Posts with label Proxy Server

Proxyjacking Threat: Exploited SSH Servers for Sale on the Dark Web

A new attack targeting Secure Shell (SSH) servers has surfaced: compromised SSH servers are being offered on the dark web as proxy pools. Because traffic relayed through such a server leaves with the victim's address on it, the trend threatens both the integrity of the affected infrastructure and the security of any sensitive data those hosts handle.

The Proxyjacking Menace

Proxyjacking, as the technique is now termed, involves cybercriminals compromising SSH servers and selling access to them on the dark web as part of proxy pools. Buyers route their traffic through the compromised hosts, so the destination sees the victim's IP address rather than the attacker's. That lets attackers slip past reputation-based controls and reach networks they are not authorised to access while concealing their real identity and location, which makes it difficult for defenders to trace and mitigate the activity.

Cloudflare highlights the role SSH plays in secure networking. SSH tunneling encrypts connections and protects sensitive data in transit; when the server at one end of the tunnel is compromised, however, that same forwarding capability becomes the attacker's proxy and the host a point of exposure. Cloudflare emphasises the need for robust security measures against SSH-related threats.

SSH Tunneling and its Vulnerabilities

SSH tunneling is widely used to establish secure connections over untrusted networks. When an SSH server is misconfigured (weak or reused passwords, root login permitted, unrestricted port forwarding) or left unpatched, however, it becomes susceptible to exploitation. Cybercriminals are quick to capitalise on this, using compromised servers to relay attacks that lead to data breaches, unauthorised access and network compromise.

The exploitation of SSH servers for proxyjacking is a significant risk to organisations and individuals alike. By relaying through compromised servers, attackers can reach sensitive information, compromise critical systems and disrupt operations, and the activity is attributed to the server's owner. The consequences range from financial loss to reputational damage.

To defend against this threat, organisations must prioritise the security of their SSH servers: patch promptly, require key-based authentication and disable password and root logins, restrict TCP forwarding to the accounts that genuinely need it, and deploy intrusion detection that alerts on unexpected outbound connections from SSH hosts. Organisations should also consider monitoring the dark web for listings of compromised servers associated with their domains or address ranges.
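The settings that matter most for this kind of hijacking can be checked mechanically. The following is an added example, not code from the original post: a small Python auditor that reads an sshd_config, applies sshd's first-occurrence rule for the global section, fills in OpenSSH defaults for anything left unset, and flags the options a proxyjacker relies on (password and root logins, unrestricted TCP forwarding, GatewayPorts, a high MaxAuthTries). The two configurations embedded in it are constructed samples, not taken from any real host.

```python
"""Audit sshd_config for the settings a proxyjacker relies on.
Added example, not from the original post."""
import re

# OpenSSH defaults (OpenSSH 7.0 and later) for the keywords we care about.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",   # default allows ssh -L/-R/-D through the host
    "gatewayports": "no",
    "permittunnel": "no",
    "maxauthtries": "6",
}

# Acceptable values. "local" for AllowTcpForwarding still permits -D (SOCKS), so only "no".
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "allowtcpforwarding": {"no"},
    "gatewayports": {"no"},
    "permittunnel": {"no"},
}


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section.

    sshd honours the first occurrence of a keyword, and everything after the
    first Match line applies conditionally, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)     # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text, max_auth_tries=4):
    """Return [(keyword, effective value, reason)] for every weak setting."""
    settings = parse_sshd_config(text)
    findings = []
    for key, good in EXPECTED.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in good:
            origin = "explicitly set" if key in settings else "OpenSSH default"
            findings.append((key, value, f"{origin}; expected one of {sorted(good)}"))
    tries = settings.get("maxauthtries", DEFAULTS["maxauthtries"])
    if not tries.isdigit() or int(tries) > max_auth_tries:
        findings.append(("maxauthtries", tries, f"expected <= {max_auth_tries}"))
    return findings


# Constructed sample configs (not taken from any real host).
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes        # lets any account run ssh -D through this host
GatewayPorts yes
MaxAuthTries 10
"""

HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
MaxAuthTries 3
Match User deploy
    AllowTcpForwarding yes     # conditional re-enable for one account only
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for key, value, reason in audit(cfg):
            print(f"  {key} = {value!r}: {reason}")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; a config that never mentions AllowTcpForwarding is still reported, because the OpenSSH default is to allow it. Note that `sshd -T` prints the effective configuration and is the authoritative source when includes or Match blocks make the file hard to read.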

The rise of proxyjacking through vulnerable SSH servers underlines the constant need for security awareness. Staying informed about new techniques and hardening defences accordingly remains essential as threats change. With sound security measures in place and diligent monitoring for compromise, organisations can protect their digital assets from this quiet threat.



WhatsApp Allows Communication Amid Internet Outages

On January 5, WhatsApp announced a new feature that lets users connect through proxy servers so they can keep using the service even when internet access is restricted or cut off by shutdowns.

Concept of the WhatsApp proxy

When a proxy is selected, users connect to WhatsApp through servers run by individuals and groups devoted to promoting free speech around the world. According to WhatsApp, a proxy connection preserves the app's privacy and security settings, and end-to-end encryption continues to protect personal messages. The company says that neither the proxy servers, WhatsApp nor Meta can see the messages exchanged between users.

When it comes to assisting users when WhatsApp is prohibited in a country, the messaging service stated, "If WhatsApp is restricted in your nation, you can utilize a proxy to connect and communicate with loved ones. End-to-end encryption will still be used to protect private communications while using a proxy connection to WhatsApp."

Under the new rules, internet intermediaries must remove content that law enforcement deems unlawful and cooperate with police investigations, including identifying the originators of malicious content. WhatsApp has responded that it will continue to secure users' private messages and will not weaken their security for any government.

According to Juras Jurnas of the proxy and online data collection company Oxylabs, "For persons with government restrictions on internet access, such as was the situation with Iran, utilization of a proxy server can help people keep a connection to WhatsApp as well as the rest of the public, free internet."

The Iranian government restricted access to Instagram and WhatsApp last year after protests over the death of Mahsa Amini, 22, in police custody. In India, the revocation of Article 370 of the Constitution by Parliament was followed by an internet shutdown in the then state of Jammu & Kashmir, imposed as a precautionary measure. For a long stretch only two districts, Ganderbal and Udhampur, had 4G access; after 552 days without internet or with only slow connectivity, 4G service was restored across the former state on February 6th, 2021.

The company said it is working to ensure that internet shutdowns do not happen, and that people are not denied their human rights or prevented from seeking urgent help when such situations arise in various places around the world.







Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+Organizations

 

Microsoft has identified a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack users' sign-in sessions and bypass authentication even when the victim had MFA enabled. More than 10,000 organisations were targeted.

In AiTM phishing, threat actors place a proxy server between the target user and the legitimate website the user wants to reach; the phishing site the user lands on is that proxy. Because every request and response passes through it, the attackers can capture the victim's password and, once MFA has completed, the session cookie the real site issues.

With the credentials and session cookies needed to reach victims' mailboxes, the threat actors went on to run business email compromise (BEC) attacks against other targets. Microsoft's researchers believe the AiTM campaign has targeted over 10,000 organisations since September 2021.

Phishing using AITM 

The landing pages used in the campaign impersonated the Office online authentication page to attack the Office 365 sign-in process. Microsoft researchers found that the operators use the Evilginx2 phishing kit as their AiTM infrastructure. In several of the attacks observed, the phishing emails carried an HTML file attachment and claimed the recipient had a voice message, to trick them into opening the file.
 
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 
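The prefill trick just described (the victim's address Base64-encoded into the URL fragment, which the browser never sends to the server, so a scanner that fetches the URL sees nothing) is also a usable detection signal on the URL string itself. The following is an added example, not Microsoft's code: a Python check that decodes a URL's fragment as loosely formatted Base64 (standard or URL-safe, padded or not) and reports it when the result is an e-mail address. The URLs are constructed samples and the `example.invalid` hosts are placeholders.

```python
"""Detect AiTM lure URLs that smuggle the victim's e-mail address, Base64-encoded,
in the URL fragment. Added example, not Microsoft's code."""
import base64
import binascii
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
B64_RE = re.compile(r"[A-Za-z0-9+/_=-]+")


def decode_base64_loose(token):
    """Decode standard or URL-safe Base64, padded or not; None if it is not Base64 text."""
    token = token.strip()
    if not token or not B64_RE.fullmatch(token):
        return None
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)          # restore padding the lure may have dropped
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def email_in_fragment(url):
    """Return the e-mail address hidden in the URL fragment, or None.

    The fragment is never sent to the server, so a scanner that fetches the URL
    sees nothing; the check has to run on the URL string itself.
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    decoded = decode_base64_loose(fragment)
    if decoded and EMAIL_RE.match(decoded):
        return decoded
    return None


def scan(urls):
    """Return [(url, email)] for every URL carrying a prefilled address."""
    hits = []
    for url in urls:
        email = email_in_fragment(url)
        if email:
            hits.append((url, email))
    return hits


def build_fragment_url(base_url, email):
    """Build a URL with the address encoded in the fragment (used only to create fixtures)."""
    return f"{base_url}#{base64.b64encode(email.encode()).decode()}"


# Constructed sample URLs; example.invalid is a placeholder host.
SAMPLE_URLS = [
    "https://example.invalid/voicemail.html#YWxpY2VAZXhhbXBsZS5jb20=",   # alice@example.com
    "https://example.invalid/voicemail.html#YWxpY2VAZXhhbXBsZS5jb20",    # same, padding dropped
    "https://docs.example.invalid/page#section-2",                      # ordinary anchor
    "https://example.invalid/#dXNlcg",                                  # Base64 but not an address
]

if __name__ == "__main__":
    for url, email in scan(SAMPLE_URLS):
        print(f"prefilled lure: {email:<22} {url}")
```

The check belongs wherever URLs are extracted from mail bodies and attachments (a gateway, a sandbox, a SIEM enrichment step), since by the time a user clicks, the fragment has already done its job client-side. A hit is a strong indicator on its own; a fragment that decodes to an address matching the recipient of the message is stronger still.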

After capturing the session cookie, the attackers loaded it into their own browser and skipped the authentication step entirely, even when the victim had MFA enabled on the account. Microsoft advises organisations to make their MFA deployment "phish-resistant" with methods such as FIDO2 security keys and certificate-based authentication, which bind the credential to the legitimate site so that a proxy cannot relay it.

Microsoft also recommends conditional access policies that evaluate every sign-in (device compliance, location and similar signals) so that a replayed session cookie from an unexpected device is blocked, together with monitoring for suspicious or anomalous activity such as sign-ins with unusual characteristics and odd mailbox operations, for example newly created inbox rules.

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.

277,000 Routers Vulnerable to 'Eternal Silence' Attacks via UPnP

 

A malicious campaign dubbed 'Eternal Silence' is abusing Universal Plug and Play (UPnP) to turn routers into proxy servers that carry out attacks while hiding the threat actors' location.

UPnP is a protocol that lets devices on a local network create port-forwarding rules on the router automatically; it is available in most modern routers. This lets remote peers reach a particular application or device on demand with minimal user configuration.

It is, however, another technology that trades security for convenience, particularly when the UPnP implementation accepts requests on the device's exposed WAN interface, which allows remote attackers to add port-forwarding entries from the internet.

Akamai researchers discovered attackers exploiting this flaw to build proxies that conceal their malicious operations, and named the technique UPnProxy.

Of the 3,500,000 UPnP routers detected online, 277,000 are vulnerable to UPnProxy, and 45,113 have already been compromised.

Akamai's analysts believe the perpetrators are attempting to exploit EternalBlue (CVE-2017-0144) on unpatched Windows systems and EternalRed (CVE-2017-7494, the SambaCry bug) on unpatched Linux systems.

Exploiting these vulnerabilities can lead to a range of outcomes, from resource-hungry cryptominer infections to destructive worm-like attacks that spread quickly across entire corporate networks, or simply initial access to a corporate network.

The attackers' injected rules carry the description 'galleta silenciosa', Spanish for 'silent cookie'.

The injected rules expose TCP ports 139 and 445 (SMB) on devices behind the targeted routers, which amounts to around 1,700,000 machines running SMB services.

Although Akamai cannot say how successful the campaign has been, it noted a methodical approach to the scans: the attackers concentrate on devices whose UPnP daemons use static ports and paths, which makes injecting port forwards straightforward.


"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report.

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is effective because it strips away the implicit protection that NAT gives internal hosts (and any segmentation that relied on it), and it gives the victim no visible sign that anything has changed.

Scanning all endpoints and auditing the router's NAT table entries is the best way to tell whether devices have been hijacked. There are several ways to do this; Akamai has made it simpler by publishing a bash script that tests a potentially vulnerable URL.
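The audit can also be done directly against the router's WANIPConnection service, which lets any client enumerate the port-mapping table one entry at a time with the GetGenericPortMappingEntry action. The following is an added example, not Akamai's script: Python that builds the SOAP request, walks the table until the router reports the end, parses each reply, and flags the patterns described in this post (forwards to SMB ports 139 and 445, the 'galleta silenciosa' description, and forwards whose internal client is not a LAN address, which is what makes a UPnProxy entry a proxy). The three responses embedded in it are constructed samples, and the control URL in the `__main__` block is a placeholder to be replaced with the `controlURL` from your own router's device description XML.

```python
"""Walk a router's UPnP port-mapping table and flag UPnProxy / Eternal Silence
injections. Added example, not Akamai's script."""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
SMB_PORTS = {139, 445}
KNOWN_TAGS = ("galleta silenciosa",)
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def soap_request(index):
    """SOAP body asking for the mapping at position `index` of the router's table."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    )


def parse_mapping(xml_text):
    """Turn one GetGenericPortMappingEntry response into {field: value} (New- prefix dropped)."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]              # strip any namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def flag_mapping(m):
    """Reasons a mapping looks like an injection; an empty list means nothing suspicious."""
    reasons = []
    try:
        internal_port = int(m.get("InternalPort", "0"))
    except ValueError:
        internal_port = 0
    if internal_port in SMB_PORTS:
        reasons.append(f"forwards to SMB port {internal_port} (EternalBlue/EternalRed target)")
    desc = m.get("PortMappingDescription", "").lower()
    if any(tag in desc for tag in KNOWN_TAGS):
        reasons.append(f"Eternal Silence marker in description: {desc!r}")
    client = m.get("InternalClient", "")
    try:
        addr = ipaddress.ip_address(client)
        if not any(addr in net for net in LAN_NETS):
            reasons.append(f"internal client {client} is not a LAN host: proxy-style forward")
    except ValueError:
        reasons.append(f"unparseable internal client {client!r}")
    return reasons


def audit(responses):
    """Return [(index, mapping, reasons)] for the suspicious entries only."""
    flagged = []
    for i, xml_text in enumerate(responses):
        m = parse_mapping(xml_text)
        reasons = flag_mapping(m)
        if reasons:
            flagged.append((i, m, reasons))
    return flagged


def fetch_mappings(control_url, timeout=5):
    """Read every entry from a live router; it answers HTTP 500 (UPnP error 713) past the end."""
    responses, index = [], 0
    while True:
        req = urllib.request.Request(
            control_url, data=soap_request(index).encode(), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#{ACTION}"'})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                responses.append(resp.read().decode())
        except urllib.error.HTTPError:
            return responses
        index += 1


def _response(ext, proto, internal, client, desc):
    """Constructed reply in the shape an IGD returns; not captured from a real device."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:{ACTION}Response xmlns:u="{SERVICE}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>0</NewLeaseDuration>"
        f"</u:{ACTION}Response></s:Body></s:Envelope>"
    )


SAMPLE_RESPONSES = [
    _response(3074, "UDP", 3074, "192.168.1.20", "Console voice chat"),   # legitimate
    _response(47113, "TCP", 445, "192.168.1.15", "galleta silenciosa"),   # SMB exposed, tagged
    _response(8080, "TCP", 80, "203.0.113.7", ""),                        # forward to an outside host
]

if __name__ == "__main__":
    CONTROL_URL = "http://192.168.1.1:49152/upnp/control/WANIPConn1"   # placeholder
    for index, m, reasons in audit(SAMPLE_RESPONSES):
        print(f"entry {index}: {m['Protocol']} {m['ExternalPort']} -> "
              f"{m['InternalClient']}:{m['InternalPort']}")
        for r in reasons:
            print(f"    {r}")
    # Against a real device: audit(fetch_mappings(CONTROL_URL))
```

Note that the third sample is flagged only because its internal client lies outside the RFC 1918 ranges; a router that is itself behind carrier-grade NAT (100.64.0.0/10) would need that range added to `LAN_NETS` to avoid false positives.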

If a device is found infected with Eternal Silence, disabling UPnP will not remove the existing NAT injections; the device has to be reset or reflashed instead.

Applying the latest firmware update should also be a priority, since the vendor may have fixed the UPnP implementation issues in a system update.

FiveSys Rootkit Exploits Microsoft-Issued Digital Signature

 

A rootkit dubbed FiveSys can evade detection and install itself on Windows PCs by abusing a Microsoft-issued digital signature, according to Bitdefender's security researchers.

Microsoft introduced strict requirements for driver packages seeking a WHQL (Windows Hardware Quality Labs) signature to prevent certain kinds of malicious drivers, and since Windows 10 version 1607 it refuses to load kernel-mode drivers that lack a Microsoft signature.

Malware developers, however, appear to have found a way through Microsoft's certification process and obtained signatures for their rootkits, letting them target victims without raising suspicion.

Microsoft confirmed in June that attackers had successfully submitted the Netfilter rootkit for certification through the Windows Hardware Compatibility Program. Now Bitdefender's researchers warn that the FiveSys rootkit also carries a Microsoft-issued signature, suggesting an emerging trend in which adversaries get their malicious drivers verified and signed by Microsoft.

According to the researchers, FiveSys is comparable to the Undead malware disclosed a few years ago, and like Netfilter it targets the Chinese gaming sector.

Bitdefender stated, “The attackers seem to originate from China and target several domestic games. We can confidently attribute this campaign to several threat actors, as their tools share the same functionality but are vastly different in implementation.” 

The rootkit redirects internet traffic to a custom proxy server through a frequently updated proxy autoconfiguration (PAC) script that lists the domains and URLs to intercept. It can also block drivers belonging to the Netfilter and fk_undead malware families from loading, using a list of their digital signatures.

FiveSys also ships a built-in list of 300 apparently randomly generated domains, stored encrypted, intended to survive takedown attempts. Bitdefender additionally found several user-mode binaries used to fetch and execute the malicious drivers on target PCs.

FiveSys appears to use four drivers in all, though the researchers isolated only two of them. Microsoft revoked FiveSys' signature after the abuse was discovered.

The rootkit is currently used to steal login credentials for gaming accounts, but it could be turned against other targets in the future. A few basic precautions reduce the risk of falling victim to this or similar attacks.

Bitdefender's Bogdan Botezatu recommended, "In order to stay safe, we recommend that users only download software from the vendor's website or from trusted resources. Additionally, modern security solutions can help detect malware – including rootkits – and block their execution before they are able to start."

ESET: FontOnLake Rootkit Malware Targets Linux Systems

 

Researchers have detected a new campaign, possibly targeting organisations in Southeast Asia, that uses previously unknown Linux malware designed to give its operators remote access, harvest credentials and act as a proxy server.

The malware family, named FontOnLake by the Slovak security firm ESET, is reported to consist of "well-designed modules" that are continually updated with new features, indicating active development.

Samples uploaded to VirusTotal suggest the first attacks using this threat may have occurred as early as May 2020. Avast and Lacework Labs track the same malware under the name HCRootkit.

ESET researcher Vladislav Hrčka stated, "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks." 

"To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism." 

FontOnLake's toolkit has three kinds of components: trojanized copies of genuine Linux utilities that load the other pieces, user-mode backdoors, and kernel-mode rootkits; the components communicate with one another through virtual files. The C++ backdoors monitor the system, quietly run commands and steal account credentials.

A second backdoor variant can additionally act as a proxy, modify files and download arbitrary files, while a third combines the features of the other two and can also run Python scripts and shell commands.

ESET found two variants of the Linux rootkit, both based on the open-source Suterusu project. They share features such as hiding processes, files, network connections and the rootkit itself, performing file operations, and fetching and running the user-mode backdoor.
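Process hiding of the kind a Suterusu-based rootkit performs (filtering entries out of /proc so ps and top never see them) can be caught from user space by comparing what /proc lists with what the kernel actually answers for. The following is an added example, not ESET's code: it probes every PID with kill(pid, 0), treats EPERM as "exists", includes thread IDs from /proc/<pid>/task in the listing because threads answer kill() too, and only reports IDs absent from listings taken both before and after the probe, so a process that merely started during the scan is not reported. The comparison is kept in a pure function so it can be exercised on constructed sets without a live system.

```python
"""Find processes a kernel rootkit hides from /proc. Added example, not ESET's code."""
import os
import sys

PID_CAP = 4_194_304   # Linux upper bound for pid_max; keeps the probe loop finite


def read_pid_max(default=32768):
    """Highest PID the kernel will allocate, from procfs if available."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return min(int(fh.read().strip()), PID_CAP)
    except (OSError, ValueError):
        return default


def list_proc_ids():
    """PIDs and thread IDs visible under /proc (ps, top and friends see only these).

    Thread IDs are included because kill() accepts a TID as well as a PID, so a
    multithreaded process would otherwise show up as a cluster of 'hidden' IDs.
    """
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass                                  # process exited between the two listdirs
    return ids


def still_alive(pid):
    """True if the kernel knows the task: kill succeeds, or fails with EPERM (someone else's)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:                    # ESRCH: no such task
        return False
    except PermissionError:                       # EPERM: exists, not ours to signal
        return True
    return True


def probe_ids(pid_max):
    """Every ID in 1..pid_max that the kernel says exists, regardless of /proc."""
    return {pid for pid in range(1, pid_max + 1) if still_alive(pid)}


def find_hidden(listed_before, probed, listed_after):
    """IDs alive per the kernel but absent from both /proc listings.

    Requiring absence from both snapshots filters out tasks that were merely
    created or destroyed while the probe loop was running.
    """
    return sorted(probed - listed_before - listed_after)


def scan():
    """Run the comparison on the live system (Linux only) and re-check each candidate."""
    if not sys.platform.startswith("linux"):
        raise RuntimeError("this check reads /proc and relies on Linux kill() semantics")
    before = list_proc_ids()
    probed = probe_ids(read_pid_max())
    after = list_proc_ids()
    candidates = find_hidden(before, probed, after)
    # A short-lived task can slip through the snapshots; confirm it is still alive and still unlisted.
    return [pid for pid in candidates if still_alive(pid) and pid not in list_proc_ids()]


if __name__ == "__main__":
    hidden = scan()
    print("hidden task ids:", hidden if hidden else "none")
```

A non-empty result is worth a closer look but is not proof on its own: a rootkit that also hooks the kill path would defeat it, and the probe only sees tasks in the caller's PID namespace. It is cheap enough to run from cron on hosts where a Suterusu-style rootkit is a realistic concern.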


How the attackers gained initial access is still unknown, but ESET noted that the actor behind the attacks is "overly cautious" about leaving traces, relying on multiple unique command-and-control (C2) servers on various non-standard ports. All of the C2 servers seen in the VirusTotal artefacts are no longer active.

Hrčka stated, "Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns." 

"As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."