Nov 21, 2024Ravie LakshmananCyber Espionage / MalwareThe China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia.That's according to findings from cybersecurity firm ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023.WolfsBane has been assessed to be a Linux version of the threat actor's Gelsevirine backdoor, a Windows malware put to use as far back as 2014. Also discovered by the company is another previously undocumented implant named FireWood that's connected to another malware toolset known as Project Wood.FireWood has been attributed to Gelsemium with low confidence, given the possibility that it could be shared by multiple China-linked hacking crews."The goal of the backdoors and tools discovered is cyber espionage targeting sensitive data such as system information, user credentials, and specific files and directories," ESET researcher Viktor perka said in a report shared with The Hacker News."These tools are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection."The exact initial access pathway used by the threat actors is not known, although it's suspected that the threat actors exploited an unknown web application vulnerability to drop web shells for persistent remote access, using it to deliver the WolfsBane backdoor by means of a dropper.Besides using the modified open-source BEURK userland rootkit to conceal its activities on the Linux host, it's capable of executing commands received from an attacker-controlled server. In a similar vein, FireWood employs a kernel driver rootkit module called usbdev.ko to hide processes, and run various commands issued by the server. The use of WolfsBane and FireWood is the first documented use of Linux malware by Gelsemium, signaling an expansion of the targeting focus."The trend of malware shifting towards Linux systems seems to be on the rise in the APT ecosystem," perka said. "From our perspective, this development can be attributed to several advancements in email and endpoint security.""The ever-increasing adoption of EDR solutions, along with Microsoft's default strategy of disabling VBA macros, are leading to a scenario where adversaries are being forced to look for other potential avenues of attack."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 21, 2024Ravie LakshmananVulnerability / Cyber AttackAs many as 2,000 Palo Alto Networks devices are estimated to have been compromised as part of a campaign abusing the newly disclosed security flaws that have come under active exploitation in the wild.According to statistics shared by the Shadowserver Foundation, a majority of the infections have been reported in the U.S. (554) and India (461), followed by Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35).Earlier this week, Censys revealed that it had identified 13,324 publicly exposed next-generation firewall (NGFW) management interfaces, with 34% of these exposures located in the U.S. However, it's important to note that not all of these exposed hosts are necessarily vulnerable.The flaws in question, CVE-2024-0012 (CVSS score: 9.3) and CVE-2024-9474 (CVSS score: 6.9), are a combination of authentication bypass and privilege escalation that could allow a bad actor to perform malicious actions, including modifying configurations and executing arbitrary code.Palo Alto Networks, which is tracking the initial zero-day exploitation of the flaws under the name Operation Lunar Peek, said they are being weaponized to achieve command execution and drop malware, such as PHP-based web shells, on hacked firewalls.The network security vendor has also warned that cyber attacks targeting the security flaws are likely to escalate following the availability of an exploit combining them.To that end, it said it "assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity."It further noted that it has observed both manual and automated scanning activity, necessitating that users apply the latest fixes as soon as possible and secure access to the management interface as per recommended best practice deployment guidelines.This particularly includes restricting access to only trusted internal IP addresses to prevent external access from the internet.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 21, 2024Ravie LakshmananFinancial Fraud / Data BreachThreat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers."They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher Jan Michael Alcantara said in a report shared with The Hacker News."New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code, and using a batch script to dynamically generate and execute the Python script."NodeStealer, first publicly documented by Meta in May 2023, started off as JavaScript malware before evolving into a Python stealer capable of gathering data related to Facebook accounts in order to facilitate their takeover.It's assessed to be developed by Vietnamese threat actors, who have a history of leveraging various malware families that are centered around hijacking Facebook advertising and business accounts to fuel other malicious activities.The latest analysis from Netskopke shows that NodeStealer artifacts have begun to target Facebook Ads Manager accounts that are used to manage ad campaigns across Facebook and Instagram, in addition to striking Facebook Business accounts.In doing so, it's suspected that the intention of the attackers is not just to take control of Facebook accounts, but to also weaponize them for use in malvertising campaigns that further propagate the malware under the guise of popular software or games."We recently found several Python NodeStealer samples that collect budget details of the account using Facebook Graph API," Michael Alcantara explained. "The samples initially generate an access token by logging into adsmanager.facebook[.]com using cookies collected on the victim's machine."Aside from collecting the tokens and business-related information tied to those accounts, the malware includes a check that's explicitly designed to avoid infecting machines located in Vietnam as a way to evade law enforcement actions, further solidifying its origins.On top of that, certain NodeStealer samples have been found to use the legitimate Windows Restart Manager to unlock SQLite database files that are possibly being used by other processes. This is done so in an attempt to siphon credit card data from various web browsers.Data exfiltration is achieved using Telegram, underscoring that the messaging platform still continues to be a crucial vector for cybercriminals despite recent changes to its policy.Malvertising via Facebook is a lucrative infection pathway, often impersonating trusted brands to disseminate all kinds of malware. This is evidenced by the emergence of a new campaign starting November 3, 2024, that has mimicked the Bitwarden password manager software through Facebook sponsored ads to install a rogue Google Chrome extension."The malware gathers personal data and targets Facebook business accounts, potentially leading to financial losses for individuals and businesses," Bitdefender said in a report published Monday. "Once again, this campaign highlights how threat actors exploit trusted platforms like Facebook to lure users into compromising their own security."Phishing Emails Distribute I2Parcae RAT via ClickFix TechniqueThe development comes as Cofense has alerted to new phishing campaigns that employ website contact forms and invoice-themed lures to deliver malware families like I2Parcae RAT and PythonRatLoader, respectively, with the latter acting as a conduit to deploy AsyncRAT, DCRat, and Venom RAT.I2Parcae is "notable for having several unique tactics, techniques, and procedures (TTPs), such as Secure Email Gateway (SEG) evasion by proxying emails through legitimate infrastructure, fake CAPTCHAs, abusing hardcoded Windows functionality to hide dropped files, and C2 capabilities over Invisible Internet Project (I2P), a peer-to-peer anonymous network with end-to-end encryption," Cofense researcher Kahng An said."When infected, I2Parcae is capable of disabling Windows Defender, enumerating Windows Security Accounts Manager (SAM) for accounts/groups, stealing browser cookies, and remote access to infected hosts."Attack chains involve the propagation of booby-trapped pornographic links in email messages that, upon clicking, lead message recipients to an intermediate fake CAPTCHA verification page, which urges victims to copy and execute an encoded PowerShell script in order to access the content, a technique that has been called ClickFix.ClickFix, in recent months, has become a popular social engineering trick to lure unsuspecting users into downloading malware under the pretext of addressing a purported error or completing a reCAPTCHA verification. It's also effective at sidestepping security controls owing to the fact that users infect themselves by executing the code.Enterprise security firm Proofpoint said that the ClickFix technique is being used by multiple "unattributed" threat actors to deliver an array of remote access trojans, stealers, and even post-exploitation frameworks such as Brute Ratel C4. It has even been adopted by suspected Russian espionage actors to breach Ukrainian government entities."Threat actors have been observed recently using a fake CAPTCHA themed ClickFix technique that pretends to validate the user with a 'Verify You Are Human' (CAPTCHA) check," security researchers Tommy Madjar and Selena Larson said. "Much of the activity is based on an open source toolkit named reCAPTCHA Phish available on GitHub for 'educational purposes.'""What's insidious about this technique is the adversaries are preying on people's innate desire to be helpful and independent. By providing what appears to be both a problem and a solution, people feel empowered to 'fix' the issue themselves without needing to alert their IT team or anyone else, and it bypasses security protections by having the person infect themselves."The disclosures also coincide with a rise in phishing attacks that make use of bogus Docusign requests to bypass detection and ultimately conduct financial fraud."These attacks pose a dual threat for contractors and vendors immediate financial loss and potential business disruption," SlashNext said. "When a fraudulent document is signed, it can trigger unauthorized payments while simultaneously creating confusion about actual licensing status. This uncertainty can lead to delays in bidding on new projects or maintaining current contracts."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 21, 2024Ravie LakshmananArtificial Intelligence / Software SecurityGoogle has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library."These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets," Google's open-source security team said in a blog post shared with The Hacker News.The OpenSSL vulnerability in question is CVE-2024-9143 (CVSS score: 4.3), an out-of-bounds memory write bug that can result in an application crash or remote code execution. The issue has been addressed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl.Google, which added the ability to leverage large language models (LLMs) to improve fuzzing coverage in OSS-Fuzz in August 2023, said the vulnerability has likely been present in the codebase for two decades and that it "wouldn't have been discoverable with existing fuzz targets written by humans."Furthermore, the tech giant noted that the use of AI to generate fuzz targets has improved code coverage across 272 C/C++ projects, adding over 370,000 lines of new code."One reason that such bugs could remain undiscovered for so long is that line coverage is not a guarantee that a function is free of bugs," Google said. "Code coverage as a metric isn't able to measure all possible code paths and statesdifferent flags and configurations may trigger different behaviors, unearthing different bugs."These AI-assisted vulnerability discoveries are also made possible by the fact that LLMs are proving to be adept at emulating a developer's fuzzing workflow, thereby allowing for more automation.The development comes as the company revealed earlier this month that its LLM-based framework called Big Sleep facilitated the detection of a zero-day vulnerability in the SQLite open-source database engine.In tandem, Google has been working towards transitioning its own codebases to memory-safe languages such as Rust, while also retrofitting mechanisms to address spatial memory safety vulnerabilities which occur when it's possible for a piece of code to access memory that's outside of its intended bounds within existing C++ projects, including Chrome.This includes migrating to Safe Buffers and enabling hardened libc++, which adds bounds checking to standard C++ data structures in order to eliminate a significant class of spatial safety bugs. It further noted that the overhead incurred as a result of incorporating the change is minimal (i.e., an average 0.30% performance impact)."Hardened libc++, recently added by open source contributors, introduces a set of security checks designed to catch vulnerabilities such as out-of-bounds accesses in production," Google said. "While C++ will not become fully memory-safe, these improvements reduce risk [...], leading to more reliable and secure software."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 20, 2024The Hacker NewsIdentity Security / Cyber DefenseThe frequency and sophistication of modern cyberattacks are surging, making it increasingly challenging for organizations to protect sensitive data and critical infrastructure. When attackers compromise a non-human identity (NHI), they can swiftly exploit it to move laterally across systems, identifying vulnerabilities and compromising additional NHIs in minutes. While organizations often take months to detect and contain such breaches, rapid detection and response can stop an attack in its tracks.The Rise of Non-Human Identities in Cybersecurity By 2025, non-human identities will rise to be the primary attack vector in cybersecurity. As businesses increasingly automate processes and adopt AI and IoT technologies, the number of NHIs grows exponentially. While these systems drive efficiency, they also create an expanded attack surface for cybercriminals. NHIs differ fundamentally from human users, making traditional security tools like multi-factor authentication and user behavior analytics less effective. Attackers can impersonate NHIs, gaining unauthorized access to systems and bypassing conventional defenses. Moreover, AI models themselves are becoming targets for manipulation, enabling attackers to deceive detection mechanisms. With their scalability and efficiency, NHIs allow malicious actors to orchestrate large-scale breaches, exploit APIs, and launch sophisticated supply chain attacks.Introducing NHIDRRecognizing the unique challenges posed by NHIs, Entro developed Non-Human Identity Detection and Response (NHIDR) to address this critical security gap. NHIDR empowers organizations to proactively identify and mitigate risks associated with non-human identities by analyzing their behavior and detecting anomalies in real-time.At the heart of NHIDR is its ability to establish baseline behavioral models for each NHI using historical data. This eliminates the need for "soak time" or extended observation periods, accessing the data it needs immediately. Once these baselines are established, NHIDR continuously monitors NHIs, identifying deviations that indicate misuse, abuse, or compromise. Unlike static inventory-based methods, NHIDR ensures constant vigilance with dynamic, real-time analysis.Real-Time Detection and Automated Response Imagine this scenario: a cybercriminal in another country attempts to access sensitive secrets stored in your system. NHIDR detects the unauthorized activity instantly, flagging the anomaly and initiating an automated response. This could involve revoking access tokens, rotating credentials, or isolating the compromised identity. Simultaneously, NHIDR alerts your security team, enabling them to take swift, informed action. This proactive capability is vital for addressing day 0 threatsattacks that emerge before security teams have time to react. By automating the response process, NHIDR not only contains threats faster but also reduces the manual workload on security teams, allowing them to focus on strategic initiatives rather than firefighting.Proactive Security for a New Era NHIDR represents a paradigm shift from reactive to proactive security. By continuously monitoring and analyzing NHIs and secrets, it ensures organizations can prevent breaches before they occur. Automated remediation processes, such as revoking compromised tokens, minimize downtime and enhance overall security posture.Conclusion NHIDR technology is revolutionizing cybersecurity by providing real-time detection, automated responses, and a proactive approach to securing non-human identities. With NHIDR, organizations can safeguard their assets, maintain compliance, and stay ahead of the threat landscape because when it comes to protecting critical systems, proactive defense is essential. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 20, 2024Ravie LakshmananPayment Security / CybercrimeThreat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victim's funds at scale.The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash-out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple Pay and relaying NFC traffic."Criminals can now misuse Google Pay and Apple Pay to transmit your tap-to-pay information globally within seconds," the Dutch security company told The Hacker News in a statement. "This means that even without your physical card or phone, they can make payments from your account anywhere in the world."These attacks typically work by tricking victims into downloading mobile banking malware that can capture their banking credentials and one-time passwords using an overlay attack or a keylogger. Alternatively, it can involve a voice phishing component.Once in possession of the card details, the threat actors move to link the card to Google Pay or Apple Pay. But in an attempt to avoid getting the cards blocked by the issuer, the tap-to-pay information is relayed to a mule, who is responsible for making fraudulent purchases at a store.This is accomplished by means of a legitimate research tool called NFCGate, which can capture, analyze, or modify NFC traffic. It can also be used to pass the NFC traffic between two devices using a server."One device operates as a 'reader' reading an NFC tag, the other device emulates an NFC tag using the Host Card Emulation (HCE)," according to researchers from the Secure Mobile Networking Lab at TU Darmstadt.While NFCGate has been previously put to use by bad actors to transmit the NFC information from victim's devices to the attacker, as documented by ESET back in August 2024 with NGate malware, the latest development marks the first time the tool is being misused to relay the data."Cybercriminals can establish a relay between a device with stolen card and PoS [point-of-sale] terminal at a retailer, staying anonymous and performing cash-outs on a larger scale," ThreatFabric noted."The cybercriminal with the stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within a short period of time."The tactic offers more advantages in that it can be used to purchase gift cards at offline retailers without the cybercriminals having to be physically present. Even worse, it can be used to scale the fraudulent scheme by enlisting the help of several mules at different locations within a short span of time.Complicating the detection of Ghost Tap attacks is the fact that the transactions appear as if they are originating from the same device, thereby bypassing anti-fraud mechanisms. The device with the linked card can also be in airplane mode, which can complicate efforts to detect their actual location and that it was not actually used to make the transaction at the PoS terminal."We suspect that the evolution of networks with increasing speed of communication together with a lack of proper time-based detection on ATM/POS terminals made these attacks possible, where the actual devices with cards are physically located far away from the place where transaction is performed (device is not present at PoS or ATM)," ThreatFabric noted."With the ability to scale rapidly and operate under a cloak of anonymity, this cash-out method presents significant challenges for financial institutions and retail establishments alike."