
The number of DDoS attacks on Russian companies has increased 2.5 times since the beginning of the year

The press service of Rostelecom reported that the number of DDoS attacks on Russian companies in the first three quarters of 2021 increased 2.5 times compared to the same period last year.

According to the report, “the main targets of the attackers were financial organizations, the public sector, as well as the sphere of online commerce. The number of DDoS attacks on data centers and gaming, which were the focus of hackers a year ago, has decreased”.

The largest number of attacks occurred in Moscow, which accounted for 60% of all incidents; no other region's share exceeded 7%.

The company added that the number of DDoS attacks on banks increased 3.5 times, with almost 90% of them occurring in September.

The number of DDoS attacks in the online trading segment increased by 20%. The number of DDoS attacks on the public sector also doubled in August and September compared to the same period in 2020.

“Every year, the power and complexity of DDoS attacks increases. This is due to the active use of larger-scale botnets by hackers. They consist of a variety of devices, and more and more vulnerabilities are used to hack them,” said Timur Ibragimov, head of the Anti-DDoS and WAF platform of Solar MSS cybersecurity services at Rostelecom-Solar.

According to him, in particular, in September, the attackers organized the largest DDoS attack using the Meris botnet, the estimated scale of which is 200 thousand devices. “Such attacks are already directed at well-protected organizations and companies whose resources can only be disabled by a very powerful DDoS. For example, it can be banks, large industrial or energy enterprises, etc.,” he added.

It is worth noting that, according to Atlas VPN, the number of DDoS attacks worldwide in the first half of the year increased by 11%, reaching 5.4 million. Thus, the number of attacks in the first half of the year turned out to be a record.

Cybercriminals are Exploiting Zero-day Vulnerabilities at a Record Pace


The HP Wolf Security threat research team has discovered evidence that threat actors are mobilizing quickly to weaponize new zero-day vulnerabilities. 

According to HP Wolf Security Threat Insights Report, the attackers are abusing specific problems like CVE-2021-40444 -- the remote code execution flaw that enables exploitation of the MSHTML browser engine through Microsoft Office documents. The vulnerability was first identified by HP on September 8, a week before Microsoft released the patch.

By September 10, the HP threat research team had detected scripts designed to automate the creation of this exploit being published on GitHub. The exploit gives attackers a startlingly easy entry point into systems, deploying malware through an Office document that requires very little user interaction.

The security researchers compiled the report by examining the millions of endpoints running HP Wolf Security. The report shows that 12% of isolated email malware evaded at least one gateway scanner, and that 89% of the malware spotted was delivered via email. Web downloads were responsible for 11%, and other vectors such as removable storage devices for less than 1%.

The average time for a company to apply, test, and fully deploy patches with the proper checks is 97 days, giving threat actors an opportunity to exploit this 'window of vulnerability', explained Alex Holland, the senior malware analyst with the HP Wolf Security threat research team. 

"While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less-knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums," Holland said.

"Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor."

Unfortunately, some major platforms like OneDrive are allowing attackers to conduct 'flash in the pan' attacks. Although malware hosted on such platforms is generally taken down quickly, this does not deter attackers, because they can often achieve their goal of deploying malware in the few hours the links are live, Holland explained.

"Some threat actors are changing the script or file type they are using every few months. Malicious JavaScript and HTA files are nothing new, but they are still landing in employee inboxes, putting the enterprise at risk. One campaign deployed Vengeance Justice Worm, which can spread to other systems and USB drives," Holland added. 

Additionally, the researchers discovered threat actors abusing cloud and web providers to host malware, as well as multiple malware families being hosted on Discord and other gaming-oriented social platforms.

With cyber-attacks increasing by the day, Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., believes that companies cannot keep relying on detection alone. In his view the threat landscape is too dynamic and, as the analysis of captured threats shows, attackers are continually evolving to bypass detection tools.

"Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads. This will eliminate the attack surface for whole classes of threats while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services," Pratt said.

Yanluowang Ransomware Deployed in Latest Attacks


Yanluowang (named after one of the ten Chinese rulers of hell, Yanluo Wang) is a newly created ransomware strain that has been identified attacking a high-profile company.

The Yanluowang ransomware was detected during an incident at an undisclosed large organization, after unusual activity involving the legitimate AdFind command-line Active Directory query tool was identified. Malicious actors frequently use AdFind for reconnaissance, such as gathering the information needed to move laterally across their victims' networks.

The new strain was found by Symantec's Threat Hunter Team (part of Broadcom), and at first glance it stands out because of its unusual name, derived from the Chinese deity Yanluo Wang. In Chinese mythology he was the God of Death and ruler of the Fifth Court of Diyu (Diyu being the Chinese hell). The name appears to come from the extension the ransomware appends to the files it encrypts on affected computers.

Within days of the investigators finding the suspicious AdFind activity, the attackers tried to distribute their ransomware payloads throughout the compromised organization's network. Before spreading the ransomware to compromised computers, the threat actors ran a malicious precursor tool that does the following: creates a .txt file listing the remote computers to be checked, as given on the command line; uses Windows Management Instrumentation (WMI) to obtain a list of the processes running on the remote computers named in that .txt file; and finally logs all of the processes and remote machine names to processes.txt.

Once the ransomware itself is launched, it suspends hypervisor virtual machines, terminates the processes harvested by the precursor tool (including SQL and Veeam processes), and encrypts files, appending the ".yanluowang" extension.

On the compromised machine, the Yanluowang gang leaves a README.txt ransom note advising victims not to contact law enforcement or ransomware negotiation firms.

Violating the attackers' rules, the note warns, will lead to distributed denial of service (DDoS) attacks against the victim and to the attackers contacting the victim's employees and business partners. They also threaten to repeat the attack in a few weeks and to delete the victim's data, a typical tactic used to coerce victims into paying.

Experts Warn of Unsecured Prometheus Endpoints Leaking Sensitive Data


Large-scale unauthenticated scraping of publicly reachable, unsecured endpoints of the Prometheus monitoring and alerting service, particularly on older versions, can unintentionally expose sensitive data, according to new research.

JFrog researchers Andrey Polkovnychenko and Shachar Menashe stated in a report, "Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven't yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data."

Prometheus is an open-source system monitoring and alerting toolkit that collects and processes metrics from various endpoints, allowing easy analysis of software metrics such as memory usage, network usage, and application-specific metrics such as the number of failed logins to a web application.

With the release of version 2.24.0 in January, support for Transport Layer Security (TLS) and basic authentication was added. 

The findings are the result of a methodical sweep of publicly exposed Prometheus endpoints that were reachable from the Internet without any authentication. The metrics discovered revealed software versions and hostnames, which the researchers said intruders could use to reconnoitre a target environment before exploiting a specific server, or for post-exploitation activity such as lateral movement.

The following are some of the endpoints and information disclosed: 
  • /api/v1/status/config - Leakage of usernames and passwords provided in URL strings from the loaded YAML configuration file 
  • /api/v1/targets - Leakage of metadata labels, including environment variables as well as user and machine names, added to target machine addresses 
  • /api/v1/status/flags - Leakage of usernames when providing a full path to the YAML configuration file 
An attacker can use the "/api/v1/status/flags" endpoint to read the status of two administrative interfaces — "web.enable-admin-api" and "web.enable-lifecycle" — and, if they have been manually enabled, abuse them to delete all stored metrics and, in the worst case, shut down the monitoring server. Notably, both endpoints have been disabled by default since Prometheus 2.0 for security reasons.

As per JFrog, around 15% of the Internet-facing Prometheus endpoints had the API management setting activated, and 4% had database management enabled. A total of around 27,000 hosts were found through a search on the IoT search engine Shodan. 

In addition to advising organisations to "query the endpoints [...] to help verify if sensitive data may have been exposed," the researchers noted that advanced users who require stronger authentication or encryption than Prometheus itself provides can place a separate network component, such as a reverse proxy, in front of it to handle the additional security.
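The researchers' advice above is to query the status endpoints of your own servers and check what they give away. The following is an added example (not JFrog's or the Prometheus project's code) that audits the JSON bodies of /api/v1/status/flags and /api/v1/status/config for the three things discussed: the admin and lifecycle flags being switched on, a user name leaking through the config file path, and credentials embedded in URLs or left unredacted in the loaded YAML. The sample responses are constructed; only the flag names and endpoint paths come from Prometheus.

```python
import json
import re
from urllib.request import urlopen

# Prometheus flags whose value "true" exposes destructive endpoints (flag names as used by Prometheus).
RISKY_FLAGS = {
    "web.enable-admin-api": "admin API enabled: unauthenticated callers can delete stored series",
    "web.enable-lifecycle": "lifecycle API enabled: unauthenticated callers can reload or shut down the server",
}
# user:password@ inside any URL, the form that leaks through /api/v1/status/config.
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://([^\s/:@]+):([^\s/@]+)@", re.I)
# Secret-valued keys; Prometheus prints "<secret>" for redacted values, anything else is exposed.
SECRET_LINE_RE = re.compile(r"^\s*(password|bearer_token|secret_key):\s*(\S+)", re.M)
HOME_PATH_RE = re.compile(r"/(?:home|Users)/([^/\s]+)/")


def fetch_status(base_url: str, what: str) -> dict:
    """Live lookup of /api/v1/status/<what> on a server you administer (not used by the sample run)."""
    with urlopen(f"{base_url.rstrip('/')}/api/v1/status/{what}", timeout=10) as resp:
        return json.load(resp)


def audit_flags(flags_response: dict) -> list:
    """Findings from a /api/v1/status/flags body: admin/lifecycle switched on, user name in config path."""
    findings = []
    data = flags_response.get("data", {})
    for flag, why in RISKY_FLAGS.items():
        # Flag values are returned as strings ("true"/"false").
        if str(data.get(flag, "false")).lower() == "true":
            findings.append(f"{flag}: {why}")
    m = HOME_PATH_RE.search(data.get("config.file", ""))
    if m:
        findings.append(f"config.file reveals local user name '{m.group(1)}'")
    return findings


def audit_config(config_response: dict) -> list:
    """Findings from a /api/v1/status/config body: credentials embedded in URLs or left unredacted."""
    findings = []
    yaml_text = config_response.get("data", {}).get("yaml", "")
    for m in URL_CRED_RE.finditer(yaml_text):
        findings.append(f"credentials for user '{m.group(1)}' embedded in a URL")
    for m in SECRET_LINE_RE.finditer(yaml_text):
        if m.group(2) != "<secret>":
            findings.append(f"plain-text value for '{m.group(1)}'")
    return findings


def audit_all(flags_response: dict, config_response: dict) -> dict:
    """Combined report; web.config.file being empty means no TLS/basic-auth config is loaded."""
    return {
        "flags": audit_flags(flags_response),
        "config": audit_config(config_response),
        "web_config_file_set": bool(flags_response.get("data", {}).get("web.config.file")),
    }


# Constructed sample responses in the shape Prometheus returns (not captured from any real server).
SAMPLE_FLAGS = {"status": "success", "data": {
    "web.enable-admin-api": "true",
    "web.enable-lifecycle": "false",
    "web.config.file": "",
    "config.file": "/home/alice/prometheus/prometheus.yml",
}}
SAMPLE_CONFIG = {"status": "success", "data": {"yaml": (
    "global:\n  scrape_interval: 15s\n"
    "remote_write:\n- url: https://metrics-user:Str0ngPass@push.example.invalid/api/v1/write\n"
    "scrape_configs:\n- job_name: app\n  basic_auth:\n    username: scraper\n    password: <secret>\n"
)}}

if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_FLAGS, SAMPLE_CONFIG), indent=2))
```

For a live server, replace the samples with `fetch_status(url, "flags")` and `fetch_status(url, "config")`; an empty `web.config.file` means the TLS and basic-auth support added in 2.24.0 is not in use.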

DocuSign Phishing Campaign is Aimed Against Lower-Level Employees


Phishing attacks involving non-executive staff with access to sensitive corporate information are on the rise. According to Avanan researchers, non-executives were impersonated in half of all phishing emails reviewed in the previous several months, while 77% targeted employees at the same level. 

Previously, phishing attacks aimed to fool senior business people, with phishing actors impersonating CEOs and CFOs. After gathering the appropriate information, attackers pose as the company's CEO or another high-ranking official and email finance personnel requesting money transfers to an account they control.

"Security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. At the same time, non-executives still hold sensitive information and have access to financial data. Hackers realized, there is no need to go all the way up the food chain," researchers said. 

This made sense because orders and urgent requests sent in the name of a high-ranking employee increase the likelihood that the recipient complies. As CEOs became more alert and security teams in large firms built additional safeguards around those "important" accounts, phishing actors switched to lower-ranking individuals, who can nonetheless serve as excellent entry points into corporate networks.

In their emails, the malicious actors suggest using DocuSign as an alternative signing option, prompting recipients to enter their credentials in order to read and sign the document. These emails are not from DocuSign, despite the fact that they appear to be.

DocuSign, Inc. is an American firm based in San Francisco, California that helps businesses handle electronic contracts. DocuSign's Agreement Cloud includes eSignature, which allows users to sign documents electronically on a variety of devices. DocuSign has over a million customers and hundreds of millions of users across the globe. DocuSign's signatures, including EU Advanced and EU Qualified Signatures, are consistent with the US ESIGN Act and the European Union's eIDAS regulation. 

In August, rather than spoofing DocuSign notifications, phishing scammers were signing up for free accounts with the cloud-based document signature service and compromising other people's accounts, according to researchers, in order to fool email recipients into clicking on malicious links.

When an email appears in your inbox, it is vital to read it carefully for any signs of fraud. According to the researchers, unsolicited files, spelling errors, and requests for your credentials should all be treated with caution. Phishing attempts based on DocuSign are not new, and several threat actors have taken advantage of them to steal login passwords and deliver malware.

Russia and the United States have submitted a joint resolution on cybersecurity to the UN General Assembly

Russia and the United States have put forward a joint resolution to the United Nations General Assembly on responsible state behavior in cyberspace. More than 50 UN member States joined the document as co-authors.

In the document, the countries commit to joining efforts in developing rules or binding norms of responsible state behavior in cyberspace.

Previously, the rules of online behavior in the UN were developed in two groups — in the Group of Governmental Experts recreated by the United States (GGE, 25 countries) and the Open-ended Working Group launched on the initiative of Russia (OEWG). Russia and the United States are part of both groups, but Moscow promoted the OEWG, and Washington supported the GGE. Thus, countries acted as rivals in cyber issues. Last week, the delegations of Russia and the United States presented a draft resolution during informal consultations at the UN. Now the work on the rules will continue in one format — the OEWG.

Andrei Krutskikh, Russian presidential special envoy for international cooperation on information security and director of the Foreign Ministry's International Security Department, presenting the resolution at a meeting at the UN, said that it was a “historic moment.”

The resolution notes that all States are interested in promoting the use of information and communication technologies (ICT) for peaceful purposes, as well as in preventing conflicts arising from their use. It states that a number of States are engaged in building ICT capacity for military purposes, and the use of ICT in future conflicts is becoming increasingly likely. Potential ICT-related malicious acts targeting critical infrastructure are of particular concern.

In Russia, according to the federal law adopted in 2017, 13 sectors of the economy are classified as critical infrastructure, including the banking sector, defense industry enterprises, transport facilities, healthcare, and others. 

Verizon’s Visible Network Acknowledges Credential Stuffing Attack


Visible, an all-digital wireless carrier, has finally acknowledged that attackers gained access to customer accounts last week. However, the firm denied rumors of any intrusion into its backend infrastructure.

The US-based firm, which is owned by Verizon, acknowledged the attack after multiple users complained on Reddit and other social media sites that attackers had hijacked their Visible accounts, changed login passwords, updated shipping addresses, and then bought new smartphones charged to the compromised accounts.

After facing severe criticism, a Visible spokesperson came forward and confirmed the attack in a Twitter thread, writing that the company was "aware of an issue in which some member accounts were accessed and/or charged without their authorization."

"As soon as we were made aware of the issue, we initiated a review and deployed tools to mitigate the issue, enabling additional controls to further protect our members. Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts," the company claimed. 

The carrier is now urging affected customers to contact them and change the account password immediately. 

"I spotted a $1,175.85 charge to my account coming from Visible. Upon examining further, I discovered a 128GB iPhone 13 Pro Max that had been purchased and sent to an address in New York City, far away from my home in the DC/Virginia area," one of the company's customers wrote on Reddit.

"Visible basically offered nothing. I asked them what the hell is this, and they asked me if I had the order number. I said no, since my entire account was hijacked and the emails don't come to me. I asked if I can be given access to my account again, and they said 'We're not sure.' I should be hearing back within 24-48 hours," the user wrote.

In a later message on Reddit, the company denied any breach or exploit of its systems, stating that only "a small number of member accounts was changed without their authorization. We don't believe that any Visible systems have been breached or compromised, nor that this unauthorized access to your Visible account is ongoing."

"However, for your protection, we recommend you review your account contact information and change your password and security questions to your Visible account. We also recommend that you review any other accounts that share the same email, login, or password, and make any changes you determine necessary to secure those accounts," the firm advised. 

Earlier this year, in August, cybercriminals breached T-Mobile's systems, exposing the sensitive information of more than 50 million current, former, and prospective customers. Incidents like these show that cybercriminals are growing bolder and do not hesitate to go after large firms.

Ad-Blocker Developed to Block Ads, Ironically Injects them in Google Search Pages


According to the latest research by cybersecurity firm Imperva, a new deceptive ad injection campaign has been discovered that uses an ad blocker extension for the Google Chrome and Opera browsers to surreptitiously inject advertisements and affiliate codes into websites.

The discovery came after the researchers found rogue websites spreading an ad injection script in late August 2021, which they linked to an extension named AllBlock. The extension has since been removed from the Chrome Web Store and the Opera add-ons store.

Although AllBlock does block advertisements as intended, it also injects JavaScript code into each new tab opened in the browser. That code collects all the links on a web page, especially on search engine results pages, and sends them to a remote server, which responds with a list of sites to substitute for the genuine links. The result is that the victim is diverted to a different page when clicking a link.

"When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link," Imperva researchers Johann Sillam and Ron Masas said. "Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place." 

AllBlock additionally employs several anti-detection measures, such as clearing the debug console every 100ms and excluding major search engines from its link rewriting. According to Imperva, the AllBlock extension is likely part of a wider distribution effort that may have used additional browser extensions and delivery mechanisms, with links to a prior PBot campaign based on overlapping domain names and IP addresses.

"Ad injection is an evolving threat that can impact almost any site. Attackers will use anything from browser extensions to malware and adware installed on visitors' devices, making most site owners ill-equipped to handle such attacks," Sillam and Masas said. 

This case is yet another reminder of the need to choose browser extensions carefully and to install only those that are actually required.

AllBlock has received positive user reviews because its ad-blocking functionality genuinely works. That is precisely what makes it deceptive: users have no reason to suspect the extension that blocks their ads is also rewriting their links.

This Malware Botnet Gang has Made Millions With a Surprisingly Simple Trick


MyKings, a long-running botnet, is still active and has generated at least $24.7 million by using its network of compromised computers to mine for cryptocurrencies. 

Also known as Smominru and Hexen, it is the world's largest botnet focused on mining cryptocurrency with the CPUs of its victims' desktop and server computers. It is a profitable business that gained notoriety in 2017 after infecting more than half a million Windows machines to mine $2.3 million of Monero in a month.

Security firm Avast has now verified that its operators have received at least $24.7 million in cryptocurrency, transferred to Bitcoin, Ethereum, and Dogecoin accounts. It states, however, that the majority of this was earned by the group's 'clipboard stealer module.' When this module detects that a cryptocurrency wallet address has been copied (for example, to make a payment), it replaces it with a wallet address controlled by the group.

The clipboard stealer module first appeared in 2018; since the beginning of 2020, Avast says it has blocked the MyKings clipboard stealer on 144,000 computers.

According to research by the security firm Sophos, the clipboard stealer, a trojan, monitors the PC for the use of various cryptocurrency wallet address formats. It works because users frequently copy and paste the rather lengthy wallet IDs instead of typing them.

Sophos noted in a report, "This method relies on the practice that most (if not all) people don't type in the long wallet IDs rather store it somewhere and use the clipboard to copy it when they need it. Thus, when they would initiate a payment to a wallet, and copy the address to the clipboard, the Trojan quickly replaces it with the criminals' own wallet, and the payment is diverted to their account." 

Sophos did note, however, that the coin addresses it discovered "hadn't received more than a few dollars," implying that coin theft was a tiny component of the MyKings operation at the time. Sophos estimated that the crypto-mining part of the operation generated around $10,000 per month in October 2019.

Avast now claims that MyKings is making significantly more money from the clipboard trojan, after expanding the list of 49 coin addresses identified in Sophos' investigation to over 1,300 coin addresses.

According to Avast, the clipboard stealer's contribution may be far greater than Sophos uncovered. Avast researchers explain in a report, "This malware counts on the fact that users do not expect to paste values different from the one that they copied. It is easy to notice when someone forgets to copy and paste something completely different (e.g. a text instead of an account number), but it takes special attention to notice the change of a long string of random numbers and letters to a very similar looking string, such as crypto wallet addresses."

"This process of swapping is done using functions OpenClipboard, EmptyClipboard, SetClipboardData and CloseClipboard. Even though this functionality is quite simple, it is concerning that attackers could have gained over $24,700,000 using such a simple method." 

Comments from users on Etherscan who say they mistakenly sent funds to accounts covered in Avast's study provide circumstantial evidence that the clipboard stealer is indeed effective.

Avast recommended that people should always double-check transaction details before sending money.
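The reports above make two points worth turning into code: a swapped address is itself a valid address, so format or checksum validation alone cannot catch the swap, and the only reliable check is comparing what the user intends to pay with what is actually about to be pasted. The following added example (not Avast's or Sophos' code) implements a paste-time guard for a wallet application: it validates Bitcoin P2PKH addresses by Base58Check, recognises Ethereum addresses by format, and reports a swap when the copied address and the clipboard content are both valid addresses of the same kind but differ. It assumes the application records what the user copied (for example in its own copy handler); the addresses are constructed from hashes of fixed strings, not real wallets.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def b58encode(raw: bytes) -> str:
    """Base58 encoding; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def p2pkh_address(hash160: bytes) -> str:
    """Build a mainnet P2PKH address (version byte 0x00) from a 20-byte hash."""
    payload = b"\x00" + hash160
    return b58encode(payload + checksum(payload))


def is_valid_btc_address(s: str) -> bool:
    """Base58Check validation: 25 bytes, last 4 are the double-SHA256 checksum of the first 21."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]


def address_kind(s: str):
    """'eth', 'btc' or None; an attacker's substitute address passes these checks too."""
    s = s.strip()
    if ETH_RE.match(s):
        return "eth"
    if 26 <= len(s) <= 35 and s[0] in "13" and is_valid_btc_address(s):
        return "btc"
    return None


def check_paste(copied: str, clipboard_now: str) -> str:
    """Verdict for a paste-time guard in a wallet application.

    'ok'      - clipboard still holds what the user copied
    'swap'    - both values are valid addresses of the same kind but differ: the clipboard
                stealer pattern described by Sophos and Avast
    'changed' - clipboard differs for some other reason (ask the user to re-copy)
    """
    copied, clipboard_now = copied.strip(), clipboard_now.strip()
    if copied == clipboard_now:
        return "ok"
    k_copied, k_now = address_kind(copied), address_kind(clipboard_now)
    if k_copied is not None and k_copied == k_now:
        return "swap"
    return "changed"


# Constructed sample addresses: hash160 stand-ins derived from fixed strings, not real wallets.
WALLET_A = p2pkh_address(hashlib.sha256(b"constructed key A").digest()[:20])
WALLET_B = p2pkh_address(hashlib.sha256(b"constructed key B").digest()[:20])

if __name__ == "__main__":
    print(WALLET_A, is_valid_btc_address(WALLET_A))
    print("same address:", check_paste(WALLET_A, WALLET_A))
    print("substituted address:", check_paste(WALLET_A, WALLET_B))
```

The point the `swap` verdict makes is that `WALLET_B` is every bit as valid as `WALLET_A`; a guard that only validates the pasted address, or a user who only glances at it, sees nothing wrong.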

APT35 Continues Targeting Important US Citizens and Institutions


This year, the Google Threat Analysis Group (TAG) has noticed an increase in government-sponsored hacking. According to the data revealed in its blog post, Google has sent over 50,000 warnings of phishing and malware attempts to account holders so far in 2021, a 33% increase over the same period last year.

FireEye has tracked APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is an Iranian government-sponsored threat group that carries out long-term, resource-intensive operations to gather strategic intelligence. APT35 usually targets military, diplomatic, and government personnel in the United States and the Middle East, as well as organisations in the media, energy, and defense industrial base (DIB), engineering, business services, and telecommunications sectors.

Since 2017, APT35 has been targeting politicians, NGOs, government institutions, journalists, and academia under the names Ajax Security Team, Charming Kitten, and Phosphorus. During the 2020 elections, the group also attempted to target former US President Donald Trump's election campaign staff. 

Charming Kitten made 2,700 attempts to gather information about targeted email accounts in a 30-day period between August and September 2019, according to Microsoft. There were 241 attacks and four compromised accounts as a result of this. Despite the fact that the initiative was allegedly directed at a presidential campaign in the United States, none of the stolen accounts had anything to do with the election. Microsoft did not say who was directly targeted, although Reuters later reported that it was Donald Trump's re-election campaign. The fact that only the Trump campaign utilized Microsoft Outlook as an email client backs up this claim.

"For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government," Google said.

Phishing emails carrying malicious URLs are the most common approach employed by APT35. In early 2021, for example, APT35 compromised a website affiliated with a UK university, hosted a phishing kit on it to collect user credentials, and began sending out emails linking to the site. Recipients were instructed to log in via the link in order to attend a fictitious webinar.

APT35 also attempted to use the Google Play Store to distribute spyware disguised as a VPN client. If the app is installed on the phone, it can gather SMS and call records, as well as location data and contacts. The attempt was thwarted when Google removed the app from the Play Store.

Russia-Linked TA505 Targets Financial Organizations in MirrorBlast Phishing Campaign


Russia-based threat group TA505 is deploying a weaponized Excel document in a new malware campaign, tracked as MirrorBlast, targeting financial organizations. 

According to cybersecurity experts at Morphisec Labs, the most significant feature of the new MirrorBlast campaign is the low detection rate of its malicious Excel documents by security software, which puts organizations that rely solely on detection tools at high risk.

Evasive technique 

The operators of the campaign use phishing emails to mount the first phase of their attack. The initial email contains an Excel document carrying a macro. The macro, which can only execute on 32-bit versions of Office because of ActiveX compatibility issues, is a lightweight piece of code designed to bypass detection.

"The macro code performs anti-sandboxing by checking if these queries are true: computer name is equal to the user domain; and username is equal to admin or administrator," the researchers explained. "We have observed different variants of the document; in the first variants there wasn’t any anti-sandboxing and the macro code was hidden behind the Language and Code document information properties. Later it moved to the sheet cells. In addition, the code has added one more obfuscation layer on top of the previous obfuscation." 

Once the macro runs, it executes JScript, which spawns the msiexec.exe process responsible for downloading and installing an MSI package. The dropped MSI package comes in two variants, one written in REBOL and one in KiXtart, according to the researchers, who analyzed several samples of it.

Subsequently, the MSI package sends the machine's information to a command and control (C2) server, including the computer name, user name, and a list of running processes. The C2 server then responds with a code telling the malware how to proceed. The campaign also uses a Google feed proxy URL with a fraudulent message requesting that the user open a SharePoint or OneDrive file, which helps the attackers evade detection, Morphisec said.

Since September 2021, the campaign has targeted multiple institutions in Canada, the US, Hong Kong, and Europe. Morphisec tied the attack to TA505, an active Russian threat group that has been operating since 2014 and has a long history of creativity in the way it weaponizes Excel documents for phishing campaigns.

Researchers attributed this campaign to TA505 based on several aspects of the attack, including the infection chain and the installer script. It also uses domain names similar to those of other TA505 attacks, and one sample's MD5 hash matches a sample used in another of the group's operations.