Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label VoIP. Show all posts
VoIP
Cisco Data Breach Employee Data Information Security Multi-Factor Authentication (MFA) SMS Supply chain vulnerability third party VoIP

Cisco Duo raises awareness over a breach in third-party data security, revealing the exposure of SMS MFA logs.

 

In the ever-evolving landscape of cybersecurity, safeguarding sensitive information and ensuring secure access to corporate networks are paramount concerns for organizations worldwide. Recently, Cisco Duo, a leading provider of multi-factor authentication (MFA) and Single Sign-On services, found itself grappling with a significant breach that shed light on the evolving threats confronting modern enterprises. 

On April 1, 2024, Cisco Duo's security team sent out a warning to its extensive customer base regarding a cyberattack targeting their telephony provider, which handles the transmission of SMS and VoIP MFA messages. According to reports, threat actors leveraged employee credentials acquired through a sophisticated phishing attack to infiltrate the provider's systems. 

Following the breach, the attackers successfully obtained and extracted SMS and VoIP MFA message logs linked to specific Duo accounts, covering the timeframe from March 1, 2024, to March 31, 2024. The ramifications of this breach are deeply concerning. While the provider assured that the threat actors did not access the contents of the messages or utilize their access to send messages to customers, the stolen message logs contain data that could be exploited in targeted phishing campaigns. 

This poses a significant risk to affected organizations, potentially resulting in unauthorized access to sensitive information, including corporate credentials. In response to the breach, Cisco Duo swiftly mobilized, collaborating closely with the telephony provider to conduct a thorough investigation and implement additional security measures. The compromised credentials were promptly invalidated, and robust measures were instituted to fortify defenses and mitigate the risk of recurrence. 

Additionally, the provider furnished Cisco Duo with comprehensive access to all exposed message logs, enabling a meticulous analysis of the breach's scope and impact. Despite these proactive measures, Cisco Duo has urged affected customers to exercise heightened vigilance against potential SMS phishing or social engineering attacks leveraging the stolen information. Organizations are advised to promptly notify users whose phone numbers were contained in the compromised logs, educating them about the risks associated with social engineering tactics. 

Furthermore, Cisco has emphasized the importance of promptly reporting any suspicious activity and implementing proactive measures to mitigate potential threats. This incident serves as a stark reminder of the persistent and evolving threat landscape faced by organizations in today's digital age. As reliance on MFA and other security solutions intensifies, proactive monitoring, regular security assessments, and ongoing user education are indispensable components of an effective cybersecurity posture. 

Moreover, the Cisco Duo breach underscores the broader issue of supply chain vulnerabilities in cybersecurity. While organizations diligently fortify their internal defenses, they remain susceptible to breaches through third-party service providers. Hence, it is imperative for businesses to meticulously evaluate the security practices of their vendors and establish robust protocols for managing third-party risks. 

As the cybersecurity landscape continues to evolve, organizations must remain agile, adaptive, and proactive in their approach to cybersecurity. By prioritizing robust security measures, fostering a culture of cyber resilience, and fostering close collaboration with trusted partners, organizations can effectively mitigate risks and safeguard their digital assets in the face of evolving threats.
Read more »
Windows Bug
3CX Update APT attacks APT27 Chinese Government malware Malware. Software Supply Chain Attack VoIP Windows Bug

Supply Chain Attack Targets 3CX App: What You Need to Know

A recently discovered supply chain attack has targeted the 3CX desktop app, compromising the security of thousands of users. According to reports, the attackers exploited a 10-year-old Windows bug that had an opt-in fix to gain access to the 3CX software.

The attack was first reported by Bleeping Computer, which noted that the malware had been distributed through an update to the 3CX app. The malware allowed the attackers to steal sensitive data and execute arbitrary code on the affected systems.

As The Hacker News reported, the attack was highly targeted, with the attackers seeking to compromise specific organizations. The attack has been linked to the APT27 group, which is believed to have links to the Chinese government.

The 3CX app is widely used by businesses and organizations for VoIP communication, and the attack has raised concerns about the security of supply chains. As a TechTarget article pointed out, "Supply chain attacks have become a go-to tactic for cybercriminals seeking to gain access to highly secured environments."

The attack on the 3CX app serves as a reminder of the importance of supply chain security. As a cybersecurity expert, Dr. Kevin Curran noted, "Organizations must vet their suppliers and ensure that they are following secure coding practices."

The incident also highlights the importance of patch management, as the 10-year-old Windows bug exploited by the attackers had an opt-in fix. In this regard, Dr. Curran emphasized, "Organizations must ensure that all software and systems are regularly updated and patched to prevent known vulnerabilities from being exploited."

