Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Fortinet. Show all posts
ThirdEye infostealer
FortiGuard FortiGuard Lab Fortinet Infostealer malware Open System information ThirdEye ThirdEye infostealer

ThirdEye: New Infostealer is Targeting Open System Information


FortiGuard Labs recently noted some suspicious-looking files during their cursory review. An investigation of the issue revealed the files were in fact malicious. This infostealer has been labeled as the “ThirdEye”.

While not particularly sophisticated, this malware is made to take different pieces of data from infected devices that can be used as a foundation for more attacks.

The ThirdEye 

The investigation on the infostealer began when the FortiGuard Lab researchers noticed an archive file named “Табель учета рабочего времени.zip” (English trans. “time sheet”). The zip file included two files immediately identified as “up to no good.”

Both files contain a double extension (.exe followed by a different document-related extension). One of the files is "CMK равила oормлени олнин листов.pdf.exe," which is an executable rather than a document and is labeled "QMS Rules for issuing sick leave" in English. f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494 is the file's SHA2 hash value.

The ThirdEye info stealer has comparatively simpler functionality. It contains a variety of system information based on compromised machines, like BIOS and hardware data. Additionally, it lists ongoing processes, folders and files, and network data. All of this information is gathered by the malware once it has been run, and it then sends it to its command-and-control (C2) server, which is located at (hxxp://shlalala[.]ru/general/ch3ckState). As compared to other infostealers, this one does nothing else.

An interesting string sequence unique to the ThirdEye infostealer family is the “3rd_eye”, which it decrypts and combines with another hash value to identify itself to the C2.

The second file in the archive is the “Табель учета рабочего времени.xls.exe”, which has the same name as its parent file. This file is a variant of the ThirdEye infostealer, created to achieve the same functions as f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

While there is no substantial evidence that could confirm that the ThirdEye infostealer was used in attacks, the malware however is created to steal valuable information from compromised machines, in order to have a better understanding of potential targets, and narrowing them down further. Moreover, there are speculations that the info stealer’s victims will be subject to future cyberattacks.

Since ThirdEye is not yet under the ‘severe’ radar, the FortiGuard investigation found that the threat actors involved have put efforts into strengthening the infostealer, such as recent samples collecting more system information compared to older variants, and it is anticipated to improve further.

Read more »
Training program
Cyber defense Cyber Security Cybersecurity awareness cybersecurity solutions FortiGuard Fortinet Training program

Cybersecurity Defense: Employee Cybersecurity Awareness Now a Priority


Fortinet’s FortiGuard Labs, in their recent reports, discovered that ransomware threats are still at the top of the list in terms of cyber threat, with the cases only growing on a global level. Likewise, Fortinet discovered that in 2022, 84% of firms faced one or more breaches.

The research by Fortinet reveals that more than 90% of the cybersecurity experts agree that the surging frequency of cyberattacks can be reduced if organizations focus on increasing their employees’ cybersecurity awareness.

The report emphasizes the critical role of employees in serving as an organization's first line of defense in defending their firm from cybercrime as it becomes more common for businesses to confront cyber threat incidents.

Lack of Cybersecurity Awareness Among Employees

The report further revealed that among all the organizations surveyed, 81% of them confirmed to have experienced at least one cyber incident, be it malware, phishing or password breach over the course of last year. Most of the attacks were primarily targeted at organization’s employees, who apparently has access to the firm’s systems. This emphasizes how a company's employees could either be its weakest link or one of its strongest defenses.

Nearly 85% of the organization leaders claims that their organization has adequate security awareness and training program provided to its employees. However, 50% believed that their employees, regardless of the training programs still lack a proper cybersecurity knowledge.

This variation shows that the existing training programs may not be as successful as they could be, leading to inconsistent use of appropriate cyber hygiene measures by staff, or that instruction may not be effectively reinforced.

Board of Directors Prioritizing Cybersecurity 

Given the fact that many of these cyber-attacks are targeted to users, it is likely that boards already recognize—or will do so soon—that employee cybersecurity awareness is an essential component of the "defense equation". 93% of businesses said their board of directors often questions them about their cyber security and strategy.

