
Apple's Alarming Data Breach: 2.5 Billion Records at Risk

 


Earlier this week, a report commissioned by Apple highlighted, yet again, why end-to-end encryption must be used when protecting sensitive data against theft and misuse, and why analysts have long recommended it. 

The report is an independent review of publicly reported breaches, conducted for the tech giant by a professor at the Massachusetts Institute of Technology. It found that ransomware campaigns and attacks on trusted technology vendors over the past two years have driven a dramatic increase both in the number of data breaches and in the number of records compromised by them. 

The number of records exposed for the first time in 2021 and 2022 reached a staggering 2.6 billion, with 1.5 billion of those records exposed last year alone. Given the trends so far this year, this number is highly likely to be even higher in 2023.

There have already been 20% more data breaches in the first nine months of 2023 alone than in all of 2022 combined, and the 2017 number is only 20% lower than the 17% increase in 2022. By the end of August 2023, an estimated 360 million sensitive records belonging to around 360 companies and institutions had been exposed as a result of corporate and institutional breaches. 

The Apple report also cites IBM's Cost of a Data Breach Study and a Forrester study, which found that 95% of organizations that experienced a recent breach had experienced at least one other breach in the past. 

Within the last 12 months, 75 per cent of the respondents had experienced at least one incident involving data compromise. In addition to the study's findings, 98% of companies currently have a relationship with a technology vendor that has suffered at least one recent data breach as part of their contract with them. 

Fortra, 3CX, Progress Software, and Microsoft are just a few of the organizations and individuals that were affected by breaches involving vendors and vendor technologies. These breaches have impacted a wide range of organizations and individuals. When considering encryption plans, organizations should also be aware of the rapid growth and adoption of cloud computing.

Data analyzed in Apple's study showed that over 80% of breaches involved cloud-stored data, and encrypting data in the cloud can be more challenging than encrypting it in a physical location. Ken Dunham, director of Cyber Threats at Qualys, says that organizations with good security practices usually have a good level of visibility over their legacy networks. 

"Nevertheless, if they migrate to the cloud, they often lose the ability to control, see, manage, and operate in a way similar to what they had in place in the past when it comes to encryption." He adds that maintaining a hybrid network that combines legacy and modern technologies is a new layer of complexity for organizations when they embark on digital transformation initiatives. 

Considering the cloud as a primary provider of data encryption can be a mistake for organizations, says Ben-Ari: "While cloud providers offer valuable security measures, it is the organizations' responsibility to ensure that they encrypt their data." In addition, he recommended that organizations prioritize technologies that are user-friendly and easy to implement so that any disruption to existing operations will be minimized when they are implemented in phases.

The last recommendation he makes is that organizations make use of the shared responsibility model that many cloud providers and leading SaaS vendors offer, which provides organizations with the capability to bring a wide range of advanced encryption features to their users at a single click right from their browsers.

Rare Technique Deployed by Android Malware to Illicitly Harvest Banking Data

 

Trend Micro, a cybersecurity research firm, has recently unveiled a novel mobile Trojan that employs an innovative communication technique. This method, known as protobuf data serialization, enhances its ability to pilfer sensitive data from compromised devices.

Initially detected by Trend Micro in June 2023, this malware, named MMRat, primarily targets users in Southeast Asia. Surprisingly, when MMRat was first identified, popular antivirus scanning services like VirusTotal failed to flag it as malicious.

MMRat boasts a wide array of malicious functionalities. These include collecting network, screen, and battery data, pilfering contact lists, employing keylogging techniques, capturing real-time screen content, recording and live-streaming camera data, and even dumping screen data in text formats. Notably, MMRat possesses the ability to uninstall itself if required.

The capacity to capture real-time screen content necessitates efficient data transmission, and this is where the protobuf protocol shines. It serves as a customized protocol for data exfiltration, using distinct ports and protocols to exchange data with the Command and Control (C2) server.

Trend Micro's report highlights the uniqueness of the C&C protocol, which is customized based on Netty, a network application framework, and the aforementioned Protobuf. It incorporates well-designed message structures, utilizing an overarching structure to represent all message types and the "oneof" keyword to denote different data types.

Researchers have uncovered instances of this malware concealed within counterfeit mobile app stores, masquerading as government or dating applications. While they commend the overall sophistication of these efforts, it's essential to note that these apps still request permissions for Android's Accessibility Service, a common red flag that clearly signals their malicious nature.

Secure Your Wi-Fi: Spot Hacking Signs and Preventive Tips

 

The discussion around being cautious regarding security while utilizing public Wi-Fi networks is well-known due to the susceptibility of these networks to compromise by criminals. Yet, it's essential to recognize that private Wi-Fi networks are also vulnerable to hacking.

Cybercriminals possess the ability to breach private Wi-Fi networks and gain access to personal data. Gaining insight into their techniques is crucial for enhancing network security.

Methods Employed by Cybercriminals to Compromise Wi-Fi Networks

The inherent wireless nature of Wi-Fi networks allows numerous devices to connect concurrently. However, vulnerabilities exist that attackers exploit to illicitly access browsing sessions. Several tactics are employed to achieve this...

1. Obtaining Router's Default Password
Relying on the default password of your Wi-Fi router poses risks, as intruders can deduce it from the device's settings. It is advisable to change the password immediately upon setting up your connection. Once this step is taken, the default passcode becomes invalid.

2. Utilizing Brute-Force Attacks
Merely altering the default password doesn't guarantee immunity against hacking. Malevolent actors can utilize brute-force techniques, attempting multiple combinations of usernames and passwords until a match is found. This process is automated to expedite testing numerous login credentials.

3. Executing DNS Hijacking
Hackers might execute a DNS hijack, redirecting traffic from your device to their malicious websites. This manipulation involves altering the queries generated by your Wi-Fi's DNS. Consequently, you unknowingly connect to their sites, enabling them to extract your data.

Detecting Signs of Wi-Fi Breach

Cybercriminals endeavor to execute non-intrusive infiltration of your Wi-Fi network. However, by remaining vigilant, you can discern potential indications of compromise:

1. Unfamiliar IP Addresses Connected
Each internet-connected device possesses a distinctive IP address. Your Wi-Fi maintains a roster of connected IP addresses. Although these devices might not be readily visible, they are stored in a designated area. Reviewing the IP address section in your device settings can reveal unfamiliar devices.

2. Browser Redirection
Hacked Wi-Fi networks often prompt web browsers to perform unintended functions. For instance, inputting a specific URL may result in redirection to unfamiliar websites. Such alterations indicate a DNS setting change, redirecting browsers to malicious sites for data extraction.

3. Modified Wi-Fi Password
Observing sudden password inaccuracies indicates potential intrusion. If you haven't modified the password, a hacker likely has. Changing the password is among the first steps taken by scammers post-breach, denying your immediate access and facilitating their control.

4. Sluggish Internet Connection
While occasional internet slowdowns are common, persistent sluggishness can denote unauthorized network access. Intruders could engage in bandwidth-intensive activities, causing noticeable network degradation.
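Two of the breach signs listed above, an unfamiliar device on the network and a changed DNS setting, can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original post: it parses a constructed dnsmasq-style DHCP lease table, flags any MAC address that is not in a known-device list, and compares the resolvers a router reports against the ones you expect. The device list, lease lines and DNS addresses are all constructed sample values.

```python
"""Check a LAN for unknown devices and for a changed DNS setting.
All input below is constructed sample data, not real router output."""
from dataclasses import dataclass

# Known devices keyed by MAC address (constructed; in practice copied
# from the router's client page or a home inventory).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "laptop",
    "aa:bb:cc:00:00:02": "phone",
    "aa:bb:cc:00:00:03": "printer",
}

# Resolvers the router is expected to hand out (constructed values).
EXPECTED_DNS = {"192.168.1.1", "9.9.9.9"}

# Constructed lease table in dnsmasq format:
# <expiry epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 192.168.1.11 phone 01:aa:bb:cc:00:00:02
1700000000 de:ad:be:ef:00:99 192.168.1.42 * *
1700000000 aa:bb:cc:00:00:03 192.168.1.12 printer 01:aa:bb:cc:00:00:03
"""


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; malformed or blank lines are skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _expiry, mac, ip, hostname = fields[:4]
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def unknown_devices(leases: list[Lease], known=KNOWN_DEVICES) -> list[Lease]:
    """Leases whose MAC address is not in the known-device list."""
    return [lease for lease in leases if lease.mac not in known]


def dns_changed(configured_dns, expected=EXPECTED_DNS) -> list[str]:
    """Resolvers the router reports that are not expected (empty list = fine)."""
    return sorted(set(configured_dns) - set(expected))


if __name__ == "__main__":
    for lease in unknown_devices(parse_leases(SAMPLE_LEASES)):
        print(f"unknown device: {lease.mac} at {lease.ip} ({lease.hostname})")
    # A router page showing 203.0.113.7 as resolver would be a DNS change.
    print("unexpected resolvers:", dns_changed(["192.168.1.1", "203.0.113.7"]))
```

Running the script reports the `de:ad:be:ef:00:99` device, whose hostname field is empty (`*`), and the unexpected `203.0.113.7` resolver. A MAC address can be spoofed, so a clean result is not proof of a clean network; a hit, however, is worth investigating.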

Preventive Measures Against Wi-Fi Hacking

Despite Wi-Fi's associated security risks, several proactive steps can thwart potential attacks:

1. Enable Encryption Mode
Utilizing encryption safeguards against eavesdropping attacks that intercept communications. Encryption obfuscates data, rendering it indecipherable to external parties even if acquired. Contemporary Wi-Fi routers typically include default encryption options like WPA and WPA2, enhancing security.

2. Regular Password Changes
The security of your Wi-Fi network hinges on your password's strength. While robust passwords are advised, their invulnerability is uncertain. To preempt this, periodically alter your router's password. This continual modification deters intruders. Employing a password manager can alleviate the inconvenience while boosting security.

3. VPN Usage in Public Spaces
Public Wi-Fi networks are susceptible to intrusions. Utilizing a virtual private network (VPN) conceals your IP address, rendering you inconspicuous while browsing. This measure safeguards against criminal attempts to compromise your connectivity.

4. Deactivate Remote Administration
Remote access to Wi-Fi networks, though convenient, is exploited by attackers. Disabling remote administration, unless necessary, closes an exploitable gap.

5. Turn Off Wi-Fi When Inactive
Inactive Wi-Fi is impervious to hacking. Switching off your router during periods of inactivity eliminates immediate threats and prevents unauthorized usage by neighbors.

6. Fortify Wi-Fi Security Settings
Private Wi-Fi networks offer substantial user and security controls. Activation of multiple security features is advisable. Layers of security present formidable challenges for criminals attempting unauthorized entry.

In conclusion, while discussions often center on the vulnerability of public Wi-Fi networks, it's vital to recognize that private networks are not immune to hacking. Understanding the tactics employed by cybercriminals, recognizing breach indicators, and implementing comprehensive security measures are pivotal in safeguarding your Wi-Fi network and personal data.

Northern European Criminals Copy the Lockbit Gang

 


The threat group, known as LockBit, is one of the most notorious ransomware groups operating currently. As a result, they have become very active on dark web forums. In addition, they are exploiting the negative publicity created by other ransomware groups to recruit more hardened cybercriminals for their agenda. 

The rate at which ransomware attacks have targeted companies in northern Europe has increased significantly. These attacks appear to be conducted using a tool known as the LockBit locker, believed to be one of the tools used by a criminal affiliation program dubbed Gangrel. 

There is a wide range of industries that have been targeted by the LockBit group. It has caused significant disruptions and financial losses for a wide range of companies, from small to multinational. 

One of the most concerning characteristics of these new attacks is how they are undertaken. The LockBit Locker group uses a variety of advanced techniques, including phishing and social engineering, to gain initial access to a company's network. Having gained access, the attackers use a wide variety of tools and techniques to reach various parts of the network and steal sensitive information, including sensitive system information. 

Computerland has reported an increase in attacks on small and medium-sized businesses in Belgium. The company explained that it was itself targeted by a group of cybercriminals using a variant of the LockBit locker malware. Following a thorough investigation, it was discovered that these attackers were unlikely to be connected with the LockBit group but rather were "wannabes" who had gained access to leaked versions of the malware. Despite not being the real LockBit Locker group, these micro-criminals were still able to inflict significant damage by encrypting a large number of internal files. 

There was, however, no impact on the company's computer system as a result of the intrusion, as backups had been made, and none of the client workstations were lost. 

The incident is one of many highlighting the dangers of outdated software and systems. This is true especially for less sophisticated actors, even in the criminal underground, where extortion practices seem to be gaining popularity. 

According to the report, in this case, the attackers were able to utilize the company's FortiGate firewall to gain access to the company's sensitive data. They did this by taking advantage of unpatched vulnerabilities. According to the Known Exploited Vulnerabilities Catalog maintained by the Center for Internet Security Awareness, unpatched FortiGate firewalls are prone to several vulnerabilities currently being exploited by cybercriminals. However, in these recent cases, the flaws exploited were the infamous "Fortifuck" flaws that date back as far as 2018. 

Unattended exposure through a branch internet gateway allowed these flaws to be discovered and exploited. Such gateway sites are usually less well-protected than the central network, which gives attackers an advantage in gaining access to the network. 

The recent ransomware attacks against small and medium-sized businesses in northern Europe are highly concerning for several reasons. Even though the criminal operators' lack of experience reduced their effectiveness, the targeted industries still experienced extended outages and data exfiltration. 

Briefing on Threat Actors   

There is a well-known ransomware affiliation program known as LockBit, which started in September of 2019 and involves the developers of the malicious software hiring unethical penetration testing teams to spread the ransomware as a third party. There are a few gangs that have established double-extortion practices. The Stealbit malware was part of the toolkits used by this gang to support such attacks.

It is well known that during LockBit's infamous career, a large number of small and medium businesses and large corporations such as Accenture and Royal Mail were targeted. Once the environment is infected, the victim is redirected to a gang payment site managed by the ransomware developers. The attackers threaten to leak the victim's data to pressure the victim into paying more money.

What's 6G & its Way Forward?

 

Mobile connectivity has come a long way since 1979 when NTT initiated the first generation of cellular networks in Tokyo. 2G and 3G quickly followed 1G. These were voice and text communication networks. The more recent 4G and 5G networks enabled advanced content and massive data consumption. 

By 2023, after more than four decades, mobile operators, telcos, and providers will be back at the design table, shaping the next generation of mobile networks: 6G. The term 6G refers to the sixth generation of mobile networks. Why do networks change? Technology advancements and the amount of data that must be transferred from data centers to devices have increased exponentially. Furthermore, networks improve in more ways than one. They reduce latency or delay as well as energy consumption during data transmissions while improving reliability, security, and performance.

5G networks will be widely available worldwide by 2023. The virtualization of network hardware, which is now operating in the cloud with Open RAN standards, is making deployment easier. However, 5G is expected to become obsolete soon as the digital and physical worlds integrate with virtual and augmented reality. Furthermore, the Internet of Things and Industrial IoT are gaining traction to support the fourth industrial revolution.

These new technologies, as well as the volume of data that must be instantly communicated between devices, necessitate a faster, more reliable, and more robust generation of mobile networks — enter 6G.

6G is still in its early stages of development and, like all mobile networks, will rely on radio transmissions. 6G is also anticipated to improve connectivity in rural and remote areas, thereby affecting populations affected by the digital divide. Because of its high capacity and low cost, the technology has the potential to connect the space and satellite sectors.

To outperform 5G in terms of capacity, latency, and connectivity, 6G will need to use new high-frequency bands, such as sub-terahertz bands above 100 GHz. These radio waves are more sensitive to obstacles, posing technological challenges that must still be addressed.

Antennas, nodes, edge centers, gateways, and Open RAN virtual machines running in the cloud are used to connect devices in engineering network areas. Because radio waves require a direct line of sight for transmission, several factors must be considered, including urban blockage, refraction, diffraction, scattering, absorption, and reflection of radio waves.

To overcome these challenges, the industry intends to build multipath environments in which sensible high-frequency waves can travel without losing strength, consuming too much power, or experiencing latency. AI computing applications will be critical in calculating the shortest and most optimal paths for 6G radio waves.

The Advantages of 6G

1. 6G provides improved connectivity: The most obvious and direct benefit of 6G is that it will boost connectivity by providing instantaneous communications for any device, including smartphones, computers, wearables, robotics, and IoT. 6G will connect industrial IoT devices and drive the fourth industrial revolution with a core structure of automation and intelligence in the industrial sector, which is undergoing digital acceleration by deploying smart factories, production, and distribution systems.

Improved connectivity will benefit every industry. Healthcare, remote and robotic surgery, and telehealth, for example, are expected to be transformed by 6G. Similarly, sectors such as finance, retail, manufacturing, and others that are undergoing significant digitalization and modernization will utilize 6G to continue disruptive transformations.

2. 6G will propel technological advancement: 6G mobile networks are a game changer in terms of innovation. Supercomputers, quantum computing, machine learning, AI, global cloud data centers, the metaverse, and new devices will be able to operate only with 6G connectivity.

3. 6G is low energy and efficient: Low energy consumption and energy efficiency are critical advantages of 6G. Organizations and businesses are aiming for net-zero emission targets and reducing energy consumption for economic and environmental reasons. The 6G energy economy has become appealing to all industries. Low-energy connections are also required to extend the battery life of IoT and mobile devices.

4. 6G has low latency: With its extremely low latency, 6G will benefit society. Latency is the amount of time it takes for a digital system to transfer data. The greater the amount of data, the greater the effort required of the network, and thus the greater the risk that latency rises. However, thanks to 6G innovation, connectivity should be immediate.

Disadvantages of 6G 

1. 6G is still in the early stages of development: 6G technology is currently in the development phase, which is its most significant disadvantage. While Nokia, NTT, and other companies have plans to test small 6G networks, these are only pilot projects. 6G is expected to be available globally by 2030. 

2. The initial investment costs for 6G are high: Another obstacle is demonstrating the value of 6G as a low-cost connectivity technology. In the long run, 6G may lower end-user costs compared to 5G, but the initial investment required globally to get there is massive. Other technical challenges include optimizing terahertz-sensitive frequency paths, stabilizing visible light communication technology, and optimizing the AI, ML, and advanced computing resources required to run these futuristic networks.

3. 6G necessitates a rethinking of traditional cybersecurity: The security of 6G networks is a top priority. With network redesign, cybersecurity and privacy features must be reimagined, strengthened, and adapted. Traditional cybersecurity methods will become obsolete, and developers will need to innovate in areas such as authentication, encryption, access control, communication, and malicious activity.

6G is on the rise

The 6G race is well underway, with leading global operators already entering testing phases. Without a doubt, 6G is a foregone conclusion. 6G, on the other hand, is not a one-man show. A diverse range of companies, organizations and developers must collaborate to create the next generation of connectivity.

GitHub: Why it's a Hotspot of Attackers & How to Stay Secure?

 

Okta disclosed a security breach last week in which its GitHub-hosted source code was compromised by an attacker. That is merely the most recent instance in a long line of attacks that have succeeded in accessing corporate source code on GitHub. GitHub accounts for Dropbox, Gentoo Linux, and Microsoft have all previously been targeted. 

GitHub is the most well-liked source code management service for both private enterprise code repositories and open source code repositories, with 90 million active users. It is a significant component of the world's basic infrastructure and the custodian of some of the most sensitive resources and data. It makes sense why source code is becoming a more popular target for attackers. In other circumstances, like Okta, they might be attempting to obtain the source code.

If a hacker has access to private source code, they can review it for security holes and then take advantage of those flaws in subsequent attacks. Attackers can also collect hard-coded keys, passwords, and other credentials that may be stored in GitHub to access databases and cloud services hosted by Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Intellectual property, legitimate login credentials, and a nice list of production software vulnerabilities that are ready to be exploited can all be found in a single stolen repository.

Using this method, the hacking organization Shiny Hunters, which is known to target private GitHub repositories in particular, has compromised a number of businesses and sold their data on several Dark Web marketplaces.

GitHub is without a doubt an essential component of the organization's infrastructure, but securing it is a difficult identity security issue. Unrestricted cooperation is one of the GitHub model's greatest strengths, but it also presents one of the largest challenges to contemporary IT security.

Just consider it: By 2022, everyone who is even vaguely technical has a GitHub account. Additionally, you can do everything with your GitHub account. These accounts allow us to work on side projects for ourselves, contribute to open source projects, and contribute to both public and private code repositories that are ultimately owned by our employers. That is a lot of laborious work for just one identity!

The "Sign in with GitHub" function also allows you to utilize your GitHub identity on websites and services other than GitHub itself. There's more, too: Being able to download, push, and clone code from GitHub's servers to your local machine using git operations over HTTPS and SSH, which require your GitHub identity, makes GitHub distinctive. Other services only require you to sign in to their websites.

When GitHub announced the deprecation of usernames and passwords for git operations last year, it was clear that they were aware of the security concerns. This was a positive step.

Tips for Securing Your GitHub

While GitHub offers tools to secure the environment, businesses must understand how to employ them. Unfortunately, GitHub Enterprise is necessary for some of the most crucial security features. Nonetheless, it's crucial to take measures like:
  • Don't allow personal accounts for work
  • Don't allow outside collaborators
  • Require authentication via company SSO
  • Require 2FA on all accounts
  • Audit, analyze, and audit again
Although not the first instance, the hack of Okta's GitHub repository is a potent illustration of how difficult it is to safeguard identities within businesses. We witness account takeover incidents involving workers and contractors on a daily basis. Weak authentication, lenient rules for personal email accounts, and the identity attack surface's constant expansion all have an impact.

Here’s List of the World’s Riskiest Connected Devices

 

IoT devices ranging from video conferencing systems to IP cameras are among the five riskiest IoT devices connected to networks, according to research highlighted by Forescout's cybersecurity research arm, Vedere Labs. 

In their recent research, the company identified recurring themes, showcasing the increasing attack surface as more devices are connected to enterprise networks, as well as how threat actors are able to leverage these devices to achieve their goals. 

“IP cameras, VoIP and video-conferencing systems are the riskiest IoT devices because they are commonly exposed on the internet, and there is a long history of threat actor activity targeting them,” The Forescout report said.

With the addition of IoMT in healthcare, the attack surface now includes IT, IoT, and OT in almost every organisation. Organizations must be aware of dangerous devices in all categories. Forescout recommends that companies implement automated controls and that they do not rely on siloed security in the IT network, OT network, or for specific types of IoT devices.

This latest study updates the company's findings from 2020, in which networking equipment, VoIP, IP cameras, and programmable logic controllers (PLCs) were listed as the riskiest devices; the 2022 edition covers devices across IT, IoT, OT, and IoMT.

New entrants, such as hypervisors and human-machine interfaces (HMIs), however, are indicative of trends such as critical vulnerabilities and increased OT connectivity.

Vedere Labs examined device data in Forescout's Device Cloud between January 1 and April 30. The anonymized data comes from Forescout customer deployments and contains information on nearly 19 million devices, which the company claims are growing on a daily basis.

A device's overall risk was calculated based on three factors: configuration, function, and behaviour. Vedere Labs measured the risk of each individual device and then calculated averages per device type to determine which types are the riskiest.

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia

 

Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this activity is a distinct cluster earlier associated with the "ShadowPad" RAT (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an April 2022 attack as an example of how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application, which then loads a .dat file.

The legitimate application abused by the hackers, in this case, was an 11-year-old Bitdefender Crash Handler executable. The initial .dat payload contains encrypted shellcode that can be used to directly execute commands or additional payloads from memory.

Three days after gaining backdoor access, the threat actors installed ProcDump to steal user credentials from the Local Security Authority Subsystem Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler and the DLL search order hijacking trick. A month after the intrusion, the threat actors gained access to the Active Directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (ProxyLogon) exploitation against Exchange servers in the compromised network.
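Several steps of the chain described above (a DLL side-loaded by an executable dropped in a user-writable folder, ProcDump pointed at LSASS, PsExec service execution) leave recognisable traces in endpoint process and image-load telemetry. The following Python script is an added example, not part of Symantec's report: it runs a few simple detection rules over constructed Sysmon-style events (EventID 1 for process creation, EventID 7 for image load). The executable and DLL names in the sample events are constructed placeholders, not the files from the actual intrusion.

```python
"""Detection rules for the intrusion steps described above, evaluated over
constructed Sysmon-style events. Events and file names are sample values."""
import re

# Directories an unprivileged user can normally write to on Windows.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def rule_lsass_dump(ev: dict) -> bool:
    """Process creation whose command line references LSASS (ProcDump -ma lsass.exe)."""
    return ev.get("EventID") == 1 and "lsass" in ev.get("CommandLine", "").lower()


def rule_dll_sideload(ev: dict) -> bool:
    """Image load: an executable running from a user-writable directory loads a
    DLL that also sits in a user-writable directory, the usual side-loading layout."""
    loaded = ev.get("ImageLoaded", "")
    return (
        ev.get("EventID") == 7
        and is_user_writable(ev.get("Image", ""))
        and is_user_writable(loaded)
        and loaded.lower().endswith(".dll")
    )


def rule_psexec_service(ev: dict) -> bool:
    """PsExec installs and starts PSEXESVC.exe on the remote host."""
    return ev.get("EventID") == 1 and ev.get("Image", "").lower().endswith("\\psexesvc.exe")


def rule_mimikatz(ev: dict) -> bool:
    """Mimikatz by name or by its sekurlsa module on the command line."""
    cmd = ev.get("CommandLine", "").lower()
    return ev.get("EventID") == 1 and any(k in cmd for k in ("mimikatz", "sekurlsa"))


RULES = {
    "lsass_dump": rule_lsass_dump,
    "dll_sideload": rule_dll_sideload,
    "psexec_service": rule_psexec_service,
    "mimikatz": rule_mimikatz,
}

# Constructed sample events (Sysmon field names, placeholder file names).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"EventID": 7, "Image": "C:\\ProgramData\\vendor_app\\crashhandler.exe",
     "ImageLoaded": "C:\\ProgramData\\vendor_app\\helper.dll"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe C:\\Users\\Public\\out.dmp"},
    {"EventID": 1, "Image": "C:\\Windows\\PSEXESVC.exe",
     "CommandLine": "C:\\Windows\\PSEXESVC.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]


def evaluate(events: list) -> list:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for index, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((index, name))
    return hits


if __name__ == "__main__":
    for index, name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {name} -> {SAMPLE_EVENTS[index].get('Image')}")
```

On the sample events the side-load, LSASS dump and PsExec service rules fire; the benign Notepad launch and the normal load of kernel32.dll from System32 do not. The user-writable-path rule is deliberately narrow: a legitimate signed executable loading a DLL from Program Files is not flagged, so the rule keys on where the pair lives rather than on the executable's name, which the attacker can freely rename.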

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

 

Since January 2022, over a dozen military-industrial complex firms and governmental organisations in Afghanistan and Europe have been targeted in order to acquire private data via six distinct backdoors. The assaults were attributed "with a high degree of confidence" to a China-linked threat actor identified by Proofpoint as TA428, noting commonalities in tactics, techniques, and processes (TTPs). 

TA428, also known as Bronze Dudley, Temp.Hex, and Vicious Panda, has previously struck entities in Ukraine, Russia, Belarus, and Mongolia. It is thought to be linked to another hacker organisation known as Mustang Panda (aka Bronze President). The current cyber espionage effort targeted industrial units, design bureaus and research institutions, as well as government entities, ministries, and departments in several East European countries and Afghanistan. 

Penetration of company IT networks is accomplished through the use of carefully prepared phishing emails, including those that mention non-public information about the companies, to fool recipients into opening rogue Microsoft Word documents. These decoy files include exploits for a 2017 memory corruption vulnerability in the Equation Editor component (CVE-2017-11882), which might allow arbitrary code to be executed in affected computers, eventually leading to the deployment of a backdoor known as PortDoor. 

In April 2021, Chinese state-sponsored hackers used PortDoor in spear-phishing attacks to break into the systems of a defence firm that manufactures submarines for the Russian Navy. According to Kaspersky, the use of six distinct implants is most likely an attempt by the threat actors to build redundant channels for controlling infected hosts in case one of them is detected and removed from the network.

The attacks culminate in the attacker hijacking the domain controller and taking total control of all of the organisation's workstations and servers, then using that privileged access to exfiltrate files of interest as compressed ZIP archives to a remote server in China.

Other backdoors used in the attacks include nccTrojan, Cotx, DNSep, Logtu, and CotSam, a previously undocumented malware so named for its resemblance to Cotx. Each provides extensive capabilities for controlling the compromised systems and stealing sensitive data.

Ladon, a hacking framework that lets the adversary scan for devices on the network and exploit vulnerabilities in them to execute malicious code, was also used in the attacks.

"Spear-phishing remains one of the most relevant threats to industrial enterprises and public institutions," Kaspersky said. "The attackers used primarily known backdoor malware, as well as standard techniques for lateral movement and antivirus solution evasion."

"At the same time, they were able to penetrate dozens of enterprises and even take control of the entire IT infrastructure, and IT security solutions of some of the organizations attacked."

Microsoft Exchange Online And Outlook Email Service Hit By Outage


Microsoft is investigating an ongoing outage affecting Microsoft 365 services after users experienced problems signing into, accessing, and receiving emails via the outlook.com gateway and Exchange Online. 

"We're investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services," Microsoft stated in a tweet via the company's official Twitter account for updates on Microsoft 365 services. 

Admins were also warned that further information about these ongoing issues may be found in the admin centre under EX401976 and OL401977. 

"We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why," the company added. 

While Redmond did not indicate the scope of the problem, Outlook and Exchange Online customers have filed hundreds of reports on DownDetector in the last 24 hours saying they were unable to log in or send and receive email, or had difficulty doing so. In an update to the Outlook.com status page, Microsoft also noted that Microsoft 365 subscribers may be unable to access the web portal or any of its features. 

Microsoft explained, "Users may be unable to access or use outlook.com services or features. We're reviewing diagnostic information and support case data to understand the cause and establish a fix. We're investigating a potential issue and checking for impact to your organization. We'll provide an update within 30 minutes." 

Another Microsoft 365 outage occurred in June, affecting users worldwide who tried to access Microsoft Teams and Exchange Online. Redmond rerouted traffic to alternate, healthy traffic management infrastructure and performed targeted infrastructure restarts to restore service. On July 1, Microsoft said it had fixed the issue behind that outage. 

"We identified a section of our network infrastructure that was performing below acceptable thresholds. We've rerouted connections to alternate infrastructure and that confirmed the issue is resolved," Redmond tweeted.

Due to Security Reasons, Chrome will Limit Access to Private Networks


Google has announced that its Chrome browser will soon ban websites from querying and interacting with devices and servers inside local private networks, due to security concerns and past abuse from malware. 

The change comes with Chrome's implementation of a new W3C specification, Private Network Access (PNA), which is to be rolled out in the first half of 2022. Under PNA, a website must first obtain explicit permission from the device on the local network before the browser will let it connect.

“Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true,” wrote Eiji Kitamura and Titouan Rigoudy of Google. 

If the local device, whether a server or a router, does not answer the preflight with that header, the browser refuses to let the public website connect. The PNA specification is one of the most significant security features added to Chrome in recent years. 

Attackers have known since the early 2010s that they can use a victim's browser as a "proxy" to relay connections into an internal network. For example, malicious JavaScript on a website could try to reach an IP address such as 192.168.0.1, a common default address for router administration panels that is reachable only from the local network. 

When a user visits such a site, the browser issues the request to the local network automatically and without the user's consent, and the request can carry input that bypasses the router's authentication and changes its settings. 

Such attacks are not merely theoretical; they have been observed in the wild. Variants of these internet-to-local-network attacks can target other internal systems as well: internal servers, domain controllers, firewalls, or applications hosted locally (via http://localhost or other locally defined hostnames). Google aims to block such automated attacks by building the PNA specification and its permission negotiation into Chrome. 

According to Google, PNA support began shipping in Chrome 96, released in November 2021, but enforcement arrives in two stages in 2022, with Chrome 98 (early March) and Chrome 101 (late May).
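The exchange described above has two sides: Chrome sends the OPTIONS preflight with `Access-Control-Request-Private-Network: true`, and the device on the private network decides whether to answer with `Access-Control-Allow-Private-Network: true`. The code below is an added example, not Google's or the W3C's code, modelling both sides as pure functions so the decision can be exercised offline. It shows a permissive handler that reflects whatever `Origin` the browser reports (a hypothetical misconfiguration that hands back exactly the access PNA was meant to remove) next to an allowlisted handler that only opts in a fixed set of trusted origins. The origins `https://attacker.example` and `https://console.vendor.example` are made up for the example.

```python
"""Private Network Access (PNA) preflight handling for a device on the LAN.

Added example, not Google's or the W3C's code. Models the preflight a public
page triggers when it tries to reach a private address, and two ways a device
could answer it: reflect any Origin (weak) or check an allowlist (hardened).
"""
from http import HTTPStatus

REQ_PNA = "access-control-request-private-network"
ALLOW_PNA = "access-control-allow-private-network"

def _norm(headers):
    """Header names are case-insensitive; compare on lowercase keys."""
    return {k.lower(): v.strip() for k, v in headers.items()}

def permissive_preflight(request_headers):
    """Weak configuration: trusts whatever Origin the browser reports.
    Every public page gets the PNA grant, so the browser-side check is moot."""
    h = _norm(request_headers)
    resp = {
        "Access-Control-Allow-Origin": h.get("origin", "*"),
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": h.get("access-control-request-headers", ""),
    }
    if h.get(REQ_PNA) == "true":
        resp[ALLOW_PNA] = "true"
    return HTTPStatus.NO_CONTENT, resp

def allowlisted_preflight(request_headers, allowed_origins):
    """Hardened configuration: only a fixed set of origins (e.g. the vendor's
    cloud console) may opt the device in. Everyone else is refused outright,
    so Chrome never sees Access-Control-Allow-Private-Network and blocks them."""
    h = _norm(request_headers)
    origin = h.get("origin")
    if origin not in allowed_origins:
        return HTTPStatus.FORBIDDEN, {}
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # the answer depends on Origin, so caches must key on it
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": h.get("access-control-request-headers", ""),
    }
    if h.get(REQ_PNA) == "true":
        resp[ALLOW_PNA] = "true"
    return HTTPStatus.NO_CONTENT, resp

def chrome_permits_private_request(status, response_headers):
    """Browser-side rule the article quotes: the private-network subresource
    request proceeds only if the preflight succeeded, granted the origin, and
    carried Access-Control-Allow-Private-Network: true."""
    h = _norm(response_headers)
    return (200 <= status < 300
            and h.get(ALLOW_PNA) == "true"
            and "access-control-allow-origin" in h)

# Constructed preflight as Chrome would send it from a public page to a router
# at a private address. Both origins below are hypothetical.
SAMPLE_PREFLIGHT = {
    "Host": "192.168.0.1",
    "Origin": "https://attacker.example",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Private-Network": "true",
}
TRUSTED_ORIGINS = {"https://console.vendor.example"}

if __name__ == "__main__":
    for name, handler in (("permissive", permissive_preflight),
                          ("allowlisted", lambda r: allowlisted_preflight(r, TRUSTED_ORIGINS))):
        status, headers = handler(SAMPLE_PREFLIGHT)
        print(f"{name}: status={int(status)} "
              f"browser allows={chrome_permits_private_request(status, headers)}")
```

PNA is enforced by the browser, so it only narrows the CSRF-style path from public web pages to private devices; it does nothing against an attacker already on the LAN or against non-browser clients, and the device's own authentication on the actual request is still required.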

Determined APT is Abusing ManageEngine ServiceDesk Plus Flaw


An APT group is abusing a severe vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077) to infiltrate organisations in a range of industries, including defence and technology. 

The Cybersecurity and Infrastructure Security Agency (CISA) alerted, “Successful exploitation of the vulnerability allows an attacker to upload executable files and place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” 

CVE-2021-44077 is an authentication bypass flaw, leading to unauthenticated remote code execution, in on-premises ManageEngine ServiceDesk Plus installations running builds 11305 and earlier. It stems from an improper security configuration in ServiceDesk Plus that lets an attacker gain unauthorised access to the application's data through a handful of its application URLs. 

The company explained, “To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.” 

On September 16, 2021, ManageEngine (a Zoho subsidiary) released build 11306 to address the issue. CVE-2021-44077 has been under attack for some time. Unit 42 at Palo Alto Networks has linked the activity to a "persistent and determined APT actor" who first exploited a zero-day vulnerability in ADSelfService Plus in August and September, then moved on to another vulnerability in the same software in September and October, and since late October has been exploiting CVE-2021-44077 in ServiceDesk Plus. 

The researchers believe the APT actor developed its own exploit code, since no proof-of-concept exploit for CVE-2021-44077 is publicly available. 

“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla web shell which provides the actor with further access to and persistence in compromised systems,” they shared.

“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defence industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.” 

Unit 42's scan for internet-facing ManageEngine ServiceDesk Plus installations found more than 4,700, of which 2,900 are vulnerable to exploitation; around 600 are located in the United States. 

The researchers have published technical details and proofs of concept for the latest attacks on CVE-2021-44077, along with recommendations for defenders. The CISA advisory offers similar information plus network indicators, TTPs, YARA rules and mitigation guidance, and Zoho has published additional details and a downloadable exploit detection tool that organisations can run to check their installation for signs of compromise. 

Finally, the Palo Alto researchers have issued an additional cautionary statement: “In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”