Showing posts with label security threat.

Artificial Intelligence: Main Weapon to Counter Cyber Attacks

The attack surface of a modern business is huge and keeps growing at a rapid pace, and security staff often struggle to keep up with managing their defenses.

Threat actors are embracing AI and ML wholeheartedly, launching more sophisticated attacks that learn and adapt to defenses that are already inadequate. On average, a business receives 10,000 alerts every day from the many tools it uses to monitor for threats. Skilled analysts who could triage those alerts are in short supply, and those who exist do not want to be buried in repetitive manual work.

These challenges underscore the need for better ways to stem the tide of cyberattacks. Artificial intelligence is particularly well suited to analyzing and improving an organization's security posture, because it can automate many tasks a human analyst would otherwise handle by hand, such as discovering unknown workstations, servers, code repositories, and other hardware and software on the network.

Firms including FireEye, Microsoft, and Google are developing AI approaches to detect malware and to track the spread of fake news. One notable example is Microsoft's Cyber Signals program, which uses AI to analyze 24 trillion security signals and to track 40 nation-state groups and 140 hacker groups, producing threat intelligence aimed at C-level executives.

U.S. federal agencies such as the Department of Defense and the National Science Foundation have invested tens of millions of dollars in AI tools that extract insight from data gathered on the dark web and from open-source software platforms such as GitHub.

AI-enabled analytics can also help decode the jargon and code words attackers coin for their new tools, techniques, and procedures. One example is the use of the name Mirai to mean botnet, a term adopted to hide discussion of botnets from law enforcement and threat intelligence professionals.

The path ahead 

Looking forward, there is substantial room for AI to grow in cybersecurity. In particular, the predictions AI systems make from the patterns they identify will help security analysts respond to emerging threats.

AI is an intriguing tool that could help stem the tide of cyberattacks and, with careful cultivation, could become an essential tool for the next generation of cybersecurity professionals. The current pace of innovation in AI, however, suggests that fully automated cyber battles between AI attackers and AI defenders are still years away.

New Variant of Magniber Ransomware is Targeting Windows 11 Users

Security analysts at 360 Security Center have identified a new strain of Magniber ransomware targeting Windows 11 systems. Since May 25, Magniber's attack volume has surged significantly and the names of its main delivery packages have changed, for example win10-11_system_upgrade_software.msi and covid.warning.readme.xxxxxxxx.msi.

The ransomware is distributed through several online channels, including cracked-software sites and fake pornographic sites; visitors to these phony sites are lured into downloading the package from third-party file-hosting (network disk) services.

According to the researchers, the ransomware itself has changed little and runs on multiple versions of Windows. It encrypts files with a hybrid RSA+AES scheme, and the RSA key is 2048 bits long, which cannot be broken by brute force, so there is no practical way to recover files without the attackers' private key.

Encrypted files are given a random extension, and each victim gets a separate payment page. If the ransom is not paid within the specified time, the link becomes invalid. A victim who pays within 5 days pays 0.09 bitcoin; after 5 days the demand doubles.

This is the second Magniber campaign against Windows users within two months. In April, the actors used fake Windows 10 updates to spread the strain, distributed under names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi through pirated-software sites and posing as legitimate cumulative or security updates.

That campaign began on April 8th, 2022, and has been distributed widely worldwide since. It remains unclear how the fake Windows 10 updates are promoted and distributed from the fake warez and crack sites.

According to security researchers, no safe decryptor exists for this ransomware, nor is any weakness in the malware known that would allow an infection to be reversed. It presently targets home users and students rather than corporate customers, so users should remain vigilant, avoid downloading cracked software, and use legitimate sites only.

Magniber was first spotted in 2017 targeting victims in South Korea. In 2021 it was using the PrintNightmare exploit to target Windows users, and in January of this year it was distributed as fake Microsoft Edge and Chrome updates.

Multiple Organizations Targeted by Conti Ransomware Worldwide

The Conti ransomware gang is wreaking havoc with its attacks around the globe. The latest victim is the Peru MOF – Dirección General de Inteligencia (DIGIMIN), Peru's premier intelligence agency.

The group claims to have stolen 9.41 GB of data from the agency, which is responsible for national, military, and police intelligence as well as counterintelligence. Targeting an intelligence agency could lead to the disclosure of secret and confidential documents and poses a threat to national security.

Last week, the U.S. Department of State offered a reward of up to $15 million for information on the threat actor. Of that, $10 million is for the identification or location of the leaders of the Conti ransomware gang.

A further $5 million is offered for information leading to the arrest and/or conviction of any individual in any country who conspires to participate in, or attempts to participate in, a Conti variant ransomware incident. The reward is offered under the Department of State's Transnational Organized Crime Rewards Program (TOCRP).

"The Conti ransomware group has been responsible for hundreds of ransomware incidents over the past two years," the statement read. "The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti ransomware variant the costliest strain of ransomware ever documented." 

Costa Rica's President Rodrigo Chaves declared a national cybersecurity emergency over the weekend, following a financially motivated Conti ransomware attack on his administration that has paralyzed the government and economy of the Latin American nation. Shortly after the incident in April, then-President Carlos Alvarado publicly declined to pay a $10 million ransom demand, and Conti has since published nearly all of the 672 GB of data it stole from the government.

After the Costa Rica attack, the group posted a message on its news site saying the assault was merely a "demo version." It also said the attack was motivated solely by financial gain while expressing general political disgust, another signal that more government-directed attacks may follow.

The Conti group's attacks are a serious concern and have already forced a nation to declare a national emergency. Security experts therefore recommend that organizations invest in robust preventive measures, including anti-ransomware solutions, frequent data backups, network firewalls, and email gateways.

Scammers Employ Instagram Stories to Target Users

Instagram is the fourth most popular social media platform in the world, with over one billion monthly active users. Almost everyone, from celebrities to your kids, has an Instagram account. This global success makes it a very lucrative target for threat actors. 

According to the BBC, the scamming has worsened over the past year, with Instagram fraud reports up 50% since the coronavirus outbreak began in 2020. Scammers need only a handful of people willing to help someone without thinking, and since they ask not for money but for a bit of someone's time, they already have one foot in the door.

The latest scam revolves around a backstory. Fraudsters ask you for help, tell their story, and put their fate in your hands. Here are some of the stories they use:

• "I’m launching my own product line."
• "I’m in a competition and need you to vote for me."
• "I’m trying to get verified on Instagram and need people to confirm my fanbase with a link."
• "I need a help link to get into Instagram on my other phone." This is the most common tactic employed by scammers.
• "I’m contesting for an ambassadorship spot at an online influencers program." This one is surprisingly popular, with fake influencers everywhere.

Scammers try to get into your Instagram account by sending you a suspicious link, either as an Instagram direct message or by email. They then ask you not to click the link but merely to screenshot it and send the image back. The link is a genuine Instagram "forgotten password" URL for your account: the token in that URL is all Instagram needs to authorize a reset, so whoever reads it, even from a screenshot, can use it to reset your password, take over the account, and lock you out.

Any request for a screenshot of a link should therefore be treated with extreme suspicion; whether the story is about product lines or ambassador programs, you can safely ignore these messages. If you think you have been scammed, report it to Instagram, change your password, and enable two-factor authentication. If you reuse passwords, a scammer could break into more of your accounts, so change those passwords too.

Magniber Ransomware Tricking Users via Fake Windows 10 Updates

Security analysts have identified a new ransomware campaign targeting Windows systems in which malicious actors use fake Windows 10 updates to spread the Magniber ransomware strain.

Since April 27, users around the world have been posting on the BleepingComputer forum seeking help. According to the publication, the fake updates are distributed under names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi through pirated-software sites, posing as legitimate cumulative or security updates.

Other files that pose as Microsoft knowledge base (KB) articles also install Magniber:

• System.Upgrade.Win10.0-KB47287134.msi 
• System.Upgrade.Win10.0-KB82260712.msi 
• System.Upgrade.Win10.0-KB18062410.msi 
• System.Upgrade.Win10.0-KB66846525.msi

Based on submissions to VirusTotal, the campaign appears to have started on April 8th, 2022, and has seen wide distribution worldwide since then. It remains unclear how the fake Windows 10 updates are promoted and distributed from the fake warez and crack sites.

Once installed, Magniber deletes the Volume Shadow Copies, so Windows' own previous-version restore cannot be used, and then encrypts files, appending a random 8-character extension such as .gtearevf. It also drops a README.html ransom note in every folder it encrypts; the note directs the victim to Magniber's Tor payment site, called 'My Decryptor'.

The payment site lets a victim decrypt one file for free, contact 'support', or obtain the cryptocurrency address to pay the ransom to. Demands tend to be around $2,500, or 0.068 bitcoin, BleepingComputer reported.

“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”

According to security researchers, no safe decryptor exists for the ransomware, nor is any weakness in the malware known that would allow an infection to be reversed. It presently targets home users and students rather than corporate customers, so users should remain vigilant, avoid downloading cracked software, and use legitimate sites only.

Magniber was first spotted in 2017 targeting victims in South Korea. In 2021 it was using the PrintNightmare exploit to target Windows users, and in January of this year it was distributed as fake Microsoft Edge and Chrome updates.
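
The behaviour reported in this post and in the Windows 11 post above (a README.html note in each encrypted folder, one random 8-letter extension appended per victim, and installers named like Windows upgrades or KB articles) can be turned into a small triage script. The following is an added example written for this page, not Magniber's code or any vendor's tool. The directory tree it scans is constructed for the demonstration, and two heuristics are my own assumptions: that the appended extension is 8 lowercase letters (as in the reported .gtearevf), and that genuine Microsoft KB identifiers have at most 7 digits, while every fake listed above uses 8.

```python
"""Post-infection triage for the Magniber behaviour reported above.

Added example, not Magniber's code or a vendor tool. The demo tree is
constructed; the naming heuristics are assumptions noted inline.
"""
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "README.html"               # dropped in every encrypted folder
# Appended extension, e.g. ".gtearevf". Assumption: 8 lowercase letters.
ENC_EXT_RE = re.compile(r"^\.[a-z]{8}$")
# Installer names from the posts: Win10.0_System_Upgrade_Software.msi,
# System.Upgrade.Win10.0-KB47287134.msi, win10-11_system_upgrade_software.msi
FAKE_UPDATE_RE = re.compile(r"(?i)(upgrade|update).*win1[01]|win1[01].*(upgrade|update)")
KB_RE = re.compile(r"(?i)KB(\d+)")


def looks_encrypted(path: Path) -> bool:
    """True if the file carries a Magniber-style appended extension."""
    return path.is_file() and bool(ENC_EXT_RE.match(path.suffix))


def find_encrypted_dirs(root: Path) -> dict:
    """Map each folder holding the ransom note plus at least one encrypted
    file to the sorted list of encrypted file names in that folder."""
    hits = {}
    for note in root.rglob(RANSOM_NOTE):
        folder = note.parent
        encrypted = sorted(p.name for p in folder.iterdir() if looks_encrypted(p))
        if encrypted:                     # a lone README.html is not evidence
            hits[folder.relative_to(root).as_posix()] = encrypted
    return hits


def suspicious_installer(filename: str) -> list:
    """Reasons an .msi name resembles the fake-update lures (empty = none)."""
    reasons = []
    if not filename.lower().endswith(".msi"):
        return reasons
    if FAKE_UPDATE_RE.search(filename):
        # Microsoft delivers cumulative/security updates through Windows Update
        # (.msu/.cab), never as an .msi downloaded from a website.
        reasons.append("msi named like a Windows upgrade/security update")
    m = KB_RE.search(filename)
    if m and len(m.group(1)) > 7:
        # Assumption: genuine KB ids have at most 7 digits (e.g. KB5012599).
        reasons.append("KB number longer than 7 digits")
    return reasons


def build_demo_tree() -> Path:
    """Constructed sample tree (not real victim data) so the triage runs offline."""
    root = Path(tempfile.mkdtemp(prefix="magniber_demo_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / RANSOM_NOTE).write_text("<html>My Decryptor</html>")  # note placeholder
    (docs / "thesis.docx.gtearevf").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.gtearevf").write_bytes(b"\x00" * 16)
    pics = root / "Users" / "alice" / "Pictures"               # untouched folder
    pics.mkdir(parents=True)
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    dl = root / "Users" / "alice" / "Downloads"                # README but no encryption
    dl.mkdir()
    (dl / RANSOM_NOTE).write_text("project readme")
    (dl / "notes.txt").write_text("x")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for folder, files in find_encrypted_dirs(root).items():
        print(f"encrypted folder {folder}: {len(files)} files, e.g. {files[0]}")
    for name in ("System.Upgrade.Win10.0-KB47287134.msi", "7zip-22.01-x64.msi"):
        print(name, "->", suspicious_installer(name) or "no signal")
```

The name check only catches the update lure; the covid.warning.readme package from the Windows 11 post would pass it, so the check that actually matters before running any installer is whether it came from Windows Update and carries a valid Microsoft signature, not what it is called. Point `find_encrypted_dirs` at a mounted image of the affected volume rather than the live system.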

Beware of New Phishing Campaign Targeting Facebook Users

Facebook users should remain vigilant after researchers at Abnormal Security uncovered a new phishing campaign designed to steal the passwords of admins who run company Facebook pages. The scam begins with a phishing email claiming to be from 'The Facebook Team'.

The email warns that the user's account may be disabled or their page removed for repeatedly posting content that infringes someone else's rights.

Having scared the victim into thinking their profile could soon be taken down, the email invites them to appeal by clicking a link which, the researchers said, leads to a genuine Facebook post; inside that post is another link to a separate website. To file the 'appeal', the user is told to enter sensitive information including their name, email address, and Facebook password.

All of this is sent to the threat actor, who can use it to log in to the victim's Facebook page, harvest details from the account, and potentially lock the victim out. If the victim reuses the same email address and password on other sites and apps, the attacker can get into those too. One reason phishing attacks like this succeed is that they create a sense of urgency.

“What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook. Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email,” researchers explained. 

“In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.” 

Whether you have already fallen for this campaign or want to stay safe from future ones, Facebook has published recommendations for its users. The social network advises anyone who thinks they have fallen for a phishing scam to report it, change their password, and log out of any devices they do not recognize. Facebook also recommends turning on multi-factor authentication, which adds an extra layer of security to the account.

Critical Vulnerability Identified in Ever Surf Blockchain Wallet

A vulnerability in the browser version of the Ever Surf blockchain wallet could have given attackers full control over a victim's wallet and its funds, say threat analysts at Check Point Research (CPR).

Available on Google Play and Apple's App Store, Ever Surf is described as a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network. It currently has nearly 670,000 active accounts worldwide and claims to have facilitated at least 31.6 million transactions.

According to the Check Point researchers, the web version of the wallet suffered from a relatively simple bug that let attackers recover the private keys and seed phrases stored, in encrypted form, in the browser's local storage. An attacker first needed to obtain those encrypted keys, which is typically done with a malicious browser extension, infostealer malware, or plain old phishing.

The attacker could then decrypt them with a simple script; the flaw made decryption possible in "just a couple of minutes, on consumer-grade hardware," the researchers stated.

CPR reported the vulnerability to the Ever Surf developers, who published a desktop version that mitigates the flaw, the company said in a press release. The web version is now deprecated and should be used only for development; seed phrases for accounts that hold real value should not be used in it, the researchers warned.

“Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product,” said Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software.

“When working with cryptocurrencies, you always need to be careful, ensure your device is free of malware, do not open suspicious links, and keep OS and antivirus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, phishing,” Chailytko added. 

To reduce the risk, the researchers recommend not following suspicious links, particularly from unknown sources, keeping the OS and antivirus software up to date, and not installing any software or browser extension without first verifying the identity of its source.

FBI Issues Warning as BlackCat Ransomware Targets More Than 60 Organizations Worldwide

An FBI flash alert released this week says the bureau has identified at least 60 ransomware attacks worldwide by the BlackCat (ALPHV) group between November 2021 and March 2022.

The alert details the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with the group, as observed in FBI investigations.

According to the FBI's Cyber Division, BlackCat also tracked as ALPHV and Noberus "is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing."

BlackCat's ransomware executable is highly customizable and offers several encryption methods and options, which makes it easy to tailor attacks to a wide range of industrial organizations. "Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations," the FBI added.

Security researchers recently reported increased interest from BlackCat operators in industrial organizations. BlackCat affiliates often demand ransoms of millions of dollars but have been observed accepting lower payments after negotiating with victims.

For initial access, the FBI explains, BlackCat uses previously compromised user credentials. It then compromises Active Directory user and administrator accounts, exfiltrates victim data, and finally deploys the ransomware through malicious Group Policy Objects (GPOs).

Observed BlackCat intrusions have used PowerShell scripts, Cobalt Strike Beacon, and legitimate Windows tools and Sysinternals utilities. The actors were also seen disabling security features so they could move unhindered through the victim's network.

As usual, the FBI recommends against paying the ransom, since payment does not guarantee recovery of data, and urges organizations to proactively deploy defenses that can prevent ransomware attacks.

Since the start of the year, the notorious group has taken credit for ransomware attacks on US schools like Florida International University and North Carolina A&T University and has already breached dozens of US critical infrastructure organizations. 

The group was first spotted in November 2021 and became known for aggressively posting details about its victims publicly. Emsisoft threat analyst Brett Callow and others previously said the group is a rebrand of the BlackMatter and DarkSide ransomware groups, something the FBI also highlighted in its notice.

Cyware is Changing the Cybersecurity Landscape

Cybercriminals often have technical prowess equal, and sometimes superior, to that of their cybersecurity counterparts. The result is an ever-evolving landscape of cybercrime that keeps outpacing modern security technologies. So does that end the fight against cyber threats? No; the answer lies in greater awareness and adoption of automation technologies.

Akshat Jain, CTO and co-founder of Cyware, shared his vision and the role of automation technologies in eliminating cyber threats. Here are the key points from his interview with Elets CIO:

The vision of Cyware 

Anuj Goel and I started the company in 2016 with the vision of assisting organizations to reimagine the way they approach and manage cybersecurity. Our prior experiences in steering large security and technology teams made us realize the inadequacies of reactive, manually-driven, and intelligence-deprived cybersecurity strategies that put organizations at a disadvantage against threat actors. 

Today, Cyware is helping organizations transform their security postures through our cyber fusion solutions that combine the capabilities of Threat Intel Platforms (TIP) and Security Orchestration, Automation, and Response (SOAR) to make security proactive and to integrate and accelerate different security functions, including threat detection, response, vulnerability management, threat hunting, and others. 

Role of Automation in advanced security operations 

Automation plays an important role in the enrichment, correlation, analysis, and last-mile delivery of this threat intelligence to different teams within an organization or with external partners, industry peers, regulatory bodies, and information sharing community (ISAC/ISAO) members, and others. Using this telemetry, they are expected to take mitigating actions to contain and respond effectively to those threats. 

“Automation assists in detecting the variety of threats by using historical indicators of compromise (IOCs), and the knowledge of threat actors’ tactics, techniques, and procedures (TTPs) to trigger machine-driven detection alerts. From there, security teams can once again automate containment actions to ensure that a threat does not spread laterally across their systems and networks, thereby minimizing the impact of a threat. 

Response actions needed to finally eliminate the threat can also be executed rapidly through automated workflows leveraging security orchestration for information exchange and actioning across a variety of tools,” Jain explained. 

Importance of Cyber Innovation and Global Collective Defence in the cloud-first economy

Cyber innovation is the need of the hour to help organizations adopt new security technologies and strategies to deal with these new challenges. With the increasingly distributed nature of today’s work environment, it is essential to boost collaboration in cybersecurity across all sectors to develop collective defense strategies for resilient cyberspace for all. 

As threat actors become stealthier and quicker, organizations should also make smart use of threat intel collected from both internal and external sources to drive proactive actions against potential threats to their infrastructure. 

Cyware’s progress in designing a first-of-its-kind global collective defense network 

Cyware is creating the first-of-its-kind global collective defense network through its advanced cross-sectoral threat intel sharing platforms that link all the stakeholders within an organization, as well as its business partners, vendors, industry peers, national CERTs, information sharing communities (ISACs/ISAOs), and others.

The network will assist organizations in sharing strategic, tactical, technical, and operational threat intelligence in real-time to ensure a timely response to various threats. More than 20 information-sharing communities (ISACs, ISAOs, and CERTs) from financial services, automotive, space, aviation, healthcare, retail, energy, and manufacturing sectors, among others, are using Cyware’s solutions to share threat intelligence with their 10,000+ member organizations.

PCI DSS Launches New Version to Tackle Cyber Security Threats

A new version of the PCI Data Security Standard (PCI DSS) was published today by the PCI Security Standards Council (PCI SSC), the global payment security forum. Version 4.0 provides a baseline of technical and operational requirements designed to improve payment security, replacing version 3.2.1. It is meant to address emerging threats and technologies, and its updates are built to enable innovative methods of combating those threats.

PCI SSC says the changes were driven by feedback from the global payments industry over the past three years, including more than 6,000 items from over 200 organizations. The main changes in PCI DSS v4.0 are:

• Expansion of Requirement 8 to require multi-factor authentication (MFA) for all access into the cardholder data environment.
• Updated firewall terminology to "network security controls", to support a broader range of technologies used to meet the security objectives traditionally fulfilled by firewalls.
• Increased flexibility for organizations to demonstrate how they use different methods to achieve security objectives.
• Addition of targeted risk analyses, which let organizations decide how frequently they perform certain activities, based on their own risk exposure and needs.

The current version, v3.2.1, will remain active for two years, until March 31, 2024, giving organizations time to become familiar with v4.0 and implement the updates. Alongside the standard, PCI SSC has released supporting documents in the PCI SSC Document Library: the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, ROC FAQs, and ROC Attestations of Compliance (AOC). Self-Assessment Questionnaires (SAQs) will be published later. “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard,” said Lance Johnson, executive director of PCI SSC.

US Federal Agencies Warn of Cyber Attacks Targeting UPS Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) have released a joint advisory warning U.S. organizations to secure their Internet-connected uninterruptible power supply (UPS) devices against ongoing attacks.

UPS devices are commonly used as emergency power backup in mission-critical environments, and many now ship with network-connected (IoT) management features that let administrators monitor power and perform routine maintenance remotely. As is often the case, those same features expose the devices to attack.

"The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords," the federal agencies said.

"Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet."

To protect against such attacks, CISA and DoE recommend that affected organizations ensure all UPS systems are disconnected from the internet. Where exposing the management interface to the Internet is unavoidable, admins are advised to put the device behind a virtual private network (VPN), enable multifactor authentication (MFA), and use strong passwords or passphrases in line with National Institute of Standards and Technology guidance.

The advisory also calls for auditing usernames and passwords to ensure none are still factory defaults or otherwise easy to guess or crack, and for enforcing login timeout/lockout policies to blunt the ongoing attacks on UPSs and similar systems. Beyond default credentials, attackers can also exploit critical vulnerabilities to take over UPS devices remotely and burn them out or cut power.

The warning comes three weeks after security firm Armis disclosed multiple high-impact vulnerabilities in APC Smart-UPS devices that could be exploited remotely by unauthenticated attackers, without user interaction, to turn the units into a physical weapon. Two of the main flaws are in the SmartConnect TLS implementation: a buffer overflow memory bug and a problem in the way the SmartConnect TLS handshake works.

Muhstik Botnet Targeting Redis Servers by Exploiting Recently Published Bug

The Muhstik botnet, notorious for spreading through web application exploits, has been observed exploiting a Lua sandbox escape flaw (CVE-2022-0543) in Redis servers after a proof-of-concept exploit was released publicly.

The flaw in the open-source, in-memory key-value store was disclosed in February 2022 and can be exploited to achieve remote code execution on the underlying host. It carries the maximum severity rating of 10 out of 10.

"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu explained in an advisory released last month.

Attacks exploiting the flaw started on March 11, 2022. Successful exploitation retrieves a malicious shell script ("russia.sh") from a remote server, which in turn fetches and runs the botnet binaries from another server, Juniper Threat Labs researchers explained.

According to Chinese security firm Netlab 360, Muhstik has been active since March 2018 and is monetized through cryptocurrency mining and distributed denial-of-service (DDoS) attacks.

The botnet propagates by exploiting home routers, including GPON, DD-WRT, and Tomato models, and researchers have also observed multiple exploitation attempts aimed at Linux servers. The vulnerabilities Muhstik has exploited over the years are as follows:

• CVE-2017-10271 (CVSS score: 7.5) – An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware 
• CVE-2018-7600 (CVSS score: 9.8) – Drupal remote code execution vulnerability 
• CVE-2019-2725 (CVSS score: 9.8) – Oracle WebLogic Server remote code execution vulnerability 
• CVE-2021-26084 (CVSS score: 9.8) – An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and 
• CVE-2021-44228 (CVSS score: 10.0) – Apache Log4j remote code execution vulnerability (aka Log4Shell) 
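
A non-destructive way to find out whether one of your own Redis instances is exposed to the sandbox escape described above is to ask the Lua interpreter whether the `package` global is reachable, since that global is the door the escape goes through on affected builds. The script below is an added example written for this page, not Juniper's, Redis's or the botnet's code. It assumes that an unaffected Redis leaves `package` undefined inside the scripting sandbox, so the probe script returns the string "nil", while an affected build returns "table: 0x..."; it speaks the Redis wire protocol (RESP) directly so no client library is needed, and it only reads the global, never loading a library or running anything on the host.

```python
"""Exposure check for the Redis Lua sandbox escape (CVE-2022-0543).

Added example, not Juniper's, Redis's or the botnet's code. Assumption: on an
unaffected Redis the Lua global `package` is undefined in the scripting sandbox
(tostring(package) == "nil"); on an affected build it is a table. The probe
never calls loadlib and never executes anything on the host.
"""
import socket

PROBE = ["EVAL", "return tostring(package)", "0"]


def encode_command(args) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def classify_reply(raw: bytes) -> str:
    """Turn the server's reply to PROBE into a verdict string."""
    if raw.startswith(b"-"):                          # RESP error
        err = raw[1:].split(b"\r\n", 1)[0].decode("utf-8", "replace")
        if err.startswith("NOAUTH"):
            return "auth-required"
        if err.startswith("NOPERM"):
            return "eval-denied"
        return "error: " + err
    if raw.startswith(b"$"):                          # RESP bulk string
        header, _, body = raw[1:].partition(b"\r\n")
        if header == b"-1":
            return "unexpected: null reply"
        value = body.split(b"\r\n", 1)[0].decode("utf-8", "replace")
        if value == "nil":
            return "not-exposed"
        if value.startswith("table:"):
            return "exposed: package global reachable (likely CVE-2022-0543)"
        return "unexpected: " + value
    return "unexpected: " + raw[:40].decode("utf-8", "replace")


def probe(host="127.0.0.1", port=6379, password=None, timeout=3.0) -> str:
    """Connect, optionally AUTH, send PROBE and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(encode_command(["AUTH", password]))
            if not sock.recv(1024).startswith(b"+OK"):
                return "auth-failed"
        sock.sendall(encode_command(PROBE))
        return classify_reply(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe(target)}")
```

Run it only against instances you own, for example saved as redis_lua_probe.py (a name chosen here) and invoked with the host as its argument. A "not-exposed" verdict confirms that this one door is closed; the actual fix is the updated Redis package from your distribution, and an instance reachable from the internet without authentication remains a problem whatever the verdict says.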

"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force," Juniper Threat Labs researchers said in a report published last week. In light of active exploitation of the critical security loophole, users are strictly advised to act quickly to patch their Redis services to the latest version.

New Bipartisan Bill Would Require Firms to Report Cyber Incidents Within 72 hours

 

Financial institutions critical to U.S. national interests will now have to report substantial cyber assaults and ransom payments to the federal government, an Associated Press report said, under a bill passed by Congress and expected to be signed by President Joe Biden.

The move comes amid the escalating war in Ukraine and concerns of possible Russian cyber threats to U.S. firms. Last year, multiple private and government organizations were jolted by a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government much greater visibility into hacking efforts that target private firms, which often have skipped going to the FBI or other agencies for assistance. 

The reporting requirement was approved by the House and Senate on Thursday. It is expected to be signed into law by President Biden soon. “It’s clear we must take bold action to improve our online defenses,” stated Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee.

AP wrote that the new rules require any entity considered part of America’s critical infrastructure, including finance, transportation, and energy, to report any “substantial cyber incident” within 72 hours, and any ransomware payment they make within 24 hours, to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. 

According to Heather Hogsett, a senior leader of the Bank Policy Institute’s technology policy division, the 36-hour notices of service disruption “allow bank regulators to keep a pulse on what is happening in the country’s financial services industry” while the 72- and 24-hour notices to CISA will allow the agency to “produce reports about threat actors and provide early warning of potential attack vectors.”

In recent years, ransomware attacks have flourished beyond expectation and have targeted multiple high-profile organizations. Last year, ransomware operators targeted the biggest U.S. fuel pipeline and the world’s biggest meat-packing company. 

State-sponsored hackers based in Russia and China have had success in spying on and hacking U.S. targets, including those that are deemed critical infrastructure, Reuters reported.

Security experts and government officials are concerned that Russia's war in Ukraine has increased the threat of cyberattacks against U.S. entities, by either state or proxy actors. Many ransomware operators live and work in Russia. 

“As our nation rightly supports Ukraine during Russia’s illegal unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable," said Sen. Rob Portman, a Republican from Ohio.

Imperva Mitigates 2.5 million RPS Ransom DDoS Assaults Targeting Unnamed Firm

 

Imperva, a cybersecurity software and services firm, said on Friday that it thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack targeting an unnamed company. 
 
According to Nelli Klepfish, a security analyst at Imperva, the company against which the DDoS assault was launched received multiple ransom notes during the attack. To prevent the loss of “hundreds of millions” in market cap and to remain online, the company paid the attackers in bitcoin.  
 
Imperva thwarted more than 12 million embedded requests targeting random pages of the firm’s site. The next day, the attackers sent over 15 million requests to the same site; this time the URL contained a different message. The attackers employed a similar methodology, threatening the company’s CEO with devastating consequences, such as the company’s stock price plummeting, if they refused to pay the ransom.  
 
The most devastating assault is said to have lasted less than a minute, during which researchers measured 2.5 million RPS (1.5Gbps of TCP traffic in terms of bandwidth) as the peak request rate.  
 
An identical attack was sustained by one of the sister sites operated by the same firm and lasted nearly 10 minutes, even as the attackers constantly changed their attack tactics and ransom notes to evade mitigation.  
 
Evidence gathered by Imperva points to the DDoS assaults originating from the Mēris botnet, which has exploited a now-patched security loophole in Mikrotik routers (CVE-2018-14847) to strike targets, including Yandex, a Russia-based technology and search engine giant, last September.  
 
"The types of sites the threat actors are after appear to be business sites focusing on sales and communications," Klepfish said. "Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price."  
 
Imperva identified about 34,815 attack sources. In 20% of the cases Imperva observed, the attackers launched 90,000 to 750,000 RPS. The top attack sources were in Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.  
 
Imperva also noted that the attackers claimed to be members of REvil, the infamous ransomware-as-a-service cartel that suffered a major setback after a number of its operators were arrested by Russian law enforcement agencies earlier this January. However, the researchers have yet to confirm whether the claims were made by the original REvil operators or by an impostor.

CISA Issues Warning to Federal Agencies Regarding Actively Exploited Windows Flaw

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems against an actively exploited Windows vulnerability that allows malicious actors to abuse the Microsoft operating system and gain administrator privileges on a device. The vulnerability affects Windows 10, Windows 11, and Windows Server. 

In a CISA notice published February 4, all Federal Civilian Executive Branch (FCEB) agencies were given two weeks to comply and patch their systems to mitigate the threat from this actively exploited Windows vulnerability, tracked as CVE-2022-21882. 

Additionally, CISA recommended that all private and public sector organizations reduce their exposure to ongoing cyber assaults by adopting this Directive and prioritizing mitigation of the vulnerabilities included in its catalog of actively exploited security flaws. 

"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below," the cybersecurity agency said today. "These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise."

According to Microsoft's advisory, attackers with limited access to exploited devices can use the newly obtained user rights to spread laterally within the network, create new admin users, or execute privileged commands. 

"A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver," researchers explained. This vulnerability affects systems running Windows 7, Windows 8, Windows 10, and Windows 11 as well as Windows Server 2019 and 2022. The bug is also a bypass of another Windows Win32k privilege escalation bug (CVE-2021-1732), a zero-day flaw patched in February 2021 and actively exploited in attacks since at least the summer of 2020.

Security experts at BleepingComputer also examined an exploit targeting this bug and discovered no issues compiling the exploit and using it to open Notepad with SYSTEM privileges on a Windows 10 system (the exploit didn't work on Windows 11). 

In recent months, Windows patches have hit the headlines for the wrong reasons especially after Microsoft botched not one, but two zero-day patches. This led to security researcher Abdelhamid Naceri, who identified one of the failed patches, sarcastically warning users: “you better wait and see how Microsoft will screw the patch again.”

BlackCat Ransomware Gang Employing Novel Techniques to Target Organizations

 

In December last year, malware researchers from Recorded Future and MalwareHunterTeam unearthed ALPHV (aka BlackCat), the first professional ransomware strain written in the Rust programming language. In this post, we will explore some of the methodologies employed by ransomware developers to target organizations.

According to an analysis published last month by Varonis, BlackCat was observed recruiting operators from multiple ransomware organizations, offering to allow affiliates to leverage the ransomware and keep 80-90% of the ransom payment.

“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late January 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is likely greater,” Varonis’s Jason Hill explained. 

The attackers leveraging BlackCat, often referred to as the “BlackCat gang,” employ multiple tactics that are becoming increasingly commonplace in the ransomware space. Notably, they use several extortion techniques in some cases, including the siphoning of victim data before ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

According to cybersecurity researchers at Recorded Future, the ALPHV/BlackCat developer was previously involved with the REvil ransomware gang. Last month, the Russian government disclosed that at the United States’ request it arrested 14 individuals in Russia linked to the REvil ransomware gang.

Still, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. “The recent arrests have NOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files and other software modules associated with the REvil ransomware increased modestly in the week following the arrests by Russia’s FSB intelligence service.” 

Meanwhile, the U.S. State Department has a standing $10 million reward for information leading to the identification or location of any individuals holding key leadership positions in REvil. 

As of December 2021, BlackCat has the seventh-largest number of victims listed on its leak site among ransomware groups tracked by Unit 42 researchers. While Conti (ranked second) has been around in various guises for almost two years, it is surrounded at the top of the chart by emerging families.

Microsoft Claims it Countered the Largest-Ever DDoS Attack on Azure Servers

 

Microsoft has experienced a record-breaking 3.47 terabits per second (Tbps) distributed denial of service (DDoS) attack on its Azure servers in Asia. 

According to Azure Networking product manager Alethea Toh, an unnamed Azure user in Asia was targeted with a DDoS attack in November with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second.

The attack originated from roughly 10,000 sources across the globe, including China, South Korea, Russia, Iran, and Taiwan, and lasted 15 minutes. It was not the only attack of such gigantic scale: there were two additional assaults in December, one of 3.25 Tbps and another of 2.55 Tbps, also in Asia.

"In November, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. We believe this to be the largest attack ever reported in history," said Alethea Toh. "This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan." 

But this isn't the only large attack Microsoft has had to deal with over the past few months. In December last year, Microsoft countered two more attacks that surpassed 2.5 Tbps, both of which were focused on customers in Asia. The first was a 3.25 Tbps UDP attack, while the other was a 2.55 Tbps UDP flood that lasted just over five minutes.

According to Microsoft, these attacks are part of an unprecedented number of attacks seen around the globe over the course of the second half of 2021. In India alone, Microsoft experienced a 30-fold surge in DDoS attacks in October. Additionally, in 2021, Microsoft mitigated 40% more attacks in the second half of the year compared to the first half. On August 10th alone, Microsoft saw a whopping 4,296 attacks. 

The primary reason DDoS attacks escalated so much at the end of 2021 is DDoS "for hire" services, which, Microsoft notes, are incredibly cheap to acquire these days, giving attackers more incentive to launch more attacks. Despite this, Microsoft has successfully countered every single attack aimed at it thus far. Let's hope the company's team of highly skilled engineers can continue to do so for the foreseeable future.

Security Flaw in AWS S3 Poses Security Threat for Business Organizations

 

New security flaws have emerged in AWS’ Amazon Simple Storage Service (S3) buckets, which are now exposed via additional channels and APIs that create new security loopholes for hackers to exploit. 

The flaw in cloud platforms has given threat actors an opportunity to steal data from various organizations. Several industries, such as finance, fintech, retail, manufacturing, enterprise software, and more, have failed to implement the most efficient threat detection tools to ensure their data is properly secured in the cloud. These companies are essentially blind when it comes to files that originate from external sources, internal company assets, and so on. 

In each scenario, the blend of file types may vary depending on the business, but most files fall under the high-risk category and should be properly examined. Content-borne risks include malware, ransomware, APTs, embedded malicious links, evasion attempts, and more which are well hidden in different file types including Word (.doc, .docm, .docx), Excel (.xls, .xlsx, .xlsm, etc.), PowerPoint (.ppt, .pptx, .pptm), Adobe (.pdf), archive files, text files, executables, and even email (.eml) files. 

Maor Hizkiev, CTO and co-founder of BitDam, notes that the average office worker now spends up to 80% of their time collaborating with their managers and colleagues using collaboration tools such as instant messaging, Dropbox, Google Drive, or OneDrive; however, many collaboration tools lack adequate security.

Hence, modern threat detection tools are required to detect the threats and mitigate them quickly. Threat detection tools must be able to scan 100 percent of files dynamically and in a matter of seconds and should deliver high detection rates and low false positives. 

Previously, sandbox technology was used to scan files, but because it is slow, companies were forced to be selective about which files to scan. This increases the risk of malicious content infiltrating, and this is what attackers are exploiting. 

Security Recommendations 

Security analysts have advised organizations and business application providers to remain vigilant regarding their security and realize that S3 bucket security is a blind spot due to the changing use cases and data workflows. Meanwhile, they should also upgrade their threat detection tools.

Organizations should adopt a cloud-native solution that can scan 100 percent of their S3 content, both files and URLs, in seconds at the CPU level. The cloud-native solution detects security loopholes by scanning the entire execution flow to identify malicious activity. Another important element that companies should consider is access to an incident response team. Organizations must be vigilant in selecting the right service for comprehensive S3 bucket protection at the speed and scale of their business.

Major Security Flaw Patched by Hyperkitty

 

Hyperkitty, a Django-based application that provides the web interface for the popular open-source mailing list and newsletter management service Mailman, has patched a critical flaw that exposed private mailing lists while they were being imported.

Amir Sarabadani, a software engineer at Wikimedia Deutschland, identified the flaw while upgrading Wikimedia's mailing lists from Mailman 2 to Mailman 3.

“We were upgrading a test mailing list that was private but realized during the upgrade it was public. Once the upgrade was done, the list would become private. Private mailing lists can contain sensitive information, like publicly identifiable information,” Sarabadani stated. 

“When importing a private mailing list's archives, these archives are publicly visible for the duration of the import,” reads the security advisory on GitHub. This means a threat actor would be able to access the personal information of the list's users.

Security researchers rated the flaw as critical with a severity score of 7.5. The latest version of Hyperkitty patches the flaw by obtaining the privacy configuration of imported lists from Mailman instead of using default settings. According to the GitHub advisory, upgrades from older versions of Mailman to version three can take more than an hour. 

According to Sarabadani, the impact of the flaw depends on the mailing list and how large it is. “Private mailing lists can contain sensitive information, like publicly identifiable information. If you communicated publicly that mailing lists are being upgraded [at] certain dates and times as a maintenance window (which you would usually), an attacker can use the opportunity to extract as much private data as possible, especially since Hyperkitty allows you to download all of the archives in batch,” Sarabadani added.

“Don’t take security for granted. A new software being deployed in your infra, no matter how mature, can still have rather major security issues.”

The latest research revealed that nearly 41 percent of executives do not implement open-source governance in their organizations, a problematic figure considering that open-source components underpin vast sections of enterprise applications and networks. The security flaw in Hyperkitty caused the partially imported list to be marked as public regardless of its privacy setting in Mailman. 
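To make the ordering problem concrete, here is an added example (not Hyperkitty's or Mailman's code; the archive, importer and list names are hypothetical) that models an importer which applies the source list's privacy setting only after its messages are stored, beside one that reads the setting from the source before storing anything:

```python
# Added example, not Hyperkitty's code: a minimal model of the import flaw
# described above. The archive, importer and settings are hypothetical names.
from dataclasses import dataclass, field


@dataclass
class ArchivedList:
    name: str
    private: bool = False  # hypothetical default: public, like the flawed import
    messages: list = field(default_factory=list)


class Archive:
    """In-memory stand-in for the web archive's database."""

    def __init__(self):
        self.lists = {}

    def visible_messages(self, name, authenticated=False):
        """What a reader sees: private lists hide messages from anonymous users."""
        ml = self.lists.get(name)
        if ml is None or (ml.private and not authenticated):
            return []
        return list(ml.messages)


def import_vulnerable(archive, name, source_private, messages):
    """Flawed ordering: create the list with the default (public) setting,
    store messages, and only apply the source's privacy flag at the end.
    Returns the messages an anonymous reader could fetch during the import."""
    ml = ArchivedList(name)
    archive.lists[name] = ml
    leaked = []
    for msg in messages:
        ml.messages.append(msg)
        # simulate an anonymous reader polling the archive mid-import
        leaked = archive.visible_messages(name)
    ml.private = source_private
    return leaked


def import_fixed(archive, name, source_private, messages):
    """Corrected ordering: read the privacy setting from the source (Mailman)
    before storing anything, so the list is never transiently public."""
    ml = ArchivedList(name, private=source_private)
    archive.lists[name] = ml
    leaked = []
    for msg in messages:
        ml.messages.append(msg)
        leaked = archive.visible_messages(name)  # always [] for a private list
    return leaked


# Constructed sample data: a private list with three archived messages.
SAMPLE_MESSAGES = ["msg-1: staff roster", "msg-2: incident notes", "msg-3: contract draft"]


def demo():
    """Run both importers on the same private list and report what leaked."""
    results = {}
    for label, importer in (("vulnerable", import_vulnerable), ("fixed", import_fixed)):
        archive = Archive()
        leaked = importer(archive, "private-staff", True, SAMPLE_MESSAGES)
        results[label] = {
            "leaked_during_import": leaked,
            "anonymous_after_import": archive.visible_messages("private-staff"),
            "member_after_import": archive.visible_messages("private-staff", authenticated=True),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: leaked {len(r['leaked_during_import'])} message(s) during import")
```

Both importers end with the list correctly private; the difference is only the window during the import, which is exactly what the advisory describes.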

A Series Of Cyber Essentials Toolkits Released To Address Cyber-Security Risks


The Cybersecurity and Infrastructure Security Agency (CISA) has released the first in a series of six Cyber Essentials Toolkits, following the November 2019 release of Cyber Essentials itself, as a starting point for small businesses and government agencies to understand and address cybersecurity risk alongside the other risks they manage.

CISA's toolkits will give greater detail, insight, and resources on each of the Cyber Essentials' six "Essential Elements" of a Culture of Cyber Readiness.

The launch of the introductory "Essential Element: Yourself, The Leader" will be followed each month by another toolkit corresponding to each of the six "Essential Elements." Toolkit 1 focuses on the role of leadership in building a culture of cyber readiness in their organization, with an emphasis on strategy and investment.

CISA Director Christopher Krebs said, “We thank all of our partners in government and the private sector who played an essential role in the development of CISA’s Cyber Essentials Toolkit. We hope this toolkit and the ones we are developing fill gaps and provide executives the tools they need to raise the cybersecurity baseline of their teams and the organizations they lead.”

Cyber Essentials, created in collaboration with small businesses and state and local governments, aims to equip smaller organizations that generally have not been part of the national dialogue on cybersecurity with basic steps and resources to improve their cybersecurity.

Cyber Essentials incorporates two sections: the core values for leaders to build a culture of security, and explicit actions for them and their IT experts to put that culture into practice. Each of the six Cyber Essentials includes a list of actionable items anyone can take to lower cyber risk.

These are:

  •  Drive cybersecurity strategy, investment, and culture; 
  •  Develop a heightened level of security awareness and vigilance;
  •  Protect critical assets and applications; 
  •  Ensure only those who belong on your digital workplace have access; 
  •  Make backups and avoid loss of info critical to operations; 
  •  Limit damage and restore normal operations quickly.