Tuesday, January 21, 2025

Threat Actors Are Actively Exploiting CVE-2022-1388 RCE in F5 BIG-IP


Threat actors are exploiting critical F5 BIG-IP flaw CVE-2022-1388 to deliver malicious code, cybersecurity researchers warn.

Threat actors have begun mass exploitation of the critical remote code execution vulnerability, tracked as CVE-2022-1388, affecting F5 BIG-IP.

Last week, security and application delivery solutions provider F5 published a security notification informing customers that it had released updates for dozens of vulnerabilities in its products.

The company addressed a total of 43 vulnerabilities, the most severe being a critical issue tracked as CVE-2022-1388 (CVSS score of 9.8). An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can exploit the flaw to execute arbitrary system commands, create or delete files, or disable services.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by the vendor.

The flaw affects the following versions:

16.1.0 – 16.1.2
15.1.0 – 15.1.5
14.1.0 – 14.1.4
13.1.0 – 13.1.4
12.1.0 – 12.1.6
11.6.1 – 11.6.5

and the vendor addressed it with the release of the following versions (no fixed release is listed for the 12.1.x and 11.6.x branches):

17.0.0
16.1.2.2
15.1.5.1
14.1.4.6
13.1.5

The company also provided temporary mitigations for customers that cannot install the patched versions; these restrict access to the affected control-plane service over the self IP addresses and the management port, the two exposure paths the advisory names.

Researchers from Positive Technologies and the Horizon3 Attack Team developed their own exploit code for CVE-2022-1388 and explained that the issue is trivial to exploit.

The popular researcher Kevin Beaumont confirmed the ongoing attacks, but pointed out that they are not targeting the management interface.

https://twitter.com/GossiTheDog/status/1523223763747483648?s=20&t=cjdnodvhw2282j8oOTVMqA

The researcher Germán Fernández reported that threat actors are exploiting the flaw to drop a script to “/tmp/f5.sh” that installs PHP webshells under “/usr/local/www/xui/common/css/”.
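For responders triaging a BIG-IP fleet, the two questions are whether a device runs an affected build and whether the post-exploitation artefacts reported above are present. The script below is an added example written for this page, not code from F5 or from the researchers cited; it encodes the affected and fixed versions listed above and the two file paths from Fernández's report. The `tmsh show sys version` output and the file listing are constructed samples, and the rule that the 12.1.x and 11.6.x branches have no fixed release simply mirrors the list above.

```python
"""Triage helper for CVE-2022-1388 on F5 BIG-IP.

Added example, not code from F5 or from the article. It encodes the
affected and fixed versions listed in the advisory summary above and the
filesystem artefacts from the exploitation report, so a responder can run
it against `tmsh show sys version` output and a file listing from a
device. Sample inputs below are constructed for the demonstration.
"""
import re

# (first affected, last affected, fixed release) per branch, as listed above.
# fixed=None: the summary lists no fixed release for that branch.
BRANCHES = [
    ("16.1.0", "16.1.2", "16.1.2.2"),
    ("15.1.0", "15.1.5", "15.1.5.1"),
    ("14.1.0", "14.1.4", "14.1.4.6"),
    ("13.1.0", "13.1.4", "13.1.5"),
    ("12.1.0", "12.1.6", None),
    ("11.6.1", "11.6.5", None),
]

# Artefacts reported by Germán Fernández (see above). The webshell directory
# sits under the TMUI document root; a css/ directory should never hold PHP.
DROPPER_PATH = "/tmp/f5.sh"
WEBSHELL_DIR = "/usr/local/www/xui/common/css/"


def parse_version(text):
    """'16.1.2.2' -> (16, 1, 2, 2). Tuples compare the way BIG-IP versions sort."""
    return tuple(int(part) for part in text.strip().split("."))


def assess_version(version):
    """Return (vulnerable, fixed_release). fixed_release is None when the
    branch is not affected or no fix is listed for it."""
    v = parse_version(version)
    for first, last, fixed in BRANCHES:
        first_t, last_t = parse_version(first), parse_version(last)
        if v[:2] != first_t[:2]:          # different major.minor branch
            continue
        if fixed is not None:
            # Everything from the first affected build up to (not including)
            # the fixed build is vulnerable; e.g. 16.1.2.1 is, 16.1.2.2 is not.
            return (first_t <= v < parse_version(fixed), fixed)
        # No fix listed: the whole listed range, point releases included.
        return (first_t <= v and v[:3] <= last_t[:3], None)
    return (False, None)                  # 17.0.0 and later, or unknown branch


def version_from_tmsh(output):
    """Pull the version out of `tmsh show sys version` text."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", output, re.M)
    return m.group(1) if m else None


def find_iocs(paths):
    """Flag the dropper and any PHP file under the webshell directory."""
    hits = []
    for p in paths:
        if p == DROPPER_PATH:
            hits.append(("dropper", p))
        elif p.startswith(WEBSHELL_DIR) and p.lower().endswith(".php"):
            hits.append(("webshell", p))
    return hits


# Constructed sample data (not from a real device).
SAMPLE_TMSH = """
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2
  Build       0.0.18
  Edition     Final
"""
SAMPLE_PATHS = [
    "/tmp/f5.sh",
    "/usr/local/www/xui/common/css/xui.css",
    "/usr/local/www/xui/common/css/update.php",
    "/var/log/ltm",
]

if __name__ == "__main__":
    ver = version_from_tmsh(SAMPLE_TMSH)
    vulnerable, fixed = assess_version(ver)
    print(f"version {ver}: vulnerable={vulnerable}, fixed release={fixed}")
    for kind, path in find_iocs(SAMPLE_PATHS):
        print(f"{kind}: {path}")
```

The version check treats a four-part build such as 16.1.2.1 as vulnerable because it sorts below the fixed 16.1.2.2, which is how the ranges above are meant to be read. A clean version check is not proof of a clean device: a box patched after exploitation still needs the file check, and a webshell can be dropped under any name, so anything executable under that css/ directory deserves a look.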


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Hacktivists Hacked Russian TV Schedules During Victory Day and Displayed Anti-War Messages


Hacktivists yesterday defaced Russian TV listings with pro-Ukraine messages and took down the RuTube video streaming site.

Hacktivists and white hat hackers continue to support Ukraine against the Russian invasion. In a recent attack, they defaced Russian TV listings with anti-war messages and took down the RuTube video streaming site.

The attack took place on Russia’s Victory Day: Russians attempting to view the parade were shown pro-Ukraine messages because of a cyber attack on the Russian TV listings systems.

According to the BBC, the coordinated attack affected major Russian networks, including Channel One, Rossiya-1, MTS, Rostelecom, and NTV-Plus.

The hackers compromised the Russian TV schedule page and changed the name of every programme to “On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war”

The news of the attack was also announced by Anonymous, but at this time it is not clear which group hit the Russian media.

A cyber attack also took the Russian video streaming platform RuTube offline; pro-Ukraine hacktivists consider it a crucial component of Russian propaganda.

According to the company, the threat actors did not access its archive, and it is working to restore the platform. Hacktivist groups, on the other hand, claim that RuTube’s code has been completely removed from the platform and plan to leak it as soon as possible.


Hacked Websites Threat Report 2021


Our 2021 Website Threat Research Report details our findings and analysis of emerging and ongoing trends and threats in the website security landscape. We’ve put together this analysis to help keep website owners informed and aware of the dangers posed by malicious actors.

This year’s report is a collection of observations made by Sucuri’s Research and Remediation teams from data collected on web-based malware, vulnerable software, and attacks during 2021.

The data used in this report is a representative sample of the total number of websites that our Remediation team performed services for throughout the year 2021, as well as more than 132 million SiteCheck scans.

This data reflects the environments of our clients and not the web as a whole.

This was a great project to work on and we uncovered a lot of interesting data, particularly with observing trends in credit card skimming malware and WordPress. Some trends from previous years continued while some fresh ones emerged.

Our hacked website report contains a lot of new data, including sections on emerging malware to help us analyze and understand trends in the threat landscape. We also provide an analysis of the most severe and common software vulnerabilities present within the WordPress ecosystem during 2021.

Key Takeaways

  • Vulnerable plugins and extensions account for far more website compromises than out-of-date, core CMS files.
  • Websites containing a recently vulnerable plugin or other extension are most likely to be caught up in malware campaigns.
  • Default configurations of popular website software applications remain a serious liability.
  • By default, WordPress administrator panels contain no multi-factor authentication, nor a limit on failed login attempts.
  • Responsible disclosure and proactive security monitoring is key to maintaining a safe web.
  • Some major catastrophes were avoided in 2021. Major plugins with millions of installations had vulnerabilities patched with very few incidents, due to proactive security monitoring, patching, and exceptional communication with the public.
  • Credit card skimming is on the rise, especially for WordPress.
  • Hacker groups are actively developing and customizing their malware. Each variation is distributed to a small number of sites, but the overall number of affected sites is significant.
  • SEO spam continues to be a menace.
  • 52.6% of remediated websites contained some form of SEO spam in 2021. Spam also accounted for 34.45% of infected SiteCheck detections.
  • Backdoors and malicious admin users remain the backbone of many compromises.
  • Backdoors are extremely common, with 60.04% of infected environments containing at least one website backdoor.
  • Website reinfections remain common.
  • A website compromise can be a miserable experience. Website owners are often averse to taking all the necessary post-infection steps, but if measures aren’t taken the attackers are likely to return.
  • Malware tends to focus on either quality or quantity.
  • The goal of spam and redirect malware is to compromise as many websites as possible, in the shortest time period possible, to affect as many users as possible. They do not care about staying hidden. Malware that compromises credit card details is the opposite: They try to have a small, very well hidden payload to stay present as long as possible in order to steal as many card numbers as they can.
  • Cryptomining attacks are no longer very common.
  • Cryptomining has largely moved away from website and server environments, focusing instead on dedicated hardware “farms”.

Software Distribution

The usage of different CMS platforms among our client base is charted in the full report.

These data sets indicate that WordPress continues to be the most popular CMS among our user base, accounting for 95.62% of clients in 2021. As seen in past years, Joomla (2.03%) followed in second place with Drupal (0.82%) taking third.

Vulnerable Software and Components

Out-of-date CMS

Roughly equal numbers of websites were running an up-to-date and an out-of-date CMS at the time of infection.

Our data suggests that out-of-date CMS only roughly correlates to infection, and points to the usage of vulnerable plugins and themes as well as unsecured admin panels to be of greater importance in terms of security risk.

The presence of out-of-date CMS may not necessarily be the attack vector itself but rather a symptom of a lack of maintenance of the environment.

Out-of-date CMS Distribution

Out of all of the websites submitted for malware cleanup, WordPress and ModX were by far the most well maintained at the point of infection.

Top Malware Infections

To identify the most common malware types seen on compromised websites in 2021, our team aggregated and analyzed the data from malware signatures detected and cleaned during Incident Response.

Why is there a percentage overlap?

Our teams regularly find multiple types of malware on a compromised website. For example, attackers might infect a website with spam and plant a website backdoor on a website to maintain access to the environment.

Malware

In 2021, 61.65% of remediated websites were flagged with the malware category. Malware is a very broad category which often includes code designed to redirect website visitors to scam and other malicious websites or steal login credentials. It typically engages in some type of malicious action against site visitors, in contrast to backdoors and hack tools that facilitate hacker activities or spam that aims to increase SEO rankings to third party sites.

The top ten malware types we cleaned are charted in the full report.

Backdoors

Backdoors were one of the most common threats found on compromised websites in 2021, with 60.04% of all infected sites containing at least one backdoor.

An important tool for attackers, our analysts typically find backdoors alongside many other types of malware. This malware bypasses regular access channels, granting attackers full access to the website backend. Once installed, a backdoor can be used to maintain access to the compromised environment long after the infection has occurred, making it easy for the attacker to reinfect the site after the payload is removed.

We analyzed the different types of backdoors we detected and cleaned in 2021 and found the following distribution.

  • Uploader: a type of backdoor which allows the attackers to upload files to the victim environment.
  • Webshell: these backdoors allow the attackers full access to the website file system.
  • RCE: the backdoor will attempt to execute the command issued by the attackers.

Credit Card Skimmers

Credit card skimmers have increased significantly from previous years and the behavior has become more targeted. A growing number of credit card theft has been occurring on independent websites where the store has set up their own ecommerce website.

Over 25% of all new PHP malware signatures generated in 2021 were for credit card skimmers.

In 2021, SiteCheck detections found that 34.5% of websites infected with a credit card skimmer were running WordPress.

SEO Spam

SEO spam still remains one of the most common website compromises, with 52.6% of remediated websites containing SEO spam. Infections typically occur via PHP, database injections, or .htaccess redirects.

SEO attacks often infect websites with redirects and spam, referring site visitors to spam landing pages. These attacks can significantly impact rankings and organic traffic from popular search engines like Google, Bing, and Yahoo who block websites with malicious content.

Our analysis revealed that 33.3% of SEO spam infections were spam doorways, which produce subsections of dynamic spam content on a compromised website. Another 32.2% of SEO spam infections were related to spam injectors, responsible for peppering a compromised environment with hidden spam links for SEO purposes.

Unsurprisingly, our analysis revealed that the most common SEO spam themes and keywords on compromised websites included pharmaceuticals like Viagra and Cialis.

Top Spam Themes

  • Pharmaceuticals
  • Essay writing services
  • Knockoff jerseys and other brand name products
  • Escort services
  • Adult websites
  • Online casinos
  • Replica watches
  • Pirated software

Left untreated, SEO spam can seriously damage a website’s reputation and take a significant time to recover. Website owners may experience a loss in revenue, hijacked search results, browser warnings, or even blocklisting.

Phishing

Phishing has become more prevalent in recent years, with 7.39% of websites containing some form of phishing in 2021. By and large what we see are legitimate websites hacked to host phishing content. This distances the attacker from their payload and allows them to avoid culpability and lower their costs.

Phishing tends to target login credentials for cloud services such as Microsoft Office and Adobe, as well as financial institutions and popular services such as Netflix. Stolen passwords are also used in credential stuffing attacks.

The majority of phishing infections were payloads (phishing landing pages) targeting a wide variety of companies and services. A large portion of attackers used ready-made, pre-built phishing kits and installed them on their targets.

These kits contain some key component parts:
  • A payload landing page
  • A mailer script to either send the compromised data to the attackers or to send out phishing emails to victims
  • Code designed to prevent search engines from indexing the payload

SiteCheck and Blocklist Analysis

Our SiteCheck tool is one of our most important website security monitoring tools. It is free to use and scans millions of websites per year.

Since it is an external monitoring tool, it cannot see infections that do not display outwardly on websites (such as PHP backdoors). For a comprehensive solution, Sucuri clients have full access to our server-side scanning and monitoring.

We queried the scans performed on SiteCheck during 2021 to identify the trends seen for our remote security scanner.

From the 132,374,781 scans performed with SiteCheck in 2021, a whopping 10.38% of websites were identified as containing out-of-date software and 4.34% were identified as infected. Of these infected websites, 34.45% had been identified as containing SEO spam while less than 1% were website defacements.

Blocklisted Domains

Within the top blocklisted resources, we found a number of domains related to the massive WordPress campaign our team has been tracking for several years.

This campaign largely aims to redirect users to spam, malware and scam sites. Nearly all of the top blocklisted domains were present in siteurl/home database infections or in injections targeting wp_posts content in WordPress environments.

To dig a bit deeper, we analyzed the top blocklisted resources for this ongoing campaign.

One prevalent theme that differed from previous years was the high prevalence of .ga (Gabon) and .tw (Taiwan) domains used in redirect campaigns. These top-level domains have become very popular among attackers due to lack of active regulation and domain ownership restrictions.
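The two preceding paragraphs name the three places this campaign plants itself: the siteurl/home options, script tags injected into wp_posts content, and (as the SEO spam section notes) .htaccess redirects. The script below is an added example for this page, not Sucuri's code, that checks each of them from a database export and the .htaccess text. It assumes the site's legitimate hostname is `example-shop.test`; the option rows, posts and .htaccess contents are constructed samples, and the .ga/.tw hint comes from the report's own observation, so it is a flag for a human to look at, not a verdict.

```python
"""Triage for the three spam/redirect injection points the report names:
the siteurl/home options, script tags injected into wp_posts content and
.htaccess redirect rules.

Added example, not Sucuri's code. It assumes the site's legitimate host is
SITE_HOST; every row and the .htaccess text below are constructed samples.
"""
import re
from urllib.parse import urlparse

SITE_HOST = "example-shop.test"          # assumed legitimate hostname

# External script source inside an HTML fragment (scheme-relative or absolute).
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
# RewriteRule whose target is an absolute URL (an off-site redirect).
REWRITE_TO_URL = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)
# TLDs the report singles out for 2021 redirect campaigns: a hint, not proof.
SUSPECT_TLDS = (".ga", ".tw")


def check_options(options):
    """options: {option_name: option_value} from wp_options.
    Flags siteurl/home values that point off-site or carry injected HTML."""
    findings = []
    for key in ("siteurl", "home"):
        value = options.get(key, "")
        host = (urlparse(value).hostname or "").lower()
        if "<script" in value.lower() or (host and host != SITE_HOST):
            findings.append((key, value))
    return findings


def check_posts(posts):
    """posts: iterable of (ID, post_content). Returns (ID, host, suspect_tld)
    for every script tag loading from a host other than SITE_HOST."""
    findings = []
    for post_id, content in posts:
        for host in SCRIPT_SRC.findall(content):
            host = host.lower()
            if host != SITE_HOST:
                findings.append((post_id, host, host.endswith(SUSPECT_TLDS)))
    return findings


def check_htaccess(text):
    """Returns the off-site hosts that RewriteRule lines redirect to."""
    hosts = []
    for target in REWRITE_TO_URL.findall(text):
        host = (urlparse(target).hostname or "").lower()
        if host and host != SITE_HOST:
            hosts.append(host)
    return hosts


def triage(options, posts, htaccess):
    return {
        "options": check_options(options),
        "posts": check_posts(posts),
        "htaccess": check_htaccess(htaccess),
    }


# Constructed samples: a classic siteurl/home injection, one injected post,
# and a cloaked .htaccess redirect that only fires for search-engine crawlers.
SAMPLE_OPTIONS = {
    "siteurl": "https://example-shop.test",
    "home": 'https://example-shop.test/<script src="//stat.example.ga/c.js"></script>',
}
SAMPLE_POSTS = [
    (1, "<p>Welcome to our shop.</p>"),
    (2, "<p>Sale!</p><script src='//cdn.example.tw/s.js'></script>"),
    (3, '<script src="https://example-shop.test/wp-includes/js/jquery.js"></script>'),
]
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://pharma-offer.example.ga/$1 [R=301,L]
RewriteRule ^index\\.php$ - [L]
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_OPTIONS, SAMPLE_POSTS, SAMPLE_HTACCESS).items():
        print(section, hits)
```

The sample .htaccess shows why an external scanner such as SiteCheck can miss these: the redirect is conditioned on a crawler user agent, so a normal visitor never sees it. Running the checks against the database and the files themselves, as above, does not depend on the spam being visible from outside.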

Spam

SEO spam accounted for 34.45% of the infected websites scanned with SiteCheck in 2021. Since this number was so significant, we dug a bit deeper to break down the types of spam found on these compromised environments.

Our analysis of the top ten SEO spam signatures for SiteCheck revealed a few prevalent themes.

Unsurprisingly, the most common theme was related to pharmaceuticals with 28.03% of SEO spam content found to be related to themes like Viagra and Cialis. This indicates that despite the long legal battles fought by pharmaceutical companies against spammers, knock-off drugs continue to be an important source of revenue for attackers.

A predominant number of signatures were also found relating to Japanese SEO spam (22.13%). These ongoing SEO Japanese Spam campaigns pollute victim’s website search results with knock-off designer goods.

Conclusion

At its core, maintaining a good security posture comes down to a few core principles: keep your environment updated and patched, use strong passwords, exercise the principle of least privilege, and leverage a web application firewall (WAF) to filter malicious traffic.

Check out the full hacked website report to get the entire story on our 2021 research and remediation analysis!

Download the full report (hosted by sucuri.net)


Anonymous Hacked Russian PSCB Commercial Bank and Companies In The Energy Sector


OpRussia continues: less than a week after my last update, Anonymous has hacked other Russian companies and leaked their data via DDoSecrets.

The #OpRussia campaign launched by Anonymous against Russia after the criminal invasion of Ukraine continues; the collective claims to have published more than 6 TB of Russian data via DDoSecrets. This is my update on the recent attacks and associated data leaks via the DDoSecrets platform:

  • Elektrocentromontazh (ECM) is the chief power organization of Russia; it designs, tests, builds, installs and maintains electrical equipment in power generation and transmission facilities in over 25 regions of Russia. ECM’s domestic clients include the Novovoronezh, Kursk and Smolensk nuclear power plants, Russian Railways JSC, the State enterprise Moscow Power Directorate, the Energy department of the Moscow Government, the Moscow united electric grid JSC branch, and Baltic Oil Pipelines LLC. The collective has released a 1.7 TB archive via DDoSecrets that contains 1.23 million emails from the company.
  • PSCB Petersburg Social Commercial Bank is one of the top 100 Russian banks in terms of net assets. The financial institution was hacked by Anonymous’s affiliate Network Battalion 65, one of the most active hacking groups since the beginning of the invasion. The collective has released a 542 GB archive via DDoSecrets that contains 229,000 emails and 630,000 files from the Petersburg Social Commercial Bank.
  • ALET is a customs broker for companies in the fuel and energy industries, handling exports and customs declarations for coal, crude oil, liquefied gases and petroleum products. ALET has worked with over 400 companies since 2011 to file over 119,000 customs declarations and has recommendations from Gazprom, Gazprom Neft and Bashneft. Approximately 75% of ALET’s business comes from oil products, 10% from oil, and 9% from hydrocarbon products. The collective has released a 1.1 TB archive via DDoSecrets that contains nearly 1.1 million emails from ALET / АЛЕТ.


Sina Weibo, China’s Twitter Analogue, Reveals Users’ Locations and IP Addresses


To the surprise of many users, China’s largest Twitter-esque microblogging website, Sina Weibo, announced on Thursday that it will publish users’ IP addresses and location data in an effort to keep their content honest and nice.

In a post whose title translates as “IP Territorial Function Upgrade Announcement,” the company stated it was taking the action to protect users’ rights, and to make the service more pleasant to use.

“In order to reduce undesirable behaviors such as impersonating parties, malicious rumors … as well as to ensure the authenticity and transparency of the disseminated content, the site launched the ‘IP Territory’ function in March this year,” announced the social media platform’s official account in Chinese.

The function will see users’ IP addresses recorded, and the province or municipality from which they post appended to their output.

And no, clarified Weibo, the functionality cannot be turned off.

Bryan Tan, a partner at tech-centric law firm Reed Smith, said he doubts the measure will be effective.

“Conventional thinking is that IP addresses may be considered personal data because they could reveal exact locations (and hence are personal data),” he told The Register by email. “So from an outside China point of view, it would be eyebrow-raising. The stated aim is noble, but a blunt tool usually has a chilling effect which affects all kinds of speech, not just misinformation.”

Some Chinese Weibo users expressed similar sentiments, especially over privacy concerns.

One user asked “Why should I know where netizens come from and where they go? Why do netizens want to know where I came from and where I want to go?”

Others sought workarounds and asked what would happen if they denied Weibo location permissions.

The new feature works even when users post from mobile devices with location services disabled. A VPN might defeat the location service – but they’re mostly illegal in China.

Some users welcomed the change.

“I feel this initiative not only standardizes civilized speech, but is to prevent foreign forces from provoking various confrontations on the Chinese network, After all, in these special times, China is indeed a thorn in the eyes of too many countries. In reality, a lot of spies have been arrested recently, and cyber spies are more invincible …” wrote one Weibo user.

Weibo’s move is very much in line with Beijing’s many recent actions aimed at keeping China’s internet nice and dissent-free.

The latter aim was advanced this week, with Douyin – the app known as TikTok outside China – asking users to report posts that criticize China’s leaders or economic policies.

That request, and Weibo’s actions, come amid unusual levels of anti-government sentiment being expressed online during long city-wide COVID-19 lockdowns across China.

Parts of Shanghai have been in strict lockdown for over a month, with most residents forbidden from stepping outside for any reason other than getting a COVID test. Some of the populace has loudly complained of hunger – both online and by shouting out their windows.

Government-issued vegetable boxes are delivered to registered residents, but are often seen as insufficient. In early April, WeChat hashtags discussing food shortages, such as “scrambling to secure food in Shanghai” (#上海抢菜#) and “anxieties over food supplies in Shanghai” (#上海疫情下的抢菜焦虑#) were allegedly blocked.

Around the same time, street signs appeared in Beijing warning residents they should “not post pandemic-related messages online”. Others advised “the internet is full of perils, exercise caution on the internet” – a message aimed at discrediting complaints.

In Shanghai recently, a loudspeaker in a residential area blared messages stating that foreign forces are behind pandemic protests.

Beijing’s expectations of a censored social media landscape pre-date the current COVID outbreak. It is the main reason LinkedIn left the Middle Kingdom last October, and the country shut down Reddit-like Douban in December (on the pretext that it was hosting notoriously mean fandom communities).


Ukraine Government and Pro-Ukrainian Sites Hit by DDoS Attacks


The Computer Emergency Response Team in Ukraine (CERT-UA) has announced that Ukraine government web portals and pro-Ukraine sites are subjected to ongoing DDoS (distributed denial of service) attacks. They don’t currently know who is behind these attacks.

The attack involves injecting a malicious JavaScript (JS) file, which CERT-UA named “BrownFlood”, into compromised WordPress sites, turning them into DDoS launch points. The script, which is base64-encoded to evade detection, is injected into the HTML structure of the sites’ main files. Whoever visits these sites is then turned into an unknowing accomplice in an attack they are unaware of.

Target URLs are defined in the code.

BrownFlood in a compromised WordPress site (Source: CERT-UA)

Even the owners of these compromised WordPress sites do not realize that they have been involuntarily enlisted in a campaign against Ukraine.

BleepingComputer revealed that the same JS script shared on GitHub had been involved in a DDoS attack a month ago against a smaller pool of pro-Ukraine sites. It then came to light that a particular pro-Ukrainian site had used the same DDoS code to target Russian sites.

CERT-UA worked closely with the National Bank of Ukraine to strengthen its defensive stance against DDoS attacks. The agency also informed WordPress site owners of their compromise and provided guidance on detecting and removing the malicious JS.

Screenshot of event log WordPress admins should watch out for to know if they are infected (Source: CERT-UA)

CERT-UA listed three recommendations for WordPress site admins to follow, which we have replicated the translated version of below:

  1. Take steps to detect and remove malicious JavaScript code.
  2. Keep active plug-ins and the website content management system (CMS) up to date.
  3. Restrict access to website management pages.

The agency also provided a detection tool admins can use to scan their sites.
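The first of the three recommendations, detecting the injected script, is the one site owners can start on themselves. The script below is an added example written for this page; it is not CERT-UA's detection tool and it does not reproduce the BrownFlood code. It does what the description above implies a scanner should do: pull `<script>` blocks out of a page, decode any long base64 string passed to `atob()`, and report the decoded source if it makes repeated requests to absolute URLs, which is the behaviour of a browser-side flooder. The HTML and the payload in it are constructed samples with hypothetical target hostnames, built at run time so the base64 matches.

```python
"""Hunting for base64-wrapped flooding scripts in WordPress page output.

Added example, not CERT-UA's detection tool or the BrownFlood code itself.
It decodes atob() arguments found inside <script> blocks and reports those
whose decoded source makes repeated requests to absolute URLs, which is the
behaviour the advisory describes. The HTML below is a constructed sample.
"""
import base64
import re

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATOB_ARG = re.compile(r"\batob\(\s*[\"']([A-Za-z0-9+/=]{40,})[\"']\s*\)")
REQUEST_API = re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon|Image)\b")
REPEAT = re.compile(r"\b(?:setInterval|setTimeout|while|for|forEach)\b")
ABS_URL = re.compile(r"https?://[^\s\"'<>)]+")


def decode_b64(blob):
    """Strict base64 decode; returns None for anything that is not base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def find_flood_scripts(html):
    """Return one finding per suspicious script: the decoded source and the
    absolute URLs it contains (the flood targets)."""
    findings = []
    for script in SCRIPT_BLOCK.findall(html):
        for blob in ATOB_ARG.findall(script):
            decoded = decode_b64(blob)
            if decoded and REQUEST_API.search(decoded) and REPEAT.search(decoded):
                findings.append({
                    "targets": sorted(set(ABS_URL.findall(decoded))),
                    "decoded": decoded,
                })
    return findings


# Constructed payload standing in for the injected script: a timer that
# keeps fetching a list of targets from every visitor's browser.
SAMPLE_PAYLOAD = (
    'var t=["https://gov.example.ua/","https://news.example.ua/"];'
    'setInterval(function(){t.forEach(function(u){'
    'fetch(u+"?"+Math.random(),{mode:"no-cors"})})},10);'
)
SAMPLE_HTML = (
    "<html><head><title>Blog</title>"
    '<script>document.title = atob("SGVsbG8gd29ybGQ=");</script>'   # benign, short
    "</head><body><p>post</p>"
    '<script>eval(atob("%s"));</script>'
    "</body></html>"
) % base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()

if __name__ == "__main__":
    for f in find_flood_scripts(SAMPLE_HTML):
        print("flood script targeting:", ", ".join(f["targets"]))
```

Run it against the rendered HTML of the home page and the theme's header and footer templates, since those are the "main files" the advisory refers to. The length threshold on the base64 argument keeps short, legitimate `atob()` uses out of the results; an injected flooder that is wrapped differently (split strings, `String.fromCharCode`) would need an additional decoder, so treat a clean result as one check passed, not as a clean site.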


5 Secure Ways to Configure a Firewall


Internet access is no longer optional; it has become a requirement for every organization. An internet connection brings an organization clear advantages, but it also lets the outside world reach the organization’s internal network.

Visiting a website means connecting to a specialized computer called a web server, which, like any other computer, can be targeted by attackers. Every connection to a foreign machine is also an opportunity for attackers to infect the host with malware or to enlist it in DDoS attacks.

That is where a firewall becomes helpful. 

What is a Firewall?

A firewall is a type of network security device that monitors and controls incoming and outgoing traffic. It can be either hardware or software. It allows, rejects, or blocks specific traffic based on a predetermined set of rules. It protects the network from both external and internal threats.

How does a firewall work?

A firewall compares each packet or connection against its defined set of rules. When a rule matches, the action configured for that rule (allow, reject, or drop) is applied. If the traffic is determined to be a security risk, the firewall prevents it from entering the internal network.

Networks connected to the internet are exposed, which is why firewalls are needed. An unprotected network can be readily infiltrated and infected by a third party; once attackers gain control of a website or server, they can plant malware on it. Without a firewall, DDoS (Distributed Denial of Service) attacks that can crash a website or server are also harder to contain.

There are different ways a firewall can filter and control the unauthorized traffic, such as:

  • Packet Filtering 

In this approach, traffic is handled as individual packets, each evaluated on its own. Packets trying to enter the network are checked against a set of rules: those that match a deny rule are dropped, while the others are allowed to proceed to their intended destination.

This form of firewall has no way of knowing whether a packet is part of an existing traffic stream. Packets can only be allowed or denied based on their header fields (addresses, ports, and protocol).

  • Stateful Inspection

Stateful inspection is a more advanced form of filtering that tracks the state of every connection in a state table. The source and destination IP addresses, ports and protocol of each packet are compared with that table, so the firewall knows whether a packet opens a new connection, which must be checked against the rules, or belongs to one it has already permitted.

Only packets that open a permitted connection, or that belong to a connection already recorded, are allowed through to the internal network.

  • Proxy Service

The proxy firewall, also known as an application firewall or gateway firewall, inspects traffic at the application layer to safeguard network resources. It understands only the protocols it has a proxy for, which restricts the kinds of applications the network can support; this improves security but reduces functionality and performance.

A proxy server acts as an intermediary, so there is never a direct connection between the two sides of the firewall. Every request passes through the proxy, which decides whether to forward it or block it according to the configured rules.

  • Next Generation Firewalls (NGFW)

Next-generation firewalls (NGFWs) are designed to guard against modern threats such as malware and application-layer attacks. An NGFW combines packet filtering and stateful inspection with deep packet inspection (DPI), application inspection, malware filtering and antivirus scanning.

The Importance of proper Firewall Configuration

A firewall is an important part of network security and must be configured correctly to protect a company against cyberattacks and data breaches. If it is misconfigured, attackers can gain unauthorized access to the protected internal network and steal critical information.

A properly configured firewall protects an internet-facing server from network-based attacks to the fullest extent a firewall can.

Secure ways to Configure a Firewall

Firewall configuration is critical for ensuring that only authorized administrators can manage the device and that only authorized traffic crosses the network boundary.

The following steps are required:

  • Securing the firewall

Harden the firewall itself before it protects anything else, so that only authorized personnel can administer it. Expose the management interface only to a dedicated management network, never to the internet.

  • Update the firewall to the latest firmware.
  • Never put a firewall into production without the proper configuration in place.
  • Delete, disable, or rename the default accounts, and use unique and complex passwords.
  • Never use shared accounts managed by multiple administrators.
  • Disable Simple Network Management Protocol (SNMP) if it is not needed; if it is, use SNMPv3 with authentication and restrict it to the management hosts.

  • Creating firewall zones and establishing IP addresses

Decide which assets need to be safeguarded and map out your network so that these assets can be grouped and assigned to separate networks or zones based on their function and sensitivity. More zones give finer control over which systems may talk to which and limit how far an attacker who lands in one zone can move, but each additional zone also adds management effort.

Once the zones are defined, assign each one to a firewall interface or sub-interface and establish the IP addressing scheme it will use; every rule written later refers to these zones and address ranges.

  • Configuring Access Control Lists (ACLs)

Access Control Lists (ACLs) are the rules a firewall uses to decide which traffic is permitted to pass and which is blocked, and what action to take when unauthorized traffic tries to reach the network.

ACLs should specify the actual source and destination IP addresses and port numbers rather than broad "any" entries. Each ACL should end with an explicit "deny all" rule so that anything not expressly permitted is dropped. Apply ACLs to each interface and sub-interface in both the inbound and outbound direction to guarantee that only allowed traffic reaches a zone.

  • Configuring Firewall Services and Logging

Some firewalls can also run additional services, such as an Intrusion Prevention System (IPS) or a Network Time Protocol (NTP) server. Turn off every firewall-supported extra service that is not in use. Enable logging, and forward the logs to a central log server or SIEM so that they survive a compromise of the firewall itself and can be reviewed; keep the clock synchronized with NTP so that log timestamps correlate with other systems.

  • Testing the Firewall Configuration

Once you are confident the configuration is correct, test it. Vulnerability Assessment and Penetration Testing (VAPT) verify that only the intended traffic is permitted and that the firewall behaves as designed. Take a backup of the working configuration before testing so that you can roll back if a change breaks something.
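To make the difference between the packet filter and stateful inspection described earlier concrete, and to show a zone-based ACL that ends in an explicit deny, here is a small Python model. It is an added illustration, not code from the Kratikal post or from any firewall product; the zones, address ranges, rules and packets are constructed for the example, and the matching logic is simplified (no TCP teardown, no timeouts).

```python
"""Toy firewall model: stateless packet filtering versus stateful inspection,
with zone-based ACLs that end in an explicit deny.  Added illustration, not
code from the original post; zones, addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # the first packet of a TCP connection carries SYN without ACK
    ack: bool = False


# Constructed addressing plan: each zone is a firewall interface or sub-interface.
ZONES = {
    "untrust":  ip_network("0.0.0.0/0"),
    "dmz":      ip_network("10.10.0.0/24"),
    "internal": ip_network("10.20.0.0/24"),
}


def zone_of(addr: str) -> str:
    """Longest-prefix match, so 10.10.0.5 is 'dmz' and not 'untrust'."""
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip_address(addr) in net]
    return max(matches)[1]


# Ordered ACL: (from_zone, to_zone, proto, dport, action); first match wins.
ACL = [
    ("untrust",  "dmz",      "tcp", 443,  "allow"),   # public HTTPS into the DMZ
    ("dmz",      "internal", "tcp", 5432, "allow"),   # web tier to the database only
    ("internal", "untrust",  "tcp", 443,  "allow"),   # outbound HTTPS
    ("internal", "untrust",  "udp", 53,   "allow"),   # outbound DNS
]


def acl_lookup(pkt: Packet) -> str:
    key = (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.dport)
    for from_zone, to_zone, proto, dport, action in ACL:
        if key == (from_zone, to_zone, proto, dport):
            return action
    return "deny"          # explicit deny-all at the end of every ACL


# A stateless filter cannot tell a reply from a new connection, so it needs
# extra rules keyed on the *source* port to let return traffic back in.
STATELESS_RETURN_RULES = [("untrust", "internal", "tcp", 443)]


def stateless_filter(pkt: Packet) -> str:
    """Packet filtering: every packet is judged on its own header fields."""
    if acl_lookup(pkt) == "allow":
        return "allow"
    key = (zone_of(pkt.src), zone_of(pkt.dst), pkt.proto, pkt.sport)
    return "allow" if key in STATELESS_RETURN_RULES else "deny"


class StatefulFirewall:
    """Stateful inspection: the ACL is consulted only for the first packet of a
    flow; later packets pass only if they belong to a recorded connection."""

    def __init__(self):
        self.table = set()   # 5-tuples of flows the ACL has admitted
        self.log = []        # denied packets, as a real firewall would log them

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        if self._flow(pkt) in self.table or self._reverse(pkt) in self.table:
            return "allow"                      # established or related traffic
        opens_flow = (pkt.syn and not pkt.ack) if pkt.proto == "tcp" else True
        if not opens_flow:                      # out-of-state segment: forged reply, scan, ...
            self.log.append(f"drop out-of-state {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return "deny"
        action = acl_lookup(pkt)
        if action == "allow":
            self.table.add(self._flow(pkt))
        else:
            self.log.append(f"deny {zone_of(pkt.src)}->{zone_of(pkt.dst)} "
                            f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
        return action


def run_demo() -> dict:
    """Constructed traffic: an outbound HTTPS flow, its reply, a forged 'reply'
    aimed at SSH, and a direct inbound SSH attempt."""
    fw = StatefulFirewall()
    outbound = Packet("10.20.0.7", "198.51.100.9", "tcp", 51000, 443, syn=True)
    reply    = Packet("198.51.100.9", "10.20.0.7", "tcp", 443, 51000, syn=True, ack=True)
    forged   = Packet("198.51.100.9", "10.20.0.7", "tcp", 443, 22, ack=True)
    inbound  = Packet("198.51.100.9", "10.20.0.7", "tcp", 40000, 22, syn=True)
    return {
        "stateless_forged": stateless_filter(forged),   # sport 443 looks like a reply
        "stateful_outbound": fw.process(outbound),      # ACL admits, flow recorded
        "stateful_reply": fw.process(reply),            # matches the recorded flow
        "stateful_forged": fw.process(forged),          # no flow and not a SYN
        "stateful_inbound_ssh": fw.process(inbound),    # falls through to deny-all
        "log": fw.log,
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The forged packet is the interesting case: a stateless filter that must let HTTPS replies back in has to trust the source port, so a packet with source port 443 aimed at SSH passes; the stateful firewall drops it because no recorded flow matches and the packet does not open one. Running the script prints each verdict and the two log entries a real firewall would ship to the central log server.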

HOW KRATIKAL CAN HELP?

As a CERT-In empanelled cybersecurity solutions firm, Kratikal provides a complete suite of VAPT services, including Network Security Testing, which evaluates the external and internal security state of a network to detect and demonstrate the flaws present within it.

The Infrastructure Penetration Testing includes a variety of tasks like:

  1. Identifying, prioritizing and quantifying the threats within the network.
  2. Checking the security controls in place.
  3. Analyzing the defenses against network-based attacks such as brute-force attacks and port scanning, among others.

Kratikal also offers Firewall Auditing. The assessment methodology includes proper planning and execution.

The steps followed are:

  1. Security Configuration Review
  2. Firewall Rule-set Review or ACL Review
  3. Firewall Auditing Test Case
  4. Reporting 

Depending on the business and technical requirements, we use industry-standard security testing tools such as Burp Suite, Nmap, Metasploit, and others across each IT architecture.

The relevance of firewall setup to the security of our networks cannot be overstated. Firewalls protect our IT infrastructure, but they, too, require regular maintenance in order to perform correctly. A functioning firewall ensures that our networks remain healthy as well.

What other configuration options do you see for a firewall? Let us know what you think in the comments section below!

The post 5 secure ways to configure a Firewall appeared first on Kratikal Blogs.

*** This is a Security Bloggers Network syndicated blog from Kratikal Blogs authored by Deepti Sachdeva. Read the original post at: https://www.kratikal.com/blog/5-secure-ways-to-configure-a-firewall/


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Organizations Warned of Attacks Exploiting WSO2 Vulnerability


Products made by enterprise software development solutions provider WSO2 are affected by a critical vulnerability that has been exploited in the wild.

According to WSO2’s website, its products are used by many major companies worldwide, including Fortune 500 firms, which could all be at risk.

In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to install the available patches by May 16.

The security hole is tracked as CVE-2022-29464 and it impacts WSO2’s API Manager, Identity Server, Enterprise Integrator, and Open Banking products. In its advisory for CVE-2022-29464, the vendor said temporary mitigations were made available in January 2022 and fixes were delivered in February.

The vulnerability was discovered by Orange Tsai of DEVCORE, who over the past years has found many critical bugs that ended up being exploited in attacks. It is described as an arbitrary file upload issue that can lead to remote code execution.

“Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server,” WSO2 said in its advisory.

Technical details and proof-of-concept (PoC) exploits are available for the vulnerability and Rapid7 on Friday reported seeing opportunistic exploitation in the wild.

“Attackers appear to be staying close to the original proof-of-concept exploit and are dropping web shells and coin miners on exploited targets,” Rapid7 said, noting that exploitation is “quite easy.”

Threat intelligence company Bad Packets has also reported seeing exploitation attempts.

In addition to the WSO2 bug, CISA added six other flaws to its Known Exploited Vulnerabilities Catalog, often referred to as a "Must-Patch" list because government agencies are required, and private organizations are advised, to address these vulnerabilities immediately.

The most recent issues added to the list are two Windows bugs (CVE-2022-26904 and CVE-2022-21919) and the Linux kernel flaw named Dirty Pipe.


Spring4Shell Mitigations and Details (CVE-2022-22965)


Last week researchers found the critical vulnerability CVE-2022-22965 in Spring – the open source Java framework. Using the vulnerability, an attacker can execute arbitrary code on a remote web server, which makes CVE-2022-22965 a critical threat, given the Spring framework’s popularity. By analogy with the infamous Log4Shell threat, the vulnerability was named Spring4Shell.

CVE-2022-22965 and CVE-2022-22963: Technical Details

CVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the Spring Framework's data binding, the mechanism that maps the parameters of an HTTP request onto the fields of the Java objects an application uses. The bug lies in the getCachedIntrospectionResults path: by passing property paths in a request, an attacker can reach objects the application never intended to expose. When those paths lead to privileged objects, the result is data leakage or remote code execution. The issue is a relative of the long-closed CVE-2010-1622, whose fix added a check that a property name did not match classLoader or protectionDomain. On JDK 9 and later, however, an alternative route exists: the Java Platform Module System exposes every class's Module object, and walking through the module's classLoader property bypasses the old check. An attacker can therefore overwrite the Tomcat logging configuration through the class loader's resources and then write a JSP web shell that executes arbitrary commands on a server running a vulnerable version of the framework.

A typical vulnerable configuration consists of:

  • JDK version 9+
  • Apache Tomcat for serving the application
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions
  • application built as a WAR file

CVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function that allows code injection through Spring Expression Language (SpEL) by adding a special spring.cloud.function.routing-expression header to an HTTP request. SpEL is a special expression language created for Spring Framework that supports queries and object graph management at runtime. This vulnerability can also be used for remote code execution.

A typical vulnerable configuration consists of:

  • Spring Cloud Function 3.1.6, 3.2.2 and older versions

Mitigations for Spring vulnerabilities exploitation

CVE-2022-22965 is fixed in Spring Framework 5.3.18 and 5.2.20, which ship with Spring Boot 2.6.6 and 2.5.12; see the Spring blog for details.

To fix CVE-2022-22963, you also need to upgrade to the patched Spring Cloud Function versions (3.1.7 or 3.2.3); see the VMware website for details.

To detect exploitation attempts with Kaspersky products, ensure that the Advanced Exploit Prevention and Network Attack Blocker features are enabled. Some techniques used during exploitation also appear in other exploits we detect, which is why the verdict names can differ.
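As a complementary, product-independent check, the following Python script scans web server access logs for the request pattern the technique above relies on. It is an added example, not Kaspersky's detection logic; the log lines are constructed, the format assumed is Tomcat's combined access log with the query string intact, and the property names it looks for (the class.module.classLoader prefix, and the Tomcat AccessLogValve attributes pattern, suffix, directory, prefix and fileDateFormat that the public proof-of-concept sets) come from the published exploit, not from the original post.

```python
"""Scan Tomcat/Apache access logs for Spring4Shell (CVE-2022-22965) attempts.
Added example, not Kaspersky's detection logic; the log lines are constructed
and the property names come from the public proof-of-concept."""
import re
from urllib.parse import unquote_plus

# Combined log format; the request line is kept raw so the query string is intact.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Property path that walks into the ClassLoader, either via the JDK 9 Module
# object (class.module.classLoader) or the older path closed by CVE-2010-1622.
CLASSLOADER_RE = re.compile(r'[&;]class\.(?:module\.)?classLoader', re.IGNORECASE)
# Tomcat AccessLogValve attributes the public PoC rewrites to drop a .jsp file.
VALVE_RE = re.compile(r'pipeline\.first\.(?:pattern|suffix|directory|prefix|fileDateFormat)',
                      re.IGNORECASE)
JSP_RE = re.compile(r'\.jsp$', re.IGNORECASE)


def scan(lines):
    """Return one finding per suspicious request, in log order."""
    findings, writers = [], set()       # writers: sources seen rewriting the valve
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # unparsable line; count those separately
        path = unquote_plus(m["path"])  # decode %2E and friends before matching
        route, _, query = path.partition("?")
        verdict = None
        if CLASSLOADER_RE.search("&" + query):
            verdict = "valve-write" if VALVE_RE.search(query) else "classloader-probe"
            if verdict == "valve-write":
                writers.add(m["ip"])
        elif m["ip"] in writers and JSP_RE.search(route):
            verdict = "jsp-after-write"  # follow-up request for the file it wrote
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict,
                             "status": int(m["status"]), "path": path})
    return findings


# Constructed sample: two benign requests, then one source setting the valve's
# pattern and suffix (the second one URL-encoded) and requesting the result.
SAMPLE_LINES = [
    '203.0.113.5 - - [31/Mar/2022:10:00:01 +0000] "GET /app/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Mar/2022:10:00:07 +0000] "GET /app/hello?name=world HTTP/1.1" 200 48 "-" "curl/7.79.1"',
    '198.51.100.7 - - [31/Mar/2022:10:01:15 +0000] "POST /app/hello?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 48 "-" "python-requests/2.27.1"',
    '198.51.100.7 - - [31/Mar/2022:10:01:16 +0000] "GET /app/hello?class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 48 "-" "python-requests/2.27.1"',
    '198.51.100.7 - - [31/Mar/2022:10:01:40 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 190 "-" "python-requests/2.27.1"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['ts']} {f['ip']} {f['verdict']:17} {f['status']} {f['path']}")
```

Because access logs record only the request line, parameters sent in a POST body are invisible to this check; cover those with request-parameter logging on the application or a WAF rule on the same pattern. On the application side, Spring Framework 5.3.18 and 5.2.20 disallow such property paths in data binding; on an unpatched version the same effect comes from an @InitBinder that calls setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*"), as documented in Spring's advisory.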

Indicators of Compromise

Verdicts
PDM:Exploit.Win32.Generic
UMIDS:Intrusion.Generic.Agent.gen

MD5 hashes of the exploits
7e46801dd171bb5bf1771df1239d760c – shell.jsp (CVE-2022-22965)
3de4e174c2c8612aebb3adef10027679 – exploit.py (CVE-2022-22965)

(Figure: detection of the exploitation process with Kaspersky EDR Expert.)


What is credential stuffing? And how to prevent it?


This post explains what a credential stuffing attack is and which countermeasures prevent it.

A credential stuffing attempt can be caught as a behavioral anomaly, if you are looking. Earmarked by the FBI as a particular threat to the financial services industry just over a year ago, credential stuffing thrives on the growth of internet traffic, data breaches and API usage, which together create the perfect conditions for a successful attack. Here is what you need to know about how these attacks work and how to stay safe.

What is credential stuffing?

Credential stuffing is a type of attack in which attackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration. In other words, bad actors gather lists of breached usernames and passwords and run them against the logins they are after until they find some that work. Then they enter those accounts to abuse their permissions, siphon out data, or both.

Why is it so prevalent now?

It is now easier and cheaper than ever to come by lists of compromised credentials (many are posted free on hacker forums) and to run low-sophistication credential stuffing attacks. On the tooling side, attackers use the same resources defenders use to automate: scripting and automation tools, APIs, and traffic throttling (to disguise brute-force attempts as legitimate traffic).

Also, with the massive shift to remote work, XaaS technologies and the rush toward the convenience of apps, companies rely heavily on APIs, which are often under-protected. APIs are not customer-facing, and protection seems to lag because of it; "out of sight, out of mind" does not apply to eager cybercriminals, however. And hygiene around the creation of usernames and passwords remains poor, with many reused across multiple websites. That reuse is the primary way credential stuffing works, and indeed the premise it rests on: you cannot access an account with recycled credentials if there are no recycled credentials.

How credential stuffing attacks work

Here are the steps an attacker typically takes to run a credential stuffing campaign:

  • Scope out the target and its APIs. Attackers look for hosting servers, domain names and vulnerable API endpoints. Over 50% of records breached over the last few years came from apps and APIs.
  • Gather a database of stolen credentials. These lists of pilfered usernames and passwords are the ammunition for the attack. If a username and password pair is reused wholesale, it is an automatic way in; if only the username matches, brute forcing can more easily find the password.
  • Build tooling that is automated and unsuspicious. Scripts then try the stolen credentials against login endpoints until one works. Most attackers make this look like legitimate user activity by limiting the number of attempts per hour.
  • Launch the attack. Attacks are commonly launched from cloud infrastructure, or from many geolocations, to evade detection.
  • Learn from the results and pivot to ATO. Attackers check for success codes and often feed every result back into their tooling to make future attacks more efficient. Once they have a working login, account takeover is achieved and data compromise begins.

How to stop credential stuffing attacks

Here are some primary methods for preventing credential stuffing attacks:

  • Multi-Factor Authentication (MFA). “Credential stuffing relies on automation scripts and tools that cannot easily provide additional factors of authentication, particularly mobile phone authenticator tokens or 2FA tokens sent through alternate channels such as email or SMS.” Salt Security says in their recommendations for how to defend against credential stuffing.
  • Good password hygiene and password managers. “If a password is weak or reused across multiple accounts, it will eventually be compromised.” content delivery network Akamai concluded in its State of the Internet report.
  • Runtime behavior analysis. Establish a baseline and flag deviations from it. Besides warning of malicious activity, it can protect APIs against the data scraping commonly used in credential stuffing attacks.

Secondary methods include:

  • CAPTCHA. Requiring a CAPTCHA for each access attempt deters password sprays and malicious logins. "CAPTCHA for hire" services exist, but any added cost reduces the attackers' ROI (and incentive).
  • Block-listed IPs. Basic attacks draw from a small pool of IPs, which can be blocked after several failed login attempts. Public IP block lists also exist and can be added to your own.
  • Device fingerprinting. A device fingerprint is associated with the user's browser; if a login does not match it, the user is prompted for additional verification. In that event, the user should probably also change their password.
  • Provide unpredictable usernames. Instead of allowing email addresses, which are easily found (and guessed), require a distinct and secure username. Generating (not generic) usernames for users improves the experience.

According to OWASP, a nonprofit dedicated to making software safe, "In isolation none of these [secondary measures] are as effective as MFA, however if multiple defenses are implemented in a layered approach, they can provide a reasonable degree of protection." Note that, to avoid disrupting the user experience, the secondary methods can be applied to suspicious login attempts only.
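The runtime behavior analysis recommended above, and the "limit attempts per hour" evasion described earlier, can both be shown on a handful of log lines. The following Python is an added example, not part of the original post; the authentication events are constructed, and the thresholds (five distinct usernames with an 80% failure rate inside an hour, five attempts per minute for the naive limiter) are illustrative assumptions to tune against your own baseline.

```python
"""Behavioural detection of credential stuffing from authentication logs.
Added example, not part of the original post; events and thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, source IP, username, outcome.
# alice and bob are legitimate users; 198.51.100.5 runs a throttled campaign,
# one stolen credential pair every five minutes, and one pair happens to work.
SAMPLE_LOG = """\
2025-01-20T09:00:01Z 203.0.113.10 alice ok
2025-01-20T09:12:30Z 203.0.113.22 bob fail
2025-01-20T09:12:41Z 203.0.113.22 bob fail
2025-01-20T09:12:55Z 203.0.113.22 bob ok
2025-01-20T09:05:00Z 198.51.100.5 u1001 fail
2025-01-20T09:10:00Z 198.51.100.5 u1002 fail
2025-01-20T09:15:00Z 198.51.100.5 u1003 fail
2025-01-20T09:20:00Z 198.51.100.5 u1004 fail
2025-01-20T09:25:00Z 198.51.100.5 u1005 fail
2025-01-20T09:30:00Z 198.51.100.5 u1006 fail
2025-01-20T09:35:00Z 198.51.100.5 u1007 ok
2025-01-20T09:40:00Z 198.51.100.5 u1008 fail
2025-01-20T09:45:00Z 198.51.100.5 u1009 fail
2025-01-20T09:50:00Z 198.51.100.5 u1010 fail
2025-01-20T10:30:00Z 203.0.113.10 alice ok
"""


def parse_events(text):
    """Return (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return sorted(events)


def rate_limit_trips(events, max_per_minute=5):
    """Naive per-source rate limit: which IPs exceed N attempts in any one minute?"""
    counts = defaultdict(int)
    for ts, ip, _, _ in events:
        counts[(ip, ts.replace(second=0, microsecond=0))] += 1
    return {ip for (ip, _), n in counts.items() if n > max_per_minute}


def stuffing_sources(events, window=timedelta(hours=1), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames, mostly failing, inside a
    sliding window.  The long window is the point: a campaign throttled below
    every per-minute limit still accumulates breadth over an hour."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seg = evs[start:end + 1]
            users = {u for _, u, _ in seg}
            fails = sum(r == "fail" for _, _, r in seg)
            if len(users) >= min_users and fails / len(seg) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(seg),
                                   "failures": fails}
    return flagged


def takeover_candidates(events, flagged):
    """Accounts a flagged source logged into successfully: likely ATO.
    Step these up to MFA or force a password reset."""
    return sorted({user for _, ip, user, result in events if ip in flagged and result == "ok"})


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("per-minute limiter trips:", rate_limit_trips(ev) or "none")
    hits = stuffing_sources(ev)
    for ip, stats in hits.items():
        print(f"stuffing source {ip}: {stats}")
    print("takeover candidates:", takeover_candidates(ev, hits))
```

The per-minute limiter never fires on the constructed campaign because the attacker spaces attempts five minutes apart; the hour-long window still catches it because the tell is breadth (many different usernames from one source, almost all failing), not speed. In production, key the same logic on a device fingerprint or session as well as the IP, since distributed campaigns rotate addresses, and treat the takeover candidates as accounts to step up to MFA or force a reset.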

Proactive Defense

Credential stuffing is a systemic problem with a simple solution: if everybody changed their reused logins tonight, the issue would be solved by morning. Short of that, best practices can be put in place and succeed. MFA, CAPTCHA and rate limits on your APIs go a long way toward discouraging attackers and securing access. The most effective proactive defense, however, is to track traffic over time: that identifies anomalous patterns and points toward an attempted attack even when the other methods miss it.

About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
