Cyber Security News

Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware

The Hacker News - Fri, 07/29/2022 - 09:25
A malicious campaign leveraged seemingly innocuous Android dropper apps on the Google Play Store to compromise users' devices with banking malware. These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All these apps in question have been
Categories: Cyber Security News

Strong Authentication – Robust Identity and Access Management Is a Strategic Choice

Security Affairs - Fri, 07/29/2022 - 08:29
Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed.

“Usernames and passwords are insufficient and vulnerable means of authentication on their own; therefore, it is essential to employ strong authentication techniques like multi-factor authentication (MFA) to confirm users’ identities before granting secure access to resources,” Sarah Lefavrais, Product Marketing Manager at Thales, states in her recent article. It’s true. Passwords no longer meet the demands of today’s identity and access requirements. Therefore, strong authentication methods are needed to improve security without hindering user convenience.

What is Strong Authentication?

Tech Target states that strong authentication is “any method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter.” It is commonly referred to as a way to confirm a user’s identity when passwords are not enough. As Tech Target continues, the European Bank and many that adopt its guidelines state that strong authentication must include “at least two mutually-independent factors” so that the compromise of one will not lead to the compromise of the other. These factors are:

  • Knowledge – Something the user knows
  • Possession – Something the user has
  • Inherence – Something the user is

As Lefavrais states, employing more than one of these measures is needed to ensure only legitimate users can access applications and services, especially when those applications contain sensitive data, such as confidential, personally identifiable information, that needs to be protected.

In IAM strategy, strong authentication methods like MFA and Modern Authentication are quickly replacing traditional methods like passwords and are becoming the new gold standard for how IT and security teams enforce access controls and gain visibility into access events, especially as workloads move to the cloud, to VMs, and across remote and hybrid environments.

The IAM Security Boundary
Strong authentication is a critical component of modern-day identity and access management. It not only provides additional layers of security around entry points, but allows for customizable levels of authentication, authorization, and access control throughout your environment, giving users only the permissions (and sign-in requirements) they need. To illustrate that point, we’ll look at two of the primary methods, MFA and Modern Authentication, in more depth.

Multi-factor Authentication (MFA) is widely seen as the strongest mode of authentication. MFA allows you to:

  • Protect against the compromise made possible by weak passwords. With MFA, a password alone is insufficient to grant access, so credential stuffing and brute force attacks are rendered useless.
  • Reduce identity theft from phishing and other social engineering schemes. Even if you do click on that email and enter a few credentials, if your bank, work VPN, or other access point requires MFA (especially with tokenization, biometrics, or location-based entry), chances are those credentials won’t be enough, and hackers will move on to easier targets.
  • Stay within compliance boundaries like the OMB Memorandum for Zero Trust Cybersecurity and the European Union Agency for Cybersecurity (ENISA) and CERT-EU guidelines, as noted by Lefavrais. These require MFA use throughout subordinate enterprises.

A few MFA methods used in strong authentication include:

  • FIDO security keys
  • Certificate-based smart cards and certificate-based USB tokens
  • Mobile phone and software-based authentication
  • One Time Password (OTP) authenticators
  • Pattern-based (or grid) authenticators
  • Hybrid tokens

Modern Authentication relies on technologies such as FIDO and WebAuthn, contextual authentication, and modern federation protocols, which ensure proper user identity and access controls in cloud environments. That means you can implement more effective access security for cloud apps alongside the existing access controls that are already in place for on-premises and legacy applications. Flexible policy-based access enables a friendly experience while maintaining a high level of security for the roles or resources that require it.

What to Look for in a Strong Authentication Service

When choosing a strong authentication service, be it on-premises or in the cloud, features to consider are:

  1. Policy-based access with the ability to implement conditional access. In order to optimize the end-user experience while maintaining the best access security for a particular user and application, look for a solution that can enforce a range of authentication methods through policies and risk scoring.
  2. Resistant to phishing. Phishing accounts for roughly a quarter of all data breaches, according to Verizon’s 2021 DBIR. Strong authentication solutions with FIDO2 can both authenticate securely and prevent attacks.
  3. User experience. Do the methods involved create security fatigue, or is it simple to secure multiple-use authentication journeys?
  4. Adaptability and customizability. Can you assign different access controls based on role or asset? What about context, environment, or use case?

Ultimately, you need to ensure your strong authentication provider supports your industry’s identity and access regulations and integrates smoothly with your current identity environment, deploying flexibly and maintaining equilibrium as you transition over. To maintain a risk-based authentication posture, IAM solutions must continue evolving alongside increased digitization demands. When a single lock and key no longer suffice to safeguard the VMs, remote environments, and cloud-based assets of today, we must adopt the access management and strong authentication methods that can.

About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Strong Authentication)

The post Strong Authentication – Robust Identity and Access Management Is a Strategic Choice appeared first on Security Affairs.

Categories: Cyber Security News

Exploitation is underway for a critical flaw in Atlassian Confluence Server and Data Center

Security Affairs - Fri, 07/29/2022 - 07:27
Threat actors are actively exploiting the recently patched critical flaw in Atlassian Confluence Server and Data Center

Recently Atlassian released security updates to address a critical hardcoded credentials vulnerability in Confluence Server and Data Center tracked as CVE-2022-26138.

A remote, unauthenticated attacker can exploit the vulnerability to log into unpatched servers.

Once the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) is installed, a Confluence user account with the username “disabledsystemuser” is created.

According to Atlassian, the account allows administrators to migrate data from the app to Confluence Cloud. The bad news is that the account is created with a hard-coded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.

“When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.”  reads the advisory published by Atlassian. “A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the group has access to.”

The affected versions are:

  • Questions for Confluence 2.7.x: 2.7.34, 2.7.35
  • Questions for Confluence 3.0.x: 3.0.2

The company pointed out that uninstalling the Questions for Confluence app does not solve this vulnerability because the disabledsystemuser account is not removed after the app has been uninstalled. Admins of impacted Confluence Server or Data Center instances can remediate this vulnerability with the following actions:

  • Option 1: Update to a non-vulnerable version of Questions for Confluence
  • Option 2: Disable or delete the disabledsystemuser account

The attacks exploiting the issue began after the release of the hard-coded credentials on Twitter.

CVE-2022-26138

Default Atlassian Confluence password has been leaked

– Username: disabledsystemuser
– Email: [email protected]
– Password: disabled1system1user6708

Update Questions for Confluence app ver 2.7.x >= 2.7.38 or > 3.0.5

Credits to @fluepke #CyberSecurity

— Anton (@therceman) July 23, 2022

Rapid7 researchers pointed out that the exploitation of the CVE-2022-26138 flaw is underway.

“This easily allows a remote, unauthenticated attacker to browse an organization’s Confluence instance. Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.” reads the post published by Rapid7 researchers.


Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian)

The post Exploitation is underway for a critical flaw in Atlassian Confluence Server and Data Center appeared first on Security Affairs.

Categories: Cyber Security News

How to Combat the Biggest Security Risks Posed by Machine Identities

The Hacker News - Fri, 07/29/2022 - 07:15
The rise of DevOps culture in enterprises has accelerated product delivery timelines. Automation undoubtedly has its advantages. However, containerization and the rise of cloud software development are exposing organizations to a sprawling new attack surface. Machine identities vastly outnumber human ones in enterprises these days. Indeed, the rise of machine identities is creating cybersecurity
Categories: Cyber Security News

Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices

The Hacker News - Fri, 07/29/2022 - 06:49
Details have been shared about a security vulnerability in Dahua's Open Network Video Interface Forum (ONVIF) standard implementation, which, when exploited, can lead to seizing control of IP cameras.  Tracked as CVE-2022-30563 (CVSS score: 7.4), the "vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the
Categories: Cyber Security News

Researchers Warn of Increase in Phishing Attacks Using Decentralized IPFS Network

The Hacker News - Fri, 07/29/2022 - 06:26
The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months. IPFS, short for InterPlanetary File System, is a
Categories: Cyber Security News

Malware-laced npm packages used to target Discord users

Security Affairs - Fri, 07/29/2022 - 04:06
Threat actors used multiple npm packages to target Discord users with malware designed to steal their payment card data.

A malicious campaign targeting Discord users leverages multiple npm packages to deliver malware that steals their payment card information, Kaspersky researchers warn.

The malicious code hidden in the packages, tracked as Lofy Stealer, is a modified version of an open-source token logger called Volt Stealer.

“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines, along with the victim’s IP address, and upload them via HTTP.” reads the analysis published by Kaspersky.

The malicious code can detect when a user logs in, changes their email or password, enables or disables multi-factor authentication (MFA), or adds new payment methods, including complete bank card details. The harvested data are uploaded to a remote endpoint whose address is hardcoded (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co).

Below is the timeline of uploaded malicious packages, which include the small-sm, pern-valids, lifeculer, and proc-title malicious npm modules:

Package name    Version   Timestamp (UTC)
small-sm        8.2.0     2022-07-17 20:28:29
small-sm        4.2.0     2022-07-17 19:47:56
small-sm        4.0.0     2022-07-17 19:43:57
small-sm        1.1.0     2022-06-18 16:19:47
small-sm        1.0.9     2022-06-17 12:23:33
small-sm        1.0.8     2022-06-17 12:22:31
small-sm        1.0.7     2022-06-17 03:36:45
small-sm        1.0.5     2022-06-17 03:31:40
pern-valids     1.0.3     2022-06-17 03:19:45
pern-valids     1.0.2     2022-06-17 03:12:03
lifeculer       0.0.1     2022-06-17 02:50:34
proc-title      1.0.3     2022-03-04 05:43:31
proc-title      1.0.2     2022-03-04 05:29:58

Once harvested, this data is uploaded to one of several Replit-hosted instances whose addresses are hard-coded within the malware (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co).

Kaspersky states that they are constantly monitoring the updates to repositories to rapidly detect all new malicious packages.


Pierluigi Paganini

(SecurityAffairs – hacking, Discord)

The post Malware-laced npm packages used to target Discord users appeared first on Security Affairs.

Categories: Cyber Security News

Spanish Police Arrest 2 Nuclear Power Workers for Cyberattacking the Radiation Alert System

The Hacker News - Fri, 07/29/2022 - 03:00
Spanish law enforcement officials have announced the arrest of two individuals in connection with a cyberattack on the country's radioactivity alert network (RAR), which took place between March and June 2021. The act of sabotage is said to have disabled more than one-third of the sensors that are maintained by the Directorate-General for Civil Protection and Emergencies (DGPCE) and used to
Categories: Cyber Security News

Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation

The Hacker News - Thu, 07/28/2022 - 23:22
A week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild. The bug in question is CVE-2022-26138, which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to gain
Categories: Cyber Security News

Akamai blocked the largest DDoS attack ever on its European customers

Security Affairs - Thu, 07/28/2022 - 16:59
This month Akamai blocked the largest distributed denial-of-service (DDoS) attack that hit an organization in Europe.

On July 21, 2022, Akamai mitigated the largest DDoS attack that ever hit one of its European customers.

The attack hit an Akamai customer in Eastern Europe that was targeted 75 times in the past 30 days with multiple types of DDoS attacks, including UDP, UDP fragmentation, ICMP flood, RESET flood, SYN flood, TCP anomaly, TCP fragment, PSH ACK flood, FIN push flood, and PUSH flood.

“On Thursday, July 21, 2022, Akamai detected and mitigated the largest DDoS attack ever launched against a European customer on the Prolexic platform, with globally distributed attack traffic peaking at 853.7 Gbps and 659.6 Mpps over 14 hours.” reads the post published by Akamai. “The attack, which targeted a swath of customer IP addresses, formed the largest global horizontal attack ever mitigated on the Prolexic platform.”

The malicious traffic peaked at 853.7 Gbps and 659.6 Mpps over 14 hours; this is the largest global horizontal attack ever mitigated on the Akamai Prolexic platform.

[Figure: Spike in BPS attack traffic. Source: Akamai]

According to Akamai, threat actors used a highly-sophisticated, global botnet of compromised devices to launch the attack.

In September, the Russian Internet giant Yandex was hit by the largest DDoS attack in the history of Runet, the Russian Internet designed to be independent of the world wide web and ensure the resilience of the country to an internet shutdown. The attack was launched by the Mēris botnet and reached 21.8 million RPS (requests per second).


Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)

The post Akamai blocked the largest DDoS attack ever on its European customers appeared first on Security Affairs.

Categories: Cyber Security News

LibreOffice fixed 3 flaws, including a code execution issue

Security Affairs - Thu, 07/28/2022 - 14:45
LibreOffice maintainers addressed three security flaws in their productivity software, including an arbitrary code execution issue.

LibreOffice is an open-source office productivity software suite, a project of The Document Foundation (TDF).

LibreOffice maintainers addressed three security flaws in their suite, including an arbitrary code execution issue tracked as CVE-2022-26305. The CVE-2022-26305 flaw is classified as the execution of untrusted macros due to improper certificate validation. The issue could lead to the execution of malicious macros.

By default, LibreOffice executes macros only if they are stored in a trusted file location or if they are signed by a trusted certificate included in a list of certificates stored in the user’s configuration database.

“An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate.” reads the advisory published by LibreOffice. “An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted.”

This flaw cannot be exploited if the macro security level is set to very high or if the user has no trusted certificates.

The second issue fixed in the popular software is a static initialization vector that allows stored passwords for Web Connections to be recovered without knowing the master password.

“LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.” reads the advisory. “A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user’s configuration data.”

The third issue addressed in the software, tracked as CVE-2022-26307, is related to the use of Weak Master Keys that could be guessed by attackers through a brute-force attack.

“LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user.” reads the advisory. “A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config.”

All the flaws were discovered by OpenSource Security GmbH on behalf of the German Federal Office for Information Security; they were fixed with the release of versions 7.2.7, 7.3.2, and 7.3.3.


Pierluigi Paganini

(SecurityAffairs – hacking, LibreOffice)

The post LibreOffice fixed 3 flaws, including a code execution issue appeared first on Security Affairs.

Categories: Cyber Security News

Threat actors use new attack techniques after Microsoft blocked macros by default

Security Affairs - Thu, 07/28/2022 - 13:34
Threat actors are devising new attack tactics in response to Microsoft’s decision to block Macros by default.

In response to Microsoft’s steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default in Microsoft Office applications, threat actors are adopting new attack techniques.

Researchers from Proofpoint reported that threat actors are increasingly using container files such as ISO and RAR, and Windows Shortcut (LNK) files, in their malware campaigns. Proofpoint researchers noticed that the use of ISO, RAR and LNK file attachments increased by nearly 175% during the same period, and that at least 10 malicious actors have started using LNK files in their campaigns since February 2022.

“According to an analysis of campaigned threats, which include threats manually analyzed and contextualized by Proofpoint threat researchers, the use of macro-enabled attachments by threat actors decreased approximately 66% between October 2021 and June 2022.” reads the analysis published by Proofpoint.

Before October 2021, most malicious phishing campaigns spread malware using weaponized Office documents. Once a victim was tricked into opening the file, the attack chain started.

Microsoft’s move to block macros has pushed threat actors to find alternative techniques to bypass Mark of the Web (MOTW) protections.

The Mark of the Web is a feature that was introduced by Microsoft to determine the origin of a file. If a file was downloaded from the Internet or from another location on a network, it carries a marker identifying the zone from which it was downloaded. Depending on this zone (e.g. intranet, internet, etc.), Windows handles the file accordingly, so as to prevent users from running or opening potentially harmful files from untrusted sources.
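As an added example (not code from Proofpoint or from this post), the following Python reads the zone marker described above, which Windows stores in a file's Zone.Identifier alternate data stream as an INI-style block with a ZoneId field, and flags files whose origin is an untrusted zone or that carry no mark at all, which is the state a file extracted from an ISO or RAR container is in. The sample stream contents and file names are constructed for the demonstration.

```python
"""Parse the Mark of the Web (Zone.Identifier stream) and classify a file's
origin zone. Added illustration, not code from the Proofpoint report."""
import os
from dataclasses import dataclass
from typing import Optional

# URLZONE values Windows writes into the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def untrusted(self) -> bool:
        # Internet (3) and Restricted sites (4) are the zones Office
        # Protected View and SmartScreen treat as untrusted origins.
        return self.zone_id >= 3


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style content of a Zone.Identifier stream.
    Returns None when there is no [ZoneTransfer] section with a numeric ZoneId."""
    section = None
    fields = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone_id = int(fields["zoneid"])
    except ValueError:
        return None
    return MarkOfTheWeb(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read the Zone.Identifier stream of a file on an NTFS volume.
    On non-Windows hosts, or for files without the stream (for example files
    extracted from an ISO/RAR container), this returns None."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def classify(path: str, mark: Optional[MarkOfTheWeb]) -> str:
    """One-line verdict a triage script could log for each file."""
    if mark is None:
        return f"{path}: no Mark of the Web (not downloaded, or mark lost in a container/archive)"
    if mark.untrusted:
        return f"{path}: {mark.zone_name} origin, host={mark.host_url}"
    return f"{path}: {mark.zone_name} origin"


# Constructed sample streams: a browser download (ZoneId=3) and a copy from an
# intranet share (ZoneId=1). Windows writes CRLF line endings.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/invoice.iso\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for name, stream in (("invoice.iso", SAMPLE_INTERNET), ("report.docx", SAMPLE_INTRANET)):
        print(classify(name, parse_zone_identifier(stream)))
    # A file that never had the stream (e.g. extracted from an ISO) reports no mark.
    print(classify("extracted.lnk", read_mark_of_the_web(os.path.join("nonexistent", "extracted.lnk"))))
```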

The researchers observed that the number of campaigns containing LNK files has increased by 1,675% since October 2021. Proofpoint tracked multiple threat actors, both cybercriminal gangs and APT groups, leveraging LNK files.

“Threat actors across the threat landscape are pivoting away from macro-enabled documents to increasingly use different filetypes for initial access. This change is led by the adoption of ISO and other container file formats, as well as LNK files. Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.” concludes the report. “Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history. It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”


Pierluigi Paganini

(SecurityAffairs – hacking, macros)

The post Threat actors use new attack techniques after Microsoft blocked macros by default appeared first on Security Affairs.

Categories: Cyber Security News

ENISA provides data related to major telecom security incidents in 2021

Security Affairs - Thu, 07/28/2022 - 11:01
ENISA published a report that includes anonymised and aggregated information about major telecom security incidents in 2021.

ENISA published a report that provides anonymized and aggregated information about major telecom security incidents in 2021.

Every European telecom operator that suffers a security incident notifies its national authority, which shares a summary of these reports with ENISA at the start of every calendar year.

The reporting of security incidents has been part of the EU’s regulatory framework for telecoms since the 2009 reform of the telecoms package.

This year the report includes data related to reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.

The incidents had a significant impact on the victims: the total user hours lost (obtained by multiplying, for each incident, the number of users by the number of hours) was 5,106 million user hours. This is a huge increase compared to the 841 million user hours lost in 2020. The reason is the impact of a notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC, including on thresholds and on calculating hours lost.

Below are the takeaways from incidents that took place in 2021:

  • 4.16% of reported incidents in 2021 refer to OTT communication services; for this reason the Agency calls for further attention to security incidents related to OTT services.
  • This is the first time that incidents concerning confidentiality and authenticity were reported.
  • The number of incidents labeled as malicious actions passed from 4% in 2020 to 8% in 2021.
  • System failures continue to dominate in terms of impact but the downward trend continues. System failures accounted for 363 million user hours lost compared to 419 million user hours in 2020.
  • The number of Incidents caused by human errors is the same as in 2020.
  • Only 22% of incidents were reported as being related to third-party failures compared to 29%

Let me suggest reading the full report for additional information.


Pierluigi Paganini

(SecurityAffairs – hacking, telecom security incidents)

The post ENISA provides data related to major telecom security incidents in 2021 appeared first on Security Affairs.

Categories: Cyber Security News

Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024

The Hacker News - Thu, 07/28/2022 - 09:55
Google on Wednesday said it's once again delaying its plans to turn off third-party cookies in the Chrome web browser from late 2023 to the second half of 2024. "The most consistent feedback we've received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome," Anthony Chavez, vice president of Privacy Sandbox, said.
Categories: Cyber Security News

Hackers Opting New Attack Methods After Microsoft Blocked Macros by Default

The Hacker News - Thu, 07/28/2022 - 07:54
With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their new tactics, techniques, and procedures (TTPs). "The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022," Proofpoint said in a report shared with The Hacker News. In its
Categories: Cyber Security News

Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits

The Hacker News - Thu, 07/28/2022 - 07:26
A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the
Categories: Cyber Security News

Top MSSP CEOs Share 7 Must-Do Tips for Higher MSSP Revenue and Margin

The Hacker News - Thu, 07/28/2022 - 07:11
MSSPs must find ways to balance the need to please existing customers, add new ones, and deliver high-margin services against their internal budget constraints and the need to maintain high employee morale. In an environment where there are thousands of potential alerts each day and cyberattacks are growing rapidly in frequency and sophistication, this isn’t an easy balance to maintain. Customers
Categories: Cyber Security News

European firm DSIRF behind the attacks with Subzero surveillance malware

Security Affairs - Thu, 07/28/2022 - 07:04
Microsoft linked a private-sector offensive actor (PSOA) to attacks using multiple zero-day exploits for its Subzero malware.

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) researchers linked a threat group known as Knotweed to an Austrian surveillance firm named DSIRF, known for using multiple Windows and Adobe zero-day exploits. The group targets entities in Europe and Central America with a surveillance tool dubbed Subzero.

The DSIRF website states that the company provides services “to multinational corporations in the technology, retail, energy and financial sectors” and that it has “a set of highly sophisticated techniques in gathering and analyzing information.” It publicly offers several services, including “an enhanced due diligence and risk analysis process through providing a deep understanding of individuals and entities” and “highly sophisticated Red Teams to challenge your company’s most critical assets.”

Microsoft states that multiple news reports have linked the company to the Subzero malware toolset used to hack a broad range of devices, phones, computers, and network and internet-connected devices.

The researchers found evidence linking DSIRF to the Knotweed operation, including the C2 infrastructure used by Subzero and a code-signing certificate issued to DSIRF that was used to sign an exploit.

Microsoft reported Subzero attacks against Microsoft customers in Austria, the United Kingdom, and Panama. The targeted entities are law firms, banks, and strategic consultancies.

MSTIC states that KNOTWEED’s Subzero malware was deployed in multiple ways. The IT giant refers to the different stages of Subzero as Jumplump, the persistent loader, and Corelump, the main malware.

Once the system is compromised, the threat actors drop the Corelump downloader and inject it directly into memory to evade detection. It supports multiple features, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from KNOTWEED’s C2 server.

Microsoft researchers observed a variety of post-compromise actions on infected systems:

  • Setting of UseLogonCredential to “1” to enable plaintext credentials
  • Credential dumping via comsvcs.dll
  • Attempt to access emails with dumped credentials from a KNOTWEED IP address
  • Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com
  • Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF

Researchers from threat intelligence firm RiskIQ, using passive DNS data related to Knotweed attacks, linked the C2 infrastructure used by the malware since February 2020 to DSIRF.

One of the zero-day exploits used in Knotweed attacks targeted the recently patched CVE-2022-22047 issue. The attackers used this exploit to escalate privileges, escape sandboxes, and gain system-level code execution on the vulnerable system.

“In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021. MSTIC was able to confirm the use of these in an exploit chain used to deploy Subzero.” reads the report. “We were later able to link the deployment of Subzero to a fourth exploit, one related to a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to load an arbitrary signed DLL. The malicious DLL used in the attacks was signed by ‘DSIRF GmbH’.”

Below is the list of recommendations published by Microsoft for its customers to prevent Subzero infections:

  • All customers should prioritize patching of CVE-2022-22047.
  • Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.371.503.0 or later to detect the related indicators.
  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. Note: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.

“Microsoft will continue to monitor KNOTWEED activity and implement protections for our customers. The current detections and IOCs detailed below are in place and protecting Microsoft customers across our security products. Additional advanced hunting queries are also provided below to help organizations extend their protections and investigations of these attacks.” concludes Microsoft.

Follow me on Twitter: @securityaffairs and Facebook


Pierluigi Paganini

(SecurityAffairs – hacking, Subzero malware)

The post European firm DSIRF behind the attacks with Subzero surveillance malware appeared first on Security Affairs.

Categories: Cyber Security News

How to Combat the Biggest Security Risks Posed by Machine Identities

The Hacker News - Thu, 07/28/2022 - 06:58
The rise of DevOps culture in enterprises has accelerated product delivery timelines. Automation undoubtedly has its advantages. However, containerization and the rise of cloud software development are exposing organizations to a sprawling new attack surface. Machine identities vastly outnumber human ones in enterprises these days. Indeed, the rise of machine identities is creating cybersecurity
Categories: Cyber Security News

Spain police arrested two men accused of cyber attacks on radioactivity alert network (RAR)

Security Affairs - Thu, 07/28/2022 - 03:57
The Spanish police arrested two individuals accused of hacking the country’s radioactivity alert network (RAR) in 2021.

The Spanish police have arrested two men suspected to be the hackers behind cyberattacks that hit the country’s radioactivity alert network (RAR) between March and June 2021.

The RAR system is a mesh of gamma radiation detection sensors, deployed across the country in order to detect anomalous radiation levels and take protective measures to prevent damage to the environment and the population. The sensors are connected by telephone to the control center at the DGPCE headquarters that gathers the measures and transmits the necessary orders to the sensors. 

Source https://westobserver.com

The suspects are former employees of the company in charge of maintaining the RAR system, and for this reason they had technical knowledge of the system.

The duo was identified after a year-long investigation. The police carried out searches at two homes and one company in Madrid and San Agustín de Guadalix, where agents found numerous computers and communications devices that were used in the attack.

The two suspects had access to the network of the General Directorate of Civil Protection and Emergencies (DGPCE) and were able to disconnect the sensors from the system, reducing its detection capacity even in the vicinity of nuclear power plants.

The Cyberattack Group of the National Police, with the help of the DGPCE, determined that once the attackers gained access to the network, they attempted to delete the RAR management web application in the control center. The suspects targeted more than 300 sensors out of the 800 existing ones.

In parallel, the duo launched individual attacks against the sensors, taking down 300 of the 800 spread across Spain, essentially breaking their link to the control center and disrupting the data exchange.

The cyberattacks against RAR stopped in June 2021 after the security breach was discovered by the Spanish authorities.

“During the investigation it was determined that the two detainees had been responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE, for which they had a deep knowledge of it that made it easier for them to carry out the attacks and helped them in their efforts to mask their authorship, significantly increasing the difficulty of the investigation.” reads the announcement published by the Policía Nacional.

The police did not provide additional details about the attack, and at this time the motivation behind it is unknown.



Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)


Categories: Cyber Security News