The supply chain attack on the 3CX app, in conclusion, serves as a clear reminder of the importance of strong supply chain security and efficient patch management. Organizations must be cautious and take preventive action to safeguard their systems and data as the possibility of supply chain assaults increases.
Read more »
VoIP
Data Breach DDOS Attacks Double extortion Encryption Firewall GitHub Lorenz Ransomware VoIP

Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.

The anonymous organization was affected by the Lorenz ransomware strain, according to a team at Arctic Wolf. 

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for providing access to its targets' private systems to other hackers along with the material that has been stolen prior to encryption in order to lure its victims into paying a ransom.

After leaking the stolen material as password-protected RAR archives if ransoms are not paid, Lorenz also divulges the password to open the leaked archives, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz used the bug to gain a reverse shell, and the group then used Chisel, a Golang-based rapid TCP/UDP tunnel that is transmitted through HTTP, as a tunneling tool to infiltrate the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in additional criminal behavior, the researchers further told. 

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this crucial zero-day flaw and recommended all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then shifted into the network using the free source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.

Threat actors have used record-breaking DDoS amplification assaults to exploit further security holes affecting Mitel devices. Since at least December 2020, the Lorenz ransomware group has been focusing on enterprises all across the world, extorting hundreds of thousands of dollars from each victim.








Read more »
VoIP
Cloud based services Code Execution Flaw CVE Cyber Security RCE Flaw SSRF Flaw VoIP

Businesse's Pascom Cloud Phone System Contains Severe RCE Flaws

 

Pascom's Cloud Phone System has been completely compromised since a combination of three unique vulnerabilities was discovered by security researchers. Daniel Eshetu of Ethiopian infosec firm Kerbit utilized a trio of less critical security issues to gain full pre-authenticated remote code execution (RCE) on the business-focused Voice over IP (VoIP) and generic communication platform. 

A path traversal vulnerability, a web server request forgery (SSRF) fault in an arbitrary piece of software, and a post-authentication RCE flaw were the three components of the successful exploit. 

The Pascom Cloud Phone Software is a complete collaboration and communication solution which enables enterprises to host and build up private telephone networks across several platforms, as well as manage, maintain, and upgrade virtual phone systems. 

According to the company's LinkedIn, "Pascom, which was founded in 1997 and is the creator of the unique pascom IP phone system software, has over 20 years of expertise providing custom VoIP telecommunications and network infrastructure solutions. By offering organizations a unique, highly professional software-based IP PBX solution, our VoIP phone systems help them add value to the communications."

An arbitrary path traversal flaw in the web interface, a server-side request forgery (SSRF) owing to an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection utilizing a daemon service are among the three flaws ("exd.pl"). 

  • The SSRF issue was caused by an out-of-date Openfire (XMPP server) jar it was vulnerable to CVE-2021-45967. This is related to CVE-2019-18394, a vulnerability in Openfire's technology that was found three years ago.
  • Instant messaging, presence, and contact list functions are all handled by XMPP, an open communication protocol. 
  • The most recent flaw was command injection in a scheduled task (CVE-2021-45966). 
To look at it another way, the vulnerabilities can be chained together to acquire access to non-exposed endpoints by sending arbitrary GET requests to obtain the administrator password, then utilizing those passwords to gain remote code execution via the scheduled job.

"This provides users full control of the device and an easy means to escalate privileges," Daniel Eshetu said, adding the attack chain may be used "to execute commands as root." The issues were reported to Pascom on January 3, 2022, and patches were released as a result. Customers who host CPS should update to the most recent version (pascom Server 19.21) as soon as possible to avoid any potential dangers.
Read more »
VoIP
Bandwidth Cyber Attcaks DDoS DDOS Attack Outage VoIP

Bandwidth Suffers Outages Caused by DDoS Attack

 

Within the last couple of days, Bandwidth.com has been the latest target of distributed denial of service attacks targeting VoIP companies. 

Bandwidth, a firm providing Voice over Internet Protocol (VoIP), services to companies and resellers, revealed that it suffered a failure after reporting on the DDoS attack on the 27th of September, Monday night. 

Bandwidth Chief Executive Officer David Morken confirmed the incident and also claimed that "a number of critical communications service providers have been targeted by a rolling DDoS attack." Bandwidth started reporting unintended voice and messaging services breakdown from September 25 at 3:31 p.m. EST. 

