Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Ukraine
Cyber Attacks Cyberspace Data Theft Network Threats Russia Ukraine

IsaacWiper, The Third Wiper Spotted Since the Beginning of The Russian Invasion

 

Recently, ESET cyber researchers have discovered a new data wiper, named as IsaacWiper, that is being used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine. 

After the HermeticWiper attack, the new wiper came to light on 24th February within an organization that was not infected with the HermeticWiper malware (aka KillDisk.NCV), which contaminated hundreds of machines in the country on February 23. 

The cybersecurity firms ESET and Broadcom’s Symantec have discovered that the infections followed the DDoS attacks against various Ukrainian websites, including the Cabinet of Ministers, Ministry of Foreign Affairs, and Rada. 

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper,” Jean-Ian Boutin, ESET Head of Threat Research, said. In a new blog post, the company stated that the IsaacWiper attack likely “started shortly after the Russian military invasion and hit a Ukrainian governmental network.” 

The organization has revealed the technical details of the second attack on 1st March. It said that based on the observations it looks like the attacks were planned for months, though the organization did not name any particular entity or group for the attack. IsaacWiper and HermeticWiper have no code similarities and the former is less sophisticated than the latter. 

Once the network is infected, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. 

Then IsaacWiper wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator. The ESET has published concluded analysis report,  saying that “at this point, we have no indication that other countries were targeted. However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entity.” 
Read more »
Website Hacked
Cyber Attacks DDoS DDOS Attacks DDoS Flaw User Security Website Attack Website Hacked

DoS Attackers are Employing ‘TCP Middlebox Reflection’ to Knock Websites Offline

 


Distributed denial-of-service (DDoS) hackers are employing a new amplification technique called TCP Middlebox Reflection to target websites. Last week, researchers at Akamai, a content distribution network firm, detected the novel attack methodology for the first time in the wild, six months after the technique was published in theory. 

"The attack […] abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim machine, creating a powerful DDoS attack," Akamai researchers stated in a blog post. "This type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint."

Generally, most DDoS assaults exploit the User Datagram Protocol (UDP) to amplify packet delivery by sending packets to a server that replies with a larger packet size, which is then forwarded to the victim. In these attacks, the attacker sends thousands of DNS or NTP requests containing a fake source IP address to the victim, causing the destination server to return the responses back to the spoofed address in an amplified manner that exhausts the bandwidth issued to the target. 

The amplification technique was published in a research paper in August 2021, which showed that malicious actors could exploit middleboxes such as firewalls via TCP to magnify denial of service attacks.  

While UDP reflection vectors DoS amplification attacks have traditionally been used in DoS amplification assaults due to the protocol’s connectionless nature. The novel attack approach exploits TCP non-compliance in middleboxes such as deep packet inspection (DPI) tools to launch TCP-based reflective amplification assaults.  

The first wave of this novel campaign is said to have occurred around February 17, targeting Akamai customers across banking, travel, gaming, media, and web hosting industries with high amounts of traffic that peaked at 11 Gbps at 1.5 million packets per second (Mpps).  

"The vector has been seen used alone and as part of multi-vector campaigns, with the sizes of the attacks slowly climbing," Chad Seaman, lead of the security intelligence research team (SIRT) at Akamai, explained.  

The basic thought of attackers with TCP-based reflection is to exploit the middleboxes that are used to enforce censorship laws and enterprise content filtering policies by sending specially designed TCP packets to trigger a volumetric response. Indeed, in some cases, Akamai noted that a single SYN packet with a 33-byte payload triggered a 2,156-byte response, effectively achieving an amplification factor of 65x (6,533%).  

"The main takeaway is that the new vector is starting to see real world abuse in the wild. Typically, this is a signal that more widespread abuse of a particular vector is likely to follow as knowledge and popularity grows across the DDoS landscape and more attackers begin to create tooling to leverage the new vector,” Seaman explained.
Read more »
Vulnerabilities and Exploits
Bugs Flaw Google Google Flaws Security flaw Vulnerabilities and Exploits

Google WAF Circumvented Via Oversized POST Requests

 

It is possible to circumvent Google's cloud-based defences due to security flaws in the default protection offered by the company's web application firewall (WAF). 

