Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security. Show all posts
Vulnerabilities and Exploits
China Exploit Hacker Groups Ivanti security flaws Researchers Security Vulnerabilities and Exploits

Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities

 

Several threat actors with connections to China have been identified as responsible for exploiting three security vulnerabilities affecting Ivanti appliances. These vulnerabilities are identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, a cybersecurity firm, has been monitoring these clusters of threat actors, identifying them under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Among them, UNC3886, a Chinese hacking group, has been previously known for exploiting zero-day bugs in Fortinet and VMware systems to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-218 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 might be the same group, highlighting the sophistication of their tools aimed at avoiding detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting academic, energy, defense, and health sectors, focusing on Citrix Netscaler ADC initially before shifting to Ivanti Connect Secure devices.

These findings emphasize the ongoing threat posed by edge appliances, with threat actors utilizing a combination of zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to networks for extended periods. access to target systems.
Read more »
Security
Cyberattacks CyberCrime Cybersecurity Cyberthreats Data Breach data security ID IntelBroker Pandabuy Passcodes Security

1.3 Million Customers Affected: Pandabuy Grapples with Data Breach Fallout

 


A data breach allegedly occurred on Sunday at Pandabuy, an online store that aggregates items from Chinese e-commerce sites. As a result, 1,348,307 accounts were affected. A large amount of information has been leaked, including user IDs, first and last names, phone numbers, emails, login IP addresses, full addresses, and order information. 

Sanggiero and IntelBroker both exploited multiple vulnerabilities to breach the company's systems, allegedly leading to the leakage of the company's data. People throughout the world can use Pandabuy’s marketplace to access products from Chinese online marketplaces, such as JD.com, Tmall, and Taobao. 

Approximately 1.3 million PandaBuy customers' data has been accessed after two threat actors exploited multiple vulnerabilities to gain access to PandaBuy's system, according to PandaBuy's website. In addition to allowing international customers to purchase goods from a variety of Chinese e-commerce platforms, including Tmall, Taobao, and JD.com, PandaBuy is offering international users to purchase products from different e-commerce platforms. 

There was a breach at PandaBuy yesterday claimed by an individual known as 'Sanggiero', allegedly performed by 'IntelBoker' in conjunction with the threat actor 'Sanggiero'. The breach, according to Sanggiero, was possible as a result of exploiting critical API vulnerabilities, which allowed unauthorized access to internal platform services.

It has been found that over 3 million unique user IDs are now available on underground forums. These data include personal information such as names, phone numbers, e-mail addresses, and even more. For interested parties to obtain this information, they will need to pay a nominal fee in cryptocurrency, further aggravated by the breach itself. 

PandaBuy has reported that 1,348,407 PandaBuy accounts are being compromised, according to data breach aggregation service Have I Been Pwned (HIBP), which confirmed the breach. Furthermore, Sanggiero has provided a sample of leaked data containing email addresses, customer names, transaction information, and order details as well as a sample of the leaked data to verify the authenticity of it. 

A password reset request that Troy Hunt, the creator of HIBP, submitted by PandaBuy users confirmed the breach, confirming that at least 1.3 million email addresses were indeed linked to PandaBuy accounts. In any case, the initial claim of three million entries made by the threat actors appears inflated, with some entries being manufactured or duplicates. 

There are several forums where PandaBuy shoppers' information was leaked, and any registered members can obtain it by paying a symbolic payment of cryptocurrency in exchange for the data. The PandaBuy company has not yet acknowledged an incident of this nature, but one of its administrators on the firm's Discord channel pointed out that the incident was a result of old information, which was already dealt with. 

As a precautionary measure, PandaBuy users have been urged to reset their passwords immediately and to be vigilant against scam attempts. Consequently, PandaBuy customers are facing a significant security threat since their customer data was leaked on underground forums. During the test period, threat actors provided a sample dataset containing email addresses, customer names, order details, and payment information as a means of verifying the authenticity of the breach. 

Troy Hunt's validation of the leaked email addresses further corroborated the breach's legitimacy, emphasizing the urgency of corrective action required for it. The PandaBuy users who have been affected by the breach should act immediately to mitigate the risks. Resetting their passwords will help protect their accounts from unauthorized access in the future. 

It is also important to be vigilant against potential scams and to be very sceptical when receiving unsolicited communications. In addition to timely notifications, Have I Been Pwned integrations with data breach aggregation services ensure users can take proactive measures to protect their online security when data exposure occurs? It is essential that companies, particularly those that handle large amounts of consumer data, prioritize the security of their platforms to prevent such incidents. 

