Amey Anekar – TechKranti (https://techkranti.com) – CyberSecurity Revolution

Preventing/Fixing SSRF Issues
https://techkranti.com/preventing-fixing-ssrf-issues/
Fri, 13 Dec 2024 10:43:08 +0000

SSRF in a nutshell:

When a server-based application allows end-users to specify a URL that the server then fetches and processes, the application is susceptible to SSRF attacks. Examples of such features include Webhooks, Blog Import, or Profile picture update using URL.

Attackers can abuse this functionality by passing an internal URL that is inaccessible from the Internet but accessible from the application server’s local network.

This can lead to attackers accessing internal systems or cloud metadata endpoints, which can sometimes lead to full cloud compromise.

Fixing or preventing SSRF issues

✅ Don’t introduce an SSRF-susceptible functionality

The best way to mitigate risk is risk avoidance. If the functionality isn’t essential for business, don’t implement features that allow users to specify URLs that are fetched by the application backend.

If you have to add this feature, implement the below checks to prevent SSRF issues.

✅ Prevent bare IP addresses in user-supplied URLs

There is no real need for such features to allow users to enter URLs with bare IP addresses, and these can be safely blocked without side effects.

It is extremely difficult to assess whether a bare IP address is safe to fetch in such a feature. Even if you blocklist internal or metadata IPs, there are ways to get around the check using octal IPs, decimal IPs, or IPv6. Every additional check means more headaches and more opportunities for failure.

I have never seen this implemented as a security measure in such functionalities, but I believe that this can eliminate a lot of headaches for developers.

✅ Strict Allow-listing

If the feature only needs to fetch resources from a limited set of sites, create an allowlist of hostnames and check the hostname of the user-supplied URL against it.

If allowlisting does not meet your business use case, then follow the below guidance.

✅ Verify IP by resolving the requested host

Resolve the supplied hostname. If the resolved address falls in any of the ranges below, block the request.

Block IPv4 addresses in the following ranges:

0.0.0.0 – 0.255.255.255
10.0.0.0 – 10.255.255.255
127.0.0.0 – 127.255.255.255
169.254.169.254
172.16.0.0 – 172.32.255.255
192.168.0.0 – 192.168.255.255

Block the following IPv6 addresses:

::1
0:0:0:0:0:0:0:1

✅ Prevent DNS Rebinding Attacks

Just ensuring that the resolved IP of a host does not match a blocklist is not enough. An attack called DNS rebinding can be used by attackers to bypass such checks.

Attackers configure DNS servers to alternate DNS responses between a public IP address and an internal IP address. This way, when the first request is sent to check whether the hostname corresponds to an allowed IP address, the DNS server responds with the allowed IP address.

However, in the subsequent request that is sent when actually fetching the resource, the DNS server responds with an internal IP address.

This can be prevented by forcing the HTTP client module to use the IP address resolved in the validation step.

This way, you can ensure that the HTTP request sent to fetch the resource is sent to the IP address that has already been validated instead of relying on the subsequent resolution.

✅ Only allow http: scheme in the URL

Restricting the scheme prevents attackers from supplying schemes such as file:, which can trick the application into reading local files. Or worse, gopher:, which can be used to send arbitrary raw data to services listening on open ports.

✅ Finally, don’t follow redirects

All the above checks may fail if you allow the HTTP client to follow redirects: a redirect from a host that passed validation can send the client to a restricted endpoint that was never checked.
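The checks above combined into one guard, as an added example; this is my code, not the article's. It uses only the Python standard library (urllib.parse, ipaddress, socket, http.client), writes the article's ranges as CIDRs with the ipaddress module's own classifications as a second net (which also catches IPv4-mapped IPv6 such as ::ffff:127.0.0.1), pins the validated IP for the TCP connection so no second lookup happens, and treats any 3xx as an error. The .test hostnames and SAMPLE_DNS answers are constructed so the checks run offline.

```python
import http.client
import ipaddress
import re
import socket
from urllib.parse import urlsplit

class SSRFError(ValueError):
    """A user-supplied URL failed one of the SSRF checks."""

# The article's ranges as standard CIDRs (RFC 1918's middle block is
# 172.16.0.0/12; 169.254.0.0/16 is all of link-local, including 169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
HOSTNAME_RE = re.compile(r"^[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})*$")

def is_ip_literal(host):
    """True if the resolver would read host as an address, not a name; inet_aton
    also takes the legacy spellings "127.1", "0177.0.0.1", "0x7f000001", "2130706433"."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    try:
        socket.inet_aton(host)
        return True
    except OSError:
        return False

def is_blocked_address(addr_str):
    """True for any address in a blocked range; IPv4-mapped IPv6 is unwrapped first
    and the ipaddress classifications cover special-purpose ranges the list omits."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (any(addr in net for net in BLOCKED_NETWORKS) or addr.is_private
            or addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified)

def default_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})   # every A and AAAA answer

# Constructed DNS answers (.test names) so the checks can be exercised offline.
SAMPLE_DNS = {
    "example.test": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "10.0.0.5"],   # public and internal together
    "meta.test": ["169.254.169.254"],
    "v6.test": ["::ffff:127.0.0.1"],
}
sample_resolver = lambda host, port: SAMPLE_DNS.get(host, [])

def validate_url(url, resolver=default_resolver, allowlist=None):
    """Run every check; return the validated IP plus what fetch() needs."""
    parts = urlsplit(url)
    if parts.scheme != "http":                    # the article: http: only
        raise SSRFError("scheme not allowed: %r" % parts.scheme)
    host = (parts.hostname or "").lower()
    if is_ip_literal(host):                       # bare IPs are never needed
        raise SSRFError("IP literal not allowed: %r" % host)
    if not HOSTNAME_RE.match(host):
        raise SSRFError("malformed hostname: %r" % host)
    if allowlist is not None and host not in allowlist:
        raise SSRFError("host not in allowlist: %r" % host)
    port = parts.port or 80
    addresses = resolver(host, port)
    if not addresses:
        raise SSRFError("%r did not resolve" % host)
    # Reject if ANY answer is blocked: a hostile zone can mix public and internal.
    blocked = [a for a in addresses if is_blocked_address(a)]
    if blocked:
        raise SSRFError("%r resolves to blocked address %s" % (host, blocked[0]))
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return {"ip": addresses[0], "host": host, "port": port, "path": path}

def rejection_reason(url, resolver=default_resolver, allowlist=None):
    """'' if the URL passes every check, otherwise why it was rejected."""
    try:
        validate_url(url, resolver, allowlist)
        return ""
    except SSRFError as exc:
        return str(exc)

def fetch(url, resolver=default_resolver, timeout=5.0):
    """Connect to the validated IP itself (no second lookup, so rebinding between
    check and use changes nothing), send the name in Host, and refuse any 3xx."""
    t = validate_url(url, resolver)
    host_hdr = t["host"] if t["port"] == 80 else "%s:%d" % (t["host"], t["port"])
    conn = http.client.HTTPConnection(t["ip"], t["port"], timeout=timeout)
    try:
        conn.request("GET", t["path"], headers={"Host": host_hdr})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:              # http.client never follows; nor do we
            raise SSRFError("redirect to %r refused" % resp.getheader("Location"))
        return resp.read()
    finally:
        conn.close()
```

Following the article, only http: is accepted; accepting https: as well would need the hostname passed separately for SNI and certificate verification, since the socket is opened to the IP rather than the name.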

Hope this helps you better secure your application code. If you have any questions or if you would like to discuss further, please feel free to get in touch via LinkedIn.

11-Oct-24: In Security News Today
https://techkranti.com/11-oct-24-in-security-news-today/
Fri, 11 Oct 2024 23:51:27 +0000

GitHub, Telegram Bots, And QR Codes Abused In New Wave Of Phishing Attacks

Phishing attacks are increasingly leveraging GitHub infrastructure, Telegram bots, and QR codes to evade detection and deliver malware. A recent campaign targeting the insurance and finance sectors uses GitHub links in phishing emails to bypass security measures and deliver the Remcos RAT, exploiting trusted repositories and GitHub comments to propagate malware without leaving traces. Meanwhile, scammers are targeting booking platforms like Airbnb, using compromised accounts and Telegram-based tools to streamline phishing processes, improve victim engagement, and evade law enforcement.

CISA: Hackers Abuse F5 BIG-IP Cookies To Map Internal Servers

CISA has issued a warning that cyber threat actors are exploiting unencrypted persistent cookies from the F5 BIG-IP Local Traffic Manager (LTM) to map internal devices within networks. These cookies, which contain encoded data like IP addresses and port numbers, can be abused to identify hidden or vulnerable servers, facilitating network discovery and potential exploitation. CISA recommends administrators encrypt these cookies to prevent such attacks and use F5’s diagnostic tool, BIG-IP iHealth, to detect misconfigurations.

NHS England Warns Of Critical Veeam Vulnerability Under Active Exploitation

NHS England has issued a warning about active exploitation of a critical vulnerability (CVE-2024-40711) in Veeam Backup & Replication, which could allow remote code execution (RCE) with a CVSS score of 9.8. Ransomware groups are leveraging this flaw to create new local administrator accounts for further network compromise, with cases involving Fog and Akira ransomware. Organizations are urged to update Veeam Backup & Replication to version 12.2 or above to mitigate risks, as this vulnerability is actively targeted by threat actors shortly after its disclosure.

Casio Confirms Customer Data Stolen In A Ransomware Attack

Casio has confirmed a ransomware attack that compromised sensitive data, including personal information of employees, job candidates, business partners, and some customers, though payment data remains unaffected. The attack, claimed by the Underground ransomware group, has caused system disruptions, and Casio advises vigilance against phishing attempts as the investigation continues. Casio has notified authorities and urges against sharing leaked information to protect affected individuals’ privacy and prevent further damage.

After Breach Of Billions Of Records, National Public Data Files For Bankruptcy

National Public Data (NPD), a background check company, filed for bankruptcy after a breach exposed 2.7 billion records, including 272 million Social Security numbers. The company faces numerous lawsuits from victims and scrutiny from state prosecutors and the US Federal Trade Commission over the leak, which led to a class-action lawsuit for negligence and unjust enrichment. NPD’s bankruptcy filing aims to manage the financial fallout from lawsuits, civil penalties, and investigations, while experts warn that the stolen data can fuel identity theft and phishing attacks.

OpenAI Says Iranian Hackers Used ChatGPT To Plan ICS Attacks

OpenAI has disrupted over 20 cyber and influence operations in 2024, including attacks by Iranian and Chinese state-sponsored hackers. The Iranian group CyberAv3ngers, linked to the Islamic Revolutionary Guard Corps, used ChatGPT for reconnaissance and exploitation of industrial control systems (ICS), targeting water utilities in Ireland and the US. Despite their use of AI for tasks like evading detection and scanning vulnerabilities, OpenAI found that these tools provided only incremental capabilities that could be achieved with non-AI tools.

American Water Suffers Network Disruptions After Cyberattack

American Water, the largest publicly traded water utility in the U.S., experienced a cyberattack on October 3, 2024, leading to the shutdown of its online systems, including customer portals and telecommunications. Although water and wastewater services were not affected, the company initiated incident response protocols, disconnected certain systems, and is working with third-party cybersecurity experts to contain the attack. This incident highlights the growing risk of cyberattacks on critical infrastructure, with U.S. authorities continuing to push for stronger cybersecurity regulations for water utilities.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.

10-Oct-24: In Security News Today
https://techkranti.com/10-oct-24-in-security-news-today/
Thu, 10 Oct 2024 22:03:37 +0000

Marriott Settles Over Data Breach That Exposed Millions Of Guests

Marriott International has settled for $52 million with the FTC and U.S. states over data breaches affecting 344 million guests between 2014 and 2020. As part of the settlement, Marriott will implement a comprehensive information security program, including multi-factor authentication and encryption, and offer customers more control over their personal data. The breaches, attributed to poor security practices, exposed sensitive information like passport details and payment card data, with the FTC criticizing Marriott for misleading consumers about its data security standards.

Customer Data Of Major US Asset Managers Exposed: Over 70K Investors Affected

Fidelity Investments, a major US asset manager with $4.9 trillion under management, experienced a data breach where over 77,000 customer records were exposed between August 17th and 19th, 2024. Attackers accessed personal details using two newly established accounts, though customer account access was not compromised. In response, Fidelity terminated unauthorized access, launched an investigation, and is offering affected customers 24 months of free credit monitoring and identity restoration services to mitigate identity theft risks.

Internet Archive Hacked, Data Breach Impacts 31 Million Users

Internet Archive’s “The Wayback Machine” suffered a major data breach, exposing 31 million user records, including email addresses and Bcrypt-hashed passwords, after a threat actor compromised the site. The stolen data, confirmed to be legitimate, was shared with the “Have I Been Pwned” service, allowing affected users to check their exposure. Simultaneously, the Internet Archive has faced DDoS attacks, although it is not believed that the data breach and DDoS incidents are linked.

GitLab Warns Of Critical Arbitrary Branch Pipeline Execution Flaw

GitLab has released patches addressing several critical vulnerabilities in both the Community and Enterprise Editions, including the highly severe CVE-2024-9164, which allows unauthorized users to execute CI/CD pipelines on any repository branch. This flaw, rated 9.6 on the CVSS scale, poses significant risks such as unauthorized code execution and data exposure, affecting versions 12.5 through 17.4.1. GitLab users are strongly urged to upgrade to the patched versions (17.4.2, 17.3.5, and 17.2.9), while GitLab Dedicated customers remain unaffected due to automatic updates.

This Trojan Disguises As Google Chrome Or NordVPN To Wipe Out Your Accounts

The Octo2 malware, an evolved version of the notorious Octo (ExobotCompact) banking trojan, poses a significant threat by disguising itself as apps like Google Chrome and NordVPN, enabling attackers to steal credentials and perform unauthorized actions remotely. Its use of a Dynamic Domain Generation Algorithm (DGA) makes it difficult to detect, as it frequently changes its command and control (C2) addresses. To mitigate risks, cybersecurity professionals are urged to monitor DNS traffic for suspicious domains, use malware detection tools, and enhance collaboration within the security community to combat this evolving threat.

Over 10M Conversations Exposed In AI Call Center Hack

A recent data breach in the Middle East compromised over 10 million interactions from an AI-powered call center platform, exposing personally identifiable information (PII) such as national IDs. Cybersecurity firm Resecurity revealed that attackers gained unauthorized access to the platform’s management dashboard, which could enable sophisticated fraud, phishing, and social engineering attacks. The incident highlights the growing vulnerability of AI-driven systems, emphasizing the need for enhanced cybersecurity measures tailored to the unique risks posed by AI technologies.

Microsoft Outlook Bug Blocks Email Logins, Causes App Crashes

Microsoft is investigating a bug in its Outlook desktop app that causes crashes, high memory usage, and prevents users from logging in. Initially believed to affect only European users, reports now show the issue also impacts users worldwide, including Outlook Web Access (OWA) in the U.S. The company is analyzing memory dumps and telemetry data to identify the root cause, with concerns that other Microsoft 365 services might also be impacted.

OpenAI Blocks 20 Global Malicious Campaigns Using AI For Cybercrime And Disinformation

OpenAI has disrupted over 20 malicious campaigns that exploited its platform for cybercrime and disinformation. These activities involved debugging malware, generating fake social media profiles, and creating content related to elections in multiple countries. Despite these efforts, OpenAI noted that no significant breakthroughs in malware creation or widespread influence were observed, though threat actors continue evolving their tactics.

Cyrisma Raises $7 Million For Risk Management Platform

Cyrisma, a cybersecurity startup specializing in risk management for managed service providers (MSPs), has raised $7 million in a Series A funding round led by Blueprint Equity. The company’s platform helps MSPs identify vulnerabilities, track compliance, and manage AI-driven security risks across the attack surface, offering tools for mitigation and reporting. With this new funding, Cyrisma plans to accelerate product development, expand its sales and marketing efforts, and enhance customer support.

Underground Ransomware Claims Attack On Casio, Leaks Stolen Data

The Underground ransomware gang has claimed responsibility for a cyberattack on Casio, which occurred on October 5, resulting in system disruptions and potential data theft. The group leaked sensitive information on its dark web portal, including employee personal data, legal documents, financial records, and confidential project information, raising concerns about the impact on Casio’s operations and intellectual property. The Underground group, linked to the Russian cybercrime faction RomCom, employs advanced tactics such as exploiting vulnerabilities in Microsoft Office to maintain prolonged access to compromised systems while evading detection.

US, UK Warn Of Russian APT29 Hackers Targeting Zimbra, TeamCity Servers

U.S. and U.K. cyber agencies have issued a warning about Russian APT29 hackers, linked to the SVR, exploiting vulnerabilities in Zimbra and JetBrains TeamCity servers at a mass scale. The advisory emphasizes the importance of patching exposed servers against CVE-2022-27924 and CVE-2023-42793, which have been used for credential theft and supply-chain attacks, respectively. Given APT29’s history of targeting critical sectors, including government and private organizations, network defenders are urged to implement security updates and reinforce security controls to mitigate potential breaches.

Chinese Influencers Reportedly Using Lebanon Pager Attacks To Spread iPhone Rumors

Chinese influencers are spreading misleading rumors about iPhones, suggesting they may explode, using a 13-year-old video of a modified iPhone explosion to sway public opinion against Apple. This campaign appears to be fueled by rising nationalism and aims to promote local Chinese smartphone brands amidst declining Apple sales in China. Despite attempts by some state media to counteract the misinformation, the rumors are gaining traction, with some companies even banning iPhones among employees.


08-Oct-24: In Security News Today
https://techkranti.com/08-oct-24-in-security-news-today/
Tue, 08 Oct 2024 21:46:19 +0000

Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

Ivanti has disclosed active exploitation of three critical vulnerabilities (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381) in its Cloud Service Appliance (CSA), which allow authenticated attackers to execute arbitrary SQL commands, bypass restrictions, or obtain remote code execution. These flaws are being exploited alongside a previously patched path traversal vulnerability (CVE-2024-8963), enabling remote unauthorized access to restricted functions. Ivanti urges immediate patching and system reviews for potential compromise, particularly for customers running outdated versions (4.6 or earlier) of CSA.

Gamers Tricked Into Downloading Lua-Based Malware Via Fake Cheating Script Engines

Cybercriminals are exploiting the popularity of Lua-based game cheating script engines to distribute malware, targeting users searching for cheats through fake websites. This Lua-based malware uses obfuscated scripts to avoid detection, establishes persistence, and communicates with a command-and-control server to deliver additional payloads like RedLine Stealer. The malware campaign, spreading across multiple regions, highlights the growing trend of infostealers and crypto-miners distributed through compromised GitHub repositories and social platforms.

American Water Hit By Cyber-Attack, Billing Systems Disrupted

American Water, the largest water utility in the US, has suffered a cyber-attack, disrupting its billing systems but not affecting water and wastewater operations. The company quickly isolated systems and is investigating the breach with law enforcement, though details on the type of attack remain undisclosed. The incident highlights growing cybersecurity concerns in critical infrastructure, with experts emphasizing the need for better funding and protection of identity management systems against increasingly sophisticated threats.

European Govt Air-Gapped Systems Breached Using Custom Malware

The APT group GoldenJackal successfully breached air-gapped government systems in Europe, using custom malware spread via USB drives to steal sensitive data like encryption keys, emails, and documents. They employed two toolsets, with the older attacks involving malware called GoldenDealer, which infiltrated air-gapped systems via infected USB drives, installing backdoors and file stealers to exfiltrate data when the drive reconnected to internet-accessible machines. In 2022, GoldenJackal developed a more sophisticated Go-based toolset, allowing attackers to task machines with different espionage roles and exfiltrate targeted data, demonstrating their adaptability in covert cyber-espionage.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

Microsoft and the US Department of Justice dismantled over 100 domains linked to the Russian state-sponsored hacker group Star Blizzard, known for targeting NGOs, journalists, and government agencies through phishing campaigns and custom backdoors. The takedown aims to delay the group’s operations, particularly ahead of the upcoming US presidential election, a key target for foreign interference. Despite this success, cybersecurity experts warn that nation-state groups like Star Blizzard will likely continue to evolve their tactics, emphasizing the need for proactive threat hunting and enhanced security measures.

North Korea’s APT37 Targets Cambodia With Khmer, ‘VeilShell’ Backdoor

APT37, a North Korean state-sponsored group, has launched a new cyber campaign targeting Cambodian organizations using a backdoor called “VeilShell.” This attack relies on phishing emails with malicious shortcut (.LNK) files disguised as PDF or Excel documents to establish persistence on compromised systems, using a PowerShell-based RAT for long-term access. APT37 employs advanced evasion techniques such as AppDomainManager injection and long sleep timers between attack stages, ensuring stealth and making the campaign harder to detect and mitigate.

Scammer Rings Costing Victims Millions Busted By International Efforts

International cooperation led by Interpol has successfully dismantled two major criminal organizations involved in phishing and romance scams, resulting in millions of dollars in losses for victims. The initiative, known as ‘The Contender 2.0,’ targets cybercrime in West Africa, leveraging intelligence sharing with private cybersecurity firms like Group-IB to identify and apprehend perpetrators. Key arrests were made in Côte d’Ivoire and Nigeria, with ongoing investigations aiming to recover stolen funds and uncover additional victims of these sophisticated scams.

31 New Ransomware Groups Join The Ecosystem In 12 Months

Secureworks’ 2024 State of the Threat Report highlights a 30% increase in active ransomware groups, with 31 new players joining the ecosystem over the past year, despite law enforcement efforts. Established groups like LockBit, PLAY, and RansomHub continue to dominate, but the ecosystem is increasingly fragmented, adding complexity for defenders. The report also flags the growing threat of AI-driven attacks and Adversary-in-the-Middle (AiTM) campaigns, while state-sponsored cyber activities from Russia, China, Iran, and North Korea remain a significant concern.

Cyberattack Group ‘Awaken Likho’ Targets Russian Government With Advanced Tools

Awaken Likho, also known as Core Werewolf and PseudoGamaredon, is a cyberattack group actively targeting Russian government agencies and industrial sectors using sophisticated tools, particularly since June 2024. Their latest tactics involve leveraging the legitimate MeshCentral platform for remote access, replacing the previously used UltraVNC module, and employing spear-phishing techniques with malicious executables disguised as legitimate document files to compromise systems. The group has demonstrated adaptability in their attack methods, including the use of self-extracting archives to facilitate covert installations, thereby enhancing their persistence and control over compromised hosts.

MoneyGram Says Personal Information Stolen In Recent Cyberattack

MoneyGram announced a data breach resulting from a cyberattack that occurred from September 20 to 22, 2024, during which hackers accessed and exfiltrated personal information from customer systems. The breach led to a temporary worldwide outage of their money transfer services, impacting various types of sensitive data, including national ID numbers, bank account details, and copies of government-issued IDs. In response, MoneyGram has implemented containment measures, restored services, and is offering affected customers two years of free identity monitoring and credit monitoring for U.S. clients.

Adobe Patches Critical Bugs In Commerce And Magento Products

Adobe has released urgent patches addressing 25 vulnerabilities across its Adobe Commerce and Magento Open Source products, which pose significant risks including code execution and privilege escalation. Two of these vulnerabilities have a critical CVSS score of 9.8, underscoring the urgency for businesses to update impacted versions, specifically Adobe Commerce 2.4.7-p2 and earlier, and Magento Open Source 2.4.7-p2 and earlier. Additionally, Adobe addressed critical flaws in other products, including Adobe Dimension and Adobe Animate, although no active exploitation of these vulnerabilities has been reported at this time.


03-Oct-24: In Security News Today
https://techkranti.com/03-oct-24-in-security-news-today/
Thu, 03 Oct 2024 21:55:34 +0000

Fraudsters Imprisoned For Scamming Apple Out Of 6,000 iPhones

Two Chinese nationals, Haotian Sun and Pengfei Xue, were sentenced to prison for a scam that involved exchanging over 6,000 counterfeit iPhones for authentic ones, exploiting Apple’s device replacement policy. They, along with co-conspirators, shipped fake iPhones with spoofed IMEI and serial numbers from Hong Kong to the U.S., submitted them for replacement, and sold the genuine devices overseas, causing over $2.5 million in losses. Sun and Xue were convicted of mail fraud and sentenced to over 4 years in prison, with restitution payments ordered to Apple.

Over 4,000 Adobe Commerce, Magento Shops Hacked In CosmicSting Attacks

Over 4,000 Adobe Commerce and Magento sites have been compromised by multiple threat actors exploiting the CosmicSting vulnerability (CVE-2024-32102), in combination with another security flaw (CVE-2024-2961), to steal credit card and customer data through remote code execution. Despite warnings and available patches, many stores remain unprotected, including high-profile brands such as Ray-Ban, Whirlpool, and National Geographic. Security researchers have identified at least seven groups involved in these attacks, leveraging malicious scripts to inject payment skimmers and steal cryptographic keys from unpatched sites.

Microsoft And DOJ Disrupt Russian FSB Hackers’ Attack Infrastructure

Microsoft and the U.S. Department of Justice (DOJ) have disrupted over 100 domains used by the Russian ColdRiver hacking group, linked to Russia’s Federal Security Service (FSB), targeting U.S. government and nonprofit entities through spear-phishing attacks. This effort is part of a broader strategy to counter ColdRiver’s long-standing cyber-espionage campaigns, which have increasingly focused on defense and energy sectors since Russia’s invasion of Ukraine. By seizing attack infrastructure, Microsoft and DOJ aim to mitigate ongoing risks to sensitive information and critical U.S. assets.

Chrome, Firefox Updates Patch High-Severity Vulnerabilities

Google and Mozilla released updates for Chrome and Firefox, addressing 17 vulnerabilities, including 10 high-severity flaws. Chrome 129.0.6668.89 fixes issues like an integer overflow in Layout and insufficient data validation in Mojo, while Firefox 131 resolves bugs affecting Android users and cross-origin content access. Both companies encourage users to update their browsers and email clients, with no evidence of the vulnerabilities being exploited in the wild so far.

Dutch Police: ‘State Actor’ Likely Behind Recent Data Breach

The Dutch national police reported a significant data breach, suspected to be the work of a state actor, compromising contact details and other private information of police officers. The breach involved hacking a police account and exfiltrating work-related data, prompting the implementation of stricter security measures, including two-factor authentication and enhanced monitoring. While intelligence services point to a foreign government or affiliated group, the police are withholding detailed information to protect the ongoing investigation.

Google Adds New Pixel Security Features To Block 2G Exploits And Baseband Attacks

Google has introduced new security measures in its latest Pixel devices to combat baseband vulnerabilities and 2G network exploits, which are commonly targeted through false base stations and covert downgrade attacks. Android 14 now includes a feature allowing administrators to disable 2G networks, and Google has improved baseband security using Clang sanitizers to prevent remote code execution exploits. Additional defenses like stack canaries, control-flow integrity (CFI), and new alerts for unencrypted network connections help strengthen Pixel devices against advanced threats such as cell-site simulators and SMS blaster fraud.

LiteSpeed Cache Plugin Flaw Allows XSS Attack, Update Now

A vulnerability (CVE-2024-47374) in the LiteSpeed Cache plugin for WordPress, affecting over six million sites, enables unauthenticated attackers to inject malicious code via the plugin’s CSS queue generation process. The flaw, discovered by Patchstack, is an unauthenticated stored XSS issue that exploits the “Vary Group” functionality when certain CSS optimization settings are enabled. LiteSpeed has addressed the issue in version 6.5.1, and users are urged to update immediately to avoid privilege escalation or data theft.

CISA’s Platform Receives 2,400 Unique Vulnerability Disclosures, Researchers Paid $335K

CISA’s Vulnerability Disclosure Policy (VDP) Platform received over 12,000 submissions in its first two years, identifying over 2,400 unique vulnerabilities, of which nearly 2,000 were remediated. Bug bounty programs through the platform rewarded $335,000 for 229 vulnerabilities, with payouts averaging $1,463 per bug, incentivizing researchers to find critical issues, such as cross-site scripting (XSS) vulnerabilities. CISA estimates significant cost savings, with an estimated $4.45 million in remediation costs saved, while highlighting the potential catastrophic impact of unaddressed critical vulnerabilities.

North Korean Hackers Using New VeilShell Backdoor In Stealthy Cyber Attacks

North Korean hackers, linked to APT37, have launched a campaign called SHROUDED#SLEEP, employing a new backdoor trojan named VeilShell to target Cambodia and possibly other Southeast Asian nations. This stealthy malware, which utilizes a Windows shortcut file as a dropper to deploy PowerShell-based components, enables full access to compromised systems, facilitating data exfiltration and other malicious activities. Notably, the attack strategy incorporates advanced techniques like AppDomainManager injection to maintain persistence and evade detection, highlighting the group’s evolution in cyber espionage tactics.


02-Oct-24: In Security News Today
https://techkranti.com/02-oct-24-in-security-news-today/
Wed, 02 Oct 2024 21:38:27 +0000

LockBit Associates Arrested, Evil Corp Bigwig Outed

Operation Cronos has led to the arrest of four key LockBit ransomware associates and uncovered significant ties between LockBit and Russia’s Evil Corp, notorious for banking Trojans like Zeus and Dridex. Aleksandr Ryzhenkov, previously Evil Corp’s second-in-command, was sanctioned and named as a LockBit affiliate, highlighting cross-affiliation within major cybercrime groups. Law enforcement efforts across multiple countries have intensified, aiming to disrupt LockBit’s infrastructure and expose its links to large-scale ransomware and financial crimes.

Zero-Day Breach At Rackspace Sparks Vendor Blame Game

Rackspace experienced a data breach due to a zero-day vulnerability in a third-party utility bundled with ScienceLogic’s SL1 monitoring software. The breach exposed limited internal monitoring information, including customer details and encrypted credentials, but did not impact other Rackspace products or services. This follows a previous ransomware attack in 2022, further highlighting vulnerabilities within Rackspace’s infrastructure and the software supply chain.

Roblox Cheaters Targeted By Cybercriminals Offering Malicious Gaming ‘Hacks’

Malware campaigns targeting Roblox cheaters have surged, with cybercriminals distributing malicious Python packages and executables via platforms like GitHub and Discord. These malware variants, including Skuld Stealer and Blank Grabber, are designed to steal sensitive data from browsers, Discord, and cryptocurrency wallets. Young gamers are particularly vulnerable, as they often disable antivirus protections to run game cheats, exposing them to serious security risks.

Fake Trading Apps Target Victims Globally Via Apple App Store And Google Play

A global fraud campaign, known as “pig butchering,” uses fake trading apps to lure victims via the Apple App Store, Google Play, and phishing websites, promising high financial returns through cryptocurrency and other investments. These apps, including UniShadowTrade and SBI-INT, manipulate users through social engineering tactics, ultimately stealing their funds when they attempt to withdraw investments, often demanding additional fees. The attackers exploit trusted app distribution platforms, employ web-based components to avoid detection, and target victims across various regions including Asia-Pacific and Europe.

China-Linked Ceranakeeper Targeting Southeast Asia With Data Exfiltration

CeranaKeeper, a China-linked threat actor, has been targeting Southeast Asia since 2023, primarily focusing on governmental institutions in countries like Thailand, Myanmar, and Taiwan. Leveraging tools such as TONESHELL and newly developed malware like WavyExfiller and BingoShell, the group employs sophisticated methods for data exfiltration through cloud services like Dropbox and OneDrive. The attackers use custom backdoors, abuse compromised machines as update servers, and continuously adapt their toolset to evade detection and maximize data collection across infected networks.

CISA: Network Switch RCE Flaw Impacts Critical Infrastructure

CISA has issued an alert regarding two critical vulnerabilities (CVE-2024-41925 and CVE-2024-45367) in Optigo Networks ONS-S8 Aggregation Switches, allowing remote code execution and authentication bypass. These flaws, which impact all versions up to 1.3.7, stem from weak authentication enforcement and improper user input validation, creating serious risks for critical infrastructure and manufacturing units globally. As no patches are available yet, CISA advises isolating the management interface, using VPNs, and following risk mitigation strategies to secure affected systems.

Alert: Over 700,000 DrayTek Routers Exposed To Hacking Via 14 New Vulnerabilities

DrayTek routers have been found vulnerable to 14 security flaws, including two critical vulnerabilities that allow for remote code execution (RCE) and denial-of-service (DoS) attacks. Over 700,000 routers worldwide, primarily in the U.S., are exposed to these risks, making them a significant target for cybercriminals. Patches have been released to address the vulnerabilities, and security experts advise disabling remote access, implementing access control lists, and using two-factor authentication to mitigate potential threats.

Critical Zimbra RCE Flaw Exploited To Backdoor Servers Using Emails

Attackers are leveraging the CVE-2024-45519 remote code execution flaw in Zimbra’s postjournal service by sending specially crafted emails that execute base64-encoded commands via the SMTP server’s CC field. This exploitation results in the installation of webshells, providing attackers with full access to compromised servers for data exfiltration and lateral movement within networks. Cybersecurity professionals should urgently apply the latest Zimbra patches, disable the postjournal service if unnecessary, and ensure proper configuration of network access controls to mitigate this widespread threat.

Data Leak Hits Latin America’s Financial Institutions, Leads Point To Fintech App

A significant data leak from the fintech platform Bankingly has compromised the personal information of nearly 135,000 clients across seven financial institutions in Latin America, with the majority of affected individuals residing in the Dominican Republic. The incident, attributed to misconfigured Azure Blob Storage buckets, highlights the risks associated with third-party service providers in the financial sector, as exposed personally identifiable information (PII) could facilitate social engineering attacks and credential stuffing. Despite securing the leaked data, the incident raises concerns about the potential for sophisticated phishing schemes targeting vulnerable clients and the ongoing threat posed by third-party vulnerabilities in digital banking.

Record-Breaking DDoS Attack Peaked At 3.8 Tbps, 2.14 Billion Pps

Cloudflare has successfully mitigated a historic DDoS attack that peaked at 3.8 Tbps and 2.14 billion packets per second, targeting an unidentified customer of a hosting provider utilizing its services. This attack is part of a month-long campaign that began in early September, during which Cloudflare managed to defend against over 100 similar hyper-volumetric attacks, many surpassing 2 billion Pps and 3 Tbps. The attack origins were global, with significant contributions from compromised systems in Vietnam, Russia, Brazil, Spain, and the United States, affecting sectors such as financial services and telecommunications.

Andariel Hacking Group Shifts Focus To Financial Attacks On U.S. Organizations

Andariel, a North Korean state-sponsored hacking group linked to the Lazarus Group, has shifted its focus to financially motivated attacks, targeting three U.S. organizations in August 2024 without deploying ransomware. Symantec reported that the attacks involved tools like Dtrack and a newly observed backdoor named Nukebot, suggesting a potential increase in extortion attempts against U.S. entities despite ongoing government countermeasures. This shift in strategy indicates a growing trend of North Korean cyber actors engaging in financially driven operations, reflecting a broader threat landscape for cybersecurity professionals to monitor.

01-Oct-24: In Security News Today https://techkranti.com/01-oct-24-in-security-news-today/ Tue, 01 Oct 2024 21:24:24 +0000

DOJ Charges 3 Iranian Hackers In Political ‘Hack & Leak’ Campaign

The U.S. Department of Justice has charged three Iranian hackers affiliated with the Islamic Revolutionary Guard Corps (IRGC) for conducting a politically motivated “hack-and-leak” operation targeting U.S. presidential campaigns. The attackers infiltrated accounts of U.S. government officials and political figures, stealing sensitive information which was later weaponized to disrupt election integrity. Their tactics included spear-phishing and social engineering, with the U.S. offering up to $10 million for information on election interference tied to foreign actors.

Elaborate Deepfake Operation Takes A Meeting With US Senator

Senator Ben Cardin was targeted by cybercriminals using deepfake technology, where attackers impersonated a Ukrainian official during a Zoom meeting to elicit sensitive political information. The operation was thwarted when the attackers asked out-of-character questions, prompting Cardin’s office to end the call and report the incident. This case highlights the growing threat of deepfakes, which pose significant risks to national security, businesses, and individuals, with experts stressing the need for heightened awareness, education, and robust verification processes.

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets With Image Recognition

Rhadamanthys, an AI-powered information stealer, has introduced new capabilities that use optical character recognition (OCR) to extract cryptocurrency wallet seed phrases from images, significantly increasing its threat level to cryptocurrency users. The malware, marketed under a malware-as-a-service (MaaS) model, also harvests credentials, system information, and browser data, with the latest version incorporating enhanced stability, AI-powered graphics recognition, and evasion techniques. Alongside other stealers like Lumma, it has been involved in large-scale phishing campaigns targeting tech-savvy victims, emphasizing the rapidly evolving and sophisticated nature of modern cybercrime.

Evil Corp Hit With New Sanctions, BitPaymer Ransomware Charges

Evil Corp, a notorious cybercrime syndicate, has been hit with additional sanctions by the US, UK, and Australia, targeting seven individuals and two entities linked to its operations. The US also indicted Aleksandr Ryzhenkov, a member of the group, for conducting ransomware attacks using BitPaymer and LockBit ransomware, demanding ransoms to decrypt victim data. These sanctions reinforce restrictions on financial transactions with Evil Corp, making it illegal for organizations to pay ransom demands without prior approval, as the group continues to evolve its tactics to evade detection and sanctions.

Ransomware Attack Forces UMC to Divert Emergency Patients

The University Medical Center (UMC) in Lubbock, Texas, faced a ransomware attack that severely disrupted its IT systems, forcing the diversion of emergency patients and disabling critical services like phone systems and patient portals. Although some services have been restored, UMC continues to divert select patients, and the full extent of the incident, including potential data breaches, is still under investigation. This attack highlights the increasing threat ransomware poses to healthcare institutions, stressing the need for proactive, intelligence-driven security measures to protect critical infrastructure.

Four LockBit Ransom Gang Arrests, Servers Seized By Europol

Europol has arrested four individuals linked to the LockBit ransomware group, including a developer, affiliates, and a bulletproof hosting administrator, as part of the third phase of Operation Cronos. In addition to the arrests, nine critical servers used by LockBit were seized, dealing another blow to the ransomware group’s infrastructure. Despite these efforts, LockBit remains one of the most evasive and dominant ransomware threats, accounting for 47% of publicized ransomware attacks in the last year, and continuing to operate using a Ransomware-as-a-Service model.

UAE, Saudi Arabia Become Plum Cyberattack Targets

The UAE and Saudi Arabia have become prime targets for cyberattacks, with a 70% increase in DDoS attacks driven by hacktivist groups, particularly focused on public sector entities. A report from Positive Technologies highlights that stolen data and illicit access are highly sought on Dark Web forums, with 54% of posts relating to selling or buying access, often involving government agencies. The growing attack surface and geopolitical tensions make the region a hotspot for both nation-state and hacktivist cyber campaigns, signaling a need for stronger cybersecurity defenses.

Ten Million Brits Hit By Fraud In Just Three Years

A recent study sponsored by Santander UK revealed that 10 million Brits were victims of fraud between 2021 and 2023, with the direct economic loss reaching £9bn and broader productivity costs pushing the total to £16bn. The study emphasizes that combating fraud requires a coordinated international response, as fraudsters operate across borders, affecting both developed and developing countries. Recommendations include the UK taking a global leadership role in enhancing law enforcement, promoting cross-border cooperation, and pushing for private sector accountability in fraud prevention efforts.

Cyberattackers Use HR Targets To Lay More_Eggs Backdoor

The FIN6 group has shifted its spear-phishing tactics, now targeting recruiters by posing as job applicants, spreading the more_eggs backdoor malware, which can deploy secondary payloads. Researchers from Trend Micro discovered that the campaign leverages fake resumes, malicious .zip files, and convincing applicant websites to deceive recruiters into executing the malware. Organizations are advised to bolster their cybersecurity measures, especially through advanced threat detection systems and fostering cybersecurity awareness to combat these evolving, social engineering-based attacks.

30-Sep-24: In Security News Today https://techkranti.com/30-sep-24-in-security-news-today/ Mon, 30 Sep 2024 21:45:00 +0000

North Korea Hackers Linked To Breach Of German Missile Manufacturer

North Korean hackers linked to the Kimsuky APT have successfully breached Diehl Defence, a German missile manufacturer, using sophisticated phishing tactics that included fake job offers and booby-trapped PDF files. This breach is particularly alarming due to Diehl Defence’s role in producing missile systems, notably the Iris-T, which are critical to defense initiatives in South Korea. Mandiant’s investigation revealed that the attackers conducted thorough reconnaissance prior to the attack, utilizing a domain mimicking Diehl’s location to harvest login credentials from German users and potentially compromise sensitive information related to defense operations.

Media Giant AFP Hit By Cyberattack Impacting News Delivery Services

AFP, a global news agency, suffered a cyberattack affecting its IT systems and content delivery services, though news coverage remains unaffected. The company is collaborating with France’s cybersecurity agency, ANSSI, to mitigate the attack, while advising media partners to update FTP credentials as a precaution. No details about the attackers or specific attack methods have been disclosed, and investigations are ongoing.

FBI Warns of Sophisticated Iranian Hackers Targeting Personal Accounts

The FBI has warned that Iranian hackers, likely associated with the Islamic Revolutionary Guard Corps (IRGC), are using advanced social engineering techniques to target individuals involved in U.S. political campaigns, Middle Eastern affairs, and other high-profile areas. The attackers impersonate trusted contacts or service providers to deceive victims into sharing sensitive login credentials, often using fake email login pages to steal information. To mitigate the risks, the FBI advises enhanced security measures like multi-factor authentication, user training, and vigilance against phishing and spoofing attempts.

Critical RCE Vulnerabilities Found In Common Unix Printing System

New RCE vulnerabilities in the Common Unix Printing System (CUPS) have been discovered, posing significant risk to Linux environments with a critical CVSS score of 9.9. These flaws allow unauthenticated attackers to execute arbitrary code by sending malicious print jobs, potentially escalating privileges through compromised drivers. Security professionals are urged to apply immediate patches, disable CUPS if not required, and block UDP port 631 to mitigate risk, as these vulnerabilities can be exploited via internet-wide scans and lead to persistent threats like remote access Trojans.

Hawaii Health Center Discloses Data Breach After Ransomware Attack

The Community Clinic of Maui, targeted by the LockBit ransomware group in May 2024, suffered a data breach affecting over 120,000 individuals, with attackers stealing sensitive personal and medical information. Despite the clinic’s claim of no evidence of misuse, the stolen data includes Social Security numbers, bank details, and medical records, raising concerns of potential exploitation. In response, the clinic offers credit monitoring to impacted individuals, while law enforcement continues efforts to disrupt the LockBit group’s activities.

Transport, Logistics Orgs Hit By Stealthy Phishing Gambit

Since May 2024, a cyber threat actor has compromised email accounts in the transport and logistics sector, using thread hijacking to insert malware-laden attachments deep within legitimate conversations. Initially using Google Drive files to deploy malware like Lumma and NetSupport, the attacker later shifted to a “ClickFix” method, tricking victims into running malicious PowerShell scripts. These attacks exploit the high financial stakes and extensive communications within the industry, making it a lucrative target for cybercriminals seeking to intercept large transactions or redirect shipments.

Accounting Firm WMDDH Discloses Data Breach Impacting 127,000

WMDDH, a Louisiana-based accounting firm, disclosed a data breach from July 2023, compromising the personal data of over 127,000 individuals, including Social Security numbers, financial information, and medical records. The breach, initially detected due to unusual network activity, took ten months to fully assess and identify the affected individuals. WMDDH is offering one year of credit monitoring and identity theft protection services to those impacted by the incident.

Critical Flaws In Tank Gauge Systems Expose Gas Stations To Remote Attacks

Critical vulnerabilities have been identified in six Automatic Tank Gauge (ATG) systems from various manufacturers, exposing them to potential remote attacks that could lead to significant physical, environmental, and economic consequences. With thousands of ATGs accessible via the internet, malicious actors can exploit these flaws, which include severe issues such as OS command injection and authentication bypasses, granting them administrative control over these systems. Experts recommend immediate action, including limiting access to affected devices and enhancing cybersecurity measures, to mitigate the risks posed by these vulnerabilities in critical infrastructure.

US Charges 3 Iranians Over Presidential Campaign Hacking

US authorities have charged three Iranian nationals affiliated with the Islamic Revolutionary Guard Corps (IRGC) for their involvement in cyberattacks aimed at influencing the 2024 presidential election. The hackers targeted multiple campaigns, including those of Biden, Trump, and Harris, employing tactics such as spear-phishing and social engineering to steal sensitive information. In addition to the charges, the US government has announced sanctions and a $10 million reward for information leading to the arrest of these individuals, highlighting the ongoing threat posed by Iranian cyber operations to US democratic processes.

Cyber-Attacks Hit Over A Third Of English Schools

Cyber incidents have impacted 34% of English schools and colleges during the 2023/24 academic year, with phishing attacks being the most common threat. A report revealed that 20% of educational institutions were unable to recover immediately from such incidents, and 4% took over half a term to resume normal operations. Given the unique cybersecurity challenges faced by schools, including a lack of training for one in three teachers, experts are urging educational institutions to enhance their cybersecurity measures and adopt best practices to protect sensitive data and maintain operational integrity.

Microsoft: Cloud Environments Of US Organizations Targeted In Ransomware Attacks

Microsoft has issued a warning about the cybercriminal group Storm-0501, which is targeting the hybrid cloud environments of U.S. organizations across various sectors, including government and manufacturing. Active since 2021, Storm-0501 employs a ransomware-as-a-service model and has used multiple ransomware families, such as Alphv/BlackCat and LockBit, to carry out sophisticated multi-stage attacks. The group exploits weak credentials and known vulnerabilities to gain initial access, subsequently moving laterally to compromise cloud environments, create backdoor access, and deploy ransomware across networks.

British National Arrested, Charged For Hacking US Companies

British national Robert Westbrook has been charged with executing a hack-to-trade scheme against five U.S. companies, where he accessed corporate executives’ email accounts to obtain sensitive earnings information. Between January 2019 and May 2020, he allegedly profited approximately $3.75 million by trading securities based on this nonpublic information, employing tactics like password resets and auto-forwarding rules to facilitate the scheme. Awaiting extradition to the U.S., Westbrook faces serious charges including computer, securities, and wire fraud, along with potential civil penalties from the SEC.

23-Sep-24: In Security News Today https://techkranti.com/23-sep-24-in-security-news-today/ Mon, 23 Sep 2024 22:12:44 +0000

New Mallox Ransomware Linux Variant Based On Leaked Kryptina Code

Mallox ransomware affiliates have been using a modified version of the leaked Kryptina ransomware source code to target Linux systems, representing a shift from their previous Windows-only focus. This new “Mallox Linux 1.0” variant retains Kryptina’s core encryption and decryption mechanisms but has been rebranded with only superficial changes, such as modified ransom notes. The incident highlights the evolving ransomware landscape, as Mallox expands its reach to Linux and VMware ESXi systems, with affiliates possibly using multiple versions in their attacks.

Ally Bank May Have Compromised Your Personal Data In An April Data Breach

Ally Bank is facing a class-action lawsuit after an April 2023 data breach exposed sensitive customer information, including Social Security numbers, allegedly sold on the dark web. The breach impacted both current and former customers, with attackers gaining access through a third-party vendor’s system. Ally Bank is offering affected customers three years of identity theft protection, while cybersecurity experts warn of increasing attacks on banks due to the value of sensitive financial data.

Commerce Dept. Proposes Ban On Automotive Software & Hardware From China, Russia

The U.S. Department of Commerce has proposed a ban on automotive software and hardware from foreign adversaries, particularly China and Russia, citing national security concerns. This move would affect nearly all Chinese vehicles in the U.S. market, prohibiting their sale and the testing of self-driving cars, and requiring American automakers to remove any foreign adversary technology. The proposal, targeting connected vehicles due to the risk of surveillance and remote control threats, is expected to take effect by 2027 for software and 2029 for hardware.

Vulnerabilities Found In Popular Houzez Theme And Plugin

Two vulnerabilities, CVE-2024-22303 and CVE-2024-21743, were found in the Houzez WordPress theme and Login Register plugin, which could allow unauthorized privilege escalation and account takeover. The primary issues stemmed from insufficient authorization checks, including weaknesses in password reset and email modification processes. Both vulnerabilities have been patched, and users are advised to upgrade to version 3.3.0 or higher to mitigate potential risks.

Android Malware ‘Necro’ Infects 11 Million Devices Via Google Play

Necro malware has infected 11 million Android devices through malicious SDKs embedded in legitimate apps like Wuta Camera and Max Browser, both available on Google Play. The malware uses various techniques, including invisible WebViews, subscription fraud tools, and proxy mechanisms, to generate fraudulent revenue and facilitate malicious activities. In addition to Google Play, Necro is also spread via unofficial app mods of popular software like WhatsApp and Spotify, further extending its reach.

Man Scams $4M From Mostly Elderly Victims

A federal jury convicted Roger Roger, 40, for leading a telemarketing scheme that defrauded primarily elderly victims of over $4 million from a call center in Costa Rica. Posing as U.S. government officials, he and his co-conspirators tricked victims into believing they had won sweepstakes prizes, requiring them to make fraudulent upfront payments for taxes and fees. The operation utilized VoIP technology to obscure their identities and facilitate the illegal transfer of funds to Costa Rica, with Roger now facing up to 25 years in prison for various fraud and money laundering charges.

China’s ‘Earth Baxia’ Spies Exploit GeoServer To Target APAC Orgs

China’s Earth Baxia APT group is targeting organizations in the APAC region, including Taiwan, Japan, and the Philippines, using spear-phishing tactics and exploiting a vulnerability in GeoServer software (CVE-2024-36401). Their attacks focus on government agencies and critical infrastructure, often utilizing malicious decoy documents related to significant conferences. Compromised systems typically involve the installation of Cobalt Strike or a custom backdoor known as EagleDoor, facilitating extensive data exfiltration and lateral movement within networks.

Russian Cyber-Attacks Home In On Ukraine’s Military Infrastructure

Recent findings by Ukraine’s State Service of Special Communications and Information Protection reveal a strategic shift among Russian-aligned cyber threat actors, moving from broad data exfiltration efforts to targeted cyber espionage against military infrastructure. In the first half of 2024, cyber-attacks on Ukraine’s defense sectors surged to 276 incidents, with notable activity from five specific threat groups employing remote access Trojans to control compromised systems. The report highlights an overall 19% increase in cyber incidents, driven by lower-severity attacks, and underscores the urgent need for licensed software to mitigate vulnerabilities associated with malware from pirated programs.

After Summer Leak, Disney Is Doing Away With Slack For Good

Disney is discontinuing the use of Slack following a significant data breach where a hacktivist group, NullBulge, stole over 1 terabyte of internal data, allegedly aided by an insider. The transition away from Slack, mandated by senior leadership, aims to enhance the company’s cybersecurity posture and is expected to be completed by Q2 FY25. This incident highlights the vulnerabilities of internal communication platforms and underscores the necessity for companies to implement behavioral analysis and monitoring to prevent unauthorized data access.

CERT/CC Warns Of Unpatched Critical Vulnerability In Microchip ASF

The CERT Coordination Center has issued a warning regarding a critical vulnerability (CVE-2024-7490) in Microchip’s Advanced Software Framework (ASF) 3, which may enable remote code execution through specially crafted DHCP requests. The flaw arises from improper input validation in the implementation of the Tinydhcp server, leading to a stack-based overflow. Microchip recommends migrating to actively maintained software, as the affected version is no longer supported and no practical solution exists to mitigate the vulnerability.

Hacker Selling Dell Employees’ Data After A Second Alleged Data Breach

A hacker known as “grep” has reportedly breached Dell Technologies twice within a week, compromising over 3.5GB of sensitive data related to more than 10,000 employees. The breaches, allegedly facilitated by vulnerabilities in Dell’s Atlassian tools, expose employee IDs and personal information, raising concerns about potential phishing and social engineering threats. Despite Dell’s acknowledgment of the first incident, the company has yet to release an official statement regarding either breach, highlighting ongoing security challenges faced by the organization.

19-Sep-24: In Security News Today https://techkranti.com/19-sep-24-in-security-news-today-2/ Thu, 19 Sep 2024 22:24:25 +0000

Tor Says It’s “Still Safe” Amid Reports Of Police Deanonymizing Users

The Tor Project reassures users that their network remains secure despite recent reports of law enforcement using timing attacks to deanonymize users. While acknowledging timing analysis as a known method, Tor emphasizes that mitigations in newer versions of its tools, including improved relay management, reduce such risks. The project also urges increased network diversity, noting that past attacks targeted outdated software and specific vulnerabilities that have since been addressed.

Hackers Demand $6 Million For Files Stolen From Seattle Airport Operator In Cyberattack

Hackers linked to the Rhysida ransomware group are demanding $6 million in bitcoin from the Port of Seattle after stealing and leaking sensitive airport documents in a cyberattack. Despite the breach, the airport has refused to pay the ransom, and the FBI has launched a criminal investigation into the incident. The attack, which disrupted operations like ticketing and baggage handling, is still under recovery, while authorities work to secure any exposed personal information.

Ivanti Warns Of Another Critical CSA Flaw Exploited In Attacks

Ivanti has disclosed another critical Cloud Services Appliance (CSA) vulnerability, CVE-2024-8963, which is actively being exploited in conjunction with the previously disclosed CVE-2024-8190. This vulnerability allows remote attackers to bypass authentication and execute arbitrary commands on unpatched systems, posing a significant risk to enterprise network security. Ivanti urges administrators to apply patch 519 immediately, implement proper network segmentation, and monitor for signs of exploitation, as federal agencies are required to patch by October deadlines.

Hackers Exploit Default Credentials In Foundation Software To Breach Construction Firms

Hackers are exploiting default credentials in FOUNDATION Accounting Software to breach construction firms, targeting sub-industries like plumbing, HVAC, and concrete. Attackers brute-force access to Microsoft SQL Server instances, leveraging high-privileged accounts such as “sa” and “dba,” which are often left with default credentials, allowing execution of arbitrary shell commands via xp_cmdshell. To mitigate these risks, experts recommend rotating default credentials, limiting public exposure of the software, and disabling the xp_cmdshell configuration.

Police Dismantle Phone Unlocking Ring Linked To 483,000 Victims

A multinational law enforcement operation dismantled an international phishing network using the iServer phishing-as-a-service platform, which exploited over 483,000 victims globally by unlocking stolen or lost mobile phones. The platform, active since 2018, was used by low-skilled criminals to steal credentials and bypass phone security features, with over 2,000 “unlockers” registered to access stolen devices. During the coordinated action week, 17 suspects were arrested, and the platform’s Argentinian administrator was detained, concluding an investigation spanning multiple countries and leading to significant seizures.

Packed With Features, ‘SambaSpy’ RAT Delivers Hefty Punch

SambaSpy is a sophisticated remote access Trojan (RAT) with extensive capabilities like file management, password theft, webcam control, and keystroke logging, making it a versatile tool for espionage and cyberattacks. Originating from Brazil and initially targeting Italian users, the malware uses phishing emails and Zelix KlassMaster obfuscation to evade detection, with signs of expanding to Spain, Brazil, and other regions. Its deployment method, through phishing lures, remains a highly effective attack vector, enhanced by AI-driven tactics, and is expected to persist in future campaigns.

Thousands Of ServiceNow KB Instances Expose Sensitive Corporate Data

Over the past year, 1,000 instances of ServiceNow enterprise knowledge bases have exposed sensitive data, including PII and active credentials, due to outdated configurations and misconfigured access controls. Although ServiceNow implemented security updates to enhance data protection, these improvements failed to address vulnerabilities in KB access controls, leading to widespread data leaks. To mitigate these issues, organizations should regularly audit KB access controls and ensure proper security configurations are in place to prevent unauthorized data exposure.

CISA Releases Cyber Defense Alignment Plan For Federal Agencies

CISA’s Federal Civilian Executive Branch Operational Cybersecurity Alignment (FOCAL) plan aims to unify and standardize cybersecurity measures across federal agencies to better address dynamic cyber threats. The plan emphasizes five priority areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident detection and response, with the goal of improving collective operational defense and resilience. By aligning these components, CISA seeks to enhance interagency coordination and reduce vulnerabilities within the federal enterprise.

Germany Seizes 47 Crypto Exchanges Used By Ransomware Gangs

German authorities have seized 47 cryptocurrency exchanges implicated in facilitating anonymous money laundering for cybercriminals, including ransomware gangs. These platforms, bypassing “Know Your Customer” regulations, enabled users to evade detection, creating a significant risk environment for illicit financial activities. The operation, dubbed “Operation Final Exchange,” has led to the capture of extensive user and transaction data, potentially aiding in future investigations and arrests of involved cybercriminals.

As Geopolitical Tensions Mount, Iran’s Cyber Operations Grow

Iranian cyber operations, particularly by the group APT34, are increasingly targeting government sectors in the Middle East, including recent attacks on Iraq. This group, linked to Iran’s Ministry of Intelligence and Security, utilizes custom malware and sophisticated communication techniques to exfiltrate sensitive data rather than cause destruction. With geopolitical tensions rising, Iran’s cyber capabilities are expected to continue evolving, emphasizing the need for robust cybersecurity measures and zero-trust architectures in the region.

Contractor Software Targeted Via Microsoft SQL Server Loophole

Cybercriminals have been exploiting a vulnerability in Foundation accounting software, widely used in construction, by targeting its Microsoft SQL Server (MSSQL) instance on TCP port 4243, which the product’s mobile app feature leaves reachable from the Internet. Researchers from Huntress identified the threat from unusual SQL Server process activity and noted that attackers are using brute force and default credentials to gain administrative access. To mitigate this threat, organizations are advised to rotate credentials and ensure their installations are not exposed to the Internet.

New TeamTNT Cryptojacking Campaign Targets CentOS Servers With Rootkit

TeamTNT has launched a new cryptojacking campaign targeting CentOS-based Virtual Private Servers (VPS) using a sophisticated rootkit. The attack begins with an SSH brute force to upload a malicious script that disables security features, deletes logs, and disrupts other mining activities before deploying the Diamorphine rootkit for stealth and persistent access. This operation reflects TeamTNT’s evolution from 2019, now employing enhanced tactics to ensure persistent control and concealment within compromised systems.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.
