Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Zero-day Flaw. Show all posts
Zero-day Flaw
Data Breach Data Leak MoveIt Hack Patient Info Zero-day Flaw

IBM MOVEit Hack Exposes Data of 4 Million US Citizens

 

Millions of Americans had their private medical and health information stolen after attackers hacked into systems operated by tech giant IBM and exploited a zero-day flaw in the widely used MOVEit file transfer software. 

The MOVEit major hacks exposed the data of more than 4 million patients, according to the Colorado Department of Health Care Policy and Financing (HCPF), which oversees Colorado's Medicaid programme.

In a notification of a data breach sent to people impacted, Colorado's HCPF stated that IBM, one of the state's vendors, "uses the MOVEit application to move HCPF data files in the normal course of business." 

While the Colorado state government or HCPF systems were unaffected by this problem, the letter claims that "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorised actor." 

These files contain the full names, birth dates, residences, Social Security numbers, Medicaid and Medicare ID numbers, information on income, clinical and medical data (such as lab results and medication information), and information on health insurance for the patients. 

HCPF claimed that the hack in the system affected nearly 4.1 million people. However, IBM is yet to publicly disclose that it was impacted by the MOVEit mass attacks.

The Department of Social Services (DSS) in Missouri was also affected by the IBM MOVEit system breach. However, the exact number of victims is unknown at the moment. Missouri state is home to more than 6 million people. 

Missouri's DSS stated in a data breach notification posted last week: "IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians." The data vulnerability did not directly affect any DSS systems, but it did affect DSS data." 

According to DSS, the data accessed may include an individual's name, department client number, date of birth, potential benefit eligibility status or coverage, and medical claims information. 

Neither Colorado's HCPF nor Missouri's DSS are named on the dark web leak site of the Clop ransomware gang, which has claimed responsibility for the mass hacks. The Russia-linked group asserts on the site, "We don't have any government data."

Colorado's latest breach comes just days after the Colorado Department of Higher Education revealed a ransomware incident in which hackers accessed and copied 16 years of data from its networks. Last month, Colorado State University disclosed a MOVEit-related data breach that affected tens of thousands of students and academic employees.
Read more »
Zero-day Flaw
Chinese Actors Firewall South Asia Vulnerabilities and Exploits Zero-day Flaw

Chinese Attackers Abused Sophos Firewall Zero-Day Bug to Target South Asian Organizations

 

Chinese hackers exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate multiple organizations in the South Asia region. 

The security bug has been patched in the meantime but multiple hackers continued to exploit it to bypass authentication and run arbitrary code remotely on several organizations. 

On March 25, Sophos issued a security patch about CVE-2022-1040, an authentication bypass flaw that affects the User Portal and Webadmin of Sophos Firewall and could be weaponized to implement arbitrary code remotely. 

Earlier this week, Volexity researchers detailed an assault from a Chinese APT group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a webshell backdoor and target the customer’s staff. 

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads a blog post published by Volexity researchers. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.” 

The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall. Volexity spotted the breach while investigating suspicious traffic generated from the Sophos Firewall to key systems in its customer’s networks. The examination of the logs revealed significant and repeated suspicious access aimed at a valid JSP file (login.jsp). 

Further investigation disclosed that the hackers were using the Behinder framework, which was employed by other Chinese APT groups in assaults abusing the recently disclosed CVE-2022-26134 vulnerability in Confluence servers. 

The exploitation of the Sophos Firewall was the first stage of the attack chain, APT group later launched man-in-the-middle (MitM) assaults to steal data and use them to exploit additional systems outside of the network where the firewall resided. Once secured access to the target webservers, the hackers installed multiple open-source malware, including PupyRAT, Pantegana, and Sliver.
Read more »
Zero-day Flaw
APT APT Campaigns Security Risk Vulnerabilities and Exploits Zero-day Flaw

Organizations are More Susceptible to Known Vulnerabilities in Comparison to Zero-Day Flaw

 

A study of APT hacking campaigns conducted from 2008 to 2020 by University of Trento security researchers indicates enterprise IT security admins should worry most about fixing their systems for known vulnerabilities, rather than chasing a patch for every zero-day flaw that emerges. 