Consumers should remain vigilant and adopt best practices in terms of digital security to keep themselves safe, including strong, unique passwords, and be wary of phishing attempts that may try to steal personal information.
Read more »
Tycoon
Gmail malware MFA Bypass Microsoft 365 multifactor authentication phishing kit Safety Security Tycoon

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

 

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recent as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.
Read more »
Security
AI-powered tool auto-fixes vulnerabilities Code Code Scanning Autofix CodeQL coding Cyber Security GHAS GitHub GitHub Advanced Security GitHub Copilot JavaScript Security

GitHub Unveils AI-Driven Tool to Automatically Rectify Code Vulnerabilities

GitHub has unveiled a novel AI-driven feature aimed at expediting the resolution of vulnerabilities during the coding process. This new tool, named Code Scanning Autofix, is currently available in public beta and is automatically activated for all private repositories belonging to GitHub Advanced Security (GHAS) customers.

Utilizing the capabilities of GitHub Copilot and CodeQL, the feature is adept at handling over 90% of alert types in popular languages such as JavaScript, Typescript, Java, and Python.

Once activated, Code Scanning Autofix presents potential solutions that GitHub asserts can resolve more than two-thirds of identified vulnerabilities with minimal manual intervention. According to GitHub's representatives Pierre Tempel and Eric Tooley, upon detecting a vulnerability in a supported language, the tool suggests fixes accompanied by a natural language explanation and a code preview, offering developers the flexibility to accept, modify, or discard the suggestions.

The suggested fixes are not confined to the current file but can encompass modifications across multiple files and project dependencies. This approach holds the promise of substantially reducing the workload of security teams, allowing them to focus on bolstering organizational security rather than grappling with a constant influx of new vulnerabilities introduced during the development phase.

However, it is imperative for developers to independently verify the efficacy of the suggested fixes, as GitHub's AI-powered feature may only partially address security concerns or inadvertently disrupt the intended functionality of the code.

Tempel and Tooley emphasized that Code Scanning Autofix aids in mitigating the accumulation of "application security debt" by simplifying the process of addressing vulnerabilities during development. They likened its impact to GitHub Copilot's ability to alleviate developers from mundane tasks, allowing development teams to reclaim valuable time previously spent on remedial actions.

In the future, GitHub plans to expand language support, with forthcoming updates slated to include compatibility with C# and Go.

For further insights into the GitHub Copilot-powered code scanning autofix tool, interested parties can refer to GitHub's documentation website.

Additionally, the company recently implemented default push protection for all public repositories to prevent inadvertent exposure of sensitive information like access tokens and API keys during code updates.

This move comes in response to a notable issue in 2023, during which GitHub users inadvertently disclosed 12.8 million authentication and sensitive secrets across more than 3 million public repositories. These exposed credentials have been exploited in several high-impact breaches in recent years, as reported by BleepingComputer.

Read more »
third-party provider
Cyber Security Data fast food chain Global Outage McDonald's Safety Security technical issues third-party provider

McDonald's Attributes Worldwide Outage to Third-Party Provider

McDonald's faced significant disruptions in its fast-food operations on Friday, attributing the widespread technical issues to a third-party provider rather than a cyber attack. The outage, which occurred during a "configuration change," affected stores in various countries including the UK, Australia, and Japan.

According to McDonald's, the problem led to the inability to process orders, prompting closures and service interruptions across affected regions. However, the company clarified that it swiftly identified and resolved the global technology system outage.

Brian Rice, McDonald's chief information officer, emphasized that the incident was an anomaly not directly linked to cybersecurity threats but rather stemmed from a third-party provider's actions during a system configuration change. He assured that efforts were underway to address the situation urgently.

Reports indicated that numerous McDonald's outlets, particularly in the UK and Australia, experienced disruptions, causing frustration among customers unable to place orders. The impact varied across regions, with some locations forced to close temporarily.

Despite the challenges, McDonald's reported progress in restoring operations across affected countries. Stores in Japan, initially hit by the outage, began resuming operations, albeit with temporary cash-only transactions and manual calculations.

While the disruption garnered attention on social media platforms, including complaints from customers unable to order through the McDonald's app, the company thanked customers and staff for their patience as services gradually resumed.

The outage affected McDonald's restaurants worldwide, highlighting the scale of the incident across its extensive network of approximately 40,000 outlets globally, with significant footprints in the UK, Ireland, the United States, Japan, and Australia.
Read more »
system spread
AI Worms Cyber Security Data Safety Data Theft Private Data Researchers Security system spread

Researchers Develop AI "Worms" Capable of Inter-System Spread, Enabling Data Theft Along the Way

 

A team of researchers has developed a self-replicating computer worm designed to target AI-powered applications like Gemini Pro, ChatGPT 4.0, and LLaVA. The aim of this project was to showcase the vulnerabilities in AI-enabled systems, particularly how interconnections between generative-AI platforms can facilitate the spread of malware.

The researchers, consisting of Stav Cohen from the Israel Institute of Technology, Ben Nassi from Cornell Tech, and Ron Bitton from Intuit, dubbed their creation 'Morris II', drawing inspiration from the infamous 1988 internet worm.