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 20, 2024Ravie LakshmananSoftware Security / VulnerabilityOracle is warning that a high-severity security flaw impacting the Agile Product Lifecycle Management (PLM) Framework has been exploited in the wild.The vulnerability, tracked as CVE-2024-21287 (CVSS score: 7.5), could be exploited sans authentication to leak sensitive information."This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password," it said in an advisory. "If successfully exploited, this vulnerability may result in file disclosure."CrowdStrike security researchers Joel Snape and Lutz Wolf have been credited with discovering and reporting the flaw.There is currently no information available on who is exploiting the vulnerability, the targets of the malicious activity, and how widespread these attacks are."If successfully exploited, an unauthenticated perpetrator could download, from the targeted system, files accessible under the privileges used by the PLM application," Eric Maurice, vice president of Security Assurance at Oracle, said.In light of active exploitation, users are recommended to apply the latest patches as soon as possible for optimal protection.The Hacker News has reached out to Oracle and CrowdStrike for comment. We will update this story if we get a reply.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 20, 2024Ravie LakshmananZero Day / VulnerabilityApple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.The flaws are listed below -CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web contentCVE-2024-44309 - A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web contentThe iPhone maker said it addressed CVE-2024-44308 and CVE-2024-44309 with improved checks and improved state management, respectively. Not much is known about the exact nature of the exploitation, but Apple has acknowledged that the pair of vulnerabilities "may have been actively exploited on Intel-based Mac systems."Clment Lecigne and Benot Sevens of Google's Threat Analysis Group (TAG) have been credited with discovering and reporting the two flaws, indicating that they were likely put to use as part of highly-targeted government-backed or mercenary spyware attacks.The updates are available for the following devices and operating systems -iOS 18.1.1 and iPadOS 18.1.1 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and lateriOS 17.7.2 and iPadOS 17.7.2 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and latermacOS Sequoia 15.1.1 - Macs running macOS SequoiavisionOS 2.1.1 - Apple Vision ProSafari 18.1.1 - Macs running macOS Ventura and macOS SonomaApple has so far addressed a total of four zero-days in its software this year, including one (CVE-2024-27834) that was demonstrated at the Pwn2Own Vancouver hacking competition. The other three were patched in January and March 2024.Users are advised to update their devices to the latest version as soon as possible to safeguard against potential threats.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 20, 2024Ravie LakshmananCyber Espionage / Telecom SecurityA new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection.Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers.The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration."Liminal Panda has used compromised telecom servers to initiate intrusions into further providers in other geographic regions," the company's Counter Adversary Operations team said in a Tuesday analysis."The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata, and text messages (SMS)."It's worth noting that some aspects of the intrusion activity were documented by the cybersecurity company back in October 2021, attributing it then to a different threat cluster dubbed LightBasin (aka UNC1945), which also has a track record of targeting telecom entities since at least 2016.CrowdStrike noted that its extensive review of the campaign revealed the presence of an entirely new threat actor, and that the misattribution three years ago was the result of multiple hacking crews conducting their malicious activities on what it said was a "highly contested compromised network."Some of the custom tools in its arsenal are SIGTRANslator, CordScan, and PingPong, which come with the following capabilities -SIGTRANslator, a Linux ELF binary designed to send and receive data using SIGTRAN protocolsCordScan, a network-scanning and packet-capture utility containing built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as the Serving GPRS Support Node (SGSN)PingPong, a backdoor that listens for incoming magic ICMP echo requests and sets up a TCP reverse shell connection to an IP address and port specified within the packetLiminal Panda attacks have been observed infiltrating external DNS (eDNS) servers using password spraying extremely weak and third-party-focused passwords, with the hacking crew using TinyShell in conjunction with a publicly available SGSN emulator called sgsnemu for C2 communications."TinyShell is an open-source Unix backdoor used by multiple adversaries," CrowdStrike said. "SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to tunnel traffic via this telecommunications network."The end goal of these attacks is to collect network telemetry and subscriber information or to breach other telecommunications entities by taking advantage of the industry's interoperation connection requirements."Liminal Panda's known intrusion activity has typically abused trust relationships between telecommunications providers and gaps in security policies, allowing the adversary to access core infrastructure from external hosts," the company said.The disclosure comes as U.S. telecom providers like AT&T, Verizon, T-Mobile, and Lumen Technologies have become the target of another China-nexus hacking group dubbed Salt Typhoon. If anything, these incidents serve to highlight how telecommunications and other critical infrastructure providers are vulnerable to compromise by state-sponsored attackers.French cybersecurity company Sekoia has characterized the Chinese offensive cyber ecosystem as a joint enterprise that includes government-backed units such as the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), civilian actors, and private entities to whom the work of vulnerability research and toolset development is outsourced."China-nexus APTs are likely to be a mix of private and state actors cooperating to conduct operations, rather than strictly being associated with single units," it said, pointing out the challenges in attribution."It ranges from the conduct of operations, the sale of stolen information or initial access to compromised devices to providing services and tools to launch attacks. The relationships between these military, institutional and civilian players are complementary and strengthened by the proximity of the individuals part of these different players and the CCP's policy."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 20, 2024Ravie LakshmananLinux / VulnerabilityMultiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user interaction.The Qualys Threat Research Unit (TRU), which identified and reported the flaws early last month, said they are trivial to exploit, necessitating that users move quickly to apply the fixes. The vulnerabilities are believed to have existed since the introduction of interpreter support in needrestart 0.8, which was released on April 27, 2014."These needrestart exploits allow Local Privilege Escalation (LPE) which means that a local attacker is able to gain root privileges," Ubuntu said in an advisory, noting they have been addressed in version 3.8. "The vulnerabilities affect Debian, Ubuntu, and other Linux distributions."Needrestart is a utility that scans a system to determine the services that need to be restarted after applying shared library updates in a manner that avoids a complete system reboot.The five flaws are listed below -CVE-2024-48990 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variableCVE-2024-48991 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreterCVE-2024-48992 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variableCVE-2024-11003 (CVSS score: 7.8) and CVE-2024-10224 (CVSS score: 5.3) - Two vulnerabilities that allows a local attacker to execute arbitrary shell commands as root by taking advantage of an issue in the libmodule-scandeps-perl package (before version 1.36)Successful exploitation of the aforementioned shortcomings could allow a local attacker to set specially crafted environment variables for PYTHONPATH or RUBYLIB that could result in the execution of arbitrary code pointing to the threat actor's environment when needrestart is run."In CVE-2024-10224, [...] attacker-controlled input could cause the Module::ScanDeps Perl module to run arbitrary shell commands by open()ing a 'pesky pipe' (such as by passing 'commands|' as a filename) or by passing arbitrary strings to eval()," Ubuntu noted."On its own, this is not enough for local privilege escalation. However, in CVE-2024-11003 needrestart passes attacker-controlled input (filenames) to Module::ScanDeps and triggers CVE-2024-10224 with root privilege. The fix for CVE-2024-11003 removes needrestart's dependency on Module::ScanDeps."While it's highly advised to download the latest patches, Ubuntu said users can disable interpreter scanners in needrestart the configuration file as a temporary mitigation and ensure that the changes are reverted after the updates are applied."These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user," Saeed Abbasi, product manager of TRU at Qualys, said."An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 19, 2024Ravie LakshmananCloud Security / PiracyMalicious actors are exploiting misconfigured JupyterLab and Jupyter Notebooks to conduct stream ripping and enable sports piracy using live streaming capture tools.The attacks involve the hijack of unauthenticated Jupyter Notebooks to establish initial access, and perform a series of actions designed to facilitate illegal live streaming of sports events, Aqua said in a report shared with The Hacker News.The covert piracy campaign within interactive environments widely used for data science applications was discovered by the cloud security firm following an attack against its honeypots."First, the attacker updated the server, then downloaded the tool FFmpeg," Assaf Morag, director of threat intelligence at cloud security firm Aqua. "This action alone is not a strong enough indicator for security tools to flag malicious activity.""Next, the attacker executed FFmpeg to capture live streams of sports events and redirected them to their server."In a nutshell, the end goal of the campaign is to download FFmpeg from MediaFire and use it to record live sports events feeds from the Qatari beIN Sports network and duplicate the broadcast on their illegal server via ustream[.]tv.It's not clear who is behind the campaign, although there are indications that they could be of Arab-speaking origin owing to one of the IP addresses used (41.200.191[.]23)."However, it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Morag said."Potential risks include denial-of-service, data manipulation, data theft, corruption of AI and ML processes, lateral movement to more critical environments, and, in the worst-case scenario, substantial financial and reputational damage."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 19, 2024Ravie LakshmananBotnet / IoT SecurityThe malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal."At least 80% of NSOCKS bots in our telemetry originate from the Ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices," the Black Lotus Labs team at Lumen Technologies said in a report shared with The Hacker News. "Two-thirds of these proxies are based in the U.S.""The network maintains a daily average of roughly 35,000 working bots, with 40% remaining active for a month or longer."Ngioweb, first documented by Check Point way back in August 2018 in connection with a Ramnit trojan campaign that distributed the malware, has been the subject of extensive analyses in recent weeks by LevelBlue and Trend Micro, the latter of which is tracking the financially motivated threat actor behind the operation as Water Barghest.Capable of targeting devices running both Microsoft Windows and Linux, the malware gets its name from the command-and-control (C2) domain that was registered in 2018 under the name "ngioweb[.]su."According to Trend Micro, the botnet comprises over 20,000 IoT devices as of October 2024, with Water Barghest using it to find and infiltrate vulnerable IoT devices using automated scripts and deploy the Ngioweb malware, registering them as a proxy. The infected bots are then enlisted for sale on a residential proxy marketplace."The monetization process, from initial infection to the availability of the device as a proxy on a residential proxy marketplace, can take as little as 10 minutes, indicating a highly efficient and automated operation," researchers Feike Hacquebord and Fernando Mercs said.Attack chains using the malware leverage an arsenal of vulnerabilities and zero-days it uses to breach routers and household IoT devices like cameras, vacuum cleaners, and access controls, among others. The botnet employs a two-tiered architecture: The first being a loader network comprising 15-20 nodes, which directs the bot to a loader-C2 node for retrieval and execution of the Ngioweb malware.A breakdown of the residential proxy provider's proxies by device type shows that the botnet operators have targeted a broad spectrum of vendors, including NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO.The latest disclosures from LevelBlue and Lumen reveal that the systems infected with the Ngioweb trojan are being sold as residential proxy servers for NSOCKS, which has been previously put to use by threat actors in credential-stuffing attacks aimed at Okta."NSOCKS sells access to SOCKS5 proxies all over the world, allowing buyers to choose them by location (state, city, or ZIP code), ISP, speed, type of infected device, and newness," LevelBlue said. "The prices vary between $0.20 to $1.50 for 24-hour access and depends on the device type and time since infection."The victim devices have also been found to establish long-term connections with a second stage of C2 domains that are created by a domain generation algorithm (DGA). These domains, amounting to about 15 in number at any given point in time, act as the "gatekeeper," determining if the bots are worth adding to the proxy network.Should the devices pass the eligibility criteria, the DGA C2 nodes connect them to a backconnect C2 node that, in turn, makes them available for use through the NSOCKS proxy service."NSOCKS users route their traffic through over 180 'backconnect' C2 nodes that serve as entry/exit points used to obscure, or proxy, their true identity," Lumen Technologies said. "The actors behind this service have not only provided a means for their customers to proxy malicious traffic, but the infrastructure has also been engineered to enable various threat actors to create their own services."To make matters worse, open proxies powered by NSOCKS have also emerged as an avenue for various actors to launch powerful distributed denial-of-service (DDoS) attacks at scale.The commercial market for residential proxy services and the underground market of proxies is expected to grow in the coming years, in part driven by the demand from advanced persistent threat (APT) groups and cybercriminal groups alike."These networks are often leveraged by criminals who find exploits or steal credentials, providing them with a seamless method to deploy malicious tools without revealing their location or identities," Lumen said."What is particularly alarming is the way a service like NSOCKS can be used. With NSOCKS, users have the option to choose from 180 different countries for their endpoint. This capability not only allows malicious actors to spread their activities across the globe but also enables them to target specific entities by domain, such as .gov or .edu, which could lead to more focused and potentially more damaging attacks."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 19, 2024Ravie LakshmananVulnerability / Data SecurityNow-patched security flaws impacting Progress Kemp LoadMaster and VMware vCenter Server have come under active exploitation in the wild, it has emerged.The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added CVE-2024-1212 (CVSS score: 10.0), a maximum-severity security vulnerability in Progress Kemp LoadMaster to its Known Exploited Vulnerabilities (KEV) catalog. It was addressed by Progress Software back in February 2024."Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution," the agency said.Rhino Security Labs, which discovered and reported the flaw, said successful exploitation enables command execution on LoadMaster should an attacker have access to the administrator web user interface, granting them full access to the load balancer.CISA's addition of CVE-2024-1212 coincides with a warning from Broadcom that attackers are now exploiting two security flaws in the VMware vCenter Server, which were demonstrated at the Matrix Cup cybersecurity competition held in China earlier this year.The flaws, CVE-2024-38812 (CVSS score: 9.8) and CVE-2024-38813 (CVSS score: 7.5), were originally resolved in September 2024, although the company rolled out fixes for the former a second-time last month, stating the previous patches "did not fully address" the problem.CVE-2024-38812 - A heap-overflow vulnerability in the implementation of the DCERPC protocol that could permit a malicious actor with network access to obtain remote code execution CVE-2024-38813 - A privilege escalation vulnerability that could permit a malicious actor with network access to escalate privileges to rootWhile there are currently no details on the observed exploitation of these vulnerabilities in real-world attacks, CISA is recommending that Federal Civilian Executive Branch (FCEB) agencies remediate CVE-2024-1212 by December 9, 2024, to secure their networks.The development comes days after Sophos revealed that cybercrime actors are actively weaponizing a critical flaw in Veeam Backup & Replication (CVE-2024-40711, CVSS score: 9.8) to deploy a previously undocumented ransomware called Frag.