John Maddison, EVP of Products and CMO at Fortinet says, “Our 2023 Security Awareness and Training Global Research Brief underscores the crucial role employees play in preventing cyberattacks. It also highlights the critical need for organizations to prioritize security awareness and training services to ensure employees serve as the first line of defense.”

One of the best solutions to avoid cybersecurity incidents an organization can adopt is by conducting better training program, setting the groundwork for a culture of cybersecurity that is ready and strong. This way, employees would attain a better cyber-risk awareness and further encourage them to defend their organization whenever the situation calls.

Organizations are aware that they require sophisticated cybersecurity solutions and that technological certifications help their IT employees' cybersecurity skills. Employee awareness may not have gotten the full attention it deserves up to this point, but it may become crucial in the years to come in the fight against cybercrime.  

Read more »
Zero-Day Attack
BoldMove Backdoor Chinese Actors Fortinet Fortinet FortiOS FortiOS Google Hackers Linux Mandiant Threat Intelligence Vulnerabilities and Exploits zero-day Zero-Day Attack

Hackers Designs Malware for Recently Patched Fortinet Zero-Day Vulnerability


Researchers who recently disclosed and patched the zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a new backdoor, specifically created in order to run on Fortinet’s FortiGate firewalls. 

Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa. 

According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government. 

It is the most recent instance of attackers from the country attacking firewalls, IPS, IDS, and other technologies used by businesses to secure their networks that are internet-facing. 

BoldMove Backdoor 

The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls. 

The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests. 

Earlier this month, Fortinet revealed that the unidentified hacking groups had taken advantage of the flaw to attack governments and other major institutions with a generic Linux implant capable of delivering additional payloads and carrying out remote server commands. 

Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added. 

The BoldMove Backdoor malware, written in C, is apparently available in both Windows and Linux versions, with the latter being able to read data from a Fortinet-exclusive file format. 

Moreover, according to Fortinet’s report, an extended Linux sample comes with a feature that allows attackers to disable and manipulate logging features in order to evade detection. Despite the fact that no copies of the backdoor have been found in the wild, metadata analysis of the Windows variations reveals that they were created as early as 2021. 

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted. 

Schooled in FortiOS 

Meanwhile, Fortinet itself described the malware as a variant of “generic” Linux backdoor designed by threat actors for FortiOS. According to the company's analysis, affected systems may have had the malicious file disguising itself as a part of Fortinet's IPS engine. 

According to Fortinet, one of the malware's more advanced features included manipulating FortiOS log-in to avoid detection. The malware can search FortiOS for event logs, decompress them in memory, and search for and delete a specific string that allows it to reconstruct the logs. The malware can also completely disable logging processes. 

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet. 

Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of the FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.  

Read more »
VPN
Fortinet malware phishing kit Ransomware VPN

Warning: Ransomware Attacks Spreading via Fortinet Kit

 

The eSentire’s Threat Research Unit (TRU) confirmed in its recent research that the threat actors are exploiting Fortinet Virtual Private Network (VPN) devices that remain vulnerable to critical authentication bypass vulnerability.  The VPNs were being controlled by third-party providers; thus, the company had no direct visibility into the devices. 

Fortinet is a security ecosystem, which provides a variety of different products including next-generation firewalls, antivirus, VPNs, and endpoint solutions, among other offerings. 

On October 10, 2022, Fortinet issued a public statement in which it disclosed the critical vulnerability (CVE-2022-40684) in the system impacting several of their products including FortiOS, FortiProxy, and FortiSwitchManager. 

If the vulnerability is successfully exploited, the hacker could gain access to the Fortinet device. Specifically, devices are often integrated with organization-wide authentication protocols such as Lightweight Directory Access Protocol (LDAP) and Active Directory (AD). 

The TRU further said that its team detected and shut down two attacks on its customers – one was a Canadian-based college and the other, was a global investment firm. 

Additionally, once the threat actors had gained access to the target network, they exploited Microsoft’s Remote Desktop Protocol (RDP) to successfully get lateral movement and legitimate encryption utilities BestCrypt and BitLocker. 