Their worm was designed with three main objectives. Firstly, it was engineered to replicate itself using adversarial self-replicating prompts, which exploit the AI applications' tendency to output the original prompt, thereby perpetuating the worm. 

Secondly, it aimed to carry out various malicious activities, ranging from data theft to the creation of inflammatory emails for propagandistic purposes. Lastly, it needed the capability to traverse hosts and AI applications to proliferate within the AI ecosystem.

The worm utilizes two primary methods for propagation. The first method targets AI-assisted email applications employing retrieval-augmented generation (RAG), where a poisoned email triggers the generation of a reply containing the worm, subsequently spreading it to other hosts. The second method involves inputs to generative-AI models, prompting them to create outputs that further disseminate the worm to new hosts.

During testing, the worm successfully pilfered sensitive information such as social security numbers and credit card details.

To raise awareness about the potential risks posed by such worms, the researchers shared their findings with Google and OpenAI. While Google declined to comment, an OpenAI spokesperson acknowledged the potential exploitability of prompt-injection vulnerabilities resulting from unchecked or unfiltered user inputs.

Instances like these underscore the imperative for increased research, testing, and regulation in the deployment of generative-AI applications.
Read more »
Security
Cyber Attacks Data Data Safety Hamilton Safety Security

Cyberattack on Hamilton City Hall Expands to Impact Additional Services

 

Hamilton is currently facing a ransomware attack, causing widespread disruptions to city services for more than a week. City manager Marnie Cluckie disclosed the nature of the cyber attack during a virtual press conference on Monday, marking the first public acknowledgment of the incident since it began on February 25. 

The attack has resulted in the shutdown of almost all city phone lines, hampering city council operations and affecting numerous services such as the bus schedule app, library WiFi, and permit applications.

Cluckie mentioned that the city has not provided a specific timeframe for resolving the situation, emphasizing that systems will only be restored once deemed safe and secure. While the city has not detected any unauthorized access to personal data, Hamilton police have been alerted and will conduct an investigation.

Regarding the attackers' demands, Cluckie remained cautious, refraining from disclosing details such as the requested amount of money or their location due to the sensitive nature of the situation. However, she mentioned that the city is covered by insurance for cybersecurity breaches and has enlisted the expertise of cybersecurity firm Cypfer to manage the incident response.

Ransomware attacks, characterized by denying access to systems or data until a ransom is paid, can have devastating consequences, as highlighted by the Canadian Centre for Cyber Security. Although paying the ransom does not guarantee system restoration, it is sometimes deemed necessary, as seen in previous cases involving other municipalities like St. Marys and Stratford.

Once the city's systems are restored, Cluckie will oversee a comprehensive review to understand the breach's cause and implement preventive measures. Council meetings have been postponed until at least March 15 due to operational constraints, with plans to resume once the situation stabilizes.

The impact of the attack on various city services is extensive. Phone lines for programs, councillors, and essential facilities like long-term care homes are down. Online systems for payments and services related to fire prevention, permits, and property are inaccessible. Engineering services, cemeteries, libraries, public health, property taxes, Ontario Works, vendor payments, waste management, child care, transit, Hamilton Water, city mapping, and recreation facilities are all affected to varying degrees, with disruptions in communication, payments, and service availability.

Efforts are underway to mitigate the effects of the attack, but until the situation is resolved, residents and city officials must navigate the challenges posed by the ransomware attack.
Read more »
wireless chargers
Academic attacks Cyber Security electromagnetic interference Researchers Security VoltSchemer Vulnerabilities wireless chargers

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, have uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.
Read more »
travel account security
Cyber Security cybersecurity tips Data Safety preventing hacking Protecting online travel accounts Safety Security travel account security

Here's How to Safeguard Your Online Travel Accounts from Hackers

 

Just days following Kay Pedersen's hotel reservation in Chiang Mai, Thailand, via Booking.com, she received a troubling email. The email, poorly written in broken English, warned her of "malicious activities" within her account.

Subsequently, Kay and her husband, Steven, encountered issues. Steven noticed unauthorized reservations at different hotels, prompting them to report the fraudulent activity to Booking.com. In response, Booking.com cancelled all their bookings, including the one in Chiang Mai. Despite their immediate action, restoring their original reservation proved challenging. While Booking.com eventually reinstated the reservation, the new rate was more than double the original.

The Pedersens are not isolated cases. A recent surge in hacking incidents has targeted travellers. Criminals reportedly obtained Booking.com passwords through its internal messaging system. Loyalty program accounts and other online travel agencies have also been popular targets.

The susceptibility of travel accounts to attacks is attributed to the wealth of sensitive information they hold, including passports, driver’s licenses, and travel dates. Caroline McCaffery, CEO of ClearOPS, underscores the importance of safeguarding this information.