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 19, 2024Ravie LakshmananCyber Espionage / Data BreachU.S. telecoms giant T-Mobile has confirmed that it was also among the companies that were targeted by Chinese threat actors to gain access to valuable information.The adversaries, tracked as Salt Typhoon, breached the company as part of a "monthslong campaign" designed to harvest cellphone communications of "high-value intelligence targets." It's not clear what information was taken, if any, during the malicious activity."T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," a spokesperson for the company was quoted as saying to The Wall Street Journal. "We will continue to monitor this closely, working with industry peers and the relevant authorities."With the latest development, T-Mobile has joined a list of major organizations like AT&T, Verizon, and Lumen Technologies that have been singled out as part of what appears to be a full-blown cyber espionage campaign.So far, the reports make no mention of the degree to which these attacks saw success, whether any kind of malware was installed, or what kinds of information they were after. Salt Typhoon's unauthorized access to Americans' cellular data records was previously disclosed by Politico.Last week, the U.S. government said its ongoing investigation into the targeting of commercial telecommunications infrastructure revealed a "broad and significant" hack orchestrated by the People's Republic of China (PRC)."PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders," it said.It further warned that the extent and scope of these compromises could grow as the probe continues.Salt Typhoon, which is also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is said to have been active since at least 2020, according to Trend Micro. In August 2023, the spy crew was linked to a series of attacks aimed at government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S.Analysis shows that the threat actors have methodically crafted their payloads and made use of an interesting combination of legitimate and bespoke tools and techniques to bypass defenses and maintain access to their targets."Earth Estries maintains persistence by continuously updating its tools and employs backdoors for lateral movement and credential theft," Trend Micro researchers Ted Lee, Leon M Chang, and Lenart Bermejo said in an exhaustive analysis published earlier this month."Data collection and exfiltration are performed using TrillClient, while tools like cURL are used for sending information to anonymized file-sharing services, employing proxies to hide backdoor traffic."The cybersecurity company said it observed two distinct attack chains employed by the group, indicating the tradecraft that Salt Typhoon has in its arsenal is broad as it's varied. Initial access to target networks is facilitated by exploiting vulnerabilities in outside-facing services or remote management utilities.In one set of attacks, the threat actor has been found taking advantage of vulnerable or misconfigured QConvergeConsole installations to deliver malware such as Cobalt Strike, a custom Go-based stealer called TrillClient, and backdoors like HemiGate and Crowdoor, a variant of SparrowDoor which has been previously put to use by another China-linked group called Tropic Trooper.Some of the other techniques include the use of PSExec to laterally install its backdoors and tools, and TrillClient to collect user credentials from web browser user-profiles and exfiltrate them to an attacker-controlled Gmail account via the Simple Mail Transfer Protocol (SMTP) to further its objectives.The second infection sequence, in contrast, is a lot more sophisticated, with the threat actors abusing susceptible Microsoft Exchange servers to implant the China Chopper web shell, which is then used to deliver Cobalt Strike, Zingdoor, and Snappybee (aka Deed RAT), a suspected successor to the ShadowPad malware."Delivery of these additional backdoors and tools is done either via a [command-and-control] server or by using cURL to download them from attacker-controlled servers," the researchers said. "These backdoor installations are also periodically replaced and updated.""The collection of documents of interest are done via RAR and are exfiltrated using cURL, with the data being sent to anonymized file sharing services."Also utilized in the attacks are programs like NinjaCopy to extract credentials and PortScan for network discovery and mapping. Persistence on the host is accomplished by means of scheduled tasks.In one case, Salt Typhoon is also believed to have repurposed a victim's proxy server to forward traffic to the actual command-and-control (C2) server in an attempt to conceal the malicious traffic.Trend Micro noted that one of the infected machines also harbored two additional backdoors named Cryptmerlin, which executes additional commands issued by a C2 server, and FuxosDoor, an Internet Information Services (IIS) implant that's deployed on a compromised Exchange Server and is also designed to run commands using cmd.exe."Our analysis of Earth Estries' persistent TTPs in prolonged cyber operations reveals a sophisticated and adaptable threat actor that employs various tools and backdoors, demonstrating not only technical capabilities, but also a strategic approach to maintaining access and control within compromised environments," the researchers said."Throughout their campaigns, Earth Estries has displayed a keen understanding of their target environments, by continually identifying exposed layers for re-entry. By using a combination of established tools and custom backdoors, they have created a multi-layered attack strategy that is difficult to detect and mitigate."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak, up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone. One of the more troubling aspects of this report is that over 90% of valid secrets found and reported remained valid for more than 5 days. According to the same research, on average, it takes organizations 27 days to remediate leaked credentials. Combine that with the fact that non-human identities outnumber human identities by at least 45:1, and it is easy to see why many organizations are realizing stopping secrets sprawl means finding a way to deal with this machine identity crisis. Unfortunately, the research also shows that many teams are confused about who owns the security of these identities. It is a perfect storm of risk. Why Does Rotation Take So LongSo, why are we taking so long to rotate credentials if we know they are one of the easiest attack paths for adversaries? One major contributing factor is a lack of clarity on how our credentials are permissioned. Permissions are what authorize what specific things one entity, such as a Kubernetes workload or a microservice, can successfully request from another service or data source. Let's remember what remediation of a secrets sprawl incident means: you need to safely replace a secret without breaking anything or granting new, too-wide permissions, which would potentially introduce more security risks to your company. If you already have full insight into the lifecycle of your non-human identities and their associated secrets, this is a fairly straightforward process of replacing them with new secrets with the same permissions. This can take considerable time if you don't already have that insight, as you need to hope the developer who originally created it is still there and has documented what was done. Let's look at why permissions management is especially challenging in environments dominated by NHIs, examine the challenges developers and security teams face in balancing access control and productivity, and discuss how a shared responsibility model might help.Who Really Owns Secrets Sprawl?Secrets sprawl generally refers to the proliferation of access keys, passwords, and other sensitive credentials across development environments, repositories, and services like Slack or Jira. GitGuardian's latest Voice of the Practitioners report highlights that 65% of respondents place the responsibility for remediation squarely on the IT security teams. At the same time, 44% of IT leaders reported developers are not following best practices for secrets management. Secrets sprawl and the underlying issues of over-permissioned long-lived credentials will continue to fall in this gap until we figure out how to better work together in a shared responsibility model.The Developer's Perspective On PermissionsDevelopers face enormous pressure to build and deploy features quickly. However, managing permissions carefully, with security best practices, can be labor-intensive. Each project or application often has its own unique access requirements, which take time to research and properly set, almost feeling like a full-time job on top of the work making and deploying their applications. Best practices for creating and managing permissions too commonly do not get applied evenly across teams, are seldom documented appropriately, or are forgotten altogether after the developer gets the application working. Compounding the issue, in too many cases, developers are simply granting too wide of permissions to these machine identities. One report found that only 2% of granted permissions are actually used. If we take a closer look at what they are up against, it is easy to see why.For instance, think about managing permissions within Amazon Web Services. AWS's Identity and Access Management (IAM) policies are known for their flexibility but are also complex and confusing to navigate. IAM supports various policy typesidentity-based, resource-based, and permission boundariesall of which require precise configurations. AWS also offers multiple access paths for credentials, including IAM roles and KMS (Key Management Service) grants, which each come with its own unique access configurations. Learning this system is no small feat.Another common example of a service where permissions can become difficult to manage is GitHub. API keys can grant permissions to repositories across various organizations, making it challenging to ensure appropriate access boundaries. A single key can unintentionally provide excessive access across environments when developers are members of multiple organizations. The pressure is on to get it right, while the clock is always ticking and the backlog keeps getting bigger. Why Security Teams Alone Can't Fix ThisIt may seem logical to assign security teams responsibility for monitoring and rotating secrets; after all, this is a security concern. The reality is that these teams often lack the granular project-level knowledge needed to make changes safely. Security teams don't always have the context to understand what specific permissions are essential for keeping applications running. For instance, a seemingly minor permission change could break a CI/CD pipeline, disrupt production, or even cause a company-wide cascading failure if the wrong service disappears.The dispersed nature of secrets management across teams and environments also increases the attack surface. With no one really in charge, it becomes much harder to maintain consistency in access controls and audit trails. This fragmentation often results in excessive or outdated credentials and their associated permissions remaining active for far too long, possibly forever. It can make it difficult to know who has legitimate or illegitimate access to which secrets at any given time.A Shared Responsibility Model For Faster RotationDevelopers and security teams could help address these issues by meeting in the middle and building a shared responsibility model. In such a model, developers are more responsible for consistently managing their permissions through proper tooling, such as CyberArk's Conjur Secrets Manager or Vault by HashiCorp, while also better documenting the permissions and scope of the necessary permissions at the project level. Security teams should be helping developers by working to automate secrets rotation, investing in the proper observability tooling to gain clarity into the state of secrets, and working with IT to eliminate long-lived credentials altogether. If developers clearly document which permissions are needed in their requirements, it could help security teams conduct faster and more precise audits and speed remediation. If security teams work to ensure that the easiest and fastest overall path toward implementing a new non-human identity secret is also the safest and most scalable route, then there are going to be far fewer incidents that require emergency rotation, and everyone wins. The goal for developers should be to ensure that the security team can rotate or update credentials in their applications with confidence, on their own, knowing they're not jeopardizing production.Key Questions to Address around PermissioningWhen thinking through what needs to be documented, here are a few specific data points to help this cross-team effort flow more smoothly: Who Created the Credential? - Many organizations find it difficult to track credential ownership, especially when a key is shared or rotated. This knowledge is essential to understanding who is responsible for rotating or revoking credentials.What Resources Does It Access? - API keys can often access a range of services, from databases to third-party integrations, making it essential to limit permissions to the absolute minimum necessary.What Permissions Does It Grant? - Permissions vary widely depending on roles, resource-based policies, and policy conditions. For instance, in Jenkins, a user with `Overall/Read` permission can view general information, while `Overall/Administer` grants full control over the system.How Do We Revoke or Rotate It? - The ease of revocation varies by platform, and in many cases, teams must manually track down keys and permissions across systems, complicating remediation and prolonging exposure to threats.Is the Credential Active? - Knowing whether a credential is still in use is critical. When NHIs use long-lived API keys, these credentials may remain active indefinitely unless managed properly, creating persistent access risks.Permissions Are Challenging, But We Can Manage Them Together As One TeamAccording to the GitGuardian report, while 75% of respondents expressed confidence in their secrets management capabilities, the reality is often much different. The average remediation time of 27 days reflects this gap between confidence and practice. It is time to rethink how we implement and communicate secrets and their permissions as an organization.While developers work diligently to balance security and functionality, the lack of streamlined permissions processes and uncentralized or unstandardized documentation paths only amplify the risks. Security teams alone can't resolve these issues effectively due to their limited insight into project-specific needs. They need to work hand-in-hand with developers every step of the way. GitGuardian is building the next generation of secrets security tooling, helping security and IT teams get a handle on secrets sprawl. Knowing what plaintext, long-lived credentials are exposed in your code and other environments is a needed first step to eliminating this threat. Start today with GitGuardian.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Nov 18, 2024Ravie LakshmananThreat Intelligence / RansomwareCybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza.BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security researcher Ryan Robinson said in a report published Sunday.Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software.Loaders have become an increasingly prevalent method to deliver malware, like stealers or ransomware, often acting as the first stage in an attack chain in a manner that sidesteps traditional antivirus defenses by incorporating a bevy of anti-analysis and anti-sandboxing features.This is evidenced in the steady stream of new loader families that have emerged in recent years. This includes but is not limited to Dolphin Loader, Emmenhtal, FakeBat, and Hijack Loader, among others, which have been used to propagate various payloads like CryptBot, Lumma Stealer, SectopRAT, SmokeLoader, and Ursnif.What makes BabbleLoader stand out is that it packs various evasion techniques that can fool both traditional and AI-based detection systems. This encompasses the use of junk code and metamorphic transformations that modify the loader's structure and flow to bypass signature-based and behavioral detections.It also gets around static analysis by resolving necessary functions only at runtime, alongside taking steps to impede analysis in sandboxed environments. Furthermore, the excessive addition of meaningless, noisy code causes disassembly or decompilation tools like IDA, Ghidra, and Binary Ninja to crash, forcing a manual analysis."Each build of the loader will have unique strings, unique metadata, unique code, unique hashes, unique encryption, and a unique control flow," Robinson said. "Each sample is structurally unique with only a few snippets of shared code. Even the metadata of the file is randomized for each sample.""This constant variation in code structure forces AI models to continuously re-learn what to look for a process that often leads to missed detections or false positives."The loader, at its core, is responsible for loading shellcode that then paves the way for decrypted code, a Donut loader, which, in turn, unpacks and executes the stealer malware."The better that the loaders can protect the ultimate payloads, the less resources threat actors will need to expend in order to rotate burned infrastructure," Robinson concluded. "BabbleLoader takes measures to protect against as many forms of detection that it can, in order to compete in a crowded loader/crypter market."The development comes as Rapid7 detailed a new malware campaign that distributes a new version of LodaRAT that's equipped to steal cookies and passwords from Microsoft Edge and Brave, in addition to gathering all kinds of sensitive data, delivering more malware, and granting remote control of compromised hosts. It's been active since September 2016.The cybersecurity company said it "spotted new versions being distributed by Donut loader and Cobalt Strike," and that it "observed LodaRAT on systems infected with other malware families like AsyncRAT, Remcos, XWorm, and more." That said, the exact relationship between these infections remains unclear.It also follows the discovery of Mr.Skeleton RAT, a new malware based on njRAT, that has been advertised on the cybercrime underground and comes with functionality for "remote access and desktop operations, file/folder and registry manipulation, remote shell execution, keylogging, as well as remote control of the devices' camera."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

What do hijacked websites, fake job offers, and sneaky ransomware have in common? They're proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people.This week makes one thing clear: no system, no person, no organization is truly off-limits. Attackers are getting smarter, faster, and more creativeusing everything from human trust to hidden flaws in technology. The real question is: are you ready? Every attack holds a lesson, and every lesson is an opportunity to strengthen your defenses. This isn't just newsit's your guide to staying safe in a world where cyber threats are everywhere. Let's dive in. Threat of the WeekPalo Alto Networks Warns of Zero-Day: A remote code execution flaw in the Palo Alto Networks PAN-OS firewall management interface is the newest zero-day to be actively exploited in the wild. The company began warning about potential exploitation concerns on November 8, 2024. It has since been confirmed that it has been weaponized in limited attacks to deploy a web shell. The critical vulnerability has no patches as yet, which makes it all the more crucial that organizations limit management interface access to trusted IP addresses. The development comes as three different critical flaws in Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) have also seen active exploitation attempts. Details are sparse on who is exploiting them and the scale of the attacks. Top NewsBrazenBamboo Exploits Unpatched Fortinet Flaw: A threat-actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA. Volexity described BrazenBamboo as the developer of three distinct malware families DEEPDATA, DEEPPOST, and LightSpy, and not necessarily one of the operators using them. BlackBerry, which also detailed DEEPDATA, said it has been put to use by the China-linked APT41 actor.About 70,000 Domains Hijacked by Sitting Ducks Attack: Multiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for using them in phishing attacks and investment fraud schemes for years. Sitting Ducks exploits misconfigurations in a web domain's domain name system (DNS) settings to take control of it. Of the nearly 800,000 vulnerable registered domains over the past three months, approximately 9% (70,000) have been subsequently hijacked.Got a Dream Job Offer on LinkedIn? It May Be Iranian Hackers: The Iranian threat actor known as TA455 is targeting LinkedIn users with enticing job offers intended to trick them into running a Windows-based malware named SnailResin. The attacks have been observed targeting the aerospace, aviation, and defense industries since at least September 2023. Interestingly, the tactics overlap with that of the notorious North Korea-based Lazarus Group.WIRTE Targets Israel With SameCoin Wiper: WIRTE, a Middle Eastern threat actor affiliated with Hamas, has orchestrated cyber espionage operations against the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, as well as carried out disruptive attacks that exclusively target Israeli entities using SameCoin wiper. The destructive operations were first flagged at the start of the year.ShrinkLocker Decryptor Released: Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. First identified earlier this year, ShrinkLocker is notable for its abuse of Microsoft's BitLocker utility for encrypting files as part