Keegan Keplinger, research and reporting lead for the eSentire TRU, said “SSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organization…” 

“Additionally, the tendency for these devices to be managed by a third party often means that the organization and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for initial access brokers [IABs].” 

Furthermore, Keplinger said the TRU’s research had shown that threat actors are always ready when it comes to exploiting vulnerabilities in well-used products. The attack is giving high singles to big tech companies if their technology is bing exploited in such a way.
Read more »
Windows Users
Antivirus System Data Breach Encrypted Files Fortinet Illegal Software Ransomware Attacks. Secret Keys Windows Windows Users

Using Blatant Code, a New Nokoyawa Variant Sneaks up on Peers

 

Nokoyawa is a new malware for Windows that first appeared early this year. The first samples gathered by FortiGuard researchers were constructed in February 2022 and contain significant coding similarities with Karma ransomware that can be traced back to Nemty via a long series of variants. 

NOKOYAWA is a ransomware-type piece of malware that the research team discovered and sampled from VirusTotal. It's made to encrypt data and then demands payment to decode it. 

FortiGuard Labs has seen versions constructed to run only on 64-bit Windows, unlike its precursor Karma, which runs on both 32-bit and 64-bit Windows. For customized executions, Nokoyawa provides many command-line options: help, network, document, and Encrypt a single file using the path and dir dirPath. 

Nokoyawa encrypts all local disks and volumes by default if no argument is provided. The "-help" argument is intriguing because it shows that the ransomware creators and the operators who deploy and execute the malware on affected PCs are two independent teams. Nokoyawa encrypts files that do not end in.exe,.dll, or.lnk extensions using multiple threads for speed and efficiency. Furthermore, by verifying the hash of its names with a list of hardcoded hashes, some folders, and their subdirectories are prohibited from encryption.

Nokoyawa produces a fresh ephemeral keypair (victim file keys) for each file before encrypting it. A 64-byte shared secret is produced with Elliptic-Curve Diffie-Hellmann using the victim file's private key and the threat actors' "master" public key (ECDH). For encrypting the contents of each file, the first 32 bytes of this secret key are used as a Salsa20 key, together with the hardcoded nonce 'lvcelvce.' 

RURansom, A1tft, Kashima, and pEaKyBlNdEr are just a few of the ransomware programs that have been looked into. The encryption algorithms they utilize (symmetric or asymmetric) and the ransom size are two key variations between malicious applications of this type. The magnitude of the requested sum can vary dramatically depending on the intended victim. 

How does ransomware get into my system? 

The majority of the additional code was taken exactly from publicly available sources, including the source of the now-defunct Babuk ransomware leaked in September 2021, according to FortiGuard Labs experts. 

Malware including ransomware is spread using phishing and social engineering techniques. Malicious software is frequently disguised as or integrated with legitimate files. 

The email addresses were eliminated and were replaced with directions to contact the ransomware authors using a TOR browser and a.onion URL. When you're at the Onion URL, you'll be taken to a page with an online chatbox where you can chat with the operators, negotiate and pay the ransom. 

Researchers from FortiGuard Labs detected a dialogue between a potential victim and the ransomware operator. The threat actors offer free decryption of up to three files based on this chat history to demonstrate that they can decrypt the victim's files.

The ransom amount, in this case, a whopping 1,500,000 (likely in USD), is displayed on the "Instructions" page and can be paid in either BTC (Bitcoin) or XMR(Monero). The operators claim to deliver the tool to decrypt the victim's files after payment.

Given the rising professionalism of certain ransomware efforts, this TOR website could be an attempt to better "branding" or a technique to delegate ransom discussions to a separate team. Surprisingly, the ransom note contains the following content. "Contact us to strike a deal or we'll publish your black s**t to the media," the message says, implying that the victim's data was stolen during the infection.

Drive-by (stealthy and deceptive) downloads, spam email (malicious files attached to or compromised websites linked in emails/messages), untrustworthy download channels (e.g., peer-to-peer sharing networks, unofficial and freeware sites, etc.), illegal software activation ("cracking") tools, online scams, and fake updates are among the most common distribution methods. 

How can we defend from ransomware?

It is strongly advised you only use legitimate and trusted download sources. Furthermore, all apps must be activated and updated through tools given by genuine providers, as third-party tools may infect the system. 

