extended detection and response (XDR), which correlates data points and telemetry from endpoint, network, emails, and identity solutions.

Compared to the larger information security and risk management market, spending on EDR and XDR is expanding more quickly. As a result, there is more intense competition across EDR and XDR providers.

According to Gartner, the market for endpoint security platforms will expand at a compound annual growth rate (CAGR) of 16.8% from its current $14.45 billion to $26.95 billion in 2027. With an 11% compound annual growth rate, the global market for information security and risk management is expected to reach $287 billion by 2027 from $164 billion in 2022.  

Read more »
Vulnerabilities and Exploits
Data Leak Endpoint security GPUs side-channel attacks Vulnerabilities and Exploits

Modern GPUs Susceptible to Latest GPU.zip Side-Channel Assault

 

Researchers from numerous American universities have discovered that nearly every contemporary graphics processing units (GPUs) are vulnerable to a brand-new kind of side-channel attack that could be employed to steal sensitive information. 

GPU.zip is a novel attack method discovered and reported by representatives from the University of Texas at Austin, Carnegie Mellon University, the University of Washington, and the University of Illinois Urbana-Champaign. 

The GPU.zip attack employs hardware-based graphical data compression, an optimization in modern GPUs that is created for enhancing performance.

"GPU.zip exploits software-transparent uses of compression. This is in contrast to prior compression side channels, which leak because of software-visible uses of compression and can be mitigated by disabling compression in software,” the researchers stated.

GPU.zip can be used to compromise a device by tricking the targeted user into visiting a malicious website, unlike many other recently revealed side-channel attacks that require physical access to the target device. Through this technique, the attacker's website is able to steal data from other websites that the victim is actively visiting. 

The method can specifically be used by the malicious website to steal individual pixels from another site that is open at the same time. This allows for the theft of visible information on the screen, such as usernames, which can be exploited to deanonymize a user.

While most websites that save sensitive information are designed to avoid this type of leakage, certain popular sites are still vulnerable. 

The researchers demonstrated the attack through stealing the targeted individual's username, which is displayed in the upper right corner of Wikipedia. It is worth mentioning, however, that obtaining the information via a GPU.zip attack takes a significant amount of time.

The researchers' two experiments took 30 minutes and 215 minutes to establish the Wikipedia login. Nevertheless, developers should verify that their websites are not vulnerable by configuring them to refuse being integrated by sites from other domains. 

In March 2023, AMD, Apple, Arm, Intel, Nvidia, and Qualcomm were given information on the discoveries and proof-of-concept (PoC) code, but none of them had committed to releasing updates by September 2023. 

The attack has been demonstrated to operate with the Chrome web browser. Other popular browsers, such as Safari and Firefox, are unaffected. Google was also alerted about the potential risk in March 2023, but the internet giant is currently debating whether and how to fix the issue, the researchers added.
Read more »
Technologies
Agriculture Agriculture industry Cyber Security Endpoint security farmers Food Supply Chain Hackers Technologies

Agriculture Industry Should be Prepared: Cyberattacks May Put Food Supply Chain at Risk


Technological advancement in the agriculture sector has really improved the lives of farmers in recent years. Along with improved crop yields and cutting input costs, farmers can keep an eye on their crops from anywhere in the world.

Now, farmers can even use drone technology without having to transverse countless acres. They can monitor the movements, feeding, and even chewing patterns of every cow in their herd. However, a greater reliance on technology could endanger our farmers. More technology means more potential for hacks that might put the food supply chain in danger. 

For more such technologies, like automated feeding and watering systems, autonomous soil treatment systems or even smart heat pumps or air conditioners, that enable connecting to the internet – known in the security circles as “endpoints” – there is a risk of their vulnerabilities being exploited by threat actors. 

It is crucial that software manufacturers in the agriculture industry give security a high priority in their components and products in order to proactively address these dangers. From the farm to the store, security must be integrated into every step of this supply chain to guarantee that entire systems are kept safe from any potential intrusions. These are not some simple threats, hackers are employing ransomware to target specific farms while jailbreaking tractors. More than 40,000 members of the Union des producteurs agricoles in Quebec were affected by a ransomware attack earlier this month. 

However, it could be difficult to stay protected from all sorts of risks, considering the complexity of new technologies and the diversity in applying them all. From enormous refrigeration units to industrial facilities with intricate operations and technology to networked and more autonomous farming equipment, all pose a potential security risk.

In order to minimize the risk, it is important for the endpoints to adopt the latest embedded security protocols and ensure that all the farm devices are updated with the latest security patches. 

