Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Vulnerability and Exploits
CVE vulnerability Linux Kernel Malicious Code NSA QNAP Vulnerabilities and Exploits Vulnerability and Exploits

Several QNAP NAS Devices are Vulnerable by Dirty Pipe Linux Bug

 

The "Dirty Pipe" Linux kernel weakness – a high-severity vulnerability that offers root access to unprivileged users with local access in all major distros – affects a majority of QNAP's network-attached storage (NAS) appliances, the Taiwanese company stated. 

The Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, according to QNAP, is affected by Dirty Pipe, a recently revealed local privilege-escalation vulnerability. A local user with no access can get admin privileges and insert malicious code if this vulnerability is exploited. 

The flaw was identified and reported eight days ago by Max Kellermann of CM4all, a security researcher. The vulnerability, which has been identified as CVE-2022-0847, has been present in the Linux kernel since version 5.8. Fortunately, Linux kernels 5.10.102, 5.15.25, and 5.16.11 have been updated to address the issue. 

However, as Linux news site Linuxiac points out, Dirty Pipe is just not simply a threat to Linux machines: because Android is built on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. For example, Linuxiac cited the Google Pixel 6 and Samsung Galaxy S22: the widely used phones run on Linux kernel 5.10.43, making them susceptible.

"QNAP will hopefully deliver a kernel update for the vulnerability soon," Mike Parkin, a highly experienced engineer at Vulcan Cyber. "This is the storage device vendor's second recent incident," Parkin further pointed out in an email.

NAS devices that allow authorized users and customers to store and retrieve data from a single location boost productivity by providing cloud computing capabilities inside networks, according to Schless. Dirty Pipe has been compared to Dirty Cow by some; an older privilege escalation flaw (CVE-2016-5195) which has been in Linux for nine years — since 2007 – before it was publicly exploited in 2016 against web-facing Linux servers.

Dirty Pipe is a lot like Dirty Cow, except it's a lot worse as it's easy to take advantage of. According to Parkin, the vulnerability's mitigating element is whether it requires local access, which reduces the danger marginally. The Dirty Pipe flaw has also been fixed in the newest Linux kernel code. Furthermore, patches for the major distributions are expected to be available soon.
Read more »
User Security
Automotive Supplier Data Breach Ransomware group User Security

Automotive Components Supplier Denso Targeted by Pandora Ransomware Group

 

Automotive component supplier Denso on Monday confirmed that its group company in Germany's network suffered a cyber-attack after the Pandora ransomware gang began leaking sensitive details allegedly stolen during the assault. 

Denso, one of the world's largest automotive components manufacturers firms is a global supplier of automotive components, including those developed for autonomous vehicle features, connectivity, and mobility services. The company's clients include Toyota, Honda, General Motors, and Ford. 

On March 10, the company detected unauthorized access using ransomware at DENSO Automotive Deutschland GmbH, a group firm responsible for managing sales and engineering in Germany, Denso spokesperson told Reuters. After the breach was detected, DENSO cut down the exposed system from the network and ensured that no other systems inside the facility were impacted. 

While the incident is under investigation, Denso says that there is "no impact" on other facilities and no disruption has been caused to production plants or manufacturing schedules. The company has not shared any details regarding the attackers, a cybercrime group named Pandora has taken credit for the attack, claiming to have stolen 1.4 Tb of data. 

“After detecting the unauthorized entry, Denso promptly lower off the community connection of units that obtained unauthorized entry and confirmed that there isn’t an impression on different Denso,” the company mentioned in a press release. "Denso would like to express its sincerest apologies for any concern or inconvenience resulting from this incident. Denso Group will once again strengthen security measures and work to prevent a recurrence."

In an effort to support their claims, the attackers released samples of the stolen datasets, as well as several images of documents. Based on the samples published by threat actors, tens of thousands of documents, spreadsheets, presentations, and images have been exposed, including many that reference customers and employees. 

It remains unclear how malicious actors secured access to the company’s network, but after Pandora took responsibility for the attack, one researcher claimed he alerted the company a couple of months ago that attackers had been selling access to its network. 

The Pandora ransomware seems to be new, but security expert pancak3 believes that it is a rebranding of the Rook ransomware due to code similarities and packers used by the operation. A sample of the Pandora ransomware was spotted on VirusTotal by Intezer as Rook, suggesting code similarities.
Read more »
McAfee
Android Android Banking Trojan Antivirus Banking Phishing Google Google Play malware McAfee

Google Authenticator Codes for Android is Targeted by Nefarious Escobar Banking Trojan

 


'Escobar' virus has resurfaced in the form of a novel threat, this time targeting Google Authenticator MFA codes. 

