Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerability management. Show all posts
Vulnerability management
China Cyber Security Cyber Threats Cybersecurity Dutch intelligence espionage FortiGate devices Malware Detection RAT Threat actors Vulnerability management

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.
Read more »
Vulnerability management
Cloud Security Exchange Servers Server Vulnerability Vulnerabilities and Exploits Vulnerability management

Thousands of Outdated Microsoft Exchange Servers are Susceptible to Cyber Attacks

 

A large number of Microsoft Exchange email servers in Europe, the United States, and Asia are currently vulnerable to remote code execution flaws due to their public internet exposure. These servers are running out-of-date software that is no longer supported, and as a result, they do not receive any updates or security patches. As a result, they are vulnerable to a variety of security issues, some of which have critical severity ratings. 

Recent internet scans conducted by The ShadowServer Foundation have disclosed that nearly 20,000 Microsoft Exchange servers are presently accessible via the public internet and have reached the end of life stage. These statistics, however, may not be indicative of the whole picture. Yutaka Sejiyama, a Macnica security researcher, carried out additional research and identified over 30,000 Microsoft Exchange servers that have reached end-of-life status. 

Sejiyama's Shodan scans discovered nearly 30,635 unsupported Microsoft Exchange devices on the public web. There were 275 Exchange Server 2007 instances, 4,062 Exchange Server 2010 instances, and a whopping 26,298 Exchange Server 2013 instances. 

One of the main concerns with these old servers is the possibility of remote code execution. Outdated Exchange servers are vulnerable to a number of remote code execution bugs, including the critical ProxyLogon vulnerability (CVE-2021-26855), which can be combined with the less serious CVE-2021-27065 flaw to allow remote code execution.

According to Sejiyama's analysis of the scanned systems' build numbers, approximately 1,800 Exchange servers are still vulnerable to ProxyLogon, ProxyShell, and ProxyToken vulnerabilities. 

While some of these flaws do not have critical severity ratings, Microsoft still considers them "important." Furthermore, with the exception of the ProxyLogon chain, which was previously exploited in attacks, all of these flaws are believed to be "more likely" to be targeted. 

Organisations that continue to use obsolete Exchange servers despite having implemented available mitigations are still susceptible. Microsoft strongly advises prioritising the installation of updates on servers that are exposed to the outside world. The only option for servers that have reached the end of support is to upgrade to a version that continues to get security patches. 

The identification of tens of thousands of vulnerable Microsoft Exchange servers emphasises the critical importance of updating software and applying security patches on a regular basis. Failure to do so exposes businesses to the risk of remote code execution and other security breaches.
Read more »
Vulnerability management
Application Security Cloud Security Data Safety Vulnerabilities and Exploits Vulnerability management

Unpatched ICS Flaws in Critical Infrastructure: CISA Issues Alert

 

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) released recommendations for a total of 49 vulnerabilities in eight industrial control systems (ICS) utilised by businesses in various critical infrastructure sectors. Several of these vulnerabilities are still unpatched. 

Organizations in the critical infrastructure sectors must increasingly take cybersecurity into account. Environments for ICS and operational technology (OT) are becoming more and more accessible via the Internet and are no longer air-gapped or compartmentalised as they once were. As a result, both ICS and OT networks have grown in popularity as targets for both nation-state players and threat actors driven by financial gain.

That's bad because many of the flaws in the CISA advisory can be remotely exploited, only require a simple assault to succeed, and provide attackers access to target systems so they may manipulate settings, elevate privileges, get around security measures, steal data, and crash systems. Products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM all have high-severity vulnerabilities. 

The CISA recommendation was released at the same time as a study from the European Union on threats to the transportation industry, which included a similar warning about the possibility of ransomware attacks on OT systems used by organisations that handle air, sea, rail, and land transportation. Organizations in the transportation industry are also affected by at least some of the susceptible systems listed in CISA's alert. 