It is interesting to note that humans proved to be a weak link in the cybersecurity chain. It will be easier to prevent some of the most frequent mistakes that let hostile actors in if businesses practice "cyber hygiene," such as adopting two-factor authentication and creating "long and strong" (and private) passwords for every user. Cybercriminals, unlike farmers, are often fairly sluggish, so even a tiny level of security can make them move their nefarious operations elsewhere.

Moreover, education and a free flow of information turn out to be the best tool to safeguard the entire food supply chain. In order to maintain a reliable and resilient food supply chain, it has been suggested that stakeholders work together in sharing information in regard to the best measures ensuring better cybersecurity standards – which may include software manufacturers, farmers, food processors, retailers and regulators.  

Read more »
Web browsing
Cloud Computing Cyber Security Cybersecurity Endpoint security Remote Work Web browsing

The Rising Popularity of Remote Browser Isolation

Browser Isolation

The Importance of Browser Isolation in a Remote Work Environment

The COVID-19 pandemic has caused a seismic shift in the way we work, with remote work becoming the norm for many organizations. While this has brought numerous benefits, it has also presented new security challenges. In response, companies have turned to remote browser isolation as a solution. 

According to the "Innovation Insight for Remote Browser Isolation" report by Menlo Security, remote browser isolation is a rapidly evolving technology that is gaining popularity due to its ability to provide a secure browsing experience. In this blog, we will explore some of the key findings of this report and examine the growing importance of remote browser isolation in today's business landscape.

Amit Jain, who holds the position of Senior Director of Product Management at Zscaler, a cloud-based security company, suggests that due to the increasing number of remote employees utilizing cloud services, browser isolation has become essential in safeguarding both corporate cloud services and the employee's device.

He says, "For modern enterprises, the Internet is now the corporate network. This shift has enabled workers to work from anywhere while being able to access the information they need for their jobs through cloud-based apps and private apps via the Web, while this has provided maximum flexibility to workers, it has also significantly expanded the attack surface and has the potential to expose data."

Key Trends in Remote Browser Isolation: An Analysis of Menlo Security's Report

1. Growing Popularity of Remote Browser Isolation: It is quickly gaining traction as a key security technology, with many organizations recognizing its ability to protect against web-based threats.

2. Increased Need for Scalable Solutions: As more companies adopt remote work policies, the need for scalable remote browser isolation solutions has become more pressing. Many companies are exploring cloud-based solutions to meet this need.

3. The Importance of User Experience: Despite its security benefits, remote browser isolation can be challenging to implement in a way that provides a seamless user experience. The report highlights the importance of user experience in driving the adoption and suggests that solutions that prioritize ease of use are likely to gain traction.

4. New Threats and Attack Vectors: As with any security technology, remote browser isolation is not immune to evolving threats and attack vectors. The report discusses some of the emerging threats that remote browser isolation must contend with and suggests that ongoing innovation in this space will be critical in order to stay ahead of attackers.

5. Integration with Other Security Technologies: Remote browser isolation is most effective when integrated with other security technologies such as secure web gateways and endpoint security solutions. 

Browser Isolation Solutions: Will companies isolate?

Gartner says, "By 2022, 25% of enterprises will adopt browser isolation techniques for some high-risk users and use cases, up from less than 1% in 2017. By effectively isolating endpoints from browser-executable code, attacks that compromise end-user systems will be reduced by 70%, while eliminating the need to detect or identify malware."

Larger companies operating in regulated industries have tended to adopt remote browser isolation due to its ease of deployment and its physical air gap, which provides an additional layer of security. 

Small and medium-sized enterprises tend to opt for local browser isolation technology due to its flexibility. As expected, vendors have varying opinions on whether standalone or integrated solutions are preferable.

Mr. Jain from Zscaler said "The technology should be fully integrated into the zero trust platform providing threat protection for all Web activity and preventing data loss from sanctioned SaaS and corporate private apps. Moreover, HTML smuggling [and other] attacks can be better thwarted by an architecture which involves a tighter combination of browser isolation and sandbox technologies."

As cloud usage has increased, browser isolation has become even more important. Cloud services are often accessed through web browsers, and if a user's device is compromised, the sensitive data stored in the cloud is also at risk. However, using browser isolation significantly reduces the risk of a data breach.

Mark Guntrip, senior director at Menlo Security, said "It's not the fact of what we do — it's the fact that we do it without interfering with that digital experience of the end user." So they can interact with whatever they want. They can click on whatever they want, but we hold anything that's active away from them"



Read more »
Subscribe to: Posts (Atom)