
Defending Against Snake Ransomware: Here's All You Need to Know

 

A snake is not just a carnivorous reptile that poses a physical threat; it can also refer to a malicious software known as ransomware, capable of causing significant harm to your computer system. Similar to its namesake, this ransomware silently infiltrates your applications and contaminates your data.

If your data holds even a modicum of value, you could potentially fall victim to Snake ransomware. These cybercriminals are actively seeking their next target. So, how can you safeguard yourself from their clutches?

Snake ransomware is malware that cybercriminals deploy after gaining unauthorized remote access to your system, using it to encrypt your data. Remarkably, your device continues to function normally during the infection, providing no indication of compromise. The intruder then demands payment in exchange for data restoration. Snake ransomware primarily targets enterprises and is written in Go (Golang), an open-source programming language.

Snake ransomware is notorious for its stealthy operations. While all the technical components of your system may appear to be functioning as usual, malicious actors have surreptitiously tainted them with malware. To successfully execute their attack, threat actors employ the following steps:

1. Gaining Remote Access: Hackers use various methods to gain unauthorized access to systems. With Snake ransomware, they specifically exploit weaknesses in the remote desktop protocol (RDP), which lets users control a machine remotely over a network. Despite RDP's default network-level authentication (NLA), intended to bolster security, attackers adeptly identify and exploit its weaknesses, often employing eavesdropping attacks to intercept and manipulate communication.

2. Registering a Signature: Once inside the system, the attacker checks whether Snake ransomware has already infected it by looking for a mutual-exclusion object (mutex) named EKANS ("snake" spelled backwards). Only one instance of Snake ransomware can exist on a system at a time. If the check reveals an existing infection, the intruder aborts; otherwise, they proceed.

3. Modifying Firewall Settings: Firewalls monitor incoming and outgoing network traffic to detect malicious activity. To keep Snake ransomware undetected and unhindered, hackers manipulate firewall settings to suit their objectives. This involves configuring the firewall to block any traffic that does not conform to the newly established rules, effectively isolating the system.

4. Deleting Backups: The success of a Snake ransomware attack hinges on the victim's inability to recover data from backups. Consequently, the threat actor meticulously searches for and deletes all data backups within the system. If a data recovery system is in place, the criminal alters its settings to render it inactive, often going unnoticed by the victim.

5. Disrupting Automated Processes: Snake ransomware disrupts both manual and automated processes to exert pressure on the victim and force compliance. This disruption can lead to a complete halt of operations, leaving the victim with no control over critical processes.

6. Encrypting Files: The final stage of a Snake ransomware attack involves encrypting files while they remain on the victim's system. Notably, files in the operating system are exempt from encryption, allowing the victim to log in and perform regular activities without realizing their system is under attack. Post-encryption, Snake ransomware renames these files.

Preventing Snake Ransomware
Preventing Snake ransomware is most effective when potential attackers are unable to operate with administrator privileges. Here are steps to shield your system:

1. Deactivate Remote Desktop Protocol: Disabling RDP significantly reduces the risk of an intruder accessing your system with Snake ransomware. If RDP is necessary, enforce robust security practices such as preventing third-party access, implementing smart card authentication, and adopting a defense-in-depth approach to secure all layers of your application.

2. Exercise Caution with Attachments and Links: Even with RDP deactivated, remain vigilant as perpetrators may send malware-infected attachments or links to gain remote access when opened. Consider installing antivirus software to detect and neutralize potential threats.

3. Monitor Network Activities: Snake ransomware operates covertly, making it essential to monitor network activities with automated threat monitoring tools. These tools work continuously to analyze network traffic and detect unusual behavior that might evade manual detection.

4. Back Up Data on Separate Devices: Storing data backups on the same system offers limited protection during a ransomware attack. Instead, implement and maintain backups in separate, unconnected locations. Consider offline storage for added security.

5. Beware of Unfamiliar Apps: Intruders frequently employ malicious software to execute cyberattacks. To safeguard your system, use threat detection systems to periodically scan your applications for unfamiliar tools. Effective detection tools not only identify such software but also contain their operations.

Snake ransomware operates stealthily and encrypts your data, rendering it inaccessible without the decryption key. To avoid reaching this critical point, prioritize proactive security measures, employ robust defenses, and cultivate a security-conscious culture to thwart Snake ransomware's attempts to infiltrate and compromise your system.
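Added example (not code from the original post): a Python correlation of the attack stages described above, run over constructed Windows logon and process-creation events. A single stage is a weak signal; several distinct stages on one host inside a short window is what the monitoring the post recommends should alert on. The event line format, the stage signatures and the 30-minute window are this example's own assumptions.

```python
"""Correlate Snake/EKANS-style stages (RDP logon, firewall rewritten to block
traffic, backups deleted, recovery disabled) across constructed host telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection signatures for the behaviours the post describes. These are a
# defender's patterns written for this example, not part of the original post.
STAGE_PATTERNS = {
    "rdp_logon": re.compile(r"\bEventID=4624\b.*\bLogonType=10\b"),
    "firewall_block": re.compile(r"netsh\s+advfirewall\b.*\bblock", re.I),
    "backup_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disable": re.compile(r"bcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I),
}

# Assumed line layout: "<ISO timestamp> host=<name> <rest of event>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Return (timestamp, host, rest) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["rest"]


def classify(rest):
    """Map one event to the first stage signature it matches, else None."""
    for stage, pat in STAGE_PATTERNS.items():
        if pat.search(rest):
            return stage
    return None


def correlate(lines, window=timedelta(minutes=30), min_stages=2):
    """Return {host: sorted stage names} for every host on which at least
    `min_stages` distinct stages occur within `window` of each other."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, rest = parsed
        stage = classify(rest)
        if stage:
            by_host[host].append((ts, stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample telemetry (not real logs): FS01 shows the full chain,
# WS22 shows a lone backup-catalog cleanup that should not alert on its own.
SAMPLE_LOGS = [
    "2023-09-01T02:10:05 host=FS01 EventID=4624 LogonType=10 user=svc_admin src=10.0.5.77",
    "2023-09-01T02:14:30 host=FS01 EventID=4688 cmd=netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound",
    "2023-09-01T02:15:02 host=FS01 EventID=4688 cmd=vssadmin.exe delete shadows /all /quiet",
    "2023-09-01T02:15:09 host=FS01 EventID=4688 cmd=bcdedit /set {default} recoveryenabled no",
    "2023-09-01T03:00:00 host=WS22 EventID=4688 cmd=wbadmin delete catalog -quiet",
    "2023-09-01T09:00:00 host=WS22 EventID=4688 cmd=notepad.exe",
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: stages {', '.join(stages)}")
```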

Why Next-Generation Firewalls are Essential for Modern Network Security


Firewalls have long been considered the first line of defense in network security. They monitor and control incoming and outgoing network traffic based on predetermined security rules. However, as technology evolves and cyber threats become more sophisticated, traditional firewalls are no longer adequate for protecting your network.

The Limitations of Traditional Firewalls

Traditional firewalls focus on monitoring traffic via IP addresses and port numbers. They are designed to block or allow traffic based on these parameters. However, they stumble when it comes to deeply examining packet contents to pinpoint specific applications or services. This shortcoming blurs the line between safe and harmful traffic, particularly as encryption becomes the norm in modern communication.

For example, a traditional firewall may allow traffic from a trusted IP address, but it cannot determine if the traffic contains malicious content. Similarly, it may block traffic from an untrusted IP address, but it cannot determine if the traffic is actually harmless. This lack of visibility into the contents of network traffic leaves your network vulnerable to attacks.

The Need for Next-Generation Firewalls

To address these limitations, next-generation firewalls (NGFWs) have been developed. NGFWs go beyond traditional firewalls by incorporating additional security features such as deep packet inspection, intrusion prevention, and application awareness.

Deep packet inspection allows NGFWs to examine the contents of network traffic in real-time. This enables them to identify and block malicious content, even if it is coming from a trusted IP address. Intrusion prevention systems (IPS) provide an additional layer of protection by detecting and preventing known vulnerabilities and exploits.

Benefits of NGFWs

Application awareness allows NGFWs to identify and control specific applications or services, regardless of the port or protocol used. This provides greater visibility and control over network traffic, allowing you to block or allow traffic based on the application or service rather than just the IP address or port number.

Traditional firewalls are no longer adequate for protecting your network against modern cyber threats. Next-generation firewalls provide greater visibility and control over network traffic, allowing you to better protect your network against attacks. If you’re still relying on a traditional firewall for your network security, it may be time to consider upgrading to a next-generation firewall. 

Meduza Stealer Targets Password Managers

 


A critical cybersecurity issue known as Meduza Stealer, a dangerous new info stealer, has surfaced. This sophisticated malware compromises private user information by specifically attacking well-known password managers. Security professionals urge users to exercise caution and take the necessary safety measures to protect their data.
According to a recent report by TechRadar Pro, Meduza Stealer has gained notoriety for its ability to bypass traditional security measures, making it challenging to detect and mitigate. The malware primarily focuses on infiltrating prominent password manager applications, a concerning trend given the increasing reliance on such tools to secure online credentials.

The reports state Meduza Stealer has already targeted 19 password managers, putting millions of users at risk. It operates by intercepting and exfiltrating sensitive information stored in these applications, including usernames, passwords, and other confidential data. The stolen information can be used for various malicious purposes, such as unauthorized access to personal accounts, identity theft, or financial fraud.

Meduza Stealer uses evasion techniques to avoid detection and remain hidden within targeted systems. Its advanced capabilities enable it to bypass antivirus software and firewalls, making it a significant challenge for security professionals to combat effectively.

Industry experts are urging users of password managers to remain cautious and implement additional security measures. Regularly updating software and using multi-factor authentication are recommended practices that can significantly reduce the risk of falling victim to such attacks. In addition, individuals are advised to exercise caution while clicking on suspicious links or downloading files from unknown sources, as these are often the entry points for malware.

Cybersecurity firms and researchers are working hard to create solutions in response to the threat Meduza Stealer poses. To remain ahead of such new threats, close cooperation between software developers, security professionals, and end users is essential.

Cybersecurity analyst John Smith underlines the value of preventative security measures. He says, "Users must continually upgrade their security procedures and keep up with the most recent threats. People can dramatically lessen their vulnerability to info stealers like Meduza Stealer by using strong passwords, enabling two-factor authentication, and exercising caution."

The development of complex attacks like Meduza Stealer, which are part of the ongoing transformation of the digital environment, highlights the importance of strong security procedures. People may safeguard their important data and reduce the risks brought on by these new cybersecurity threats by keeping themselves informed and putting in place thorough security measures.


Lazarus Hackers Exploit Windows IIS Web Servers for Initial Access

 

The notorious Lazarus hacking group has once again made headlines, this time for targeting Windows Internet Information Services (IIS) web servers as a means of gaining initial access to compromised systems. The group, believed to have links to the North Korean government, has a long history of conducting high-profile cyberattacks for various purposes, including espionage, financial theft, and disruption.

According to security researchers, Lazarus has been exploiting a vulnerability in Microsoft Internet Information Services (IIS) servers, specifically targeting those running older versions such as IIS 6.0 and IIS 7.0. This vulnerability, tracked as CVE-2021-31166, allows remote code execution and has previously been patched by Microsoft. However, many organizations still fail to apply these critical security updates, leaving their systems vulnerable to exploitation.

The attack campaign starts with the hackers sending specially crafted HTTP requests to the targeted IIS servers, triggering a buffer overflow and ultimately allowing the execution of arbitrary code. Once the hackers gain a foothold in the compromised system, they can further expand their access, exfiltrate sensitive data, or even deploy additional malware for advanced persistence.

The motives behind Lazarus' targeting of IIS servers remain unclear, but given the group's history, it is likely to involve espionage or financial gain. It's important to note that the Lazarus group has been involved in numerous high-profile attacks, including the infamous WannaCry ransomware attack in 2017.

To protect against such attacks, organizations must prioritize the security of their web servers. This includes ensuring that all necessary security updates and patches are promptly applied to IIS servers. Regular vulnerability scanning and penetration testing can help identify any weaknesses that could be exploited by threat actors.

Additionally, organizations should implement robust security measures, such as web application firewalls (WAFs) and intrusion detection systems (IDS), to detect and block suspicious activities targeting their web servers. Strong access controls, regular monitoring of system logs, and user awareness training are also crucial in mitigating the risk of initial access attacks.

The Lazarus group's continued activities serve as a reminder that cyber threats are ever-evolving and require constant vigilance. Organizations must stay proactive in their approach to cybersecurity, staying up to date with the latest threats and implementing appropriate measures to protect their systems and data.

Dish Network Hit by Cyberattack and Multiple Lawsuits

Satellite TV provider, Dish Network, recently suffered a ransomware attack that compromised the sensitive data of its customers and employees. The attack occurred in February 2023 and was only revealed by the company in April. Since then, the company has been hit with multiple lawsuits from affected customers, which could have serious financial and reputational consequences.

According to Dish Network, the attackers accessed a database that contained names, addresses, phone numbers, and email addresses of its customers and employees. While there is no evidence that the attackers stole financial information, social security numbers, or passwords, the theft of personal information alone is a major cause for concern.

The company has not disclosed how the attack occurred or which ransomware group was responsible. However, security experts have noted that many ransomware attacks start with a phishing email or a vulnerability in software that is not patched in time.

Dish Network has said that it immediately launched an investigation and informed law enforcement about the attack. It has also offered affected customers two years of free credit monitoring and identity theft protection services. However, this may not be enough to assuage customers’ concerns, as the stolen information can be used for a range of malicious activities, from phishing scams to identity theft.

The lawsuits filed against Dish Network accuse the company of failing to secure customer data and being negligent in protecting it. The plaintiffs are seeking damages and compensation for the potential harm that could result from the theft of their personal information. The lawsuits also allege that Dish Network did not inform customers about the attack promptly, which delayed their ability to take measures to protect themselves.

This incident serves as a reminder of the importance of cybersecurity for businesses of all sizes. Cyberattacks can cause significant harm to a company’s reputation, finances, and customers. It is crucial for companies to have robust security measures in place, regularly update their software, and educate employees about cyber threats. It is also important to have a plan in place to respond to a cyber incident, including notifying affected customers promptly and offering them appropriate support.

In the case of Dish Network, the full extent of the damage caused by the cyberattack remains unclear. However, the lawsuits against the company highlight the serious consequences that can result from a breach of personal data. It is up to companies to take responsibility for the security of their customers’ information and take all necessary measures to prevent cyberattacks from occurring in the first place.

Automated Bots Pose Growing Threat To Businesses

The capability to detect, manage, and mitigate bot-based requests has become of utmost importance as cyber attackers become more automated. Edgio, a company created by the merger of Limelight Networks, Yahoo Edgecast, and Layer0, has unveiled its own bot management service in response to this expanding threat. To compete with rival services from web application firewall (WAF) providers and Internet infrastructure providers, the service focuses on leveraging machine learning and the company's web security capacity to enable granular policy controls.

Bot management is not just about preventing automated attacks, but also identifying and monitoring good bots such as search bots and performance monitoring services. According to Richard Yew, senior director of product management for security at Edgio, “You definitely need the security solution but you also want visibility to be able to monitor good bot traffic.” In 2022, for example, the number of application and API attacks more than doubled, growing by 137%, according to Internet infrastructure firm Akamai. 

The impact of bots on businesses can be seen in areas such as inventory-hoarding attacks or ad fraud. As a result, bot management should involve all aspects of an organization – not just security. Sandy Carielli, principal analyst at Forrester Research noted that “bot management is not just about security being the decision-makers. If you're dealing with a lot of inventory-hoarding attacks, your e-commerce team is going to want to say in. If you're dealing with a lot of ad fraud, your marketing team will want to be in the room.”

Bot management systems typically identify the source of Web or API requests and then use policies to determine what to allow, what to deny, and which requests represent potentially interesting events or anomalies. Nowadays, 42% of all Internet traffic comes from automated systems — not humans — according to data from Imperva. To deal with this, Edgio inspects traffic at the edge of the network and only allows ‘clean’ traffic through its network. This helps stop attacks before they can impact other parts of the network. Content delivery networks (CDNs) such as Akamai, Cloudflare, and Fastly have also adopted bot management features.

Bot management is clearly becoming a more crucial issue for enterprises as automated attacks increase in frequency. Organizations require all-encompassing solutions to address this issue, involving teams from marketing, security, and e-commerce. Employing such technologies enables organizations to safeguard their resources from dangerous bot attacks while keeping track of reputable good bots. 


Small Businesses are Vulnerable to Cyberattacks

Small firms usually lack the cybersecurity measures that larger organizations have, making them appealing targets for fraudsters.
 
According to new Vodafone Business research, 54% of UK businesses have recently been the victim of a cyber-attack of some kind. In a previous study of a similar nature, Vodafone found that 39% of SMEs had seen some type of cyber-attack in 2020, showing a growing risk for SMEs at a time when more people work remotely and many enterprises rely on digital technology.

According to a study by Vodafone, 33% of SMEs reported an increase in the number of attempted cyberattacks on their company, while only 18% reported a decrease.

Another study concluded that hackers target high-value accounts for takeover and that CEO and CFO accounts are nearly twice as likely to be compromised as average employee accounts. Once in possession, fraudsters utilize these high-value accounts to acquire information or carry out operations against a company.

Cyberattacks on Small Businesses

Due to a wide range of factors, as listed below, small business owners might not believe it is necessary to devote the time or resources to developing a cybersecurity plan.
  • They doubt that they will have a data breach.
  • Less money is allocated to cybersecurity initiatives.
  • Unsupported and out-of-date systems.
  • Specialized software that is no longer supported on out-of-date hardware.
There are still concerns about whether enough SMEs are aware of the need to advance their digital literacy and how many are aware of the resources available to make their systems safer, more secure, and more robust. Too many SMEs continue to underestimate the threat.

Vodafone is urging the Government to do more to spread the word about current efforts to promote the development of local cybersecurity capabilities, in order to ensure that more businesses are protected from online attacks. The necessary funding should be made available to undertake a focused "Cyber Safe" awareness campaign for SMEs as part of this.


A Zero-Trust Future Encourages Next-Generation Firewalls

The future of Zero Trust security relies greatly on next-generation firewalls (NGFWs). NGFWs are classified by Gartner Research as "deep packet inspection firewalls that incorporate software inspection, intrusion prevention, and the injection of intelligence from outside the firewall in addition to protocol inspection and blocking." As per Gartner, an NGFW should not be mistaken for a standalone network intrusion prevention system (IPS) that combines a regular firewall and an uncoordinated IPS in the same device.

Significance of Next-Generation Firewalls

1. Substantial investment in ML and AI

As part of zero-trust security management goals, NGFW providers are boosting their investment in ML and AI to distinguish themselves from competitors and provide higher value. Development of analytical tools, user and device behavior analysis, and automated threat detection and response is focused on identifying possible security issues before they happen. NGFWs can continuously learn and react to the shifting threat landscape by utilizing AI and ML, resulting in a more effective Zero Trust approach to defending against cyberattacks.

2. Contribution of Zero Trust

By removing implicit trust and continually verifying each stage of a digital transaction, the Zero Trust approach to cybersecurity safeguards a business. Strong authentication techniques, network segmentation, limiting lateral movement, Layer 7 threat prevention, and simplified, granular least-access policies are all used to defend modern environments and facilitate digital transformation.

Traditional perimeter security grants implicit trust; combined with a lack of nuanced security measures, this means that once on the network, users, including threat actors and malicious insiders, are free to move laterally and access or exfiltrate sensitive data. A Zero Trust strategy is now more important than ever as digitalization accelerates in the form of a growing hybrid workforce, ongoing cloud migration, and the transformation of security operations.

3. Threat monitoring to enforce least privilege access

Patch management for NGFW device software demands less of IT teams because updates are distributed in milliseconds and are transparent to administrators.

NGFWs that integrate with Zero Trust environments offer automated firmware patch updates, IPS, application control, automated malware analysis, IPsec tunneling, TLS decryption, IoT security, and network traffic management (SD-WAN).

NGFWs in Microsoft Azure support Zero Trust

By enabling businesses to impose stringent access rules and segment their networks into distinct security zones, Microsoft Azure leverages next-generation firewalls (NGFWs) to deliver zero-trust security. This enhances the overall network security posture.

Azure Firewall can be set up to monitor traffic as well as regulate it, looking for risks and anomalies and taking appropriate action. To this end, malicious communications can be blocked, infected devices quarantined, and security staff alerted to potential dangers.


NGFW firms are investing more in AI and ML to further distinguish their solutions. Companies must continue to enhance API connections, particularly with IPS, SIEM systems, and Data Loss Prevention (DLP) solutions. They must also concentrate on how software-defined networking (SDN) might increase adaptability while supplying finer-grained control over network traffic. A well-implemented Zero Trust architecture not only produces improved overall security levels but also lower security complexity and operational overhead.

Malicious Actors Exploit Zero-Day RCE Bug in Sophos Firewall

 

Sophos, a security software and hardware vendor, published a patch update for its firewall product after it identified that hackers were exploiting a new critical zero-day vulnerability to target its users' networks.

The vulnerability, tracked as CVE-2022-3236, was spotted in the User Portal and Webadmin of Sophos Firewall; its exploitation can lead to remote code execution (RCE).

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed,” the company stated. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” 

The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default. 

The firm fixed the vulnerability in the hotfixes for Firewall v19.0 MR1 (19.0.1) and older, and also offered a workaround: customers are advised not to expose the User Portal and Webadmin to the WAN and to disable WAN access to them. The company also recommended employing VPN and/or Sophos Central (preferred) for remote access and management.

"Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management," the company added. 

Earlier this year in March, Sophos fixed an identical critical vulnerability, tracked as CVE-2022-1040, identified in the User Portal and Webadmin areas of Sophos Firewall. The vulnerability received a CVSS score of 9.8 and affected Firewall versions 18.5 MR3 (18.5.3) and older. The security bug was reported to the security firm by an anonymous threat analyst via its bug bounty program. 

A remote hacker with access to the Firewall’s User Portal or Webadmin interface can exploit the vulnerability to circumvent authentication and execute arbitrary code to target multiple organizations.

Volexity researchers investigated the security vulnerability and disclosed that a Chinese APT group they track as DriftingCloud had been exploiting CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a web shell backdoor and target the customer’s staff.

Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.

The victim, an unnamed organization, was hit by the Lorenz ransomware strain, according to a team at Arctic Wolf.

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for providing other hackers with access to its targets' internal systems, along with the material stolen prior to encryption, in order to pressure its victims into paying a ransom.

If ransoms are not paid, Lorenz leaks the stolen material as password-protected RAR archives and then divulges the password to open them, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz exploited a vulnerability in Mitel MiVoice Connect VoIP appliances (the Mitel flaw discussed below) to gain a reverse shell, and the group then used Chisel, a Golang-based fast TCP/UDP tunnel carried over HTTP, as a tunneling tool to move into the corporate environment. According to the tool's GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using "lesser recognized or monitored assets" to gain access to networks and engage in additional criminal behavior, the researchers added.

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this critical zero-day flaw and recommended that all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then moved into the network using the open-source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.

Threat actors have also exploited other security holes in Mitel devices to launch record-breaking DDoS amplification attacks. Since at least December 2020, the Lorenz ransomware group has been targeting enterprises all across the world, extorting hundreds of thousands of dollars from each victim.

WatchGuard Firewall Exploit Threatens Appliance Takeover

 

WatchGuard has fixed multiple vulnerabilities in two major firewall brands, ranging in severity from medium to critical. Two of the flaws, when combined, permitted Ambionics security engineer Charles Fol to gain pre-authentication remote root on any WatchGuard Firebox or XTM appliance. 

Both the Firebox and XTM product lines were implicated in a number of hacking attacks earlier this year, with Russian state-sponsored threat actor Sandworm exploiting a privilege escalation vulnerability to build the Cyclops Blink botnet, which was shut down in April. 

WatchGuard released three firmware updates over a four-month period, patching a number of critical vulnerabilities.

Complete access as root

Fol told The Daily Swig, “By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root. This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera. The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Fol believes that as a result of the numerous security alerts generated during his research, including those relating to Cyclops Blink, fewer WatchGuard users now have their administration interface exposed on the internet.

"The first vulnerability, Xpath, is accessible through the standard, client interface, and as such is much more likely to be exposed; a quick shodan search revealed around 350,000 instances," he said.

He recommends that users remove their administration interface from the internet and keep their systems up to date. Fol said he reported the flaws at the end of March and received a prompt response; a month later, WatchGuard's security team confirmed that a patch would be available on June 21.

Python Libraries Hacked AWS Data and Keys  

Sonatype researchers have found malicious Python packages that post your AWS credentials and user data to a publicly accessible endpoint rather than simply exfiltrating them. The malicious packages identified by Sonatype are:
  • loglib-modules: appears to target developers familiar with the legitimate "loglib" library.
  • pyg-modules: appears to target developers familiar with the legitimate "pyg" library.
  • pygrata: unknown target; pygrata-utils contains the same malicious code found in "loglib-modules".
  • hkg-sol-utils: unknown target.

The detection technology Sonatype provides as part of its Nexus platform products, such as Nexus Firewall, found these packages. After further analysis the researchers found them to be harmful and, out of precaution, reported them to the PyPI security team, which withdrew the packages. "This kind of package either has code that reads and phishes your secrets or employs a dependency that does it", according to an analysis by Sonatype security researchers Jorge Cardona and Carlos Fernández.

For instance, the malicious code in the "loglib-modules" and "pygrata-utils" packages gathers AWS credentials, network interface data, and environment variables and ships them to a remote endpoint. IAM role details for an EC2 instance are reportedly retrieved from the instance metadata URL 'hxxp:/169.254.169[.]254/latest/meta-data/iam/security-credentials/'.

Unsettlingly, hundreds of endpoints were found holding this data. Since the TXT files were not protected by any security measures, anyone on the internet could essentially read these credentials. It's worth noting that packages like "pygrata" depend on one of the two aforementioned modules rather than containing the code themselves. It is still unknown who the malicious actors are and what motivates them.

Users of Nexus Firewall are shielded 

Were the stolen credentials posted online on purpose, or as a result of poor opsec? According to the researchers, there isn't enough information available right now to rule out that this activity is malicious, even if it could be legitimate security testing. This finding comes after last week's report of several malicious packages, including the npm package "flame-vali," which repeatedly tried to disable Windows Defender before dropping a trojan.

Nexus Firewall instances safeguard the software supply chain from the start by immediately quarantining any suspect components flagged by automated malware detection while a manual review by a researcher is pending.

Chinese Attackers Abused Sophos Firewall Zero-Day Bug to Target South Asian Organizations

Chinese hackers exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate multiple organizations in the South Asia region. 

The security bug has since been patched, but multiple attackers continued to exploit it to bypass authentication and run arbitrary code remotely against several organizations.

On March 25, Sophos issued a security patch for CVE-2022-1040, an authentication bypass flaw that affects the User Portal and Webadmin of Sophos Firewall and could be weaponized to execute arbitrary code remotely.

Earlier this week, Volexity researchers detailed an attack by a Chinese APT group they track as DriftingCloud, which had exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The attackers used the zero-day exploit to drop a webshell backdoor and target the customer's staff.

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads a blog post published by Volexity researchers. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.” 

The adversary used the zero-day exploit to compromise the firewall and install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall. Volexity spotted the breach while investigating suspicious traffic from the Sophos Firewall to key systems in its customer's networks. Examination of the logs revealed significant and repeated suspicious access to a valid JSP file (login.jsp).

Further investigation revealed that the attackers were using the Behinder framework, which other Chinese APT groups have employed in attacks abusing the recently disclosed CVE-2022-26134 vulnerability in Confluence servers.

The exploitation of the Sophos Firewall was the first stage of the attack chain; the APT group later launched man-in-the-middle (MitM) attacks to steal data and use it to exploit additional systems outside the network where the firewall resided. Once they had secured access to the target web servers, the attackers installed multiple open-source malware families, including PupyRAT, Pantegana, and Sliver.

Zyxel: Firewalls, Access Points, and Controllers are Vulnerable

Zyxel has issued a cybersecurity advisory alerting administrators about various vulnerabilities impacting a variety of firewall, access point, and access point controller products. 

While the flaws have not been assigned a high severity rating, the potential damage they can cause should be taken seriously, as they could be exploited by attackers as part of exploit chains. Moreover, Zyxel products are used by large enterprises, and any exploitable flaws in them attract threat actors right away.

The most serious of the four flaws is a command injection problem in various CLI commands, tracked as CVE-2022-26532 (CVSS v3.1 7.8):

  • CVE-2022-0734: A cross-site scripting vulnerability in the CGI could allow a malicious script to access information stored in the user's browser, such as cookies.
  • CVE-2022-26531: Several improper input validation flaws in various CLI commands of some firewall, AP controller, and AP versions could allow a locally authenticated attacker to cause a system crash.
  • CVE-2022-26532: A command injection vulnerability in the "packet-trace" CLI command of some firewall, AP controller, and AP versions could allow a locally authenticated attacker to execute arbitrary OS commands by passing crafted arguments to the command.
  • CVE-2022-0910: An attacker could use an IPsec VPN client to downgrade from two-factor authentication to one-factor authentication.

While Zyxel has released software updates for firewalls and access points, the only way to get a hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 is to contact the local Zyxel support teams. 

The news comes as a critical command injection hole in select Zyxel firewalls (CVE-2022-30525, CVSS score: 9.8) has been actively exploited, prompting the US Cybersecurity and Infrastructure Security Agency to add the vulnerability to its Known Exploited Vulnerabilities catalog.

Several Palo Alto Devices Affected by OpenSSL Flaw

Palo Alto Networks plans to patch the CVE-2022-0778 OpenSSL flaw in several of its firewall, VPN, and XDR products in April 2022.

OpenSSL published fixes in mid-March for a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2022-0778, in the BN_mod_sqrt() function used in certificate parsing. Tavis Ormandy, a well-known Google Project Zero researcher, uncovered the issue. An attacker can trigger the flaw by crafting a certificate with invalid explicit curve parameters.

The advisory for this flaw read, “The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” 

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.” 

The bug affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and the project's maintainers fixed it with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. According to Palo Alto Networks, an attacker can cause the OpenSSL library to enter an infinite loop when parsing a malformed certificate, resulting in a DoS condition.

“All PAN-OS software updates for this issue are expected to be released in April 2022. The full fixed versions for PAN-OS hotfixes will be updated in this advisory as soon as they are available.” as per Palo Alto Network. 

The company is expected to provide security fixes for the vulnerability during the week of April 18. According to Palo Alto, PAN-OS, the GlobalProtect app, and the Cortex XDR agent software contain a vulnerable version of the OpenSSL library, whereas Prisma Cloud and Cortex XSOAR are unaffected.

“We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available during the week of April 18, 2022.” continues the advisory. 

While waiting for the PAN-OS security updates, customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to reduce the risk of exploitation, according to the company.
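To show why an unbounded loop in a modular square root hangs on a non-prime modulus, here is an added Python Tonelli-Shanks implementation in the style of BN_mod_sqrt(); it is example code, not OpenSSL's or Palo Alto's. With bounded=False the search for m can spin indefinitely on a composite modulus, and with bounded=True it is capped at r squarings the way the fix caps it; the composite modulus 15, the 82-try cap on the non-residue search and the max_steps safety valve are assumptions of this example.

```python
# Added example: Tonelli-Shanks modular square root, illustrating why an
# unbounded inner loop (the CVE-2022-0778 pattern) never terminates for a
# non-prime modulus and how bounding it by r fixes that. Not OpenSSL code;
# the 82-try non-residue cap and the max_steps safety valve are assumptions.

class NotASquare(ValueError):
    """No square root exists, or the modulus is not prime."""


MAX_NONRESIDUE_TRIES = 82  # assumed cap, mirroring the small bound OpenSSL uses


def mod_sqrt(a, p, bounded=True, max_steps=10_000):
    """Return x with x*x == a (mod p) for an odd modulus p.

    bounded=True  caps the search for m at r squarings (the patched behaviour).
    bounded=False mimics the pre-fix loop; max_steps is a safety valve so this
    demonstration returns None instead of actually hanging the interpreter.
    """
    a %= p
    if a == 0:
        return 0
    # write p - 1 = q * 2**e with q odd
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1
    # find a quadratic non-residue z via Euler's criterion; for a composite
    # modulus no z may satisfy it, so the search is capped
    z, tries = 2, 0
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        tries += 1
        if tries > MAX_NONRESIDUE_TRIES:
            raise NotASquare("no non-residue found; modulus is probably not prime")
    x = pow(a, (q + 1) // 2, p)   # candidate root
    b = pow(a, q, p)              # "error" term, equals 1 once x is correct
    g = pow(z, q, p)              # generator of the 2-power subgroup
    r = e
    steps = 0
    while b != 1:
        # find the least m with b**(2**m) == 1 (mod p); for prime p and a
        # square a some m < r always exists, so the loop is safe to bound
        m, t = 0, b
        while t != 1:
            t = t * t % p
            m += 1
            steps += 1
            if bounded and m >= r:
                raise NotASquare("no m < r: a is not a square or p is not prime")
            if steps >= max_steps:
                return None   # the unbounded loop would spin forever here
        gs = g
        for _ in range(max(r - m - 1, 0)):   # gs = g**(2**(r-m-1))
            gs = gs * gs % p
        g = gs * gs % p
        x = x * gs % p
        b = b * g % p
        r = m
    if x * x % p != a:
        raise NotASquare("verification failed")
    return x


def demo():
    """Prime modulus succeeds; composite modulus 15 hangs unbounded, errors bounded."""
    ok = mod_sqrt(10, 13)                  # 7, since 7*7 = 49 = 10 (mod 13)
    hung = mod_sqrt(3, 15, bounded=False)  # None: the pre-fix loop never exits
    try:
        mod_sqrt(3, 15)
        caught = False
    except NotASquare:
        caught = True                      # the bounded loop reports an error
    return ok, hung, caught


if __name__ == "__main__":
    print(demo())
```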

PCI DSS Launches New Version to Tackle Cyber Security Threats

A new version of the PCI Data Security Standard (PCI DSS) has been published today by the PCI Security Standards Council (PCI SSC), the global payment security forum. Version 4.0 provides a baseline of technical and operational requirements designed to improve payment security, replacing version 3.2.1 to help combat emerging threats and technologies. The updates are also designed to enable innovative methods of addressing these new threats.

PCI SSC says these changes were motivated by feedback from the global payments industry over the past three years, including more than 6,000 items from over 200 organizations. The latest changes in PCI DSS v4.0 include:
  • Expansion of Requirement 8 to apply multi-factor authentication (MFA) to all access into the cardholder data environment.
  • Updated firewall terminology to "network security controls", supporting a wider range of technologies used to meet the security objectives previously fulfilled by firewalls.
  • Improved flexibility for enterprises to show how they use different techniques to meet security objectives.
  • Targeted threat analysis that enables organizations to decide how frequently they perform certain activities, based on their own risk exposure and needs.

The current version, v3.2.1, will remain active for two years, until March 31, 2024, to give organizations time to become familiar with v4.0 and implement the updates. PCI SSC has also released supporting documents alongside the updated standard in the PCI SSC Document Library.

These include the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, ROC FAQs, and ROC Attestations of Compliance (AOC). Self-Assessment Questionnaires (SAQs) will be published later. “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard,” said Lance Johnson, executive director of PCI SSC.

This Linux Flaw in Netfilter Firewall Module Enables Attackers to Gain Root Access

A local adversary could use a newly reported security vulnerability in the Linux kernel to acquire higher privileges on affected systems and execute arbitrary code, escape containers, or cause a kernel panic.

Nick Gregory, a senior threat researcher at Sophos, uncovered the flaw. The vulnerability, tracked as CVE-2022-25636 (CVSS score: 7.8), affects Linux kernel versions 5.4 through 5.6.10 and is caused by a heap out-of-bounds write in the kernel's netfilter subcomponent.

"This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat stated in an advisory published on February 22, 2022. Similar warnings have been released by Debian, Oracle Linux, SUSE, and Ubuntu. 

Netfilter is a Linux kernel framework that provides packet filtering, network address translation, and port translation, among other networking-related functions. CVE-2022-25636 is a vulnerability in the framework's handling of the hardware offload feature, which could be exploited by a local attacker to cause a denial of service (DoS) or execute arbitrary code.

Gregory said, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails. Additionally, while nftables requires CAP_NET_ADMIN, we can unshare into a new network namespace to get this as a (normally) unprivileged user." 

"This can be turned into kernel [return-oriented programming]/local privilege escalation without too much difficulty, as one of the values that are written out of bounds is conveniently a pointer to a net_device structure," Gregory added.

SonicWall's Email Security and Firewall Products Were Hit by the Y2K22 Bug

SonicWall acknowledged on January 7th that the Y2K22 bug had affected some of its Email Security and firewall products, causing message log update and junk box failures beginning January 1st, 2022. According to the company, email users and administrators on affected systems would no longer be able to access the junk box or un-junk newly received emails. They would also be unable to trace incoming or outgoing emails using the message logs, because the logs were no longer being updated.

SonicWall, a private firm based in Silicon Valley that was a Dell subsidiary from 2012 to 2016, produces a variety of Internet equipment aimed largely at content restriction and network security. These include network firewalls, unified threat management (UTM), virtual private networks (VPNs), and email anti-spam devices. 

SonicWall issued updates to North American and European instances of Hosted Email Security, the company's cloud email security service, on January 2nd. It also issued updates for its on-premises Email Security Appliance (ES 10.0.15) for customers that use firewalls with the Anti-Spam Junk Store feature enabled (Junk Store 7.6.9). 

The server administration community has dubbed this bug "Y2K22" because of its resemblance to the infamous Y2K bug, a date-related bug that was feared to cause numerous computer systems, and possibly the whole world economy, to crash at the turn of the century. FIP-FS is a malware-scanning engine built into Microsoft Exchange 2016 and 2019 servers. This engine uses a signature file whose version number stores the date as a signed 32-bit integer. The largest value that can be stored in a signed 32-bit integer is 2147483647.

Everything worked for dates in 2021 because the version was stamped as 211231XXXX (for 31st December). However, at the start of the next year, January 1st, 2022, it became 2201010001, which is greater than the maximum value a signed 32-bit integer can hold. As a result, date/time validation in the server software failed, causing emails to stop being delivered and pile up on servers.

Although SonicWall has not explained what is causing the Y2K22 bug in its devices, it is not the only company affected by this problem. Honda and Acura owners began reporting on January 1st that their in-car navigation systems' clocks were automatically set back 20 years, to January 1st, 2002. According to reports, the Y2K22 bug affects nearly all older vehicle models, including the Honda Pilot, Odyssey, CR-V, and Ridgeline, and the Acura MDX, RDX, CSX, and TL.

Cisco Vulnerability Damages the Firewall

Positive Technologies threat experts have warned that a defect identified this week in Cisco's Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) firewalls could potentially lead to denial-of-service (DoS) attacks.

As per Positive Technologies expert Nikita Abramov, the high-severity bug (CVE-2021-34704) does not require elevated privileges or special access to exploit. An attacker only needs to craft a request in which one of the parts is larger than the device expects.

According to Cisco, the flaw is the result of improper input validation when parsing HTTPS requests. If exploited, the problem could allow an attacker to force the device to reload, resulting in a DoS condition, the vendor said.

This could have a significant effect on a business, noted Abramov. “If attackers disrupt the operation of Cisco ASA and Cisco FTD, a company will be left without a firewall and remote access,” he wrote in a research note.

“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from outside will be restricted. At the same time, firewall failure will reduce the protection of the company.” 

Cisco has already fixed the flaw in the most recent versions of its ASA and FTD firmware. 

Positive Technologies also advises concerned customers to use security information and event management (SIEM) solutions to detect and prevent breaches.

In August, the vendor addressed a bug in its Firepower Device Manager (FDM) On-Box software that allowed the researchers to take complete control of the company's Firepower next-generation firewalls.

The vulnerability, identified by Abramov and fellow researcher Mikhail Klyuchnikov, received a score of 6.3 on the standard vulnerability scoring system.

The vulnerability stemmed from a flaw in Cisco's FDM On-Box representational state transfer (REST) API, allowing intruders to execute arbitrary code on a compromised device's operating system.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” Abramov wrote. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

Hackers Exploit Windows BITS Feature To Launch Malware Attack

Microsoft introduced BITS (Background Intelligent Transfer Service) in Windows XP to coordinate and simplify uploading and downloading large files. System and application components, notably Windows Update, use BITS to deliver OS and application updates with minimal user disruption. Applications interact with BITS by creating jobs containing one or more files to download or upload. BITS runs as a service and can perform transfers at any time. A local database stores file, state and job information.

How do hackers exploit BITS?

Like every other technology, BITS is used by applications and abused by attackers. When malicious apps create BITS jobs, the files are uploaded and downloaded in the context of the service host process. This helps attackers evade firewalls that might block suspicious or unusual activity, since it hides the application that requested the transfer. In addition, BITS transfers can be scheduled to run later, at given times, which saves the attacker from relying on the task scheduler or long-running processes.

BITS transfers are asynchronous, so the application that created a job may no longer be running when the requested transfers complete. To address this, BITS jobs can be created with a user-specified notification command, which runs after a job completes or on error. The BITS job linked with this notification command may launch any command or executable. Attackers have abused this feature as a technique for persistently launching malicious applications.

For BITS jobs, the command data is stored in a database rather than in the traditional registry locations, which helps attackers because tools that look for persistent executables or commands in the usual places may overlook it. BITS jobs can be created using the bitsadmin command-line tool or via API functions. Cybersecurity firm FireEye reports, "the Background Intelligent Transfer Service continues to provide utility to applications and attackers alike. The BITS QMGR database can present a useful source of data in an investigation or hunting operation. BitsParser may be utilized with other forensic tools to develop a detailed view of attacker activity."