Search This Blog

Showing posts with label Network. Show all posts

Here’s List of the World’s Riskiest Connected Devices

 

IoT devices ranging from video conferencing systems to IP cameras are among the five riskiest IoT devices connected to networks, according to research highlighted by Forescout's cybersecurity research arm, Vedere Labs. 

In their recent research, the company identified recurring themes, showcasing the increasing attack surface as more devices are connected to enterprise networks, as well as how threat actors are able to leverage these devices to achieve their goals. 

“IP cameras, VoIP and video-conferencing systems are the riskiest IoT devices because they are commonly exposed on the internet, and there is a long history of threat actor activity targeting them,” The Forescout report said.

With the addition of IoMT in healthcare, the attack surface now includes IT, IoT, and OT in almost every organisation. Organizations must be aware of dangerous devices in all categories. Forescout recommends that companies implement automated controls and that they do not rely on siloed security in the IT network, OT network, or for specific types of IoT devices.

This latest study updates the company's findings from 2020, in which networking equipment, VoIP, IP cameras, and programmable logic controllers (PLCs) were listed as the riskiest devices across IT, IoT, OT, and IoMT in 2022.

New entrants, such as hypervisors and human-machine interfaces (HMIs), however, are indicative of trends such as critical vulnerabilities and increased OT connectivity.

Vedere Labs examined device data in Forescout's Device Cloud between January 1 and April 30. The anonymized data comes from Forescout customer deployments and contains information on nearly 19 million devices, which the company claims are growing on a daily basis.

A device's overall risk was calculated based on three factors: configuration, function, and behaviour. Vedered Labs calculated averages per device type after measuring the risk of each individual device to determine which are the riskiest.

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia

 

Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this action is a different cluster earlier associated with the "ShadowPad" RAT (remote access trojan) (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an example of an April 2022 attack to demonstrate how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application in order to load a.dat file.

The legitimate application abused by the hackers, in this case, was an 11-year-old Bitdefender Crash Handler executable. The initial.dat payload contains encrypted shellcode that can be used to directly execute commands or additional payloads from memory.

The threat actors installed ProcDump three days after gaining backdoor access to steal user credentials from the Local Security Authority Server Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler and the DLL order hijacking trick. A month after the intrusion, the threat actors gained access to the active directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (Proxylogon) exploitation against Exchange Servers in the compromised network.

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

 

Since January 2022, over a dozen military-industrial complex firms and governmental organisations in Afghanistan and Europe have been targeted in order to acquire private data via six distinct backdoors. The assaults were attributed "with a high degree of confidence" to a China-linked threat actor identified by Proofpoint as TA428, noting commonalities in tactics, techniques, and processes (TTPs). 

TA428, also known as Bronze Dudley, Temp.Hex, and Vicious Panda, has previously struck entities in Ukraine, Russia, Belarus, and Mongolia. It is thought to be linked to another hacker organisation known as Mustang Panda (aka Bronze President). The current cyber espionage effort targeted industrial units, design bureaus and research institutions, as well as government entities, ministries, and departments .departments in several East European countries and Afghanistan. 

Penetration of company IT networks is accomplished through the use of carefully prepared phishing emails, including those that mention non-public information about the companies, to fool recipients into opening rogue Microsoft Word documents. These decoy files include exploits for a 2017 memory corruption vulnerability in the Equation Editor component (CVE-2017-11882), which might allow arbitrary code to be executed in affected computers, eventually leading to the deployment of a backdoor known as PortDoor. 

In April 2021, Chinese state-sponsored hackers used PortDoor in spear-phishing efforts to breach into the computers of a defence firm that manufactures submarines for the Russian Navy. The use of six distinct implants, according to Kaspersky, is most likely an attempt by threat actors to develop redundant channels for managing infected hosts in the event that one of them should get recognised and removed from the networks.

The attacks culminate with the attacker hijacking the domain controller and taking total control of all of the organization's workstations and servers, using the privileged access to exfiltrate files of interest in the form of compressed ZIP packages to a remote server in China.

Other backdoors used in the assaults include nccTrojan, Cotx, DNSep, Logtu, and CotSam, a previously unreported malware named because of its resemblance to Cotx. Each offers significant capabilities for taking control of the systems and stealing sensitive data.

Ladon, a hacking framework that enables the adversary to scan for devices in the network as well as exploit security vulnerabilities in them to execute malicious code, is also included in the assaults.

"Spear-phishing remains one of the most relevant threats to industrial enterprises and public institutions," Kaspersky said. "The attackers used primarily known backdoor malware, as well as standard techniques for lateral movement and antivirus solution evasion."

"At the same time, they were able to penetrate dozens of enterprises and even take control of the entire IT infrastructure, and IT security solutions of some of the organizations attacked."

Microsoft Exchange Online And Outlook Email Service Hit By Outage

 

Microsoft is investigating an ongoing outage affecting Microsoft 365 services after users experienced problems signing into, accessing, and receiving emails via the outlook.com gateway and Exchange Online. 