To mitigate the risk of hacking, travellers can employ several strategies:

1. Utilize two-factor authentication, preferably through an authenticator app, to enhance security.
2. Enable login notifications to receive alerts of any unauthorized account access.
3. Avoid reusing passwords and opt for strong, unique passwords for each account. Password management services like Google Password Manager can be helpful.
4. Exercise caution when using public Wi-Fi networks, and employ a Virtual Private Network (VPN) for added security.

However, travellers themselves also contribute to the problem by sharing excessive personal information and falling victim to phishing scams. Bob Bacheler, managing director of Flying Angels, highlights the risks associated with oversharing on social media and with unknown websites.

Phishing, in particular, remains a prevalent method for hacking attempts. Albert Martinek, a customer cyber threat intelligence analyst at Horizon3.ai, emphasizes the dangers of clicking on suspicious links.

The Pedersens' case underscores the challenges travellers face in resolving hacking incidents. While Booking.com investigated and secured their account, the couple endured uncertainty regarding their hotel reservation.

Ultimately, responsibility for addressing these security concerns lies with the companies that handle travellers' data. Implementing passwordless authentication systems like Passkeys could offer a solution to mitigate hacking risks. However, until travel companies prioritize safeguarding personal information, travellers will continue to bear the consequences.
Read more »
Security
Cyber Fraud CyberCrime Hackers Miami-Dade police officers prosecutors Safety Secure Security

Hackers Target Police Officers and Prosecutors in Miami-Dade

 

The police officers in North Miami Beach were misled by a counterfeit email masquerading as an official communication from the Miami Dade State Attorney's Office, as per sources knowledgeable about the scheme.

Utilizing the guise of an SAO investigator probing human trafficking, a scammer circulated the fraudulent email, successfully duping several employees of the North Miami Beach Police Department earlier this week, according to insiders.

Addressing the incident, city authorities issued a statement acknowledging that a handful of email accounts had fallen victim to a phishing scam, impacting multiple government entities. They assured that steps had been taken to regain control of the compromised accounts.

The city affirmed that neither the network nor the data had been affected by the breach, which was confined to email accounts. Investigations into the security breach were ongoing. The SAO also released a statement detailing a "highly sophisticated phishing attempt" aimed at their computer information system, which was detected and neutralized on February 13th.

The perpetrator employed "exceptional electronic reproductions of genuine SAO materials" in the email, designed to entice users into opening what appeared to be authentic documents from SAO personnel, as stated in the SAO's statement.

The incident serves as a stark reminder of the importance of vigilance in cybersecurity. Despite appearances, malicious emails can be highly deceptive, emphasizing the need for users to scrutinize links and documents for authenticity before clicking on them.
Read more »
Security
$10 billion 2023 Americans Cyber Fraud Fraud FTC record loss Safety Security

FTC Issues Alert: Americans' Fraud Losses Soar to $10 Billion in 2023

 

The U.S. Federal Trade Commission (FTC) has disclosed that in 2023, Americans fell victim to scammers, resulting in losses exceeding $10 billion, indicating a 14% surge compared to the preceding year.

In tandem, Chainalysis has reported that ransomware groups had a lucrative year, with ransom payments surpassing $1.1 billion in 2023.

Approximately 2.6 million consumers submitted fraud complaints to the FTC in the previous year, a figure mirroring that of 2022. Notably, imposter scams dominated the reported fraud cases, with noticeable increases in instances of business and government impersonation. Following closely were online shopping scams, trailed by reports related to prizes, sweepstakes, lotteries, investment scams, and business or job opportunity schemes.

According to the FTC, consumers reported the highest financial losses to investment scams, totaling over $4.6 billion in 2023, representing a 21% hike from 2022. Imposter scams accounted for the second-highest reported loss amount, nearing $2.7 billion. In 2023, consumers cited losing more money to bank transfers and cryptocurrency transactions than through all other methods combined.

The FTC added 5.4 million consumer reports to its secure online database, the Consumer Sentinel Network (Sentinel), in the previous year. Identity theft complaints, exceeding 1.1 million, were received through the agency's IdentityTheft.gov website.

Nevertheless, the FTC's data only scratches the surface of the extensive damage inflicted by scammers in 2023, as many fraud cases go unreported.

Victims of fraud are encouraged to report incidents on ReportFraud.ftc.gov or file identity theft reports on IdentityTheft.gov. These reports, upon inclusion in the FTC's Sentinel database, are accessible to approximately 2,800 law enforcement professionals, aiding in tracking down fraudsters, identifying trends, and raising public awareness to thwart scam attempts.

Samuel Levine, Director of the FTC's Bureau of Consumer Protection, emphasized the growing threat facilitated by digital tools, underscoring the importance of the released data in understanding and combating fraudulent activities targeting hard-working Americans.
Read more »
Zero Trust
Active Directory Authentication Compromised Passwords Cyber Security Cybersecurity Least Privilege Multi-factor authentication Network Security Password Security Security Zero Trust

Implementing Zero Trust Principles in Your Active Directory

 

In the past, many organizations relied on secure perimeters to trust users and devices. However, this approach is no longer viable with the geographical dispersion of workers and the need for access from various locations and devices. End-users now require access to corporate systems and cloud applications outside traditional work boundaries, expecting seamless and fast authentication processes.