The researchers analyzed the impact of 86 APTs and 350 attack campaigns and debunked the belief that all APTs are highly sophisticated and prefer targeting zero-day flaws rather than ones that have already been patched. 

“Contrary to common belief, most APT campaigns employed publicly known vulnerabilities,” researchers Giorgio Di Tizio, Michele Armellini, and Fabio Massacci wrote in the report published on the pre-print server arXiv. 

Indeed, out of the 86 APTs they examined, only eight – known respectively as Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor – exploited CVEs were not used by anybody else. This demonstrates that not all the APTs are as sophisticated as many thinks, as the groups “often reuse tools, malware, and vulnerabilities,” researchers wrote. 

Faster updates minimize the threat 

The study showed that organizations that apply software updates as soon as they're published face the lowest odds of being compromised. However, the need to do regression testing before applying an update means that entities often take far longer to update their software. 

It typically takes more than 200 days for an organization to align 90 percent of their machines with the latest software patches due to regression testing, which ensures that updated systems function properly after the update, researchers found. Such behavior is rational because not all vulnerabilities are always exploited in the wild. However, to combat APTs, slow updates do not seem appropriate. 

The study conducted by University of Trento researchers specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment. 

"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile than updating with a delay, but costs significantly less," the researchers added.
Read more »
Zero-day Flaw
Business Email Compromise User Secuirty Vulnerabilities and Exploits Zero-day Flaw

Cybercriminals are Exploiting Zero-day Vulnerabilities at a Record Pace

 

The HP Wolf Security threat research team has discovered evidence that threat actors are mobilizing quickly to weaponize new zero-day vulnerabilities. 

According to HP Wolf Security Threat Insights Report, the attackers are abusing specific problems like CVE-2021-40444 -- the remote code execution flaw that enables exploitation of the MSHTML browser engine through Microsoft Office documents. The vulnerability was first identified by HP on September 8, a week before Microsoft released the patch.

By September 10, the HP threat research team detected scripts designed to automate the creation of this exploit being published it on GitHub. The exploit gives attackers a startlingly easy entry point into systems, deploying malware through an Office document that only needs very little user interaction.

The security researchers compile the report by examining the millions of endpoints running HP Wolf Security. The report shows that 12% of isolated email malware evaded at least one gateway scanner while 89% of malware spotted was delivered via email. Also, the web downloads were responsible for 11%, and other vectors like removable storage devices for less than 1%. 

The average time for a company to apply, test, and fully deploy patches with the proper checks is 97 days, giving threat actors an opportunity to exploit this 'window of vulnerability', explained Alex Holland, the senior malware analyst with the HP Wolf Security threat research team. 

"While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less¬ knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums," Holland said. 

"Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit change. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor."

Unfortunately, some major platforms like OneDrive are allowing attackers to conduct 'flash in the pan' attacks. Although malware hosted on such platforms is generally taken down quickly, this does not deter attackers because they can often secure their goal of deploying malware in the few hours the links are live, Holland explained.

"Some threat actors are changing the script or file type they are using every few months. Malicious JavaScript and HTA files are nothing new, but they are still landing in employee inboxes, putting the enterprise at risk. One campaign deployed Vengeance Justice Worm, which can spread to other systems and USB drives," Holland added. 

Additionally, the researchers discovered threat actors exploiting Cloud and web providers to install malware as well as multiple malware families being hosted on Discord and other gaming social media platforms. 

With cyber-assaults increasing with each passing day, Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc. believes that companies can’t keep relying on detection alone. He believes the threat landscape is too dynamic and, as highlighted in the analysis of threats captured, attackers are increasingly evolving to bypass any detection tool.

"Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads. This will eliminate the attack surface for whole classes of threats while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services," Pratt said.
Read more »
Subscribe to: Posts (Atom)