
Barracuda's Vigilance: Tackling Cyberattack Sophistication Head-On

 


Securing web applications has historically been difficult and complex because they are among the primary vectors criminals use to penetrate your network. In addition to offering comprehensive protection against all kinds of application-based threats, the Barracuda Web Application Firewall comes with highly flexible deployment options and exceptional ease of use.

Barracuda, a provider of cloud-first security solutions, has released the results of its first-half-2023 analysis of Barracuda Managed XDR data, which relies on artificial intelligence-based pattern analysis. Out of more than one trillion IT events collected, Barracuda Managed XDR detected and neutralized thousands of high-risk incidents.

New research has found that scammers are keeping cyber-extortion attacks hidden from tech-savvy consumers. In a research project carried out by Columbia University, researchers examined 300,000 emails that artificial intelligence (AI) detectors designed by Barracuda Networks had identified as blackmail scams over one year.

The team also set out to study the tactics cybercriminals use to extort money from people without being detected by security teams or payment systems. Several studies have revealed that fraudsters protect themselves from detection by targeting no more than 10 work email accounts at a time and by making moderate payment demands of US$1000 in Bitcoin.

Artificial intelligence (AI) is a powerful security tool because it can identify anomalies by building a baseline from normal activity patterns. That gives defenders a significant advantage when an attacker uses legitimate but compromised credentials and accounts to commit fraud.

In the first half of 2023, the three most common high-risk detections were "impossible travel" login detection, the detection of communication with known artefacts, and the detection of "unauthorized use" of computer accounts. These threats were defined as those requiring immediate defensive action by security professionals. 

The cloud cybersecurity firm Barracuda Networks Inc. has released a new report on how artificial intelligence is being used both by attackers to damage systems and by defenders to prevent potential attacks and breaches. The report details how attackers use AI and provides guidance on how to mitigate the risk.

During the period January through July 2023, ninety-five billion events were analysed from customers' integrated network, cloud, email, endpoint, and server security tools. A comprehensive analysis of all types of events was conducted that included logins, application and device processes, configuration and registry changes, as well as much more. 

A total of 0.1% of all customer events, or 985,000 of the events analyzed, were labelled as "alarms," which indicates activity that may be malicious and may require further investigation. Only 9.7% of these were flagged for customer review, while another 2.7% were identified as high-risk and sent to the Security Operations Center to be further investigated. Six thousand individuals had to take immediate defensive action to contain and neutralise the threat. 

Notably, the Barracuda report states that AI-based detection was the key factor in both detecting and analyzing this data during the first six months of 2023.

As Barracuda noted, the most common high-risk detection was the "impossible travel" cloud login, which occurs when a user appears to log into a cloud account from two geographically different locations simultaneously.

A user may be on a virtual private network for one of these sessions, but impossible travel is almost always a sign that an attacker has gained access to, and control over, the account. The report also covers detections of "anomalies" in users' accounts, that is, unusual or unexpected activity. Detecting such anomalies requires several factors to be taken into account.

Examples include one-time or unusual login times, unusual file access patterns, or excessive account creation by an individual user or an organization. Such anomalies can be a sign of malware infection, phishing attacks, or insider threats.
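The impossible-travel rule described above is simple enough to express as code. The following Python is an added example written for this page, not code from the original post or from Barracuda's product: it runs over a few constructed sign-in events (user, UTC timestamp, coordinates, source IP; the names and addresses are made up) and flags consecutive logins by the same user that would require travelling faster than an assumed 1000 km/h threshold. A zero elapsed time is treated as infinite speed so that truly simultaneous sessions from different places are also caught.

```python
import math
from datetime import datetime, timezone

# Constructed sample of cloud sign-in events (not real telemetry).
# Each tuple: user, ISO-8601 UTC timestamp, latitude, longitude, source IP.
SAMPLE_LOGINS = [
    ("alice", "2023-03-01T08:00:00Z", 40.71, -74.01, "198.51.100.10"),  # New York
    ("alice", "2023-03-01T08:40:00Z", 52.52, 13.40, "203.0.113.7"),     # Berlin, 40 min later
    ("bob",   "2023-03-01T09:00:00Z", 51.51, -0.13, "192.0.2.5"),       # London
    ("bob",   "2023-03-01T15:30:00Z", 48.86, 2.35, "192.0.2.88"),       # Paris, 6.5 h later
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive logins (per user) that implies an
    impossible speed. Events are sorted per user by time before comparison."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon, ip) of the previous login
    for user, ts, lat, lon, ip in sorted(events, key=lambda e: (e[0], parse_ts(e[1]))):
        now = parse_ts(ts)
        prev = last_seen.get(user)
        if prev is not None:
            p_ts, p_lat, p_lon, p_ip = prev
            hours = (now - p_ts).total_seconds() / 3600.0
            dist = haversine_km(p_lat, p_lon, lat, lon)
            # Same place is never impossible; different place with no elapsed time always is.
            impossible = dist > 0 and (hours <= 0 or dist / hours > max_kmh)
            if impossible:
                alerts.append({
                    "user": user,
                    "from_ip": p_ip,
                    "to_ip": ip,
                    "distance_km": round(dist),
                    "hours": round(hours, 2),
                    "speed_kmh": round(dist / hours) if hours > 0 else None,  # None = simultaneous
                })
        last_seen[user] = (now, lat, lon, ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

In the sample, alice's New York to Berlin hop (roughly 6,400 km in 40 minutes) is flagged, while bob's London to Paris hop over six and a half hours is not. A production version would resolve coordinates from the source IP with a geolocation database and would suppress known VPN or corporate egress ranges, which is the false-positive case the report mentions.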

Detecting communications with known malicious artefacts ranked third; such contact is a sign of a malware infection or a phishing attempt. These detections identify contact with IP addresses, domains, and files that have been red-flagged or marked as known malicious.
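Matching traffic against known-bad indicators is the third detection named above. The following Python is an added example, not code from the post or from Barracuda: it checks a few constructed proxy log lines against constructed indicator lists (the IPs, domain and hash are placeholders, not real indicators of compromise). Domains are compared label by label so that a subdomain of a flagged domain matches but a look-alike such as `notmalicious-cdn.example` does not; the log format and field order are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed indicator lists; placeholder values, not real IoCs.
BAD_IPS = {"203.0.113.66"}
BAD_DOMAINS = {"malicious-cdn.example"}  # matches this domain and any subdomain of it
FAKE_HASH = "0" * 63 + "1"               # stands in for a known-bad SHA-256
BAD_SHA256 = {FAKE_HASH}

# Constructed proxy log, one record per line:
# timestamp client destination_ip host sha256_of_downloaded_file (or "-")
SAMPLE_LOG = "\n".join([
    "2023-04-02T10:01:02Z 10.0.0.5 198.51.100.1 www.example.com -",
    "2023-04-02T10:02:17Z 10.0.0.9 203.0.113.66 update.malicious-cdn.example -",
    f"2023-04-02T10:03:40Z 10.0.0.5 198.51.100.2 files.internal.example {FAKE_HASH}",
    "2023-04-02T10:04:11Z 10.0.0.7 198.51.100.9 notmalicious-cdn.example -",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def domain_hits(host: str, bad: Set[str]) -> List[str]:
    """Return the flagged domains equal to host or a parent domain of it.
    Working on whole labels avoids substring matches like 'notmalicious-cdn.example'."""
    labels = host.lower().strip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    return sorted(candidates & bad)


def match_indicators(log_text: str) -> List[Dict]:
    """Return one hit per log line that touches a flagged IP, domain or file hash."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the whole scan
        ts, client, dst_ip, host, sha = m.groups()
        reasons = []
        if dst_ip in BAD_IPS:
            reasons.append(f"ip:{dst_ip}")
        for d in domain_hits(host, BAD_DOMAINS):
            reasons.append(f"domain:{d}")
        if sha != "-" and sha.lower() in BAD_SHA256:
            reasons.append(f"sha256:{sha}")
        if reasons:
            hits.append({"line": n, "time": ts, "client": client, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOG):
        print(hit)
```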

While the data analysis demonstrates how AI can be used to detect and prevent attacks, the report also warns that attackers can misuse AI in malicious ways.

According to the report, generative AI language tools are capable of creating highly convincing emails that resemble an actual company’s style, making it even more difficult for individuals to distinguish if an email is legitimate or a phishing, account takeover, or business email compromise attempt. 

AI tools can also be used by attackers to automate and dynamically replicate adversarial behaviour, which can make them more efficient and harder to detect in the future. 2023 will inevitably see an increase in online phishing and other forms of email-based cyber attacks; Acronis, for instance, confirmed that the number of email-based phishing attacks in the first half of the year increased 464% compared with 2022.

As part of its report, Barracuda offered steps businesses can take to avoid being extorted over their assets. The best way to prevent hackers from gaining control of critical systems is to invest in artificial intelligence-powered email security that detects and blocks malicious emails before they reach their intended recipients.

The report also emphasizes the importance of employee training and security policies, such as prohibiting staff from using their work email address to access third-party websites or from storing sensitive information in their work email.

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers

 

According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws may be chained with the reintroduced access-control weakness to enable total site takeover. Combined with the stored XSS flaw, it would let any logged-in user edit any published post and inject malicious JavaScript into it. Combined with the other flaw, it could let any logged-in user upload potentially executable files and achieve remote code execution.

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts. The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 
 
The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked. 

The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346), which could allow authenticated users to upload files to a website. According to Wordfence researchers, the authorization check vulnerability lets subscriber-level users elevate their privileges and then upload executable files to a location of their choice via the brizy_create_block_screenshot AJAX method. According to the evaluation, other types of attacks are also possible.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 
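The two defects the researchers describe, an authorization check that any logged-in user could satisfy and an upload path that trusted the client-supplied filename (double extensions, `../` traversal), each have a standard mitigation. The following Python is an added example written for this page; it is not Brizy's code and does not use any WordPress API. The `User` model, the `upload_files` capability name, the `store_upload` function and the upload directory are assumptions, and the rules themselves apply whatever language the plugin is written in: require an explicit capability rather than "was in the admin area", reject traversal and executable inner extensions, check the file header against the claimed type, and never reuse the client's filename on disk.

```python
import os
import re
import secrets
from dataclasses import dataclass, field

# Hypothetical user model standing in for the plugin's own; capabilities are explicit grants.
@dataclass
class User:
    name: str
    capabilities: set = field(default_factory=set)
    visited_admin_area: bool = False  # the signal the vulnerable check relied on


def is_authorized_to_upload_vulnerable(user: User) -> bool:
    """Mirrors the reintroduced bug: being logged in and visiting wp-admin passed as proof of admin."""
    return user.visited_admin_area


def is_authorized_to_upload(user: User) -> bool:
    """Hardened: require an explicit capability, independent of which page was visited."""
    return "upload_files" in user.capabilities


ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Inner extensions that common server configurations may still execute when followed by ".jpg".
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                        "htaccess", "cgi", "pl", "py", "sh"}
# Leading bytes expected for each allowed type.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def validate_upload_name(client_name: str) -> str:
    """Return the allowed extension for client_name, or raise ValueError.
    Rejects path separators, traversal, double extensions and non-allowlisted types."""
    if "/" in client_name or "\\" in client_name or client_name != os.path.basename(client_name):
        raise ValueError("path separators are not allowed in a filename")
    if ".." in client_name:
        raise ValueError("traversal sequence in filename")
    parts = client_name.lower().split(".")
    if len(parts) < 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        raise ValueError("filename must be name.ext with a simple name")
    ext, inner = parts[-1], parts[1:-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} not allowed")
    if any(p in DANGEROUS_EXTENSIONS for p in inner):
        raise ValueError("double extension with an executable type")
    return ext


def store_upload(user: User, client_name: str, data: bytes,
                 upload_dir: str = "/var/www/uploads") -> str:
    """Authorize, validate the name, check the magic bytes, and choose a server-generated name.
    Returns the path the file would be written to (constructed; nothing is written here)."""
    if not is_authorized_to_upload(user):
        raise PermissionError("user lacks upload_files capability")
    ext = validate_upload_name(client_name)
    if not data.startswith(MAGIC[ext]):
        raise ValueError("file content does not match its extension")
    # A random server-side name removes any influence the client had over the stored path.
    server_name = f"{secrets.token_hex(16)}.{ext}"
    return os.path.join(upload_dir, server_name)


if __name__ == "__main__":
    admin = User("admin", {"upload_files"})
    print(store_upload(admin, "photo.png", MAGIC["png"] + b"\x00" * 8))
```

The upload directory should additionally be served with script execution disabled at the web server level, since the validation above is a second line of defence rather than a substitute for that configuration.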

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.

Visa: Hackers Use Web Shells to Compromise Servers and Steal Credit Card Details

Visa, the global payment processor, has warned that hackers are increasingly deploying web shells on compromised servers to steal credit card information from online customers. Web shells are tools (scripts or programs) that attackers install on compromised servers to execute arbitrary commands or code remotely, move covertly within the victim's network, or deliver additional malicious payloads. Since last year, Visa has seen an increase in the use of web shells to deploy JavaScript-based credit card skimmers on breached online platforms in digital skimming (also known as web skimming, e-skimming, or Magecart) attacks.

If successful, the skimmers allow the hackers to exfiltrate payment information and personal data submitted by customers of the breached online platform and transfer it to servers under their control. According to Visa, "throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many e-skimming attacks used web shells to establish a command and control (C2) during the attacks. PFD confirmed at least 45 e-skimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape."

According to Visa PFD's findings, most Magecart hackers used web shells to plant backdoors on compromised online store servers and build command and control (C2) infrastructure that lets them steal credit card information. The hackers used various approaches to breach the online shops' servers, exploiting vulnerabilities in insecure administrative infrastructure, e-commerce-related apps and website plugins, and unpatched or out-of-date e-commerce websites. These Visa findings match what the Microsoft Defender Advanced Threat Protection (ATP) team reported earlier this February: the number of web shells implanted on compromised servers has roughly doubled since last year.
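Visa's findings describe what attackers did once a web shell was in place; the defender's counterpart is noticing when one appears. The following Python is an added example written for this page, not Visa's or Microsoft's tooling: it compares a constructed baseline of known-good file hashes against a constructed snapshot of a web root, flags script files that are new in directories meant for data or that changed since the baseline, and applies a simple content heuristic for obfuscated execution. The directory layout, file contents and token list are assumptions, and a heuristic hit is a reason to inspect the file, not proof of compromise.

```python
import hashlib
import re
from typing import Dict, List

SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar", ".jsp", ".aspx")
# Directories that should hold data, not code (assumed layout for a typical PHP storefront).
WRITABLE_DIRS = ("wp-content/uploads/", "var/cache/", "media/")
# Tokens typical of obfuscated loaders; legitimate code can use them too, so treat as a lead.
SUSPICIOUS_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good baseline: path -> sha256 of the content that was deployed.
GOOD_INDEX = b"<?php require __DIR__ . '/app/bootstrap.php'; ?>"
GOOD_STYLE = b"body { margin: 0; }"
BASELINE = {"index.php": sha256(GOOD_INDEX), "assets/style.css": sha256(GOOD_STYLE)}

# Constructed snapshot of the same web root taken later.
SNAPSHOT = {
    "index.php": GOOD_INDEX + b"\n<?php include 'wp-content/uploads/cache.php'; ?>",  # modified
    "assets/style.css": GOOD_STYLE,                                                   # unchanged
    "wp-content/uploads/cache.php":
        b"<?php /* constructed fixture */ eval(base64_decode($blob)); ?>",            # new script
    "wp-content/uploads/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,               # new data file
}


def scan_webroot(baseline: Dict[str, str], snapshot: Dict[str, bytes]) -> List[Dict]:
    """Return findings for files that are new scripts, changed, suspicious, or missing."""
    findings = []
    for path, content in sorted(snapshot.items()):
        reasons = []
        digest = sha256(content)
        is_script = path.lower().endswith(SCRIPT_EXTENSIONS)
        if path not in baseline:
            if is_script and path.startswith(WRITABLE_DIRS):
                reasons.append("new script in writable directory")
            elif is_script:
                reasons.append("new script outside baseline")
        elif baseline[path] != digest:
            reasons.append("modified since baseline")
        if is_script and SUSPICIOUS_RE.search(content.decode("utf-8", "replace")):
            reasons.append("obfuscated execution pattern")
        if reasons:
            findings.append({"path": path, "sha256": digest, "reasons": reasons})
    # A baseline file that disappeared is worth a look as well (e.g. a replaced .htaccess).
    for path in sorted(baseline):
        if path not in snapshot:
            findings.append({"path": path, "sha256": None, "reasons": ["missing from snapshot"]})
    return findings


if __name__ == "__main__":
    for finding in scan_webroot(BASELINE, SNAPSHOT):
        print(finding["path"], finding["reasons"])
```

In practice the baseline is taken from the deployment artifact or package manifest rather than from the live server, so that an attacker who already has a shell cannot simply re-baseline their own files.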

"The company's security researchers discovered an average of 140,000 such malicious tools on hacked servers every month, between August 2020 to January 2021," reports Bleeping Computer.  "In comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from roughly 46,000 distinct devices between July and December 2019," it further says.

Phishing Attacks Can Now Dodge Microsoft 365's Multi-Factor Authentication


A phishing attack has recently been found stealing confidential user data stored in the cloud.
According to sources, it is the work of a new phishing campaign that bypasses Office 365 Multi-Factor Authentication (MFA) to acquire the target's cloud-stored data and then uses that data as leverage to extract a ransom in Bitcoin.

Per reports, researchers discovered that the campaign leverages the "OAuth2 framework and OpenID Connect (OIDC) protocol". It employs a malicious "SharePoint" link to fool the targets into granting permissions to "rogue" applications.

MFA serves as a fallback for cases where a user's password has been discovered. This phishing attack is different because it tries to fool its targets into helping the attackers bypass MFA by granting permissions.

This campaign is not just about extracting ransoms by exploiting the stolen data; it also carries the additional threat of sensitive and personal information being left at large for others to exploit. Extortion and blackmail are among the first things the data could be misused for.

Sources mentioned that via obtaining basic emails and information from the target’s device, the attacker could easily design “hyper-realistic Reply-Chain phishing emails.”

The phishing campaign employs a commonplace invitation to a SharePoint file, which purports to provide information about a "salary bonus", and that is enough to trap inattentive readers, reports say.

When clicked, the link redirects the target to a genuine Microsoft Office 365 login page. On closer inspection, however, the URL looks suspicious and carelessly constructed, security experts say.

Reportedly, access to Office 365 is obtained by acquiring a token from the Microsoft Identity Platform and then through Microsoft Graph authorizations. OIDC is used to authenticate the user granting the access; if authentication succeeds, OAuth2 grants the application access. At no point in the process are the user's credentials revealed to the application.

The URL contains "key parameters" that reveal how targets are tricked into granting permissions to rogue applications on their account. These parameters specify the kind of access being requested from the Microsoft Identity Platform. In this attack, the request asked for the ID token and authentication code, sources say.

If the target signs in on the SharePoint link that was delivered via the email they’ll be providing the above-mentioned permissions. If the target doesn’t do so, it will be the job of the domain administrators to handle any dubious activities.
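Because consent phishing hinges on the parameters in that authorization URL, a defender's first triage step is to parse them rather than eyeball the link. The following Python is an added example, not part of the original article or any Microsoft tooling. It parses a constructed authorization URL in the shape the article describes (the `client_id` and `redirect_uri` are placeholders; the scope names are real Microsoft Graph delegated permissions and the endpoint is the real v2.0 authorize endpoint) and lists what an administrator would want flagged: an unregistered application, a `response_type` asking for both an ID token and a code, a redirect to an untrusted host, a persistent `offline_access` grant, and mailbox or file scopes. The allowlists are assumptions.

```python
from typing import Dict, List
from urllib.parse import urlparse, parse_qs

# Constructed URL; the client_id and redirect_uri are placeholders, not a real application.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code+id_token"
    "&redirect_uri=https%3A%2F%2Fsharepoint-docs.example%2Fcallback"
    "&scope=openid+profile+offline_access+Mail.Read+Files.Read.All"
    "&response_mode=form_post&state=bonus&nonce=abc123"
)

# Assumed allowlists an administrator would maintain for approved apps and redirect hosts.
KNOWN_CLIENT_IDS = {"aaaaaaaa-0000-0000-0000-000000000001"}  # placeholder approved app
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "intranet.example"}
# Scope families that give an app access to mail, files, or directory data.
HIGH_IMPACT_PREFIXES = ("Mail.", "MailboxSettings.", "Files.", "Sites.",
                        "Contacts.", "User.ReadWrite", "Directory.")


def parse_authorize_url(url: str) -> Dict:
    """Extract the fields that matter for consent triage from an authorize URL."""
    u = urlparse(url)
    q = parse_qs(u.query)  # decodes '+' and %xx escapes

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    return {
        "endpoint_host": u.netloc,
        "client_id": first("client_id"),
        "response_type": first("response_type").split(),
        "redirect_uri": first("redirect_uri"),
        "scope": first("scope").split(),
    }


def assess_consent_request(req: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if req["endpoint_host"] != "login.microsoftonline.com":
        findings.append("unexpected authorization endpoint")
    if req["client_id"] not in KNOWN_CLIENT_IDS:
        findings.append("unknown client_id")
    if "id_token" in req["response_type"] and "code" in req["response_type"]:
        findings.append("requests id_token and code")
    if urlparse(req["redirect_uri"]).hostname not in TRUSTED_REDIRECT_HOSTS:
        findings.append("redirect_uri to untrusted host")
    if "offline_access" in req["scope"]:
        findings.append("offline_access: persistent refresh token")
    for s in req["scope"]:
        if s.startswith(HIGH_IMPACT_PREFIXES):
            findings.append(f"high-impact scope {s}")
    return findings


if __name__ == "__main__":
    for line in assess_consent_request(parse_authorize_url(SAMPLE_URL)):
        print("-", line)
```

The same checks map onto the tenant-side controls that stop this class of attack: restricting user consent to verified publishers or administrator-approved apps, and periodically reviewing which applications hold `offline_access` together with mail or file scopes.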

This phishing campaign is just one example of how attack mechanisms have evolved over the years, to the point where attackers can extort sensitive data from people simply by tricking them into granting permissions without any idea of what is actually happening.