Sunday, January 19, 2025

Cryptocurrency Is Funding Ukraine’s Defense—and Its Hacktivists


As Russia continues to amass troops at the border, resistance groups have seen a surge in crypto donations.

Cryptocurrency may never have fulfilled its promise as the quotidian currency for buying a cup of coffee. But it’s proven to be a powerful, regulation-resistant means of sending large amounts of money anywhere in the world. That now includes war zones—or more specifically, Ukraine, a country whose long-burning, limited war with Russia and pro-Russian separatists may be about to rapidly expand.

Cryptocurrency payments to military and hacktivist groups in Ukraine aimed at countering Russian aggression against the country spiked sharply in the second half of 2021, according to cryptocurrency tracing and blockchain analysis firm Elliptic. Crowdfunded payments to those organizations in bitcoin, litecoin, ether, and other cryptocurrencies the company tracks reached a total value of around $550,000 last year, compared with just $6,000 or so in 2020 and less still in previous years, even at the height of Russia’s 2014 invasion of the country.

That half a million dollars is no doubt just a small fraction of the total funds Ukrainian defense and hacktivism groups have raised by more traditional means amid Russia’s recent escalations, says Tom Robinson, Elliptic’s founder. But the sudden rise of cryptocurrency within these global donations demonstrates how borderless, often unregulated crypto payments could fund organizations engaged in future conflicts. “Crypto is censorship-resistant, so there’s no chance they’re going to get their funds seized or their account shut down, like might happen with PayPal, and it’s also more amenable to cross-border donations,” says Robinson. “It’s proved itself to be a robust way to fund wars.”

One Ukrainian group called Come Back Alive, for instance, has raised $200,000 for Ukrainian troops in just the second half of 2021, according to Elliptic. The group originally solicited donations for military equipment like bulletproof vests, but it has since expanded into funding the purchase of reconnaissance and targeting systems. A more controversial group called the Myrotvorets (Ukrainian for “Peacemaker”) Center has publicly named and shamed alleged supporters of Russia or pro-Russian separatists in Ukraine—at least two of whom were subsequently assassinated. Myrotvorets has raised $268,000 in cryptocurrency to date, Elliptic says, of which $237,000 came just in the second half of last year.

Pro-Ukrainian hacktivists, too, have increasingly funded their digital resistance through cryptocurrency. Elliptic traced around $100,000 worth of crypto donations to a hacker group called the Ukrainian Cyber Alliance, which has been responsible for numerous hack-and-leak and web defacement operations targeting Russians and Russian government agencies. Cyber Partisans, a Belarusian hacktivist group that gained global attention by launching a politically motivated ransomware attack on Belarus’ rail system, has also raised around $84,000 in cryptocurrency. (Elliptic included that number in its $550,000 total, despite the group self-identifying as Belarusian rather than Ukrainian, due to the hackers’ support for Ukraine and demand that Belarusian Railways cease transporting Russian troops in preparation for any invasion of Ukraine.)

Payments to Ukrainian war-effort organizations or even pro-Ukrainian hacktivists aren’t necessarily illegal or in violation of any sanctions. But the Myrotvorets Center said that at least one of its PayPal accounts, intended to fund a facial recognition program, was seized due to the complaints about “terrorists and Russians.”

Cryptocurrency exchanges that convert donated bitcoin into dollars or Ukrainian hryvna, on the other hand, are often far less closely regulated. And Elliptic’s Robinson argues that cryptocurrency offers advantages to donors, who may not want their banking records to show that they sent money to organizations that might be perceived as paramilitary groups. “If I were going to make a donation of this kind, I’d be much better off using crypto than a bank transfer,” Robinson says.

The disadvantage of cryptocurrency, of course, is that in some respects it’s even less private than the traditional banking system—as Elliptic’s own ability to track the Ukrainian groups’ donations through blockchain analysis shows. Elliptic competitor Chainalysis, for instance, identified a software developer in France who donated $500,000 to many participants in the January 6 riot at the US Capitol. (Robinson says that Elliptic didn’t attempt to identify individual donors to the Ukrainian groups, though it might be possible to do so with “some legwork,” especially if a government agency demanded identifying information from cryptocurrency exchanges.)

Nor are international cryptocurrency donations intended for military operations always immune to seizure. In another group of cases announced in August of 2020, the US Justice Department traced and confiscated about half a million dollars’ worth of cryptocurrency donations from a collection of designated terrorist organizations, including the militant wing of the Palestinian group Hamas known as the al-Qassam Brigades.


You may also enjoy reading: The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Vodafone Portugal hit by hackers, says no client data breach


LISBON, Feb 8 – Vodafone’s (VOD.L) Portuguese unit said on Tuesday a hacker attack overnight had disrupted its services but assured its customers that their personal data had not been compromised as a result of the incident, which is under investigation.

Vodafone Portugal said in a statement its system faced technical problems on Monday evening, with thousands of customers reporting they were unable to make calls or access the internet on their phones or computers.

It later discovered the technical issues were caused by what it described as a “deliberate and malicious” cyber attack.

“There is no evidence customer data has been accessed or compromised,” it said. “An in-depth investigation of the criminal act…will continue for an indefinite period, with the involvement of the competent authorities.”

The attack on Vodafone came a month after the websites of one of Portugal’s biggest newspapers and of a major broadcaster were hacked. Both media organisations remain unable to access their websites.

Vodafone Portugal said it was “determined to restore the normality of services” and mobile use was gradually recovering. The 4G network remains unavailable but customers in most of the country can use 3G.


Data of Puma Employees Stolen in Kronos Ransomware Attack


Data of 6,632 Puma employees was stolen in a December 2021 ransomware attack that hit HR management platform Ultimate Kronos Group (UKG).

Identified on December 11, the attack targeted Kronos Private Cloud, a service on which UKG runs applications such as Banking Scheduling Solutions, Healthcare Extensions, UKG TeleStaff, and UKG Workforce Central.

Kronos immediately launched an investigation into the attack and last month discovered that Puma was one of the customers impacted by the incident.

“Regrettably, this letter is to inform you that we were recently the victim of a ransomware attack that involved some of your personal information, which was provided to us in connection with the services we provide to PUMA,” UKG says in a notification letter sent to the impacted individuals.

In its letter, Kronos informed the affected individuals that the malicious actor behind the attack had access to its cloud-based environment before deploying the ransomware.

“Since the attack was discovered, Kronos has been conducting a comprehensive review of the impacted environment to determine whether any individual’s personal information was subject to unauthorized access or acquisition,” the company said.

Kronos says it confirmed the theft of personal data on January 7, 2022, and that Puma was notified of the incident on January 10.

The company also says it has taken the necessary steps to ensure it can prevent similar incidents, by strengthening the security of its IT systems and implementing expanded scanning and monitoring capabilities.

In a filing with the Maine Attorney General’s Office, UKG revealed that potentially exposed data includes names, Social Security numbers, and other personal information.


LockBit Ransomware, FBI Issues Flash Warning Alert


The FBI released a flash alert containing technical details associated with the LockBit ransomware operation.

The Federal Bureau of Investigation (FBI) has issued a flash alert containing technical details and indicators of compromise associated with LockBit ransomware operations.

The LockBit ransomware gang has been active since September 2019; in June 2021 the group announced the LockBit 2.0 RaaS. Like other ransomware gangs, LockBit 2.0 checks the system and user language settings and only targets systems whose language does not match a set list of Eastern European languages.

After ransomware ads were banned on hacking forums, the LockBit operators set up their own leak site promoting the latest variant and advertising the LockBit 2.0 affiliate program.

“As infection begins, Lockbit 2.0 deletes log files and shadow copies residing on disk. Lockbit 2.0 enumerates system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Lockbit 2.0 attempts to encrypt any data saved to any local or remote device but skips files associated with core system functions.” reads the flash alert. “Once completed, Lockbit 2.0 deletes itself from disk and creates persistence at startup. Prior to encryption, Lockbit affiliates primarily use the Stealbit application obtained directly from the Lockbit ransomware panel to exfiltrate specific file types.”
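Detection logic for the pre-encryption behaviour the alert describes (shadow-copy and log deletion, and a burst of host/domain/share enumeration), run over constructed process-creation log lines. This is an added example written for this page, not FBI or LockBit code; the JSON field names (ts, host, image, cmdline) are an assumption modelled on Sysmon process-creation events, and the burst thresholds are illustrative.

```python
"""Detect the LockBit 2.0 pre-encryption steps named in the FBI flash alert:
deletion of shadow copies and event logs, and enumeration of hostname, domain
and share information, over constructed process-creation telemetry."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that destroy recovery data or evidence: one hit is enough to alert.
DESTRUCTIVE = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
    ],
    "log_deletion": [
        re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
        re.compile(r"\bClear-EventLog\b", re.I),
    ],
}

# Built-in tools used for the enumeration step. Each is common on its own, so we
# alert only on a burst of distinct tools from one host inside a short window.
DISCOVERY_TOOLS = {"hostname.exe", "systeminfo.exe", "whoami.exe", "net.exe",
                   "net1.exe", "nltest.exe", "ipconfig.exe"}
BURST_MIN_TOOLS = 4                     # illustrative threshold
BURST_WINDOW = timedelta(minutes=5)     # illustrative window


def parse_events(text):
    """Parse one JSON object per line (assumed fields: ts, host, image, cmdline)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["tool"] = e["image"].rsplit("\\", 1)[-1].lower()   # image basename
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def classify_destructive(cmdline):
    """Return the destructive technique a command line matches, or None."""
    for technique, patterns in DESTRUCTIVE.items():
        if any(p.search(cmdline) for p in patterns):
            return technique
    return None


def detect(text):
    """Return alerts as dicts: {host, technique, severity, evidence}."""
    alerts = []
    recent_discovery = defaultdict(list)   # host -> [(ts, tool), ...]
    burst_hosts = set()                    # alert once per host for a burst
    for e in parse_events(text):
        technique = classify_destructive(e["cmdline"])
        if technique:
            alerts.append({"host": e["host"], "technique": technique,
                           "severity": "high", "evidence": e["cmdline"]})
        if e["tool"] in DISCOVERY_TOOLS and e["host"] not in burst_hosts:
            recent = recent_discovery[e["host"]]
            recent.append((e["ts"], e["tool"]))
            # Sliding window ending at this event: drop entries that fell out of it.
            recent[:] = [(t, tool) for t, tool in recent if e["ts"] - t <= BURST_WINDOW]
            tools = sorted({tool for _, tool in recent})
            if len(tools) >= BURST_MIN_TOOLS:
                burst_hosts.add(e["host"])
                alerts.append({"host": e["host"], "technique": "discovery_burst",
                               "severity": "medium", "evidence": ", ".join(tools)})
    return alerts


# Constructed sample telemetry (not real logs): WS-17 shows the full sequence,
# SRV-BK runs a benign "vssadmin list shadows", WS-02 runs a single discovery tool.
SAMPLE_LOG = r"""
{"ts":"2022-02-05T10:00:01Z","host":"WS-17","image":"C:\\Windows\\System32\\hostname.exe","cmdline":"hostname"}
{"ts":"2022-02-05T10:00:02Z","host":"WS-17","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami /all"}
{"ts":"2022-02-05T10:00:05Z","host":"WS-17","image":"C:\\Windows\\System32\\net.exe","cmdline":"net view /all"}
{"ts":"2022-02-05T10:00:06Z","host":"WS-17","image":"C:\\Windows\\System32\\net.exe","cmdline":"net share"}
{"ts":"2022-02-05T10:00:09Z","host":"WS-17","image":"C:\\Windows\\System32\\nltest.exe","cmdline":"nltest /dclist:corp"}
{"ts":"2022-02-05T10:01:30Z","host":"WS-17","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2022-02-05T10:01:31Z","host":"WS-17","image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil cl Security"}
{"ts":"2022-02-05T10:03:00Z","host":"SRV-BK","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin list shadows"}
{"ts":"2022-02-05T11:00:00Z","host":"WS-02","image":"C:\\Windows\\System32\\ipconfig.exe","cmdline":"ipconfig /all"}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']}: {a['technique']} ({a['evidence']})")
```

Only WS-17 produces alerts: the discovery burst fires on the fourth distinct tool, and the two destructive commands fire individually; the benign listing on SRV-BK and the lone ipconfig on WS-02 stay quiet.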

The LockBit ransomware group has been very active in this period; its long list of victims includes Riviana, Accenture, Wormington & Bollinger, Anasia Group, Bangkok Airways, Italian energy company ERG, Vlastuin Group, E.M.I.T. Aviation Consulting, SCIS Air Security, Peabody Properties, DATA SPEED SRL, Island independent buying group, Ministry of Justice of France, Day Lewis, Buffington Law Firm and tens of other companies worldwide.

Ransomware operators have continuously improved their ransomware over the years by implementing new features, such as support for Linux and VMware ESXi systems and the capability to abuse group policies to encrypt Windows domains.

The flash alert also details a hidden debug/status window, activated by pressing Shift + F1 during the initial infection, which provides real-time information on the process, including the status of user data destruction and encryption.

Lockbit hidden debug mode

The FBI recommends victims avoid paying ransoms. The FBI is seeking any information about the Lockbit ransomware operations that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with the threat actors, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.

“The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office.” concludes the alert. “By reporting any related information to FBI Cyber Squads, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.”

The FBI flash alert also includes mitigations to prevent LockBit ransomware infections:

  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
  • Require multi-factor authentication for all services to the extent possible.
  • Keep all operating systems and software up to date.
  • Remove unnecessary access to administrative shares.
  • Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
  • Enable protected files in the Windows operating system to prevent unauthorized changes to critical files.

To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions:

  • Segment networks to prevent the spread of ransomware.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
  • Implement time-based access for accounts set at the admin level and higher.
  • Disable command-line and scripting activities and permissions.
  • Maintain offline backups of data, and regularly maintain backup and restoration.
  • Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.

In January 2022 LockBit ransomware hit European firms and the French Ministry of Justice; read more here: LockBit ransomware hit European firms & French Ministry of Justice

Why not learn more about ransomware and how it works?


Critical Flaws Discovered in Cisco Small Business RV Series Routers


Cisco has patched multiple critical security vulnerabilities impacting its RV Series routers that could be weaponized to elevate privileges and execute arbitrary code on affected systems, while also warning of the existence of proof-of-concept (PoC) exploit code targeting some of these bugs.

Three of the 15 flaws, tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20708, carry the highest CVSS rating of 10.0, and affect its Small Business RV160, RV260, RV340, and RV345 Series routers.

Additionally, the flaws could be exploited to bypass authentication and authorization protections, retrieve and run unsigned software, and even cause denial-of-service (DoS) conditions.

The networking equipment maker acknowledged that it’s “aware that proof-of-concept exploit code is available for several of the vulnerabilities” but didn’t share any further specifics on the nature of the exploit or the identity of the threat actors that may be exploiting them.

CVE-2022-20699 concerns a case of remote code execution that could be exploited by an attacker by sending specially crafted HTTP requests to a device that functions as an SSL VPN Gateway, effectively leading to the execution of malicious code with root privileges.

CVE-2022-20700, CVE-2022-20701 (CVSS score: 9.0), and CVE-2022-20702 (CVSS score: 6.0), which the company said stem from an insufficient authorization enforcement mechanism, could be abused to elevate privileges to root and execute arbitrary commands on the affected system.

CVE-2022-20708, the third flaw to receive a 10.0 score on the CVSS scale, is due to insufficient validation of user-supplied input, enabling an adversary to inject malicious commands and have them executed on the underlying Linux operating system.

Other flaws fixed by Cisco are as follows:

  • CVE-2022-20703 (CVSS score: 9.3) – Cisco Small Business RV Series Routers Digital Signature Verification Bypass Vulnerability
  • CVE-2022-20704 (CVSS score: 4.8) – Cisco Small Business RV Series Routers SSL Certificate Validation Vulnerability
  • CVE-2022-20705 (CVSS score: 5.3) – Cisco Small Business RV Series Routers Improper Session Management Vulnerability
  • CVE-2022-20706 (CVSS score: 8.3) – Cisco RV Series Routers Open Plug and Play Command Injection Vulnerability
  • CVE-2022-20707 and CVE-2022-20749 (CVSS scores: 7.3) – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Command Injection Vulnerabilities
  • CVE-2022-20709 (CVSS score: 5.3) – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability
  • CVE-2022-20710 (CVSS score: 5.3) – Cisco Small Business RV Series Routers GUI Denial of Service Vulnerability
  • CVE-2022-20711 (CVSS score: 8.2) – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Overwrite Vulnerability
  • CVE-2022-20712 (CVSS score: 7.3) – Cisco Small Business RV Series Routers Upload Module Remote Code Execution Vulnerability

Cisco also stressed that there are no workarounds that address these aforementioned weaknesses, urging customers to update to the latest version of the software as soon as possible to counter any potential attacks.


Hackers breached China’s National Games ahead of last year’s competition


An unidentified hacking group has gained access to the internal IT network of the 2021 National Games of China.

The competition, which took place in September 2021 in the city of Shaanxi, is an internal sporting event for Chinese athletes only, modeled after the rules of the Olympic Games and the event where national champions are crowned across different sporting events.

Avast said that roughly 12 days before the event’s start, unknown attackers gained access to a public server and an SQL database belonging to the event’s organizers and proceeded to install web shells so they could access systems at later points.

“After gaining access, the attackers tried to move through the network using exploits and brute-forcing services in an automated way,” Avast said in a report published on Thursday.

To achieve lateral movement, Avast said the attackers used an exploitation framework written in the Go programming language that included plugins for several known vulnerabilities.

The security firm said it learned of the incident from an incident response report containing details about the breach, which its researchers found on VirusTotal, a web platform now owned by Google where users can upload and scan files for malware.

“Based on the initial information from the report and our own findings, it appears the breach was successfully resolved prior to the start of the games,” Avast added.

The Czech security firm said it was unable to determine what information the hackers stole but said that they “have reason to believe [the attackers] are either native Chinese-language speakers or show high fluency in Chinese.”


British Council exposed more than 100,000 files with student records


More than 100,000 files with student records belonging to British Council were found exposed online.

An unsecured Microsoft Azure blob discovered on the internet by a cybersecurity firm revealed student names, IDs, usernames and email addresses, and other personal information.

British Council promotes the study of British culture and the English language around the world and is known for administering the IELTS standardized language exam.

Unsecured Azure blob spills Excel, XML, JSON files

British Council, the global organization for promoting British culture, the English language, and education opportunities, was leaking over 144,000 files containing student records.

Cyber security firm Clario, along with security researcher Bob Diachenko, discovered the leak in December 2021 and immediately reported their findings to British Council.

Spread across more than 100 countries, British Council has previously been dubbed the ‘soft power’ arm of UK foreign policy. Although partially funded by the UK Government via a grant, the independently operated non-profit generates the vast majority of its revenue from activities like teaching, exams, tendered contracts, and partnerships.

The organization also administers the International English Language Testing System (IELTS) exam, the most recognized standardized English language test around the world, alongside TOEFL.

According to the researchers, an unprotected Azure blob container was indexed by a public search engine and contained thousands of Excel spreadsheets and XML/JSON files, viewable by anyone.

These files had the personal information of hundreds of thousands of British Council English course learners and students from around the world.

Exposed student records in one of the spreadsheets discovered in the exposed Azure blob (Clario)

The exposed information, as seen above, included:

  • Full name
  • Email address
  • Student ID
  • Student status
  • Enrollment dates
  • Duration of study
  • Notes

It isn’t known for how long this data was available online to the public with no authentication in place, the researchers state.
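A way to verify, for a container in your own Azure Storage account, whether it still answers anonymous List Blobs requests, which is the condition behind the exposure described above (a container listable with no authentication and indexed by a search engine). This is an added example written for this page, not Clario's or Diachenko's tooling; the request format is the public List Blobs REST operation, and the parser is exercised on a constructed response so the example runs offline.

```python
"""Check whether a blob container answers anonymous List Blobs requests and
summarise what kind of files it exposes, following NextMarker pagination."""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import Counter

# Formats the report says were exposed: spreadsheets and XML/JSON exports.
SENSITIVE_SUFFIXES = (".xlsx", ".xls", ".csv", ".xml", ".json")


def parse_listing(xml_body):
    """Return {'names': [...], 'next_marker': str|None} for a List Blobs
    response, or None if the body is not a listing (e.g. an <Error> document)."""
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return None
    if root.tag != "EnumerationResults":
        return None
    names = [n.text for n in root.iter("Name") if n.text]
    marker = root.findtext("NextMarker")      # empty element on the last page
    return {"names": names, "next_marker": marker or None}


def summarize(names):
    """Count blobs by extension so a triage note can say what kind of data is out."""
    by_ext = Counter()
    for name in names:
        base = name.rsplit("/", 1)[-1]
        ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else "(none)"
        by_ext[ext] += 1
    sensitive = sum(c for ext, c in by_ext.items() if ext in SENSITIVE_SUFFIXES)
    return {"total": len(names), "sensitive": sensitive, "by_extension": dict(by_ext)}


def check_container(account, container, timeout=10, max_pages=50):
    """Credential-free listing of one container you own. A page holds at most
    5000 blobs, so a container the size of the one in the report spans many
    pages. Returns ('exposed', summary) or ('not-listable', reason)."""
    base = (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list")
    names, marker = [], None
    for _ in range(max_pages):
        url = base + (f"&marker={urllib.parse.quote(marker)}" if marker else "")
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read()
        except urllib.error.HTTPError as e:    # 403/404: no anonymous listing
            return "not-listable", f"HTTP {e.code}"
        page = parse_listing(body)
        if page is None:
            return "not-listable", "response is not a List Blobs document"
        names.extend(page["names"])
        marker = page["next_marker"]
        if not marker:
            break
    return "exposed", summarize(names)


# Constructed List Blobs response for the offline demonstration (not real data).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="exports">
  <Blobs>
    <Blob><Name>students/2021-q4.xlsx</Name><Properties><Content-Length>48211</Content-Length></Properties></Blob>
    <Blob><Name>students/2021-q4.json</Name><Properties><Content-Length>9120</Content-Length></Properties></Blob>
    <Blob><Name>readme.txt</Name><Properties><Content-Length>120</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

if __name__ == "__main__":
    page = parse_listing(SAMPLE_RESPONSE)
    print(summarize(page["names"]))
    # Live check against a container you own (placeholder names):
    # print(check_container("<your-account>", "<your-container>"))
```

A 'not-listable' result after remediation is the confirmation you want; an 'exposed' result with a non-zero sensitive count is what the researchers saw here.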

British Council: 10,000 records held by third-party provider

Diachenko and Clario discovered the data leak on December 5th, 2021, and promptly notified British Council.

One of the main concerns the researchers had at the time was the risk from phishing actors and identity thieves—should they get their hands on this information.

After not hearing back for 48 hours from British Council, the researchers reattempted contact; this time via Twitter, which is where subsequent communication between the two parties took place.

“On December 23rd, 2021 (two weeks after the initial contact), confirmation around the security of the repository was announced,” state the researchers.

British Council Statement

“The data in question was held and processed by a third party service provider. Approximately 10,000 records were accessible in a way that should not have occurred. On becoming aware of this, our third party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible. We are working with the supplier to ensure similar incidents do not happen in the future.

We have reported the incident in accordance with our regulatory obligations and we remain in contact with the Information Commissioner’s Office should any further action be required.

The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount,” a British Council spokesperson told BleepingComputer.

As noted, although the researchers discovered over 144,000 files, according to British Council only about 10,000 student records were affected.

The disclosure of this data leak follows last month’s report stating British Council had been the victim of “two successful ransomware attacks over the past five years,” in addition to six unsuccessful attempts by ransomware operators.

As a result of these attacks, British Council had reportedly experienced 12 days of downtime in total—five days in the first case, and seven in the second. However, the organization didn’t pay a ransom either time.

Given the prominent place held by the British Council in promoting UK culture abroad, and its role in co-managing the IELTS exam, it isn’t hard to see why threat actors would be lured to target the institution.

Clario recommends that British Council students and test-takers keep an eye out for any suspicious phishing emails they may receive, and change their login passwords immediately as an extra precaution.


NCSC warns UK entities of potential destructive cyberattacks from Russia


The UK’s National Cyber Security Centre (NCSC) urges organizations to improve cybersecurity due to the risk of imminent destructive cyberattacks from Russia-linked APT groups.

The NCSC is investigating recent cyber attacks against entities in Ukraine, drawing parallels with other attacks previously attributed to Moscow, such as NotPetya (2017) and the cyber attacks against Georgia.

“UK organisations are being urged to bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine,” reads the alert published by the NCSC.

While tension between Ukraine and Russia is rising, the risk of cyber attacks against European and US entities is increasing.

NCSC’s guidance encourages organizations to perform the following actions to increase their resilience to cyber attacks:

  • patch systems;
  • improve access controls and enable multi-factor authentication;
  • implement an effective incident response plan;
  • check that backups and restore mechanisms are working;
  • ensure that online defences are working as expected; and
  • keep up to date with the latest threat and mitigation information.

The good news is that the UK cybersecurity agency is not aware of any current specific threats to UK organisations linked to the events in Ukraine.


Previous known cyberattacks from Russia

“The NCSC is committed to raising awareness of evolving cyber threats and presenting actionable steps to mitigate them. While we are unaware of any specific cyber threats to UK organisations in relation to events in Ukraine, we are monitoring the situation closely and it is vital that organisations follow the guidance to ensure they are resilient.”

Paul Chichester, NCSC Director of Operations.

“Over several years, we have observed a pattern of malicious Russian behaviour in cyberspace. Last week’s incidents in Ukraine bear the hallmarks of similar Russian activity we have observed before.”

Paul Chichester, NCSC Director of Operations.

Recently the UK agency released Nmap Scripting Engine scripts that can help defenders scan their infrastructure to find and fix unpatched vulnerabilities affecting them.

The scripts were developed by i100 (Industry 100), an initiative that promotes close collaborative working between the NCSC and 100 industry personnel.

The scripts will be published on GitHub through a project named Scanning Made Easy (SME).

Read more on Cyberattacks from Russia


You may also enjoy reading, The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack

Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Windows Privilege Elevation Exploit POC Released into The Wild

A security researcher has publicly disclosed an exploit for a Windows local privilege elevation vulnerability that allows anyone to gain admin privileges in Windows 10.

Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network, create new administrative users, or perform privileged commands.

The vulnerability affects all supported versions of Windows 10 that have not received the January 2022 Patch Tuesday updates.

Researcher releases bypass to patched vulnerability

As part of the January 2022 Patch Tuesday, Microsoft fixed a ‘Win32k Elevation of Privilege Vulnerability’ tracked as CVE-2022-21882, which is a bypass for the previously patched and actively exploited CVE-2021-1732 bug.

Microsoft attributes the discovery of this vulnerability to RyeLv, who shared a technical analysis of the vulnerability after Microsoft released the patch.

This week, multiple exploits were publicly released for CVE-2022-21882 that allow anyone to gain SYSTEM privileges on vulnerable Windows 10 devices.

After the exploit’s release, Will Dormann, a vulnerability analyst for CERT/CC and Twitter’s resident exploit tester, confirmed that the exploit works and provides elevated privileges.

BleepingComputer also tested the vulnerability and had no problem compiling the exploit and using it to open Notepad with SYSTEM privileges on Windows 10, as shown below. BleepingComputer could not get the exploit to work on Windows 11.

Notepad launched with SYSTEM privileges by exploit
Source: BleepingComputer

While we only opened Notepad using this exploit, threat actors can also use it to add new users with Administrator privileges or execute other privileged commands.

While we would not normally report on a patched vulnerability, many administrators chose to skip the January 2022 updates due to the significant number of critical bugs those updates introduced, including unexpected reboots, L2TP VPN problems, inaccessible ReFS volumes, and Hyper-V issues caused by their installation.

This means that their devices remain unprotected and vulnerable to an exploit that has historically been used in cyberattacks by APT hacking groups.

Now that these exploits have been released and Microsoft has issued out-of-band (OOB) updates that resolve the issues introduced in the January 2022 updates, admins are strongly advised to install the updates rather than wait until the February 8th Patch Tuesday.

Bug found two years earlier

This same vulnerability was discovered two years ago by Israeli security researcher and Piiano CEO Gil Dabah, who decided not to disclose the bug because of Microsoft’s reduced bug bounty rewards.

Dabah is not alone in his frustrations over Microsoft’s diminishing bug bounty rewards.

In November, security researcher Abdelhamid Naceri released a zero-day privilege elevation exploit in protest at Microsoft’s decreasing payouts in its bug bounty program.

RyeLv noted in his technical writeup for the CVE-2022-21882 vulnerability that the best way to eliminate this bug class is to improve Microsoft’s Windows kernel bug bounties.

“Improve the kernel 0day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect,” advised RyeLv.

What can I do?

Ensure Windows is kept up-to-date.

UK: Data breach at Greensward Academy

Information such as free school meal status, address, deprivation status, exam dispensation and special educational needs of Year 11 children at Greensward Academy in Hockley was accidentally leaked by a teacher.

SENSITIVE information about pupils was leaked to parents and students following a data breach.

Data breach at Greensward Academy High School

The information was made available to Year 11 pupils and their parents via Google Classroom when a mock examinations timetable was shared by the teacher who was unaware the document also contained sensitive information.

“It’s just unacceptable for this to happen,” a parent who wished to remain anonymous said.

“Some kids might not want other kids to know these things about them, as sadly, when it comes to stuff like free school meals, they might be mocked or looked down upon.”

According to a pupil, who also wished to remain anonymous, the document was posted online on January 17 and was removed five days later.

They said: “Kids are going around saying other people are on benefits. Some of my friends are on there and they’re not comfortable that other people know their disabilities or if they are getting free meals.”

On Tuesday, a letter was sent to parents of Year 11 pupils explaining the mistake and detailing actions taken to rectify the leak.

What the Academy had to Say

Education support manager Tom Gibbs-Digby said: “At Greensward Academy, we take the security of personal data extremely seriously and work hard to ensure we work within the GDPR regulations to keep your personal data secure.”

General Data Protection Regulation (GDPR) came into law in 2018 and means individuals and establishments responsible for using personal data have to follow strict rules to keep it secure.

Mr Gibbs-Digby added: “The information was only visible to Year 11 students and their parents/carers registered with Greensward Academy and was not visible to any other outside parties, companies or organisations.

“The incident was reported immediately and has been logged with our data controller as a data breach. An investigation has taken place and the staff involved have been given training and guidance in an effort to ensure that this does not happen again.”