Researchers from security firm Kloudle discovered that by sending a POST request larger than 8KB, they were able to get beyond the web app firewalls on both Google Cloud Platform (GCP) and Amazon Web Services (AWS). 

“The default behaviour of Cloud Armor, in this case, can allow malicious requests to bypass Cloud Armor and directly reach an underlying application,” according to Kloudle. 

"This is similar to the well-documented 8 KB limitation of the AWS web application firewall, however, in the case of Cloud Armor, the limitation is not as widely known and is not presented to customers as prominently as the limitation in AWS.” 

Even if an underlying application is still susceptible, WAFs are designed to guard against web-based attacks like SQL Injection and cross-site scripting. If a targeted endpoint accepts HTTP POST requests "in a manner that could trigger an underlying vulnerability," bypassing this safeguard would bring a potential attacker one step closer to attacking a web-hosted application. 

Kloudle explains in a technical blog post,“This issue can be exploited by crafting an HTTP POST request with a body size exceeding the 8KB size limitation of Cloud Armor, where the payload appears after the 8192th byte/character in the request body." 

Google's Cloud Armor WAF comes with a collection of predefined firewall rules based on the OWASP ModSecurity Core Rule Set, which is open source. The possible attack vector can be blocked by setting a custom Cloud Armor rule to block HTTP requests with request bodies larger than 8192 bytes - a general rule that can be customised to accommodate defined exceptions. 

Even though AWS' WAF has similar issues, Kloudle faulted GCP for neglecting to notify customers about the problem. According to the researchers, other cloud-based WAFs have comparable drawbacks. 

Kloudle told The Daily Swig: “This is part of ongoing work… so far, we have seen request body limitations with Cloudflare, Azure, and Akamai as well. Some have 8KB and others extend to 128KB.” 

In response to questions from The Daily Swig, a Google spokesperson stated that the 8KB restriction is stated in the company's documentation. Kloudle's representative expressed concern over security and functionality. 

The representative explained, “Perimeter security software is hard. I suspect in this case 8KB limit allows them to reliably process other WAF rules. They could be doing more for developer awareness, including adding that rule by default with the option to disable in case someone wants to. As per the shared security responsibility model they put the onus on the end-user to use the service securely.”  

Kloudle's representative expressed sympathy for the security and functionality trade-offs that cloud providers must make but suggested to The Daily Swig that cloud providers could do more to educate consumers about the issue.
Read more »
Vulnerability and Exploits
CVE vulnerability High Severity Bugs IP Address Medical Sector Security flaw Vulnerability and Exploits

Decade-Old Critical Vulnerabilities Might Affect Infusion Pumps

 

According to scans of over 200,000 infusion pumps located on the networking of healthcare providers and hospitals, increasing numbers of gadgets are vulnerable to six critical-severity issues (9.8 out of 10) reported in 2019 and 2020.

According to Palo Alto Networks experts, 52% of scanned devices are vulnerable to two significant security issues discovered in 2019: CVE-2019-12255 (CVSS score of 9.8) and CVE-2019-12264 (CVSS score of 9.8). (CVSS score of 7.1) In a research report, the business stated over 100,000 infusion pumps were vulnerable to older, medium-severity issues (CVE-2016-9355 and CVE-2016-8375). 

"While some of these vulnerabilities and alerts may be difficult for attackers to exploit unless it is physically present in an organization," the researchers added, "all represent a potential risk to the general security of healthcare organizations and the safety of patients – particularly in situations where threat actors may be motivated to devote additional resources to attacking a target." 

