Feed aggregator

AttachMe: a critical flaw affects Oracle Cloud Infrastructure (OCI)

Security Affairs - Thu, 09/22/2022 - 17:10
A critical vulnerability in Oracle Cloud Infrastructure (OCI) could be exploited to access the virtual disks of other Oracle customers.

Wiz researchers discovered a critical flaw in Oracle Cloud Infrastructure (OCI) that could be exploited by users to access the virtual disks of other Oracle customers. An attacker can trigger the flaw to exfiltrate sensitive data or conduct more destructive attacks by manipulating executable files.

The cloud security firm dubbed the cloud isolation vulnerability in Oracle Cloud Infrastructure (OCI) “AttachMe.”

“We found the vulnerability while working on the Wiz/Oracle cloud (OCI) integration. When trying to attach to another OCI user’s virtual disk, we were surprised to find the operation succeeded! We received read/write access to disks in another account that does not belong to us,” Shir Tamari, head of research at Wiz, said in a series of tweets. “Each virtual disk in Oracle’s cloud has a unique identifier called OCID. This identifier is not considered secret, and organizations do not treat it as such.”

Vulnerability full disclosure – New Oracle cloud vulnerability allowed users to access the virtual disks of other Oracle customers >>

— Shir (@shirtamari) September 20, 2022

The experts discovered that once an attacker obtains the OCID of a victim’s disk that is not currently attached to an active server, or that is configured as shareable, they could “attach” to it and obtain read/write access to it.

Oracle addressed the issue within 24 hours of being notified by Wiz on June 9, 2022.

“Cloud tenant isolation is a key element in cloud. Customers expect that their data isn’t accessible by other customers. Yet, cloud isolation vulnerabilities break the walls between tenants.” reads the post published by the security firm. “This highlights the crucial importance of proactive cloud vulnerability research, responsible disclosure, and public tracking of cloud vulnerabilities to cloud security.”

The experts added that the issue can be exploited only if the attacker’s instance is in the same Availability Domain (AD) as the target volume.

“This condition can be easily met as the number of availability zones is relatively small (up to three in some regions) and can therefore be enumerated.” added the experts.

“Insufficient validation of user permissions is a common bug class among cloud service providers,” Wiz researcher Elad Gabay said. “The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage.”

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Oracle Cloud Infrastructure)

The post AttachMe: a critical flaw affects Oracle Cloud Infrastructure (OCI) appeared first on Security Affairs.

Categories: Cyber Security News

Cisco SecUniversity: free registration for the fifth semester is now open!

Sekurak.pl - Thu, 09/22/2022 - 14:39

The four previous editions of SecUniversity proved one thing: cybersecurity is a topic as important as it is deservedly intriguing. When Cisco announced enrollment for the first semester of free lessons, the places ran out quickly. The following series of sessions attracted ever greater interest. Now it is time for the fifth edition of the event (with no limit on places). Those who know it is worthwhile...

The article Cisco SecUniversity: free registration for the fifth semester is now open! originally appeared on Sekurak.

Researchers Uncover Years-Long Mobile Spyware Campaign Targeting Uyghurs

The Hacker News - Thu, 09/22/2022 - 13:03
A new wave of a mobile surveillance campaign has been observed targeting the Uyghur community as part of a long-standing spyware operation active since at least 2015, cybersecurity researchers disclosed Thursday. The intrusions, originally attributed to a threat actor named Scarlet Mimic back in January 2016, are said to have encompassed 20 different variants of the Android malware, which were
Categories: Cyber Security News

Malicious NPM Package Caught Mimicking Material Tailwind CSS Package

The Hacker News - Thu, 09/22/2022 - 11:01
A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a CSS-based framework advertised by its maintainers as an "easy to use components library for Tailwind CSS and Material Design." "The
Categories: Cyber Security News

A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects

Security Affairs - Thu, 09/22/2022 - 09:27
More than 350,000 open source projects can potentially be affected by a 15-year-old unpatched Python vulnerability.

More than 350,000 open source projects can potentially be affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), that was discovered 15 years ago.

The issue is a directory traversal vulnerability that resides in the ‘extract’ and ‘extractall’ functions of the tarfile module in Python. A user-assisted remote attacker can trigger the issue to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, an issue related to CVE-2001-1267.

“While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559,” reads the post published by security firm Trellix. “The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.”

The experts pointed out that the issue was underestimated: it initially received a CVSS score of 6.8, but in most cases an attacker can exploit it to turn the arbitrary file write into code execution. Trellix shared a video PoC that shows how to get code execution by exploiting Universal Radio Hacker:

An attacker can exploit the flaw by uploading a specially crafted tar file whose entries escape the directory they are intended to be extracted to, and thereby achieve code execution.

“For an attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to. Python’s tarfile module lets us do exactly this:” continues the post.

Crafting a Malicious Archive (Source Trellix)

“The tarfile module lets users add a filter that can be used to parse and modify a file’s metadata before it is added to the tar archive. This enables attackers to create their exploits with as little as the 6 lines of code above.”
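As an added defensive example (not code from the Security Affairs post or from Trellix), the check below resolves every member's destination before extraction and refuses the whole archive if any entry, including a symlink or hardlink target, would land outside the target directory. The test archive is constructed in memory and carries a “../” member of the kind the post describes.

```python
import io
import os
import tarfile
import tempfile


def unsafe_members(tar, dest):
    """Return the names of members that would be written outside dest.

    Three shapes are flagged: a relative name that climbs out with "..",
    an absolute name, and a symlink or hardlink whose target resolves
    outside dest (a later member written through such a link also escapes).
    """
    dest_real = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(member.name)
            continue
        if member.issym():
            # A symlink target is relative to the directory holding the link.
            link_target = os.path.realpath(
                os.path.join(os.path.dirname(target), member.linkname))
        elif member.islnk():
            # A hardlink target is relative to the archive root.
            link_target = os.path.realpath(os.path.join(dest_real, member.linkname))
        else:
            continue
        if os.path.commonpath([dest_real, link_target]) != dest_real:
            bad.append(member.name)
    return bad


def safe_extractall(data, dest):
    """Extract an archive given as bytes into dest, refusing it entirely if
    any member fails the path check. Returns the extracted member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("refusing archive, unsafe members: " + ", ".join(bad))
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_archive(include_escape=True):
    """Constructed test archive (not a real-world sample). With
    include_escape=True it also carries a "../" member and a symlink that
    points above the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, content):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        add_file("data/ok.txt", b"benign content\n")
        inner = tarfile.TarInfo("data/inner_link")
        inner.type = tarfile.SYMTYPE
        inner.linkname = "ok.txt"  # stays inside data/
        tar.addfile(inner)
        if include_escape:
            add_file("../escape.txt", b"would land one level above dest\n")
            out = tarfile.TarInfo("data/link")
            out.type = tarfile.SYMTYPE
            out.linkname = "../../outside"  # resolves above dest
            tar.addfile(out)
    return buf.getvalue()


def rejects(data, dest):
    """True if safe_extractall refuses the archive."""
    try:
        safe_extractall(data, dest)
    except ValueError:
        return True
    return False


def demo():
    """Run the check on both constructed archives in a fresh temp directory."""
    dest = tempfile.mkdtemp()
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive()), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
    refused = rejects(build_sample_archive(), dest)
    extracted = safe_extractall(build_sample_archive(include_escape=False), dest)
    return bad, extracted, refused


if __name__ == "__main__":
    print(demo())
```

CPython 3.12 (and the 2023 security releases of 3.8 through 3.11) add a filter argument to extractall, and filter="data" rejects the same member shapes; the explicit check above is for interpreters without it.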

The researchers built Creosote, a Python script that recursively walks directories looking for .py files and analyzes each one it finds. The script is used to automatically check repositories for the vulnerability. Creosote outputs the list of files that may contain vulnerabilities, sorting them into three categories by confidence level (Vulnerable, Probably Vulnerable, Potentially Vulnerable).

Trellix added that running the Creosote tool revealed the vulnerability in the free and open-source scientific environment Spyder Python IDE and in Polemarch.

“As we have demonstrated above, this vulnerability is incredibly easy to exploit, requiring little to no knowledge about complicated security topics.” concludes the report. “Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a massive supply chain issue threatening infrastructure around the world.”



Pierluigi Paganini

(SecurityAffairs – hacking, Python)

The post A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects appeared first on Security Affairs.

Categories: Cyber Security News

IT Security Takeaways from the Wiseasy Hack

The Hacker News - Thu, 09/22/2022 - 09:12
Last month Tech Crunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals. How Did the Wiseasy Hack Happen? Wiseasy employees use a cloud-based dashboard for remotely
Categories: Cyber Security News

Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining campaign

Security Affairs - Thu, 09/22/2022 - 07:06
Threat actors are targeting unpatched Atlassian Confluence servers as part of an ongoing crypto mining campaign.

Trend Micro researchers warn of an ongoing crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 vulnerability.

The now-patched critical security flaw was disclosed by Atlassian in early June; at the time the company warned of a critical unpatched remote code execution vulnerability, affecting all supported Confluence Server and Data Center versions, that was being actively exploited in the wild.

“We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence. The gap is being abused for malicious cryptocurrency mining,” reads the post published by Trend Micro. “If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware.”

In one of the attacks spotted by the experts, threat actors exploited the flaw to inject an OGNL expression and download and run a shell script (“ro.sh”) on the victim’s machine. Then the script was used to fetch a second shell script (“ap.sh”).

The ap.sh shell script performs multiple actions, including updating the PATH variable to include the /tmp and /dev/shm paths, downloading the curl utility, and either disabling iptables or changing the firewall policy action to ACCEPT and flushing all the firewall rules.

The script also downloads a binary file named ko, which exploits the PwnKit vulnerability to escalate privileges to root; the binary in turn downloads the ap.sh shell script for the next actions.

The last stage of the attack chain consists of downloading the hezb malware and killing processes associated with competing coin miners.

The shell script also disables cloud service provider agents from Alibaba and Tencent, then performs lateral movement via SSH.

Threat actors were also spotted deploying additional malicious payloads, including Kinsing and the Dark.IoT malware.

“Although we have observed the abuse of this vulnerability for illicit cryptocurrency-mining activities by cybercriminals, we also urge users to prioritize patching this gap as soon as possible since it is fairly simple to exploit it for other subsequent compromises.” concludes the report. “Attackers could take advantage of injecting their own code for interpretation and gain access to the Confluence domain being targeted, as well as conduct attacks ranging from controlling the server for subsequent malicious activities to damaging the infrastructure itself.”



Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian Confluence)

The post Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining campaign appeared first on Security Affairs.

Categories: Cyber Security News

Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure

The Hacker News - Thu, 09/22/2022 - 06:40
Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. "Each virtual disk in Oracle's cloud has a unique identifier called OCID," Shir Tamari, head of research at Wiz, said in a series of tweets. "This identifier is not considered secret, and organizations do not treat it as
Categories: Cyber Security News

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

The Hacker News - Thu, 09/22/2022 - 05:17
As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management. The shortcoming,
Categories: Cyber Security News

Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners

The Hacker News - Thu, 09/22/2022 - 02:17
A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment
Categories: Cyber Security News

A disgruntled developer is the alleged source of the leak of the Lockbit 3.0 builder

Security Affairs - Thu, 09/22/2022 - 01:19
A disgruntled developer seems to be responsible for the leak of the builder for the latest encryptor of the LockBit ransomware gang.

The leak of the builder for the latest LockBit ransomware encryptor made the headlines; the person who published it appears to be a disgruntled developer.

The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 introduces new features such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.

The code of the encryptor was leaked on Twitter by at least a couple of accounts, @ali_qushji and @protonleaks1.

Unknown person @ali_qushji said his team has hacked the LockBit servers and found the possible builder of LockBit Black (3.0) Ransomware. You can check it on the GitHub repository https://t.co/wkaTaGA8y7 pic.twitter.com/cPSYipyIgs

— 3xp0rt (@3xp0rtblog) September 21, 2022

The builder is contained in a password-protected 7z archive, “LockBit3Builder.7z,” containing:

  • Build.bat;
  • builder.exe;
  • config.json;
  • keygen.exe.

Ali Qushji claims to have hacked the servers of the ransomware gang and stolen the ransomware encryptor.

Is the hack real?

BleepingComputer reported that the research team VX-Underground was informed by a representative of the LockBit operation that their infrastructure was not hacked. The representative added that the leak is the work of a disgruntled developer.

“We reached out to Lockbit ransomware group regarding this and discovered this leaker was a programmer employed by Lockbit ransomware group,” reads a now deleted tweet published by VX-Underground. “They were upset with Lockbit leadership and leaked the builder.”

The availability of the builder could allow any malicious actor to create their own version of the ransomware, customizing it by modifying the configuration file.



Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post A disgruntled developer is the alleged source of the leak of the Lockbit 3.0 builder appeared first on Security Affairs.

Categories: Cyber Security News

Over 39K unauthenticated Redis services on the internet targeted in cryptocurrency campaign

Security Affairs - Wed, 09/21/2022 - 11:45
Threat actors targeted tens of thousands of unauthenticated Redis servers exposed on the internet as part of a cryptocurrency mining campaign.

Redis is a popular open source data structure tool that can be used as an in-memory distributed database, message broker or cache. The tool is not designed to be exposed on the Internet; however, researchers spotted tens of thousands of Redis instances publicly accessible without authentication.

The researcher Victor Zhu detailed a Redis unauthorized access vulnerability that could be exploited to compromise Redis instances exposed online.

“Under certain conditions, if Redis runs with the root account (or not even), attackers can write an SSH public key file to the root account, directly logging on to the victim server through SSH. This may allow hackers to gain server privileges, delete or steal data, or even lead to an encryption extortion, critically endangering normal business services.” reads the post published by Zhu on September 11, 2022.

Now researchers from Censys are warning of tens of thousands of unauthenticated Redis servers exposed on the internet that are under attack.

Threat actors are targeting these instances to install a cryptocurrency miner.

“There are 39,405 unauthenticated Redis services out of 350,675 total Redis services on the public internet.” warns Censys. “Almost 50% of unauthenticated Redis services on the internet show signs of an attempted compromise.”

“The general idea behind this exploitation technique is to configure Redis to write its file-based database to a directory containing some method to authorize a user (like adding a key to ‘.ssh/authorized_keys’), or start a process (like adding a script to ‘/etc/cron.d’),” Censys adds.

The experts found evidence of the ongoing hacking campaign: threat actors attempted to store malicious crontab entries in the file “/var/spool/cron/root” using several Redis keys prefixed with the string “backup.” The crontab entries allowed the attackers to execute a shell script hosted on a remote server.

The shell script was designed to perform the following malicious actions:

  • Stops and disables any running security-related process
  • Stops and disables any running system monitoring processes
  • Removes and purges all system and security-related log files, including shell histories (e.g., .bash_history).
  • Adds a new SSH key to the root user’s authorized_keys file
  • Disables the iptables firewall
  • Installs several hacking and scanning tools such as “masscan”
  • Installs and runs the cryptocurrency mining application XMRig

The researchers used a recent list of unauthenticated Redis services running on TCP port 6379 to run a one-time scan that looked for the existence of the key “backup1” on every host. Censys found that out of the 31,239 unauthenticated Redis servers in this list, 15,526 hosts had this key set. These instances were targeted by threat actors with the technique described above.

Most of the Internet-exposed Redis servers are located in China (15.29%), followed by Germany (14.11%) and Singapore (12.43%).

“Still, this does not mean that there are over 15k compromised hosts. It is improbable that the conditions needed for this vulnerability to be successful are in place for every one of these hosts. The primary reason many of these attempts will fail is that the Redis service needs to be running as a user with the proper permissions to write to the directory “/var/spool/cron” (i.e., root).” concludes the report. “Although, this can be the case when running Redis inside a container (like docker), where the process might see itself running as root and allow the attacker to write these files. But in this case, only the container is affected, not the physical host.”

The report also includes a list of mitigations for these attacks.
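The audit below is an added example (not from the Censys report or the Security Affairs post) that flags, in a redis.conf, the settings that let the cron-file technique described above work against an instance: listening on a non-loopback address, protected mode switched off, no authentication, and a reachable CONFIG command. Both configuration texts are constructed for the example.

```python
import shlex

# Both configuration texts are constructed for this example.
WEAK_CONF = """
# Exposed shape: reachable from anywhere, no password, CONFIG available,
# so any client can point the RDB dump at /var/spool/cron or .ssh.
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Return redis.conf directives as (name, args) pairs in file order."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def audit_redis_conf(text):
    """Return (code, message) findings; an empty list means no weak setting found."""
    conf = parse_conf(text)

    def last(name):
        # Redis applies the last occurrence of a directive, so audit that one.
        matches = [args for n, args in conf if n == name]
        return matches[-1] if matches else None

    findings = []

    bind = last("bind")  # no bind directive at all means every interface
    # A leading "-" marks an address Redis may skip if it is absent at start-up.
    addrs = [a.lstrip("-") for a in bind] if bind else ["0.0.0.0"]
    if any(a not in LOOPBACK for a in addrs):
        findings.append(("exposed-bind",
                         "listens on non-loopback address(es): " + " ".join(addrs)))

    pm = last("protected-mode")
    if pm and pm[0].lower() == "no":
        findings.append(("protected-mode-off",
                         "protected-mode no: unauthenticated remote clients are accepted"))

    has_password = last("requirepass") is not None
    # Redis 6+ ACLs: a "user default" line with a >password also sets one,
    # while "nopass" explicitly removes it.
    for name, args in conf:
        if name == "user" and args and args[0] == "default":
            if "nopass" in args:
                has_password = False
            elif any(a.startswith(">") for a in args):
                has_password = True
    if not has_password:
        findings.append(("no-auth", "no requirepass or default-user password set"))

    config_disabled = any(
        name == "rename-command" and len(args) == 2
        and args[0].upper() == "CONFIG" and args[1] == ""
        for name, args in conf)
    if not config_disabled:
        # ACL rules (for example -@dangerous) can also block CONFIG; not checked here.
        findings.append(("config-command-enabled",
                         "CONFIG SET dir/dbfilename reachable: the RDB file can be "
                         "written to an attacker-chosen path"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

Even a clean audit does not cover the report's last point: whether the Redis process runs as root (or as root inside a container) is a property of the service unit, not of redis.conf.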



Pierluigi Paganini

(SecurityAffairs – hacking, mining)

The post Over 39K unauthenticated Redis services on the internet targeted in cryptocurrency campaign appeared first on Security Affairs.

Categories: Cyber Security News

Hackers stole $160 Million from Crypto market maker Wintermute

Security Affairs - Wed, 09/21/2022 - 10:54
Threat actors have stolen around $160 million worth of digital assets from crypto trading firm Wintermute.

Malicious actors continue to target organizations in the cryptocurrency industry; the latest victim is crypto trading firm Wintermute.

The company made the headlines after threat actors stole around $160 million worth of digital assets. The company confirmed that its services would be disrupted in the coming days, but pointed out that it is “solvent with twice over that amount in equity left.”

Threat actors breached the company and performed multiple transactions that transferred multiple cryptocurrencies to a wallet under their control.

The company states that the centralized finance (CeFi) and over-the-counter (OTC) operations have not been impacted by the security breach.

Below is a message shared by Wintermute founder Evgeny Gaevoy via Twitter:

We’ve been hacked for about $160M in our defi operations. Cefi and OTC operations are not affected

— wishful cynic (@EvgenyGaevoy) September 20, 2022

We are (still) open to treat this as a white hat, so if you are the attacker – get in touch

— wishful cynic (@EvgenyGaevoy) September 20, 2022

“If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after.” Gaevoy added.

“Out of 90 assets that have been hacked only two have been for notional over $1 million (and none more than $2.5M), so there shouldn’t be a major selloff of any sort. We will communicate with both affected teams asap”

The company did not disclose details about the attack; Gaevoy said it is open to negotiating a bounty with the attackers, who exploited a vulnerability in its platform.

Gaevoy is offering investors the opportunity to recall their loans if they want to.

Researchers speculate that the attacker likely exploited a vulnerability in Profanity, a tool that generates “vanity addresses” for digital cryptocurrency accounts.

“Wintermute had been using Profanity not to create easy-to-remember names for digital accounts, but to lower its trading transaction costs, since that’s another feature of Profanity’s service, Gaevoy says. When Wintermute learned of the vulnerability last week, they took steps to technologically “blacklist” their Profanity accounts, shielding them from being liquidated.” reported Forbes. “However, due to their own “human error,” one of the 10 accounts didn’t get blacklisted, according to Gaevoy, which probably resulted in the $160 million heist.”



Pierluigi Paganini

(SecurityAffairs – hacking, security breach)

The post Hackers stole $160 Million from Crypto market maker Wintermute appeared first on Security Affairs.

Categories: Cyber Security News

Over 39,000 Unauthenticated Redis Instances Found Exposed on the Internet

The Hacker News - Wed, 09/21/2022 - 09:38
An unknown attacker targeted tens of thousands of unauthenticated Redis servers exposed on the internet in an attempt to install a cryptocurrency miner. It's not immediately known if all of these hosts were successfully compromised. Nonetheless, it was made possible by means of a "lesser-known technique" designed to trick the servers into writing data to arbitrary files – a case of unauthorized
Categories: Cyber Security News

Crypto Trading Firm Wintermute Loses $160 Million in Hacking Incident

The Hacker News - Wed, 09/21/2022 - 08:21
In what's the latest crypto heist to target the decentralized finance (DeFi) space, hackers have stolen digital assets worth around $160 million from crypto trading firm Wintermute. The hack involved a series of unauthorized transactions that transferred USD Coin, Binance USD, Tether USD, Wrapped ETH, and 66 other cryptocurrencies to the attacker's wallet. The company said that its centralized
Categories: Cyber Security News

U.S. gov adds more Chinese Telecom firms to the Covered List

Security Affairs - Wed, 09/21/2022 - 08:18
The U.S. Federal Communications Commission (FCC) has added more Chinese telecom firms to the Covered List.

The U.S. Federal Communications Commission (FCC) has added Pacific Network Corp, ComNet (USA) LLC, and China Unicom (Americas) Operations Limited, to the Covered List.

The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.

These letters explain that the above companies are subject to the exploitation, influence and control of the Chinese government, and the national security risks associated with such exploitation, influence, and control.

The US government believes Beijing could force the companies to conduct malicious activities, such as intercepting and misrouting communications, to gather intelligence against the U.S.

“The FCC’s Public Safety and Homeland Security Bureau today added equipment and services from two entities – Pacific Network Corp. and its wholly-owned subsidiary ComNet (USA) LLC and China Unicom (Americas) Operations Limited – to its list of communications equipment and services that have been deemed a threat to national security.” reads the announcement published by the FCC. “Today we take another critical step to protect our communications networks from foreign national security threats,” said Chairwoman Jessica Rosenworcel. “Earlier this year the FCC revoked China Unicom America’s and PacNet/ComNet’s authorities to provide service in the United States because of the national security risks they posed to communications in the United States. Now, working with our national security partners, we are taking additional action to close the door to these companies by adding them to the FCC’s Covered List. This action demonstrates our whole-of-government effort to protect network security and privacy.”

The Executive Branch entities warn that PacNet/ComNet’s interconnections to U.S. telecommunications networks and customers could be exploited by China to conduct or to increase economic espionage and collect intelligence against the United States, or “otherwise provide a strategic capability to target, collect, alter, block, and re-route network traffic.”

In March 2022, the Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List saying that they pose unacceptable risks to U.S. national security.

The US commission also added Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list. Below is the list of Covered Equipment or Services added on March 25, 2022:

  • Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.
  • International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934.
  • Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934.

The Covered List also includes other Chinese companies, such as Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company.



Pierluigi Paganini

(SecurityAffairs – hacking, Covered List)

The post U.S. gov adds more Chinese Telecom firms to the Covered List appeared first on Security Affairs.

Categories: Cyber Security News

Why Zero Trust Should be the Foundation of Your Cybersecurity Ecosystem

The Hacker News - Wed, 09/21/2022 - 08:00
For cybersecurity professionals, it is a huge challenge to separate the “good guys” from the “villains”. In the past, most cyberattacks could simply be traced to external cybercriminals, cyberterrorists, or rogue nation-states. But not anymore. Threats from within organizations – also known as “insider threats” – are increasing and cybersecurity practitioners are feeling the pain.  Traditional
Categories: Cyber Security News

U.S. Adds 2 More Chinese Telecom Firms to National Security Threat List

The Hacker News - Wed, 09/21/2022 - 06:54
The U.S. Federal Communications Commission (FCC) has added Pacific Network Corp, along with its subsidiary ComNet (USA) LLC, and China Unicom (Americas) Operations Limited, to the list of communications equipment and services that have been deemed a threat to national security. The agency said the companies are subject to the Chinese government's exploitation, influence, and control, and could
Categories: Cyber Security News

Imperva blocked a record DDoS attack with 25.3 billion requests

Security Affairs - Wed, 09/21/2022 - 05:15
Cybersecurity company Imperva announced it has mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests.

Cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests on June 27, 2022. According to the experts, the attack marks a new record for Imperva’s application DDoS mitigation solution.

The attack targeted an unnamed Chinese telecommunications company and stands out for its duration: it lasted more than four hours and peaked at 3.9 million RPS.

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution,” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had already been targeted by large attacks in the past, and the experts added that two days later a new, shorter DDoS attack hit its website.

The average rate for this record-breaking attack was 1.8 million RPS. Threat actors used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections.

The technique employed by the attackers is difficult to detect and can bring down targets using a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This specific attack was launched by a botnet composed of almost 170,000 different IPs, including routers, security cameras and compromised servers. The compromised devices are located in over 180 countries, most of them in the US, Indonesia, and Brazil.

On Monday, September 12, 2022, Akamai mitigated the largest DDoS attack it had ever recorded, which hit one of its European customers. The malicious traffic peaked at 704.8 Mpps and appears to originate from the same threat actor behind the previous record that Akamai blocked in July, which hit the same customer.



Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)

The post Imperva blocked a record DDoS attack with 25.3 billion requests appeared first on Security Affairs.

Categories: Cyber Security News

Fundamentals of analyzing malicious software (malware)

Niebezpiecznik.pl - Wed, 09/21/2022 - 04:10
Despite regular phishing attacks, malicious software is doing well. And unfortunately malware often wreaks havoc on corporate computers. How do you know whether a piece of software is malicious? How do you determine what a given application does after it is launched, which files it looks into, which information it copies, and whether it sends it to some external servers? We will answer these questions on Friday (September 23) at […]
