Friday, January 17, 2025

Critical zero-day bug, first since Heartbleed, identified in OpenSSL


OpenSSL has a new “critical” bug. But it’s a secret—until next month.

Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a “critical” vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and ease with which it can be exploited will determine the speed with which organizations will need to address the issue.

Potentially Huge Implications

Major operating system vendors, software publishers, email providers, and technology companies that have integrated OpenSSL into their products and services will likely have updated versions of their technologies timed for release with the OpenSSL Project’s disclosure of the flaw next Tuesday. But that will still leave potentially millions of others — including federal agencies, private companies, service providers, network device manufacturers, and countless website operators — with a looming deadline to find and fix the vulnerability before threat actors begin to exploit it.

If the new vulnerability turns out to be another Heartbleed bug — the last critical vulnerability to impact OpenSSL — organizations and indeed the entire industry are going to be under the gun to address the issue as quickly as possible.

The Heartbleed vulnerability (CVE-2014-0160), disclosed in 2014, basically gave attackers a way to eavesdrop on Internet communications, steal data from services and users, to impersonate services, and do all this with little trace of their ever having done any of it. The bug existed in OpenSSL versions from March 2012 onward and affected a dizzying range of technologies, including widely used Web servers such as Nginx, Apache, and IIS; organizations such as Google, Akamai, CloudFlare, and Facebook; email and chat servers; network appliances from companies such as Cisco; and VPNs.

The disclosure of the bug triggered a frenzy of remedial activity across the industry and sparked concerns of major compromises. As Synopsys’ Heartbleed.com site noted, Apache and Nginx alone accounted for a market share of over 66% of active sites on the Internet at the time Heartbleed was disclosed.

There’s no telling, until Tuesday at least, if the new flaw will be anything like Heartbleed. But given the almost critical-infrastructure-like use of OpenSSL for encryption across the Internet, organizations would do well not to underestimate the threat, security experts said this week.

Security Orgs Should Brace for Impact

“It is a bit difficult to speculate about the impact, but past experience has shown that OpenSSL doesn’t use the label ‘critical’ lightly,” says Johannes Ullrich, dean of research at the SANS Institute.

OpenSSL itself defines a critical flaw as one that enables significant disclosure of the contents of server memory (and potentially of user details), or that can be exploited easily and remotely to compromise server private keys.

Version 3.0, the current release of OpenSSL, is used in many current operating systems, such as Ubuntu 22.04 LTS and MacOS Mavericks and Ventura, Ullrich notes. Organizations can expect to receive Linux patches quickly and likely at the same time as the OpenSSL bulletin on Tuesday. But organizations should get ready now, finding out which systems use OpenSSL 3.0, Ullrich says. “After Heartbleed, OpenSSL introduced these preannouncements of security patches,” he says. “They are supposed to help organizations prepare. So, use this time to find out what will need patching.”

Brian Fox, co-founder and CTO at Sonatype, says that by the time the OpenSSL Project discloses the bug Tuesday, organizations need to identify if they are using a vulnerable version anywhere in their technology portfolio, which applications are using it, and how long it would take for them to remediate the issue. 

“Potential reach is always the most consequential piece of any major flaw,” Fox notes. “In this instance, the largest challenge with updating OpenSSL is that often this usage is embedded inside of other devices.” In these instances, it can be hard to assess exposure without asking the upstream provider of the technology, he adds.

Anything that communicates securely with the Internet could potentially have OpenSSL built into it. And it’s not just software that can be affected but hardware as well. The advance notice that the OpenSSL Project provided should give organizations time to prepare. “Finding what pieces of software or devices is the first step. Organizations should do that now, and then patching or sourcing updates from the upstream vendors will follow,” Fox says. “All you can do at the moment is inventory.”
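The advice from Ullrich and Fox above amounts to an inventory pass before Tuesday. The Python below is an added example, not code from the article or the OpenSSL Project: it triages constructed `openssl version` output per host into patch-required, patched, or not affected, using the 3.0.7 fix version the article names. Hostnames and version strings are made up.

```python
import re

# Constructed sample inventory (host -> what `openssl version` printed, or the
# libssl file name found on disk). These hosts and strings are made up.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "lb-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "legacy-db": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "appliance-fw": "libssl.so.3",
    "unknown-box": "sh: openssl: command not found",
}

# The fix lands in 3.0.7; every 3.0.x before it is in scope of the advisory.
AFFECTED_MIN = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)

# 3.x uses plain semver; 1.x uses a letter patch suffix (1.1.1q), which the
# regex captures separately so that 1.1.1s and 1.1.1q both parse.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
SONAME_RE = re.compile(r"libssl\.so\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch, letter) or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def classify(text):
    """Map one inventory line to an action for the Nov. 1 patch window."""
    v = parse_version(text)
    if v is None:
        m = SONAME_RE.search(text)
        if m and int(m.group(1)) >= 3:
            # A libssl.so.3 proves a 3.x build is present but not which 3.0.x;
            # the exact version must be confirmed, e.g. with the upstream vendor.
            return "verify-exact-version"
        return "needs-inventory"
    numeric = v[:3]
    if numeric < AFFECTED_MIN:
        # 1.1.1 is not susceptible per the project; anything older (1.0.2 and
        # below) is out of upstream support entirely and needs its own tracking.
        if numeric >= (1, 1, 1):
            return "not-affected-by-this-cve"
        return "out-of-support-not-affected-by-this-cve"
    if numeric < FIXED_VERSION:
        return "patch-required"
    return "patched"


def triage(inventory):
    """Classify every host and return {status: [hosts]} as a work queue."""
    result = {}
    for host, line in inventory.items():
        result.setdefault(classify(line), []).append(host)
    return result


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:42s} {', '.join(hosts)}")
```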

An Entire Ecosystem Might Need to Update

A lot will also depend on how vendors of products with vulnerable versions of OpenSSL embedded in them respond to the disclosure. The OpenSSL Project’s release of the new version on Tuesday is only the first step. “An entire ecosystem of applications built with OpenSSL will also have to update their code, release their own updates, and organizations will need to apply them,” says John Bambenek, principal threat hunter at Netenrich.

Ideally, organizations that have dealt with Heartbleed will have an idea of where their OpenSSL installs are and which of their vendor products will require an update as well. “This is why software bills of materials can be important,” Bambenek says. “They can take this time to reach out and understand their suppliers’ and vendors’ plans for updates to make sure those updates are applied as well.” One likely issue that organizations need to be prepared for is how to deal with end-of-life products for which updates are not available, he adds.

Mike Parkin, senior technical engineer at Vulcan Cyber, says that without evidence of exploit activity and associated indicators of compromise, it is best that organizations follow their normal change management process for when a known update is on the way. “On the security side, it’s worth putting some additional focus on systems that might be affected if an exploit emerges before the new release drops,” he advises.

There’s not enough information in OpenSSL Project’s announcement to say how much work will be involved in the upgrade, “but unless it requires updating certificates, the upgrade will probably be straightforward,” Parkin predicts.

Also on Nov. 1, the OpenSSL project will release OpenSSL version 1.1.1s, which it described as a “bug-fix release.” Version 1.1.1, which it replaces, is not susceptible to the CVE that is being fixed in 3.0, the project noted.


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Meet the Windows Servers that have been Fueling Massive DDoS Attacks for Months


Misconfigured CLDAP services on MS domain controllers are amplifying data floods.

A small retail business in North Africa, a North American telecommunications provider, and two separate religious organizations: What do they have in common? They’re all running poorly configured Microsoft servers that for months or years have been spraying the Internet with gigabytes-per-second of junk data in distributed-denial-of-service attacks designed to disrupt or completely take down websites and services.

In all, recently published research from Black Lotus Labs, the research arm of networking and application technology company Lumen, identified more than 12,000 servers—all running Microsoft domain controllers hosting the company’s Active Directory services—that were regularly used to magnify the size of distributed-denial-of-service attacks, or DDoSes.

A never-ending arms race

For decades, DDoSers have battled with defenders in a never-ending arms race. Early on, DDoSers simply corralled ever-larger numbers of Internet-connected devices into botnets and then used them to simultaneously send a target more data than it could handle. Targets—be they games, news sites, or even crucial pillars of Internet infrastructure—often buckled at the strain and either completely fell over or slowed to a trickle.

Companies like Lumen, Netscout, Cloudflare, and Akamai then countered with defenses that filtered out the junk traffic, allowing their customers to withstand the torrents. DDoSers responded by rolling out new types of attacks that temporarily stymied those defenses. The race continues to play out.

One of the chief methods DDoSers use to gain the upper hand is known as reflection. Rather than sending the torrent of junk traffic to the target directly, DDoSers send network requests to one or more third parties. By choosing third parties with known misconfigurations in their networks and spoofing the requests to give the appearance that they were sent by the target, the third parties end up reflecting the data at the target, often in sizes that are tens, hundreds, or even thousands of times bigger than the original payload.

Some of the better-known reflectors are misconfigured servers running services such as open DNS resolvers, the network time protocol, memcached for database caching, and the WS-Discovery protocol found in Internet-of-Things devices. Also known as amplification attacks, these reflection techniques allow record-breaking DDoSes to be delivered by the tiniest of botnets.

When domain controllers attack

Over the past year, a growing source of reflection attacks has been the Connectionless Lightweight Directory Access Protocol. A Microsoft derivation of the industry-standard Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packets so Windows clients can discover services for authenticating users.

“Many versions of MS Server still in operation have a CLDAP service on by default,” Chad Davis, a researcher at Black Lotus Labs, wrote in an email. “When these domain controllers are not exposed to the open Internet (which is true for the vast majority of the deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”

DDoSers have been using the protocol since at least 2017 to magnify data torrents by a factor of 56 to 70, making it among the more powerful reflectors available. When CLDAP reflection was first discovered, the number of servers exposing the service to the Internet was in the tens of thousands. After coming to public attention, the number dropped. Since 2020, however, the number has once again climbed, with a 60-percent spike in the past 12 months alone, according to Black Lotus Labs.

The researchers went on to profile four of those servers. The most destructive one is affiliated with an unidentified religious organization and routinely generates reflected DDoS traffic of unthinkable sizes. As the following figure shows, this source was responsible for numerous bursts from July through September, four of them exceeding 10Gbps and one approaching 17Gbps.

[Figure: bursts of reflected DDoS traffic from the profiled server, July through September. Source: Black Lotus Labs]

“This traffic is perhaps strong enough to DoS some less well provisioned servers all by itself,” Davis wrote in his report. “In theory, a hundred of these, working in unison, could generate a Terabit per second of attack traffic.”

Besides exposing CLDAP to the Internet at large, Davis said, the server also has an open DNS resolver that can be abused for reflection, and it has an exposed vulnerable SMB service. It also sends bi-directional communications with confirmed control servers for multiple malware families.

A second profiled Microsoft server was also affiliated with a religious organization, this one in North America. Over an 18-month period, it has delivered peak bit rates of more than 2Gbps. Like the other religious organization’s server, it also had an open DNS resolver and served as a bot for multiple malware families.

Davis went on to discuss a CLDAP service hosted on an IP address associated with a telecommunications provider in North America that has been delivering potent DDoSes for more than a year. Some of the regularly changing targets are hosted on a single IP range. In other cases, the target is an entire network prefix.

Last was a server associated with a regional retail business in North Africa. For more than nine months, Black Lotus Labs has observed it repeatedly DDoSing an array of targets, with peaks of 7.8Gbps. Like the two religious organizations’ servers, it exhibits signs of being exploited by malware. It’s also exposing vulnerable remote desktop and SMB services to the Internet.

“Trying to build a story out of these facts leads us to see this system as the MS Domain Controller in a small organization,” Davis wrote. “Small sites might only have a single data center, and they would also likely host SMB, DNS, and RDP. Additionally, it’s inherent that smaller organizations, on the whole, will have less sophisticated security practices, thus suggesting more likelihood of being infected with bot malware.”


Davis said that Black Lotus was able to further confirm all four servers were engaged in actual DDoS attacks by analyzing the targets on the receiving end of the data torrents. In an email, Black Lotus Labs said it was able to confirm all 12,142 servers identified as CLDAP reflectors as Microsoft domain controllers by analyzing their response to LDAP pings, which included communications through the expected port (389/UDP) and the expected number of bytes.
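The confirmation method in the previous paragraph (LDAP ping traffic on 389/UDP with a known size) and the 56-to-70x amplification factor quoted earlier translate directly into a detection check for a domain controller you operate. The following Python is an added example, not Black Lotus Labs’ code: it aggregates constructed flow records around an assumed domain controller address and flags external peers that the DC is answering on 389/UDP with reply-to-request byte ratios in the range the article reports. The DC address, the internal network list and the flow lines are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (made up for this example), one per line:
#   <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes> <packets>
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_FLOWS = """\
10:00:01 udp 10.0.0.5:55012 -> 10.0.0.10:389 52 1
10:00:01 udp 10.0.0.10:389 -> 10.0.0.5:55012 180 1
10:00:02 udp 203.0.113.7:80 -> 10.0.0.10:389 20800 400
10:00:02 udp 10.0.0.10:389 -> 203.0.113.7:80 1300000 400
10:00:03 udp 198.51.100.9:53 -> 10.0.0.10:389 104 2
10:00:03 udp 10.0.0.10:389 -> 198.51.100.9:53 6500 2
10:00:04 tcp 10.0.0.6:40100 -> 10.0.0.10:389 900 10
"""

DC_ADDRESS = "10.0.0.10"  # assumed: the domain controller being monitored
CLDAP_PORT = 389
# Assumed: the address space from which clients may legitimately send LDAP pings.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# The article reports CLDAP replies 56-70x larger than the request; any
# external peer receiving replies above this ratio is reported as a finding.
AMPLIFICATION_ALERT = 10.0


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    time, proto, src, _arrow, dst, nbytes, npkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "time": time, "proto": proto,
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
        "bytes": int(nbytes), "pkts": int(npkts),
    }


def is_internal(ip):
    """True when the address belongs to the assumed legitimate client space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_reflection(flow_text, dc=DC_ADDRESS):
    """Aggregate CLDAP traffic per peer and report peers the DC is reflecting to.

    Returns findings sorted by bytes sent, each with the peer, the reply packet
    count, the bytes sent and the reply-to-request amplification ratio.
    """
    per_peer = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "out_pkts": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue  # the reflection vector is the UDP service only
        if f["dst"] == dc and f["dport"] == CLDAP_PORT:
            per_peer[f["src"]]["in_bytes"] += f["bytes"]   # LDAP ping requests
        elif f["src"] == dc and f["sport"] == CLDAP_PORT:
            per_peer[f["dst"]]["out_bytes"] += f["bytes"]  # DC replies
            per_peer[f["dst"]]["out_pkts"] += f["pkts"]

    findings = []
    for peer, c in per_peer.items():
        if c["out_bytes"] == 0 or is_internal(peer):
            continue
        # A reply reaching an external peer shows the service is reachable from
        # the open Internet; the ratio shows how much each request is amplified.
        # With spoofed requests the "peer" is the victim, not the sender.
        ratio = c["out_bytes"] / c["in_bytes"] if c["in_bytes"] else float("inf")
        if ratio >= AMPLIFICATION_ALERT:
            findings.append({
                "peer": peer, "out_pkts": c["out_pkts"],
                "out_bytes": c["out_bytes"], "amplification": round(ratio, 1),
            })
    return sorted(findings, key=lambda x: x["out_bytes"], reverse=True)


if __name__ == "__main__":
    for f in find_reflection(SAMPLE_FLOWS):
        print(f"{f['peer']:16s} replies={f['out_pkts']:5d} "
              f"bytes={f['out_bytes']:9d} x{f['amplification']}")
```

A DC that produces no findings with real flow data in place of the sample is either not reachable on 389/UDP from outside or only answering the internal ranges listed, which is the state the mitigation list below aims for.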

Reining in CLDAP

Active Directory is among the only Microsoft products to include CLDAP. Even then, the implementation is limited to a single command—the LDAP ping. Davis wrote:

This command is not a directory-related command; it’s used by Windows clients attempting to discover a service via which they may authenticate users. While it’s hard to imagine why someone would design their network topology such that a client would need to discover a local authentication service over the open Internet, it happens. The motivations of the deployment are less salient than the simple fact that, when exposed to the public Internet, the service is open to reflection.

One interesting observation is that anomalous spikes increased in frequency the longer a CLDAP reflector remained open. “This makes sense as we would expect that attackers would need some time to locate new reflectors and update their arsenal,” Davis wrote.


Black Lotus Labs provided the following advice for locking down servers running Active Directory:

  • Network administrators: Consider not exposing CLDAP service (389/UDP) to the open Internet.
    • If exposure of the CLDAP service to the open Internet is absolutely necessary, take pains to secure and defend the system:
      • On versions of MS Server supporting LDAP ping on the TCP LDAP service, turn off the UDP service and access LDAP ping via TCP.
      • If MS Server version doesn’t support LDAP ping on TCP, rate limit the traffic generated by the 389/UDP service to prevent use in DDoS.
      • If MS Server version doesn’t support LDAP ping on TCP, firewall access to the port so that only your legitimate clients can reach the service.
  • Network defenders: Implement some measures to prevent spoofed IP traffic, such as Reverse Path Forwarding (RPF), either loose or, if feasible, strict. For more guidance, the MANRS initiative offers in-depth discussion of anti-spoofing guidelines and real-world applications.

The post said Black Lotus Labs has notified operators of the misconfigured CLDAP services in the IP space provided by Lumen. The company is working to notify other operators and possibly begin blocking long-lived CLDAP reflectors on the Lumen backbone. Microsoft had no immediate comment for this post.


High-severity vulnerability in GitHub was susceptible to Repo Jacking


Researchers on Wednesday reported they found a “high-severity” vulnerability in GitHub that could have let an attacker take control over a GitHub repository and potentially infect all applications and other code relying on it with malicious code.

In a blog post, researchers from the Checkmarx Supply Chain Security team said using a technique known as Repo Jacking, an attacker can take control of a GitHub repository by exploiting a logical “hidden” flaw in the architecture that makes renamed users susceptible to such an attack.

The researchers said all renamed usernames on GitHub were vulnerable to this flaw, including more than 10,000 packages on the Go, Swift, and Packagist package managers.

“The practical meaning of this is that thousands of packages can immediately be hijacked and start serving malicious code to millions of users and many applications,” wrote the researchers.

This vulnerability was fixed by GitHub following Checkmarx’s report and it’s no longer exploitable, say the researchers.

Constantly evolving cyberattack methodologies

Aviad Gershon, security researcher and team leader at Checkmarx, explained that earlier this year his team witnessed attackers using the Repo Jacking technique, which demonstrates how malicious actors will continually evolve their methodologies to find the simplest ways to leverage trusted open-source packages for maximum impact.

“The security community needs to be proactively working together to find and close these gaps before the attackers do,” said Gershon. “As time-to-delivery requirements relentlessly pressure AppSec and development teams, and as low-code development becomes more common, the potential attack surface for hidden malicious code like this will grow exponentially.”

Thousands of projects with millions of end users rely on open-source libraries and code repositories, which makes the repositories a very attractive target for threat actors, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said if they can take control of a GitHub repository and insert malicious code into a trusted and widely used project, they can potentially infect tens of thousands to potentially millions of hosts with little additional effort. 

“This is especially true for older projects that may still be widely used, but are not as actively maintained, as there are fewer eyes on the code so a malicious insertion could go unnoticed,” Parkin said. “The issue reported here [involving GitHub] is potentially severe, and there have been previous examples of repositories being hijacked to spread malicious code.”

Corrupting the open-source model attractive to bad actors

In research from Blackberry also released Wednesday, more than 80% of U.S. and North American organizations reported being notified of a vulnerability or attack affecting their software supply chain in the past year, though just 10% cited open source as the biggest impact on the security of their code.

As SC Media has reported, part of the issue is the sheer volume of open-source code powering the modern internet, with 98% of applications using them, according to a report from Synopsys. Dan Lorenc, CEO and co-founder of Chainguard, likened it to an iceberg, where a little bit of the internet is floating above the water, while the rest “is the massive amount of open source beneath.” 

But further enticing cybercriminals is the open-source development model itself: the collaborative approach, defined by sharing and reuse of code. Sonatype found an average 700% jump in attacks against open source projects over the last three years, while the cybersecurity community learned firsthand about the implications of open-source vulnerabilities when a flaw in Log4j, the popular Java logging package distributed under the Apache software license, was exploited.

Checkmarx’s Gershon said that before the GitHub vulnerability was fixed: “The ramifications regarding some package managers … eventually could have ended up with millions of infected end-users poisoned with whichever malicious code the attackers could think of. Specifically for GitHub, this means that any vulnerable GitHub action could have also been poisoned by exploiting this vulnerability and infecting CI/CD pipelines running them.”

Melissa Bischoping, director of endpoint security research at Tanium, added that the prevalence of open-source software as shared libraries, dependencies and integrations across enterprise tooling and custom-built projects can lead to Repo Jacking attacks such as these, which could scale rapidly if successful.

Bischoping said when developing software, it’s essential for dev teams to audit the code in those repositories, as well as create their own private fork to work from, as opposed to pulling from the current public repository. Bischoping advised security teams to avoid pulling code “live” from sources such as GitHub repos that they don’t control and audit.

“Otherwise, it’s impossible to conduct proper security reviews on every single change,” Bischoping said. “If you’re a consumer of a third-party product, keep an accurate inventory via software bill of materials (SBOM) solutions to have insight into dependencies and risks. While we hope to see more software providers offer clear and transparent documentation of their dependencies and libraries, SBOMs serve as an essential tool to empower security teams to understand if and when these vulnerabilities impact them.”
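Gershon’s point about GitHub Actions being poisoned through this flaw and Bischoping’s advice against pulling code “live” both come down to how a workflow references repositories under other owners: a tag or branch resolves to whatever code the owner name currently serves, while a full commit SHA cannot be swapped for different content. The Python below is an added example, not Checkmarx’s or GitHub’s tooling: it audits a constructed workflow file and reports each `uses:` reference that points at a mutable ref under another owner. The action names are placeholders, and the line-based parse stands in for a YAML parser.

```python
import re

# Constructed workflow (made up for this example). The owner and action names
# are placeholders; only the reference formats matter.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v3
      - uses: example-org/setup-go@2f4c8d5b6a7e9f0c1d2e3f4a5b6c7d8e9f0a1b2c # v4.0.1
      - uses: old-maintainer/lint-action@main
      - uses: ./.github/actions/local-build
      - uses: docker://ghcr.io/example/image:1.2
      - name: Test
        run: go test ./...
"""

# A `uses:` line, with or without the list dash; the reference is the first
# whitespace-free token after the colon (a trailing "# v4.0.1" comment is ignored).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

MUTABLE = {"mutable-ref", "unpinned"}


def classify_ref(ref):
    """Return (owner, status) for one `uses:` reference.

    Statuses: local (this repo), container (docker image, pinned by digest
    policy elsewhere), pinned-sha (immutable), mutable-ref (tag or branch under
    another owner), unpinned (no ref at all, i.e. default branch).
    """
    if ref.startswith("./"):
        return None, "local"
    if ref.startswith("docker://"):
        return None, "container"
    repo, _, version = ref.partition("@")
    owner = repo.split("/")[0]
    if not version:
        return owner, "unpinned"
    if FULL_SHA_RE.match(version):
        return owner, "pinned-sha"
    return owner, "mutable-ref"


def audit_uses(workflow_text):
    """List every `uses:` reference with its line number, owner and status."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        owner, status = classify_ref(ref)
        findings.append({"line": lineno, "ref": ref, "owner": owner, "status": status})
    return findings


def at_risk(findings):
    """Only the references that would follow whatever an owner name serves now.

    Whether a given owner has actually been renamed is not knowable offline;
    this audit identifies the references that would be exposed if it were.
    """
    return [f for f in findings if f["status"] in MUTABLE]


if __name__ == "__main__":
    for f in at_risk(audit_uses(SAMPLE_WORKFLOW)):
        print(f"line {f['line']}: {f['ref']} ({f['status']}, owner {f['owner']})")
```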

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said it’s important to understand that any GitHub attack first starts with compromising a GitHub account. Mackey said enabling two-factor authentication or the use of the GitHub Mobile registration are two important ways to reduce the potential for any GitHub account to be compromised. The next step, said Mackey, is for GitHub users to clearly define an end-of-life or transition plan for each repo that they are responsible for.

“This includes having trusted individuals as owners or group accounts and defining a GitHub successor, in addition to publishing explicit end-of-life or deprecation statements,” Mackey said. “Of course, responsibility for the overall lifecycle of any open-source project includes the consumers of that code, so anyone choosing any new project shouldn’t be looking at the historical popularity of the project, but instead should be looking for evidence that the project is actively maintained and is healthy.”


Ransomware Attack Announced by Australian Clinical Labs after Nine Months


Australian Clinical Labs (ACL) disclosed on October 27, 2022, a data breach in its Medlab Pathology division. The attack took place in February 2022 and resulted in the exposure of the personal data of 223,000 people.

The Australian healthcare company has 89 medical laboratories which do six million tests each year for 92 private and public hospitals in Australia.

Details about the Attack

According to the Australian Clinical Labs (ACL) statement, the leaked data includes:

  • 128,608 Medicare numbers and full names
  • 28,286 credit card numbers, 12% of which have a CVV code, and 55% are expired
  • 17,539 individual medical and health records associated with pathology tests

All impacted patients have been notified of the data breach and will be offered free credit monitoring and identity theft protection services, as well as ID document replacements if needed.

ACL notified Australian authorities: Australia’s Cyber Security Center (ACSC), and the Office of the Information Commissioner (OAIC). While ACSC was the one who alerted the Labs that stolen data is now on the dark web, the company says that for the moment there is no sign of malicious use of the information.

The Quantum ransomware gang took responsibility for the attack, posting all stolen files on its Tor site on June 14, 2022. The 86GB of leaked data contains patient and employee details, financial reports, invoices, contracts, forms, and subpoenas. The data leak page for Medlab on the Quantum ransomware website has been accessed 130,000 times.

A Nine Months Long Timeline

Nine months passed between the ransomware attack and yesterday’s notification, and Australian Clinical Labs (ACL) tries to justify the delay by explaining the timeline.

ACL first detected the incident in February 2022, but the forensics did not reveal anything wrong. In March 2022, ACSC contacted them after finding out about the attack, and only in June 2022 ACSC warned about the data leak. So, five months have passed from the day of the attack until the data exfiltration was discovered.

Another four months went by from June 2022 to October 2022 until Australian Clinical Labs publicly disclosed the breach, claiming that “the data set was too complicated to quickly determine what customers were affected”, according to BleepingComputer.

It was not the first attack on Australian businesses: over the last two months, cybercriminals have targeted Optus, Medibank, MyDeal, and Vinomofo. This prompted the Australian government to propose a new set of data protection laws, with more insight into cyberattacks and greater fines for companies that fail to protect their data.


PayPal ditches passwords, at least on Apple devices


No more reusing, recycling passwords! PayPal has added passkeys for passwordless login to accounts across Apple devices.

The PayPal passkey login option will initially be available to iPhones, iPads and Macs running iOS 16, iPadOS 16.1 or macOS Ventura. It will expand to additional platforms as other vendors add passkey support. Apple, Microsoft and Google have all pledged to implement the new passwordless authentication standards by early 2023.

Passkeys allow users to log in to accounts with cryptographic key pairs instead of passwords. In essence, the device, combined with the user’s biometric data, proves account ownership in place of a username and password.

The new login method, created by the FIDO Alliance and World Wide Web Consortium, aims to eliminate passwords altogether, replacing them with a more secure authentication method. PayPal is a founding member of the organization.

According to Microsoft, 579 attacks involving passwords occur every second, or about 18 billion a year. Many of them are successful, mainly because people have a tendency to pick poor passwords or reuse them across multiple accounts.

To drive this point home, consider 82 percent of security breaches last year were attributed to stolen credentials, phishing, and human error, according to Verizon’s most recent Data Breach Investigations Report. This, according to the report [PDF], illustrates the “importance of proper password protection” — or, perhaps, the need to eliminate passwords altogether.

PayPal SVP Doug Bland said the move “eliminates the risks of weak and reused credentials and removes the frustration of remembering a password.”

The passwordless future is one other retailers will be eyeing, if not working to implement swiftly, but it’s not about you or your online safety. According to a survey of 16,000 global consumers by biometric authentication firm iProov, 15 percent of global consumers abandon online purchases at least once a week because they forgot their password, and 32 percent ditch the shopping cart at least once a month for this same reason.

PayPal began rolling out passkeys to US customers this week, and will expand to other countries early next year. 

Existing customers can log in to PayPal on an Apple device using their existing credentials, and then select the option to “create a passkey.” They will then be prompted to authenticate with Apple Face ID or Touch ID, and the device automatically creates the passkey. Once created, passkeys are synced with iCloud Keychain.

Additionally, customers using devices that don’t support passkeys yet can still use an iPhone to log in with a PayPal passkey by scanning the QR code that appears after they enter their PayPal user ID. 


Researchers uncover cryptojacking campaign targeting Docker, Kubernetes cloud servers


Researchers at CrowdStrike have discovered a new hacking campaign that targets cloud infrastructure around the world in service of a cryptojacking scheme.

The campaign – dubbed “Kiss-A-Dog” – dates back to at least September, when a CrowdStrike honeypot first began picking up signs of attacks targeting vulnerable Docker and Kubernetes instances. The name given to the campaign derives from the domain name used by attackers to fetch the Python-coded malware payload: kiss[.]a-dog[.]top.

The campaign uses multiple command-and-control servers, escapes containerized environments to gain root privileges, and deploys kernel- and user-mode rootkits for obfuscation, backdooring, lateral movement and persistence. The attackers also demonstrated the ability to detect and uninstall third-party cloud monitoring services.

Once they gained a foothold within a compromised container, the threat actors sought to compile network scanning tools to look for additional cloud servers running Docker and Kubernetes.

And there are plenty to find. According to Shodan, there are more than 68,000 vulnerable Kubernetes instances (16,915 in the U.S.) and 13,000 Docker instances (2,320 in the U.S.) exposed to the internet globally.

Vulnerable Kubernetes instances exposed to the internet. (Source: Shodan and CrowdStrike)
Vulnerable Docker instances exposed to the internet. (Source: Shodan and CrowdStrike)
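The "vulnerable instances" Shodan counts are, for the most part, hosts whose Docker daemon listens on TCP without TLS client authentication or whose kubelet answers anonymous requests. The following added example (not CrowdStrike's code, nor from the original article) audits both settings offline from a daemon.json and a kubelet command line; the sample configurations are constructed, and the file paths in them are assumptions.

```python
import json
import shlex
from urllib.parse import urlparse


def audit_docker_daemon(daemon_json: str) -> list:
    """Findings for /etc/docker/daemon.json.  The Engine API has no authentication of
    its own: whoever reaches a plain tcp:// listener can start a container as root with
    the host filesystem mounted, which is all the foothold this campaign needs."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue                      # unix:// and fd:// are reachable only locally
        if not cfg.get("tlsverify"):
            findings.append(f"Docker API on {host} without tlsverify: unauthenticated remote root")
        elif url.hostname in (None, "0.0.0.0", "::"):
            findings.append(f"Docker API on {host} bound to every interface; firewall it to known clients")
    return findings


def audit_kubelet_cmdline(cmdline: str) -> list:
    """Findings for a kubelet command line as seen in `ps` or a systemd unit.  Anonymous
    auth plus AlwaysAllow exposes /run and /exec on 10250 to anyone; the read-only port
    10255 hands out pod specs (including env vars) with no authentication at all."""
    args = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            args[key] = val or "true"     # a bare boolean flag means true
    uses_config = "config" in args        # a KubeletConfiguration file replaces the flag defaults

    def effective(key, flag_default):
        # unspecified: the binary's flag default applies unless a config file may set it
        return args.get(key, None if uses_config else flag_default)

    findings = []
    if effective("anonymous-auth", "true") == "true":
        findings.append("kubelet accepts anonymous requests (--anonymous-auth=true, the flag default)")
    if effective("authorization-mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("kubelet --authorization-mode=AlwaysAllow; use Webhook so the API server decides")
    read_only = effective("read-only-port", "10255")
    if read_only not in (None, "0"):
        findings.append(f"kubelet read-only port {read_only} is open; set --read-only-port=0")
    return findings


# Constructed samples: the exposed shape Shodan finds, and a hardened counterpart (paths assumed)
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
                        '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
                        '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
EXPOSED_KUBELET = ("/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf "
                   "--anonymous-auth=true --authorization-mode=AlwaysAllow --read-only-port=10255")
HARDENED_KUBELET = ("/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml "
                    "--anonymous-auth=false --authorization-mode=Webhook --read-only-port=0")
```

A kubelet started with no flags at all is reported on all three counts, because the binary's own defaults are the insecure ones; when a `--config` file is in use the audit only reports values set explicitly on the command line, since the file (not examined here) may override the rest.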

According to researchers, the ultimate goal was to harness victims’ computing power to install XMRig and mine cryptocurrency. While these attacks had been happening for some time before CrowdStrike first observed them, the crash of the cryptocurrency market over the summer likely “muffled” their visibility and impact at first.

“The campaigns by cryptojacking groups last from days to months depending on the success rate,” wrote Manoj Ahuje, senior threat researcher for cloud security. “As cryptocurrency prices have dropped, these campaigns have been muffled in the past couple of months until multiple campaigns were launched in October to take advantage of a low competitive environment.”

CrowdStrike doesn’t make a firm attribution around the campaign, but does note that multiple attacks emanated from command and control servers that were previously used by TeamTNT, a hacking group known to target cloud and container environments.

Research from Trend Micro released Oct. 19 tracks a very similar-sounding cryptomining campaign from actors that also target cloud containers, use TeamTNT routines and install XMRig on victim servers. However, Trend Micro senior threat researcher Sunil Bharti wrote that “analysis of the attack patterns and other technical details of the code has also led us to believe that the routines are mimicking TeamTNT’s arsenal, but are likely deployed by another cryptocurrency mining group named WatchDog.”


DHL named most-spoofed brand in phishing


DHL is the most spoofed brand when it comes to phishing emails, according to Check Point, with Microsoft and LinkedIn close on the shipping giant’s heels.

Crooks most frequently used the brand name in their attempts to steal personal and payment information from marks between July and September 2022, with the shipping giant accounting for 22 percent of all worldwide phishing attempts intercepted by the cybersecurity outfit.

DHL warned customers that it was the target of a “major global scam and phishing attack” on June 28, and noted it was “working hard to block the fraudulent websites and emails.” 

Miscreants used a tried-and-true phony message in the phishing attempts, falsely alerting customers that their package couldn’t be delivered and requesting personal and payment info to proceed with the delivery. 

As we saw with the recent Oktapus cybercrime spree, these types of urgent requests — to change a password or, in this case, delivery or payment info — are especially effective at stealing credentials.

Don’t click this

One phishing email observed by Check Point attempting to impersonate DHL was sent from the address “info@lincssourcing[.]com.” Crooks doctored it to look like the sender was “DHL Express,” the security biz noted in the report. 

The email’s subject line, “Undelivered DHL(Parcel/Shipment)”, and message also tried to trick the victim into clicking on a malicious link, claiming that they needed to update their delivery address to receive the package. 

Of course, the URL doesn’t really direct a user to DHL’s website. Instead, it leads them to a fake, attacker-controlled website with a form asking the victim to enter their name and password, which are then harvested by the crooks.

These stolen credentials can then be used to nab other account info, such as payment details, or can simply be sold to other identity thieves in dark-web forums.

While DHL tops the list of lifted brands, Check Point says Microsoft is in second place for third-quarter phishing scams, totaling 16 percent of all campaigns cashing in on brand recognition. LinkedIn, which topped the list in both Q1 and Q2 of this year, dropped down to third place with 11 percent.

Victims are more likely to click on a malicious link that looks like it was sent from a trusted brand, which is what keeps the phishing pool stocked. It is an inexpensive crime with a high return on investment for crooks.

Phishing attacks were by far the most commonly reported cybercrimes last year, with 323,972 reported to the FBI and costing victims $44.2 million in losses [PDF].

In another brand-spoofing phish example, Check Point detailed how criminals used a fake OneDrive email to try to steal a user’s Microsoft account information. With this particular scam, the message was sent from “websent@jointak[.]com[.]hk,” used “OneDrive” as a phony sender name, and contained the subject: “A document titled ‘Proposal’ has been shared with you on Onedrive.” 

Similar to the DHL spoof, the Microsoft-brand phish attempts to lure the victim into clicking on a malicious link that leads to a spoofed Microsoft web app login page, where they are asked to enter their account password.
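Both messages share the same tells: a display name that claims a brand, a sender address in an unrelated domain, and a link that points somewhere the brand does not own. The following added example (not Check Point's code, nor from the original article) runs that triage over raw messages with the standard library. The sender names, addresses and subjects in the samples are the ones quoted above; the message bodies, link targets and the brand-to-domain allow-list are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> domains allowed to send as that brand.  Assumed allow-list; a real
# deployment would load this from the mail gateway's brand-protection data.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "onedrive": {"microsoft.com", "microsoftonline.com", "onedrive.com", "live.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "linkedin": {"linkedin.com"},
}
HREF_RE = re.compile(r'href=["\']?([^"\'\s>]+)', re.I)


def brand_claimed(*texts):
    """First brand keyword that appears in the display name or subject, if any."""
    blob = " ".join(texts).lower()
    for brand in BRAND_DOMAINS:
        if brand in blob:
            return brand
    return None


def domain_allowed(host: str, brand: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    brand = brand_claimed(display, subject)
    sender_domain = addr.rpartition("@")[2]
    findings = []
    if brand and not domain_allowed(sender_domain, brand):
        findings.append(f"claims {brand!r} in From/Subject but sender domain is {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname or ""
        if brand and not domain_allowed(host, brand):
            findings.append(f"link to {host} does not belong to {brand!r}")
    return {"brand": brand, "sender_domain": sender_domain, "findings": findings,
            "verdict": "phish" if findings else "clean"}


# Constructed samples.  Headers follow the report; bodies and link targets are invented.
DHL_PHISH = (b"From: DHL Express <info@lincssourcing.com>\r\n"
             b"To: victim@example.net\r\n"
             b"Subject: Undelivered DHL(Parcel/Shipment)\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b"<p>Your parcel could not be delivered.</p>"
             b'<a href="http://dhl-redelivery.example/update">Update your delivery address</a>\r\n')
ONEDRIVE_PHISH = (b"From: OneDrive <websent@jointak.com.hk>\r\n"
                  b"To: victim@example.net\r\n"
                  b"Subject: A document titled 'Proposal' has been shared with you on Onedrive\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b'<a href="https://login-microsoft.example/auth">Open document</a>\r\n')
DHL_LEGIT = (b"From: DHL Express <noreply@dhl.com>\r\n"
             b"To: customer@example.net\r\n"
             b"Subject: Your DHL shipment is on its way\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b'<a href="https://www.dhl.com/track">Track your shipment</a>\r\n')
```

The sender-domain check is deliberately a suffix match against an allow-list rather than a lookalike heuristic: a brand claim from any domain outside the list is enough to escalate, and it is cheap to run on every message before heavier analysis. Authentication results (SPF, DKIM, DMARC) would normally be consulted alongside it.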

Not that we need to tell you this, but as a general rule, don’t trust emails and especially not those that ask for personal information or credit card details, Check Point warned. Additionally, “think twice before opening email attachments or links, especially emails that claim to be from companies such as DHL, Microsoft or LinkedIn.” 


US charges Ukrainian national over alleged role in Raccoon Infostealer malware operation


U.S. officials have charged a Ukrainian national over his alleged role in the Raccoon Infostealer malware-as-a-service operation that infected millions of computers worldwide.

Mark Sokolovsky — also known online as “raccoonstealer,” according to an indictment unsealed on Tuesday — is currently being held in the Netherlands while waiting to be extradited to the United States.

The U.S. Department of Justice accused Sokolovsky of being one of the “key administrators” of the Raccoon Infostealer, a form of Windows malware that steals passwords, credit card numbers, saved username and password combinations, and granular location data.

An example of one of the phishing emails sent by the crime group. Image Credits: U.S. Justice Department.

According to U.S. officials, the malware stole more than 50 million unique credentials and forms of identification from victims around the world since February 2019. These victims include a financial technology company based in Texas and an individual who had access to U.S. Army information systems, according to the unsealed indictment. Cybersecurity firm Group-IB said the malware may have been used to steal employee credentials during the recent Uber breach.

But the DOJ said it “does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.”

The Justice Department said it worked with European law enforcement to dismantle the IT infrastructure powering Raccoon Infostealer in March 2022, when Dutch authorities arrested Sokolovsky. According to one report, the malware operation claimed it was suspending its operations after one of its lead developers was allegedly killed during Russia’s invasion of Ukraine. A new version of Raccoon Infostealer was reportedly launched in June this year.

The FBI also announced on Tuesday that it has created a website that allows anyone to check if their data is contained in the U.S. government’s archive of information stolen by Raccoon Infostealer.

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats,” said Deputy Attorney General Lisa O. Monaco. “As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with computer fraud, wire fraud, money laundering, and identity theft and faces up to 20 years in prison if found guilty. The DOJ said Sokolovsky is appealing a September 2022 decision by the Amsterdam District Court granting his extradition to the United States.


Emotet Botnet Drops Malware via Self-Unlocking Password-Protected RAR Files


A surge of malspam campaigns has recently been attributed to the Emotet botnet. Taking advantage of password-protected archive files, the notorious trojan drops CoinMiner and Quasar RAT on the systems it takes over.

In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, with the first archive having the purpose to launch the second.

Deeper Dive

Emotet is known to primarily spread through malspam and, while phishing attacks usually rely on persuasion techniques to trick victims into opening the attachment and typing a password, researchers say this campaign sidesteps that step: a batch file supplies the password automatically. The first archive is a RARsfx whose only job is to execute a second RARsfx contained within it. The second archive is password-protected, but no user input is necessary to extract and execute its contents.

The self-extracting archive has been around for a long time and eases file distribution among end users. However, it poses a security risk since the file contents are not easily verifiable, and it can run commands and executables silently.


Once inside, the infection proceeds with the execution of CoinMiner, a cryptocurrency miner that can also double up as a credential stealer, or Quasar RAT, an open-source remote access trojan, depending on the payload packed in the archive.

The technique lets the attackers keep the payload inside a password-protected archive, which many email scanners cannot inspect, without requiring the victim to type that password, making follow-on attacks such as cryptojacking, data exfiltration, and even ransomware easier to carry out.
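For triage of such an attachment, the questions are whether the executable really is an SFX stub with an archive appended, what the archive contains, and whether those entries are password-protected. The following added example (not Trustwave's tooling and not from the original article) answers them statically for RAR 4.x archives by walking the block headers described in the RAR technote, without extracting anything. The sample file is constructed: a fake MZ stub followed by a minimal archive with one encrypted entry, not real malware.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
LHD_PASSWORD, LHD_LARGE, LONG_BLOCK = 0x0004, 0x0100, 0x8000
EXEC_SUFFIXES = (".exe", ".sfx", ".bat", ".cmd", ".vbs", ".js", ".scr")


def find_sfx_archive(data: bytes):
    """Return (marker_offset, rar_version) when a PE image carries an appended RAR archive."""
    if not data.startswith(b"MZ"):
        return None
    for marker, ver in ((RAR5_MARKER, 5), (RAR4_MARKER, 4)):
        off = data.find(marker)
        if off > 0:               # the marker must follow the stub, not be the whole file
            return off, ver
    return None


def rar4_entries(data: bytes, off: int) -> list:
    """Walk RAR 4.x block headers (CRC16, type, flags, size, [add_size]) and list the files.
    Header CRCs are not verified: this is triage, not extraction."""
    off += len(RAR4_MARKER)
    entries = []
    while off + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, off)
        if hsize < 7:
            break                 # corrupt header; stop rather than loop forever
        add_size = 0
        if htype == HEAD_FILE:
            (pack_size, unp_size, _host_os, _crc32, _mtime, _unp_ver, method,
             name_len, _attr) = struct.unpack_from("<IIBIIBBHI", data, off + 7)
            name_off = off + 32 + (8 if flags & LHD_LARGE else 0)
            name = data[name_off:name_off + name_len].decode("latin-1")
            entries.append({"name": name, "encrypted": bool(flags & LHD_PASSWORD),
                            "packed": pack_size, "unpacked": unp_size, "stored": method == 0x30})
            add_size = pack_size  # packed data follows the file header
        elif flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", data, off + 7)[0]
        off += hsize + add_size
        if htype == HEAD_END:
            break
    return entries


def triage(data: bytes) -> dict:
    found = find_sfx_archive(data)
    if not found:
        return {"sfx": False, "entries": [], "verdict": "not an SFX"}
    off, ver = found
    entries = rar4_entries(data, off) if ver == 4 else []   # RAR5 header walking not implemented here
    nested_exec = [e["name"] for e in entries if e["name"].lower().endswith(EXEC_SUFFIXES)]
    encrypted = [e["name"] for e in entries if e["encrypted"]]
    verdict = "nested password-protected executable" if (encrypted and nested_exec) else "sfx"
    return {"sfx": True, "rar_version": ver, "entries": entries,
            "encrypted": encrypted, "nested_executables": nested_exec, "verdict": verdict}


def _file_block(name: bytes, payload: bytes, flags: int) -> bytes:
    """Build one RAR 4.x file header plus its packed data (for the constructed sample)."""
    head = struct.pack("<HBHH", 0, HEAD_FILE, flags | LONG_BLOCK, 32 + len(name))
    head += struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return head + name + payload


# Constructed sample: 'MZ' stub (not a valid PE), RAR4 marker, main header, one
# password-protected entry named inner.exe (standing in for the second SFX), end block.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"<sfx stub>"
    + RAR4_MARKER
    + struct.pack("<HBHH", 0, HEAD_MAIN, 0, 13) + b"\x00" * 6   # main header, 13 bytes
    + _file_block(b"inner.exe", b"\xde\xad\xbe\xef", LHD_PASSWORD)
    + struct.pack("<HBHH", 0, HEAD_END, 0, 7)                   # end-of-archive block
)
```

Because the file names and the password flag live in unencrypted headers unless the archive was created with header encryption, a mail gateway can make this call without the password. An SFX whose archive holds a password-protected `.exe`, `.bat` or second `.sfx` is the exact shape described above and is worth quarantining regardless of what the lure says.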

Trustwave researchers claim there has been a noticeable increase in threats packaged in password-protected archives, 96% of them being spammed by the Emotet botnet.


Apple fixes exploited iOS, iPadOS zero-day (CVE-2022-42827)


For the ninth time this year, Apple has released fixes for a zero-day vulnerability (CVE-2022-42827) exploited by attackers to compromise iPhones.

About CVE-2022-42827

CVE-2022-42827 is an out-of-bounds write issue in the iOS and iPadOS kernel, which can be exploited to allow a malicious application to execute arbitrary code with kernel privileges.

“Apple is aware of a report that this issue may have been actively exploited,” the company said, though – as per usual – did not offer details about the attack(s).

Reported by an anonymous researcher, the vulnerability has been fixed with improved bounds checking in iOS 16.1 and iPadOS 16, which are available for:

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later

iOS 16.1 and iPadOS 16 also come with fixes for 19 additional CVE-numbered security issues, including a flaw (CVE-2022-32946) in the Bluetooth component that could allow an app to record audio using a pair of connected AirPods, and many other code execution holes.

Other security updates

Mac users, whether they are running macOS Big Sur, Monterey, or Ventura (the latest version of the OS, with new security and privacy features), also have security updates available.

Ventura’s is particularly sizeable, with fixes for 113 issues (40 of which are in the Vim text editor).