Wind River, the company which supports VxWorks RTOS, has patched all URGENT/11 concerns since July 19, 2019. However, in the embedded device world, large delays in applying patches or not applying them at all are well-known issues. The last five critical-severity bugs that were discovered in June 2020, affect items made by the American healthcare corporation Baxter International. 

Malicious misuse of software security flaws might put human lives in danger, according to the firm. Infusion pumps are used to give medications and fluids to patients, and the company cautioned how malicious exploitation of software security flaws could put human lives at risk. The majority of the discovered flaws can be used to leak sensitive information and gain unauthorized access. Bugs that lead to the release of sensitive information harm not only infusion pumps, but also other medical devices, and may affect credentials, operational information, and patient-specific data.

Another area of concern is the use of third-party modules which may have security flaws. CVE-2019-12255 and CVE-2019-12264, for example, are significant vulnerabilities in the IPNet TCP/IP stack utilized by the ENEA OS of Alaris Infusion Pumps, according to the researchers. 

"Overall, most of the typical security alerts triggered on infusion systems imply avenues of attack which the device owner should be aware of," the security experts told. "For example, via internet access or default login and password usage."Given some infusion pumps are utilized for up to ten years, healthcare practitioners seeking to protect the security of devices, data, and patient information should consider the following.
Read more »
Ukraine
cyber threat Russia Technology Ukraine

Tesla CEO Musk Issues Warning Regarding the Use of Starlink Terminals in Ukraine

 


The CEO of the electric vehicle manufacturer Tesla (TSLA) SpaceX chief Elon Musk has issued a warning regarding the future of Starlink satellite broadband service in Ukraine, given the current scenario of uncertainty in the country post the Russian invasion. 
 
In his warning message on Twitter, Elon Musk wrote there is a high chance of the Starlink satellite internet service being targeted. It is worth noting that internet connectivity in Ukraine plummeted by 20% on 26 February, according to a report from Reuters. "Important warning: Starlink is the only non-Russian communications system still working in some parts of Ukraine, so probability of being targeted is high. Please use with caution," Musk tweeted.  
 
Elon Musk’s SpaceX activated the Starlink internet service in Ukraine after the country’s minister of digital transformation and first Vice Prime Minister, Mykhailo Fedorov, requested Musk to send Starlink stations because of the Russian invasion had crippled the country’s internet service considerably.  
 
The terminals resembling home satellite dishes arrived in the country in less than 48 hours. Moreover, the technology is apparently working as advertised, and the Ukrainian government has thanked the Tesla CEO for his assistance.   
 
However, multiple skeptics claimed that Musk was using the invasion of Ukraine as a publicity stunt. One Twitter user asked if the technology could really be under the threat of a Russian cyberattack. Musk clarified that it did already happen to all Viasat Ukraine user terminals on the first day of the Russian invasion of Ukraine.  
 
Starlink antennas that resemble home satellite television dishes, are not designed to be used while in motion, and it was not clear what Musk meant by the tweet, Tim Farrar, a consultant in satellite communications, stated. 
 
Musk's warning comes after John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab project, tweeted last week that Russian President Vladimir Putin controls the “air above” so that users’ uplink transmissions become viable targets for airstrikes.  
 
Additionally, security researcher Nicholas Weaver from the University of California at Berkeley stated that every Ukrainian citizen using a Starlink device should consider Starlink a “potential giant target.” That’s because if Russia uses a specialized plane aloft, it can easily get detected and target the location, putting the user at high risk.
Read more »
User Security
Data Breach Data Expose Data Leak data security Ransom Samsung User Data User Privacy User Security

Hackers Expose 190GB of Alleged Samsung Data

 

Hackers that exposed secret information from Nvidia have now turned their attention to Samsung. The hacker group known as Lapsus$ is suspected of taking 190GB of data from Samsung, including encryption and source codes for many of the company's new devices. 

On Saturday, hackers launched an attack on Samsung, leaking critical data collected through the attack and making it accessible via torrent. The hackers shared the complete data in three sections in a note to their followers, as seen by Bleeping Computer, along with a text file that details the stuff available in the download. 

