
Email Security Vulnerabilities: Shocking Gaps in Malware Detection


In an era where digital communication dominates, email remains a fundamental tool for personal and professional correspondence. However, recent research by web browser security startup SquareX has exposed alarming vulnerabilities in email security. 

The study, titled “Security Bite: iCloud Mail, Gmail, Others Shockingly Bad at detecting malware, Study Finds,” highlights the shortcomings of popular email service providers in safeguarding users from malicious attachments.

The State of Email Security

1. The Persistent Threat of Malicious Attachments

  • Despite advancements in cybersecurity, email attachments continue to be a prime vector for malware distribution.
  • Malicious attachments can carry viruses, trojans, ransomware, and other harmful payloads.
  • Users often unknowingly open attachments, leading to compromised devices and data breaches.

2. The SquareX Study

Researchers collected 100 malicious document samples, categorized into four groups:

  • Original Malicious Documents from Malware Bazaar
  • Slightly Altered Malicious Documents from Malware Bazaar (with changes in metadata and file formats)
  • Malicious Documents modified using attack tools
  • Basic Macro-enabled Documents that execute programs on user devices

These samples were sent via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL.

3. Shockingly Bad Detection Rates

The study’s findings were alarming:

  • iCloud Mail and Gmail failed to deliver any of the malicious samples. Their malware detection mechanisms worked effectively.
  • Outlook, Yahoo! Mail, and AOL delivered the samples, leaving users potentially exposed to threats.

Implications and Recommendations

1. User Awareness and Caution

  • Users must exercise caution when opening email attachments, even from seemingly legitimate sources.
  • Educate users about the risks associated with opening attachments, especially those from unknown senders.

2. Email Providers Must Step Up

  • Email service providers need to prioritize malware detection.
  • Regularly update and enhance their security protocols to prevent malicious attachments from reaching users’ inboxes.
  • Collaborate with cybersecurity experts to stay ahead of evolving threats.

3. Multi-Layered Defense

Implement multi-layered security measures:

  • Attachment Scanning: Providers should scan attachments for malware before delivery.
  • Behavioral Analysis: Monitor user behavior to detect suspicious patterns.
  • User Training: Educate users about phishing and safe email practices.
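As an added example (not code from the SquareX study or from this post), the attachment-scanning layer above can be made content-based rather than extension-based. OOXML documents are ZIP containers; a document that carries VBA macros ships a vbaProject.bin part and declares the vbaProject content type in [Content_Types].xml. Inspecting that structure catches the "slightly altered" sample category from the study, such as a .docm renamed to .docx. The three sample attachments are constructed in memory so the script runs offline.

```python
"""Content-based detection of macro-enabled OOXML attachments (added example)."""
import io
import zipfile
from typing import Dict, List

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES_PART = "[Content_Types].xml"

# Constructed [Content_Types].xml parts: a plain .docx and a macro-enabled .docm.
CONTENT_TYPES_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml"
   ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

CONTENT_TYPES_MACRO = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
  <Override PartName="/word/document.xml"
   ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""


def build_ooxml(parts: Dict[str, bytes]) -> bytes:
    """Constructed helper: pack named parts into a minimal OOXML-style ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def inspect_attachment(data: bytes) -> Dict[str, object]:
    """Inspect one attachment body. The file name and extension are never consulted."""
    if not data.startswith(b"PK\x03\x04"):
        # Legacy OLE documents, PDFs and so on need their own scanner.
        return {"ooxml": False, "macros": False,
                "notes": ["not a ZIP container; route to the scanner for that format"]}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            types_xml = ""
            if CONTENT_TYPES_PART in names:
                types_xml = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"ooxml": False, "macros": False, "notes": ["corrupt ZIP container"]}

    notes: List[str] = []
    for name in names:
        # Word, Excel and PowerPoint all store macros as <prefix>/vbaProject.bin.
        if name.rsplit("/", 1)[-1].lower() == "vbaproject.bin":
            notes.append(f"VBA project part present: {name}")
    if VBA_CONTENT_TYPE in types_xml:
        notes.append("content types declare a vbaProject part")
    if "macroEnabled" in types_xml:
        notes.append("main document part uses a macroEnabled content type")
    return {"ooxml": CONTENT_TYPES_PART in names, "macros": bool(notes), "notes": notes}


def quarantine_decisions(attachments: Dict[str, bytes]) -> List[str]:
    """Names of attachments to hold back from delivery (policy: any macro evidence)."""
    return [name for name, body in attachments.items() if inspect_attachment(body)["macros"]]


# Constructed samples. "invoice.docx" is a macro document renamed to a benign
# extension, the kind of altered sample the study describes.
CLEAN_DOCX = build_ooxml({CONTENT_TYPES_PART: CONTENT_TYPES_CLEAN,
                          "word/document.xml": b"<w:document/>"})
MACRO_DOCM = build_ooxml({CONTENT_TYPES_PART: CONTENT_TYPES_MACRO,
                          "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project"})
NOT_OOXML = b"%PDF-1.4 constructed placeholder"
SAMPLE_ATTACHMENTS = {"report.docx": CLEAN_DOCX, "invoice.docx": MACRO_DOCM, "notes.pdf": NOT_OOXML}

if __name__ == "__main__":
    for name, body in SAMPLE_ATTACHMENTS.items():
        print(name, inspect_attachment(body))
    print("quarantine:", quarantine_decisions(SAMPLE_ATTACHMENTS))
```

The check is deliberately structural: it does not parse or run the macro code, so it cannot say whether the macro is malicious, only that the document carries one. That is enough for a hold-or-deliver decision in front of the inbox and is far harder to evade by renaming than an extension filter.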

4. Transparency and Reporting

  • Email providers should transparently report their detection rates and improvements.
  • Users deserve to know how well their chosen service protects them.

What next?

Always think before you click. The SquareX study serves as a wake-up call for email service providers. As the digital landscape evolves, robust email security is non-negotiable. Let’s bridge the gaps, protect users, and ensure that our inboxes remain safe havens rather than gateways for malware.

Hackers Exploit Flaw in Ray Framework to Breach Servers

 

The Ray framework, an open source tool for scaling AI and Python workloads, has been found vulnerable to multiple flaws that let hackers take control of devices and steal sensitive data. Cybersecurity researchers from Oligo disclosed their discoveries about a new hacking campaign named “ShadowRay”.

Operating since early September 2023, ShadowRay targeted various sectors including education, cryptocurrency, and biopharma by exploiting five distinct vulnerabilities in Ray. Four of these vulnerabilities, identified as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, were patched by Anyscale, the developer of Ray. However, the fifth vulnerability, labelled as a critical remote code execution (RCE) flaw and tracked as CVE-2023-48022, remained unaddressed.

Anyscale defended the unpatched vulnerability, stating that it was a deliberate decision rather than a bug, as Ray lacks built-in authentication. They indicated their intention to introduce authentication in a future release as part of a defense-in-depth strategy. Anyscale argued that exploitation of this RCE flaw would only be feasible in deployments deviating from their recommended network environment controls.

In contrast, Oligo criticized Anyscale's stance, highlighting that disputing the CVE left many developers unaware of potential security risks. They termed the unresolved CVE as a "shadow vulnerability", explaining that it could lead to breaches despite not being detected in static scans. 

Oligo observed numerous instances of CVE-2023-48022 being actively exploited in the wild, resulting in compromised Ray servers and the theft of sensitive data, including AI models and production database credentials, along with cryptominer installations.


Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, has uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.

Ivanti US Faces Security Crisis, Threatening Worldwide Systems


In a recent development, a critical server-side request forgery (SSRF) vulnerability has been discovered in Ivanti Connect Secure and Ivanti Policy Secure servers, marked as CVE-2024-21893. Security experts have confirmed that this vulnerability is being actively exploited by multiple attackers, raising concerns over the security of affected systems worldwide. 

Let's Understand SSRF and Its Impact 

SSRF vulnerabilities allow attackers to send crafted requests from the vulnerable server, potentially leading to unauthorized access to internal resources, sensitive data exposure, or even full system compromise. Imagine you have a key to open doors in a building. Now, imagine someone tricks you into using that key to open doors you are not supposed to. That is what happens in an SSRF attack. 

Normally, a website can only talk to the outside world through your web browser. But in an SSRF attack, the bad guys make the website talk to other places it is not supposed to, like secret internal parts of a company's network or even random outside websites. This can lead to big problems. 

For example, if the website connects to a secret part of a company's network, the bad guys might steal important information. Or if it connects to a random website, it might give away sensitive data, like your passwords or credit card numbers. 
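The defensive counterpart to the explanation above is to validate every outbound URL a server fetches on a user's behalf before connecting. The following is an added example, not Ivanti's code or a fix for CVE-2024-21893: the hostnames and the addresses in FAKE_DNS are constructed so the script runs offline, and a real deployment would pass real_resolve instead. It rejects non-HTTP schemes, userinfo in the URL, hosts outside an optional allowlist, and any host that resolves (even partially) to a loopback, private, link-local or otherwise non-public address, including IPv4-mapped IPv6 forms.

```python
"""Outbound URL validation against SSRF (added example, not Ivanti's code)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers so the demo runs offline. Names and addresses are
# placeholders, not real infrastructure.
FAKE_DNS = {
    "partner.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "mixed.example.net": ["93.184.216.35", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return FAKE_DNS[host]


def real_resolve(host: str) -> List[str]:
    """Every A/AAAA answer for host from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr: str) -> bool:
    """False for loopback, RFC 1918, link-local, CGNAT, multicast and reserved
    space; IPv4-mapped IPv6 addresses are unwrapped first so ::ffff:127.0.0.1
    is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_outbound_url(url: str,
                          resolve: Callable[[str], Iterable[str]] = real_resolve,
                          allowed_hosts: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Only a True result may be handed to an HTTP client."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = host.lower().rstrip(".")
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host} is not on the allowlist"
    try:
        ipaddress.ip_address(host)
        addrs: List[str] = [host]            # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = list(resolve(host))
        except socket.gaierror as exc:
            return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:                       # every answer must be public
        if not is_public(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, f"ok: {host} -> {', '.join(addrs)}"


if __name__ == "__main__":
    for candidate in ["http://partner.example.com/report", "http://intranet.corp.example/",
                      "http://mixed.example.net/", "http://127.0.0.1:8080/", "file:///etc/hosts"]:
        print(candidate, validate_outbound_url(candidate, fake_resolve))
```

Two caveats a practitioner should keep in mind. Validating and then letting an HTTP library resolve the name again leaves a DNS rebinding window; connect to the address that passed validation and send the intended Host header instead. Redirects must also be disabled or re-validated hop by hop, since a public URL can answer with a 302 to an internal one.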

Ivanti and the Vulnerabilities 

Ivanti raised the alarm about a critical flaw in the gateway's SAML components on January 31, 2024. This vulnerability, identified as CVE-2024-21893, was immediately classified as a zero-day exploit, indicating that hackers were already taking advantage of it. Initially, the impact seemed limited, affecting only a small number of customers. 

However, the exploitation of CVE-2024-21893 opened the door for attackers to sidestep authentication measures and gain unauthorized access to restricted resources on vulnerable devices, specifically those operating on versions 9.x and 22.x. 

Now, according to the threat monitoring service Shadowserver, the situation has escalated. They have detected numerous attackers capitalizing on the SSRF bug, with a staggering 170 unique IP addresses attempting to exploit the vulnerability. This widespread exploitation poses a significant threat to the security of affected systems and the data they hold. 

The disclosure of CVE-2024-21893 revealed a series of critical vulnerabilities affecting Ivanti Connect Secure and Policy Secure VPN appliances. Alongside CVE-2024-21893, two other zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were also identified on January 10, 2024, prompting Ivanti to release temporary mitigations. 

These vulnerabilities were exploited by the Chinese espionage threat group UTA0178/UNC5221, resulting in the installation of webshells and backdoors on compromised devices. Despite initial mitigations, attackers managed to bypass defenses, compromising even device configuration files. 

What Measures Is the Company Taking? 

Ivanti postponed firmware patches scheduled for January 22 due to the sophisticated nature of the threat. Given the active exploitation of multiple critical zero-days, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has mandated federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. 

Only devices that have been factory reset and updated to the latest firmware should be reconnected. However, older versions without a patch remain vulnerable. While this directive is not compulsory for private organizations, they are strongly advised to assess the security status of their Ivanti deployments and overall environment, considering the potential risks posed by these vulnerabilities. 

About the Company 

Ivanti is a company based in Utah, USA, that makes software for endpoint security, IT service management, IT asset management, unified device management, identity and access management, and supply chain management. It was created in 2017 when two companies, LANDESK and HEAT Software, merged. Later, it also bought another company called Cherwell Software. Ivanti became more widely known because of serious security problems with the VPN appliances it sells.

Unveiling the Unseen Cybersecurity Threats Posed by Smart Devices

 

The number of smart devices worldwide has surpassed the global population, with a continuous upward trend, particularly amidst remote and hybrid work settings. Ranjit Atwal, Gartner's senior research director, attributes this surge to the increase in remote work. As work mobility grows, the demand for connected devices like 4G/5G laptops rises, crucial for employees to work from anywhere.

Smart devices encompass gadgets connecting to the internet, like smart bulbs, speakers (e.g., Amazon's Alexa), and wearables such as the Apple Watch. They collect data, enhancing user experience but also pose security risks exploited by cybercriminals. Surprisingly, consumers often overlook security when purchasing smart devices, as shown by Blackberry's research.

In response, the European Union proposed the "Cyber Resilience Act" to enforce cybersecurity standards for all connected devices. Failure to comply may result in hefty fines. Margrethe Vestager from the European Commission emphasizes the need for market products to meet robust cybersecurity measures, likening it to trusting CE-marked toys or fridges.

Security vulnerabilities in smart devices pose threats, as seen in TP-Link's smart lightbulb. Exploiting these vulnerabilities could grant hackers access to networks, risking data and enabling potential malware deployment. Even smart homes face numerous entry points for hackers, as illustrated by investigations conducted by Which?, showcasing thousands of hacking attempts in a week.

The Mirai botnet targets smart devices, using brute-force attacks to gain access via weak passwords. In a concerning case, a Google Home speaker was turned into a wiretap due to vulnerabilities, highlighting the potential risks associated with unsecured devices.

Securing home networks becomes paramount. Strategies include:

1. Purposeful Device Selection: Opt for devices that suit your needs, avoiding unnecessary interconnected gadgets.
2. Router Security: Update router settings, change default passwords, and enable automatic firmware updates.
3. Password Management: Use password managers to create strong and unique passwords for each account.
4. Multi-Factor Authentication (MFA): Employ MFA to add layers of verification during logins.
5. Wi-Fi Network Segmentation: Create separate networks for different devices to isolate potential threats.
6. Virtual Private Networks (VPNs): Invest in VPNs to encrypt online activities and protect against cyber threats on unsecured networks.

Implementing these measures strengthens overall cybersecurity, safeguarding personal data and devices from potential breaches and threats.

Imperva Report Previously Undocumented 8220 Gang Activities


The Imperva Threat Research team has recently discovered previously unreported activity from the 8220 gang, which is well known for mass-deploying a range of constantly evolving TTPs to distribute malware at scale. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, believed to be a China-based group, was first identified in 2017 by Cisco Talos. Its targets included Apache Struts2, Hadoop YARN, and Drupal systems, to which the threat actors delivered cryptojacking malware. Since then, a number of other researchers have reported on the group's evolving tactics, techniques, and procedures (TTPs), including the exploitation of vulnerabilities in Log4j and Confluence. Most recently, Trend Micro showed the group using the Oracle WebLogic vulnerability CVE-2017-3506 to infect targeted systems.

Evolving TTPs

Imperva Threat Research disclosed the group's use of CVE-2021-44228 and CVE-2017-3506 to deliver malware. The researchers also revealed that the threat group exploited CVE-2020-14883, a remote code execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently chained with CVE-2020-14882 (an authentication bypass also affecting Oracle WebLogic Server) or used with compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. Exploitation of these vulnerabilities is extensively documented, which makes it easy to adapt for malware distribution. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Massive Data Breach at Gokumarket: Over a Million Users' Information Exposed

 


Several days before the leak, the GokuMarket team found an unprotected MongoDB instance, which was storing information about its users, namely those who bought and sold crypto on the exchange. In GokuMarket's case, it is the details of more than a million customers and admin users of the company that are stored in MongoDB in the form of large chunks of document-oriented information. 

Several users of GokuMarket, the centralized crypto exchange owned by ByteX and operated by its staff, have had their records revealed thanks to an open instance, according to a Cybernews investigation. 

With offices in Canada, the European Economic Area, and India, ByteX is a licensed and regulated CeDeFi platform that offers its services in those countries. It is ByteX's goal to bridge the best of both worlds by providing a KYC-verified platform with a compliant DeFi architecture, thus enabling a smooth transition from traditional to crypto credit infrastructure by reinventing it with transparency. 

The Gokumarket cryptocurrency exchange, one of the world's leading crypto exchanges, recently suffered a massive data breach, resulting in the disclosure of sensitive information belonging to over a million users. This is quite a significant and alarming development. 

This breach raises significant concerns about the security infrastructure of the platform and its implications for the affected users. GokuMarket, which had around a million users, almost went bankrupt after it denied users the option to withdraw their funds in mid-2022, a disastrous year for the crypto markets. 

GokuMarket faced the harsh reality of insolvency and financial bankruptcy as a result of the crypto market crash that occurred in early 2018. To assist users in safeguarding and protecting their interests, ByteX provided alternative solutions that were in comparison to what ByteX had originally offered. 

There has been considerable turbulence in the market in the aftermath of the recent collapse of several giants, which has also affected the stability of GokuMarket. In acquiring the platform's custodial users, we are making a conscious decision to safeguard and protect both its assets and its users from further challenges. 

GokuMarket's database had been exposed on the web for a considerable period before it was detected in October 2023; it was secured the day after researchers sent a responsible disclosure note. In the meantime, the database could have been accessed by anyone. 

The exposed repository holds sensitive data on an estimated one million people that was previously kept in a secure environment. In addition to IP addresses and geographical locations, it includes users' dates of birth, first and last names, and mobile phone numbers. 

Encrypted passwords and cryptocurrency wallet addresses are also among the exposed records. This breach raises significant concern over the security and privacy of the affected individuals. 

A persistent attacker could easily use this information to develop a spear-phishing campaign, which would likely involve draining the user's crypto funds, as the researchers believe that there is more than enough information to do so. There was also a revelation that the database, which had full-admin access, held 35 accounts that contained all sorts of sensitive information, including private Telegram channel IDs, secret exchange tokens, passwords and other highly sensitive information. 

A far more dangerous can of worms opens if attackers use the leaked admin access details to scam users of other platforms, stealing en masse and transferring funds to accounts they control. Credential stuffing attacks, which reuse leaked credentials against other services, make this possible against the exposed users. 

Using official Telegram channels for malicious purposes, attackers can manipulate the market if a leak of this nature arises. Although the official GokuMarket Telegram channel has not been active since September 2022, scammers are still attempting to impersonate brands within the crypto community to gain their attention.

Data Breach Threat: OwnCloud Users Urged to Patch Vulnerabilities Now

 


The maintainers of ownCloud, a popular open-source file-sharing software, have recently issued an alert regarding three critical security flaws that could have severe consequences. 

The vulnerabilities pose a significant risk to users' security and privacy: they could expose sensitive information and allow files to be modified without authorization. 

The first vulnerability, which affects containerized deployments, has been assigned a CVSS score of 10.0. Exploiting it discloses sensitive credentials and configuration data. The flaw lies in the graphapi app, versions 0.2.0 to 0.3.0. 

If an attacker is able to access a particular URL, crucial details about a PHP environment, including variables used to control a web server, could be revealed. The environment variables of containerized deployments may contain sensitive data such as the administrator password for the OwnCloud system, the credentials for the email server, and the license key for the software. 

Among the three critical security vulnerabilities that have been discovered in the open source file sharing software ownCloud is a vulnerability that could expose passwords for administrators and credentials for the mail server. 

ownCloud is an open source, self-hosted file sync and share platform that lets users access and manage files from anywhere, individually or as a team. It is used by businesses and enterprises, educational institutions, government agencies, and privacy-conscious individuals who prefer to keep control over their data.

The ownCloud site reports 200 million users and 600 enterprise customers. This past week the development team behind ownCloud issued three security bulletins stating that the project could be severely compromised through three different vulnerabilities in its components. 

CVE-2023-49103 is the first flaw identified, which has a CVSS v3 score of 10. This flaw allows for the theft of credentials and configuration information in containerized deployments, and it impacts all of the server's environment variables as well. 

OwnCloud recommends that immediate action be taken in order to mitigate this issue, such as deleting a particular file and disabling the PHPinfo function. It is also advised that users should change the password for the ownCloud admin account, their mail server and database credentials, as well as their access codes for Object-Store and Amazon S3. 

In order to resolve this issue, it is recommended that the  ownCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file be deleted, Docker containers should be disabled from executing the phpinfo function, and that secrets such as the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys be changed. 

The second vulnerability, with a CVSS score of 9.8, lets malicious actors bypass WebDAV API authentication using pre-signed URLs. When a victim's username is known and no signing key is configured, an attacker can access, modify, or delete that user's files without authentication. It affects core versions 10.6.0 to 10.13.0. 

Lastly, ownCloud has made a warning about a security vulnerability discovered in oauth2 before version 0.6.1 that can bypass the validation process for subdomains. By bypassing the validation code, this vulnerability enables an attacker to redirect callbacks to a top-level domain (TLD) controlled by them, which has a CVSS score of 9.0. 

OwnCloud suggests that as a temporary solution to this issue, you disable the "Allow Subdomains" option and harden the validation code in the OAUTH2 application. In the event that the user's username is known and the sign-key has not been configured (the default setting), attackers can access, edit, or delete any file without authentication. 
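The failure mode described above (a pre-signed URL honoured for a user who never configured a signing key) can be illustrated with a generic signed-URL checker. This is an added example, not ownCloud's code: the host, the per-user key store and the query parameter names are constructed. The fail-open version treats a missing key as "nothing to verify"; the fail-closed version refuses instead, checks expiry, and compares signatures in constant time.

```python
"""Fail-open vs fail-closed verification of pre-signed download URLs (added example)."""
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://files.example"                     # constructed host

# Constructed per-user signing keys. "bob" never configured one.
SIGNING_KEYS: Dict[str, bytes] = {"alice": b"constructed-key-for-alice"}


def _canonical(path: str, user: str, expires: int) -> bytes:
    """The exact bytes that get signed; path, user and expiry are all bound."""
    return f"{path}\n{user}\n{expires}".encode()


def make_presigned_url(path: str, user: str, key: bytes, ttl: int, now: int) -> str:
    path = "/" + path.lstrip("/")
    expires = now + ttl
    sig = hmac.new(key, _canonical(path, user, expires), hashlib.sha256).hexdigest()
    return f"{BASE}{path}?" + urlencode({"user": user, "expires": expires, "signature": sig})


def _fields(url: str) -> Tuple[str, str, str, str]:
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    def first(name: str) -> str:
        return query.get(name, [""])[0]

    return parts.path, first("user"), first("expires"), first("signature")


def _signature_ok(path: str, user: str, expires: str, sig: str, key: bytes, now: int) -> bool:
    if not expires.isdigit() or int(expires) < now:
        return False
    expected = hmac.new(key, _canonical(path, user, int(expires)), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)        # constant-time comparison


def verify_fail_open(url: str, keys: Dict[str, bytes], now: int) -> bool:
    """Flawed pattern: a user without a key is waved through."""
    path, user, expires, sig = _fields(url)
    key = keys.get(user)
    if key is None:
        return True                                  # BUG: no key means no check
    return _signature_ok(path, user, expires, sig, key, now)


def verify_fail_closed(url: str, keys: Dict[str, bytes], now: int) -> bool:
    """Correct pattern: no key configured means pre-signed access is unavailable."""
    path, user, expires, sig = _fields(url)
    key = keys.get(user)
    if key is None:
        return False                                 # fail closed
    return _signature_ok(path, user, expires, sig, key, now)


# Constructed demo values.
NOW = 1_700_000_000
ALICE_URL = make_presigned_url("/docs/q3.pdf", "alice", SIGNING_KEYS["alice"], 600, NOW)
FORGED_BOB_URL = f"{BASE}/docs/secret.pdf?user=bob&expires={NOW + 600}&signature=0000"

if __name__ == "__main__":
    print("alice, fail-closed:", verify_fail_closed(ALICE_URL, SIGNING_KEYS, NOW))
    print("bob forged, fail-open:", verify_fail_open(FORGED_BOB_URL, SIGNING_KEYS, NOW))
    print("bob forged, fail-closed:", verify_fail_closed(FORGED_BOB_URL, SIGNING_KEYS, NOW))
```

The only difference between the two verifiers is the branch taken when no key exists, which is exactly the "default setting" case the bulletin describes. Denying pre-signed URLs outright, as the workaround does, is the same fail-closed decision applied globally.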

It has been published that the pre-signed URLs cannot be used unless a signing key has been set up for the file owner. This can be fixed by denying the use of pre-signed URLs. There is also a third flaw (CVSS v3 score: 9) that affects all versions of the oauth2 library below version 0.6.1, which is a subdomain validation bypass vulnerability. 

The attacker can inject a specially crafted redirect URL into the oauth2 app that bypasses the validation code, causing the attacker's callbacks to be redirected to a domain they control. The oauth2 bulletin provides a temporary workaround and recommends hardening the validation code in the oauth2 application. 
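The bulletin does not publish the flawed validation code, so the following added example (not ownCloud's code; the registered client URL is constructed) shows the general shape of this bug class: a redirect URI check that matches the registered host as a substring accepts hosts that merely contain it, whereas a strict check compares scheme, port and path exactly and only accepts subdomains on a label boundary, and only when subdomains are explicitly allowed.

```python
"""Redirect URI validation: substring match vs label-boundary match (added example)."""
from typing import Tuple
from urllib.parse import urlsplit

# Constructed registration for one OAuth2 client.
REGISTERED_REDIRECT = "https://app.example.com/callback"


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def weak_redirect_ok(redirect_uri: str, registered: str = REGISTERED_REDIRECT) -> bool:
    """Flawed pattern: accept any host that contains the registered host name."""
    return _host(registered) in _host(redirect_uri)


def strict_redirect_ok(redirect_uri: str, registered: str = REGISTERED_REDIRECT,
                       allow_subdomains: bool = False) -> Tuple[bool, str]:
    """Exact match on scheme, port and path; host must equal the registered host
    or, if allowed, be a proper subdomain of it (label boundary enforced)."""
    try:
        cand = urlsplit(redirect_uri)
        cand_port = cand.port
    except ValueError as exc:
        return False, f"unparseable redirect URI: {exc}"
    reg = urlsplit(registered)
    if cand.scheme.lower() != reg.scheme.lower():
        return False, "scheme mismatch"
    if cand.username is not None or cand.password is not None:
        return False, "userinfo not allowed in redirect URI"
    chost, rhost = _host(redirect_uri), _host(registered)
    if not chost:
        return False, "redirect URI has no host"
    if cand_port != reg.port:
        return False, "port mismatch"
    same = chost == rhost
    subdomain = allow_subdomains and chost.endswith("." + rhost)
    if not (same or subdomain):
        return False, f"host {chost} is not the registered host {rhost}"
    if cand.path != reg.path:
        return False, "path mismatch"
    return True, "ok"


if __name__ == "__main__":
    for uri in ["https://app.example.com/callback",
                "https://app.example.com.attacker.example/callback",
                "https://evilapp.example.com/callback",
                "https://beta.app.example.com/callback"]:
        print(uri, "weak:", weak_redirect_ok(uri), "strict:", strict_redirect_ok(uri, allow_subdomains=True))
```

Registering full redirect URIs and comparing them exactly is the safest default; the "Allow Subdomains" option the bulletin tells users to disable is precisely the relaxation that the strict check only grants on a label boundary.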

The three flaws described in the bulletins significantly damage the security and integrity of ownCloud, potentially exposing sensitive information to phishing, stealthy data theft, and other malicious activity. Various ransomware groups have exploited vulnerabilities in file-sharing platforms to steal data from thousands of companies around the world. 

In a related disclosure, a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability (CVE-2023-43177) in the CrushFTP solution. An unauthenticated attacker exploiting it could gain access to files, run arbitrary programs on the host, and obtain plain-text passwords through the application. Converge security researcher Ryan Emmons discovered and reported the issue, which has been resolved since CrushFTP 10.5.2, released on August 10, 2023.

AutoZone Faces Data Breach Headache as MOVEit System Compromised

 


Almost 185,000 individuals have been informed that their personal information was compromised in the recent data breach at the American car parts company AutoZone. Cybercriminals exploited the MOVEit Transfer managed file transfer application to steal sensitive information, including social security numbers and other private data. 

There have so far been no reports that the exposed information has been used for fraud, and AutoZone has assured its customers that it has no evidence of misuse. As a precaution, affected customers are offered complimentary credit monitoring and identity protection services. 

AutoZone suffered the data breach through the Clop attack on the MOVEit file transfer service, losing data for tens of thousands of its customers. With over 7,140 locations in the U.S. as well as Brazil, Mexico, and Puerto Rico, AutoZone is the country's number one retailer and distributor of automotive spare parts and accessories. 

There are approximately 17.5 billion dollars in revenue generated each year by the company, 119,000 jobs are created by the company, and 35 million monthly users visit the company's online shop, as reported by similarweb.com statistics. It has come to AutoZone's attention that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain information from an AutoZone system supported by the MOVEit application, the company said in a notice published last week. 

AutoZone determined on or about August 15, 2023, that certain data had been exfiltrated through the exploitation of a vulnerability in the MOVEit application. Although the company did not specify what type of data was stolen, its filing with the Maine Attorney General lists "full names" and "social security numbers." That information is sufficient for identity theft or even wire fraud.  

A 1.1 gigabyte archive contains employee names, emails, details about parts supplies, tax information, payroll documents, Oracle databases, and much more. Customer data appears to have been spared. With over 7,000 locations and close to 120,000 employees across the US, AutoZone is a major retailer of spare car parts. 

Since late May, a staggering number of organizations have been affected by the MOVEit software vulnerability, tracked as CVE-2023-34362. According to data Huntress collected with industry collaborators, there have been no notable new waves of exploitation since the discovery in late May 2023, as MOVEit's vendor had a patch for the vulnerability available by 31 May 2023.

It is conceivable that a malicious actor equipped with an effective exploit for a service characterized by high availability, making it resistant to swift patching, and commonly accessible from external sources, would persist in capitalizing on this opportunity. However, contrary to this expectation, the broader security community has noted an initial surge in activity, followed by a marked decrease or absence of actions as the calendar transitioned into June. 

In an update issued by cybersecurity firm Emsisoft on November 21, it was reported that over 2,620 organizations, either directly or indirectly, had been impacted by this breach, with an overall count of over 77 million individuals having been affected as a result. 

Many US schools and the state of Maine are among the victims in this extensive list, along with Siemens Energy, Schneider Electric, and Shell, among other big-name energy companies. In the wake of the MOVEit hack, organizations have suffered significant disruptions and financial losses in a variety of industries and sectors as a result.

The AutoZone incident is a stark reminder that vigilance against ever-evolving threats and robust cybersecurity measures are essential for protecting data.

For businesses that rely heavily on digital tools and technologies, it is even more important to prioritize secure data management, patch software promptly and implement multilayered security controls to avoid data breaches.

AutoZone has taken immediate action to address the breach, and businesses of all sizes should take the opportunity to learn from this incident and strengthen their defences to protect customers' personal information. That means investing in advanced threat detection, conducting regular security audits and training employees in cybersecurity best practices.

To maintain the trust and confidence of their stakeholders, organizations must remain vigilant in protecting sensitive data and prioritizing the security of their digital infrastructure as cyber threats grow in sophistication.

Apple's iOS 17.0.3 Update: Solving Overheating and Enhancing Security

 


In response to reports over the weekend that iPhone 15 units were running hot, Apple pointed to several possible causes: app-specific problems with apps such as Instagram and Uber, increased background activity in the days after setup or data transfer, and unspecified bugs in iOS 17.

Apple's new software update addresses that last cause. According to the release notes for iOS 17.0.3, the update fixes a bug that could cause the iPhone to run warmer than expected.

The update also fixes two security vulnerabilities in both iOS and iPadOS, as described in Apple's accompanying security notes. The first is a kernel vulnerability that an attacker with local access to the device could exploit to elevate privileges.

Apple says it is aware of a report that this bug may have been exploited against versions of iOS before iOS 16.6. The update also fixes a bug in libvpx that CISA (the Cybersecurity and Infrastructure Security Agency) had already flagged.

A device with this bug may be vulnerable to remote attacks that could give an attacker control of it. Other software, including Chrome and Firefox, has recently shipped patches for the same libvpx bug, which was first tracked in a Chrome bug report.

Users are therefore advised to check for the latest iOS version in the Settings app. The download is roughly 400 MB and free. The update addresses an issue in iOS that came to light on Wednesday.

The developers of the affected apps are also shipping fixes. Apple further said that the heat issue with the new phones was not due to the titanium and aluminium frames of the high-end models, nor to the USB-C port, which is now the standard for charging phones.

Apple notes that all iPhones are likely to feel warm while restoring from a backup, charging wirelessly, using graphics-rich apps and games, or streaming high-quality video.

Unless the iPhone displays an explicit temperature warning, it is safe to use, according to Apple. The security issue fixed in iOS 17.0.3 and iPadOS 17.0.3 was addressed with improved checks, but Apple has not revealed who found and reported it.

A long list of devices is affected: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

The open-source libvpx video codec library contains a heap buffer overflow, CVE-2023-5217, which can be exploited to execute arbitrary code.

Apple has now addressed this vulnerability as well. Although Apple has not labelled the libvpx bug as exploited in the wild, Google had already patched it as a zero-day in Chrome, and Microsoft in Edge, Teams and Skype.

CVE-2023-5217 was discovered by Clément Lecigne of Google's Threat Analysis Group (TAG), a team known for frequently uncovering zero-days used in government-sponsored spyware attacks against high-risk individuals.

With CVE-2023-42824, the kernel bug above, Apple has now fixed 17 zero-day vulnerabilities exploited in attacks so far this year. Most recently it patched CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993, three zero-days reported by Citizen Lab and Google TAG researchers that were exploited to install Cytrox's Predator spyware.

Before that, Citizen Lab disclosed two further zero-days (CVE-2023-41061 and CVE-2023-41064) that were exploited as part of BLASTPASS, a zero-click exploit chain used to infect fully patched iPhones with NSO Group's Pegasus spyware.

Because new phones and new operating systems ship at around the same time each year, it is not uncommon for new iPhones to receive iOS patches in rapid succession. Builds for older devices receive more thorough vetting as they pass through the months-long developer and public beta programs, which Apple has made easier to join in recent releases.

The first major update to iOS 17, version 17.1, is currently in beta. According to MacRumors, it mainly refines a few of iOS 17's new features, such as the StandBy smart display mode.

MacRumors has a comprehensive list of the changes. If Apple follows its usual schedule, 17.1 should ship within a couple of weeks. Although rumours circulated about potential hardware issues, possibly linked to the iPhone 15's new processor or its titanium components, Apple's official statements attribute the problem primarily to software.

Apple also acknowledges that the phone can run warm while charging with USB-C chargers. It had previously released a post-launch patch to address data transfer problems experienced by some new iPhone 15 users.

Apple is also beta testing the more substantial iOS 17.1 update, which is expected to bring further improvements to the overall user experience.

CISA Removes Meeting Owl Vulnerabilities from Exploited List


CISA Reverses Course on Malicious Exploitation of Video Conferencing Device Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) recently removed five vulnerabilities affecting Owl Labs' Meeting Owl smart video conferencing product from its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerabilities, discovered by researchers at Modzero, include encryption flaws, hardcoded credentials and authentication issues. CISA cited insufficient evidence of active exploitation as the reason for the removal. Exploiting the flaws requires an attacker to be within Bluetooth range of the device, which limits the likelihood of widespread exploitation.

What is the KEV Catalog?

The KEV Catalog is CISA's list of vulnerabilities for which there is reliable evidence of exploitation in the wild. Federal agencies are required under Binding Operational Directive 22-01 to remediate catalog entries by their due dates, and many private organizations use the catalog to prioritize patching. Because inclusion depends on evidence of active exploitation, an entry can be removed again if that evidence does not hold up.

The Meeting Owl Vulnerabilities

The Meeting Owl is a smart video conferencing device that uses artificial intelligence to automatically focus on the person speaking in a meeting room. Researchers at Modzero discovered five vulnerabilities in the device that could allow an attacker to control it: encryption flaws, hardcoded credentials and authentication issues. Because the attacker must be within Bluetooth range, the flaws are unlikely to be exploited at scale.

CISA’s Decision

CISA's decision to remove the Meeting Owl vulnerabilities from its KEV Catalog has raised some eyebrows. The Bluetooth-range requirement limits who can attack a given device, but it does not make the flaws unexploitable: researchers at Modzero exploited them in their lab environment. Removing the entries could also lead federal agencies, and others who key their patching to the catalog, to deprioritize remediation for the Meeting Owl.

Organizations should not treat a removal from the catalog as an all-clear. A vulnerability that leaves the KEV list is still a vulnerability, and the sound course is to remain vigilant and patch all known vulnerabilities in their systems.
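The practical risk described above is that an entry quietly disappearing from the catalog also disappears from a team's patch tracking. The following is an added example, not CISA tooling, that diffs two snapshots of the KEV JSON feed and updates a local tracking table so that removed entries are marked for review instead of being dropped. The feed layout (a top-level "vulnerabilities" list with cveID, vendorProject, product and dueDate fields) matches the real feed; the two snapshots are constructed samples, and CVE-EXAMPLE-0001 is a placeholder rather than a real identifier.

```python
"""Track additions and quiet removals in CISA's Known Exploited Vulnerabilities feed."""
import json

# Constructed sample of yesterday's local copy of the feed. CVE-EXAMPLE-0001 is a
# placeholder standing in for an entry that is later removed from the catalog.
PREVIOUS_FEED = json.dumps({
    "catalogVersion": "sample-1",
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-5217", "vendorProject": "Google", "product": "Chromium libvpx",
         "dueDate": "2023-10-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "Example Device",
         "dueDate": "2023-10-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed sample of today's feed: the placeholder entry has been dropped without notice.
CURRENT_FEED = json.dumps({
    "catalogVersion": "sample-2",
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-5217", "vendorProject": "Google", "product": "Chromium libvpx",
         "dueDate": "2023-10-23", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_entries(feed_json: str) -> dict:
    """Parse a KEV feed into {cveID: entry}."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def diff_feeds(previous_json: str, current_json: str) -> dict:
    """CVE IDs that appeared in, or vanished from, the catalog between two snapshots."""
    prev, cur = load_entries(previous_json), load_entries(current_json)
    return {"added": sorted(set(cur) - set(prev)), "removed": sorted(set(prev) - set(cur))}


def tracking_from_feed(feed_json: str) -> dict:
    """Seed a local tracking table: one open work item per catalog entry."""
    return {cve: {"status": "open", "source": "kev", "dueDate": e["dueDate"]}
            for cve, e in load_entries(feed_json).items()}


def reconcile(local_tracking: dict, current_json: str) -> dict:
    """Merge the current feed into the tracking table without losing work items.

    New catalog entries become open items. Items that came from the catalog but are no
    longer in it are kept and flagged for human review, so a quiet removal (as happened
    with the Meeting Owl entries) never silently closes a ticket.
    """
    cur = load_entries(current_json)
    updated = {cve: dict(item) for cve, item in local_tracking.items()}
    for cve, entry in cur.items():
        updated.setdefault(cve, {"status": "open", "source": "kev", "dueDate": entry["dueDate"]})
    for cve, item in updated.items():
        if item["source"] == "kev" and item["status"] == "open" and cve not in cur:
            item["status"] = "review-removed-from-kev"
    return updated


if __name__ == "__main__":
    print(diff_feeds(PREVIOUS_FEED, CURRENT_FEED))
    for cve, item in reconcile(tracking_from_feed(PREVIOUS_FEED), CURRENT_FEED).items():
        print(cve, item["status"])
```

In production the two strings would be yesterday's saved copy and a fresh download of the feed; the status value is a local convention, so map it onto whatever ticketing states your team uses.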

Exposed Secrets: Backdoor Vulnerabilities in Worldwide Radio Systems

 


For more than 25 years, the inner workings of a technology used for critical voice and data radio communication around the globe were kept secret, so nobody outside could examine its security properties for vulnerabilities. A small group of researchers in the Netherlands has now reverse-engineered it and published their findings. They found serious flaws in its internals, including what they describe as a deliberate backdoor.

The encryption algorithms are baked into radios sold by vendors, who have known about the weakness for years; their customers have not necessarily known. Pipelines, railways, electric grids, mass transit systems and freight trains send encrypted data and commands over this technology. Anyone who can read those communications could learn how the systems work, and could then relay commands to the radios to trigger a blackout, stop the flow of gas through a pipeline or reroute trains.

An additional vulnerability was found in a different part of the same radio technology, in more specialized systems sold exclusively to police forces, prisons, the military, intelligence agencies and emergency services.

The Dutch police, fire brigades, ambulance services and Ministry of Defense use the C2000 communication system for mission-critical voice and data. Someone exploiting the flaw could decrypt voice and data communications and inject fraudulent messages, for example to spread misinformation during a national crisis or to redirect personnel and forces.

The Dutch security firm Midnight Blue discovered five vulnerabilities in Terrestrial Trunked Radio (TETRA), a standard used by governments, law enforcement agencies and emergency services in many countries in Europe, the United Kingdom and other parts of the world.

TETRA is an open standard with competition between vendors, which has driven several innovations. TETRA solutions from Airbus can achieve outstanding coverage because of the frequency band and output power they use, which differ from those of today's cellular systems.

All TETRA radio networks appear to be affected by the flaws, collectively named TETRA:BURST. An attacker could use them to decrypt communications in real time or after the fact, inject messages, deanonymize users, or set the session key to zero in order to intercept the uplink.

Two of the flaws are rated critical and require immediate attention. The first (CVE-2022-24401) can be used to decrypt text, voice or data communications: the Air Interface Encryption (AIE) keystream generator, which protects data in transit, depends on the network time, which is broadcast publicly and without authentication.

The second critical vulnerability (CVE-2022-24402) lies in the TEA1 encryption algorithm itself, which the researchers say "has a backdoor that can be exploited to reduce the original 80-bit key size to a size that can be easily brute-forced on consumer hardware in minutes." The Midnight Blue team is convinced that this backdoor, as they call it, is a deliberate design choice.

Encryption technology has often had to be weakened to comply with export rules; under certain regulations, weakening the security is a condition of shipping the product abroad.

In a demonstration video for CVE-2022-24401, the attacker targets a radio, intercepts the encrypted message it transmits and reads its contents. Exploiting this vulnerability does not yield the key in any circumstance, explains Midnight Blue founder Wouter Bokslag. "The only thing you will receive is the keystream," he says, "which is the key stream you need to decrypt arbitrary frames, or arbitrary messages that pass through the network."

A second demo video shows CVE-2022-24402, the backdoor in the TEA1 algorithm, which undermines both the confidentiality and the integrity of networks that rely on TEA1. Although TEA1 takes an 80-bit key, the backdoor reduces its effective strength so far that an attacker can brute-force it and listen in undetected.

Bokslag acknowledges that some may find the word backdoor too strong, but he thinks the term is justified here. TEA1 takes an 80-bit key and then applies a reduction step that leaves only 32 bits of key material, which is all the cipher actually uses for encryption and decryption.

What is the Suitability of TETRA for Telemetry? 


TETRA offers very high levels of reliability, an invaluable advantage for critical applications. Most telemetry transactions consist of a few bytes from varying sources, so they are relatively small.

TETRA offers several powerful Short Data Services (SDS). SDS messages can be delivered on several channels: on the control channel, during speech, or on dedicated data channels. Airbus TETRA systems can also address a single message to multiple devices at once, which saves significant capacity and time.

Where the volume of data to be transferred is high, the IP Packet Data service is recommended. Where spectrum is limited, it may make sense to combine State Messaging (16 bytes), SDS messages (140 bytes without concatenation) and IP Packet Data.

Because of the weakened cipher, Bokslag says, an attacker can search the entire 32-bit effective key space exhaustively and then decrypt all traffic with very cheap hardware; a $10 USB dongle is enough to receive the signals. The attacker keeps that access until the key changes, and in many deployments the key never changes, so the attacker can eavesdrop whenever they want.
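The two critical flaws above come down to two properties of the cipher: the keystream is a function of the key and a network time that the attacker can observe or impose (CVE-2022-24401), and only 32 bits of the 80-bit TEA1 key actually matter (CVE-2022-24402). The following added example, which is not Midnight Blue's code and does not use the real TEA1 or AIE algorithms, models both properties with a toy stream cipher: the keystream is HMAC-SHA256(reduced_key, time || counter), the reduction step is a truncated hash, and the reduced key is scaled down to 16 bits (REDUCED_BITS, an assumption) so the exhaustive search finishes in about a second. The sample key, time slot and frames are constructed.

```python
"""Toy model of the two critical TETRA:BURST weaknesses (not the real TEA1/AIE ciphers)."""
import hashlib
import hmac

# Assumption: scaled down from TEA1's real 32-bit effective key so the search runs in ~1 s.
REDUCED_BITS = 16


def reduce_key(key80: bytes, bits: int = REDUCED_BITS) -> int:
    """Stand-in for TEA1's reduction step: an 80-bit key becomes a `bits`-bit effective key.

    The real reduction is unpublished; a truncated hash models the only property that
    matters for the attack, namely that just `bits` bits of key material survive.
    """
    if len(key80) != 10:
        raise ValueError("TEA1 keys are 80 bits (10 bytes)")
    digest = hashlib.sha256(b"toy-reduce" + key80).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)


def keystream(effective_key: int, network_time: int, length: int) -> bytes:
    """Toy AIE keystream derived from the effective key and the broadcast network time.

    Modelled as HMAC-SHA256(key, time || block_counter). As in TETRA, the time is neither
    secret nor authenticated, so an attacker running a rogue base station can choose it.
    """
    key_bytes = effective_key.to_bytes(4, "big")
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = network_time.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key_bytes, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(effective_key: int, network_time: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(effective_key, network_time, len(plaintext)))


decrypt_frame = encrypt_frame  # stream cipher: decryption is the same XOR


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """CVE-2022-24401 idea: one frame with predictable content at time T leaks the keystream for T."""
    return xor(known_plaintext, ciphertext)


def decrypt_with_keystream(ks: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) > len(ks):
        raise ValueError("recovered keystream is shorter than the target frame")
    return xor(ks, ciphertext)


def brute_force_effective_key(known_plaintext: bytes, ciphertext: bytes, network_time: int,
                              bits: int = REDUCED_BITS):
    """CVE-2022-24402 idea: once the key is reduced, exhaustive search over the reduced space is cheap."""
    probe = min(8, len(known_plaintext))            # one keystream block filters nearly all candidates
    target = xor(known_plaintext[:probe], ciphertext[:probe])
    for candidate in range(1 << bits):
        if keystream(candidate, network_time, probe) == target:
            return candidate
    return None


def demo() -> dict:
    """Run both attacks against constructed sample frames and return what the attacker learns."""
    key80 = bytes.fromhex("00112233445566778899")    # constructed sample network key
    eff = reduce_key(key80)
    t = 0x12345678                                    # network time slot, broadcast in the clear
    known = b"STATUS: unit 07 en route to station"    # frame whose content the attacker can predict
    secret = b"ORDER: stop gas flow at valve 12"      # another frame sent in the same time slot
    ct_known = encrypt_frame(eff, t, known)
    ct_secret = encrypt_frame(eff, t, secret)
    ks = recover_keystream(known, ct_known)           # no key needed, as Bokslag describes
    found = brute_force_effective_key(known, ct_known, t)  # key recovered: works for every time slot
    return {
        "effective_key": eff,
        "decrypted_via_keystream": decrypt_with_keystream(ks, ct_secret),
        "brute_forced_key": found,
        "decrypted_via_key": decrypt_frame(found, t, ct_secret),
    }


if __name__ == "__main__":
    print(demo())
```

The keystream recovery needs no key at all and reads any frame sent under the same time value, which is why a fixed or attacker-imposed time is fatal for a stream cipher; the brute force turns a one-slot break into a permanent one, and with the real 32-bit reduction it costs about 2^16 times more work than this toy, still minutes on consumer hardware.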

AT&T Alerts Millions About Data Breach That Exposed Sensitive Information

 


A cyber-incident at a vendor in AT&T's supply chain exposed sensitive information belonging to millions of the company's customers.

The incident occurred in January 2023, when AT&T's marketing vendor was hacked, resulting in unauthorized access to AT&T customer data.

Approximately 9 million customers have been given a precautionary warning after unauthorized access to their personal information was discovered.

According to the company, the exposed data included customers' first names, wireless account numbers, wireless phone numbers and email addresses.

For a small number of affected customers, additional details were exposed: the rate plan name, past-due amount, monthly payment amount, various monthly charges and/or minutes used. AT&T added that the data was several years old.

A company representative confirmed that the compromise occurred at the vendor and that AT&T's own systems were not affected. The information had been collected to determine eligibility for device upgrades. The company notified law enforcement about the incident immediately.

In a report published on Wednesday, AT&T said the breach did not involve payment details, account passwords, Social Security numbers or other sensitive personal information. Instead, the attacker gained unauthorized access to data used to determine upgrade eligibility, which the company characterized as years old.

The mobile carrier notified affected customers. According to a notification posted on the AT&T Community forum, the company informed customers that it had notified federal law enforcement about the unauthorized access to their CPNI (customer proprietary network information), as required by Federal Communications Commission rules.

The report to law enforcement does not contain specific information about any customer's account, only that unauthorized access occurred.

Customers' Accounts Were Exposed in the Verizon breach

 


There has been a lot of talk lately about telecom companies and consumer data breaches. In the past few years, T-Mobile has most often been in the headlines: the self-styled Un-carrier has suffered numerous attacks, each with disastrous results.

But T-Mobile is not the only one suffering this year. Newly released information reveals that millions of Verizon subscribers have had their personal information exposed to the public.

A Verizon contractor has apologized after failing to secure a large batch of customer information collected on behalf of the telecom company. The exposure affected more than 6 million customer accounts. It is unclear whether Verizon, the country's largest wireless carrier, will notify the affected users, though many expect it to.

In some cases customers' PIN codes were exposed alongside their names, addresses, phone numbers and account information. Some of the exposed data consisted of logs of customer service calls stored in the cloud.

As part of its commitment to security and privacy, Verizon is committed to protecting the personal information of its customers. 

Chris Vickery, a researcher with the cyber risk team at security vendor UpGuard, discovered the exposed data.

In a blog post, Dan O'Sullivan, a cyber resilience analyst at UpGuard, wrote that the data sat in an unsecured Amazon Simple Storage Service (S3) bucket. The repository was controlled by NICE Systems, an Israeli company that is part of Verizon's partner network.

Verizon said in a statement that the vendor supports a wireline self-service call center portal for small businesses and homes, and that certain data was required for that project.

UpGuard discovered the exposure on June 13 and notified Verizon, which had the bucket locked down by June 22. UpGuard characterized the exposure as "troubling"; officials from NICE could not be reached for comment.

UpGuard says 14 million customer records may have been exposed due to the breach. 

Verizon disputed that figure, saying on Wednesday that 6 million accounts had been exposed.

Verizon spokesman David Samberg did not answer how Verizon arrived at that number, although an analysis of access logs may have contributed. Asked about notifying customers, Samberg declined to comment.

Configuration Error Redux

Vickery has made several data exposure discoveries this year, Verizon's among them. The Shodan search engine, which indexes internet-connected devices, is an excellent tool for cataloguing such exposures: by plugging specific search terms into Shodan, researchers can find unsecured internet-facing systems and cloud instances.

As in the previous episodes of unintentionally exposed data that Vickery has found, the configuration error appears to have been NICE's: an access rule on the S3 bucket was set incorrectly.

That left the data available to anyone on the internet. Whoever had the S3 URL could reach the repository and download its many terabytes of contents, and the individual files were accessible as well, O'Sullivan writes.

By default, Amazon S3 buckets are not publicly accessible. Amazon's identity and access management controls let the owner decide who can read a bucket and who has permission to alter or delete data, and a bucket policy can further restrict access by HTTP referrer or source IP address.

It seems unlikely that anyone at NICE would have disabled those security defaults, but it's possible. 
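The two controls named above, the bucket ACL and the bucket policy, are where an exposure like NICE's shows up, and they can be audited offline from the JSON that the S3 GetBucketAcl and GetBucketPolicy APIs return. The following is an added example, not UpGuard's or Amazon's tooling, that flags ACL grants to the AllUsers and AuthenticatedUsers groups and policy statements that allow any principal to read. It deliberately treats an aws:Referer condition as no restriction at all, because the Referer header is set by the client, while a narrow aws:SourceIp condition is counted as a real restriction. The ACL and policy documents are constructed samples; the role ARN and bucket name are placeholders.

```python
"""Offline check for S3 buckets readable by anyone, as in the NICE/Verizon exposure."""
import json

# ACL grantee groups that make a bucket public. AuthenticatedUsers means *any* AWS account,
# which is public for practical purposes.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def action_grants_read(actions) -> bool:
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def condition_restricts_source(condition) -> bool:
    """Only a source-IP condition counts as a real restriction.

    aws:Referer is deliberately NOT counted: the Referer header is chosen by the client,
    so a policy that relies on it still lets anyone read with a forged header.
    """
    if not condition:
        return False
    for operator, keys in condition.items():
        if operator.lower().startswith("ipaddress") and any(k.lower() == "aws:sourceip" for k in keys):
            return True
    return False


def public_statements(policy: dict) -> list:
    """Sids of statements that let anyone on the internet read objects or list the bucket."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anyone(stmt.get("Principal")):
            continue
        if not action_grants_read(stmt.get("Action", [])):
            continue
        if condition_restricts_source(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Permissions granted to the AllUsers / AuthenticatedUsers groups in the bucket ACL."""
    return [
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES
    ]


def assess_bucket(acl: dict, policy: dict) -> dict:
    stmts = public_statements(policy)
    grants = public_acl_grants(acl)
    return {"public": bool(stmts or grants), "public_statements": stmts, "public_acl_grants": grants}


# Constructed samples: how an exposed bucket and its corrected version might look.
EXPOSED_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PortalReferrerOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*",
     "Condition": {"StringLike": {"aws:Referer": "https://portal.example.test/*"}}}]
}""")
LOCKED_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
]}
LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PortalRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/PortalReader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"}]
}""")

if __name__ == "__main__":
    print("exposed:", assess_bucket(EXPOSED_ACL, EXPOSED_POLICY))
    print("locked :", assess_bucket(LOCKED_ACL, LOCKED_POLICY))
```

Feed it the parsed output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` for each bucket in an account; as a belt-and-braces control, enabling S3 Block Public Access on the account prevents the exposed configuration from taking effect even if someone sets it.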

Orange Data Also Exposed

Besides Verizon's data, the S3 bucket also held information from at least one other organization, Orange, which is likewise a NICE partner, according to O'Sullivan.

That data appears less sensitive, he writes. Still, it is noteworthy to find it in a Verizon repository even though it is internal to Orange, since Verizon's enterprise division competes directly with Orange's on the European market.

Data Security is at Risk

Verizon has downplayed the exposure. Although some personal information was included in the data set, the company said, the overwhelming majority of it had no value to outsiders. Verizon confirmed in a statement that there were no Social Security numbers or Verizon voice recordings in the cloud storage area.

Some security experts are nevertheless skeptical that the leak is harmless. In some customer records the PIN was masked, but only for a subset of accounts.

UpGuard believes that unmasked PINs could be used to gain access to account information. The PINs are fundamental to verifying that callers are legitimate Verizon customers, which is what prevents impersonators from accessing and changing Verizon account settings, O'Sullivan writes.

Verizon says PINs cannot be used to access online accounts. Samberg, the Verizon spokesman, did not answer a follow-up question about whether a PIN alone would be enough to obtain an additional SIM card, but he suggested it might not be sufficient.

The fear is that scammers could impersonate customers and obtain SIM cards in their names.

With control of the victim's phone number, fraudsters would receive the victim's messages, including two-factor authentication codes. Many online services, from banks to cloud storage providers, now require such a one-time passcode to block unauthorized access.

The U.S. National Institute of Standards and Technology recommends against using voice calls and SMS messages for out-of-band authentication.

Smartphone authenticator apps that generate one-time codes are increasingly popular among businesses, including wireless carriers. Security experts generally consider this approach safer than sending codes via voice or SMS.

New MOTW Bypass Method Introduced by LockBit

 


LockBit operators continue to exfiltrate data from high-profile organizations and add their names to the gang's leak site. The tactics and techniques the gang employs are one of the significant factors behind its success, and researchers have now come across one such technique in its evasion tradecraft.

The Mark of the Web (MOTW) protection is bypassed by delivering the payload inside a .img disk-image container. In addition, the scripts extract a password-protected executable from a compressed archive that can only be unpacked when the specific password is supplied, which defeats traditional signature-based detection.

Revolutionary Techniques: What are They? 

In a campaign observed between December 2022 and January 2023, Fortinet researchers found LockBit operators using the following evasion techniques.

  • The campaign delivers a .img file; once mounted, the image contains several malware files, one visible to the user and the others hidden. Because files inside the mounted image do not inherit the Mark of the Web from the downloaded container, the attackers evade MOTW's protection. 
  • When the user opens the single visible file, a set of BAT scripts is dropped. These scripts check whether the targeted user has the required privilege level. 
  • In some cases the embeddable package of the official Python distribution is used to run Python scripts, which change the user's password and system settings without the user noticing. 
  • Finally, a BAT script extracts the LockBit ransomware payload from a password-protected archive and executes it. 
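The detection gap in the procedure above is that the downloaded .img carries the Mark of the Web while the executables, scripts and shortcuts mounted from it carry none, so SmartScreen and Office-style warnings never fire for them. The following added example (not Fortinet's or LockBit's code) parses Zone.Identifier streams and, given an inventory of files with their stream contents and the mounted container each came from, flags risky file types that lost the mark. On NTFS the mark is the Zone.Identifier alternate data stream, an INI-style text with a [ZoneTransfer] section and ZoneId, ReferrerUrl and HostUrl keys; ZoneId 3 is the Internet zone and 4 is Restricted Sites. The inventory format, the FileRecord type and all paths and URLs are constructed for this example.

```python
"""Flag files that lost the Mark of the Web by being unpacked from a marked disk image."""
from __future__ import annotations
from dataclasses import dataclass

ZONE_INTERNET = 3   # ZoneId values below this (0 local, 1 intranet, 2 trusted) are not "from the web"
RISKY_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".py", ".scr")
CONTAINER_SUFFIXES = (".img", ".iso", ".vhd", ".vhdx")


def parse_zone_identifier(stream: str | None) -> dict:
    """Parse a Zone.Identifier stream into its [ZoneTransfer] keys; {} when there is no stream."""
    if not stream:
        return {}
    fields, in_section = {}, False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(stream: str | None):
    """ZoneId as int, or None when the stream is missing or malformed (i.e. no usable mark)."""
    try:
        return int(parse_zone_identifier(stream).get("ZoneId", ""))
    except ValueError:
        return None


@dataclass
class FileRecord:
    path: str
    zone_stream: str | None          # contents of path:Zone.Identifier, or None if absent
    container: str | None = None     # path of the mounted image this file was read from


def find_motw_bypass(records: list[FileRecord]) -> list[dict]:
    """Risky files with no mark whose source container was marked as coming from the web."""
    containers = {}
    for r in records:
        if r.path.lower().endswith(CONTAINER_SUFFIXES):
            containers[r.path] = (zone_id(r.zone_stream), parse_zone_identifier(r.zone_stream))
    findings = []
    for r in records:
        if r.container is None or r.container not in containers:
            continue
        parent_zone, parent_fields = containers[r.container]
        if parent_zone is None or parent_zone < ZONE_INTERNET:
            continue                                  # container itself was not from the web
        if zone_id(r.zone_stream) is not None:
            continue                                  # child still carries a mark: not a bypass
        if r.path.lower().endswith(RISKY_SUFFIXES):
            findings.append({"path": r.path, "container": r.container, "container_zone": parent_zone,
                             "referrer": parent_fields.get("ReferrerUrl", ""),
                             "host": parent_fields.get("HostUrl", "")})
    return findings


# Constructed sample inventory: a downloaded image and the files mounted from it.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Users\alice\Downloads\invoice.img",
               "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/\r\n"
               "HostUrl=https://files.example.test/invoice.img\r\n"),
    FileRecord(r"C:\Users\alice\Downloads\report.docx", "[ZoneTransfer]\r\nZoneId=3\r\n"),
    FileRecord(r"E:\invoice.lnk", None, container=r"C:\Users\alice\Downloads\invoice.img"),
    FileRecord(r"E:\run.bat", None, container=r"C:\Users\alice\Downloads\invoice.img"),
    FileRecord(r"E:\python\python.exe", None, container=r"C:\Users\alice\Downloads\invoice.img"),
    FileRecord(r"E:\readme.txt", None, container=r"C:\Users\alice\Downloads\invoice.img"),
]

if __name__ == "__main__":
    for f in find_motw_bypass(SAMPLE_INVENTORY):
        print(f"{f['path']} unpacked from {f['container']} (zone {f['container_zone']}, host {f['host']})")
```

On a live Windows host the stream text comes from opening `path + ":Zone.Identifier"`, and the container mapping from the volume mount events; the useful output is the referrer and host URL of the image, which is the delivery infrastructure worth blocking.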
The Exploitation Strategy of LockBit 

  • LockBit 3.0, released by the LockBit operators in June 2022, caught researchers' attention with enhanced anti-analysis features and evasion improvements. It resembles BlackMatter ransomware in that it packs code into byte strings, creates function trampolines and resolves function addresses dynamically, techniques that hinder analysis of the malware. 
  • The operators suffered a setback at the end of September 2022, when a disgruntled developer allegedly leaked the source code of LockBit 3.0. That did not slow the attackers: in February 2023 they introduced LockBit Green, a new addition to the threat landscape. 
  • Reverse-engineering analysis shows that this variant draws on code from Conti ransomware. 
  • The LockBit Green variant has recently been released by the LockBit team and is believed to have targeted at least five victims so far. 
Successful LockBit attacks were reported throughout the second and third quarters of 2022, and LockBit remains one of the most active ransomware families in RaaS and extortion attacks. Based on data gathered from leak sites, LockBit claimed 436 victim organizations between April and September. 

Exfiltrator-22 (EX-22) is a new post-exploitation framework developed by a group of former LockBit affiliates and members, built from leaked source code of other well-known post-exploitation frameworks. 

EX-22 is offered as a framework-as-a-service and is designed to spread ransomware across corporate networks after initial compromise without being detected by the victim. 

LockBit ransomware has targeted a variety of industries in recent years, including critical infrastructure sectors. Experts expect the threat actors to keep using obscure methods to avoid detection as new variants with additional capabilities are released.

Some Hackers Use Malware-Free Methods

 


Cybercriminals are becoming ever more sophisticated, and according to new research they are increasingly carrying out intrusions without using any malware at all. 

The report, published by cybersecurity firm CrowdStrike, reveals that almost three out of four attacks detected in 2022 (71%) were malware-free, a significant increase over the 62% reported a year earlier. The figures are based on "data from trillions of daily events" from the CrowdStrike Falcon platform and CrowdStrike Falcon OverWatch. 

Researchers also reported a 50% increase in interactive intrusions, in which a human operator is hands-on-keyboard. This illustrates how sophisticated human adversaries increasingly look for ways to evade antivirus protection and outwit fully automated defenses. 

Intensification of Sophistication 

CrowdStrike's deeper exploration of cybercrime found that identity and access credentials remain valuable and in high demand: advertisements by access brokers rose 112% from 2021 to 2022. Over the same period, the number of cases involving cloud-conscious threat actors nearly tripled, and cloud exploitation grew by 95%.  

A combination of threats of unprecedented magnitude has come to the forefront of security over the past 12 months. 

"Several splintered cybercrime groups emerged with greater sophistication in the past year, relentless threat actors have spied on patched vulnerabilities, and a growing number of Chinese-nexus adversaries have gained traction against the feared Russia-Ukraine conflict by masking the feared threats," said Adam Meyers, CrowdStrike's head of intelligence.

It is important to remember that today's threat actors are more sophisticated, more resourceful, and better funded than ever before. To remain one step ahead of increasingly relentless adversaries, companies will need to understand their rapidly evolving tactics, techniques, and objectives, and adopt the latest technology informed by threat intelligence.

Researchers claim that 33 new adversaries appeared on the scene in 2022, meaning the number of hacking groups is growing at an astonishing rate; according to the report, this was one of the largest increases seen in just over a year. One of the most prominent threats to telecommunications, BPO, and tech companies is SCATTERED SPIDER, a group behind many recent high-profile attacks on companies in these sectors.

Aside from that, hackers are still using old tools and known vulnerabilities that were discovered years ago. Log4Shell remains a key culprit, while ProxyNotShell and Follina continue to be huge liabilities for IT departments.

Hacker Operations and Protection  

Computer threats are the result of human action, not the actions of computers. A computer predator takes advantage of those who are vulnerable in order to benefit themselves. You can imagine the scale of the threat to your security that a predator poses once he gains access to the Internet and, through it, to your PC.

An illegal computer hacker is a person who enters your computer system without authorization with the intent of stealing, changing, or destroying your data, often by installing dangerous malware on your computer without your knowledge or consent.

Through clever strategies and the use of their expertise, they can access information that you would like to keep private.   

In What Ways Can Hackers Harm? 

Hackers may have installed several different types of malware on your computer. This malware quietly transmits your personal and financial information without your knowledge or consent while your computer is connected to the Internet. Alternatively, private information you unwittingly divulge on your computer could be gathered by a computer predator. Either scenario allows them to do the following:

  • Steal your passwords and usernames.
  • Steal your money, and open bank accounts and credit cards in your name.
  • Stalk you while you are online. It is always wise to use extreme caution when deciding to meet in person someone you met online, especially when you were not previously familiar with them.

'Ransomware Year' May Be The Most Devastating Ever

In recent months, cyberattacks have been launched against Canada's largest children's hospital and a large provincial liquor board. This may be just the beginning of a year filled with major cyber and ransomware attacks on such institutions. The reason behind the trend is that sanctions against Russia and declining crypto markets have made hackers more aggressive. In late December, Toronto's Hospital for Sick Children was the victim of a ransomware attack that took systems down and caused delays in lab results.

It was reported in January that the Liquor Control Board of Ontario had been compromised by malicious code, which hackers used to steal the data of Ontario customers. As David Shipley of Beauceron Security, a cybersecurity company, explained, many payments in the world of cybercrime are facilitated through bitcoin and other cryptocurrencies.

Over the past year, many crypto assets have experienced significant losses, and some of those losses are being recouped through ransomware attacks perpetrated by hackers.

Their business model is to make hundreds of millions, and perhaps billions, of dollars through ransoms, which they collect mainly in bitcoin, Shipley explained. They have lost a lot of that wealth and will have to work hard to recoup it, which Shipley believes is the most likely driver of future malicious attacks. He also warned that cybercrime can be a lucrative way for people to earn money, particularly now that sanctions are being placed against Russia. The U.S. FBI's raid on a ransomware group called Hive may have had a positive effect in slowing down activity. However, cybercrime has a low entry barrier, and a great many more criminals will be able to enter the market as a result.

In a recent interview, Sami Khoury, head of the Canadian Centre for Cyber Security, said things seem to be getting comparatively more challenging as time passes.

Some of the ransomware events have indeed grown in sophistication and number over the past few years. Additionally, it is becoming increasingly apparent that skills previously associated with nation-states are now being transferred to cyber criminals. Compared to the ransomware and phishing emails sent five years ago, the malicious email used by today's scammers is a different game altogether, Khoury added.

Ransomware is the biggest threat to Canadians, according to a threat report released by the Cyber Centre. More than 400 healthcare organizations in the U.S. and Canada have been hit by ransomware attacks since March 2020, the majority of them located in the United States. The findings also indicated that Chinese, Russian, Iranian, and North Korean state actors were significant contributors.

Keeping in mind that ransomware can be incredibly lucrative for criminals, Khoury believes it attracts them to attack any organization that must run continuously.

When it comes to ransomware, cybercriminals are indiscriminate, they have no scruples, and they believe they can make the most profit by attacking organizations that cannot afford an interruption to their day-to-day operations, he continued.

Cyber-terrorism attacks are constantly evolving, so governments have to adjust their tactics to stay ahead of hackers. Khoury believes the Canadian federal government is adequately protected from cyber-terrorist attacks. 

The government is being targeted with ransomware attacks that aim to gain complete control of its systems. Fortunately, the sensor technology deployed has allowed defenders to catch these attacks at the earliest possible stage and to contain them at every phase of their expansion.

The federal government has never made a payment to a ransomware group, according to Shirley Ivan, chief information security officer for the government of Canada. When asked how passwords are changed and systems backed up when they are threatened, she explained that the government has effective procedures in place.

Its policy is that, in general, it does not pay ransoms for the damage ransomware has caused; therefore, it cannot be said that a payment has ever been made by the government or its partners. However, some of its IT systems are decades old, including those behind large programs such as the Employment Insurance system. COBOL, a programming language that has not been widely used in recent years, is still used in the EI program.

The programs Ivan is aware of are over a decade old, but she assures that they are being updated and that the systems will remain stable until the updates are completed.

The government does have some older systems, but programs are in progress to modernize them. This will enable it to continue providing services to clients to the fullest extent of its abilities: making sure that payments are made, that transactions are processed, and that funds keep flowing.

Shipley recognizes that the government and the cyber center do a great job maintaining the security and operation of government systems. Yet, he said, the situation in the country is similar to that of a medieval castle; all the people live outside the walls.