of extortion attacks targeting entities in Mexico, Indonesia, and Jordan. Trending CVEsRecent cybersecurity developments have highlighted several critical vulnerabilities, including: CVE-2024-10924, CVE-2024-10470, CVE-2024-10979, CVE-2024-9463, CVE-2024-9465, CVE-2024-43451, CVE-2024-49039, CVE-2024-8068, CVE-2024-8069, CVE-2023-28649, CVE-2023-31241, CVE-2023-28386, CVE-2024-50381, CVE-2024-7340, and CVE-2024-47574. These security flaws are serious and could put both companies and regular people at risk. To stay safe, everyone needs to keep their software updated, upgrade their systems, and constantly watch out for threats. Around the Cyber WorldThe Top Routinely Exploited Vulnerabilities of 2023 Revealed: Cybersecurity agencies from the Five Eyes nations, Australia, Canada, New Zealand, the U.K., and the U.S., have released the list of top 15 vulnerabilities threat actors have been observed routinely exploiting in 2023. This includes security flaws from Citrix NetScaler (CVE-2023-3519, CVE-2023-4966), Cisco (CVE-2023-20198, CVE-2023-20273), Fortinet (CVE-2023-27997), Progress MOVEit Transfer (CVE-2023-34362), Atlassian (CVE-2023-22515), Apache Log4j (CVE-2021-44228), Barracuda Networks ESG (CVE-2023-2868), Zoho ManageEngine (CVE-2022-47966), PaperCut MF/NG (CVE-2023-27350), Microsoft Netlogon (CVE-2020-1472), JetBrains TeamCity (CVE-2023-42793), Microsoft Outlook (CVE-2023-23397), and ownCloud (CVE-2023-49103). "More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks," the U.K. NCSC said. The disclosure coincided with Google's announcement that it will begin issuing "CVEs for critical Google Cloud vulnerabilities, even when we do not require customer action or patching" to boost vulnerability transparency. It also came as the CVE Program recently turned 25, with over 400 CVE Numbering Authorities (CNAs) and more than 240,000 CVE identifiers assigned as of October 2024. The U.S. National Institute of Standards and Technology (NIST), for its part, said it now has a "full team of analysts on board, and we are addressing all incoming CVEs as they are uploaded into our system" to address the backlog of CVEs that built up earlier this calendar year.GeoVision Zero-Day Under Attack: A new zero-day flaw in end-of-life GeoVision devices (CVE-2024-11120, CVSS score: 9.8), a pre-auth command injection vulnerability, is being exploited to compromise and enlist them into a Mirai botnet for likely DDoS or cryptomining attacks. "We observed a 0day exploit in the wild used by a botnet targeting GeoVision EOL devices," the Shadowserver Foundation said. Users of GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, and GVLX 4 V3 are recommended to replace them.New Banking Trojan Silver Shifting Yak Targets Latin America: A new Windows-based banking trojan named Silver Shifting Yak has been observed targeting Latin American users with the goal of stealing information from financial institutions such as Banco Ita, Banco do Brasil, Banco Bandresco, Foxbit, and Mercado Pago Brasil, among others, as well as credentials used to access Microsoft portals such as Outlook, Azure, and Xbox. The initial attack stages of the malware are believed to be initiated by phishing emails that lead the victims to malicious .ZIP archives hosted on fake websites. The development comes as the threat actor known as Hive0147 has begun to use a new malicious downloader called Picanha to deploy the Mekotio banking trojan. "Hive0147 also distributes other banking trojans, such as Banker.FN also known as Coyote, and is likely affiliated with several other Latin American cyber crime groups operating different downloaders and banking trojans to enable banking fraud," IBM X-Force said.Tor Network Faces IP Spoofing Attack: The Tor Project said the Tor anonymity network was the target of a "coordinated IP spoofing attack" starting October 20, 2024. The attacker "spoofed non-exit relays and other Tor-related IPs to trigger abuse reports aimed at disrupting the Tor Project and the Tor network," the project said. "The origin of these spoofed packets was identified and shut down on November 7, 2024." The Tor Project said the incident had no impact on its users, but said it did take a few relays offline temporarily. It's unclear who is behind the attack.FBI Warns About Criminals Sending Fraudulent Police Data Requests: The FBI is warning that hackers are obtaining private user information from U.S.-based tech companies by compromising U.S. and foreign government/police email addresses to submit "emergency" data requests. The abuse of emergency data requests by malicious actors such as LAPSUS$ has been reported in the past, but this is the first time the FBI has formally admitted that the legal process is being exploited for criminal purposes. "Cybercriminals understand the need for exigency, and use it to their advantage to shortcut the necessary analysis of the emergency data request," the agency said.New Trends in Ransomware: A financially-motivated threat actor known as Lunar Spider has been linked to a malvertising campaign targeting financial services that employs SEO poisoning to deliver the Latrodectus malware, which, in turn, is used to deploy the Brute Ratel C4 (BRc4) post-exploitation framework. In this campaign detected in October 2024, users searching for tax-related content on Bing are lured into downloading an obfuscated JavaScript. Upon execution, this script retrieves a Windows Installer (MSI) from a remote server, which installs Brute Ratel. The toolkit then connects to command-and-control (C2) servers for further instructions, allowing the attacker to control the infected system. It's believed that the end goal of the attacks is to deploy ransomware on compromised hosts. Lunar Spider is also the developer behind IcedID, suggesting that the threat actor is continuing to evolve their malware deployment approach to counter law enforcement efforts. It's not just Lunar Spider. Another infamous cybercrime gang called Scattered Spider has been acting as an initial access broker for the RansomHub ransomware operation, employing advanced social engineering tactics to obtain privileged access and deploy the encryptor to impact a critical ESXi environment in just six hours." The disclosure comes as ransomware attacks, including those aimed at cloud services, continue to be a persistent threat, even as the volume of the incidents is beginning to witness a drop and there is a steady decline in the ransom payment rates. The appearance of new ransomware families like Frag, Interlock, and Ymir notwithstanding, one of the noteworthy trends in 2024 has been the rise of unaffiliated ransomware actors, the so-called "lone wolves" who operate independently. Resources, Guides & Insights Expert WebinarHow to be Ready for Rapid Certificate Replacement Is certificate revocation a nightmare for your business? Join our free webinar and learn how to replace certificates with lightning speed. We'll share secrets to minimize downtime, automate replacements, master crypto agility, and implement best practices for ultimate resilience.Building Tomorrow, SecurelyAI Security in App Development AI is revolutionizing the world, but are you prepared for the risks? Learn how to build secure AI applications from the ground up, protect against data breaches and operational nightmares, and integrate robust security into your development process. Reserve your spot now and discover the essential tools to safeguard your AI initiatives. Cybersecurity ToolsGrafana Grafana is an open-source monitoring and observability platform that enables cybersecurity teams to query, visualize, and alert on security metrics from any data source. It offers customizable dashboards with flexible visualizations and template variables, allowing for real-time threat monitoring, intrusion detection, and incident response. Features such as ad-hoc queries and dynamic drill-downs facilitate the exploration of metrics related to network traffic, user behavior, and system logs. Seamless log exploration with preserved filters supports forensic investigations, while visual alert definitions ensure timely notifications to security operations centers through integrations with tools like Slack and PagerDuty. Additionally, Grafana's ability to mix different data sourcesincluding custom onesprovides comprehensive security monitoring across diverse environments, enhancing the organization's ability to maintain a robust cybersecurity posture.URLCrazy is an OSINT tool designed for cybersecurity professionals to generate and test domain typos or variations, effectively detecting and preventing typo squatting, URL hijacking, phishing, and corporate espionage. By creating 15 types of domain variants and leveraging over 8,000 common misspellings across more than 1,500 top-level domains, URLCrazy helps organizations protect their brand by registering popular typos, identifying domains diverting traffic intended for their legitimate sites, and conducting phishing simulations during penetration tests. Tip of the WeekUse Canary Tokens to Detect Intrusions Hackers rely on staying hidden, but canary tokens help you catch them early. These are fake files, links, or credentials, like "Confidential_Report_2024.xlsx" or a fake AWS key, placed in spots hackers love to snoopshared drives, admin folders, or cloud storage. If someone tries to access them, you get an instant alert with details like their IP address and time of access.They're easy to set up using free tools like Canarytokens.org and don't need any advanced skills. Just keep them realistic, put them in key places, and check for alerts. Make sure you test your tokens after setup to ensure they work and avoid overusing them to prevent unnecessary noise. Place them strategically in high-value areas, and monitor alerts closely to act quickly if triggered. It's a smart, low-effort way to spot hackers before they can do damage.ConclusionThat's it for this week's cybersecurity updates. The threats might seem complicated, but protecting yourself doesn't have to be. Start simple: keep your systems updated, train your team to spot risks, and always double-check anything that seems off.Cybersecurity isn't just something you doit's how you think. Stay curious, stay cautious, and stay protected. We'll be back next week with more tips and updates to keep you ahead of the threats.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak, up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone. One of the more troubling aspects of this report is that over 90% of valid secrets found and reported remained valid for more than 5 days. According to the same research, on average, it takes organizations 27 days to remediate leaked credentials. Combine that with the fact that non-human identities outnumber human identities by at least 45:1, and it is easy to see why many organizations are realizing stopping secrets sprawl means finding a way to deal with this machine identity crisis. Unfortunately, the research also shows that many teams are confused about who owns the security of these identities. It is a perfect storm of risk. Why Does Rotation Take So LongSo, why are we taking so long to rotate credentials if we know they are one of the easiest attack paths for adversaries? One major contributing factor is a lack of clarity on how our credentials are permissioned. Permissions are what authorize what specific things one entity, such as a Kubernetes workload or a microservice, can successfully request from another service or data source. Let's remember what remediation of a secrets sprawl incident means: you need to safely replace a secret without breaking anything or granting new, too-wide permissions, which would potentially introduce more security risks to your company. If you already have full insight into the lifecycle of your non-human identities and their associated secrets, this is a fairly straightforward process of replacing them with new secrets with the same permissions. This can take considerable time if you don't already have that insight, as you need to hope the developer who originally created it is still there and has documented what was done. Let's look at why permissions management is especially challenging in environments dominated by NHIs, examine the challenges developers and security teams face in balancing access control and productivity, and discuss how a shared responsibility model might help.Who Really Owns Secrets Sprawl?Secrets sprawl generally refers to the proliferation of access keys, passwords, and other sensitive credentials across development environments, repositories, and services like Slack or Jira. GitGuardian's latest Voice of the Practitioners report highlights that 65% of respondents place the responsibility for remediation squarely on the IT security teams. At the same time, 44% of IT leaders reported developers are not following best practices for secrets management. Secrets sprawl and the underlying issues of over-permissioned long-lived credentials will continue to fall in this gap until we figure out how to better work together in a shared responsibility model.The Developer's Perspective On PermissionsDevelopers face enormous pressure to build and deploy features quickly. However, managing permissions carefully, with security best practices, can be labor-intensive. Each project or application often has its own unique access requirements, which take time to research and properly set, almost feeling like a full-time job on top of the work making and deploying their applications. Best practices for creating and managing permissions too commonly do not get applied evenly across teams, are seldom documented appropriately, or are forgotten altogether after the developer gets the application working. Compounding the issue, in too many cases, developers are simply granting too wide of permissions to these machine identities. One report found that only 2% of granted permissions are actually used. If we take a closer look at what they are up against, it is easy to see why.For instance, think about managing permissions within Amazon Web Services. AWS's Identity and Access Management (IAM) policies are known for their flexibility but are also complex and confusing to navigate. IAM supports various policy typesidentity-based, resource-based, and permission boundariesall of which require precise configurations. AWS also offers multiple access paths for credentials, including IAM roles and KMS (Key Management Service) grants, which each come with its own unique access configurations. Learning this system is no small feat.Another common example of a service where permissions can become difficult to manage is GitHub. API keys can grant permissions to repositories across various organizations, making it challenging to ensure appropriate access boundaries. A single key can unintentionally provide excessive access across environments when developers are members of multiple organizations. The pressure is on to get it right, while the clock is always ticking and the backlog keeps getting bigger. Why Security Teams Alone Can't Fix ThisIt may seem logical to assign security teams responsibility for monitoring and rotating secrets; after all, this is a security concern. The reality is that these teams often lack the granular project-level knowledge needed to make changes safely. Security teams don't always have the context to understand what specific permissions are essential for keeping applications running. For instance, a seemingly minor permission change could break a CI/CD pipeline, disrupt production, or even cause a company-wide cascading failure if the wrong service disappears.The dispersed nature of secrets management across teams and environments also increases the attack surface. With no one really in charge, it becomes much harder to maintain consistency in access controls and audit trails. This fragmentation often results in excessive or outdated credentials and their associated permissions remaining active for far too long, possibly forever. It can make it difficult to know who has legitimate or illegitimate access to which secrets at any given time.A Shared Responsibility Model For Faster RotationDevelopers and security teams could help address these issues by meeting in the middle and building a shared responsibility model. In such a model, developers are more responsible for consistently managing their permissions through proper tooling, such as CyberArk's Conjur Secrets Manager or Vault by HashiCorp, while also better documenting the permissions and scope of the necessary permissions at the project level. Security teams should be helping developers by working to automate secrets rotation, investing in the proper observability tooling to gain clarity into the state of secrets, and working with IT to eliminate long-lived credentials altogether. If developers clearly document which permissions are needed in their requirements, it could help security teams conduct faster and more precise audits and speed remediation. If security teams work to ensure that the easiest and fastest overall path toward implementing a new non-human identity secret is also the safest and most scalable route, then there are going to be far fewer incidents that require emergency rotation, and everyone wins. The goal for developers should be to ensure that the security team can rotate or update credentials in their applications with confidence, on their own, knowing they're not jeopardizing production.Key Questions to Address around PermissioningWhen thinking through what needs to be documented, here are a few specific data points to help this cross-team effort flow more smoothly: Who Created the Credential? - Many organizations find it difficult to track credential ownership, especially when a key is shared or rotated. This knowledge is essential to understanding who is responsible for rotating or revoking credentials.What Resources Does It Access? - API keys can often access a range of services, from databases to third-party integrations, making it essential to limit permissions to the absolute minimum necessary.What Permissions Does It Grant? - Permissions vary widely depending on roles, resource-based policies, and policy conditions. For instance, in Jenkins, a user with `Overall/Read` permission can view general information, while `Overall/Administer` grants full control over the system.How Do We Revoke or Rotate It? - The ease of revocation varies by platform, and in many cases, teams must manually track down keys and permissions across systems, complicating remediation and prolonging exposure to threats.Is the Credential Active? - Knowing whether a credential is still in use is critical. When NHIs use long-lived API keys, these credentials may remain active indefinitely unless managed properly, creating persistent access risks.Permissions Are Challenging, But We Can Manage Them Together As One TeamAccording to the GitGuardian report, while 75% of respondents expressed confidence in their secrets management capabilities, the reality is often much different. The average remediation time of 27 days reflects this gap between confidence and practice. It is time to rethink how we implement and communicate secrets and their permissions as an organization.While developers work diligently to balance security and functionality, the lack of streamlined permissions processes and uncentralized or unstandardized documentation paths only amplify the risks. Security teams alone can't resolve these issues effectively due to their limited insight into project-specific needs. They need to work hand-in-hand with developers every step of the way. GitGuardian is building the next generation of secrets security tooling, helping security and IT teams get a handle on secrets sprawl. Knowing what plaintext, long-lived credentials are exposed in your code and other environments is a needed first step to eliminating this threat. Start today with GitGuardian.