Experts also recommend against opening attachments or links received in questionable emails or messages, as they may contain malware. It is critical to install and maintain a reliable anti-virus program. 

Regular system scans and threats/issues must be removed using security software. If the machine has already been infected with NOKOYAWA, we recommend using Combo Cleaner Antivirus for Windows to automatically remove it.
Read more »
Ransomware Attacks.
APT actors Cyber Attacks DLL Fortinet Iranian hackers Log4Shell Microsoft Exchange Server Ransomware Attacks.

Iranian Hackers Launch Cyberattack Against US and the UK 

 

Secureworks, a cybersecurity firm, has detected a new attack attributed to the Iranian hacker organization known as APT34 or Oilrig, which utilized custom-crafted tools to target a Jordanian diplomat. APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453 are advanced persistent threat (APT) actors known for targeting activists, government organizations, journalists, and other entities. 

A ransomware gang with an Iranian operational connection has been linked to a succession of file-encrypting malware operations targeting institutions in Israel, the United States, Europe, and Australia.

"Elements of Cobalt Mirage activities have been reported as Phosphorus and TunnelVision," Secureworks, which tracks the cyberespionage group, said today. "The group appears to have switched to financially motivated attacks, including the deployment of ransomware." 

The threat actor used recently obtained access to breach the network of a nonprofit organization in the United States in January 2022, where they built a web shell which was then used to drop further files, according to the researchers. 

The threat actor has seemingly carried out two types of intrusions, one of which involves opportunistic ransomware assaults using genuine tools like BitLocker and DiskCryptor for financial benefit. The second round of attacks is more focused, with the primary purpose of securing access and acquiring intelligence, with some ransomware thrown in for good measure.

Initial access routes are enabled by scanning internet-facing servers for web shells and exploiting them as a route to move laterally and activate the ransomware, which is vulnerable to widely reported holes in Fortinet appliances and Microsoft Exchange Servers. 

The spear-phishing email, which Fortinet discovered, was sent to a Jordanian diplomat and pretended to be from a government colleague, with the email address faked accordingly. The email included a malicious Excel attachment with VBA macro code that creates three files: a malicious binary, a configuration file, and a verified and clean DLL. The macro also adds a scheduled job that runs every four hours to provide the malicious application (update.exe) persistence. 

Another unique discovery concerns two anti-analysis methods used in the macro: the manipulating of sheet visibility in the spreadsheet and a check for the presence of a mouse, both of which may not be available on malware analysis sandbox services.

Secureworks detailed a January 2022 attack on an undisclosed US charity organization but said the exact means by which full volume encryption capability is triggered is unknown. In mid-March 2022, another attack aimed at a US local government network is thought to have used Log4Shell holes in the target's VMware Horizon architecture to perform reconnaissance and network scanning tasks. 

While the group has managed to breach a huge number of targets around the world, the security researchers believe that "their capacity to leverage on that access for financial gain or information collection is limited." Secureworks determines that the group's use of publicly available tools for ransomware activities proves that it is still a threat.
Read more »
Telegram
Botnet C2C Crypto Wallet Fortinet Mallicious URLs malware Russian Hacker Telegram

Telegram Abused By Raccoon Stealer

 

As per a post released by Avast Threat Labs this week, Raccoon Stealer, which was first identified in April 2019, has added the capacity to keep and update its own genuine C2 addresses on Telegram's infrastructure. According to researchers, this provides them with a "convenient and trustworthy" command center on the network which they can alter on the fly. 

The malware, which is thought to have been built and maintained by Russian-linked cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can collect not just passwords but also cookies, saved logins and input data from browsers, login credentials from email services and messengers, crypto wallet files, data from browser plug-ins and extensions, and arbitrary files. 

As per the reports, Buer Loader and GCleaner were used to distribute Raccoon. Experts suspect it is also being distributed in the guise of false game cheats, patches for cracked software (including Fortnite, Valorant, and NBA2K22 hacks and mods), or other applications, based on some samples. 