Consequently, numerous organizations have adopted a zero-trust model to verify users accessing their data, recognizing Active Directory as a critical component of network authentication. Ensuring the security of credentials stored within Active Directory is paramount, prompting the question of how zero trust principles can be applied to maintain security.

The zero trust model, characterized by the principle of "never trust, always verify," requires authentication and authorization of every user, device, and network component before accessing resources or data. Implementing this model involves constructing a multi-layered security framework encompassing various technologies, processes, and policies.

One fundamental step in securing Active Directory environments is enforcing the principle of least privilege, which restricts privileges to the minimum necessary for individuals or entities to perform their tasks. This mitigates the risks associated with privileged accounts, reducing the potential impact of security breaches or insider threats.

Implementing a zero trust model also entails granting elevated privileges, such as admin rights, only when necessary and for limited durations. Techniques for achieving "just-in-time" privilege escalation include the ESAE (Red Forest) model and temporary admin accounts.

Additionally, employing multi-factor authentication (MFA) for password resets enhances security by adding extra layers of authentication beyond passwords. This mitigates vulnerabilities in password reset processes, which are often targeted by hackers through social engineering tactics.

Moreover, scanning for compromised passwords is crucial for enhancing password security. Despite the implementation of zero trust principles, passwords remain vulnerable to various attacks such as phishing and data breaches. Continuous scanning for compromised passwords and promptly blocking them in Active Directory helps prevent unauthorized access to sensitive data and systems.

Specops Password Policy offers a solution for scanning and blocking compromised passwords, ensuring network protection from real-world password attacks. By integrating such services, organizations can enhance their password security measures and adapt them to their specific needs.

Solutions like Specops Software provide valuable tools and support through demos or free trials for organisations seeking to bolster their Active Directory security and password policies.
Read more »
WiFi
Gadgets Hacking devices OMG cables Security Technology USB Nugget WiFi

Is Your Gadget Secretly a Security Risk?

 


In our digital world where everything connects, keeping our devices safe is like building a strong fortress. We all know the basics – use strong passwords and be careful with downloads. But there's a hidden world of dangers that doesn't shout for attention. These dangers hide in plain sight, disguised as everyday gadgets we use. Imagine them as silent troublemakers wearing innocent masks. Today, we're going to see right through this world and discover the not-so-friendly surprises behind the gadgets we thought were harmless. 

1. Flipper Zero

Disguised as an innocent child's toy, the Flipper Zero, with a price tag of $169, extends its capabilities far beyond its facade. This unassuming gadget boasts an impressive array of features, including the ability to clone RFID cards, control infrared devices, and even masquerade as a keyboard. Posing as a harmless plaything, it is equipped to send commands to connected computers or smartphones, showcasing its multifunctional yet discreet nature.

2. O.M.G Cables

Operating undercover as regular charging cables, O.MG cables reveal a hidden computer with malicious intent upon connection. These covert keyboards, camouflaged as everyday charging accessories, can stealthily pilfer Wi-Fi passwords, copy files, and execute various other malicious actions. The elite version takes deception to the next level by connecting to Wi-Fi, triggering remotely, and even self-destructing to erase any traces of its surreptitious activities.

3. USBKill

Presented as innocent USB flash drives, USBKill devices harbour the potential for disruptive electrical charges when connected to any unsuspecting device. Whether triggered by a button, Bluetooth, timed attack, or a covert magnetic ring, these seemingly harmless gadgets underscore the inherent risks associated with indiscriminately connecting unknown USB devices. Laptops, PCs, smartphones – no device is immune to their potentially destructive capabilities.

4. USB Nugget

Beyond its charming exterior resembling a kitty, the USB Nugget harbours a darker secret – the potential to drop malicious payloads onto any unsuspecting connected device. This seemingly innocent and adorable gadget serves as a stark reminder of how even the simplest-looking devices can conceal formidable threats, highlighting the need for cautiousness when dealing with seemingly harmless peripherals.

5. Wi-Fi Pineapple

The Wi-Fi Pineapple, presenting itself as a futuristic router, transcends its appearance, concealing sophisticated capabilities that can significantly compromise wireless networks. This discreet platform for wireless network attacks can create rogue access points, monitor data from nearby devices, and capture Wi-Fi handshakes. Its unassuming guise masks the potent yet discreet threats that exist in the technical world. 

6. USB Rubber Ducky

Camouflaged as a standard flash drive, the USB Rubber Ducky assumes the role of a covert typist, emulating human keystrokes into connected devices. Its discreet nature allows it to remain undetected for extended periods, emphasising the imperative need for caution when plugging in unknown devices.

