Feed aggregator

PCSpoof: New Vulnerability Affects Networking Tech Used by Spacecraft and Aircraft

The Hacker News - Tue, 11/15/2022 - 11:33
Credit: Marina Minkin A novel attack method has been disclosed against a crucial piece of technology called time-triggered ethernet (TTE) that's used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft. Dubbed PCspooF by a group of academics and researchers from the University of Michigan, the University of Pennsylvania, and the NASA
Categories: Cyber Security News

Experts revealed details of critical SQLi and access issues in Zendesk Explore

Security Affairs - Tue, 11/15/2022 - 11:16
Researchers disclosed technical details of critical SQLi and access vulnerabilities in the Zendesk Explore Service.

Cybersecurity researchers at Varonis disclosed technical details of critical SQLi and access vulnerabilities impacting the Zendesk Explore service. Zendesk Explore allows organizations to view and analyze key information about their customers, and their support resources.

The flaws would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts that have the Explore service enabled. The experts are not aware of attacks in the wild.

“To exploit the vulnerability, an attacker would first register for the ticketing service of its victim’s Zendesk account as a new external user. Registration is enabled by default because many Zendesk customers rely on end-users submitting support tickets directly via the web.” reads the advisory published by Varonis. “Zendesk Explore is not enabled by default but is heavily advertised as a requirement for the analytic insights page.”

Varonis reported the flaws to Zendesk which started working on a fix the same day they were reported. The company addressed multiple vulnerabilities in less than one workweek.

In order to exploit these flaws, an attacker has to register for the ticketing service of the target’s Zendesk account as a new external user. The experts highlighted that this is a feature that’s likely enabled by default to allow end-users to submit support tickets.

The SQL injection vulnerability resides in the GraphQL API execute-query; an attacker can abuse it to exfiltrate, as an admin user, all the information stored in the database (email addresses of users, leads, and deals from the CRM, live agent conversations, tickets, help center articles, and more).

The second critical issue is a logic access flaw associated with a query execution API. The researchers pointed out that the execute-query API did not perform the following logical checks:

  1. The integrity of documents was not checked, allowing our team to modify them in ways that exposed the inner workings of the system.
  2. “query,” “datasources,” and “cubeModels” IDs were not evaluated to see if they belonged to the current user.
  3. Finally, and most critically, the API endpoint did not verify that the caller had permission to access the database and execute queries. This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required.
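As an added illustration, not Varonis's or Zendesk's code, the following hypothetical execute-query handler in Python performs the three checks the researchers found missing: a server-side MAC over the query document (integrity), ownership checks on the "query", "datasources" and "cubeModels" IDs, and a permission check before anything is executed. All names, keys, roles and sample documents are constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical server-side key; in a real deployment this would come from a secret store.
SERVER_KEY = b"constructed-server-secret"

# Constructed ownership registry: which account each object id belongs to.
OWNERS = {
    "query": {"q-1": "agent-42", "q-2": "agent-7"},
    "datasources": {"ds-1": "agent-42", "ds-2": "agent-7"},
    "cubeModels": {"cm-1": "agent-42"},
}

# Constructed role table: a self-registered end-user must never reach query execution.
ROLES = {"agent-42": "agent", "agent-7": "agent", "enduser-99": "end-user"}
ROLES_ALLOWED_TO_EXECUTE = {"agent"}


class AuthzError(Exception):
    """Raised when any of the three checks fails; the query is never executed."""


def _canonical(doc: dict) -> bytes:
    # Deterministic serialisation so the MAC does not depend on key order.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign_document(doc: dict) -> str:
    """MAC issued by the server when it hands a query document to the client.
    The client cannot forge it without SERVER_KEY."""
    return hmac.new(SERVER_KEY, _canonical(doc), hashlib.sha256).hexdigest()


def execute_query(caller: str, doc: dict, signature: str) -> str:
    # Check 3 (most critical): the caller needs the execute permission at all.
    if ROLES.get(caller) not in ROLES_ALLOWED_TO_EXECUTE:
        raise AuthzError("caller is not permitted to execute queries")

    # Check 1: document integrity; a document edited client-side fails the MAC.
    if not hmac.compare_digest(sign_document(doc), signature):
        raise AuthzError("query document has been modified")

    # Check 2: every referenced id must belong to the caller (no cross-account access).
    for kind in ("query", "datasources", "cubeModels"):
        for obj_id in doc.get(kind, []):
            if OWNERS[kind].get(obj_id) != caller:
                raise AuthzError(f"{kind} id {obj_id!r} is not owned by {caller!r}")

    # Placeholder for the real execution step; only reached when all checks pass.
    return f"executed {doc['query'][0]} for {caller}"


def check_request(caller: str, doc: dict, signature: str) -> str:
    """Convenience wrapper: 'ok' when execution would proceed, else the refusal reason."""
    try:
        execute_query(caller, doc, signature)
        return "ok"
    except AuthzError as err:
        return str(err)


# Constructed sample: a legitimate document issued to agent-42, plus a tampered copy
# in which another account's datasource id has been swapped in client-side.
SAMPLE_DOC = {"query": ["q-1"], "datasources": ["ds-1"], "cubeModels": ["cm-1"],
              "filters": {"status": "open"}}
SAMPLE_SIG = sign_document(SAMPLE_DOC)
TAMPERED_DOC = dict(SAMPLE_DOC, datasources=["ds-2"])

if __name__ == "__main__":
    print(check_request("agent-42", SAMPLE_DOC, SAMPLE_SIG))    # ok
    print(check_request("enduser-99", SAMPLE_DOC, SAMPLE_SIG))  # caller is not permitted to execute queries
    print(check_request("agent-42", TAMPERED_DOC, SAMPLE_SIG))  # query document has been modified
    print(check_request("agent-7", SAMPLE_DOC, SAMPLE_SIG))     # query id 'q-1' is not owned by 'agent-7'
```

The order of the checks matters: the permission check runs first so that an unprivileged end-user is refused before the server spends any effort validating the document.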

Varonis reported the issues to Zendesk on August 30 and the company addressed it on September 8, 2022.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon


Pierluigi Paganini

(SecurityAffairs – hacking, Zendesk Explore)

The post Experts revealed details of critical SQLi and access issues in Zendesk Explore appeared first on Security Affairs.

Categories: Cyber Security News

China-linked APT Billbug breached a certificate authority in Asia

Security Affairs - Tue, 11/15/2022 - 09:08
A suspected China-linked APT group breached a digital certificate authority in Asia as part of a campaign aimed at government agencies since March 2022.

State-sponsored actors compromised a digital certificate authority in a country in Asia as part of a cyber espionage campaign aimed at multiple government agencies in the region, Symantec warns.

Symantec attributes the attack to a China-linked cyberespionage group tracked as Billbug (aka Lotus Blossom, Thrip). The attribution is based on the use of tools previously attributed to this APT group.

In 2019 Symantec researchers reported that the group was using the backdoors Hannotog (Backdoor.Hannotog) and Sagerunex (Backdoor.Sagerunex), which were both used in the recent campaign.

“The victims in this campaign included a certificate authority, as well as government and defense agencies.” reads the report published by Symantec. “All the victims were based in various countries in Asia. Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers.”

The compromise of a certificate authority could allow attackers to issue valid code-signing certificates that could be used to sign malware and evade detection. Compromised certificates can also be used to intercept HTTPS traffic.

The good news is that Symantec has seen no evidence to suggest the attackers were able to compromise digital certificates. The security firm notified the certificate authority of the malicious activity.

The campaign has been ongoing since at least March 2022.

The analysis of the attack chain suggests that the attackers are exploiting public-facing applications to gain initial access to victim networks.

The threat actors make heavy use of dual-use and living-off-the-land tools, as well as custom malware. Below is a list of tools used by this APT group:

  • AdFind – A publicly available tool that is used to query Active Directory. It has legitimate uses but is widely used by attackers to help map a network.
  • Winmail – Can open winmail.dat files.
  • WinRAR – An archive manager that can be used to archive or zip files – for example, prior to exfiltration.
  • Ping – A tool that is freely available online that can allow users to determine if a specific location on a network is responding.
  • Tracert – A network tool that can be used to determine the “path” packets take from one IP address to another. It provides the hostname, IP address, and the response time to a ping.
  • Route – A path for sending packets through the internet network to an address on another network.
  • NBTscan – Open-source command-line NetBIOS scanner.
  • Certutil – Microsoft Windows utility that can be used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates.
  • Port Scanner – Allows an attacker to determine what ports are open on a network and could potentially be used to send and receive data.

The APT group also used an open source multi-level proxy tool called Stowaway to proxy external traffic to the intranet.

Cobalt Strike, which is a penetration testing framework, is considered commodity malware by many due to how often it is used by malicious actors.

“The targeting of the government victims is most likely driven by espionage motivations, with the certificate authority likely targeted in order to steal legitimate digital certificates, as mentioned in the introduction.” the researchers concluded. “The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns.”



Pierluigi Paganini

(SecurityAffairs – hacking, certificate authority)

The post China-linked APT Billbug breached a certificate authority in Asia appeared first on Security Affairs.

Categories: Cyber Security News

Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service

The Hacker News - Tue, 11/15/2022 - 08:49
Cybersecurity researchers have disclosed details of now-patched flaws in Zendesk Explore that could have been exploited by an attacker to gain unauthorized access to information from customer accounts that have the feature turned on. "Before it was patched, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk
Categories: Cyber Security News

Deep Packet Inspection vs. Metadata Analysis of Network Detection & Response (NDR) Solutions

The Hacker News - Tue, 11/15/2022 - 07:58
Today, most Network Detection and Response (NDR) solutions rely on traffic mirroring and Deep Packet Inspection (DPI). Traffic mirroring is typically deployed on a single-core switch to provide a copy of the network traffic to a sensor that uses DPI to thoroughly analyze the payload. While this approach provides detailed analysis, it requires large amounts of processing power and is blind when
Categories: Cyber Security News

Researchers Say China State-backed Hackers Breached a Digital Certificate Authority

The Hacker News - Tue, 11/15/2022 - 06:03
A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022. Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The
Categories: Cyber Security News

Google to Pay a record $391M fine for misleading users about the collection of location data

Security Affairs - Tue, 11/15/2022 - 05:16
Google is going to pay $391.5 million to settle with 40 states in the U.S. for secretly collecting personal location data.

Google has agreed to pay $391.5 million to settle with 40 US states for misleading users about the collection of personal location data. The settlement is the largest attorney general-led consumer privacy settlement ever, states the announcement published by DoJ.

“Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information. In addition to the multimillion-dollar settlement, as part of the negotiations with the AGs, Google has agreed to significantly improve its location tracking disclosures and user controls starting in 2023.” reads the DoJ’s press release.

Oregon Attorney General Ellen Rosenblum, who led the settlement along with Nebraska AG Doug Peterson, pointed out that for years Google has prioritized profit over their users’ privacy.

The authorities started the investigation into Google’s collection practices following a 2018 Associated Press article that revealed Google “records your movements even when you explicitly tell it not to.”

According to the article, there are two settings responsible for the location data collection, the “Location History” and “Web & App Activity”. The former is “off” by default while the latter is automatically enabled when users set up a Google account, including all Android users.

Location data represents the core of the IT giant’s digital advertising business. However, location data can be used to expose a person’s identity and routines, and even to infer personal details.

Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014. Google confused its users about the use of the account and device settings to limit Google’s location tracking.

The settlement requires Google to be more transparent about its practices. In particular, Google must:

  1. Show additional information to users whenever they turn a location-related account setting “on” or “off”;
  2. Make key information about location tracking unavoidable for users (i.e., not hidden); and
  3. Give users detailed information about the types of location data Google collects and how it’s used at an enhanced “Location Technologies” webpage.

Following the settlement, Google announced it has introduced more transparency and tools to help users manage their data and minimize the data it collects. Below are the measures announced by the company:

  • Launched auto-delete controls, a first in the industry, and turned them on by default for all new users, giving you the ability to automatically delete data on a rolling basis and only keep 3, 18 or 36 months worth of data at a time.
  • Developed easy-to-understand settings like Incognito mode on Google Maps, preventing searches or places you navigate to from being saved to your account.
  • Introduced more transparency tools, including Your Data in Maps and Search, which lets you quickly access your key location settings right from our core products.



Pierluigi Paganini

(SecurityAffairs – hacking, privacy)

The post Google to Pay a record $391M fine for misleading users about the collection of location data appeared first on Security Affairs.

Categories: Cyber Security News

Previously undetected Earth Longzhi APT group is a subgroup of APT41

Security Affairs - Tue, 11/15/2022 - 03:46
Trend Micro reported that the Earth Longzhi group, a previously undocumented subgroup of APT41, targets Ukraine and Asian Countries.

Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis revealed that the same threat actor targeted multiple regions using a similar Cobalt Strike loader and has been active since 2020. The experts attributed the attacks to a new subgroup of the China-linked APT41 group, tracked as Earth Longzhi.

The researchers analyzed two campaigns attributed to Earth Longzhi; the first one, conducted between 2020 and 2021, targeted the government, infrastructure, and health industries in Taiwan and the banking sector in China. The second campaign, from 2021 to 2022, targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

The new APT group used spear-phishing emails as an attack vector to deliver Earth Longzhi’s malware. The malware was embedded in a password-protected archive attached to the messages. In other cases, attackers shared a link to a Google Drive hosting a password-protected archive containing a Cobalt Strike loader called CroxLoader.

In another attack scenario, the group exploited publicly available applications to deploy and execute a downloader, which downloads a shellcode loader and the necessary hack tools for the routine.

The researchers noticed that the new APT targets organizations that in the past were hit by another group of APT41 known as Earth Baku.

“After checking all the metadata of the Cobalt Strike payloads, we found that most of payloads shared the same watermark, 426352781, and public key 9ee3e0425ade426af0cb07094aa29ebc. This watermark and public key combination is also used by Earth Baku and GroupCC, which are also believed to be subgroups of APT41. The identified watermark has not yet been attributed to other threat actors.” reads the analysis published by Trend Micro. “The use of the same watermark and public key indicates Earth Longzhi shares the Cobalt Strike team server, as well as Cobalt Strike package and license with the other APT41 subgroups.”

The investigation into the second campaign revealed that the Earth Longzhi APT used multiple custom versions of known hacking tools for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (a custom standalone Mimikatz), and disabling security products. Instead of using public tools as they are, the threat actors reimplement or develop their own tools based on open-source projects.

“In the process of attribution, we also discovered that the group uses shared Cobalt Strike licenses and imitates the TTPs used with other APT41 subgroups.” concludes the report. “The behavior of sharing tools between different groups could point to the following circumstances:

  1. These threat actors are no longer static groups. Although the organizational structure will keep changing from time to time, the tools will be inherited by the subsequent newly organized groups.
  2. The tool developers and campaign operators share the tools with their collaborator groups.”



Pierluigi Paganini

(SecurityAffairs – hacking, Earth Longzhi)

The post Previously undetected Earth Longzhi APT group is a subgroup of APT41 appeared first on Security Affairs.

Categories: Cyber Security News

Avast details Worok espionage group’s compromise chain

Security Affairs - Tue, 11/15/2022 - 03:33
Cyber espionage group Worok abuses the Dropbox API to exfiltrate data using a backdoor hidden in apparently innocuous image files.

Researchers from cybersecurity firm Avast observed the recently discovered espionage group Worok abusing the Dropbox API to exfiltrate data using a backdoor hidden in apparently innocuous image files.

The experts started their investigation from the analysis published by ESET on attacks against organizations and local governments in Asia and Africa. Avast experts were able to capture several PNG files embedding a data-stealing payload. They pointed out that data collected from victims’ machines is stored in a DropBox repository, and that the attackers use the DropBox API to communicate with the final stage.

Avast experts shed light on the compromise chain, detailing how the attackers initially deployed the first-stage malware, tracked as CLRLoader, which loads the next-stage payload, PNGLoader.

“PNGLoader is a loader that extracts bytes from PNG files and reconstructs them into an executable code. PNGLoader is a .NET DLL file obfuscated utilizing .NET Reactor; the file description provides information that mimics legitimate software such as Jscript Profiler or Transfer Service Proxy.” reads the report published by Avast. “The deobfuscated PNGLoader code includes the entry point (Setfilter) invoked by CLRLoader.”

The malicious code is believed to be deployed by exploiting the ProxyShell vulnerabilities. The attackers then used publicly available exploit tools to deploy their custom malicious tools.

The experts found two variants of PNGLoad, both used to decode the malicious code hidden in the image and run a PowerShell script or a .NET C#-based payload.

The PowerShell script has continued to be elusive, although the cybersecurity company noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.

“At first glance, the PNG pictures look innocent, like a fluffy cloud,” Avast said.

Avast extends the compromise chain detailed by ESET with the discovery of a .NET C# payload that they tracked as DropBoxControl, which represents a third stage.

DropboxControl is an information-stealing backdoor that abuses the DropBox service for C2 communication.

“Noteworthy, the C&C server is a DropBox account, and whole communications, such as commands, uploads, and downloads, are performed using regular files in specific folders. Therefore, the backdoor commands are represented as files with a defined extension. DropBoxControl periodically checks the DropBox folder and executes commands based on the request files.” continues the report. “The response for each command is also uploaded to the DropBox folder as the result file.”

The backdoor can run arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate metadata.

According to Avast, DropboxControl was not developed by the author of CLRLoad and PNGLoad, because of significant differences in the source code and its quality.

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The steganographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails.” concludes AVAST. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”



Pierluigi Paganini

(SecurityAffairs – hacking, Worok)

The post Avast details Worok espionage group’s compromise chain appeared first on Security Affairs.

Categories: Cyber Security News

Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location

The Hacker News - Tue, 11/15/2022 - 01:11
Internet giant Google has agreed to pay a record $391.5 million to settle with 40 states in the U.S. over charges the company misled users about the collection of personal location data. "Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information," Oregon Attorney General Ellen
Categories: Cyber Security News

Another fake ad on Google, this time for MSI Afterburner

Sekurak.pl - Mon, 11/14/2022 - 18:00

We recently wrote about the fake GIMP and the fake DBeaver. This time, on our Facebook group, our colleague Michał shared an observation about another fake-ad attack, in which criminals buy an ad in the search engine and get a fake site positioned in first place. In this case the tool being impersonated was MSI Afterburner,...

The article Another fake ad on Google, this time for MSI Afterburner originally appeared on Sekurak.

Massive Black hat SEO campaign used +15K WordPress sites

Security Affairs - Mon, 11/14/2022 - 10:53
Experts warn of a malicious SEO campaign that has compromised over 15,000 WordPress websites to redirect visitors to fake Q&A portals.

Since September 2022, researchers from security firm Sucuri have tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. The campaign’s end goal appears to be black hat SEO aimed at increasing the reputation of the attacker’s sites.

The Sucuri SiteCheck scanner has detected redirects on over 2,500 sites during September and October, while PublicWWW results show nearly 15,000 websites affected by this malware. 

“What makes this campaign especially unusual is that attackers are found to be promoting a handful of fake low quality Q&A sites.” reads the analysis published by Sucuri. “Some website malware infections limit themselves to a small number of files, often to limit their footprint and avoid detection. This malware is the opposite — with on average over 100 files infected per website.”

Experts noticed that the threat actor behind this campaign modifies on average over 100 files per infected website. The attackers mainly modify core WordPress files, along with malicious .php files created by other, unrelated malware campaigns.

Below is the list of the top 10 most commonly infected files.

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Sucuri experts explained that if the malware does not detect a logged-in user or a login attempt, it injects the malicious JavaScript code.

Experts observed two redirect techniques:

  • A combination of window.location.href and meta refresh redirects;
  • Attackers save information about the redirect in the visitor’s browser localStorage to avoid redirecting more than once in 2 or 6 hours, depending on the variant used. The value is hardcoded in the allowedHours variable.

In both scenarios, the malware first redirects to .png files, then uses window.location.href to redirect to a Google search result URL for a spam domain under the attackers’ control.

The spam sites are populated with various questions and answers scraped from other Q&A sites.

Sucuri experts have yet to discover how the WordPress websites employed in the campaign have been hacked.

“It’s possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results. This technique artificially sends Google signals that those pages are performing well in search.” concludes the report.

“If this is the case, it’s a pretty clever black hat SEO trick that we’ve rarely seen used in massive hack campaigns. However, its effect is questionable given that Google will be getting lots of “clicks” on search results without any actual searches being performed. This black hat SEO theory is also backed by the fact that the second level domains of the Q&A sites seem to belong to the same people. The hosted websites use similar templates and pretty low quality content (mostly in Arabic language) that is either scraped from some other sites or created for search engines rather than real humans.”


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

The post Massive Black hat SEO campaign used +15K WordPress sites appeared first on Security Affairs.

Categories: Cyber Security News

New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders

The Hacker News - Mon, 11/14/2022 - 08:03
Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT). Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims
Categories: Cyber Security News

KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks

Security Affairs - Mon, 11/14/2022 - 07:52
Researchers spotted a new evasive malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak credentials.

Akamai Security Research discovered a new evasive Golang-based malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak login credentials.

The malware was employed in cryptocurrency mining campaigns and to launch distributed denial-of-service (DDoS) attacks. KmsdBot supports multiple architectures, including Winx86, Arm64, mips64, and x86_64, and does not maintain persistence, to avoid detection.

The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.

“we found an interesting log entry: A cryptominer with distributed denial-of-service (DDoS) functionality tailored to the gaming industry. It’s not often we see these types of botnets actively attacking and spreading, especially ones written in Golang.” reads the post published by Akamai. “The targets range from gaming companies to luxury car brands to security companies — this malware is almost erratic with regard to its targets.”

The analysis of the ksmdx sample reveals functions to perform scanning operations, software updates and cryptomining activities.

Once a system has been infected, the ksmdx binary notifies the C2 by sending it an HTTP POST request carrying the notification ‘Bruh Started:’.

The bot downloads a list of login credentials to use when it scans for open SSH ports.

When analyzing the cryptomining activity, the experts noticed that operators used crypto wallets allegedly chosen randomly to contribute to various mining pools. 

The bot does not implement its own cryptomining functionality; it actually launches a renamed xmrig binary.

“This botnet is a great example of the complexity of security and how much it evolves. What seems to have started as a bot for a game app has pivoted into attacking large luxury brands. What’s new is how it infects — via an SSH connection that uses weak login credentials.” concludes the report. “The good news is that the same techniques we recommend to keep most organizations’ systems and networks secure still apply here. 

  • Don’t use weak or default credentials for servers or deployed applications. 
  • Ensure you’re keeping those deployed applications up-to-date with the latest security patches, and check in on them from time to time.  
  • Use public key authentication for your SSH connections. This is the best way to prevent this type of system compromise.”


Pierluigi Paganini

(SecurityAffairs – hacking, KmsdBot)

The post KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks appeared first on Security Affairs.

Categories: Cyber Security News

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

The Hacker News - Mon, 11/14/2022 - 05:45
A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals. "These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin said in a report published last week, calling it a "clever black hat SEO trick." The search engine poisoning technique
Categories: Cyber Security News

What is an External Penetration Test?

The Hacker News - Mon, 11/14/2022 - 05:30
A penetration test (also known as a pentest) is a security assessment that simulates the activities of real-world attackers to identify security holes in your IT systems or applications.  The aim of the test is to understand what vulnerabilities you have, how they could be exploited, and what the impact would be if an attacker was successful. Usually performed first, an external pentest (also
Categories: Cyber Security News

CERT-UA warns of multiple Somnia ransomware attacks against organizations in Ukraine

Security Affairs - Mon, 11/14/2022 - 04:18
Russian threat actors employed a new ransomware family called Somnia in attacks against multiple organizations in Ukraine.

The Government Computer Emergency Response Team of Ukraine (CERT-UA) is investigating multiple attacks against organizations in Ukraine that involved a new piece of ransomware called Somnia.

Government experts attribute the attacks to the group ‘From Russia with Love’ (FRwL) (aka Z-Team, UAC-0118), which is believed to be a group of Pro-Russia hacktivists.

“FRwL (aka Z-Team), whose activity is monitored by CERT-UA under the identifier UAC-0118, took responsibility for the unauthorized intervention in the operation of automated systems and electronic computing machines of the target of the attack.” reads the advisory published by CERT-UA.

“The investigation found that the initial compromise occurred as a result of downloading and running a file that mimicked the “Advanced IP Scanner” software, but actually contained the Vidar malware.”

According to the alert, the Ukrainian organization was initially breached by an initial access broker, which then transferred the compromised data to the FRwL group that used it to carry out a cyber attack.

The “Advanced IP Scanner” software used as bait actually contained the Vidar malware, which is a data-stealing malware that is also able to capture Telegram session data and take over the victim’s account. 

Then the threat actors abused the victim’s Telegram account to steal VPN configuration data (authentication and certificates). If the VPN accounts aren’t protected with two-factor authentication, threat actors can use a VPN connection to gain an unauthorized connection to the corporate network. 

Once they had obtained access to the target network, the attackers conducted reconnaissance using tools like Netscan and deployed Cobalt Strike Beacons before exfiltrating data.

It is important to highlight that the threat actors behind the Somnia attacks do not demand a ransom payment; their operations aim to disrupt the target’s networks.

CERT-UA also reported that the Somnia malware is evolving. The first version of the malware used the symmetric 3DES algorithm, while the second one used the AES algorithm. 

“Note that the Somnia malware has also undergone changes. The first version of the program used the symmetric 3DES algorithm. In the second version, the AES algorithm is implemented; at the same time, taking into account the dynamics of the key and the initialization vector, this version of Somnia, according to the attackers’ theoretical plan, does not provide for the possibility of data decryption.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Somnia)

The post CERT-UA warns of multiple Somnia ransomware attacks against organizations in Ukraine appeared first on Security Affairs.

Categories: Cyber Security News

Have board directors any liability for a cyberattack against their company?

Security Affairs - Mon, 11/14/2022 - 04:12
Are the directors of a company hit by a cyberattack liable for negligence in failing to take steps to limit the risk?

As the risk of a cyberattack grows, it is pivotal to consider whether the directors of a company hit by a ransomware attack, for example, can bear any liability for negligence in failing to take steps to limit the risk.

During the past few weeks, I had the pleasure of running a presentation on how to deal with the risk of ransomware cyberattacks on corporations for the benefit of members of the “In the Boardroom” training course dedicated to professionals who are or aspire to become board members of publicly traded companies.  As part of the presentation, we tried to give practical guidance and shared some “lessons learned” from previous cyberattacks.  And the number of questions showed how relevant the issue, and the possible liability for directors, is.

This article aims to provide recommendations to directors of listed and unlisted companies on actions to take in advance, during, and after a cyberattack.

The size of the cyber risk to companies cannot be underestimated

To give an idea of the size of the cyber risk to companies: there is, on average, a cyber-attack every 39 seconds.  This does not mean that every attack is successful, but that there is an attempt to access companies’ computer systems with that frequency.

According to research conducted by IBM, the average cost to companies of a data breach in 2022 is US$ 4.35 million, which increases to US$ 4.54 million in the case of ransomware attacks.  Of course, this amount is simply an estimate, and the average cost is higher in certain jurisdictions, such as the United States, where it is close to US$ 10 million, while in Italy, it is in line with the average.

Based on my experience, this estimate is even optimistic when considering cases where the company’s business is global.  In addition, the cost depends on the time it takes to identify abusive access to computer systems, which on average is more than six months.  If the identification time is longer, more data have been exfiltrated until the access has been identified.  And this often happens when the hacker, the so-called threat actor, starts encrypting the computer systems.

Moreover, the operational consequences of a cyber attack should not only be analyzed in terms of compromising the personal data of its customers and employees.  Encrypting computer systems can bring business operations to a standstill, partly because attacks usually occur when the company is least ready to respond (e.g., at Christmas, during the summer, and on weekends).  If encrypted data cannot be restored, the production line, stores, eCommerce sites, and all business operations are brought to a standstill, and there may even be a problem with the reliability of the company’s balance sheet, not to mention the possible reputational damage that can lead to loss of customers.

Added to that, there is the risk of penalties and fines (which are not insurable in most jurisdictions) not only under privacy and data protection regulations but also on the basis of the cybersecurity regulations that are now proliferating.  There have not been many class actions in Europe for cyberattacks, but if the attack impacts customers located in, for example, California, the risk of a class action is high.  Furthermore, serial civil actions by individuals whose data has been compromised by a data breach are increasing exponentially in Europe too, backed up by law firms with success fee arrangements in place.

What obligations and liabilities do directors have to prevent a cyberattack?

Given the scale of cyber risk to companies, the board of directors of companies, especially in the case of publicly traded companies, must monitor the actions taken by the company to prevent a cyberattack and promptly take corrective action.

Unfortunately, in some cases this does not happen.  Partly due to the costs of the pandemic, but more generally due to other overriding priorities, some companies sometimes

  • do not conduct periodic penetration tests and analyses of the state of maturity of the technical and organizational measures taken to reduce cyber risk;
  • when these analyses flag weaknesses, do not handle them immediately but add them to a “to-do list” without a specific deadline in the short term; and
  • rely on an incident response plan that has not been tested and, therefore, may not function properly in the event of an attack.

It is not just a matter of recommending investments in security measures, because 95% of cyber attacks occur because of human error.  For example, an employee who clicks on a phishing e-mail, always uses the same authentication credentials for work and private accounts, or connects corporate devices to USB sticks or sites through which the threat actor can enter systems.

A cyber risk analysis must have a significant component of training and a review of organizational control processes.  Because it is not possible to completely rule out the risk of a cyberattack, since cyber criminals are always ahead of their victims,

  • companies have to be able to demonstrate that they have taken all the measures required by privacy and cybersecurity regulations through a cybersecurity compliance program, which requires sophisticated legal as well as technical knowledge because the burden of proof will be on the company; and
  • the adoption of an insurance policy to cover cyber risk can minimize the negative economic effects on the company and allow it to rely on the incident response systems and consultants on the panel of the insurance companies.

What should directors do if a cyberattack happens to the company?

Based on my experience, if a company suffers a major cyberattack, the CEO, the general manager, and the board of directors are immediately involved.  I have been “catapulted” in front of the CEO of multinational corporations to assess the risk arising from a cyberattack during the Christmas vacations, holidays, and endless weekends.  The risk to the company from a cyber attack is so high that the company’s top management is immediately involved.

In this context, some of the worst-case scenarios from the perspective of directors’ liability should a cyber attack occur are the following:

  • the actions listed above have been discussed at the board of directors meeting, but no activity has been undertaken;
  • risk analysis actions were undertaken and a weakness in the information systems was identified, but the company did nothing (or very little) to correct it in a timely manner;
  • the company realizes that it has not paid for the renewal of the insurance policy covering the cyber risk, considering it to be remote and assessing the policy to be excessively expensive.

All of these scenarios have occurred during my professional career, and the Board of Directors meetings where they have been analyzed have not been pleasant.

The BoD will have to, among other things,

  • analyze the corrective actions to be taken to minimize the negative consequences of the cyber attack,
  • assess the economic impact of the attack, including in terms of possible penalties, to possibly inform shareholders and create a budget reserve, and
  • decide whether the incident should be reported to the appropriate authorities and communicated to the individuals whose data was compromised.

But the “trickiest” topic certainly concerns the decision of whether or not to pay ransom in a ransomware attack.  Normally when a ransomware attack happens, “American cop movie”-style negotiations happen with cyber criminals to buy time, reduce the amount demanded, and get the potential approval from the insurance company.  In most cases, the company will do anything to avoid paying the ransom because

  • depending on the jurisdiction and the identity of the threat actor, it may be illegal,
  • the payment does not guarantee that the data will be decrypted, which also requires an analysis of the threat actor’s reputation and track record; and
  • there could be reputational damage.

However, in some cases, a company has no way out because, for example, even the data backup copies have been encrypted, and there is no way to restore the data.  In that case, the company might consider paying the ransom if doing so does not violate local regulations.  The more complex problem, though, is how to obtain board approval for the payment of the ransom.  There is no single correct answer, and no answer is 100% perfect; one will have to analyze the circumstances of the case.

How should a cyberattack be reported to the public?

Beyond the regulatory reporting requirements, reporting a cyberattack to the public is definitely tricky.

The worst mistake one can make is to “lie,” denying what happened.  To date, hackers often have websites, and there are websites dedicated to information about cyberattacks.  In addition, the threat actor will probably publish exfiltrated data on the dark web to provide proof of exfiltration and solicit payment for the ransom.

It is necessary to ensure that the public is informed of the cyberattack by the company before they hear about it from the press, in order to maintain trust.  Also, in the case of global cyberattacks, local culture must be taken into account in communications.  It is possible to create FAQs to answer questions, but a call center or, in any case, dedicated people are needed to answer the (numerous) requests for clarification from customers and employees.

Most privacy authorities have a dedicated e-mail address to handle user complaints, and the cybersecurity authorities monitor all attacks that impact companies, making the risk of sanctions higher.

What should directors recommend after the emergency of the cyberattack?

It happens more and more often that companies that are victims of a cyberattack suffer another one in the following 12 to 24 months.  In these cases, companies have not thoroughly analyzed the dynamics of the attack, cannot ensure that the threat actor is not still in the company’s systems, and have not taken corrective actions to remedy the attack.

In these cases, the possible liability of directors could be even more difficult to handle because the company would be a repeat offender.

This article illustrates just some of the points of attention for directors in cyber risk management, with the understanding that the dynamics of attacks are constantly evolving and, therefore, corrective actions must also be adapted.  On a similar topic, you can read the article “ENISA 2022 ransomware report gives insights on recent changes”.

Original post at: https://www.gamingtechlaw.com/2022/10/board-directors-liability-cyberattack.html

Photo by Towfiqu barbhuiya on Unsplash

About the author: Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what’s next for our client’s success.


Pierluigi Paganini

(SecurityAffairs – hacking, cyberattack)

The post Have board directors any liability for a cyberattack against their company? appeared first on Security Affairs.

Categories: Cyber Security News

New KmsdBot Malware Hijacking Systems for Mining Crypto and Launch DDoS Attacks

The Hacker News - Mon, 11/14/2022 - 02:14
A newly discovered evasive malware leverages the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks. Dubbed KmsdBot by the Akamai Security Intelligence Response Team (SIRT), the Golang-based malware has been found targeting a variety of companies ranging from gaming to
Categories: Cyber Security News

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

The Hacker News - Mon, 11/14/2022 - 01:05
A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft. "What is noteworthy is data collection from victims' machines using
Categories: Cyber Security News