Given since Raccoon Stealer is for sale, the only limit to its distribution methods is the imagination of the end-users. Some samples are spread unpacked, while others are protected by malware packers like Themida. It is worth mentioning whether certain samples were packed by the same packer five times in a row.

Within Telegram, the newest version of Raccoon Stealer talks with C2: According to the post, there are four "crucial" parameters for its C2 communication which are hardcoded in every Raccoon Stealer sample. Details are as follows:
  • MAIN KEY, which has changed four times throughout the year;
  • Telegram gate URLs with channel names; 
  • BotID, a hexadecimal string that is always sent to the C2; 
  • TELEGRAM KEY, a decryption key for the Telegram Gate C2 address. 

The malware decrypts MAIN KEY, which it uses to decrypt Telegram gates URLs and BotID, before hijacking Telegram for its C2. According to Martyanov, the stealer then utilizes the Telegram gate to connect to its real C2 via a series of inquiries to eventually allow it to save and change actual C2 addresses utilizing the Telegram infrastructure. 

The stealer can also transmit malware by downloading and executing arbitrary files in response to an instruction from C2. Raccoon Stealer spread roughly 185 files totaling 265 megabytes, including downloaders, clipboard crypto stealers, and the WhiteBlackCrypt ransomware, according to Avast Threat Labs.
Read more »
Vulnerabilities and Exploits
Fortinet Iranian hackers Microsoft Exchange United States Vulnerabilities and Exploits

Iranian Hackers are Exploiting Microsoft and Fortinet Flaws

 

Australia, the United Kingdom, and the United States issued a combined advisory on Wednesday of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored hackers. CVE-2021-34473, 2020-12812, 2019-5591, and 2018-13379 are the four vulnerabilities they urged administrators to fix right away.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," a joint release stated. "Australian Cyber Security Centre (ACSC) is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia."

Rather than targeting a specific industry, the authorities said that the attackers merely focused on exploiting vulnerabilities wherever they could and then attempting to convert that initial access into data exfiltration, a ransomware assault, or extortion. 

To maintain access, the attackers would use the Fortinet and Exchange vulnerabilities to add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems that looked like existing accounts. The next step was to enable BitLocker, post a ransom note, and download the files through FTP. 

In May 2021, CISA and FBI noticed the adversary misusing a Fortigate appliance to acquire a foothold on a web server holding the domain for a US municipal government, in addition to exploiting the ProxyShell vulnerability to obtain access to vulnerable networks. The APT attackers "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," according to the advisory. 

This is the second time the US government has issued a warning on advanced persistent threat groups targeting Fortinet FortiOS servers by exploiting CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to attack government and commercial systems. 

The FBI and CISA released warnings in April that Fortinet gear vulnerabilities were being regularly exploited, and in July, the complete quartet of authorities listed Fortinet among the top 30 exploited vulnerabilities. Separately, Microsoft issued a warning on Wednesday about six Iranian groups that were utilizing vulnerabilities in the same set of products to spread ransomware.

Organizations should immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released as mitigations, according to the agencies.
Read more »
US Government
APT CISA & FBI Cyber Security DDOS Attacks Fortinet US Government

FBI says Attackers Breached US Local Govt After Hacking a Fortinet Appliance

 

After issuing a cybersecurity advisory warning that APT hacker groups are purposefully targeting vulnerabilities in Fortinet FortiOS, the FBI now warned that after hacking a Fortinet appliance, state-sponsored attackers compromised the webpage of a US local government. 

Fortinet is a multinational security company based in Sunnyvale, California. It creates and sells cybersecurity solutions, which include hardware like firewalls as well as software and services like anti-virus protection, intrusion prevention systems, and endpoint security components.

"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web-server hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a TLP:WHITE flash alert published on 27th May. 

The advanced persistent threat (APT) actors moved laterally around the network after gaining access to the local government organization's server, creating new domain controller, server, and workstation user identities that looked exactly like existing ones. On compromised systems, attackers linked to this ongoing APT harmful activity have created 'WADGUtilityAccount' and 'elie' accounts, according to the FBI.

This APT organization will most likely utilize this access to capture and exfiltrate data from the victims' network, according to the FBI. "The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors," the FBI added.