7. LAN Turtle

It appears as a generic USB ethernet adapter, the LAN Turtle conceals powerful tools for network surveillance. With features such as network scanning, DNS spoofing, and alerts for specific network traffic, it operates discreetly, potentially eluding detection for extended periods. This unassuming device highlights the subtle yet potent threats associated with covert network monitoring.

8. O.MG Unblocker

Presenting itself as a data blocker, the O.MG Unblocker not only fails to fulfil its supposed function but also acts as an O.MG cable, enabling data theft or the delivery of malicious payloads. This deceptive device surfaces the importance of vigilance in an era where even seemingly protective accessories may harbour hidden dangers.

And that's the lowdown on our everyday gadgets – they might seem all harmless and friendly, but who knew they could have a mischievous side? So, the next time you plug in a cable or connect a device, remember, it could be up to something more than meets the eye. Stay cautious. 

Read more »
Security
blogger harassment case Cyber Safety Data Data Safety eBay fine settlement Security

eBay Settles Blogger Harassment Case with $3 Million Fine

 

eBay has agreed to pay a substantial fine of $3 million (£2.36 million) in order to settle charges related to the harassment of bloggers who were openly critical of the company. The disturbing details emerged in court documents, revealing that high-ranking eBay executives, including Jim Baugh, the former senior director of safety and security, orchestrated a targeted campaign against Ina and David Steiner, the couple behind the newsletter EcommerceBytes, which the company's leadership disapproved of.

The court papers outline a series of alarming incidents, including the dispatch of live spiders and cockroaches to the Steiners' residence in Natick, Massachusetts. This relentless campaign of intimidation left the couple, according to prosecutors, in a state of being "emotionally, psychologically, and physically" terrorized. Jim Baugh, alongside six associates, allegedly spearheaded this effort to silence the Steiners, going to extreme lengths.

The harassment tactics escalated to sending live insects, a foetal pig, and even a funeral wreath to the Steiners' home. Moreover, Baugh and his associates reportedly installed a GPS tracking device on the couple's car, infringing on their privacy. Additionally, the perpetrators created misleading posts on the popular website Craigslist, inviting strangers to engage in sexual encounters at the Steiners' residence.

The aftermath of these reprehensible actions saw the termination of the involved employees by eBay. In the legal proceedings, Philip Cooke, an eBay employee, received an 18-month prison sentence in 2021, while Jim Baugh was handed a nearly five-year sentence in the subsequent year.

Baugh's defense claimed that he faced pressure from eBay's former CEO, Devin Wenig, to rein in the Steiners and control their coverage of the company. However, Wenig, who resigned from his position in 2019, has not been charged in connection with the harassment campaign and vehemently denies any knowledge of it.

Acting Massachusetts US Attorney Josh Levy strongly condemned eBay's conduct, labeling it as "absolutely horrific, criminal conduct." Levy emphasized that the employees and contractors involved in this campaign created a petrifying environment for the victims, with the clear intention of stifling their reporting and safeguarding the eBay brand.
Read more »
Shadow IT
Cyber Attacks Cybersecurity Data Data Safety Employee Risk Indian Companies Security Shadow IT

Employee Use of 'Shadow IT' Elevates Cyber Attack Risks for Indian Firms

 

In India, a recent report indicates that approximately 89% of companies faced cyber incidents within the past two years. Alarmingly, 20% of these breaches were attributed to the utilization of shadow IT, as per findings from a study.

This surge in cyber threats is significantly linked to the adoption of shadow IT by employees, a trend catalyzed by the shift towards remote work setups, states a study conducted by Kaspersky, a cybersecurity firm.

Globally, over the last two years, 11% of companies experienced cyber incidents due to the unauthorized use of shadow IT by their workforce.

Shadow IT refers to the section of a company’s IT structure that operates outside the oversight of IT and Information Security departments. This includes applications, devices, and public cloud services used without compliance to information security protocols.

Alexey Vovk, Head of Information Security at Kaspersky, highlighted that employees using unapproved IT resources often assume that reputable providers guarantee safety. However, these third-party providers outline a 'shared responsibility model' in their terms, indicating that users must conduct regular software updates and take accountability for related incidents, including corporate data breaches.

Effectively managing shadow IT remains a critical need for businesses. Mishandling or operating outside IT protocols can lead to severe repercussions. The Kaspersky study noted that the IT industry bore the brunt, accounting for 16% of cyber incidents resulting from unauthorized shadow IT use between 2022 and 2023.

Additionally, critical infrastructure, transport, and logistics sectors were affected, with 13% of reported attacks attributed to this issue, as per the report's findings.
Read more »
Security
Attackes Cyber Security Data Data Safety Ransomware Security

Exploitation of Numerous Zero-Days in Windows CLFS Driver by Ransomware Attackers

 

Over the past 18 months, malevolent actors have taken advantage of a series of vulnerabilities, including four zero-day exploits, within a critical Windows kernel-level driver. Reports from Kaspersky's Securelist this week not only highlight specific flaws but underscore a broader, systemic issue within the current framework of the Windows Common Log File System (CLFS).

