Showing posts with label IBM.

Malicious Actor Claims Targeting IBM & Stanford University


A post on a British cybercrime forum, found by CloudSEK's contextual AI digital risk platform XVigil, named Jenkins among the TTPs used in the campaign. The module advertised in the post claims stealth desktop-takeover capabilities, used to inflate ad click-throughs. Based on informal discussions, CloudSEK's researchers expect this campaign to drive more attempts to infect bots.

Evaluation of threats 

In a post on a cybercrime forum dated May 7, 2022, a threat actor described how they broke into a major organization by abusing a flaw in an exposed Jenkins dashboard.

The same actor had earlier been seen offering access to IBM. As evidence, the actor shared a sample screenshot of their alleged access to a Jenkins dashboard.

The actor found a Jenkins dashboard that could be reached without authentication and that exposed internal hosts, scripts, database logins and credentials. According to the researchers, the company's public-facing asset on port 9443 was located through search engines such as Shodan.

Having obtained this data, the actor used a custom debugging script to find targets vulnerable to a reverse-proxy (rproxy) misconfiguration bypass.
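The exposure described above is straightforward to audit from the defender's side: confirm that an internet-facing Jenkins does not allow anonymous read of the dashboard API or the Groovy script console, and check that job definitions do not carry hard-coded credentials. The following script is an added example, not code from CloudSEK or the Jenkins project. The endpoints it probes (`/api/json`, `/script`, `/job/<name>/config.xml`) and the `X-Jenkins` response header are real Jenkins behaviour; the version string, job name and leaked secrets in the demo responses are constructed so that the audit runs offline.

```python
"""Audit a Jenkins instance for anonymous read access and leaked secrets.
Added example; the demo feeds constructed responses instead of a live host."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str], Response]

# Crude patterns for credentials that end up in shell build steps.
SECRET_RE = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?[^\s'\"<]{4,}"
    r"|(?<=\s)-p[^\s<]{4,}"      # mysql-style inline password (-pSecret)
    r"|AKIA[0-9A-Z]{16}"         # AWS access key id format
)


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetch:
    """Fetch helper for a live target (unused by the offline demo)."""
    def fetch(path: str) -> Response:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "jenkins-audit"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read()
        except urllib.error.HTTPError as e:
            return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()
    return fetch


def audit_jenkins(fetch: Fetch) -> dict:
    """Return what an unauthenticated client can see on the instance."""
    status, headers, body = fetch("/api/json?tree=jobs[name]")
    report = {"is_jenkins": "x-jenkins" in headers, "version": headers.get("x-jenkins"),
              "anonymous_read": False, "script_console": False, "jobs": [], "leaks": []}
    if not report["is_jenkins"]:
        return report
    if status == 200:                       # anonymous Overall/Read is enabled
        try:
            report["jobs"] = [j["name"] for j in json.loads(body).get("jobs", [])]
            report["anonymous_read"] = True
        except (ValueError, KeyError, TypeError):
            pass
    # /script is the Groovy console: a 200 without credentials means remote code execution.
    report["script_console"] = fetch("/script")[0] == 200
    for job in report["jobs"]:              # readable job configs often embed secrets
        st, _, cfg = fetch(f"/job/{job}/config.xml")
        if st == 200:
            for m in SECRET_RE.finditer(cfg.decode("utf-8", "replace")):
                report["leaks"].append((job, m.group(0)))
    return report


# Constructed responses mimicking an exposed instance (version and job are made up).
CONSTRUCTED: Dict[str, Response] = {
    "/api/json?tree=jobs[name]": (200, {"x-jenkins": "2.303.1"},
                                  json.dumps({"jobs": [{"name": "nightly-build"}]}).encode()),
    "/script": (403, {"x-jenkins": "2.303.1"}, b"Forbidden"),
    "/job/nightly-build/config.xml": (200, {"x-jenkins": "2.303.1"},
        b"<project><builders><hudson.tasks.Shell><command>"
        b"mysql -h db.internal -u app -pS3cretPass inventory &lt; load.sql\n"
        b"export API_TOKEN=tok_constructed_1234</command></hudson.tasks.Shell>"
        b"</builders></project>"),
}


def fake_fetch(path: str) -> Response:
    return CONSTRUCTED.get(path, (404, {"x-jenkins": "2.303.1"}, b""))


def demo() -> dict:
    """Run the audit against the constructed instance."""
    return audit_jenkins(fake_fetch)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real host, call `audit_jenkins(http_fetch("https://jenkins.example:9443"))` on systems you are authorised to test; any non-empty `leaks` list or `anonymous_read`/`script_console` set to true is exactly the condition the forum post describes.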

Origin of the threat actor

In other posts on the same forum, the actor claimed to have previously targeted IBM as well, specifically internal administrators' scripts and firewall configurations for internal networks.

In later posts the actor also laid out the following narrative for getting into Stanford University: 
  • The actor enumerated all subdomains of the University with the Sudomy tool. 
  • The actor then used httpx to probe those domains for a path such as -path /wp-content/plugins/. 
  • For every subdomain that returns a valid path, a plugin carrying the unpatched (zero-day) vulnerability would allow remote code execution. 

According to CloudSEK, which reported the threats, other actors could carry out similar intrusions using this actor's TTPs. "Modules like these can facilitate complex ransomware assaults and persistence," the researchers said, adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Because password reuse is common, actors can use exposed credentials to get into victims' other accounts. The same actor also took credit for hacking Stanford University and Jozef Safarik University in Slovakia. 

According to XVigil, access to domains in several countries, including Ukraine, Pakistan, the United Arab Emirates and Nepal, was also reportedly on offer. 

Carrier's Industrial Access Control System has Critical Flaws


Carrier's LenelS2 HID Mercury access control system, which is widely used in healthcare, academic, transport and federal buildings, has eight zero-day vulnerabilities.

In a report shared with The Hacker News, Trellix security researchers Steve Povolny and Sam Quinn wrote, "The vulnerabilities found enabled us to demonstrate the ability to remotely open and lock doors, manipulate alarms, and degrade logging and notification systems." 

The investigation began at the hardware level: using the manufacturer's built-in ports, the researchers were able to interact with the device and modify onboard components. 

Using a combination of known and novel techniques, they gained root access to the device's operating system and extracted its firmware for emulation and vulnerability research. One of the issues (CVE-2022-31481) is an unauthenticated remote code execution flaw with a CVSS severity rating of 10 out of 10. The full list of flaws: 
  • CVE-2022-31479: unauthenticated command injection. 
  • CVE-2022-31480: unauthenticated denial of service.
  • CVE-2022-31481: unauthenticated remote code execution (CVSS 10.0). 
  • CVE-2022-31482: unauthenticated denial of service. 
  • CVE-2022-31483: authenticated arbitrary file write. 
  • CVE-2022-31484: unauthenticated user modification.
  • CVE-2022-31485: unauthenticated information spoofing. 
  • CVE-2022-31486: authenticated command injection. 

Carrier has issued an advisory in response to the disclosure, with further details, mitigations and firmware patches that customers should apply immediately. 

LenelS2 is deployed where physical access to sensitive facilities must be controlled, and it integrates with more complex building automation systems. The following LenelS2 HID Mercury access panels are affected: 
  • LNL-X2210 
  • LNL-X2220 
  • LNL-X3300 
  • LNL-X4420
  • LNL-4420 
  • S2-LP-1501 
  • S2-LP-1502 
  • S2-LP-2500 
  • S2-LP-4502 

According to IBM's 2021 Cost of a Data Breach study, a breach that begins with a physical security compromise costs 3.54 million dollars on average, with a detection time of 223 days. 

For organizations that rely on access control systems to protect the security and safety of their facilities, the stakes are high. "ICS security presents unique issues," the US Cybersecurity and Infrastructure Security Agency (CISA) notes. "The increasing convergence of information technology (IT) and operational technology (OT) presents chances for exploitation that could result in catastrophic repercussions, including loss of life, economic damage, and disruption of society's National Critical Functions (NCFs)."

Customers should bear in mind that while the vulnerabilities disclosed here may appear to have limited impact, attacks on critical infrastructure have a significant effect on everyday life.

Prometheus Ransomware's Bugs Inspired Researchers to Try to Build a Near-universal Decryption Tool


Prometheus, a ransomware strain based on Thanos that locked up victims' computers in the summer of 2021, contained a major "vulnerability" that prompted IBM security researchers to attempt a one-size-fits-all ransomware decryptor that could work against numerous families, including Prometheus, AtomSilo, LockFile, Bandana, Chaos and PartyTicket. 

Although the IBM researchers were able to undo the work of several ransomware strains, the universal decryptor never materialised. According to Andy Piazza, IBM's global head of threat intelligence, the team's efforts showed that while some ransomware families can be reverse-engineered to produce a decryption tool, no organisation should rely on decryption alone as its response to a ransomware attack. 

“Hope is not a strategy,” Piazza said at RSA Conference 2022, held in San Francisco in person for the first time in two years. 

Aaron Gdanski, assisted by security researcher Anne Jobman, said he became interested in developing a Prometheus decryption tool when one of IBM Security's clients was infected with the ransomware. He started by trying to understand the ransomware's behaviour: Did it persist in the environment? Did it upload any files? And, in particular, how did it generate the keys used to encrypt files? 

Using the dnSpy debugger and disassembler, Gdanski found that Prometheus' encryption process relied on both "a hardcoded initialization vector that did not vary between samples" and the computer's uptime: the ransomware seeded its random number generator with a value that defaults to Environment.TickCount, the number of milliseconds since the machine booted.

“If I could obtain the seed at the time of encryption, I could use the same algorithm Prometheus did to regenerate the key it uses,” Gdanski stated. 

With the boot time of an infected system and the recorded timestamp of an encrypted file, Gdanski had a window in which to search. After some further calculation he derived a candidate seed and tested it against portions of encrypted data; with some fine-tuning, the approach worked. He also found that the seed changed depending on when each file was encrypted, so a single key would not decrypt everything; by sorting the encrypted files by their last write time on the system, he was able to progressively generate the sequence of seeds needed for decryption. 

Gdanski believes the result might be applied to other ransomware families that rely on similar flawed random number generators. “Any time a non-cryptographically secure random number generator is used, you’re probably able to recreate a key,” Gdanski stated. 
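The weakness described above can be shown in a few dozen lines. The block below is an added example, not IBM's decryptor or Prometheus code. It reimplements the legacy .NET Framework System.Random (Knuth's subtractive generator, which `new Random(seed)` uses), seeds it with a tick count, and then recovers that seed by searching the window that boot time and the file's write timestamp bracket. Three things are assumptions for the demo: the key is 32 bytes drawn straight from the PRNG, an XOR stream stands in for the real cipher (Python's standard library has no AES, and the recovery logic only needs a way to test a candidate key against a known file header), and the bracket is ±1 s around the expected uptime because file timestamps have one-second granularity while TickCount counts milliseconds. Boot time, file names and contents are constructed.

```python
"""Recover a per-file seed when the encryption key comes from a non-cryptographic
PRNG seeded with uptime (Environment.TickCount). Added example; assumptions marked."""
from typing import List, Optional, Tuple

MBIG = 2**31 - 1          # Int32.MaxValue
MSEED = 161803398


class DotNetRandom:
    """Legacy .NET Framework System.Random (Knuth subtractive generator)."""

    def __init__(self, seed: int) -> None:
        subtraction = MBIG if seed == -2**31 else abs(seed)
        self.seed_array = [0] * 56
        mj = MSEED - subtraction
        self.seed_array[55] = mj
        mk = 1
        for i in range(1, 55):
            ii = (21 * i) % 55
            self.seed_array[ii] = mk
            mk = mj - mk
            if mk < 0:
                mk += MBIG
            mj = self.seed_array[ii]
        for _ in range(4):
            for i in range(1, 56):
                self.seed_array[i] -= self.seed_array[1 + (i + 30) % 55]
                if self.seed_array[i] < 0:
                    self.seed_array[i] += MBIG
        self.inext, self.inextp = 0, 21

    def next(self) -> int:
        self.inext = self.inext + 1 if self.inext + 1 < 56 else 1
        self.inextp = self.inextp + 1 if self.inextp + 1 < 56 else 1
        ret = self.seed_array[self.inext] - self.seed_array[self.inextp]
        if ret == MBIG:
            ret -= 1
        if ret < 0:
            ret += MBIG
        self.seed_array[self.inext] = ret
        return ret

    def next_bytes(self, n: int) -> bytes:
        return bytes(self.next() % 256 for _ in range(n))


def derive_key(tick_seed: int) -> bytes:
    # Assumption: 32 key bytes taken directly from the PRNG seeded with TickCount.
    return DotNetRandom(tick_seed).next_bytes(32)


def xor_cipher(data: bytes, key: bytes) -> bytes:
    # Stand-in for the real cipher; recovery only needs a testable decrypt step.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_seed(ciphertext: bytes, known_prefix: bytes, lo: int, hi: int) -> Optional[int]:
    """Try every tick value in [lo, hi] until the decrypted header matches."""
    head = ciphertext[:len(known_prefix)]
    for cand in range(lo, hi + 1):
        if xor_cipher(head, derive_key(cand)) == known_prefix:
            return cand
    return None


def bracket_from_timestamps(boot_epoch_s: float, mtime_epoch_s: int) -> Tuple[int, int]:
    """Assumption: ±1 s window, since mtime is whole seconds and TickCount is ms."""
    expected = int((mtime_epoch_s - boot_epoch_s) * 1000)
    return max(0, expected - 1000), expected + 1000


PDF_MAGIC = b"%PDF-1.7"   # known plaintext: header of the encrypted file type


def demo() -> List[Tuple[str, Optional[int], int, Optional[bytes]]]:
    """Encrypt two constructed files at different uptimes, then recover each seed
    in write-time order, as the article describes. Returns
    (name, recovered_seed, true_seed, recovered_plaintext) per file."""
    boot_epoch_s = 1_700_000_000.0                     # constructed boot time
    files = [("b.pdf", 5_321_400, PDF_MAGIC + b" constructed second document"),
             ("a.pdf", 5_318_050, PDF_MAGIC + b" constructed first document")]
    encrypted = []
    for name, tick, plaintext in files:
        mtime = int(boot_epoch_s + tick / 1000)        # one-second granularity
        encrypted.append((name, mtime, xor_cipher(plaintext, derive_key(tick)), tick))
    results = []
    for name, mtime, ct, true_tick in sorted(encrypted, key=lambda f: f[1]):
        lo, hi = bracket_from_timestamps(boot_epoch_s, mtime)
        seed = recover_seed(ct, PDF_MAGIC, lo, hi)
        plain = xor_cipher(ct, derive_key(seed)) if seed is not None else None
        results.append((name, seed, true_tick, plain))
    return results


if __name__ == "__main__":
    for name, seed, true_tick, plain in demo():
        print(name, seed, seed == true_tick, plain)
```

The search cost is the size of the bracket, not the size of the key space: a 32-bit seed that is really "milliseconds since boot" collapses to a few thousand candidates once you know roughly when the file was written, which is why the author's point about non-cryptographic generators holds regardless of the cipher used afterwards.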

However, Gdanski stressed that in his experience this kind of flaw is unusual. As Piazza emphasised, the best protection against ransomware is not hoping that the ransomware used in an attack is badly implemented; it is preventing the attack before it happens.

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware


Researchers have disclosed what they describe as the first Python-based ransomware specifically tailored to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running code through a browser. Python is not widely used for malware development; criminals notably prefer languages like Go, DLang, Nim and Rust. Nonetheless, this is not the first time Python has been used in a ransomware attack: in October 2021 Sophos disclosed Python ransomware targeting VMware ESXi systems. 

Jupyter Notebook is an open-source, web-based data visualization platform used in data science, computing, machine learning and modular software to model data. The project supports over 40 programming languages and is used by Microsoft, IBM and Google, as well as universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script that encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware targets users who have unintentionally exposed their systems. To observe the malware, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools including encryptors, and then manually wrote a Python script. Although the attack stopped before completing its mission, Team Nautilus was able to gather enough data to replicate the remainder of the attack in a lab setting. The encryptor would copy and encrypt files, delete the unencrypted originals, and then delete itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them; one would be amazed how easy it can be to predict these passwords. We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," noting that no ransom note was displayed during the process, which raises the possibility that the threat actor was experimenting with the modus operandi or that the honeypot timed out before the attack could complete. 
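The "misconfigured environments" Aqua refers to are usually a notebook server bound to all interfaces with the token and password switched off. The script below is an added example, not Aqua's or the Jupyter project's code: it parses a `jupyter_notebook_config.py` / `jupyter_server_config.py` for `c.NotebookApp.*` and `c.ServerApp.*` settings and flags the combinations that hand a remote attacker an interactive shell. The weak and hardened configs are constructed; the password hash in the hardened one is a placeholder for a value generated with `jupyter server password` (or `jupyter notebook password` on the classic server).

```python
"""Audit a Jupyter config for the exposure pattern behind the honeypot attack.
Added example; sample configs are constructed."""
import ast
import re
from typing import Dict, List

SETTING_RE = re.compile(r"^\s*c\.(?:NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_settings(config_text: str) -> Dict[str, object]:
    """Collect c.NotebookApp.* / c.ServerApp.* assignments with their literal values."""
    settings: Dict[str, object] = {}
    for key, raw in SETTING_RE.findall(config_text):
        try:
            settings[key] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[key] = raw            # non-literal (e.g. a function call): keep text
    return settings


def audit_jupyter(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    s = parse_settings(config_text)
    findings: List[str] = []
    ip = s.get("ip", "localhost")          # Jupyter defaults to localhost when unset
    exposed = ip in ("0.0.0.0", "*", "")
    if exposed:
        findings.append("binds to all interfaces (ip=%r)" % ip)
    token, password = s.get("token"), s.get("password")
    if exposed and token == "" and not password:
        findings.append("no token and no password: anyone who can reach the port gets a shell")
    elif token == "":
        findings.append("token disabled")
    if s.get("allow_root") is True:
        findings.append("allow_root=True: a compromised kernel runs as root")
    if s.get("allow_origin") == "*":
        findings.append("allow_origin='*': cross-site requests permitted")
    if isinstance(password, str) and password and not password.startswith(("sha1:", "argon2:")):
        findings.append("password stored in clear text instead of a hash")
    return findings


# Constructed: the kind of config that turns up on the ~11,000 exposed servers.
WEAK_CONFIG = """
c = get_config()
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.port = 8888
c.NotebookApp.open_browser = False
c.NotebookApp.token = ''
c.NotebookApp.password = ''
c.NotebookApp.allow_root = True
c.NotebookApp.allow_origin = '*'
"""

# Constructed: same server, reachable only locally (or via a reverse proxy/SSH tunnel),
# with a hashed password. The hash value is a placeholder, not a real digest.
HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.password = 'argon2:constructed-placeholder-hash'
c.ServerApp.allow_root = False
c.ServerApp.allow_origin = 'https://notebooks.example.internal'
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jupyter(cfg) or ["ok"])
```

Run it against `~/.jupyter/jupyter_server_config.py` on each host; a server that needs to be reachable from the network should sit behind an authenticating reverse proxy or VPN rather than relying on `ip='0.0.0.0'` plus a guessable password.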

Regardless, based on what they have seen, the researchers believe it is ransomware rather than a wiper. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag said. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence found during the investigation points to a Russian actor, citing similarities with earlier crypto-mining attacks on Jupyter notebooks, the attacker's identity remains unknown.

Researchers Learn from ITG18 Group's OpSec Mistakes


A team of IBM X-Force security researchers analysed the operational security mistakes of a group known as ITG18, also tracked as Charming Kitten and Phosphorus, to reveal core details of how the group operates and launches attacks. 

ITG18 has a history of targeting high-profile victims, journalists, nuclear experts and people working on COVID-19 vaccine research, and is linked to Iranian government operations. It was also tied to an attack in late 2019. 

Richard Emerson, senior threat hunt analyst with IBM X-Force, stated, "How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well." Based on the amount of infrastructure it has registered, the researchers believe it to be a "rather sizable organization"; Emerson adds that they have collected over 2,000 indicators connected to this group alone over the last couple of years. 

According to Allison Wikoff, a senior strategic cyber-threat analyst at IBM X-Force, the team achieved "a major breakthrough" in studying ITG18 behavior while examining an attack on executives at a COVID-19 research center. 

Researchers routinely collect indicators linked to attackers' activities; while investigating ITG18, the team found flaws in the attackers' infrastructure that yielded a wealth of fresh information. 

"When we saw this open server, we collected videos and exfiltrated information. Over the course of the last 18 months, we've continually seen the same errors from this group," she added. 

Among the data they gathered, the researchers found training videos used by the group, covering how the operators maintain access to compromised email accounts, how they exfiltrate data, and how they build on compromises using stolen data. The videos gave investigators a better understanding of the group's procedures, and the mistakes persisted. 

According to Emerson, ITG18 habitually misconfigures its servers so that directories are listable: anyone who knows the IP address or domain can read the files without authentication. The group keeps stolen data on a number of such servers, where anyone could find large archives ranging from 1 GB to 100-150 GB, all of which could relate to a single targeted individual. Researchers have also found ITG18 storing tools on these misconfigured servers, some legitimate and others custom. 
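An open directory listing like the one described is the first thing a threat hunter triages: what is there, how big is it, and which items are the bulk archives of victim data. The parser below is an added example, not X-Force code. It handles the Apache-style autoindex page format (`<a href>` followed by a modification time and a human-readable size); the sample page, its file names and sizes are constructed. nginx's autoindex output is formatted differently and would need its own pattern.

```python
"""Triage an exposed directory listing: parse entries, normalise sizes and flag
large archives. Added example; the sample listing is constructed."""
import re
from typing import List, NamedTuple, Optional

LISTING_MARKERS = ("<title>Index of ", "<title>Directory listing for ")
ENTRY_RE = re.compile(
    r'<a href="(?P<href>[^"?]+)">[^<]*</a>\s+'
    r'(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d.]+[KMGT]?|-)')
UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".tar", ".tar.gz", ".tgz")


class Entry(NamedTuple):
    name: str
    mtime: str
    size: Optional[int]          # None for directories ("-")


def is_directory_listing(html: str) -> bool:
    """Apache autoindex and Python's http.server both announce themselves in the title."""
    return any(marker in html for marker in LISTING_MARKERS)


def parse_size(text: str) -> Optional[int]:
    """Convert autoindex sizes such as '97G', '1.3G', '4.0K' to bytes."""
    if text == "-":
        return None
    m = re.fullmatch(r"([\d.]+)([KMGT]?)", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_listing(html: str) -> List[Entry]:
    """Extract (name, mtime, size) for every file/directory row; sort links are skipped."""
    return [Entry(m["href"], m["mtime"], parse_size(m["size"])) for m in ENTRY_RE.finditer(html)]


def flag_bulk_archives(entries: List[Entry], min_bytes: int = 1024**3) -> List[Entry]:
    """Archives at or above min_bytes (default 1 GiB) are the likely victim data dumps."""
    return [e for e in entries
            if e.size is not None and e.size >= min_bytes and e.name.lower().endswith(ARCHIVE_EXT)]


# Constructed Apache-style autoindex page; names and sizes are made up.
SAMPLE_LISTING = """<html><head><title>Index of /loot</title></head><body>
<h1>Index of /loot</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a><hr>
<a href="/">Parent Directory</a>                                   -
<a href="target1_mailbox.rar">target1_mailbox.rar</a>   2021-03-02 14:17   97G
<a href="target2_gdrive.zip">target2_gdrive.zip</a>     2021-03-05 09:41  1.3G
<a href="tools/">tools/</a>                             2021-03-06 11:02    -
<a href="notes.txt">notes.txt</a>                       2021-03-07 08:30  4.0K
<hr></pre></body></html>
"""

if __name__ == "__main__":
    if is_directory_listing(SAMPLE_LISTING):
        for e in flag_bulk_archives(parse_listing(SAMPLE_LISTING)):
            print(e)
```

In practice the HTML comes from a fetch of the suspect host; keep the raw page as evidence, since a listing this size can disappear once the group notices the attention.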

According to Emerson and Wikoff, the group uses a new Android remote access Trojan, dubbed "LittleLooter," to infect the targets it tracks on a regular basis. 

ITG18's blunders have helped Emerson and Wikoff paint a more comprehensive picture of how the group operates and anticipate what its future activity would look like. Wikoff notes that the attacks are not particularly sophisticated, and the study suggests they are unlikely to evolve. 

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser-focused on it," she added. 

Others have previously reported on ITG18's misconfigured servers, so the attackers are probably aware of the problem but have not fixed it. It appears the group either does not want to fix the error, does not want to change its operating tempo, or some other factor is at play. 

While many defensive recommendations are not specific to ITG18, multifactor authentication is a significant deterrent for these attackers. Wikoff points out that this group is complicated to defend against because it primarily targets personal resources. 

Even though companies do not control their employees' personal accounts, these attacks can still compromise corporate security. Emerson advised that businesses should work out how they would respond if an employee were hit by one of these attacks, and how they can teach staff to recognise the dangers they face.

IBM: Cyber attacks on Linux systems of Russian government agencies will increase

The problem will also affect Russian government agencies, which are switching to domestic Linux operating systems as part of import substitution. Businesses that began actively using the cloud during the pandemic face increased costs: attackers can break into their cloud environments and use them for cryptocurrency mining and DDoS attacks.

According to IBM's report on the main information security risks in 2021, the number of attacks on cloud environments and open-source Linux operating systems will increase this year. Users of Russian Linux-based operating systems may also suffer, said Oleg Bakshinsky, a leading information security adviser for IBM in Russia.

Attackers have begun exploiting the elastic computing capacity of Linux-based cloud environments, Mr. Bakshinsky said.

A customer can enable this feature in their cloud settings so that at peak load their resources are expanded for an additional fee. Attackers take advantage of it by gaining unauthorized access to the victim's cloud environment and driving up the company's cloud bill.

The authorities have already acknowledged the problem: to check the security of Linux-based operating systems, the Federal Service for Technical and Export Control of Russia will create a research centre for 300 million rubles ($4 million).

Cybersecurity experts also confirm hackers' growing interest in Linux systems. Check Point records about 20 attacks on Linux-based cloud environments in Russia, which is 3.45% of the total number of such attacks worldwide.

The main targets of the attackers, according to Nikita Durov, technical director of Check Point in Russia, are the financial industry and the government.

Alexander Tyurnikov, head of software development at Cross Technologies, is convinced that attacks on cloud environments "will not be so large-scale as to lead to the collapse of state and commercial systems."

IBM announces 1000 STEM internship opportunities for students

Petrarch once said, "Sameness is the mother of disgust, variety the cure." As a society we believe strongly in diversity; it is at the core of our harmonious existence, and research shows that diverse companies produce 19% more revenue. Most companies today give considerable weight to being diverse and inclusive, one of them being IBM.

IBM, a highly innovative and research-focused company, has long been inclusive in its approach, with programs such as "creating new pathways to science, technology, engineering and math careers with Pathways in Technology Early College High School, also known as P-TECH".

 "The fight against racism and racial inequality is as urgent as ever. Despite much progress since the Civil Rights movement, Black people are still significantly affected by poverty, unemployment, segregated housing, and other injustices in the United States.", they wrote on their website.

In the same spirit, IBM has announced that it will provide 1,000 internships for P-TECH students in the United States, up from the 150 it offered earlier.

"At IBM, one way we are taking action in advocating for social justice and racial equality is by advancing education, skills, and jobs. Today, as part of our ongoing efforts, we are pleased to announce the creation of 1,000 paid internships for P-TECH students in the United States from now until December 31, 2021. This commitment is a 10x incremental increase from our most recent internship goals." announced the company.

P-TECH is a program created by IBM in which students from grades 9 to 14 receive STEM training, mentorship and work experience. The students earn a high school diploma, a two-year associate degree and work experience, along with ample opportunities to enter the tech field. STEM (science, technology, engineering and mathematics) has led global innovation, but it is also a field in which minorities are still greatly underrepresented, and IBM is addressing this with its 1,000 paid internships.

 "We aspire to create more open and equitable pathways to employment for all regardless of background. It’s about generating the skills and training that lead to good jobs. We will continue the fight to bring new faces to the tech industry that truly reflect the demographics of our communities.", IBM writes on P-TECH programs announcing the new internship opportunities.

Researchers Find Third-Party Risk Costs the Healthcare Industry $23.7 Billion a Year

The average cost of a data breach has increased 12% over the past five years to US$3.92 million, according to a report sponsored by tech giant IBM.

The report, released by Censinet and the Ponemon Institute and funded by IBM, surveyed more than 500 organisations around the world that suffered a breach over the past year.

According to the report, 72 percent of respondents believe that the growing dependence on network-connected third-party medical devices is the biggest risk, while 68 percent say that connecting medical devices to the internet increases the risk of cyberattack. 

“This research confirms that healthcare providers require a better, more cost-effective approach to third-party risk management,” said Ed Gaudet, CEO, and founder of Censinet. “The adoption of technology in healthcare is more rapid and complicated than ever before. As an industry, we must help providers safely enable cloud applications and medical devices optimized to deliver the quality of care hospitals and their patients expect.”

In India, an average of 35,636 records were compromised per data breach, costing organisations ₹12.8 crore, between July 2018 and April 2019.

“It’s clear that healthcare providers are in a tough spot. The number of vendors they rely on is increasing at the same time the threats those vendors pose are escalating in frequency and severity, so it’s easy to see how managing these risks has become an overwhelming problem,” said Dr. Ponemon, chairman and founder of the Ponemon Institute. “But it’s not all bad news – we can very clearly see an opportunity with automation for healthcare providers to monitor, measure, and mitigate the scourge of third-party breaches that continues to plague their industry.”

Cybercriminal Gang behind $100million theft busted

An international cybercrime network that used Russian malware to steal $100 million from tens of thousands of victims has been busted in a joint operation by United States and European police.  

The gang used the powerful GozNym banking malware to infect computers, allowing them to steal users' bank login details; the scheme involved "more than 41,000 victims, primarily businesses and their financial institutions," Europol said. 

The malware GozNym is a combination of two other malware — Gozi and Nymaim. According to the IBM X-Force Research team the malware took the most powerful elements of each one. “From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi parts add the banking Trojan’s capabilities to facilitate fraud via infected internet browsers,” the team said, adding: “The end result is a new banking Trojan in the wild.”

Prosecutions have been launched against members of the gang in Georgia, Moldova, Ukraine and the United States, while five Russians charged in the US remain at large, the EU police agency Europol said.

Alexander Konovolov, 35, of Tbilisi, Georgia, is the prime accused and alleged leader of the network, and is currently being prosecuted in Georgia.

Police in Germany and Bulgaria were also involved.

Hewlett Packard Enterprise and IBM Networks Breached by China; Clients Targeted

Hackers working for China's Ministry of State Security breached the networks of Hewlett Packard Enterprise and IBM in order to gain access to their clients' computers.

As part of the Chinese campaign known as Cloudhopper, the attacks compromised technology service providers in order to steal secrets from their clients. International Business Machines Corp said it had no evidence that sensitive corporate data had been compromised, while Hewlett Packard Enterprise (HPE) declined to comment on the campaign.

Although numerous government agencies and cybersecurity firms have issued warnings about the Cloudhopper threat since 2017, the identities of the technology companies whose networks were compromised had not been revealed until now.

According to a U.S. federal indictment of two Chinese nationals unsealed on December 20, Cloudhopper focused mainly on managed service providers (MSPs) as a way into client networks, stealing corporate secrets from organisations around the world.

While both IBM and HPE declined to comment on the specific claims made by the sources, each issued a statement.

"IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats. We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat."

HPE said, "The security of HPE customer data is our top priority. We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017." 

Reuters was unable to confirm the names of other breached technology firms or to identify any affected customers.

Cloudhopper, which has targeted technology service providers for several years, is known to have penetrated the systems of HPE and IBM on multiple occasions, in breaches that went on for extended periods.

IBM investigated an attack as recently as this summer, while HPE conducted a major breach investigation in early 2017.