Last month, the FBI and the CISA issued a warning about state-sponsored hacking groups gaining access to Fortinet equipment by exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The threat actors are also scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443, and enumerating servers that haven't been patched against CVE-2020-12812 and CVE-2019-5591. 

Once they've gained access to a vulnerable server, they'll use it in subsequent attacks aimed at critical infrastructure networks. "APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks," the two federal agencies said.

"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns." They further told. 
Read more »
Youtube
Cyber Fraud Fortinet User Security Youtube

Threat Actors are Using YouTube to Lure Users into their Trap

 

Fortinet security researcher ‘accidentally discovered a unique way of tricking YouTube users. Due to Covid-19, as well as the recent surge in the value of the stock market and cryptocurrencies, more people than ever are at home looking for livestock market/crypto-related content on streaming platforms like YouTube, etc. This might be to compensate for the lack of in-person interactions that we would normally have in a non-Covid-19 world, as well as to perhaps make some quick income on the side. During a random midnight search for similar content, the researcher accidentally stumbled upon a LIVE Bitcoin scam on YouTube (yes, this time it was on YouTube and not on Twitter). 

YouTube has various labels/buttons on its home page to identify trending categories of videos, and this one indicated that several scams were streaming “live”. The first video researcher saw after clicking the Live button was titled, “Chamath Palihapitiya - What will be the New World of Finance? | SPACs, Coinbase IPO and NFT” with the URL link “hxxps://www[.]youtube[.]com/watch=cFstoyKl99s”. 

The next thing the researcher noticed was the video’s caption message, “Our mission is to advance humanity by solving the world’s hardest problems. We want to thank our supporters and also help crypto mass adoption, so 1000 BTC will be distributed among everyone who takes part in the event. You can find all the information on the website.” And also, unlike most content creators, the website link “More info: cham-event[.]com” did not include any video descriptions.

Another red flag was that while this YouTube channel had 252k subscribers, there was only ONE video on the channel. This could either be a case of a hacked YouTube channel that had all previous videos deleted, OR it could be that the malicious attacker somehow found a way to add fake subscribers to his/her channel. 

Earlier this month, hackers associated with these scams escalated their activity when they compromised two YouTube channels that maintain over eight million subscribers. In this particular case, the hackers modified these channels to impersonate our brand, using the Gemini name and logo. In light of these ongoing events, we want to share how these attacks work, discuss Gemini’s ongoing actions to protect our customers and provide some tips for YouTube channel owners to better secure. 
Read more »
Vulnerabilities and Exploits
Fortinet NCSC User Security VPN Vulnerabilities and Exploits

NCSC Warns of Exploited VPN Servers: Here are the Safety Tips to Fix Your VPN

 

The UK’s Nationwide Cyber Safety Centre (NCSC) has published a new advisory warning that cybercriminals as well as Advanced Persistent Threat (APT) actors are actively searching for unpatched VPN servers and trying to exploit the CVE-2018-13379 susceptibility.

According to NCSC, a significant number of organizations in the UK have not fixed a Fortinet VPN vulnerability found in May 2019, resulting in the credentials of 50,000 vulnerable VPNs being stolen and revealed on a hacker forum. As such, the NCSC recommended organizations that are using such devices to assume they are now compromised and to start incident management procedures, where security updates have not been downloaded.

“The NCSC is advising organizations which are using Fortinet VPN devices where security updates have not been installed, to assume they are now compromised and to begin incident management procedures. Users of all Fortinet VPN devices should check whether the 2019 updates have been installed. If not, the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured, and then returned to service,” NCSC stated.

Safety tips for users & organizations 

The first step is to check whether the 2019 update is installed on all Fortinet VPN devices or not. If not, the NCSC recommends installing it as soon as possible. Secondly, the corrupt devices should be removed from service, returned to a factory default, reconfigured, and then restored to service. 

While fixing the security loophole, organizations should examine all connected hosts and networks to detect any further attacker movement and activities. Anomalous connections in access logs for the SSL VPN service may also indicate the use of compromised credentials. Organizations should then make it a high priority to upgrade to the latest FortiOS versions to prevent reinfection. 

"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.
Read more »
Subscribe to: Posts (Atom)