The exposed material includes "source code from every Trusted Applet" installed on every Samsung smartphone, as per the message. It also includes "confidential Qualcomm source code," algorithms for "all biometric unlock operations," bootloader source code for the devices, and source codes for Samsung's activation servers and Samsung account authentications, including APIs and services. 

In short, the Lapsus$ attack targets Samsung Github for critical data compromise: mobile defence engineering, Samsung account backend, Samsung pass backend/frontend, and SES, which includes Bixby, Smartthings, and store. 

The attack on Samsung comes after the cyber organisation attempted to extort money from Nvidia in a ransom scheme. It's worth noting that it's not a straightforward monetary request. Instead, the hackers have asked Nvidia to lift the restriction on Ethereum cryptocurrency mining that it has placed on its Nvidia 30-series GPUs. Nvidia's GPU drivers must be open-sourced forever, according to the hackers. 

The hackers are plainly looking for money from the disclosed data, as evidenced by the updates. For $1 million, one of them promised to sell anyone a bypass for the crypto nerf on Nvidia GPUs. Another communication from the group, according to The Verge, claimed that instead of making the data public, they are attempting to sell it straight to a buyer. 

Last Monday, Nvidia confirmed the breach, acknowledging a leak of "employee credentials" and "proprietary information." It, on the other hand, disputed that the attack was linked to the ongoing Russia-Ukraine crisis and claimed that the cyberattack would have no impact on its operations. 

As of currently, there are no reports of Lapsus$ demanding a similar ransom from Samsung. If they do, however, Samsung is likely to suffer a significant setback, especially given the type of data that the hacking group now claims to have access to.
Read more »
Sensitive data
cybercriminals Data Breach Data Theft Hackers Medical Data Leak Sensitive data

 Cyberattack Logan Health and Server Intrusion 

 

A sophisticated intrusion on the IT systems resulted in the compromise of a file server containing protected health information of Logan Health Medical Center which recently notified 213,543 patients, workers, and business associates warning the personal and health data may have been accessed by criminals.

Logan Health Medical Center, according to a letter, first observed evidence of illegal behavior on one of its servers on November 22, 2021. As a result, the hospital solicited the help of outside forensic experts to investigate the magnitude of the event and as to whether any sensitive personal information had been exposed. 

Logan Health CEO Craig Lambrecht reminded staff of its "vital responsibility in protecting patients' sensitive health information" in an email to employees, as well as a series of reminders on password security and responding with emails from unknown senders. 

Logan Health Medical Center confirmed on January 5, 2022, how an unauthorized party had gained access to files containing protected health information about specific staff and patients. On February 22, 2022, Logan Health began sending out data breach notification letters to all factions whose knowledge was contained in the affected files. 

After gaining access to a computer network, a cybercriminal can see and delete any data stored on the stolen servers. While most organizations can determine which files were accessed in the event of a data breach, it may not be able to determine which files the hacker really visited or whether any data was removed. 

The investigation into the Logan Health Medical Center data breach is still in its early stages. There is currently no proof of Logan Health being legally liable for the data breach. However, as more information about the breach surfaces, this could change. 

You can defend oneself from data theft or other forms of fraud by doing the following:

  • Determine what information has been tampered with.
  • Limit Who Has Access to Your Accounts in the future. 
  • Take steps to safeguard your credit and financial accounts.
  • Monitor your credit report and financial accounts regularly.
Read more »
Ukraine Websites
Anonymous Cyber Security Government Killnet RaHDit Russia Russia-Ukraine War Russian Hacker Ukraine Websites

Ukrainian Government Websites Shut Down due to Cyberattack

 

Ukrainian state authorities' websites have stopped working. At the moment, the website of the Ukrainian president, as well as resources on the gov.ua domain are inaccessible. 
According to the source, a large-scale cyberattack by the Russian hacker group RaHDit was the reason. A total of 755 websites of the Ukrainian authorities at the gov.ua domain were taken offline as a result of the attack. 

Hackers posted on government websites an appeal written on behalf of Russian soldiers to soldiers of the Armed Forces of Ukraine and residents of Ukraine. "The events of the last days will be the subject of long discussions of our contemporaries and descendants, but the truth is always the same! It is absolutely obvious that what happened is a clear example of what happens when irresponsible, greedy, and indifferent to the needs of their people come to power," they wrote. 

Another of the hacked websites published an appeal on behalf of Zelensky. In it, the President of Ukraine allegedly stated that he had agreed to sign a peace treaty with Russia. "This is not treason to Ukraine, to the Ukrainian spirit, it is exclusively for the benefit of the Ukrainian people," the banner said. 

The third message called on civilians to "refuse to support national radical formations formed under the guise of territorial defense." It was warned that any attempts to create armed gangs would be severely suppressed. In another announcement, Ukrainian soldiers were asked not to open fire on the Russian army and lay down their weapons: "Return fire will kill you. You are guaranteed life, polite treatment, and a bus home after the war." 

This information could not be confirmed. Currently, when entering government websites, it is reported that access to them cannot be obtained.

Earlier it became known that Russian hackers from the Killnet group hacked the website of the Anonymous group, which had previously declared a cyberwar against Russia. They urged Russians not to panic and not to trust fakes. 

On February 25, hackers from Anonymous announced their decision to declare a cyberwar against Russia due to the start of a special operation in the Donbas. The attackers attacked Russian Internet service providers and government websites. They also hacked the websites of major media outlets: TASS, Kommersant, Izvestia, Forbes, Mela, Fontanka. 

As a reminder, the special operation in Ukraine began in the morning of February 24. This was announced by Russian President Vladimir Putin.
Read more »
User Security
Cyber Attacks DDOS Attack security threat User Security

Imperva Mitigates 2.5 million RPS Ransom DDoS Assaults Targeting Unnamed Firm

 

Imperva, a cyber security software and services firm on Friday claimed it thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack targeting an unnamed company. 
 
According to Nelli Klepfish, a security analyst at Imperva, the company against which the DDoS assault was launched received multiple ransom notes during the attack. To prevent the loss of “hundreds of millions” in market cap and to remain online, the company paid the attackers in bitcoin.  
 
Imperva thwarted more than 12 million embedded requests targeting random pages of the firm’s site. The next day, the attackers sent over 15 million requests to the same site, however, this time the URL contained a different message. But the attackers employed similar methodology of threatening the company’s CEO for devastating consequences, such as the company’s stock price plummeting if they refuse to pay the ransom.  
 
The most devastating assault is said to have lasted less than a minute, in which researchers measured 2.5 million RPS (1.5Gbps of TCP traffic in terms of bandwidth) as the highest number of requests received.  
 
An identical attack was sustained by one of the sister sites operated by the same firm that lasted nearly 10 minutes, even as the attackers constantly changed their attack tactics and ransom notes to avert mitigation.  
 
Evidence gathered by Imperva points to the DDoS assaults originating from the MÄ“ris botnet, which has exploited a now-patched security loophole in Mikrotik routers (CVE-2018-14847) to strike targets, including Yandex, a Russia-based technology and search engine giant last September.  
 
"The types of sites the threat actors are after appear to be business sites focusing on sales and communications," Klepfish said. "Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price."  
 
Imperva unearthed about 34,815 sources of attack’s origin. In 20% of the cases Imperva discovered, the attackers launched 90 to 750 thousand RPS. Top attack sources attacks came from Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.  
 
Imperva reported an interesting fact that the attackers are claiming to be members of REvil, the infamous ransomware-as-a-service cartel that suffered a major setback after a number of its operators were arrested by Russian law enforcement agencies earlier this January. However, the researchers yet to confirm that the claims are made by the original REvil operators or some imposter.
Read more »
Threat actors
cyber analysis Cyber Attacks cybercriminals Malware Analyzers Privacy Sandbox Threat actors

 Is Malware Analysis Challenging?