Critical vulnerabilities

Siemens' RUGGEDCOM APE1808 technology contains seven of the 49 vulnerabilities listed in CISA's alert and is not currently patched. The flaws give an attacker the ability to crash or increase the level of privileges on a compromised system. The device is presently used by businesses in several critical infrastructure sectors all around the world to host commercial applications. 

The Scalance W-700 devices from Siemens have seventeen more defects in various third-party parts. The product is used by businesses in the chemical, energy, food, agricultural, and manufacturing sectors as well as other critical infrastructure sectors. In order to protect network access to the devices, Siemens has urged organisations using the product to update their software to version 2.0 or later. 

InfraSuite Device Master, a solution used by businesses in the energy sector to keep tabs on the health of crucial systems, is impacted by thirteen of the recently discovered vulnerabilities. Attackers can utilise the flaws to start a denial-of-service attack or to obtain private information that could be used in another attack. 

Other vendors in the CISA advisory that have several defects in their products include Visam, whose Vbase Automation technology had seven flaws, and Rockwell Automaton, whose ThinManager product was employed in the crucial manufacturing industry and had three flaws. For communications and government businesses, Keysight had one vulnerability in its Keysight N6845A Geolocation Server, while Hitachi updated details on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products. 

For the second time in recent weeks, CISA has issued a warning to firms in the critical infrastructure sectors regarding severe flaws in the systems such organisations employ in their operational and industrial technology settings. Similar warnings on flaws in equipment from 12 ICS suppliers, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio, were released by the FCC in January. 

Many of the defects in the previous warning, like the current collection of flaws, allowed threat actors to compromise systems, increase their privileges, and wreak other havoc in ICS and OT contexts. 

OT systems under attack

A report this week on cyberthreats to the transportation industry from the European Union Agency for Cybersecurity (ENISA) issued a warning about potential ransomware attacks against OT systems. The report's analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022 was the basis for the report. 

According to the data, 47% of the attacks were carried out by cybercriminals who were motivated by money. The majority of these attacks (38%) involved ransomware. Operational disruptions, spying, and ideological assaults by hacktivist groups were a few more frequent reasons. 

Even while these attacks occasionally caused collateral damage to OT systems, ENISA's experts did not discover any proof of targeted attacks on them in the 98 events it examined. 

"The only cases where OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report stated. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The research from the European cybersecurity agency cited an earlier ENISA investigation that warned of ransomware attackers and other new threat groups tracked as Kostovite, Petrovite, and Erythrite that target ICS and OT systems and networks. The report also emphasised the ongoing development of malware designed specifically for industrial control systems, such as Industroyer, BlackEnergy, CrashOverride, and InController, as indicators of increasing attacker interest in ICS environments. 

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report further reads. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."
Read more »
Vulnerability management
Cyber Attacks malware OST Ransomware RDP Secureworks Vulnerability Vulnerability management

Ransomware is Now the Top Attack Vector Due to Bug Exploitation

 



Security experts at Secureworks have revealed that vulnerability exploitation has accounted for 52% of ransomware incidents investigated by the company over the past 12 months. This makes it the number one initial access vector for attackers, according to a new report published by the company.

As an annual report, the security firm's State of the Threat report is compiled based on the insight gathered from the anti-terrorism unit of the organization over the past year.

A leading ransomware researcher has found that last year, ransomware actors mainly used vulnerabilities found in systems exposed to the Internet to increase their effectiveness, rather than to take advantage of credentials  often associated with the compromise of Remote Desktop Protocol (RDP), and using malicious emails.

Reports suggested that this shift in tactics may directly result from a significant imbalance between the capabilities of threat actors and network defenders. This imbalance may explain this shift in tactics.

At the same time as threats are rapidly weaponizing newly discovered vulnerabilities, developers of offensive security tools (OSTs) are also driven by the need to generate profit or keep their tools relevant  to implement updated exploit code as soon as possible, the report illustrated. 

A lot of people often overlook the fact that responsible disclosure is often about not having to wait for patches to become available. Even if a patch is available, the process of patching a vulnerability in an enterprise environment is far more complicated and much slower than the process for threat actors or OST developers of weaponizing publicly accessible exploit code.