"We're investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services," Microsoft stated in a tweet via the company's official Twitter account for updates on Microsoft 365 services. 

Admins were also warned that further information about these ongoing issues may be found in the admin centre under EX401976 and OL401977. 

"We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why," the company added. 

While Redmond did not indicate the scope of the problem, hundreds of reports on DownDetector have been reported in the last 24 hours by Outlook and Exchange Online customers who have been unable or experiencing difficulty while attempting to log in or email. In an update to the Outlook.com online site, Microsoft also noted that Microsoft 365 subscribers may be unable to access the web portal or any of its features. 

Microsoft explained, "Users may be unable to access or use outlook.com services or features. We're reviewing diagnostic information and support case data to understand the cause and establish a fix. We're investigating a potential issue and checking for impact to your organization. We'll provide an update within 30 minutes." 

Another Microsoft 365 outage occurred in June, affecting consumers worldwide who attempted to access Microsoft Teams and Exchange Online. Redmond rerouted traffic to another, healthy traffic management infrastructure and performed targeted infrastructure restarts to restore service access and functioning. On July 1, Microsoft stated it fixed the issue that caused this outage. 

"We identified a section of our network infrastructure that was performing below acceptable thresholds. We've rerouted connections to alternate infrastructure and that confirmed the issue is resolved," Redmond tweeted.

Due to Security Reasons, Chrome will Limit Access to Private Networks

 

Google has announced that its Chrome browser will soon ban websites from querying and interacting with devices and servers inside local private networks, due to security concerns and past abuse from malware. 

The transition will occur as a result of the deployment of a new W3C specification known as Private Network Access (PNA), which will be released in the first half of the year. The new PNA specification introduces a feature to the Chrome browser that allows websites to request permission from computers on local networks before creating a connection.

“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true,” as perEiji Kitamura and Titouan Rigoudy, Google. 

Internet websites will be prohibited from connecting if local hardware such as servers or routers fails to respond. One of the most important security features incorporated into Chrome in recent years is the new PNA specification. 

Cybercriminals have known since the early 2010s that they can utilize browsers as a "proxy" to relay connections to a company's internal network. For example, malicious code on a website could attempt to reach an IP address such as 192.168.0.1, which is the standard address for most router administrative panels and is only reachable from a local network. 

When users visit a fraudulent site like this, their browser can issue an automatic request to their network without their permission, transmitting malicious code that can evade router authentication and change router settings. 

These types of attacks aren't simply theoretical; they've happened previously, as evidenced by the examples provided here and here. Other local systems, such as internal servers, domain controllers, firewalls, or even locally-hosted apps (through the http://localhost domain or other locally-defined domains), could be targeted by variations of these internet-to-local network attacks. Google aims to prevent such automated attacks by incorporating the PNA specification into Chrome and its permission negotiation system. 

According to Google, PNA was included in Chrome 96, which was published in November 2021, but complete support will be available in two parts this year, with Chrome 98 (early March) and Chrome 101 (late May).

Determined APT is Abusing ManageEngine ServiceDesk Plus Flaw

 

An APT gang is abusing a severe vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077) to infiltrate enterprises in a range of industries, including defence and technology. 

The Cybersecurity and Infrastructure Security Agency (CISA) alerted, “Successful exploitation of the vulnerability allows an attacker to upload executable files and place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” 

CVE-2021-44077 is an authentication bypass flaw in ManageEngine ServiceDesk Plus (on-premises) installations using versions 11305 and earlier. An incorrect security configuration process in ServiceDesk Plus is the root of the vulnerability, which allows an attacker to obtain unauthorised access to the application's information via a few of its application URLs. 

The company explained, “To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.” 

On September 16, 2021, ManageEngine (a Zoho subsidiary) released version 11306 to address the issue. CVE-2021-44077 has been the target of attacks for quite some time. Unit 42 at Palo Alto Networks has linked the activity to a "persistent and determined APT actor" who first exploited a zero-day vulnerability in ADSelfService in August and September, then moved to leverage another vulnerability (CVE-2021-44077) impacting the same software in September and October, and is now (since late October) exploiting CVE-2021-44077 in the ServiceDesk Plus software. 

The researchers believe that the APT actor generated the exploit code for their assaults because there is no publicly available proof of concept exploit code for CVE-2021-44077. 

“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla web shell which provides the actor with further access to and persistence in compromised systems,” they shared.

“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defence industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.” 

Unit 42's search for internet-facing ManageEngine ServiceDesk Plus installations found over 4,700 installations, with 2,900 of them vulnerable to exploitation. In the United States, there are about 600 of them. 

The researchers have released technical details and proofs of concept for the most recent attacks targeting CVE-2021-44077, as well as suggestions for companies on how to protect themselves. Similar information, as well as network indicators, TTPs, Yara rules, and mitigation advice, is available in the CISA advisory, and Zoho has offered additional details and a downloadable exploit detection tool that businesses can use to run a quick scan and explore any compromises in their installation. 

Finally, the Palo Alto researchers have issued an additional cautionary statement: “In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”