Bandwidth has since provided periodic status updates describing voice disruptions, improved services 911 (E911), messaging, and portal access. As Bandwidth is among the world's major voicemail service providers for IP firms, several other VoIP suppliers, including Twilio, Accent, DialPad, Phone.com, and RingCentral, have experienced disruptions throughout the past few days. 

While the fact that all those failures are linked to a service outage has not been established, one failure report specifically cites Bandwidth while the others say an upstream provider is implicated. "While we have mitigated much-intended harm, we know some of you have been significantly impacted by this event. For that, I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously," Morken said. 

The firm continues to monitor the circumstance with the network services and technical teams and actively engages with the customers to deal with any questions. The company mentioned that they’re going to post updates to status.bandwidth.com because they have further information to provide.

Since the statement was issued, the firm updated the details of a number of incoming and outgoing calling services with partial outages. 

On its Cloud Service Status page, Accent said on Tuesday that the "upstream provider continues to acknowledge the DDoS attack has returned to their network however we are seeing a very limited impact to inbound calling for our services." 

"Mitigation steps are being put in place to route inbound phone numbers around the upstream carrier the impact to service grows. We will continue to monitor the situation and update the status as appropriate," Accent wrote. 

Further, on Monday, a source said that their clients were experiencing serious issues with their migrated phone lines. The firm is the downstream retailer of Bandwidth hosted products and claimed that because of the bandwidth problem, they knew major telecoms company that "was in emergency mode".

Considering VoIP services are usually routed through the internet and necessitate public access to their servers and endpoints, they are indeed the main targets for DDoS extortion. Hackers would be overwhelmed by the transmission of more queries than possible to carry out these DDoS assaults, and the targeted devices and servers will not be available to everyone else. 

"Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network," reads a screenshot shared on Reddit. 

Monday night, Bandwidth said that it had restored its services, although it was not apparent if threats were ceased or demands were fulfilled as asked by the actors. Nevertheless, it is usual for cybercriminals to stop attacks momentarily while pushing for extortion, while on Tuesday morning the DDoS attacks were resumed. 
Read more »
VoIP
Google Google Voice Technology TLS VoIP

Google Voice Disruption Caused by Expired TLS Certificates

 

Google has affirmed that a Google Voice malfunction that had impacted the majority of telephone service users this month was triggered, in an incident report released on Friday, by expired TLS certificates. It stopped most of Google Voice users from signing into their accounts and allowing more than four hours of use of the app between 15 February and 16 February 2021. 

Google Voice is a Google voicemail service that allows users to send free texts, personalize the voicemail, read text transcripts for voicemail, and much more. The voicemail service of Google, which previously required a Google Voice invitation code for installation, is now free of charge available for all Gmail users. 

The incident report states that, "Google Voice users experienced an issue in which some new inbound or outbound Voice over Internet Protocol (VoIP) calls failed to connect, for a total duration of 4hours 22 minutes." 

In order to manage phone calls over the Internet protocol, Google Voice uses the Initiation Session Protocol (SIP). Google Voice consumer devices aim at ensuring a continuous SIP link with Google Voice services during routine operation. The customer tries to regain contact automatically after a link fails. Transport Layer Security (TLS) certificates are also rotated periodically to ensure that all Google Voice traffic is protected and linked. 

"Due to an issue with updating certificate configurations, the active certificate in Google Voice frontend systems inadvertently expired at 2021-02-15 23:51:00, triggering the issue," Google explained. "During the impact period, any clients attempting to establish or re-establish a SIP connection were unable to do so." 

Users could not access the Google Voice platform to make or accept VoIP calls following the breakdown of expired certificates. However, consumer systems with an active SIP connection were not impacted during the outage before this incident (as long as the connection was not interrupted). The technical team concluded after the analysis that the root cause was certificate configuration. The team has developed and initiated an emergency roll-out of modified credentials and configuration information to interfaces. After mitigation was enforced, the functionality of Google Voice SIP customers restored retrieval of their connections.

Publishing the incident report, the Google Workspace Team stated the steps taken by the engineers. They insisted on, setting additional constructive warnings for credential expiry incidents to come, and set up additional reactive warnings in Google Voice frontend applications for TLS errors. Alongside, enhance automatic credential rotation tooling and changes to set up and to allow the quick rollout of configuration improvements, utilizing more portable facilities. Developing emergency roll-out testing and practice examples with Google Voice interface applications and settings.

Google is committed to improving our technology and operations efficiently and consistently to avoid service disruptions. They said that “We thank your patience and excuse your company for any effects. For your company, we appreciate you.”
Read more »
Subscribe to: Posts (Atom)