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Nov 18, 2024Ravie LakshmananVulnerability / Website SecurityA critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker to remotely gain full administrative access to a susceptible site.The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites. "The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites," Wordfence security researcher Istvn Mrton said.Following responsible disclosure on November 6, 2024, the shortcoming has been patched in version 9.1.2 released a week later. This risk of possible abuse has prompted the plugin maintainers to work with WordPress to force-update all sites running this plugin prior to public disclosure.According to Wordfence, the authentication bypass vulnerability, found in versions 9.0.0 to 9.1.1.1, arises from improper user check error handling in a function called "check_login_and_get_user," thereby allowing unauthenticated attackers to login as arbitrary users, including administrators, when two-factor authentication is enabled."Unfortunately, one of the features adding two-factor authentication was insecurely implemented making it possible for unauthenticated attackers to gain access to any user account, including an administrator account, with a simple request when two-factor authentication is enabled," Mrton said.Successful exploitation of the vulnerability could have serious consequences, as it could permit malicious actors to hijack WordPress sites and further use them for criminal purposes.The disclosure comes days after Wordfence revealed another critical shortcoming in the WPLMS Learning Management System for WordPress, WordPress LMS (CVE-2024-10470, CVSS score: 9.8) that could enable unauthenticated threat actors to read and delete arbitrary files, potentially resulting in code execution.Specifically, the theme, prior to version 4.963, is "vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks," allowing unauthenticated attackers to delete arbitrary files on the server."This makes it possible for unauthenticated attackers to read and delete any arbitrary file on the server, including the site's wp-config.php file," it said. "Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 18, 2024Ravie LakshmananMobile Security / SpywareLegal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so.They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target's devices as WhatsApp erected new defenses to counter the threat.In May 2019, WhatsApp said it blocked a sophisticated cyber attack that exploited its video calling system to deliver Pegasus malware surreptitiously. The attack leveraged a then zero-day flaw tracked as CVE-2019-3568 (CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality.The documents now show that NSO Group "developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus." The attack vector a zero-click exploit that could compromise a victim's phone without any interaction from the victim was neutralized sometime after May 2020, indicating that it was employed even after WhatsApp filed a lawsuit against it in October 2019.Erised is believed to be one of the many such malware vectors collectively dubbed Hummingbird that the NSO Group had devised to install Pegasus by using WhatsApp as a conduit, including those tracked as Heaven and Eden, the latter of which is a codename for CVE-2019-3568 and had been used to target about 1,400 devices."[NSO Group has] admitted that they developed those exploits by extracting and decompiling WhatsApp's code, reverse-engineering WhatsApp, and designing and using their own 'WhatsApp Installation Server' (or 'WIS') to send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agentall in violation of federal and state law and the plain language of WhatsApp's Terms of Service," according to the unsealed court documents.Specifically, Heaven used manipulated messages to force WhatsApp's signaling servers which are used to authenticate the client (i.e. the installed app) to direct target devices to a third-party relay server controlled by NSO Group.Server-side security updates made by WhatsApp by the end of 2018 are said to have prompted the company to develop a new exploit named Eden by February 2019 that dropped the need for NSO Group's own relay server in favor of relays operated by WhatsApp."NSO refused to state whether it developed further WhatsApp-based Malware Vectors after May 10, 2020," per one of the documents. "NSO also admits the malware vectors were used to successfully install Pegasus on 'between hundreds and tens of thousands' of devices."Furthermore, the filings offer a behind-the-scenes look at how Pegasus is installed on a target's device using WhatsApp, and how it is NSO Group, and not the customer, that operates the spyware, contradicting prior claims from the Israeli company."NSO's customers' role is minimal," the documents state. "The customer only needed to enter the target device's number and 'press Install, and Pegasus will install the agent on the device remotely without any engagement.' In other words, the customer simply places an order for a target device's data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus."NSO Group has repeatedly maintained that its product is meant to be used to combat serious crime and terrorism. It has also insisted that its clients are responsible for managing the system and have access to the intelligence gathered by it.Back in September 2024, Apple filed a motion to "voluntarily" dismiss its lawsuit against NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information and that it "has the potential to put vital security information at risk."In the interim years, the iPhone maker has steadily added new security features to make it difficult to conduct mercenary spyware attacks. Two years ago, it introduced Lockdown Mode as a way to harden device defenses by reducing the functionality across various apps like FaceTime and Messages, as well as block configuration profiles.Then earlier this week, reports emerged of a novel security mechanism in beta versions of iOS 18.2 that automatically reboots the phone if it's not unlocked for 72 hours, requiring users, including law enforcement agencies that may have access to suspects' phones, to re-enter the password in order to access the device.Magnet Forensics, which offers a data extraction tool called GrayKey, confirmed the "inactivity reboot" feature, stating the trigger is "tied to the lock state of the device" and that "once a device has entered a locked state and has not been unlocked within 72 hours, it will reboot.""Because of the new inactivity reboot timer, it is now more imperative than ever that devices get imaged as soon as possible to ensure the acquisition of the most available data," it added.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 15, 2024Ravie LakshmananNetwork Security / VulnerabilityThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition have come under active exploitation in the wild.To that, it has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5, 2024.The security flaws are listed below -CVE-2024-9463 (CVSS score: 9.9) - Palo Alto Networks Expedition OS Command Injection VulnerabilityCVE-2024-9465 (CVSS score: 9.3) - Palo Alto Networks Expedition SQL Injection VulnerabilitySuccessful exploitation of the vulnerabilities could allow an unauthenticated attacker to run arbitrary OS commands as root in the Expedition migration tool or reveal its database contents.This could then pave the way for disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, or create and read arbitrary files on the vulnerable system.Palo Alto Networks addressed these shortcomings as part of security updates released on October 9, 2024. The company has since revised its original advisory to acknowledge that it's "aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465."That said, not much is known about how these vulnerabilities are being exploited, by whom, and how widespread these attacks are. The development also came a week after CISA was notified of the active exploitation of CVE-2024-5910 (CVSS score: 9.3), another critical flaw affecting Expedition.Palo Alto Networks Confirms New Flaw Under Limited AttackPalo Alto Networks has since also confirmed that it has detected an unauthenticated remote command execution vulnerability being weaponized against a small subset of firewall management interfaces that are exposed to the internet, urging customers to secure them."Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet," it added.The company, which is investigating the malicious activity and has given the vulnerability a CVSS score of 9.3 (no CVE identifier), also said it's "preparing to release fixes and threat prevention signatures as early as possible."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 15, 2024Ravie LakshmananFinancial Fraud / BlockchainIlya Lichtenstein, who pleaded guilty to the 2016 hack of cryptocurrency stock exchange Bitfinex, has been sentenced to five years in prison, the U.S. Department of Justice (DoJ) announced Thursday.Lichtenstein was charged for his involvement in a money laundering scheme that led to the theft of nearly 120,000 bitcoins (valued at over $10.5 billion at current prices) from the crypto exchange. Heather Rhiannon Morgan, his wife, also pleaded guilty to the same crimes last year. They were both arrested in February 2022. Morgan is scheduled to be sentenced on November 18."Lichtenstein, 35, hacked into Bitfinex's network in 2016, using advanced hacking tools and techniques," the DoJ said in a press statement. "Once inside the network, Lichtenstein fraudulently authorized more than 2,000 transactions transferring 119,754 bitcoin from Bitfinex to a cryptocurrency wallet in Lichtenstein's control."Besides taking a string of actions to cover up the tracks by deleting access credentials and other log files from Bitfinex's network, the couple is said to have used fictitious identities to set up online banking accounts to launder the proceeds, depositing them in darknet markets and cryptocurrency exchanges.The funds were eventually withdrawn, converted to other cryptocurrencies (a technique referred to as chain hopping), depositing a chunk of the ill-gotten assets into mixing services like Bitcoin Fog, converting them to fiat currency and moving to a U.S. bank account, and exchanging a portion of the crypto for gold coins.The development comes days after Roman Sterlingov, the 36-year-old founder of Bitcoin Fog, was sentenced to 12 years and six months in prison for facilitating money laundering activities between 2011 and 2021. Earlier this year, Lichtenstein had testified in court that he had used Bitcoin Fog 10 times to launder the virtual assets.Blockchain analytics firm Chainalysis previously revealed how the couple's purchase of Walmart gift cards using the stolen bitcoin at an unnamed virtual currency exchange eventually proved to be their undoing, after it was found that the gift cards were redeemed using the retail giant's iPhone app under an account in Heather Morgan's name."That enabled agents to get a search warrant for Lichtenstein and Morgan's home and cloud storage accounts, where they found files containing details of the cryptocurrency addresses used to move the stolen funds including their private keys along with the false information used to open accounts at cryptocurrency exchanges and plans to acquire fake passports," Chainalysis said."That discovery enabled investigators to trace the flow of funds in its entirety."According to the Associated Press, Morgan is a business owner and writer. She also adopted the alter ego Razzlekhan to perform rap songs and record videos for her music. The pair had been living in San Francisco at the time of the hack."Lichtenstein masterminded and orchestrated the Bitfinex hack without telling [Morgan]," prosecutors said. "He also initially solicited the defendant's assistance without explaining exactly what he was doing. The defendant was certainly a willing participant and bears full responsibility for her actions, but she was a lower-level participant."Chinese National Faces 20 Years in U.S. Prison for Pig Butchering ScamThe sentencing also follows a guilty plea from Daren Li, 41, for partaking in a criminal scheme to launder $73.6 million stolen through cryptocurrency investment scams using a network of shell companies and international bank accounts. Li was arrested back in April 2024 at Atlanta. He is expected to be sentenced next March."Li admitted that he conspired with others to launder funds obtained from victims through cryptocurrency scams and related fraud," the DoJ said. "In furtherance of the conspiracy, he communicated with his co-conspirators through encrypted messaging services.""In order to conceal or disguise the nature, location, source, ownership, and control of the fraudulently obtained victim funds, Li would instruct co-conspirators to open U.S. bank accounts established on behalf of shell companies and would monitor the receipt and execution of interstate and international wire transfers of victim funds."The funds were subsequently deposited to financial accounts under their control, after which they would be converted to virtual currency like Tether, and distributed to wallets owned by Li and his co-conspirators. Li faces a maximum penalty of 20 years in prison."Financial criminals and the money launderers who enable them wreak untold harm, ruining lives in the process," said U.S. Attorney Martin Estrada for the Central District of California. "Investors should be diligent and on guard against anyone offering quick riches via new, exotic investments. A healthy dose of skepticism could prevent financial ruin down the road."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 15, 2024Ravie LakshmananVulnerability / Database SecurityCybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure.The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8.Environment variables are user-defined values that can allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, during runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase."Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH)," PostgreSQL said in an advisory released Thursday."That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user."The flaw has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis researchers, Tal Peleg and Coby Abrams, who discovered the issue, said it could lead to "severe security issues" depending on the attack scenario.This includes, but is not limited to, the execution of arbitrary code by modifying environment variables such as PATH, or extraction of valuable information on the machine by running malicious queries. Additional details of the vulnerability are currently being withheld to give users enough time to apply the fixes. Users are also advised to restrict allowed extensions."For example, limiting CREATE EXTENSIONS permission grants to specific extensions and additionally setting the shared_preload_libraries configuration parameter to load only required extensions, limiting roles from creating functions per the principle of least privileges by restricting the CREATE FUNCTION permission," Varonis said.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 15, 2024The Hacker NewsMachine Learning / Identity SecurityIn recent years, artificial intelligence (AI) has begun revolutionizing Identity Access Management (IAM), reshaping how cybersecurity is approached in this crucial field. Leveraging AI in IAM is about tapping into its analytical capabilities to monitor access patterns and identify anomalies that could signal a potential security breach. The focus has expanded beyond merely managing human identities now, autonomous systems, APIs, and connected devices also fall within the realm of AI-driven IAM, creating a dynamic security ecosystem that adapts and evolves in response to sophisticated cyber threats.The Role of AI and Machine Learning in IAMAI and machine learning (ML) are creating a more robust, proactive IAM system that continuously learns from the environment to enhance security. Let's explore how AI impacts key IAM components:Intelligent Monitoring and Anomaly DetectionAI enables continuous monitoring of both human and non-human identities, including APIs, service accounts, and other automated systems. Traditional monitoring systems typically miss subtle irregularities in these interactions, but AI's analytical prowess uncovers patterns that could be early signs of security threats. By establishing baselines for "normal" behavior for each identity, AI can quickly flag deviations, allowing for a fast response to potential threats.For example, in dynamic environments such as containerized applications, AI can detect unusual access patterns or large data transfers, signaling potential security issues before they escalate. This real-time insight minimizes risks and provides a proactive approach to IAM.Advanced Access GovernanceAI's role-mining capabilities analyze identity interaction patterns, helping organizations enforce the principle of least privilege more effectively. This involves analyzing each entity's access needs and limiting permissions accordingly, without the need for manual oversight. AI can continuously monitor for policy violations, generating compliance reports, and maintaining real-time adaptive governance. In risk-based authentication, AI also assesses machine-to-machine interactions by weighing the risk based on context, such as resource sensitivity or current threat intelligence. This creates a security framework that adapts in real-time, bolstering defenses without disrupting legitimate activities.Enhancing the User ExperienceAI in IAM isn't just about improving security; it also enhances user experience by streamlining access management. Adaptive authentication, where security requirements adjust based on assessed risk, reduces friction for legitimate users. AI-driven IAM systems can automate onboarding by dynamically assigning roles based on job functions, making the process smoother and more efficient.Usage patterns also enable AI to implement just-in-time (JIT) access, where privileged access is granted only when needed. This approach minimizes standing privileges, which can be exploited by attackers, and simplifies the overall access management process.Customization and PersonalizationAI enables a high level of customization within IAM, tailoring permissions to meet each user's needs based on their role and behavior. For instance, AI can dynamically adjust access rights for contractors or temporary workers based on usage trends. By analyzing user behaviors and organizational structures, AI-driven IAM systems can automatically recommend custom directory attributes, audit formats, and access workflows tailored to different user roles. This helps reduce risk and streamlines governance without one-size-fits-all policies that often overlook organizational nuances.In compliance reporting, AI customizes audit trails to capture data most relevant to specific regulatory standards. This streamlines reporting and enhances the organization's compliance posture, a critical factor in industries with stringent regulatory requirements.Reducing False Positives in Threat DetectionA significant challenge in traditional threat detection systems is the high rate of false positives, leading to wasted resources. AI addresses this by learning from massive datasets to improve detection accuracy, distinguishing between genuine threats and benign anomalies. This reduces false positives, streamlining operations, and enabling quicker, more precise responses to real threats.Practical Applications of AI in IAMBeyond conceptual improvements, AI has practical applications across various IAM components:- Privileged Access Management (PAM): AI can monitor privileged accounts in real-time, recognizing and halting unusual behavior. By analyzing past behaviors, it can detect and terminate suspicious sessions, proactively mitigating threats for both human and non-human identities. AI also optimizes access workflows by recommending time-based access or specific privilege levels, reducing over-privileged accounts and ensuring policies align across multi-cloud environments.- Identity Governance and Administration (IGA): AI automates the lifecycle management of non-human identities, continuously analyzing usage patterns to dynamically adjust permissions. This reduces the risk of over-privileged access and ensures each identity maintains the least privilege needed throughout its lifecycle. By analyzing organizational changes, AI can even preemptively adjust access as roles evolve.- Secrets Management: AI is invaluable in managing secrets, such as API keys and passwords, predicting expiration dates or renewal needs, and enforcing more frequent rotation for high-risk secrets. A non-human identity AI-powered approach, for instance, extends secret detection beyond code repositories to collaboration tools, CI/CD pipelines, and DevOps platforms, categorizing secrets by exposure risk and impact. Real-time alerts and automated mitigation workflows help organizations maintain a robust security posture across environments.Simulating Attack Patterns on Non-Human Identities (NHI)With machine learning, AI can simulate attack patterns targeting non-human identities, identifying weaknesses before they're exploited. These simulations enable organizations to reinforce defenses, adapt to emerging threats, and continuously improve IAM strategies.ConclusionAI is redefining Identity Access Management, bringing enhanced monitoring, smarter anomaly detection, and adaptive access governance. This evolution marks a shift from reactive to proactive cybersecurity, where AI not only defends but also anticipates and adapts to ever-evolving threats. With AI-driven IAM, organizations can achieve a more secure and efficient environment, safeguarding human and non-human identities alike.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