CLFS, designed as a high-performance logging system accessible for user- or kernel-mode software clients, possesses kernel-level access that proves enticing for hackers aiming to acquire low-level system privileges. Its performance-centric design, however, has resulted in multiple security vulnerabilities in recent years, with ransomware actors exploiting these weaknesses.

Boris Larin, principal security researcher at Kaspersky's Global Research and Analysis Team, emphasizes the need for caution in handling files within kernel drivers. He explains that the design choices in Windows CLFS have made it nearly impossible to securely parse CLFS files, leading to a surge in similar vulnerabilities.

Larin points out a noteworthy observation: while zero-days at the Win32k level are not uncommon, the prevalence of CLFS driver exploits in active attacks within a single year raises concerns. He questions whether there is an inherent flaw in the CLFS driver, suggesting that it might be excessively optimized for performance at the expense of security.

The crux of the issue, Larin notes, lies in the CLFS driver's heavy emphasis on performance optimization, resulting in a file format that prioritizes performance over a secure structure. The constant parsing of kernel structures using relative offsets creates vulnerabilities, especially if these offsets become corrupted in memory during execution. Furthermore, manipulation of offsets in the on-disk BLF file can lead to overlapping structures and unforeseen consequences.

Throughout 2023, several high-severity vulnerabilities—CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252—all with a 7.8 rating on the CVSS scale, were exploited as zero-days. Kaspersky identified malicious activity associated with these vulnerabilities, including the Nokoyawa ransomware group's exploitation of CVE-2023-28252.

Unless there is a redesign, CLFS remains susceptible to exploitation by hackers seeking escalation opportunities. Larin recommends organizations adopt best security practices, including timely installation of security updates, deploying security products on all endpoints, restricting server access, closely monitoring antivirus detections, and providing employee training to prevent falling victim to spear-phishing attacks.
Read more »
Technology
business growth Data No-code app building Platforms Security Tech platforms Technology

No Code Application Development Platforms Set to Propel Your Business in 2024

 

The ability to develop web applications without extensive coding knowledge is a significant advantage in today's AI-driven world. No-code web building platforms have become essential tools for entrepreneurs, businesses, and creative individuals seeking to swiftly launch web or mobile applications without the complexities of traditional coding.

Several top-tier no-code web building platforms have gained prominence in the industry. Webflow, for instance, is primarily a website builder with a visually appealing UI that can be extended into a web app builder when integrated with tools like Wist. It offers detailed design control and integrates with various apps, albeit with potential additional costs for advanced features. Webflow's no-code builder is particularly renowned for its strengths in design and aesthetics, providing users with precise control over their website's visual elements, including typography, color schemes, animations, and layout.

Another notable player is Backendless, functioning as a full-stack web app builder that supports native mobile apps. It emphasizes high performance, real-time databases, and a unique block-based approach to logic and APIs. Backendless excels in handling complex, real-time data, a crucial feature for applications requiring instantaneous updates, such as chat services, live streaming, or real-time analytics. Its support for native mobile app development enhances performance and user experience compared to web or hybrid apps.

Bubble, known as the industry standard for no-code web apps, features a drag-and-drop UI builder, workflow automation, API integration, and a robust community with templates and plugins. However, a limitation of Bubble is its inability to export source code, which can be a significant consideration for businesses or developers anticipating platform transitions or needing direct code access.

WeWeb stands out by specializing in front-end development with an intuitive builder and visual logic setup. While users must connect their own backend, the platform offers code exportability and a range of integrations. WeWeb's user-friendly front-end builder, combined with its flexibility in backend integration, makes it a unique and valuable tool for projects requiring a customized approach to both aspects of web development.

Additionally, each of these no-code web building platforms presents unique advantages, catering to different project requirements. Whether focusing on design, security, code control, or seamless integrations, choosing a platform aligned with your project's vision is crucial for a hassle-free web application development experience.
Read more »
transport
China Data Breaches geographic Military Safety Security transport

China Issues Alert on Geographical Information Data Breaches Impacting Transportation and Military

 

 China has recently issued a stern warning regarding the use of foreign geographic software, expressing serious concerns about the potential leakage of critical information related to its essential infrastructure and military. The Ministry of State Security, while refraining from directly attributing blame, has asserted that the identified software is equipped with "backdoors," designed to facilitate deliberate and unauthorized access to sensitive data.

This cautionary move comes at a time of heightened global tensions, with China prioritizing the reinforcement of security measures within key industries. This focus on security has been particularly accentuated amid increased saber rattling towards Taiwan and continued assurances from the United States to the island nation.