The spyware, which goes by the package name com.escobar.pablo is the latest Aberebot version which was discovered by researchers from Cyble, a security research firm, who combed through a cybercrime-related forum. Virtual view, phishing overlays, screen captures, text-message captures, and even multi-factor authentication capture are all included in the feature set. 

All of these characteristics are utilized in conjunction with a scheme to steal a user's financial data. This malware even tries to pass itself off as McAfee antivirus software, with the McAfee logo as its icon. It is not uncommon for malware to disguise itself as a security software; in fact, it was recently reported that the malware was installed straight inside of a completely functional 2-factor authentication app. 

The malicious author is leasing the beta version of the malware to a maximum of five customers for $3,000 per month, with threat actors getting three days to test the bot for free. After development, the threat actor intends to raise the malware's price to $5,000. 

Even if the overlay injections are curtailed in some way, the malware has various other capabilities to make it effective against any Android version. In the most recent version, the authors increased the number of aimed banks and financial organizations to 190 entities from 18 countries. 

The malware asks a total of 25 rights, 15 of which are employed nefariously. To name a few, accessibility, audio recording, read SMS, read/write storage, acquiring account lists, disabling keylock, making calls, and accessing precise device locations. Everything the virus captures, including SMS call records, key logs, notifications, and Google Authenticator codes, is sent to the C2 server. 

It is too soon to gauge the popularity of the new Escobar malware among cybercriminals, especially given its exorbitant price. Nonetheless, it has grown in strength to the point that it can now lure a wider audience. 

In general, avoiding the installation of APKs outside of Google Play, utilizing a mobile security application, and ensuring the Google Play Protect is enabled on your device will reduce, the chances of being infected with Android trojans.
Read more »
Vulnerability and Exploits
Bugs Firewall Flaws Linux Vulnerabilities and Exploits Vulnerability and Exploits

This Linux Flaw in Netfilter Firewall Module Enables Attackers Gain Root Access

 

A local adversary might use a newly reported security vulnerability in the Linux kernel to acquire higher privileges on affected systems and execute arbitrary code, escape containers, or cause a kernel panic. 

Nick Gregory, a senior threat researcher at Sophos, uncovered the flaw. The vulnerability, identified as CVE-2022-25636 (CVSS score: 7.8), affects Linux kernel versions 5.4 through 5.6.10 and is caused by a heap of out-of-bounds written in the kernel's netfilter subcomponent. 

"This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat stated in an advisory published on February 22, 2022. Similar warnings have been released by Debian, Oracle Linux, SUSE, and Ubuntu. 

Netfilter is a Linux kernel framework that allows for packet filtering, network address translation, and port translation, among other networking-related tasks. CVE-2022-25636 is a vulnerability in the framework's handling of the hardware offload function, which might be exploited by a local attacker to cause a denial-of-service (DoS) or execute arbitrary code. 

Gregory said, "Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails. Additionally, while nftables requires CAP_NET_ADMIN, we can unshare into a new network namespace to get this as a (normally) unprivileged user." 

"This can be turned into kernel [return-oriented programming]/local privilege escalation without too much difficulty, as one of the values that are written out of bounds is conveniently a pointer to a net_device structure," Gregory added.
Read more »
TrickBot
Advisory CISA Conti Conti Ransomware malware Ransomware TrickBot

CISA Updates Conti Ransomware Alert with Around 100 Domain Names

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has upgraded the Conti ransomware advisory to include indications of compromise (IoCs) that comprise almost 100 domain names utilized in criminal operations. 

The advisory, which was first issued on September 22, 2021, contains facts about Conti ransomware assaults that attacked organizations in the United States, as observed by CISA and the Federal Bureau of Investigation (FBI). It's worth noting that the US Secret Service's data is included in the latest cybersecurity advisory. Internal data from the Conti ransomware operation began to surface at the end of February after the group publicly declared their support for Russia in the Ukraine invasion. 

The leak came from a Ukrainian researcher, who originally issued private messages exchanged by the members of the group and then released the source code for the ransomware, administrative panels, and other tools. Domains used in compromises with BazarBackdoor, the malware used to gain initial access to networks of high-value targets, were also found in the cache of data. Conti, according to CISA, has infiltrated over 1,000 businesses around the world, with TrickBot malware and Cobalt Strike beacons being the most common attack vectors. 

The agency has published a list of 98 domain names that have "registration and naming characteristics identical" to those used in Conti ransomware attacks. While some of the domains were used in malicious operations, the agency warns that others of them may be abandoned or may share similar features coincidentally. The list of domains linked to Conti ransomware assaults does not appear to be the same as the hundreds of domains released from BazarBackdoor infections by the Ukrainian researcher. 

Conti did not halt its activities despite the negative attention it earned recently as a result of the exposure of its internal discussions and tools. Conti has listed more than two dozen victims on its website since the beginning of March in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia, and Saudi Arabia.
Read more »
Security Risk
Cyber Security Mid-market Organizations Ransomware Threat Security Risk

One in Three Mid-Market UK Organizations Suffered from Attacker Outages in 2021

 

A third of mid-market UK organizations hit by cyberattacks in 2021 suffered breakdowns that knocked them offline for more than a day, a new research from cybersecurity firm Censornet revealed.

The survey discloses that more than one in five (21%) were forced to pay attackers to put an end to the attack, with the average pay-out amounting to £144,000 and 7% handing over more than £500,000. As a result, the primary demand for cybersecurity in 2022 was to see security vendors open up traditionally closed point products to enable an automated response to cyberattacks.

The report, which surveyed 200 IT decision-makers across the UK, covering ten different industries, found that ransomware was particularly problematic, as more workers work from home.

“For the UK mid-market, the cybersecurity situation is serious. The financial and reputational cost of cybercrime is rising, putting more pressure on overwhelmed professionals, who are tackling hundreds of alerts a day from siloed point products,” said Ed Macnair, CEO at Censornet. Organizations must work smarter, not harder. Only when security systems work seamlessly together, faster than humanly possible, will we see the needle begin to move in the right direction.”

Nearly half of mid-market organizations participating in the survey said they hadn’t purchased cybersecurity products specifically manufactured to guard against threats for hybrid and remote workers. As a result, 76% of organizations said they plan to invest in a cloud-based security platform that allows their security products to autonomously share security event data to better protect their organization. 

In response to the challenges that organizations are facing, respondents indicated a clear need for fundamental change in the way cybersecurity is designed and run over the next year. 46% want security vendors to open up traditionally closed point products to enable an automated response to cyber threats.

Last week, Slovak cybersecurity firm ESET published a separate report revealing that London has the highest cybercrime rate in the UK, with 5,258 reports in total followed by the West Midlands at 1,242. Cumbria was the area with the lowest cybercrime, with only 174 reports, followed by Cleveland 194 and Dyfed-Powys 213. 

In its report, ESET researchers discovered an overall decline of 2.97% in cybercrime in 2021. The most common form of cybercrime for 2021 was social media and email hacking, which accounted for 53.1% of reports. This was followed by computer viruses, which accounted for 28% of reports.
Read more »
TrickBot
Banking Trojan Botnets Conti Emotet Trojan IP Address malware Qakbot RSA TrickBot

The Emotet Malware is Alive and Using TrickBot to Rebuild its Botnet

 

The malicious Emotet botnet, which made a comeback in November 2021 after a 10-month break, is showing indications of steady expansion once again, collecting a colony of over 100,000 infected hosts to carry out its destructive actions. 

In a new round of attacks, Emotet, a Banking Trojan which has evolved into a formidable modular threat, has reappeared with improved features. It has infected devices to carry out additional spam campaigns and install various payloads like the QakBot (Qbot) and Trickbot malware. These payloads would subsequently be utilized to give threat actors, such as Ryuk, Conti, ProLock, Egregor, and others, early access to deploy ransomware. 

"While Emotet has not yet reached the same magnitude as before, the botnet is displaying a strong resurrection with a total of around 130,000 unique bots scattered over 179 countries since November 2021," Lumen's Black Lotus Labs researchers wrote in a report. On April 25th, 2021, German law enforcement used the network to send an Emotet module that removed the malware from afflicted devices. 

The TrickBot malware has begun to dump an Emotet loader on affected devices, according to Emotet research group Cryptolaemus, GData, and Advanced Intel. While Emotet used to deploy TrickBot, the threat actors now use a mechanism called "Operation Reacharound" by the Cryptolaemus group, which rebuilds the botnet utilizing TrickBot's current infrastructure. 

Apart from command-and-control (C2) lists and RSA keys, which change from version to version, Emotet's main payload hasn't changed much, but the list of phrases used to establish a process name for its bot has been renewed. Along with new binaries, words like engine, finish, magnify, resapi, query, skip, and many more are utilized and modified. Researchers may be able to construct signatures to detect Emotet infections on machines once these lists have been secured, but signature-based detection is more challenging if the list changes. 

Abuse.ch has published a list of the new Emotet botnet's command and control servers and strongly advises network administrators to ban the linked IP addresses. Another new feature is the ability to collect extra system information from compromised workstations in addition to a list of running processes. The number of bots and associated dispersion are crucial indicators of Emotet's success in reconstructing its once-vast infrastructure.
Read more »
Ukraine-Russia War
Cyber Security security threat U.S. Firms Ukraine-Russia War

New Bipartisan Bill Would Require Firms to Report Cyber Incidents Within 72 hours

 

Financial institutions critical to U.S. national interests will now have to report substantial cyber assaults and ransom payments to the federal government, an Associated Press report said, under a bill passed by Congress and expected to be signed by President Joe Biden.

The move comes amid the escalating war in Ukraine and concerns of possible Russian cyber threats to the U.S. firms. Last year, multiple private and government organizations were jolted by a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will provide federal government much greater visibility into hacking efforts that target private firms, which often have skipped going to the FBI or other agencies for assistance. 

The reporting requirement was approved by the House and Senate on Thursday. It is expected to be signed into law by President Biden soon. “It’s clear we must take bold action to improve our online defenses,” stated Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee.

AP wrote that the new rules require any entity considered part of America’s critical infrastructure, including finance, transportation, and energy, to report any “substantial cyber incident” within 72 hours, and any ransomware payment they make within 24 hours, to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. 

According to Heather Hogsett, a senior leader of the Bank Policy Institute’s technology policy division, the 36-hour notices of service disruption “allow bank regulators to keep a pulse on what is happening in the country’s financial services industry” while the 72- and 24-hour notices to CISA will allow the agency to “produce reports about threat actors and provide early warning of potential attack vectors.”

In recent years ransomware attacks have flourished beyond expectation and have targeted multiple high-profile organizations. Last year, the ransomware operators targeted the biggest U.S. fuel pipeline and the world’s biggest meat packing company. 

The state hackers based in Russia and China have had success in spying on and hacking U.S. targets, including those that are deemed critical infrastructure, Reuters reported.

Security experts and government officials are concerned that Russia's war in Ukraine has increased the threat of cyberattacks against U.S. entities, by either state or proxy actors. Many ransomware operators live and work in Russia. 

“As our nation rightly supports Ukraine during Russia’s illegal unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable," said Sen. Rob Portman, a Republican from Ohio.
Read more »
VPNS
Anonymous Email Russia Telegram Ukraine Ukraine Websites VPNS

Anonymous Rises Again Amid Russia Ukraine War

 

Anonymous, the international hacktivists collective has surfaced again, this time, the group claims to have hacked RoskoAmnadzor (known as Federal Service for Supervision of Communications, Information Technology and Mass Media), a federal Russian agency. Anonymous has also claimed that it stole more than 360,000 files. You have mostly read about Russian banning VPNs, Telegram, or email services, however, there's a particular agency that bans these services. 

It's called Roskomnadzor, a major federal executive agency that is responsible for handling, managing, and censoring Russian media. "Anonymous also targeted and hacked misconfigured/exposed Cloud databases of Russian organizations. Tho shocking aspect of the attack was the fact that Anonymous and its affiliate hackers hacked 90% of Russian Cloud databases and left anti-war and pro Ukrainian messages," Hackread reports. 

Details about the attack 

The size of the leaked data is 820 GB, most of these database files in the database related to Roskomnadzor's data are linked to the Republic of Bashkortostan, Russia's largest provinces. The full dataset is now available on the official website of Distributed Denial of Secrets (aka DDoSecrets), a non for profit whistleblower organization. However, it should be noted that initially started as an Anonymous affiliate shared Roskomnadzor's data with DDoSecrets and the agency itself is not responsible for the attack. Besides this, the first announcement of the data leak came from a journalist and co-founder of DDoSecrets Emma Best in March 2022. 

YourAnonNews, a famous representative of the Anonymous collective also tweeted about the attack. Anonymous has openly sided with Ukraine over the ongoing war with Russia, the Russian government has restricted all important sources of information, especially news and media outlets, and Roskomnadzor was told to block Facebook, Twitter, and other online platforms. 

Hackread reports, "While Twitter launched its Tor onion service, authorities in Russia have also amended the Criminal Code to arrest anyone who posts information that contradicts the government’s stance. Nevertheless, since Roskomnadzor is a major government agency responsible for implementing government orders Anonymous believes the Russian public must have access to information about what is going on within Roskomnadzor."
Read more »
War
Data Hacking Data Stealer Hackers IT Data malware Russia Ukraine War

Ukraine’s “IT Army” Struck with Info-stealing Malware

 

Pro-Ukrainian actors should be cautious of downloading DDoS tools to attack Russia, according to security experts, because they could be booby-trapped with data-stealing malware. 

Mykhailo Fedorov, Ukraine's vice prime minister, called for a volunteer "IT army" of hackers to DDoS Russian targets in late February. Cisco Talos, on the other hand, claims that opportunistic cyber-criminals are attempting to take advantage of the subsequent outpouring of support for the Eastern European country. It specifically detected Telegram posts offering DDoS tools that were actually malware-loaded. An organisation calling itself "disBalancer" offers one such tool, named "Liberator,". Although authentic, has been spoofed by others, according to Cisco. 

It explained, “The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users. The malware, in this case, dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).” 

Since none of the malicious spoofs is digitally signed, there is no way to distinguish them apart from the real DDoS tool, according to the vendor. Because the perpetrators of this harmful behaviour have been disseminating infostealers since November, Cisco concluded that it is not the work of fresh people, but rather those aiming to profit from the Ukraine conflict. 

However, Cisco warned that if Russia is subjected to a continuous DDoS attack, such techniques could proliferate. 

It concluded, “In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.” 

The discovery comes as the Russian government revealed this week that hackers targeted an externally loaded widget used to collect visitor statistics and caused temporary disruptions on numerous agency websites. 

Pro-Ukrainian hacktivists have also been seen searching for and deleting Russian cloud databases, according to security researchers.
Read more »
Windows
Antivirus Industrial control system LockBit malware Multi-factor authentication PowerShell Ransomware Threat Windows

Bridgestone USA Alleges to be Infiltrated by a LockBit Ransomware Cell

 

The LockBit ransomware gang claims to have infiltrated Bridgestone Americas' network and stolen data. It is an American subsidiary of Bridgestone Corporation, a Japanese tire, and automobile components manufacturer. It is a conglomerate of companies with more than 50 manufacturing locations and 55,000 people spread across America. If the corporation does not pay the ransom, Lock bit operators aim to reveal the private documents by March 15, 2022, 23:59. 

Bridgestone began an investigation into "a potential information security incident" on February 27, which was discovered in the morning hours of the same day. The incident remained unknown until recently when the LockBit ransomware gang claimed responsibility for the attack by adding Bridgestone Americas to its list of victims.

LockBit is one of the most active ransomware groups today, demanding significant sums of money in exchange for stolen data. According to a Kaspersky investigation, the ransomware gang utilizes LockBit, a self-spreading malware that uses tools like Windows Powershell and Server Message Block to proliferate throughout an enterprise. 

As per Dragos' study, the transportation and food and beverage industries were the second and third most targeted industries, respectively. LockBit is currently threatening Bridgestone with the release of their data.

The examination by the tire company indicated the attacker followed a "pattern of behavior" which is usual in ransomware assaults. Bridgestone went on to say the attacker had taken information from a small number of its systems and had threatened to make the stolen data public.

In a statement, the company said they are "committed to conducting a rapid and definitive inquiry to identify as swiftly as possible what precise data was obtained" from their environment. "The security of our teammates, customers, and partners' information is extremely important to Bridgestone."

Despite the fact that the LockBit ransomware gang has primarily targeted the industrial and manufacturing sectors, ransomware like the one utilized by the gang can still infect your PC.

To prevent ransomware criminals from getting into users' accounts, Kaspersky recommends using strong passwords and enabling multi-factor authentication. The antivirus firm also advised having system-wide backups in case data was lost due to malware infection. Additionally, keeping your system configurations up to date and following all security measures will help you avoid being a ransomware victim, saving you a lot of time and aggravation.
Read more »
Subscribe to: Comments (Atom)