A Vietnamese-speaking threat actor has been linked to an information-stealing campaign targeting government and education entities in Europe and Asia with a new Python-based malware called PXA Stealer.The malware "targets victims' sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software," Cisco Talos researchers Joey Chen, Alex Karkins, and Chetan Raghuprasad said."PXA Stealer has the capability to decrypt the victim's browser master password and uses it to steal the stored credentials of various online accounts"The connections to Vietnam stem from the presence of Vietnamese comments and a hard-coded Telegram account named "Lone None" in the stealer program, the latter of which includes an icon of Vietnam's national flag and a picture of the emblem for Vietnam's Ministry of Public Security.Cisco Talos said it observed the attacker selling Facebook and Zalo account credentials, and SIM cards in the Telegram channel "Mua Bn Scan MINI," which has been previously linked to another threat actor called CoralRaider. Lone None has also been found to be active on another Vietnamese Telegram group operated by CoralRaider called "C Black Ads - Dropship."That said, it's currently not clear if these two intrusion sets are related, if they are carrying out their campaigns independently of each other."The tools shared by the attacker in the group are automated utilities designed to manage several user accounts. These tools include a Hotmail batch creation tool, an email mining tool, and a Hotmail cookie batch modification tool," the researchers said."The compressed packages provided by the threat actor often contain not only the executable files for these tools but also their source code, allowing users to modify them as needed."There is evidence to suggest that such programs are offered for sale via other sites like aehack[.]com that claim to provide free hack and cheat tools. Tutorials for using these tools are shared via YouTube channels, further highlighting that there is a concerted effort to market them.Attack chains propagating PXA Stealer commence with a phishing email containing a ZIP file attachment, which includes a Rust-based loader and a hidden folder that, in turn, packs in several Windows batch scripts and a decoy PDF file.The execution of the loader triggers the batch scripts, which are responsible for opening the lure document, a Glassdoor job application form, while also running PowerShell commands to download and run a payload capable of disabling antivirus programs running on the host, followed by deploying the stealer itself.A noteworthy feature of PXA Stealer is its emphasis on stealing Facebook cookies, using them to authenticate a session and interacting with Facebook Ads Manager and Graph API to gather more details about the account and their associated ad-related information.The targeting of Facebook business and advertisement accounts has been a recurring pattern among Vietnamese threat actors, and PXA Stealer proves to be no different.The disclosure comes as IBM X-Force detailed an ongoing campaign since mid-April 2023 that delivers StrelaStealer to victims across Europe, specifically Italy, Spain, Germany, and Ukraine. The activity has been attributed to a "rapidly maturing" initial access broker (IAB) it tracks as Hive0145, which is believed to be the sole operator of the stealer malware."The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials," researchers Golo Mhr, Joe Fasulo, and Charlotte Hammond said. "StrelaStealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird."The popularity of stealer malware is evidenced by the continuous evolution of exiting families like RECORDSTEALER (aka RecordBreaker or Raccoon Stealer V2) and Rhadamanthys, and the steady emergence of new ones like Amnesia Stealer and Glove Stealer, despite law enforcement efforts to disrupt them."Glove Stealer uses a dedicated supporting module to bypass app-bound encryption by using IElevator service," Gen Digital researcher Jan Rubn said. "While observed being spread via phishing emails resembling ClickFix, it itself also tries to mimic a fixing tool which users might use during troubleshooting problems they might have encountered."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Nov 15, 2024The Hacker NewsWebinar / Cyber SecurityIn the fast-paced digital world, trust is everythingbut what happens when that trust is disrupted? Certificate revocations, though rare, can send shockwaves through your operations, impacting security, customer confidence, and business continuity. Are you prepared to act swiftly when the unexpected happens?Join DigiCert's exclusive webinar, "When Shift Happens: Are You Ready for Rapid Certificate Replacement?", and discover how automation, crypto agility, and best practices can transform revocation challenges into opportunities for growth and resilience.Here's what you'll uncover:Revocations Uncovered: Understand why they happen, their ripple effects, and the role of post-quantum cryptography in mitigating risks.Automation to the Rescue: Learn how to minimize downtime and streamline certificate replacements with cutting-edge tools.Crypto Agility in Action: Stay ahead of evolving cryptographic standards with strategies that keep your organization secure and adaptable.Revocation Best Practices: Explore proven tactics to communicate effectively, update systems seamlessly, and maintain uninterrupted business operations.This isn't just another webinarit's a roadmap to mastering one of the most critical aspects of digital trust. Equip your team with the knowledge to handle revocations like a pro and future-proof your certificate management processes.Seats are limitedregister now and take the first step toward a more secure and resilient future. Don't wait for the shift to happenbe ready to lead through it!Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 16, 2024Ravie LakshmananVulnerability / VPN SecurityA threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA.Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA, DEEPPOST, and LightSpy."DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices," security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said Friday.The malware first came to light earlier this week, when BlackBerry detailed the Windows-based surveillance framework as used by the China-linked APT41 threat actor to harvest data from WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass, as well as application passwords, web browser information, Wi-Fi hotspots, and installed software."Since their initial development of the LightSpy spyware implant in 2022, the attacker has been persistently and methodically working on the strategic targeting of communication platforms, with the emphasis on stealth and persistent access," the BlackBerry threat research team noted.The core component of DEEPDATA is a dynamic-link library (DLL) loader called "data.dll" that's engineered to decrypt and launch 12 different plugins using an orchestrator module ("frame.dll"). Present among the plugins is a previously undocumented "FortiClient" DLL that can capture VPN credentials."This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process," the researchers said.Volexity said it reported the flaw to Fortinet on July 18, 2024, but noted that the vulnerability remains unpatched. The Hacker News has reached out to the company for comment, and we will update the story if we hear back.Another tool that's part of BrazenBamboo's malware portfolio is DEEPPOST, a post-exploitation data exfiltration tool that's capable of exfiltrating files to a remote endpoint.DEEPDATA and DEEPPOST add to the threat actor's already powerful cyber espionage capabilities, expanding on LightSpy, which comes in different flavors for macOS, iOS, and now Windows."The architecture for the Windows variant of LightSpy is different from other documented OS variants," Volexity said. "This variant is deployed by an installer that deploys a library to execute shellcode in memory. The shellcode downloads and decodes the orchestrator component from the [command-and-control] server."The orchestrator is executed by means of a loader called BH_A006, which has been previously put to use as early as by a suspected Chinese threat group referred to as Space Pirates, which has a history of targeting Russian entities.That said, it's currently not clear if this overlap is due to whether BH_A006 is a commercially available malware or is evidence of a digital quartermaster that's responsible for overseeing a centralized pool of tools and techniques among Chinese threat actors.The LightSpy orchestrator, once launched, uses WebSocket and HTTPS for communication for data exfiltration, respectively, and leverages as many as eight plugins to record webcam, launch a remote shell to execute commands, and collect audio, browser data, files, keystrokes, screen captures, and a list of installed software.LightSpy and DEEPDATA share several code- and infrastructure-level overlaps, suggesting that the two malware families are likely the work of a private enterprise that has been tasked with developing hacking tools for governmental operators, as evidenced by companies like Chengdu 404 and I-Soon."BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity," Volexity concluded. "The breadth and maturity of their capabilities indicates both a capable development function and operational requirements driving development output."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 16, 2024Ravie LakshmananVulnerability / Network SecurityPalo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a new zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild.To that end, the company said it observed malicious activity originating from below IP addresses and targeting PAN-OS management web interface IP addresses that are accessible over the internet -136.144.17[.]*173.239.218[.]251216.73.162[.]*The company, however, warned that these IP addresses may possibly represent "third-party VPNs with legitimate user activity originating from these IPs to other destinations."Palo Alto Networks' updated advisory indicates that the flaw is being exploited to deploy a web shell on compromised devices, allowing threat actors to gain persistent remote access.The vulnerability, which is yet to be assigned a CVE identifier, carries a CVSS score of 9.3, indicating critical severity. It allows for unauthenticated remote command execution.According to the company, the vulnerability requires no user interaction or privileges to exploit, and its attack complexity has been deemed "low."That said, the severity of the flaw drops to high (CVSS score: 7.5) should access to the management interface be restricted to a limited pool of IP addresses, in which case the threat actor will have to obtain privileged access to those IPs first.On November 8, 2024, Palo Alto Networks began advising customers to secure their firewall management interfaces amid reports of a remote code execution (RCE) flaw. It has since been confirmed that the mysterious vulnerability has been abused against a "limited number" of instances.There are currently no details on how the vulnerability came to light, the threat actors behind the exploitation, and the targets of these attacks. Prisma Access and Cloud NGFW products are not impacted by the flaw.Patches for the vulnerability are yet to be released, making it imperative that users take immediate steps to secure access to the management interface, if not already.The advisory comes as three different critical flaws in the Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) have come under active exploitation, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). At this stage, there is no evidence to suggest that the activities are related.(This is a developing story. Please check back for more updates.)Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 15, 2024Ravie LakshmananArtificial Intelligence / VulnerabilityCybersecurity researchers have disclosed two security flaws in Google's Vertex machine learning (ML) platform that, if successfully exploited, could allow malicious actors to escalate privileges and exfiltrate models from the cloud."By exploiting custom job permissions, we were able to escalate our privileges and gain unauthorized access to all data services in the project," Palo Alto Networks Unit 42 researchers Ofir Balassiano and Ofir Shaty said in an analysis published earlier this week."Deploying a poisoned model in Vertex AI led to the exfiltration of all other fine-tuned models, posing a serious proprietary and sensitive data exfiltration attack risk."Vertex AI is Google's ML platform for training and deploying custom ML models and artificial intelligence (AI) applications at scale. It was first introduced in May 2021.Crucial to leveraging the privilege escalation flaw is a feature called Vertex AI Pipelines, which allows users to automate and monitor MLOps workflows to train and tune ML models using custom jobs.Unit 42's research found that by manipulating the custom job pipeline, it's possible to escalate privileges to gain access to otherwise restricted resources. This is accomplished by creating a custom job that runs a specially-crafted image designed to launch a reverse shell, granting backdoor access to the environment.The custom job, per the security vendor, runs in a tenant project with a service agent account that has extensive permissions to list all service accounts, manage storage buckets, and access BigQuery tables, which could then be abused to access internal Google Cloud repositories and download images.The second vulnerability, on the other hand, involves deploying a poisoned model in a tenant project such that it creates a reverse shell when deployed to an endpoint, abusing the read-only permissions of the "custom-online-prediction" service account to enumerate Kubernetes clusters and fetch their credentials to run arbitrary kubectl commands."This step enabled us to move from the GCP realm into Kubernetes," the researchers said. "This lateral movement was possible because permissions between GCP and GKE were linked through IAM Workload Identity Federation."The analysis further found that it's possible to make use of this access to view the newly created image within the Kubernetes cluster and get the image digest which uniquely identifies a container image using them to extract the images outside of the container by using crictl with the authentication token associated with the "custom-online-prediction" service account.On top of that, the malicious model could also be weaponized to view and export all large-language models (LLMs) and their fine-tuned adapters in a similar fashion.This could have severe consequences when a developer unknowingly deploys a trojanized model uploaded to a public repository, thereby allowing the threat actor to exfiltrate all ML and fine-tuned LLMs. Following responsible disclosure, both the shortcomings have been addressed by Google."This research highlights how a single malicious model deployment could compromise an entire AI environment," the researchers said. "An attacker could use even one unverified model deployed on a production system to exfiltrate sensitive data, leading to severe model exfiltration attacks."Organizations are recommended to implement strict controls on model deployments and audit permissions required to deploy a model in tenant projects.The development comes as Mozilla's 0Day Investigative Network (0Din) revealed that it's possible to interact with OpenAI ChatGPT's underlying sandbox environment ("/home/sandbox/.openai_internal/") via prompts, granting the ability to upload and execute Python scripts, move files, and even download the LLM's playbook.That said, it's worth noting that OpenAI considers such interactions as intentional or expected behavior, given that the code execution takes place within the confines of the sandbox and is unlikely to spill out."For anyone eager to explore OpenAI's ChatGPT sandbox, it's crucial to understand that most activities within this containerized environment are intended features rather than security gaps," security researcher Marco Figueroa said."Extracting knowledge, uploading files, running bash commands or executing python code within the sandbox are all fair game, as long as they don't cross the invisible lines of the container."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 15, 2024Ravie LakshmananCyber Espionage / MalwareCybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform."WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files," it said in a technical report. "Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor's main component less suspicious."WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that's better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).The malware was first documented late last month by U.S. and Israeli cybersecurity agencies, describing it as an "exploitation tool for gathering information about an end point and running remote commands."Attack chains, per the government authorities, involve the use of trojanized Google Chrome installers ("Google Chrome Installer.msi") that, in addition to installing the legitimate Chrome web browser, is configured to run a second binary named "Updater.exe" (internally called "bd.exe").The malware-laced executable, for its part, is designed to harvest system information and establish contact with a command-and-control (C&C) server ("connect.il-cert[.]net") to await further instructions.Check Point said it has observed WezRat being distributed to several Israeli organizations as part of phishing emails impersonating the Israeli National Cyber Directorate (INCD). The emails, sent on October 21, 2024, originated from the email address "alert@il-cert[.]net," and urged recipients to urgently install a Chrome security update."The backdoor is executed with two parameters: connect.il-cert.net 8765, which represents the C&C server, and a number used as a 'password' to enable the correct execution of the backdoor," Check Point said, noting that providing an incorrect password could cause the malware to "execute an incorrect function or potentially crash.""The earlier versions of WezRat had hard-coded C&C server addresses and didn't rely on 'password' argument to run," Check Point said. "WezRat initially functioned more as a simple remote access trojan with basic commands. Over time, additional features such as screenshot capabilities and a keylogger were incorporated and handled as separate commands."Furthermore, the company's analysis of the malware and its backend infrastructure suggests there are at least two different teams who are involved in the development of WezRat and its operations."The ongoing development and refinement of WezRat indicates a dedicated investment in maintaining a versatile and evasive tool for cyber espionage," it concluded."Emennet Pasargad's activities target various entities across the United States, Europe, and the Middle East, posing a threat not only to direct political adversaries but also to any group or individual with influence over Iran's international or domestic narrative."