 

To minimize the likelihood and possible effect of cyberattacks, security teams require greater detection and analytic capabilities. Despite this, companies are limited in their ability to detect and respond to advanced and targeted assaults due to a lack of qualified cybersecurity personnel, an overabundance of tools, and broken processes. 

To answer these questions, OPSWAT has released two new solutions which aim to minimize the time and effort required for manual analysis, eliminate the requirement for specialized expertise, and break down barriers across diverse tools and workflows: 

  • OPSWAT Sandbox 
  • MetaDefender Malware Analyzer

"Malware analysis is a vital tool for management teams looking to go beyond check-the-box compliance procedures toward the proactive threat management and crisis response programs," said OPSWAT CEO Benny Czarny. "Organizations are undertaking a change to keep ahead of skilled adversaries which are attacking vital infrastructure to remain abreast of these attacks." 

These tools work together to make malware analysis more intelligent, resulting in faster and more accurate results with less manual effort. MetaDefender Malware Analyzer is a unified, fully integrated platform for malware tool integration, analysis orchestration, playbook automation, and aggregated reporting across several analysis tools.

Finding, training, and retaining malware analysts is difficult for businesses — The most difficult aspect of hiring new employees is that there are not enough qualified prospects. As a result, the vast majority of businesses rely on their staff to learn malware analysis skills, despite the fact, almost half of them say it's difficult to find good training programs. Furthermore, these firms recognize the malware analysis function is understaffed - more than half reported worker burnout in the last 12 months, and far more than half reported active recruitment of existing teams. 

Malware analysis technologies are ineffective due to a lack of automation, integration, and accuracy  The lack of automated tools which are not integrated is the biggest problem with malware analysis tools. Without these features, malware analysis might devolve into a time-consuming and error-prone manual procedure involving many tools and workflows. Accuracy is the most critical criterion to consider when assessing malware analysis tools — only around a quarter of businesses are confident in their capacity to detect, investigate, and resolve malware attacks.
Read more »
Vulnerability and Exploits
Android Applications App vulnerability Data Breach student information system Vulnerability and Exploits

How a Simple Vulnerabilty Turned Out to be University Campus 'Master Key'

When Erik Johnson couldn't make his university's mobile student ID app work properly, he found a different way to get the job done. The app seems to be important, as it lets students in the university paying meals, get into events, and lock/unlock dormitory rooms, labs, and other facilities across campus. The app is known as getting Mobile, made by CBORD, it is a tech company that assists hospitals and universities by bringing access control and payment systems. 

However, Johnson, and other students who gave the app "1 star" due to poor performance, said that it was very slow in terms of loading time. It can be improvised. After studying the app's network data while unlocking his dorm room door, Johnson realized a way to mirror the network request and unlock doors via a one-tap shortcut button on the iPhone. To make it work, the shortcut needs to send an accurate location with the door unlock request, or the doors won't open. For security purposes, students have to be in certain proximity for unlocking doors via the app. 

It is done to avoid accidental door openings on the campus. To make it even better, Johnson decided to take his talents elsewhere too. CBORD has a list of API commands that can be used via student credentials. (API allows two things to interact, in our case, it's a mobile app and university servers that store data). Johnson identified a problem, here the API wasn't checking in case of valid student credentials. It meant that anyone could interact with the API and take control of other students' accounts, without having the need for passwords. 

As per Johnson, the API only looked for student ID (unique). Tech Crunch reports "Johnson described the password bug as a “master key” to his university — at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present — simply by sending back the approximate coordinates of the lock itself." As the bug was discovered in the API, it could affect other universities too. Johnson found a way to report the bug to CBORD, and it was resolved after a short time.
Read more »
Subscribe to: Comments (Atom)