There is a growing suspicion that China may be involved in a series of recent cyberattacks aimed at probing the infrastructure of the United States. The alleged objective is to develop a comprehensive attack playbook, presumably in anticipation of potential hostilities between the two superpowers.

In response to these concerns, the United States has taken proactive steps to secure the domestic production of semiconductors, earmarking substantial investments under the CHIPS Act. The objective is to establish semiconductor manufacturing facilities across the country, a move considered essential for national security.

This strategic initiative by the United States is underscored by the perceived risk of Chinese espionage associated with the current reliance on semiconductor imports from production hubs in East Asia. The investment in domestic semiconductor production is thus framed as a crucial measure to mitigate vulnerabilities and safeguard national interests in the face of evolving geopolitical dynamics..
Read more »
Tracking
Android Apps Data Devices Google Information Location Mobile monitoring personalization Privacy Security Smartphone Tech Technology Tracking

Is Your Android Device Tracking You? Understanding its Monitoring Methods

 

In general discussions about how Android phones might collect location and personal data, the focus often falls on third-party apps rather than Google's built-in apps. This awareness has grown due to numerous apps gathering significant information about users, leading to concerns, especially when targeted ads start appearing. The worry persists about whether apps, despite OS permissions, eavesdrop on private in-person conversations, a concern even addressed by Instagram's head in a 2019 CBS News interview.

However, attention to third-party apps tends to overshadow the fact that Android and its integrated apps track users extensively. While much of this tracking aligns with user preferences, it results in a substantial accumulation of sensitive personal data on phones. Even for those trusting Google with their information, understanding the collected data and its usage remains crucial, especially considering the limited options available to opt out of this data collection.

For instance, a lesser-known feature involves Google Assistant's ability to identify a parked car and send a notification regarding its location. This functionality, primarily guesswork, varies in accuracy and isn't widely publicized by Google, reflecting how tech companies leverage personal data for results that might raise concerns about potential eavesdropping.

The ways Android phones track users were highlighted in an October 2021 Kaspersky blog post referencing a study by researchers from the University of Edinburgh and Trinity College. While seemingly innocuous, the compilation of installed apps, when coupled with other personal data, can reveal intimate details about users, such as their religion or mental health status. This fusion of app presence with location data exposes highly personal information through AI-based assumptions.

Another focal point was the extensive collection of unique identifiers by Google and OEMs, tying users to specific handsets. While standard data collection aids app troubleshooting, these unique identifiers, including Google Advertising IDs, device serial numbers, and SIM card details, can potentially associate users even after phone number changes, factory resets, or ROM installations.

The study also emphasized the potential invasiveness of data collection methods, such as Xiaomi uploading app window histories and Huawei's keyboard logging app usage. Details like call durations and keyboard activity could lead to inferences about users' activities and health, reflecting the extensive and often unnoticed data collection practices by smartphones, as highlighted by Trinity College's Prof. Doug Leith.
Read more »
Security
Cybersafety Data malware Ransomware Safety Security

Multiple Iterations of 'HeadCrab' Malware Seize Control of Numerous Servers

 

The HeadCrab malware, known for incorporating infected devices into a botnet for various cyber activities, has reappeared with a novel variant that grants root access to Redis open source servers.

According to findings by Aqua Security researchers, the second version of this cryptomining malware has impacted 1,100 servers, with the initial variant having already compromised a minimum of 1,200 servers.

Asaf Eitani, a security researcher from Team Nautilus, Aqua Security's research team, clarified that while HeadCrab doesn't conform to the typical rootkit, its creator has endowed it with the capability to manipulate a function and generate responses. In essence, this mirrors rootkit behavior as it gains control over responses, allowing it to modify and remain undetected.

Eitani explained, "The tradition of the term rootkit is malware that has root access and controls everything, but in this sense, you are able to control what the user sees."

The updated variant includes subtle adjustments enabling attackers to better conceal their activities. Custom commands have been removed, and encryption has been integrated into the command and control infrastructure, enhancing stealth.

A distinctive feature of HeadCrab is a "mini blog" within the malware, where the author, operating under the pseudonym Ice9, provides technical details about the malware and leaves a Proton Mail email address for anonymity. 

While Aqua Security researchers contacted Ice9, they were unable to ascertain his identity or location. Ice9 claimed they were the first to reach out and insisted that the malware doesn't impair server performance, asserting its ability to eliminate other malware infections. Ice9 praised the researchers in the mini blog after they discovered the second variant.

Notably, Ice9 is the sole user of HeadCrab and exclusively manages the command and control infrastructure.

HeadCrab infiltrates a Redis server when an attacker utilizes the SLAVEOF command, downloads a malicious module, and executes two new files—a cryptominer and a configuration file. Aqua Security researchers advise organizations to conduct scans for vulnerabilities and misconfigurations in their servers and implement protected mode in Redis to minimize the risk of HeadCrab infection.
Read more »
Subscribe to: Posts (Atom)