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 14, 2024Ravie LakshmananArtificial Intelligence / CryptocurrencyGoogle has revealed that bad actors are leveraging techniques like landing page cloaking to conduct scams by impersonating legitimate sites."Cloaking is specifically designed to prevent moderation systems and teams from reviewing policy-violating content which enables them to deploy the scam directly to users," Laurie Richardson, VP and Head of Trust and Safety at Google, said."The landing pages often mimic well-known sites and create a sense of urgency to manipulate users into purchasing counterfeit products or unrealistic products."Cloaking refers to the practice of serving different content to search engines like Google and users with the ultimate goal of manipulating search rankings and deceiving users.The tech giant said it has also observed a cloaking trend wherein users clicking on ads are redirected via tracking templates to scareware sites that claim their devices are compromised with malware and lead them to other phony customer support sites, which trick them into revealing sensitive information.Some of the other recent tactics adopted by fraudsters and cybercriminals are listed below -Misuse of artificial intelligence (AI) tools to create deepfakes of public figures, taking advantage of their credibility and reach to conduct investment fraudUsing hyper-realistic impersonation for bogus crypto investment schemesApp and landing page clone scams that dupe users into visiting lookalike pages of their legitimate counterparts, leading to credential or data theft, malware downloads, and fraudulent purchasesCapitalizing on major events and combining them with AI to defraud people or promote non-existent products and servicesGoogle told The Hacker News that it intends to release such advisories about online fraud and scams every six months as part of its efforts to raise awareness about the risks.Many of the cryptocurrency-related scams such as pig butchering originate from Southeast Asia and are run by organized crime syndicates from China, who lure individuals with the prospect of high-paying jobs, only to be confined within scam factories located across Burma, Cambodia, Laos, Malaysia, and the Philippines.A report published by the United Nations last month revealed that criminal syndicates in the region are stepping up by swiftly integrating "new service-based business models and technologies including malware, generative AI, and deepfakes into their operations while opening up new underground markets and cryptocurrency solutions for their money laundering needs."The U.N. Office on Drugs and Crime (UNODC) described the incorporation of generative AI and other technological advancements in cyber-enabled fraud as a "powerful force multiplier," not only making it more efficient but also lowering the bar for entry to technically less-savvy criminals.Google, earlier this April, sued two app developers based in Hong Kong and Shenzhen for distributing fake Android apps that were used to pull off consumer investment fraud schemes. Late last month, the company, alongside Amazon, filed a lawsuit against a website named Bigboostup.com for selling and posting fake reviews on Amazon and Google Maps."The website sold fake product reviews to bad actors to publish on their product listing pages in Amazon's store and fake reviews of business listings on Google Search and Google Maps," Amazon said.The development comes a little over a month after Google announced a partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to tackle online scams.Furthermore, the company said it has blocked or removed more than 5.5 billion advertisements for violating its policies in 2023 alone, and that it's rolling out live scam detection in its Phone app for Android to secure users against potential scams and fraud by making use of its Gemini Nano on-device AI model."For example, if a caller claims to be from your bank and asks you to urgently transfer funds due to an alleged account breach, Scam Detection will process the call to determine whether the call is likely spam and, if so, can provide an audio and haptic alert and visual warning that the call may be a scam," it said.Another new security feature is the introduction of real-time alerts in Google Play Protect to notify users of potentially malicious apps like stalkerware installed on their devices."By looking at actual activity patterns of apps, live threat detection can now find malicious apps that try extra hard to hide their behavior or lie dormant for a time before engaging in suspicious activity," Google noted.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 14, 2024Ravie LakshmananOnline Fraud / Network SecurityMultiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for using them in phishing attacks and investment fraud schemes for years.The findings come from Infoblox, which said it identified nearly 800,000 vulnerable registered domains over the past three months, of which approximately 9% (70,000) have been subsequently hijacked."Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names," the cybersecurity company said in a deep-dive report shared with The Hacker News. "Victim domains include well-known brands, non-profits, and government entities."The little-known attack vector, although originally documented by security researcher Matthew Bryant way back in 2016, didn't attract a lot of attention until the scale of the hijacks was disclosed earlier this August."I believe there is more awareness [since then]," Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. "While we haven't seen the number of hijackings go down, we have seen customers very interested in the topic and grateful for awareness around their own potential risks. The Sitting Ducks attack, at its core, allows a malicious actor to seize control of a domain by leveraging misconfigurations in its domain name system (DNS) settings. This includes scenarios where the DNS points to the wrong authoritative name server.However, there are certain prerequisites in order to pull this off: A registered domain delegates authoritative DNS services to a different provider than the domain registrar, the delegation is lame, and the attacker can "claim" the domain at the DNS provider and set up DNS records without access to the valid owner's account at the domain registrar.Sitting Ducks is both easy to perform and stealthy, in part driven by the positive reputation that many of the hijacked domains have. Some of the domains that have fallen prey to the attacks include an entertainment company, an IPTV service provider, a law firm, an orthopedic and cosmetic supplier, a Thai online apparel store, and a tire sales firm.The threat actors who hijack such domains take advantage of the brand reposition and the fact that they are unlikely to be flagged by security tools as malicious to accomplish their strategic goals."It is hard to detect because if the domain has been hijacked, then it is not lame," Burton explained. "Without any other sign, like a phishing page or a piece of malware, the only signal is a change of IP addresses.""The number of domains is so vast that attempts to use IP changes to indicate malicious activity would lead to a lot of false positives. We 'back in' to tracking the threat actors that are hijacking domains by first understanding how they individually operate and then tracking that behavior."An important aspect that's common to the Sitting Ducks attacks is rotational hijacking, where one domain is repeatedly taken over by different threat actors over time."Threat actors often use exploitable service providers that offer free accounts like DNS Made Easy as lending libraries, typically hijacking domains for 30 to 60 days; however, we've also seen other cases where actors hold the domain for a long period of time," Infoblox noted."After the short-term, free account expires, the domain is 'lost' by the first threat actor and then either parked or claimed by another threat actor."Some of the prominent DNS threat actors that have been found "feasting on" Sitting Ducks attacks are listed below -Vacant Viper, which has used it to operate the 404 TDS, alongside running malicious spam operations, delivering porn, establishing command-and-control (C2), and dropping malware such as DarkGate and AsyncRAT (Ongoing since December 2019)Horrid Hawk, which has used it to conduct investment fraud schemes by distributing the hijacked domains via short-lived Facebook ads (Ongoing since at least February 2023)Hasty Hawk, which has used it to conduct widespread phishing campaigns that primarily mimic DHL shipping pages and fake donation sites that mimic supportukrainenow[.]org and claim to support Ukraine (Ongoing since at least March 2022)VexTrio Viper, which has used to operate its TDS (Ongoing since early 2020)Infoblox said a number of VexTrio Viper's affiliates, such as GoRefresh, have also engaged in Sitting Ducks attacks to conduct fake online pharmaceutical campaigns, as well as gambling and dating scams."We have a few actors who appear to use the domains for malware C2 in which exfiltration is sent over mail services," Burton said. "While others use them to distribute spam, these actors configure their DNS only to receive mail."This indicates that the bad actors are leveraging the seized domains for a broad spectrum of reasons, thereby putting both businesses and individuals at risk of malware, credential theft, and fraud."We have found several actors who have hijacked domains and held them for extensive periods of time, but we have been unable to determine the purpose of the hijack," Infoblox concluded. "These domains tend to have a high reputation and are not typically noticed by security vendors, creating an environment where clever actors can deliver malware, commit rampant fraud, and phish user credentials without consequences."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 13, 2024Ravie LakshmananVulnerability / Patch TuesdayMicrosoft on Tuesday revealed that two security flaws impacting Windows NT LAN Manager (NTLM) and Task Scheduler have come under active exploitation in the wild.The security vulnerabilities are among the 90 security bugs the tech giant addressed as part of its Patch Tuesday update for November 2024. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate in severity. Fifty-two of the patched vulnerabilities are remote code execution flaws.The fixes are in addition to 31 vulnerabilities Microsoft resolved in its Chromium-based Edge browser since the release of the October 2024 Patch Tuesday update. The two vulnerabilities that have been listed as actively exploited are below -CVE-2024-43451 (CVSS score: 6.5) - Windows NTLM Hash Disclosure Spoofing VulnerabilityCVE-2024-49039 (CVSS score: 8.8) - Windows Task Scheduler Elevation of Privilege Vulnerability"This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user," Microsoft said in an advisory for CVE-2024-43451, crediting ClearSky researcher Israel Yeshurun with discovering and reporting the flaw.It's worth noting that CVE-2024-43451 is the third flaw after CVE-2024-21410 (patched in February) and CVE-2024-38021 (patched in July) that can be used to reveal a user's NTLMv2 hash and has been exploited in the wild this year alone."Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems," Satnam Narang, senior staff research engineer at Tenable, said in a statement.CVE-2024-49039, on the other hand, could allow an attacker to execute RPC functions that are otherwise restricted to privileged accounts. However, Microsoft notes that successful exploitation requires an authenticated attacker to run a specially crafted application on the target system to first elevate their privileges to a Medium Integrity Level.Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group (TAG) and an anonymous researcher have been acknowledged for reporting the vulnerability. This raises the possibility that the zero-day exploitation of the flaw is associated with some nation-state-aligned group or an advanced persistent threat (APT) actor.There are currently no insights into how the shortcomings are exploited in the wild or how widespread these attacks are, but the development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to the Known Exploited Vulnerabilities (KEV) catalog.One of the publicly disclosed, but not yet exploited, zero-day flaws is CVE-2024-49019 (CVSS score: 7.8), a privilege escalation vulnerability in Active Directory Certificate Services that could be leveraged to obtain domain admin privileges. Details of the vulnerability, dubbed EKUwu, were documented by TrustedSec last month.Another vulnerability of note is CVE-2024-43498 (CVSS score: 9.8), a critical remote code execution bug in .NET and Visual Studio that a remote unauthenticated attacker could exploit by sending specially crafted requests to a vulnerable .NET web app or by loading a specially crafted file into a vulnerable desktop app.The update also fixes a critical cryptographic protocol flaw impacting Windows Kerberos (CVE-2024-43639, CVSS score: 9.8) that could be abused by an unauthenticated attacker to perform remote code execution.The highest-rated vulnerability in this month's release is a remote code execution flaw in Azure CycleCloud (CVE-2024-43602, CVSS score: 9.9), which allows an attacker with basic user permissions to gain root-level privileges."Ease of exploitation was as simple as sending a request to a vulnerable AzureCloud CycleCloud cluster that would modify its configuration," Narang said. "As organizations continue to shift into utilizing cloud resources, the attack surface widens as a result."Lastly, a non-Microsoft-issued CVE addressed by Redmond is a remote code execution flaw in OpenSSL (CVE-2024-5535, CVSS score: 9.1). It was originally patched by OpenSSL maintainers back in June 2024."Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message," Microsoft said."In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim's machine."Coinciding with the November security update, Microsoft also announced its adoption of Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form, for all CVEs in order to accelerate response and remediation efforts."CSAF files are meant to be consumed by computers more so than by humans, so we are adding CSAF files as an addition to our existing CVE data channels rather than a replacement," the company said. "This is the beginning of a journey to continue to increase transparency around our supply chain and the vulnerabilities that we address and resolve in our entire supply chain, including Open Source Software embedded in our products."Software Patches from Other VendorsOther than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 13, 2024Ravie LakshmananCloud Security / VulnerabilityA security analysis of the OvrC cloud platform has uncovered 10 vulnerabilities that could be chained to allow potential attackers to execute code remotely on connected devices."Attackers successfully exploiting these vulnerabilities can access, control, and disrupt devices supported by OvrC; some of those include smart electrical power supplies, cameras, routers, home automation systems, and more," Claroty researcher Uri Katz said in a technical report.Snap One's OvrC, pronounced "oversee," is advertised as a "revolutionary support platform" that enables homeowners and businesses to remotely manage, configure, and troubleshoot IoT devices on the network. According to its website, OvrC solutions are deployed at over 500,000 end-user locations.According to a coordinated advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), successful exploitation of the identified vulnerabilities could allow an attacker to "impersonate and claim devices, execute arbitrary code, and disclose information about the affected device."The flaws have been found to impact OvrC Pro and OvrC Connect, with the company releasing fixes for eight of them in May 2023 and the remaining two on November 12, 2024."Many of these issues we found arise from neglecting the device-to-cloud interface," Katz said. "In many of these cases, the core issue is the ability to cross-claim IoT devices because of weak identifiers or similar bugs. These issues range from weak access controls, authentication bypasses, failed input validation, hardcoded credentials, and remote code execution flaws."As a result, a remote attacker could abuse these vulnerabilities to bypass firewalls and gain unauthorized access to the cloud-based management interface. Even worse, the access could be subsequently weaponized to enumerate and profile devices, hijack devices, elevate privileges, and even run arbitrary code.The most severe of the flaws are listed below -CVE-2023-28649 (CVSS v4 score: 9.2), which allows an attacker to impersonate a hub and hijack a deviceCVE-2023-31241 (CVSS v4 score: 9.2), which allows an attacker to claim arbitrary unclaimed devices by bypassing the requirement for a serial numberCVE-2023-28386 (CVSS v4 score: 9.2), which allows an attacker to upload arbitrary firmware updates resulting in code executionCVE-2024-50381 (CVSS v4 score: 9.1), which allows an attacker to impersonate a hub and unclaim devices arbitrarily and subsequently exploit other flaws to claim it"With more devices coming online every day and cloud management becoming the dominant means of configuring and accessing services, more than ever, the impetus is on manufacturers and cloud service providers to secure these devices and connections," Katz said. "The negative outcomes can impact connected power supplies, business routers, home automation systems and more connected to the OvrC cloud."The disclosure comes as Nozomi Networks detailed three security flaws impacting EmbedThis GoAhead, a compact web server used in embedded and IoT devices, that could lead to a denial-of-service (DoS) under specific conditions. The vulnerabilities (CVE-2024-3184, CVE-2024-3186, and CVE-2024-3187) have been patched in GoAhead version 6.0.1.In recent months, multiple security shortcomings have also been uncovered in Johnson Controls' exacqVision Web Service that could be combined to take control of video streams from surveillance cameras connected to the application and steal credentials.