As a result, vulnerability management teams must also take precautions against the persistent threat of credential-based attacks. In a recent report, Secureworks reported a 150% growth in the use of info-stealers that are designed to grab credentials from networks and gain access to them in an attempt to steal sensitive information.

There has been an investigation launched by an anti-virus vendor on a single day in June, during which it claimed to have observed over 2.2 million credentials, which were collected by criminals who stole information and made them available for sale on an underground platform.

According to Secureworks, ransomware continues to represent the number one threat to global organizations, accounting for more than a quarter of the attacks analyzed by the company. Among the threats that have been reported, most of them have been linked to Russian cybercrime groups.

So far this year, the good news is that the median dwell time of attackers has dropped from 22 days in 2021 to 11 days. This is a decrease of two days from last year, but it still leaves attackers with plenty of time to steal data from organizations and deploy the payloads for ransomware attacks.

Preventions for ransomware attacks


Safeguarding your systems from malware attacks includes simple yet effective measures like

• Never click on unknown or unauthorized links or stores.
• Never input your personal information on unofficial stores or websites.
• Never click on any unknown attachments on emails.
• Never plug into any unknown USB sticks.
• Never download any software or application from unauthorized sources.
• Always keep your systems up-to-date.
• Always work under VPN security while using public wi-fi.
 
To ensure that the vulnerabilities do not get exploited, you need to identify and address them as soon as possible. Keeping track of your vital systems and their security is impossible without implementing an effective vulnerability management system (VM). 

Choosing the right VM tools is important as they provide accuracy, guidance in the right directions, and efficiency, to help your team in dealing with the most critical vulnerabilities. Once you establish a scalable and sustainable VM program you will be capable of defending your systems from ransomware attacks.
Read more »
zero Day vulnerability
Bugs Exploits Flaws Log4j PoC Vulnerabilities and Exploits Vulnerability management Vulnerable Systems zero Day vulnerability

The Log4j Incident Demonstrated Again That Publicly Disclosing 0-day Vulnerabilities Only Aids Intruders

 

On December 9, 2021, a (now-deleted) tweet pointing to a 0-day proof of concept (PoC) exploit for the Log4Shell vulnerability on GitHub set the internet ablaze, sending businesses rushing to mitigate, patch, and patch again as other PoCs surfaced. 

Public vulnerability disclosure – that is, revealing to the world the existence of a bug in a piece of software, a library, an extension, or another piece of software, and releasing a proof-of-concept (PoC) that exploits it – occurs frequently for vulnerabilities in a wide range of software, from the most esoteric to the most mundane (and widely used). 

Threat actors are the only ones who benefit from the public disclosure of 0-day PoCs, as per research and experience, because it puts enterprises in the awkward position of needing to remediate the issue without having anything solid to mitigate it with (i.e., a vendor's patch). 

There are several different types of responsible vulnerability disclosure systems available today. Some companies have an official vulnerability disclosure programme while others arrange and operate it through crowdsourced platforms. Companies typically offer money for information concerning flaws in their products (also known as "bug bounties"). 

Those disclosures usually follow a set of steps, and vendor patches have clearly stated release dates so that users have plenty of time to install them (90 days is the accepted standard for this). 

When the Log4Shell vulnerability was announced publicly, the disclosure procedure was already underway (as evidenced by the pull request on GitHub that appeared on November 30). The following is the timeline of the disclosure, according to information provided by the Apache Software Foundation:
  • November 24: The Log4j maintainers were informed 
  • November 25: The maintainers accepted the report, reserved the CV, and began researching a fix November 26: The maintainers communicated with the vulnerability reporter 
  • November 29: The maintainers communicated with the vulnerability reporter December 4: Changes were committed 
  • December 5: Changes were committed 
  • December 7: First release candidate created 
  • December 8: The maintainers communicated with the vulnerability reporter, made additional fixes, created a second release candidate 
  • December 9: Patch released 
While user comments on the Apache Log4j GitHub project page expressed dissatisfaction with the timeliness of the update, this is to be expected when it comes to patching vulnerabilities - as everyone keeps pointing out, after all, the patch was developed by volunteers. 

Probable reasons for releasing PoC 

There could be valid and logical reasons for releasing a 0-day proof-of-concept. The most prevalent of these is the breakdown of the vulnerability disclosure process: the vendor may not be or cease to be responsive, may judge the vulnerability to be minor enough to warrant a repair, or may take too long to fix it – or any combination of the above. 

In situations like these, security researchers frequently decide to make the PoC public for the "common good," i.e. to force vendors to release a patch quickly. Other factors could include publicity (especially if the researcher is associated with a security vendor) – nothing attracts more press attention than zero-day proof-of-concept exploits for a widely used piece of software, especially if no patch is available. 

However, it should be noted that the evidence against publishing proof-of-concept exploits is now substantial and overwhelming. According to a study conducted by Kenna Security, sharing proof-of-concept attacks mostly assists attackers. A presentation at Black Hat several years ago walked through the lifecycle of zero-days and how they were released and exploited, demonstrating that if proof-of-concept exploits aren't publicly disclosed, the vulnerabilities in question aren't discovered for an average of 7 years by anyone else (threat actors included).

Unfortunately, during the log4j scramble, this was discovered a little too late. Although the initial tweets and disclosures were quickly withdrawn, the harm had already been done. Even the most recent revelation, which resulted in the release of patch 2.17.1, generated so much criticism from the security community that the researcher apologized publicly for the publication's bad timing. 

It's encouraging to see that public disclosure of PoC exploits is becoming more common. Researchers who choose to jump the gun need to be criticized, but all must all work together to ensure that more rigorous disclosure mechanisms are in place for everyone so that the public PoC scenario is avoided the next time a vulnerability like Log4Shell is uncovered.
Read more »
Zero-day vulnerability
Botnets DDOS Attacks LeetHoxer malware Mirai botnet Moobot Vulnerability management Zero-day vulnerability

LeeHozer and Moobot Have The Same Attack Maneuvers?


Sharing has become a thing with cyber-criminals and their malware mechanisms. Reportedly, LeetHozer botnet was found to have similar attack tactics as that of the Mootbot malware family. Researchers have reasons to think that the party that created the Moobot also could be the ones who created the LeetHozer.

Per researchers, the LeetHozer botnet has been counting on other kinds of malware for a little bit of sharing here and there. Per sources, it has in the past used the loader and reporter system that the Mirai uses.

Apparently, despite using the same mechanisms as Mirai the LeetHoxer threat was a little different. According to researchers, other Mirai variations too were altered including the encryption procedure, the bot program, and the command and control protocol. The unique "string and downloader" too were revealed to be of the same kind as Mirai.

Per reports, the botnet was noticed when it was found to be manipulating a vulnerability in the “telenet service” of a device. It made use of the default password to get access to the device. Once the device got infected the LeetHozer sent the information of the device to its reporter mechanism which then got to the command and control server and then finally the instructions for the Denial-of-Service attack were received.

The history of various attacks has it that Moobot has been a part of quite a lot of attacks ever since it first surfaced last year. According to researchers, several threat actors have made use of it to exploit zero-day vulnerabilities. It was discovered by the researchers while it was manipulating a zero-day vulnerability in fiber routers, reports mention. It hence is needless to say that one of the major attack tactics of the Moobot is exploiting any zero-day flaw it could get it claws into.

There are numerous ways in which an organization can create a barricade against any such attacks. The cyber and technological security personnel could design a response plan and a contingency plan especially against DDoS attacks, the systems should be backed up at all times, and configuration could be done in a way that as soon as the network is attacked the back-up kicks in. Also, researchers suggest that Artificial Intelligence could prove to be a very lucrative solution for such problems.

Read more »
Subscribe to: Posts (Atom)