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 13, 2024The Hacker NewsBrowser Security / SaaS SecurityThe rise of SaaS and cloud-based work environments has fundamentally altered the cyber risk landscape. With more than 90% of organizational network traffic flowing through browsers and web applications, companies are facing new and serious cybersecurity threats. These include phishing attacks, data leakage, and malicious extensions. As a result, the browser also becomes a vulnerability that needs to be protected.LayerX has released a comprehensive guide titled "Kickstarting Your Browser Security Program" This in-depth guide serves as a roadmap for CISOs and security teams looking to secure browser activities within their organization; including step-by-step instructions, frameworks, and use cases. Below, we bring its main highlights.Prioritizing Browser SecurityBrowsers now serve as the primary interface for SaaS applications, creating new malicious opportunities for cyber adversaries. The risks include:Data leakage - Browsers can expose sensitive data by allowing employees to unintentionally upload or download it outside of organizational controls. For example, pasting source code and business plans into GenAI tools.Credential theft - Attackers can exploit the browser to steal credentials using methods like phishing, malicious extensions, and reused passwords.Malicious access to SaaS resources - Adversaries can use the stolen credentials to perform account takeover and access SaaS applications from wherever they are, no need to infiltrate the network.Third-party risks - Attackers can exploit third-party vendors, who access internal environments using unmanaged devices with weaker security postures.Traditional network and endpoint security measures are not sufficient for protecting modern organizations from such browser-borne threats. Instead, a browser security program is required.How to Kickstart Your Browser Security ProgramThe guide emphasizes a strategic, phased approach to implementing browser security. Key steps include:Step 1: Mapping and PlanningTo kickstart your browser security program, the first step is mapping your threat landscape and understanding your organization's specific security needs. This begins with assessing the short-term exposure to browser-borne risks, such as data leakage, credential compromise, and account takeovers. You should also factor in regulatory and compliance requirements. A detailed assessment will help identify immediate vulnerabilities and gaps, allowing you to prioritize addressing these issues for faster results.Once the short-term risks are understood, set the long-term goal for your browser security. This involves considering how browser security integrates with your existing security stack, such as SIEM, SOAR, and IdPs, and determining whether browser security becomes a primary security pillar in your stack. This strategic analysis allows you to evaluate how browser security can replace or enhance other security measures in your organization, helping you future-proof your defenses.Step 2: ExecutionThe execution phase starts by bringing together key stakeholders from various teams like SecOps, IAM, data protection, and IT, who will be impacted by browser security. Using a framework like RACI (Responsible, Accountable, Consulted, Informed) can help define each team's role in the rollout. This ensures all stakeholders are involved, creating alignment and clear responsibilities across the teams. Collaboration will ensure smooth execution and to avoid siloed approaches to browser security implementation.Next, a short-term and long-term rollout plan should be defined.Start by prioritizing the most critical risks and users based on your initial assessment.Find and implement a browser security solution.The rollout should include a pilot phase where the solution is tested on select users and apps, monitoring user experience, false positives, and security improvements.Define clear KPIs and milestones for each phase to measure progress and ensure the solution is being fine-tuned as it is implemented across the organization.Enhance your program gradually by prioritizing specific applications, security domains, or addressing high-severity gaps. For example, you may choose to focus on specific SaaS apps for protection or focus on broad categories like data leakage or threat protection.As the program matures, address unmanaged devices and third-party access. This step requires ensuring that policies like least-privileged access are enforced, and that unmanaged devices are closely monitored.Lastly, assess your browser security program's overall success in detecting and preventing browser-borne risks. This step involves reviewing how effective your security measures have been in stopping threats like phishing, credential theft, and data leakage. A successful browser security solution should demonstrate tangible improvements in risk mitigation, false positives, and overall security posture, providing a clear return on investment for the organization.Future-Proofing Enterprise SecurityThe success of your security program depends on robust short-term and long-term planning. Your organization should regularly review your security strategy to ensure it is up-to-date and able to adapt to changing threats. Today, this means investing in browser security strategies and tools. To learn more about this approach and get practices and frameworks you can follow, read the complete guide.Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 14, 2024Ravie LakshmananMalware / VulnerabilityA newly patched security flaw impacting Windows NT LAN Manager (NTLM) was exploited as a zero-day by a suspected Russia-linked actor as part of cyber attacks targeting Ukraine.The vulnerability in question, CVE-2024-43451 (CVSS score: 6.5), refers to an NTLM hash disclosure spoofing vulnerability that could be exploited to steal a user's NTLMv2 hash. It was patched by Microsoft earlier this week."Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability," Microsoft revealed in its advisory.Israeli cybersecurity company ClearSky, which discovered the zero-day exploitation of the flaw in June 2024, said it's been abused as part of an attack chain that delivers the open-source Spark RAT malware."The vulnerability activates URL files, leading to malicious activity," the company said, adding the malicious files were hosted on an official Ukrainian government site that allows users to download academic certificates.The attack chain involves sending phishing emails from a compromised Ukrainian government server ("doc.osvita-kp.gov[.]ua") that prompts recipients to renew their academic certificates by clicking on a booby-trapped URL embedded in the message.This leads to the download of a ZIP archive containing a malicious internet shortcut (.URL) file. The vulnerability is triggered when the victim interacts with the URL file by right-clicking, deleting, or dragging it to another folder.The URL file is designed to establish connections with a remote server ("92.42.96[.]30") to download additional payloads, including Spark RAT."In addition, a sandbox execution raised an alert about an attempt to pass the NTLM (NT LAN Manager) Hash through the SMB (Server Message Block) protocol," ClearSky said. "After receiving the NTLM Hash, an attacker can carry out a Pass-the-Hash attack to identify as the user associated with the captured hash without needing the corresponding password."The Computer Emergency Response Team of Ukraine (CERT-UA) has linked the activity to a likely Russian threat actor it tracks as UAC-0194.In recent weeks, the agency has also warned that phishing emails bearing tax-related lures are being used to propagate a legitimate remote desktop software named LiteManager, describing the attack campaign as financially motivated and undertaken by a threat actor named UAC-0050."Accountants of enterprises whose computers work with remote banking systems are in a special risk zone," CERT-UA warned. "In some cases, as evidenced by the results of computer forensic investigations, it may take no more than an hour from the moment of the initial attack to the moment of theft of funds."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 13, 2024Ravie LakshmananRansomware / Data ProtectionRomanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware.The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks."ShrinkLocker was first documented in May 2024 by Kaspersky, which found the malware's use of Microsoft's native BitLocker utility for encrypting files as part of extortion attacks targeting Mexico, Indonesia, and Jordan.Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, once again highlighting how threat actors are increasingly abusing trusted relationships to infiltrate the supply chain.In the next stage, the threat actor moved laterally to an Active Directory domain controller by making use of legitimate credentials for a compromised account, followed by creating two scheduled tasks for activating the ransomware process.While the first task executed a Visual Basic Script ("Check.vbs") that copied the ransomware program to every domain-joined machine, the second task scheduled for two days later executed the locally deployed ransomware ("Audit.vbs").The attack, Bitdefender said, successfully encrypted systems running Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019. That said, the ShrinkLocker variant used is said to be a modified version of the original version.Described as simple yet effective, the ransomware stands out for the fact that it's written in VBScript, a scripting language that Microsoft said is being deprecated starting the second half of 2024. Plus, instead of implementing its own encryption algorithm, the malware weaponizes BitLocker to achieve its goals.The script is designed to gather information about the system configuration and operating system, after which it attempts to check if BitLocker is already installed on a Windows Server machine, and if not, installs it using a PowerShell command and then performs a "forced reboot" using Win32Shutdown.But Bitdefender said it noted a bug that causes this request to fail with a "Privilege Not Held" error, causing the VBScript to be stuck in an infinite loop due to a failed reboot attempt."Even if the server is rebooted manually (e.g. by an unsuspecting administrator), the script does not have a mechanism to resume its execution after the reboot, meaning that the attack may be interrupted or prevented," Martin Zugec, technical solutions director at Bitdefender, said.The ransomware is designed to generate a random password that's derived from system-specific information, such as network traffic, system memory, and disk utilization, using it to encrypt the system's drives.The unique password is then uploaded to a server controlled by the attacker. Following the restart, the user is prompted to enter the password to unlock the encrypted drive. The BitLocker screen is also configured to display the threat actor's contact email address to initiate the payment in exchange for the password.That's not all. The script makes several Registry modifications to restrict access to the system by disabling remote RDP connections and turning off local password-based logins. As part of its cleanup efforts, it also disables Windows Firewall rules and deletes audit files.Bitdefender further pointed out that the name ShrinkLocker is misleading as the namesake functionality is limited to legacy Windows systems and that it doesn't actually shrink partitions on current operating systems."By using a combination of Group Policy Objects (GPOs) and scheduled tasks, it can encrypt multiple systems within a network in as little as 10 minutes per device," Zugec noted. "As a result, a complete compromise of a domain can be achieved with very little effort.""Proactive monitoring of specific Windows event logs can help organizations identify and respond to potential BitLocker attacks, even in their early stages, such as when attackers are testing their encryption capabilities.""By configuring BitLocker to store recovery information in Active Directory Domain Services (AD DS) and enforcing the policy "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives," organizations can significantly reduce the risk of BitLocker-based attacks."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 13, 2024Ravie LakshmananThreat Intelligence / Cyber EspionageA threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities.The activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis."The [Israel-Hamas] conflict has not disrupted the WIRTE's activity, and they continue to leverage recent events in the region in their espionage operations," the company said. "In addition to espionage, the threat actor recently engaged in at least two waves of disruptive attacks against Israel."WIRTE is the moniker assigned to a Middle Eastern advanced persistent threat (APT) that has been active since at least August 2018, targeting a broad spectrum of entities across the region. It was first documented by the Spanish cybersecurity company S2 Grupo.The hacking crew is assessed to be part of a politically motivated group called the Gaza Cyber Gang (aka Molerats and TA402), the latter of which is known for using tools like BarbWire, IronWind, and Pierogi in its attack campaigns."This cluster's activity has persisted throughout the war in Gaza," the Israeli company said. "On one hand, the group's ongoing activity strengthens its affiliation with Hamas; on the other hand, it complicates the geographical attribution of this activity specifically to Gaza."WIRTE's activities in 2024 have been found to capitalize on the geopolitical tensions in the Middle East and the war to craft deceptive RAR archive lures that lead to the deployment of the Havoc post-exploitation framework. Alternate chains observed prior to September 2024 have leveraged similar RAR archives to deliver the IronWind downloader.Both these infection sequences employ a legitimate executable to sideload the malware-laced DLL and display to the victim the decoy PDF document.Check Point said it also observed a phishing campaign in October 2024 targeting several Israeli organizations, such as hospitals and municipalities, in which emails were sent from a legitimate address belonging to cybersecurity company ESET's partner in Israel. "The email contained a newly created version of the SameCoin Wiper, which was deployed in attacks against Israel earlier this year," it said. "In addition to minor changes in the malware, the newer version introduces a unique encryption function that has only been [...] found in a newer IronWind loader variant."Besides overwriting files with random bytes, the most recent version of the SameCoin wiper modifies the victim system's background to display an image bearing the name of Al-Qassam Brigades, the military wing of Hamas.SameCoin is a bespoke wiper that was uncovered in February 2024 as used by a Hamas-affiliated threat actor to sabotage Windows and Android devices. The malware was distributed under the guise of a security update.The Windows loader samples ("INCD-SecurityUpdate-FEB24.exe"), according to HarfangLab, had their timestamps altered to match October 7, 2023, the day when Hamas launched its surprise offensive on Israel. The initial access vector is believed to be an email impersonating the Israeli National Cyber Directorate (INCD)."Despite ongoing conflict in the Middle East, the group has persisted with multiple campaigns, showcasing a versatile toolkit that includes wipers, backdoors, and phishing pages used for both espionage and sabotage," Check Point concluded.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 12, 2024Ravie LakshmananEmail Security / Threat IntelligenceCybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users.The program, first marketed by a threat actor named cyberdluffy (aka Cyber D' Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub profiles and send bulk emails directly to user inboxes."Whether you're aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need," the threat actor claimed in their post. "GoIssue can send bulk emails to GitHub users, directly to their inboxes, targeting any recipient."SlashNext said the tool marks a "dangerous shift in targeted phishing" that could act as a gateway to source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials."Armed with this information, attackers can launch customized mass email campaigns designed to bypass spam filters and target specific developer communities," the company said.A custom build of GoIssue is available for $700. Alternatively, purchasers can gain complete access to its source code for $3,000. As of October 11, 2024, the prices have been slashed to $150 and $1,000 for the custom build and the full source code for "the first 5 customers."In a hypothetical attack scenario, a threat actor could use this method to redirect victims to bogus pages that aim to capture their login credentials, download malware, or authorize a rogue OAuth app that requests for access to their private repositories and data.Another facet of cyberdluffy that bears notice is their Telegram profile, where they claim to be a "member of Gitloker Team." Gitloker was previously attributed to a GitHub-focused extortion campaign that involved tricking users into clicking on a booby-trapped link by impersonating GitHub's security and recruitment teams.The links are sent within email messages that are triggered automatically by GitHub after the developer accounts are tagged in spam comments on random open issues or pull requests using already compromised accounts. The fraudulent pages instruct them to sign in to their GitHub accounts and authorize a new OAuth application to apply for new jobs.Should the inattentive developer grant all the requested permissions to the malicious OAuth app, the threat actors proceed to purge all the repository contents and replace them with a ransom note that urges the victim to contact a persona named Gitloker on Telegram."GoIssue's ability to send these targeted emails in bulk allows attackers to scale up their campaigns, impacting thousands of developers at once," SlashNext said. "This increases the risk of successful breaches, data theft, and compromised projects."The development comes as Perception Point outlined a new two-step phishing attack that employs Microsoft Visio (.vdsx) files and SharePoint to siphon credentials. The email messages masquerade as a business proposal and are sent from previously breached email accounts to bypass authentication checks."Clicking the provided URL in the email body or within the attached .eml file leads the victim to a Microsoft SharePoint page hosting a Visio (.vsdx) file," the company said. "The SharePoint account used to upload and host the .vdsx files is often compromised as well."Present within the Visio file is another clickable link that ultimately leads the victim to a fake Microsoft 365 login page with the ultimate goal of harvesting their credentials."Two-step phishing attacks leveraging trusted platforms and file formats like SharePoint and Visio are becoming increasingly common," Perception Point added. "These multi-layered evasion tactics exploit user trust in familiar tools while evading detection by standard email security platforms."Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE

Nov 12, 2024Ravie LakshmananVirtualization / VulnerabilityCybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated remote code execution (RCE)The issue, per findings from watchTowr, is rooted in the Session Recording component that allows system administrators to capture user activity, and record keyboard and mouse input, along with a video stream of the desktop for audit, compliance, and troubleshooting purposes.Particularly, the vulnerability exploits the "combination of a carelessly-exposed MSMQ instance with misconfigured permissions that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE," security researcher Sina Kheirkhah said.The vulnerability details are listed below -CVE-2024-8068 (CVSS score: 5.1) - Privilege escalation to NetworkService Account accessCVE-2024-8069 (CVSS score: 5.1) - Limited remote code execution with the privilege of a NetworkService Account accessHowever, Citrix noted that successful exploitation requires an attacker to be an authenticated user in the same Windows Active Directory domain as the session recording server domain and on the same intranet as the session recording server. The defects have been addressed in the following versions -Citrix Virtual Apps and Desktops before 2407 hotfix 24.5.200.8Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16It's worth noting that Microsoft has urged developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input. An implementation of BinaryFormatter has been removed from .NET 9 as of August 2024."BinaryFormatter was implemented before deserialization vulnerabilities were a well-understood threat category," the tech giant notes in its documentation. "As a result, the code does not follow modern best practices. BinaryFormatter.Deserialize may be vulnerable to other attack categories, such as information disclosure or remote code execution."At the heart of the problem is the Session Recording Storage Manager, a Windows service that manages the recorded session files received from each computer that has the feature enabled.While the Storage Manager receives the session recordings as message bytes via the Microsoft Message Queuing (MSMQ) service, the analysis found that a serialization process is employed to transfer the data and that the queue instance has excessive privileges.To make matters worse, the data received from the queue is deserialized using BinaryFormatter, thereby allowing an attacker to abuse the insecure permissions set during the initialization process to pass specially crafted MSMQ messages sent via HTTP over the internet."We know there is a MSMQ instance with misconfigured permissions, and we know that it uses the infamous BinaryFormatter class to perform deserialization," Kheirkhah said, detailing the steps to create an exploit. "The 'cherry on top' is that it can be reached not only locally, through the MSMQ TCP port, but also from any other host, via HTTP.""This combo allows for a good old unauthenticated RCE," the researcher added.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE