New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability
20.12.2021
Attack Thehackernews

Cybersecurity researchers have discovered an entirely new attack vector that enables adversaries to exploit the Log4Shell vulnerability on servers locally by using a JavaScript WebSocket connection.

"This newly-discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability," Matthew Warner, CTO of Blumira, said. "At this point, there is no proof of active exploitation. This vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network."

WebSockets allow for two-way communications between a web browser (or other client application) and a server, unlike HTTP, which is unidirectional where the client sends the request and the server sends the response.

While the issue can be resolved by updating all local development and internet-facing environments to Log4j 2.16.0, Apache on Friday rolled out version 2.17.0, which remediates a denial-of-service (DoS) vulnerability tracked as CVE-2021-45105 (CVSS score: 7.5), making it the third Log4j 2 flaw to come to light after CVE-2021-45046 and CVE-2021-44228.

The complete list of flaws discovered to date in the logging framework after the original Log4Shell remote code execution bug was disclosed is as follows —

CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)
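
A worked example, added here and not part of the article or of the Log4j project: it parses Log4j version strings (including pre-release tags such as 2.0-beta9) and reports which of the four advisories listed above apply, using the affected ranges exactly as the list states them. The function names and the sample inventory are constructed for illustration.

```python
# Added example, not from the article or the Log4j project: classify a
# Log4j version string against the advisories listed above, with the
# affected ranges taken exactly as the list states them.
import re
from typing import List, Tuple

# (CVE id, lowest affected version, highest affected version, exclusions)
LOG4J2_ADVISORIES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", ()),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", ()),
]

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def version_key(version: str) -> Tuple:
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple.

    Numeric parts are padded to three places. A pre-release qualifier such
    as 'beta9' ranks -1 against 0 for a final release, so 2.0-beta9 sorts
    before 2.0, which is what the 2.0-beta9 lower bound relies on.
    """
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    if m.group(2):
        return (tuple(nums), -1, m.group(2).lower(), int(m.group(3) or 0))
    return (tuple(nums), 0, "", 0)


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the list above that apply to `version`."""
    key = version_key(version)
    # The article lists CVE-2021-4104 against the end-of-life 1.2 line.
    if key[0][:2] == (1, 2):
        return ["CVE-2021-4104"]
    hits = []
    for cve, low, high, excluded in LOG4J2_ADVISORIES:
        in_range = version_key(low) <= key <= version_key(high)
        if in_range and version.strip() not in excluded:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, e.g. versions pulled from a dependency tree.
    for v in ["2.0-beta9", "2.12.2", "2.14.1", "2.15.0", "2.16.0", "2.17.0", "1.2.17"]:
        print(f"log4j {v:>10}: {affected_cves(v) or 'not affected per the list'}")
```

Feeding this the versions found in a dependency tree dump (direct and transitive, as the Google analysis further down stresses) gives a first-pass list of which artifacts still need upgrading to 2.17.0.
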
"We shouldn't be surprised that additional vulnerabilities were discovered in Log4j given the additional specific focus on the library," Jake Williams, CTO and co-founder of incident response firm BreachQuest, said. "Similar to Log4j, this summer the original PrintNightmare vulnerability disclosure led to the discovery of multiple additional distinct vulnerabilities. The discovery of additional vulnerabilities in Log4j shouldn't cause concern about the security of log4j itself. If anything, Log4j is more secure because of the additional attention paid by researchers."

The latest development comes as a number of threat actors have piled on the Log4j flaws to mount a variety of attacks, including ransomware infections involving the Russia-based Conti group and a new ransomware strain named Khonsari. What's more, the Log4j remote code execution flaw has also opened the door to a third ransomware family known as TellYouThePass that's being used in attacks against Windows and Linux devices, according to researchers from Sangfor and Curated Intel.

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway
The easily exploited, ubiquitous vulnerability, aside from spawning as many as 60 variations, has presented a perfect window of opportunity for adversaries, with Romanian cybersecurity firm Bitdefender noting that more than 50% of the attacks are leveraging the Tor anonymity service to mask their true origins.

"In other words, threat actors exploiting Log4j are routing their attacks through machines that are closer to their intended targets and just because we don't see countries commonly associated with cybersecurity threats at the top of the list does not mean that attacks did not originate there," Martin Zugec, technical solutions director at Bitdefender, said.

According to telemetry data collected between December 11 and December 15, Germany and the U.S. alone accounted for 60% of all the exploitation attempts. The most common attack targets during the observation period were the U.S., Canada, the U.K., Romania, Germany, Australia, France, the Netherlands, Brazil, and Italy.

Google: Over 35,000 Java Packages Affected by the Log4j Flaw
The development also coincides with an analysis from Google's Open Source Insights Team, which found that roughly 35,863 Java packages — accounting for over 8% of the Maven Central repository — use vulnerable versions of the Apache Log4j library. Of the affected artifacts, only around 7,000 packages have a direct dependency on Log4j.

"Users' lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability," Google's James Wetter and Nicky Ringland said. But on the positive side of things, 2,620 of the impacted packages have already been fixed less than a week after disclosure.

"There will likely be some time before we understand the full fallout of the log4j vulnerability, but only because it's embedded in so much software," Williams said. "This has nothing to do with threat actor malware. It has to do with the difficulty in finding the myriad places the library is embedded. The vulnerability itself will provide initial access for threat actors who will later perform privilege escalation and lateral movement – that's where the real risk is."


Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips
20.12.2021
Attack Thehackernews

Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device's Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip, putting billions of electronic devices at risk of stealthy attacks.

The novel attacks work against the so-called "combo chips," which are specialized chips that are equipped to handle different types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, and LTE.

"We provide empirical evidence that coexistence, i.e., the coordination of cross-technology wireless transmissions, is an unexplored attack surface," a group of researchers from the Technical University of Darmstadt's Secure Mobile Networking Lab and the University of Brescia said in a new paper.

"Instead of escalating directly into the mobile [operating system], wireless chips can escalate their privileges into other wireless chips by exploiting the same mechanisms they use to arbitrate their access to the resources they share, i.e., the transmitting antenna and the wireless medium."

Coexistence refers to a mechanism wherein Bluetooth, Wi-Fi, and LTE share the same components and resources — e.g., antenna or wireless spectrum — necessitating that these communication standards coordinate the spectrum access to avoid collisions when operating in the same frequency. Chipset vendors use this principle to allow Wi-Fi and Bluetooth to operate virtually concurrently.

While these combo wireless chips are key to high-performance spectrum sharing, coexistence interfaces also pose a side-channel risk as demonstrated by the same set of researchers at the Black Hat security conference last year, effectively permitting a malicious party to glean details from other wireless technologies supported by the combo chip.

Dubbed "Spectra," the vulnerability class banks on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. This breaks the separation between Wi-Fi and Bluetooth, resulting in denial of service on spectrum access and information disclosure, and even enabling lateral privilege escalation from a Bluetooth chip to code execution on a Wi-Fi chip.

"The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information," the researchers said. "Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network."

In addition, the researchers found that it's possible for an adversary with control over the Wi-Fi core to observe Bluetooth packets, which, in turn, allows determining keystroke timings on Bluetooth keyboards, ultimately granting the attacker the ability to reconstruct text entered using the keyboard.

Some of the attack scenarios were first reported to the impacted vendors as early as August 2019, but the coexistence flaws continue to remain unpatched on Broadcom SoCs to date.

"As of November 2021, more than two years after reporting the first coexistence bug, coexistence attacks, including code execution, still work on up-to-date Broadcom chips," the academics said. "This highlights how hard these issues are to fix in practice."

To minimize the risk of such wireless attacks, it's recommended that users remove unnecessary Bluetooth pairings, delete unused Wi-Fi networks, and use cellular rather than Wi-Fi in public spaces.

"Cellular data plans got more affordable during recent years and cellular network coverage increased," the researchers concluded. "Disabling Wi-Fi by default and only enabling it when using trusted networks can be considered a good security practice, even if cumbersome."


Microsoft Fended Off a Record 2.4 Tbps DDoS Attack Targeting Azure Customers
13.10.21 
Attack  Thehackernews

Microsoft on Monday revealed that its Azure cloud platform mitigated a 2.4 Tbps distributed denial-of-service (DDoS) attack in the last week of August targeting an unnamed customer in Europe, surpassing a 2.3 Tbps attack stopped by Amazon Web Services in February 2020.

"This is 140 percent higher than 2020's 1 Tbps attack and higher than any network volumetric event previously detected on Azure," Amir Dahan, senior program manager for Azure Networking, said in a post, calling it a "UDP reflection" lasting for about 10 minutes.

Reflected amplification attacks are a type of denial-of-service attack in which a threat actor takes advantage of the connectionless nature of the UDP protocol, sending spoofed requests so as to overwhelm a target server or network with a flood of packets, causing disruption or rendering the server and its surrounding infrastructure unavailable.

The attack is said to have originated from a botnet of approximately 70,000 compromised devices primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the U.S.

Microsoft said it observed three short-lived bursts, each ramping up in seconds to terabit volumes — the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

News of the DDoS attack comes a month after Russian internet giant Yandex became the target of a record-breaking distributed denial-of-service (DDoS) attack by a new botnet called Mēris, which battered the company's web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests per second (RPS).

"Bad actors, now more than ever, continuously look for ways to take applications offline," Dahan said. "Attacks of this size demonstrate the ability of bad actors to wreak havoc by flooding targets with gigantic traffic volumes trying to choke network capacity."


Creating Wireless Signals with Ethernet Cable to Steal Data from Air-Gapped Systems
9.10.21 
Attack  Thehackernews

A newly discovered data exfiltration mechanism employs Ethernet cables as a "transmitting antenna" to stealthily siphon highly-sensitive data from air-gapped systems, according to the latest research.

"It's interesting that the wires that came to protect the air-gap become the vulnerability of the air gap in this attack," Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel, told The Hacker News.

Dubbed "LANtenna Attack," the novel technique enables malicious code in air-gapped computers to amass sensitive data and then encode it over radio waves emanating from Ethernet cables just as if they are antennas. The transmitted signals can then be intercepted by a nearby software-defined radio (SDR) receiver wirelessly, the data decoded, and sent to an attacker who is in an adjacent room.

"Notably, the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine," the researchers noted in an accompanying paper titled "LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables."

Air-gapped networks are designed as a network security measure to minimize the risk of information leakage and other cyber threats by ensuring that one or more computers are physically isolated from other networks, such as the internet or a local area network. They are usually wired since machines that are part of such networks have their wireless network interfaces permanently disabled or physically removed.

This is far from the first time Dr. Guri has demonstrated unconventional ways to leak sensitive data from air-gapped computers. In February 2020, the security researcher devised a method that employs small changes in LCD screen brightness, which remain invisible to the naked eye, to modulate binary information in morse-code-like patterns covertly.

Then in May 2020, Dr. Guri showed how malware could exploit a computer's power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker to leak data in an attack called "POWER-SUPPLaY."

Lastly, in December 2020, the researcher showed off "AIR-FI," an attack that leverages Wi-Fi signals as a covert channel to exfiltrate confidential information without even requiring the presence of dedicated Wi-Fi hardware on the targeted systems.

The LANtenna attack is no different: malware on the air-gapped workstation induces the Ethernet cable to generate electromagnetic emissions in the 125 MHz frequency band, which are modulated and intercepted by a nearby radio receiver. In a proof-of-concept demo, data transmitted from an air-gapped computer through its Ethernet cable was received at a distance of 200 cm.

Like other data leakage attacks of this kind, triggering the infection requires deploying the malware on the target network via any of a number of infection vectors, ranging from supply chain attacks or contaminated USB drives to social engineering, stolen credentials, or malicious insiders.

As countermeasures, the researchers propose prohibiting the use of radio receivers in and around air-gapped networks and monitoring the network interface card link layer activity for any covert channel, as well as jamming the signals, and using metal shielding to limit electromagnetic fields from interfering with or emanating from the shielded wires.

"This paper shows that attackers can exploit the Ethernet cables to exfiltrate data from air-gapped networks," the researchers said in the paper. "Malware installed in a secured workstation, laptop, or embedded device can invoke various network activities that generate electromagnetic emissions from Ethernet cables."

"Dedicated and expensive antennas yield better distance and could reach tens of meters with some cables," Dr. Guri added.


New SpookJS Attack Bypasses Google Chrome's Site Isolation Protection
19.9.21 
Attack  Thehackernews

A newly discovered side-channel attack demonstrated on modern processors can be weaponized to successfully overcome Site Isolation protections weaved into Google Chrome and Chromium browsers and leak sensitive data in a Spectre-style speculative execution attack.

Dubbed "Spook.js" by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, the technique is a JavaScript-based line of attack that specifically aims to get around barriers Google put in place to potentially prevent leakage by ensuring that content from different domains is not shared in the same address space after Spectre and Meltdown vulnerabilities came to light in January 2018.

"An attacker-controlled webpage can know which other pages from the same websites a user is currently browsing, retrieve sensitive information from these pages, and even recover login credentials (e.g., username and password) when they are autofilled," the researchers said, adding "the attacker can retrieve data from Chrome extensions (such as credential managers) if a user installs a malicious extension."

As a consequence, any data stored in the memory of a website being rendered or a Chrome extension can be extracted, including personally identifiable information displayed on the website, and auto-filled usernames, passwords, and credit card numbers.

Spectre, designated as CVE-2017-5753 and CVE-2017-5715, refers to a class of hardware vulnerabilities in CPUs that breaks the isolation between different applications and permits attackers to trick a program into accessing arbitrary locations associated with its memory space, abusing it to read the content of accessed memory, and thus potentially obtain sensitive data.

"These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory," Google noted. "Effectively, this means that untrustworthy code may be able to read any memory in its process's address space."

Site Isolation, rolled out in July 2018, is Google's software countermeasure designed to make the attacks harder to exploit, alongside others such as reducing timer granularity. With the feature enabled, Chrome browser versions 67 and above load each website in its own process, and as a result thwart attacks between processes, and thus between sites.

However, the researchers behind the latest study found scenarios where the Site Isolation safeguards do not separate two websites, effectively undermining Spectre protections. Spook.js exploits this design quirk to leak information from Chrome and Chromium-based browsers running on Intel, AMD, and Apple M1 processors.

"Thus, Chrome will separate 'example.com' and 'example.net' due to different [top-level domains], and also 'example.com' and 'attacker.com.'" the researchers explained. "However, 'attacker.example.com' and 'corporate.example.com' are allowed to share the same process [and] this allows pages hosted under 'attacker.example.com' to potentially extract information from pages under 'corporate.example.com.'"

"Spook.js shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks," the researchers added. That said, as with other Spectre variants, exploiting Spook.js is difficult, requiring substantial side-channel expertise on the part of the attacker.

In response to the findings, the Chrome Security Team, in July 2021, extended Site Isolation to ensure that "extensions can no longer share processes with each other," in addition to applying them to "sites where users log in via third-party providers." The new setting, called Strict Extension Isolation, is enabled as of Chrome versions 92 and up.

"Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1," the researchers said. "This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries."
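As an added example (not from the paper or from Chromium), the following computes the "site" (scheme plus eTLD+1) that Site Isolation keys renderer processes on, reproducing the grouping the researchers quote above and checking their developer advice of hosting user-supplied JavaScript under a different eTLD+1. The public-suffix set is a constructed subset; Chromium uses the full Public Suffix List, and the hostnames in the sample cases are made up.

```python
# Added example, not Chromium's code: work out the "site" (scheme plus
# eTLD+1) that Site Isolation keys renderer processes on. The suffix set is
# a constructed subset of the Public Suffix List that Chromium actually uses.
from typing import Tuple
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "github.io"}


def etld_plus_one(host: str) -> str:
    """Registrable domain: the longest matching public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Suffix not in our subset: fall back to the last two labels.
    return ".".join(labels[-2:])


def site_of(url: str) -> Tuple[str, str]:
    """(scheme, eTLD+1) for a URL; this pair is what Chrome compares."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return (parts.scheme.lower(), etld_plus_one(parts.hostname))


def same_site(url_a: str, url_b: str) -> bool:
    """True when Site Isolation would put both URLs in one renderer process."""
    return site_of(url_a) == site_of(url_b)


if __name__ == "__main__":
    # Constructed cases mirroring the hostnames quoted by the researchers,
    # plus the developer mitigation of a separate eTLD+1 for user scripts.
    pairs = [
        ("https://example.com", "https://example.net"),
        ("https://example.com", "https://attacker.com"),
        ("https://attacker.example.com/", "https://corporate.example.com/login"),
        ("https://corporate.example.com/", "https://user-scripts.example-usercontent.com/"),
    ]
    for a, b in pairs:
        print(f"{'same' if same_site(a, b) else 'separate':>8} process: {a}  |  {b}")
```

The last pair is the mitigation the researchers describe: because the user-script host has a different eTLD+1, the two pages land in separate processes, which is the boundary Spook.js cannot cross.
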


HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack
10.9.21 
Attack  Thehackernews

A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.

Tracked as CVE-2021-40346, the integer overflow vulnerability has a severity rating of 8.6 on the CVSS scoring system and has been rectified in HAProxy versions 2.0.25, 2.2.17, 2.3.14 and 2.4.4.

HTTP Request Smuggling, as the name implies, is a web application attack that tampers with the way a website processes sequences of HTTP requests received from more than one user. Also called HTTP desynchronization, the technique takes advantage of parsing inconsistencies in how front-end servers and back-end servers process requests from the senders.

Front-end servers are typically load balancers or reverse proxies that are used by websites to manage a chain of inbound HTTP requests over a single connection and forward them to one or more back-end servers. It's therefore crucial that the requests are processed correctly at both ends so that the servers can determine where one request ends and the next one begins, a failure of which can result in a scenario where malicious content appended to one request gets added to the start of the next request.

In other words, due to a problem arising from how front-end and back-end servers work out the beginning and end of each request by using the Content-Length and Transfer-Encoding headers, the end of a rogue HTTP request is miscalculated, leaving the malicious content unprocessed by one server but prefixed to the beginning of the next inbound request in the chain.

"The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request — specifically — in the logic that deals with Content-Length headers," researchers from JFrog Security said in a report published on Tuesday.

In a potential real-world attack scenario, the flaw could be used to trigger an HTTP request smuggling attack with the goal of bypassing ACL (aka access-control list) rules defined by HAProxy, which enables users to define custom rules for blocking malicious requests.

Following responsible disclosure, HAProxy remediated the weakness by adding size checks for the name and value lengths. "As a mitigation measure, it is sufficient to verify that no more than one such [content-length] header is present in any message," Willy Tarreau, HAProxy's creator and lead developer, noted in a GitHub commit pushed on September 3.

Customers who cannot upgrade to the aforementioned versions of the software are recommended to add the snippet below to the proxy's configuration to mitigate the attacks —

http-request deny if { req.hdr_cnt(content-length) gt 1 }

http-response deny if { res.hdr_cnt(content-length) gt 1 }
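The same check expressed in code, as an added example that is not HAProxy's own source: a small HTTP/1.1 header parser counts Content-Length headers case-insensitively, as req.hdr_cnt(content-length) does, and refuses any request that carries more than one, which is the condition the mitigation quoted above tests for. The sample requests, hostnames and function names are constructed for the illustration.

```python
# Added example, not HAProxy's code: the "at most one Content-Length header"
# rule from the mitigation above, applied to a raw HTTP/1.1 request.
from typing import List, Tuple


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw request into request line, header pairs and body.

    Headers keep their order and any duplicates; names are lower-cased so
    that 'Content-Length' and 'content-length' count as the same header,
    matching the case-insensitive req.hdr_cnt(content-length) check.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, body


def content_length_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Every Content-Length value present, in order of appearance."""
    return [v for n, v in headers if n == "content-length"]


def should_deny(raw: bytes) -> Tuple[bool, str]:
    """Mirror of 'http-request deny if { req.hdr_cnt(content-length) gt 1 }'.

    A request carrying more than one Content-Length header is refused
    outright, whether or not the values agree: two parsers downstream may
    pick different ones and disagree on where the body ends.
    """
    _, headers, _ = parse_headers(raw)
    values = content_length_values(headers)
    if len(values) > 1:
        return True, f"{len(values)} content-length headers present: {values}"
    return False, "at most one content-length header"


# Constructed samples: a benign POST, and one carrying two Content-Length
# headers with different values, so the body boundary is ambiguous.
BENIGN = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\n\r\nhello")
DOUBLE = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\ncontent-length: 7\r\n\r\nhello")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("double", DOUBLE)):
        deny, why = should_deny(req)
        print(f"{name}: {'DENY' if deny else 'allow'} ({why})")
```

The function is useful as a log-replay check: run captured request heads through it to see whether anything on a pre-2.0.25/2.2.17/2.3.14/2.4.4 deployment would have tripped the rule before the upgrade.
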


New Microsoft Exchange 'ProxyToken' Flaw Lets Attackers Reconfigure Mailboxes
3.9.21 
Attack  Thehackernews

Details have emerged about a now-patched security vulnerability impacting Microsoft Exchange Server that could be weaponized by an unauthenticated attacker to modify server configurations, thus leading to the disclosure of Personally Identifiable Information (PII).

The issue, tracked as CVE-2021-33766 (CVSS score: 7.3) and coined "ProxyToken," was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021.

"With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users," the ZDI said Monday. "As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker."

Microsoft addressed the issue as part of its Patch Tuesday updates for July 2021.

The security shortcoming resides in a feature called Delegated Authentication, which refers to a mechanism whereby the front-end website — the Outlook web access (OWA) client — passes authentication requests directly to the back-end when it detects the presence of a SecurityToken cookie.

However, since Exchange has to be specifically configured to use the feature and have the back-end carry out the checks, it leads to a scenario in which the module handling this delegation ("DelegatedAuthModule") isn't loaded under default configuration, culminating in a bypass as the back-end fails to authenticate incoming requests based on the SecurityToken cookie.

"The net result is that requests can sail through, without being subjected to authentication on either the front or back end," ZDI's Simon Zuckerbraun explained.

The disclosure adds to a growing list of Exchange Server vulnerabilities that have come to light this year, including ProxyLogon, ProxyOracle, and ProxyShell, which have been actively exploited by threat actors to take over unpatched servers, deploy malicious web shells and file-encrypting ransomware such as LockFile.

Troublingly, in-the-wild exploit attempts abusing ProxyToken have already been recorded as early as August 10, according to NCC Group security researcher Rich Warren, making it imperative that customers move quickly to apply the security updates from Microsoft.


Cloudflare mitigated one of the largest DDoS attacks on record, involving 17.2 million rps
20.8.21 
Attack  Thehackernews
Web infrastructure and website security company Cloudflare on Thursday disclosed that it mitigated the largest ever volumetric distributed denial of service (DDoS) attack recorded to date.

The attack, launched via a Mirai botnet, is said to have targeted an unnamed customer in the financial industry last month. "Within seconds, the botnet bombarded the Cloudflare edge with over 330 million attack requests," the company noted, at one point reaching a record high of 17.2 million requests-per-second (rps), making it three times bigger than previously reported HTTP DDoS attacks.

Volumetric DDoS attacks are designed to target a specific network with an intention to overwhelm its bandwidth capacity and often utilize reflective amplification techniques to scale their attack and cause as much operational disruption as possible.

They also typically originate from a network of malware-infected systems — consisting of computers, servers, and IoT devices — enabling threat actors to seize control and co-opt the machines into a botnet capable of generating an influx of junk traffic directed against the victim.

In this specific incident, the traffic originated from more than 20,000 bots in 125 countries worldwide, with almost 15% of the attack originating from Indonesia, followed by India, Brazil, Vietnam, and Ukraine. What's more, the 17.2 million rps alone accounted for 68% of the average rps rate of legitimate HTTP traffic processed by Cloudflare in Q2 2021, which is at 25 million HTTP rps.

This is far from the first time similar attacks have been detected in recent weeks. Cloudflare noted that the same Mirai botnet was used to strike a hosting provider with an HTTP DDoS attack that peaked a little below 8 million rps.

Separately, a Mirai-variant botnet was observed launching over a dozen UDP and TCP-based DDoS attacks that peaked multiple times above 1 Tbps. The company said the unsuccessful attacks were aimed at a gaming company and a major Asia Pacific-based internet services, telecommunications, and hosting provider.

"While the majority of attacks are small and short, we continue to see these types of volumetric attacks emerging more often," Cloudflare said. "It's important to note that these volumetric short burst attacks can be especially dangerous for legacy DDoS protection systems or organizations without active, always-on cloud-based protection."
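Both this article and the Azure one above describe bursts that ramp up within seconds. As an added example (not Cloudflare's or Microsoft's code), the following counts requests per second over a constructed access log, flags seconds whose rate exceeds a multiple of the median rate, and reports how many distinct sources drove the flagged seconds, which is the first thing an analyst wants to know when separating a botnet flood from a legitimate spike. The log format, threshold values and addresses are assumptions made for the illustration.

```python
# Added example, not Microsoft's or Cloudflare's code: per-second request
# counting with burst detection over a constructed access log. Log format,
# thresholds and addresses are assumptions made for the illustration.
from collections import Counter
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List


def make_sample_log() -> List[str]:
    """Constructed log: ~3 requests/s from one client for 12 seconds, with a
    2-second burst of 50 requests/s from many addresses in 198.51.100.0/24."""
    base = datetime(2021, 8, 28, 12, 0, 0)
    lines = []
    for s in range(12):
        burst = s in (6, 7)
        for i in range(50 if burst else 3):
            ts = base + timedelta(seconds=s, milliseconds=i * 10)
            ip = f"198.51.100.{(s * 7 + i) % 200 + 1}" if burst else "203.0.113.10"
            lines.append(f"{ts.isoformat()} {ip} GET /")
    return lines


def parse_line(line: str):
    """'<iso timestamp> <client ip> <method> <path>' -> (datetime, ip, method, path)."""
    ts, ip, method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, method, path


def requests_per_second(lines: List[str]) -> Dict[datetime, int]:
    """Bucket requests by whole second."""
    counts: Counter = Counter()
    for line in lines:
        ts, *_ = parse_line(line)
        counts[ts.replace(microsecond=0)] += 1
    return counts


def detect_bursts(counts: Dict[datetime, int], factor: float = 10.0, floor: int = 20) -> List[datetime]:
    """Seconds whose count is at least `factor` times the median second and at least `floor`.

    The median is the baseline so that a short burst does not drag the
    baseline up with it the way a mean would."""
    if not counts:
        return []
    threshold = max(median(counts.values()) * factor, floor)
    return sorted(t for t, n in counts.items() if n >= threshold)


def burst_sources(lines: List[str], bursts: List[datetime]) -> Counter:
    """Distinct client addresses (with request counts) during the flagged seconds."""
    window = set(bursts)
    sources: Counter = Counter()
    for line in lines:
        ts, ip, *_ = parse_line(line)
        if ts.replace(microsecond=0) in window:
            sources[ip] += 1
    return sources


if __name__ == "__main__":
    log = make_sample_log()
    per_second = requests_per_second(log)
    flagged = detect_bursts(per_second)
    srcs = burst_sources(log, flagged)
    for t in flagged:
        print(f"burst at {t.time()}: {per_second[t]} req/s")
    print(f"{len(srcs)} distinct sources during burst, "
          f"at most {max(srcs.values())} requests from any one address")
```

A wide spread of sources each sending a few requests, as in the sample, is the signature of the bot-driven traffic both articles describe; the same logic over a real access log only needs `parse_line` adapted to the local format.
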


Pair of Apex Legends Players Banned for DDoS Server Attacks
30.3.2021 
Attack  Securityaffairs

Predator-ranked players on the Xbox console version of the game rigged matches with DDoS attacks.

Two high-ranked Apex Legends players have been banned from the platform for cheating by launching distributed denial-of-service (DDoS) attacks on an Xbox server.

The players, who had achieved the rank of “Apex Predators” in the console version of the game, haven’t been named, but the whole thing went down publicly on Reddit’s r/apexlegends forum over the weekend.

Confirmation of the ban came from the game’s security analyst, Connor Ford, on Reddit, who first posted a video showing “undeniable proof that the No. 4 and No. 6 Xbox Preds are DDoSing servers after we knock them,” Ford wrote. “I’m posting on Twitter for more attention but please help get this traction. Console Ranked is literally unplayable with five of every six games being DDoSed in Pred lobbies.”

The video was taken down following the ban, but Ford, who works for Apex Legends parent company Respawn, signaled more sweeping actions to come in a March 22 tweet.

“Console reckoning for DDoSers and DDoS customers incoming,” he tweeted. “You can’t hide any of it.”

The now-removed videos showed the top-ranking players get knocked down, then the game lost connectivity. When the honest players were able to rejoin, they were the ones knocked down and the offending ranked players were instead standing over them.

Threatpost reached out to Respawn and Connor Ford for additional details but hasn’t yet received a response.

Cyberattacks On Gaming Are Like ‘Digital Doping’
Cyberattacks against gaming aren’t anything new, but the stakes are higher than ever, which is driving innovation in gaming the games.

“eSports is a market where the top 10 teams are valued at about $2 billion in total, and where money is involved, there are folks trying to use dirty tricks,” Dirk Schrader from New Net Technologies told Threatpost. “We might want to call it ‘digital doping,’ since as the tournaments and the prize pools are getting bigger, the likelihood of attacks and hacks is also growing. For businesses already affected by recent attacks (CD Projekt Red), it is time to include essential controls and protection mechanisms to an appropriate level.”

The rise of mobile gaming is also driving cyberthreats, including account takeover (ATO) attacks, according to Hank Schless with Lookout, a mobile security solutions provider.

“They often achieve this by sending targeted mobile phishing links to steal their login credentials. What happens a lot is that threat actors will send a phishing link through the in-game messaging system, directing the player to a fake login page,” Schless told Threatpost. “Usually, the actor will pose as a member of the game’s support team to convince the target to go to that fake page. This is just another iteration of mobile phishing. Malicious links can be sent to you through any app now, not just in emails.”

Attackers are also expanding into building alternate versions of games for distribution on third-party app stores without the same security protections as Google Play or iOS App Store, Schless explained.

“These alternative apps are often trojanized, meaning they function like the legitimate version but have malicious code injected in them,” Schless said.

Gaming Security Too Invasive?
Tim Wade, who serves as the CTO of Vectra, which uses AI to find cyberattackers, said he is becoming increasingly concerned about the flip side of the equation — that gaming companies are becoming too aggressive and are developing anti-cheating solutions that Wade warns are increasingly invasive.

“So long as games are played online, attempts at cheating will continue, and include all of the classic ways a traditional web application may be attacked – including exploiting weakness in client-side code, server-side injection, and yes even DDoS attacks against other players or infrastructure,” Wade told Threatpost. “However, what’s most concerning to me is how invasive some of the anti-cheating countermeasures have become, essentially acting like rootkits and not only potentially creating a dangerous attack surface for users but also raising questions of precedents set for personal privacy.”


New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems
30.3.2021 
Attack  Thehackernews
Cybersecurity researchers on Monday disclosed two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as Spectre and obtain sensitive information from kernel memory.

Discovered by Piotr Krysiuk of Symantec's Threat Hunter team, the flaws — tracked as CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5) — impact all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions.

While CVE-2020-27170 can be abused to reveal content from any location within the kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.

First documented in January 2018, Spectre and Meltdown take advantage of flaws in modern processors to leak data that is currently being processed on the computer, thereby allowing a bad actor to bypass the boundaries enforced by the hardware between two programs and get hold of cryptographic keys.

Put differently, the two side-channel attacks permit malicious code to read memory that it would not normally have permission to access. Even worse, the attacks can also be launched remotely via rogue websites running malicious JavaScript code.

Although isolation countermeasures have been devised and browser vendors have incorporated defenses to offer protection against timing attacks by reducing the precision of time-measuring functions, the mitigations have been at an operating system level rather than a solution for the underlying issue.

The new vulnerabilities uncovered by Symantec aim to get around these mitigations in Linux by taking advantage of the kernel's support for extended Berkeley Packet Filters (eBPF) to extract the contents of the kernel memory.

"Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions," Symantec said. "This could then be abused to reveal contents of the memory via side-channels."

Specifically, the kernel ("kernel/bpf/verifier.c") was found to perform undesirable out-of-bounds speculation on pointer arithmetic, thus defeating fixes for Spectre and opening the door for side-channel attacks.

In a real-world scenario, unprivileged users could leverage these weaknesses to gain access to secrets from other users sharing the same vulnerable machine.

"The bugs could also potentially be exploited if a malicious actor was able to gain access to an exploitable machine via a prior step — such as downloading malware onto the machine to achieve remote access — this could then allow them to exploit these vulnerabilities to gain access to all user profiles on the machine," the researchers said.
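A host posture check for these two bugs, added here as an example and not code from the article or from Symantec. It uses only two facts the article gives, the 5.11.8 upstream fix and the reliance on unprivileged BPF, plus the real kernel sysctl kernel.unprivileged_bpf_disabled (exposed under /proc); because distributions backported the fix, an older version string is treated as a review signal rather than proof of exposure.

```python
"""Posture check for CVE-2020-27170 / CVE-2020-27171 (added example, hypothetical tool).

Verdicts:
  fixed-upstream                    kernel release is 5.11.8 or newer
  mitigated-by-sysctl               older release, but unprivileged BPF is blocked
  review-unprivileged-bpf-enabled   older release and unprivileged BPF allowed;
                                    confirm the distro advisory before calling it exposed
"""
import os
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_UPSTREAM = (5, 11, 8)  # upstream kernel carrying the fix, per the article
SYSCTL_PATH = Path("/proc/sys/kernel/unprivileged_bpf_disabled")

VERDICT_FIXED = "fixed-upstream"
VERDICT_MITIGATED = "mitigated-by-sysctl"
VERDICT_REVIEW = "review-unprivileged-bpf-enabled"


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Reduce a uname -r string such as '5.4.0-70-generic' to (5, 4, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(release: str, unprivileged_bpf_disabled: Optional[int]) -> dict:
    """Classify a host from its kernel release and sysctl value (None = sysctl absent)."""
    version = parse_kernel_version(release)
    upstream_fixed = version >= FIXED_UPSTREAM
    # Any non-zero value stops unprivileged users from loading BPF programs, which is
    # the precondition Symantec describes for these bugs.
    bpf_blocked = bool(unprivileged_bpf_disabled)
    if upstream_fixed:
        verdict = VERDICT_FIXED
    elif bpf_blocked:
        verdict = VERDICT_MITIGATED
    else:
        verdict = VERDICT_REVIEW
    return {
        "kernel": version,
        "upstream_fixed": upstream_fixed,
        "unprivileged_bpf_blocked": bpf_blocked,
        "verdict": verdict,
    }


def read_sysctl(path: Path = SYSCTL_PATH) -> Optional[int]:
    """Read the sysctl from /proc; None when it is missing (non-Linux or very old kernel)."""
    try:
        return int(path.read_text().strip())
    except (FileNotFoundError, ValueError):
        return None


def check_local_host() -> dict:
    """Assess the machine the script runs on."""
    return assess(os.uname().release, read_sysctl())


if __name__ == "__main__":
    print(check_local_host())
```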

News of the two flaws comes weeks after Google published proof-of-concept (PoC) code written in JavaScript to demonstrate Spectre in a web browser and leak data at a speed of 1 kilobyte per second (kB/s) when running on Chrome 88 on an Intel Skylake CPU.


QNAP urges users to take action to protect devices against Brute-Force attacks
29.3.2021 
Attack  Securityaffairs

Taiwanese manufacturer QNAP this week published an alert urging its customers to secure their devices after a growing number of users reported that their devices have been hit by brute-force attacks.

“With increasing reports of brute-force attacks, QNAP urges its users to take immediate action to enhance the security of their devices.” reads the alert published by the vendor. “Recently QNAP has received multiple user reports of hackers attempting to log in to QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account.”

The vendor suggests actions such as using strong passwords, changing the default access port number, and disabling the admin account. The company also suggests not exposing devices on public networks and not using default network ports for public services.

“Other steps to strengthen the security of QNAP appliances and mitigate brute-force attacks include setting complex (strong) passwords for user accounts, enabling password policies, and disabling the admin account.” continues the alert.

The Taiwanese manufacturer also published an FAQ page that explains how to detect unauthorized login attempts on a device, and how to prevent attackers from compromising the device.


QNAP Urges Users to Secure Devices Against Brute-Force Attacks
27.3.2021 
Attack  Securityweek

Network-attached storage appliance manufacturer QNAP Systems this week published an alert urging users to take the necessary steps to secure their devices against brute-force attacks.

Recognized globally for its network-attached storage (NAS) and professional network video recorder (NVR) solutions, the Taiwan-based company has long advocated for improved device security in the face of various threats.

This week’s alert, the company underlines, has been published after a growing number of users reported that their devices have been targeted in brute-force attacks.

“QNAP urges its users to take immediate action to enhance the security of their devices. These actions include using strong passwords, changing the default access port number, and disabling the admin account,” the device manufacturer says.

QNAP also reveals that users have been complaining about adversaries attempting to log into QNAP devices by trying out a broad range of possible password combinations for the identified user accounts.

“If a simple, weak, or predictable password is used (such as ‘password’ or ‘12345’) hackers can easily gain access to the device, breaching security, privacy, and confidentiality,” QNAP says.

Additional steps that users can take to ensure that their devices are not targeted include keeping them away from public networks and ensuring that no default network ports are used for public services.

Furthermore, QNAP recommends that users set complex passwords for their accounts, that password policies are enabled, and that the admin account is disabled. These steps, the company says, can improve device security and mitigate brute-force attacks.

The device manufacturer also published an FAQ to provide users with additional information on how they can detect unauthorized login attempts on their devices, and on the steps they can take to prevent hackers from accessing the targeted device.

All users should remember that the use of weak passwords can render any device vulnerable to brute-force attacks, not only QNAP products. To prevent the use of common passwords, some tech companies have adopted policies that force users to choose stronger protections for their accounts.


New 5G Flaw Exposes Priority Networks to Location Tracking and Other Attacks
27.3.2021 
Attack  Mobil  Vulnerebility  Thehackernews

New research into 5G architecture has uncovered a security flaw in its network slicing and virtualized network functions that could be exploited to allow data access and denial of service attacks between different network slices on a mobile operator's 5G network.

AdaptiveMobile shared its findings with the GSM Association (GSMA) on February 4, 2021, following which the weaknesses were collectively designated as CVD-2021-0047.

5G is an evolution of current 4G broadband cellular network technology, and is based on what's called a service-based architecture (SBA) that provides a modular framework to deploy a set of interconnected network functions, allowing consumers to discover and authorize their access to a plethora of services.

The network functions are also responsible for registering subscribers, managing sessions and subscriber profiles, storing subscriber data, and connecting the users (UE or user equipment) to the internet via a base station (gNB). What's more, each network function of the SBA can offer a specific service but at the same time can also request a service from another network function.

One of the ways the core SBA of the 5G network is orchestrated is through a slicing model. As the name indicates, the idea is to "slice" the original network architecture in multiple logical and independent virtual networks that are configured to meet a specific business purpose, which, in turn, dictates the quality of service (QoS) requirements necessary for that slice.

5G QoS Network Slicing Vulnerability
Additionally, each slice in the core network consists of a logical group of network functions (NFs) that can be exclusively assigned to that slice or be shared among different slices.

Put differently, by creating separate slices that prioritize certain characteristics (e.g., large bandwidths), it enables a network operator to carve out solutions that are customized to particular industries.

For instance, a mobile broadband slice can be used to facilitate entertainment and Internet-related services, an Internet of Things (IoT) slice can be used to offer services tailored to retail and manufacturing sectors, while a standalone low latency slice can be designated for mission-critical needs such as healthcare and infrastructure.

"The 5G SBA offers many security features which includes lessons learned from previous generations of network technologies," AdaptiveMobile said in a security analysis of 5G core network slicing. "But on the other hand, 5G SBA is a completely new network concept that opens the network up to new partners and services. These all lead to new security challenges."


According to the mobile network security firm, this architecture not only poses fresh security concerns that stem from a need to support legacy functions but also from a "massive increase in protocol complexity" as a consequence of migrating from 4G to 5G, and in the process opening the door to a multitude of attacks, including —

Malicious access to a slice by brute-forcing its slice differentiator, an optional value set by the network operator for distinguishing between slices of the same type, thereby allowing a rogue slice to gain unauthorized information from a second slice like Access and Mobility Management Function (AMF), which maintains knowledge of a user equipment's location.
Denial-of-service (DoS) against another network function by taking advantage of a compromised slice.
The attacks hinge on a design quirk that there are no checks to ensure that the slice identity in the signaling layer request matches that used in the transport layer, thus permitting an adversary connected to the 5G operator's SBA through a rogue network function to get hold of the core network as well as the network slices.

It's worth noting that the signaling layer is the telecommunication-specific application layer used for exchanging signaling messages between network functions that are located in different slices.

5G QoS Network Slicing Vulnerability
As countermeasures, AdaptiveMobile recommends partitioning the network into different security zones by applying signaling security filters between different slices, the core network, and external partners, and the shared and not-shared network functions, in addition to deploying a signaling layer protection solution to safeguard against data leakage attacks that leverage the missing correlation between layers.

While the current 5G architecture doesn't support such a protection node, the study suggests enhancing the Service Communication Proxy (SCP) to validate the correctness of message formats, match the information between layers and protocols, and provide load-related functionality to prevent DoS attacks.
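A minimal slicing filter of the kind the analysis proposes for the SCP, added here as an example and not AdaptiveMobile's or any vendor's code. It enforces the missing check (the slice identity in the signaling-layer request must match a slice bound to the requester's transport-layer identity, with shared NFs allowed to hold several) and flags a source NF that keeps presenting unknown slice differentiators, the pattern of the brute-force attack described above; all NF names, slice values and thresholds are constructed sample data.

```python
"""SCP-style slice correlation filter (added example, hypothetical design)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SliceId:
    """S-NSSAI: Slice/Service Type plus optional Slice Differentiator."""
    sst: int
    sd: Optional[str] = None


@dataclass(frozen=True)
class SignalingRequest:
    """Signaling-layer (SBA HTTP) request as seen by the SCP."""
    source_nf: str          # requesting NF instance, as identified at the transport layer
    claimed_slice: SliceId  # slice identity carried inside the signaling message
    target_nf_type: str     # e.g. "AMF", which holds the UE's location


# Reason codes returned with each decision
OK = "ok"
UNKNOWN_SOURCE = "unknown-source-nf"
UNKNOWN_SLICE = "unknown-slice"
SD_PROBING = "sd-probing"
LAYER_MISMATCH = "layer-mismatch"


class SlicingFilter:
    def __init__(self, transport_binding: Dict[str, Set[SliceId]],
                 known_slices: Set[SliceId], sd_probe_threshold: int = 3) -> None:
        # Slices each NF instance is authorised for, derived from its transport-layer
        # identity (NF profile / mTLS certificate in a real deployment; constructed here)
        self.transport_binding = transport_binding
        self.known_slices = known_slices
        self.sd_probe_threshold = sd_probe_threshold
        # Distinct unknown SDs presented per source NF; many of them means guessing
        self.unknown_sds: Dict[str, Set[Optional[str]]] = defaultdict(set)

    def evaluate(self, req: SignalingRequest) -> Tuple[str, str]:
        allowed = self.transport_binding.get(req.source_nf)
        if allowed is None:
            return "deny", UNKNOWN_SOURCE
        if req.claimed_slice not in self.known_slices:
            probed = self.unknown_sds[req.source_nf]
            probed.add(req.claimed_slice.sd)
            if len(probed) >= self.sd_probe_threshold:
                return "deny", SD_PROBING  # a real SCP would raise an alert here
            return "deny", UNKNOWN_SLICE
        if req.claimed_slice not in allowed:
            # The check the analysis says is missing: signaling slice vs transport slice
            return "deny", LAYER_MISMATCH
        return "allow", OK


# Constructed operator configuration: two slices share SST 1 and differ only by SD
EMBB = SliceId(sst=1, sd="000001")
IOT = SliceId(sst=1, sd="000002")
URLLC = SliceId(sst=2)
KNOWN_SLICES = {EMBB, IOT, URLLC}
TRANSPORT_BINDING = {
    "smf-embb-01": {EMBB},
    "nf-shared-01": {EMBB, IOT},   # NF shared between two slices
    "rogue-nf-77": {IOT},
}


def demo() -> List[Tuple[str, str]]:
    """Run a constructed request sequence through the filter and return the decisions."""
    f = SlicingFilter(TRANSPORT_BINDING, KNOWN_SLICES, sd_probe_threshold=3)
    requests = [
        SignalingRequest("smf-embb-01", EMBB, "AMF"),                  # consistent
        SignalingRequest("rogue-nf-77", EMBB, "AMF"),                  # claims eMBB over IoT transport
        SignalingRequest("rogue-nf-77", SliceId(1, "0000aa"), "AMF"),  # guessing SDs
        SignalingRequest("rogue-nf-77", SliceId(1, "0000ab"), "AMF"),
        SignalingRequest("rogue-nf-77", SliceId(1, "0000ac"), "AMF"),  # threshold reached
        SignalingRequest("nf-shared-01", IOT, "AMF"),                  # shared NF, authorised
        SignalingRequest("unregistered-nf", URLLC, "AMF"),             # no transport identity
    ]
    return [f.evaluate(r) for r in requests]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```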

"This kind of filtering and validation approach allows division of the network into security zones and safeguarding of the 5G core network," the researchers said. "Cross-correlation of attack information between those security network functions maximizes the protection against sophisticated attackers and allows better mitigations and faster detection while minimizing false alarms."


Insurer CNA Says Cyberattack Caused Network Disruption
25.3.2021
Attack  Securityweek

Commercial insurer CNA on Tuesday announced that it was recently targeted in what it described as a sophisticated cyberattack.

The Chicago, Illinois-based company is one of the largest commercial insurers in the United States, offering cyber insurance policies alongside a broad range of other insurance products.

In a March 23 announcement, the company revealed that, over the weekend, it fell victim to a cyberattack that impacted certain systems, and which resulted in network disruptions.

“On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email,” the company says in an incident notification on its website.

The insurance giant says that it has started an investigation immediately after learning of the attack, to determine the full scope of the incident. The investigation is ongoing and law enforcement has been alerted.

“Out of an abundance of caution, we have disconnected our systems from our network, which continue to function,” CNA also says.

The company also revealed that employees were notified of the attack, and that they were “provided workarounds where possible,” so that they would be able to continue operating.

CNA has yet to determine whether any information related to its clients or other type of data has been impacted in the incident.

“The security of our data and that of our insureds’ and other stakeholders is of the utmost importance to us. Should we determine that this incident impacted our insureds’ or policyholders’ data, we’ll notify those parties directly,” the company notes.

While CNA hasn’t revealed the nature of the cyber-attack, there is a possibility that the company fell victim to ransomware operators, which would explain why systems were disconnected from the network (likely to prevent further data encryption).


Energy Giant Shell Is Latest Victim of Accellion Attacks
24.3.2021
Attack  Threatpost

Attackers accessed personal and business data from the company’s legacy file-transfer service in a recent data-security incident but core IT systems remained untouched.

Energy giant Royal Dutch Shell is the latest victim of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA) product, which already has affected numerous companies and been attributed to the FIN11 and the Clop ransomware gang.

“Shell has been impacted by a data-security incident involving Accellion’s File Transfer Appliance,” the company revealed on its website last week. “Shell uses this appliance to securely transfer large data files.”

Attackers gained access to “various files” containing personal and company data from both Shell and some of its stakeholders, the company acknowledged. However, its core IT systems were unaffected by the breach because of how its Accellion implementation is deployed, “as the file transfer service is isolated from the rest of Shell’s digital infrastructure,” the company said.

Shell, the fifth largest company in the world, also revealed several of its global petrochemical and energy company affiliates were impacted.

According to the company, once it learned of the incident, Shell immediately addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.

“Shell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks,” the company said in a statement. “We have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.”

Shell did not say specifically how attackers accessed its Accellion implementation, but the breach is likely related to a series of attacks on vulnerabilities in Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion revealed that it became aware of a then zero-day security vulnerability in the product in mid-December, and subsequently scrambled to patch it.

However, the first flaw turned out to be just one of a cascade of now patched zero-day bugs in the platform that Accellion discovered only after they came under attack from cyber-adversaries well into the new year, the company acknowledged. Other victims of third-party attacks on Accellion FTA include Jones Day Law Firm and telecom giant Singtel.

Eventually, four security vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) were found to be exploited in the attacks, according to the investigation. Accellion tried to patch each subsequent vulnerability as soon as it was discovered; however, as evidenced by Shell’s disclosure, unpatched systems likely remain and further attacks seem likely.

Indeed, patching is a complicated endeavor even for the most well-run IT organizations and many companies struggle to achieve complete coverage across their environments, observed Chris Clements, vice president of solutions architecture for cybersecurity firm Cerberus Sentinel, in an email to Threatpost.

“This is especially true for non-Microsoft Windows based systems, the unfortunate reality is that for many organizations, their patching strategy starts and stops with Windows,” he said. “Infrastructure equipment and especially network appliances like Accellion often lag significantly in patch adoption.”

There are a number of reasons for why patches aren’t immediately applied when they’re made available, including lack of communication from vendors when patches are released, complex and manual patching processes, and organizational confusion around who’s responsible for patch application, Clements added.

The Accellion attacks also once again shed light on the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploit, said another security expert.

“The Shell data breach illustrates the criticality of securing vendors and ensuring their systems don’t compromise your own business,” Demi Ben-Ari, CTO and co-founder of security firm Panorays said in an email to Threatpost. “Vulnerabilities in vendors’ legacy software can serve as an easy gateway to breach data in target companies — or worse.”


Electricity Distribution Systems at Increasing Risk of Cyberattacks, GAO Warns
23.3.2021
Attack  Securityweek

A newly published report from the U.S. Government Accountability Office (GAO) describes the risks of cyber-attacks on the electricity grid’s distribution systems, along with the scale of the potential impact of such attacks.

Following a performance audit conducted between September 2019 and March 2021, GAO has discovered that the electricity grid's distribution systems are increasingly vulnerable to cyber-attacks and that the potential impact of such attacks is not yet clear.

According to GAO, the Department of Energy (DOE), the lead agency for the energy sector, hasn’t included in its plans for the grid’s cyber-security the necessary measures to fully address risks to distribution systems. DOE has updated its plans following a 2019 GAO report on grid cyber-security issues.

“For example, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains. According to officials, DOE has not fully addressed such risks in its plans because it has prioritized addressing risks to the grid’s generation and transmission systems,” GAO notes in the new report.

Electricity distribution vulnerabilities

After conducting semistructured interviews with 38 key federal and nonfederal entities associated with the cyber-security of grid distribution systems and reviewing reports from both DOE and the Department of Homeland Security (DHS) and other relevant documentation, GAO has concluded that, in its plans to implement the national cyber-security strategy, DOE needs to fully address cyber-risks to the grid's distribution systems.

“The grid’s distribution systems face significant cyber-security risks—that is, threats, vulnerabilities, and impacts—and are increasingly vulnerable to cyber-attacks. Threat actors are growing more adept at exploiting these vulnerabilities to execute cyber-attacks. However, the scale of the potential impacts of such cyber-attacks on the grid’s distribution systems is unclear,” GAO says.

The growing exposure to cyber-risks, GAO points out, is the result of an increased use of monitoring and control technologies within distribution systems, such as remote control capabilities in industrial control systems (ICS), global positioning systems (GPS) for grid operations, and the connecting of networked consumer devices and distributed energy resources to distribution systems networks.

Vulnerabilities related to the increased use of technology advancements are “compounded for distribution systems because the sheer size and dispersed nature of the systems present a large attack surface,” the report reads.

GAO also says that threat actors may target vulnerabilities in industrial control systems for initial access and then employ other tactics to achieve a foothold onto the compromised environment and move laterally to other systems.

Such vulnerabilities may exist due to the use of legacy systems that do not feature the necessary cyber-security protections (some were never designed to be connected to the Internet), the lack of conventional IT vulnerability scanning, and lack of timely patching due to the need to take systems or components offline to apply security fixes.

Attackers may exploit these issues to “manipulate, interrupt, or disrupt distribution utilities’ physical control processes or industrial control systems to cause disruptions,” GAO says.

GPS, which is used for synchronizing real-time measurements among multiple devices, is prone to exploitation through jamming and spoofing, which could result in unsynchronized measurements, equipment misoperation, and power outages.

Consumer networked devices, some of which are high-wattage systems, are vulnerable to cyber-attacks and, once connected to the distribution systems, they introduce vulnerabilities, exposing the grid to attacks in which adversaries increase or decrease the electricity demands to disrupt grid operations.

Distributed energy resources, such as rooftop solar units and battery storage units, may introduce vulnerabilities too, especially through their control and communication requirements -- some of these devices may be updated remotely and improperly secured update processes may impact the grid as well.

GAO also notes that a multitude of cyber-actors are increasingly capable of targeting the grid’s distribution systems, including nation states, cyber-crime groups, terrorists, hackers and hacktivists, and insiders.

The effects of a cyber-attack on the distribution systems, however, are not well understood. While none of the cybersecurity incidents reported in the U.S. disrupted the grid’s distribution systems, attacks on foreign grid systems have resulted in localized power outages. However, if such an attack were to target a large city in the U.S., the outage could have national impact.

Both states and industry have taken actions to improve the cyber-security of electricity distribution systems, with cyber-security incorporated into oversight responsibilities of some states, and some are even hiring cybersecurity personnel, but these actions aren’t uniform across jurisdictions.

According to GAO, the DOE’s plans and assessment to implement a cyber-security strategy for the energy grid do address some of the risks associated with the grid’s distribution systems, but vulnerabilities associated with industrial control systems, supply chain, devices that use GPS, and networked consumer devices are not addressed.

“Unless DOE more fully addresses risks to the grid’s distribution systems from cyberattacks, including their potential impacts, in its plans to implement the national cybersecurity strategy for the grid, the […] documents will likely be of limited use in prioritizing federal support to help states and industry improve grid distribution systems’ cybersecurity,” GAO says.


Researchers Raise Alarm for F5 BIG-IP Malware Attacks
23.3.2021
Attack  Securityweek

The urgency to patch gaping security holes in F5 Networks BIG-IP and BIG-IQ products escalated over the weekend after researchers spotted malicious in-the-wild attack activity.

Malware hunters at U.K.-based NCC Group are raising the alarm for mass scanning and “multiple exploitation attempts” with exploits targeting critical security flaws in the F5 enterprise networking infrastructure products.

The vulnerabilities were patched on March 10 and are considered high-priority fixes because of the risk of exposure to authentication bypass and remote code execution attacks.

Less than a week after the release of the patches, proof-of-concept code started circulating and, over the last weekend, NCC Group’s researchers said its honeypot infrastructure was being hit with exploitation attempts.

“This knowledge, combined with having reproduced the full exploit-chain we assess that a public exploit is likely to be available in the public domain soon,” NCC Group warned.

The researchers explain the exploitation path:

Exploitation of this vulnerability requires two steps. First, authentication has to be bypassed by leveraging the SSRF vulnerability to gain an authenticated session token. This authenticated session can then be used to interact with REST API endpoints, which would otherwise require authentication.

The most useful endpoint for an attacker is the tm/util/bash endpoint, which allows an (authenticated) user to execute commands on the underlying server with root privileges. However, as the REST API is designed for remote administration, there are many endpoints which an attacker might wish to take advantage of.

As part of the F5 patches, a command injection vulnerability was also patched in the tm/access/bundle-install-tasks REST endpoint – which could be used as an alternative way to execute arbitrary commands once authentication has been bypassed.

NCC Group also released Suricata network rules to help defenders mitigate this threat.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory to underline the importance of reviewing F5’s advisory and applying the updates.


Microsoft Ships One-Click Mitigation Tool for Exchange Attacks
16.3.2021
Attack  Securityweek

Microsoft’s scramble to address the fallout from the zero-day attacks against on-prem Exchange Server installations continued this week with the release of a one-click mitigation tool to help businesses contain the damage.

The new Exchange On-premises Mitigation Tool (EOMT) is aimed at companies without dedicated security or IT teams to manage patching and post-incident forensics.

Microsoft said the tool has been tested across Exchange Server 2013, 2016, and 2019 deployments and is meant to be “an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.”

The EOMT has been combined with the Microsoft Safety Scanner to automatically mitigate the dangerous CVE-2021-26855 vulnerability on any Exchange server on which it is deployed.

“This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft warned.

Here’s the latest list of Redmond’s recommendations:

• Download the EOMT tool.

• Run it on Exchange servers immediately.

• Follow the more detailed guidance here to ensure that your on-premises Exchange is protected.

• If you are already using Microsoft Safety Scanner, it is still live and Microsoft recommends keeping this running as it can be used to help with additional mitigations.

SecurityWeek has compiled a list of resources to help incident response teams and IT administrators respond to this global incident:

ProxyLogon — the researchers who reported some of the actively exploited vulnerabilities to Microsoft have named the issues ProxyLogon and have set up a dedicated website. They plan on publishing a technical paper in the future.

CISA advisory with instructions on how organizations can conduct a forensic analysis if they see evidence of compromise.

CISA Emergency Directive with instructions for federal agencies, including for identifying potential compromises, conducting a forensic investigation, and responding to an incident.

Huntress has been tracking attacks and vulnerable servers. The company has shared some recommendations for MSPs and technical information on the attacks.

Joint advisory from CISA and FBI containing information on targeted sectors, attack techniques, mitigations, as well as technical details for detecting exploitation and attacker activities.

Praetorian has reproduced the Exchange exploit chain and it has shared detailed technical information on the vulnerabilities.

Unit 221B provides an online tool named Check My OWA, which is designed to “aid victim notification based on lists of compromised Exchange servers with Outlook Web Access(OWA) enabled, which were obtained from perpetrators of this mass breach event.”

Indicators of compromise (IOC) and other threat hunting resources

Volexity has shared information on the Exchange exploits, post-exploitation activity observed in attacks, and IOCs.

Microsoft provides technical details on the attacks it observed, instructions for checking if a system has been compromised, host IOCs, endpoint and Azure detections, and advanced hunting queries.

FireEye has shared information on attacks targeting Exchange servers, investigation tips and technical IOCs.

Scripts from Microsoft for checking IOCs related to the China-linked threat actor HAFNIUM, and for detecting malicious files on Exchange servers.

Pwndefend has made available a list of bad IP addresses, as well as an IOC hunting script that should provide a more detailed view in some areas.

Latvia’s CERT-LV has released a script that detects web shells dropped on Exchange servers following successful exploitation of the vulnerabilities.

Tools and other resources for defenders

Nmap script made by researcher Kevin Beaumont can be used to scan a network for potentially vulnerable Microsoft Exchange servers.

DomainTools has conducted an analysis of the attacks and has shared some recommendations for network detection.


Google Chrome Zero-Day Under Attack, Again
16.3.2021
Attack  Securityweek

For the third time this year, Google has shipped an urgent fix to block in-the-wild zero-day attacks hitting its flagship Chrome browser.

The latest emergency Chrome patch, available for Windows, MacOS and Linux, provides cover for at least five (5) documented vulnerabilities. Three of the five bugs are rated “high-risk,” Google’s highest severity rating.

Buried in Google’s advisory is a throwaway line that “Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”

The company did not release any additional information on the live attacks or the operating system platforms being targeted.

It is the third in-the-wild zero-day attack hitting Chrome users in 2021, and in all three cases, Google has been stingy with information on the malware used, the OS platforms targeted or the indicators of compromise that help enterprise defenders.

In one prominent case, the North Korean state-sponsored hacks against security researchers, Google barely confirmed the existence of the Chrome zero-day with a one-line mention that fully-patched Chrome installations were being compromised.

The latest zero-day is described simply as a use-after-free vulnerability in Chrome’s Blink rendering engine that was anonymously reported to Google.

By contrast, when Google research teams discovered a massive cyber-espionage operation rampant on Apple’s iOS platform, the company produced a riveting blog post with “a very deep dive into iOS Exploit chains found in the wild.”

The Chrome patch is being pushed to Chrome users via the browser’s automatic updating mechanism but users are urged to restart browser sessions to properly apply the fixes.


Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks
16.3.2021
Attack  Thehackernews

Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread ProxyLogon Exchange Server cyberattacks.

Called Exchange On-premises Mitigation Tool (EOMT), the PowerShell-based script serves to mitigate against current known attacks using CVE-2021-26855, scan the Exchange Server using the Microsoft Safety Scanner for any deployed web shells, and attempt to remediate the detected compromises.

"This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update," Microsoft said.

The development comes in the wake of indiscriminate attacks against unpatched Exchange Servers across the world by more than ten advanced persistent threat actors, most of them government-backed cyberespionage groups, to plant backdoors, coin miners, and ransomware, with the release of proof-of-concept (PoC) code fueling the hacking spree even further.

Based on telemetry from RiskIQ, 317,269 out of 400,000 on-premises Exchange Servers globally have been patched as of March 12, with the U.S., Germany, Great Britain, France, and Italy leading the countries with vulnerable servers.

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance to detail as many as seven variants of the China Chopper web shell that are being leveraged by malicious actors.

Taking up just four kilobytes, the web shell has been a popular post-exploitation tool of choice for cyber attackers for nearly a decade.

While the breadth of the intrusions is being assessed, Microsoft is also reportedly investigating how the "limited and targeted" attacks it detected in early January picked up steam to quickly morph into a widespread mass exploitation campaign, forcing it to release the security fixes a week before it was due.

The Wall Street Journal on Friday reported that investigators are focused on whether a Microsoft partner, with whom the company shared information about the vulnerabilities through its Microsoft Active Protections Program (MAPP), either accidentally or purposefully leaked it to other groups.

It is also being claimed that some tools used in the "second wave" of attacks towards the end of February are similar to proof-of-concept attack code that Microsoft shared with antivirus companies and other security partners on February 23, raising the possibility that threat actors may have gotten their hands on private disclosure that Microsoft shared with its security partners.

The other theory is that the threat actors independently discovered the same set of vulnerabilities, which were then exploited to stealthily conduct reconnaissance of target networks and steal mailboxes before ramping up the attacks once the hackers figured out Microsoft was readying a patch.

"This is the second time in the last four months that nation-state actors have engaged in cyberattacks with the potential to affect businesses and organizations of all sizes," Microsoft said. "While this began as a nation-state attack, the vulnerabilities are being exploited by other criminal organizations, including new ransomware attacks, with the potential for other malicious activities."


Molson Coors Cracks Open a Cyberattack Investigation
13.3.2021
Attack  Threatpost

The multinational brewing company did not say what type of incident caused a ‘systems outage,’ but it’s investigating and working to get networks back online.

Another high-profile company has been hit with a cyber attack that’s causing a major disruption to its business. Brewing company Molson Coors acknowledged on Thursday that it has “experienced a systems outage that was caused by a cybersecurity incident,” according to a Form 8-K filed with the SEC.

The company did not say which type of attack has caused widespread issues across its entire business — including its brewery operations, production and shipments — but given recent major attacks on other mainstream companies, security experts are speculating that it could have been a ransomware attack.

Molson Coors has employed forensic IT firms and legal counsel to investigate and “is working around the clock to get its systems back up as quickly as possible,” according to the filing.

The company operates seven breweries and packaging plants in the United States, as well as three in Canada and 10 in Europe. It produces several brands of beer in addition to its namesake, including Blue Moon, Miller Lite and Pilsner Urquell.

Potential Ransomware Attack
“High-profile attacks are becoming all too common, as attackers have realized they are immensely more profitable when they target large organizations and disrupt their critical business operations — in this case, the brewing operations of the world’s biggest, well-known beer brands,” observed Edgard Capdevielle, CEO at Nozomi Networks, in an email to Threatpost.

Although the company hasn’t released specific details of the incident, given the seriousness of the disruption and recent cyberattack activity, “it could be ransomware,” he said.

Tony Lambert, intelligence analyst at Red Canary, noted that the impact of ransomware on operations like Molson Coors can be much more damaging than it would be for other kinds of enterprises.

“For manufacturing organizations, ransomware poses a major threat to data and system availability,” he said via email. “Not only do corporate systems lose access to data, systems managing the manufacturing process may come to a halt as well, preventing the successful production and even delivery of products. This obviously presents a huge problem for companies that sell the products: Every hour their lines are down can mean major profit losses.”

This type of situation should be factored into an organization’s incident response and business-continuity plans, Capdevielle added: “Beyond a technical response, decision-makers need to be prepared to weigh the risks and consequences of alternate actions.”

Those actions could be both on the part of Molson itself — i.e., paying the ransom, which security experts tend to discourage — or further nefarious activity by attackers, such as dumping information obtained from the attack online or maintaining a persistent presence on a system.

Ransomware Attacks Ramp Up in 2021
Indeed, a number of ransomware groups have been active recently, with several large organizations falling victim and suffering disruption due to attack activity.

Several of these ransomware attacks have happened just within the last month. For instance, the Spanish State Employment Service (SEPE) was recently hit by a Ryuk ransomware attack, suspending its communications systems across hundreds of offices and delaying thousands of appointments. And, Kia Motors was disrupted by a ransomware attack in February for which known attackers DoppelPaymer took credit.

Meanwhile, WestRock – the second-largest packaging company in the U.S., which counts General Motors, Heinz and Home Depot as customers – also had its business disrupted by a ransomware attack in February. And Finnish IT giant TietoEVRY also was a victim of a ransomware attack last month.

Known ransomware groups that have been linked to recent attacks include the aforementioned DoppelPaymer and Ryuk; the Clop ransomware gang, which was tied to recent global zero-day attacks on users of the Accellion legacy File Transfer Appliance product; and HelloKitty, which is suspected to be behind the attack of CD Projekt Red — the videogame-development company behind Cyberpunk 2077 — which also happened in February.

Another potential culprit for the Molson Coors attack could be related to an onslaught of attacks by Chinese and other advanced persistent threat (APT) groups on recently patched Microsoft Exchange vulnerabilities. The flaws are under fire from at least 10 different APTs, all focused on compromising email servers around the world, with researchers observing a snowball of exploitation activity.

To prevent cyberattacks from taking down entire operations and causing significant business disruptions, Capdevielle suggested a number of cybersecurity best practices, including strong segmentation, user training, proactive cyber-hygiene programs, multifactor authentication and the use of continuously updated threat intelligence.


Researchers warn of a surge in cyber attacks against Microsoft Exchange
13.3.2021
Attack  Securityaffairs

Researchers warn of a surge in cyber attacks against Microsoft Exchange servers exploiting the recently disclosed ProxyLogon vulnerabilities.

Researchers at Check Point Research reported that threat actors are actively exploiting the recently disclosed ProxyLogon zero-day vulnerabilities in Microsoft Exchange.

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that are actively exploited in the wild.

Check Point Research reported that, within a time span of 24 hours, exploitation attempts were doubling every two hours.

“CPR has seen hundreds of exploit attempts against organizations worldwide,” reads the post published by Check Point. “In the past 24 hours alone, CPR has observed that the number of exploitation attempts on organizations it tracks doubled every two to three hours.”

Most exploit attempts targeted organizations in Turkey (19%), followed by the United States (18%) and Italy (10%). The most targeted sectors were Government/Military (17% of all exploit attempts), followed by Manufacturing (14%) and Banking (11%).

Microsoft Exchange attacks
Below are the details of the ProxyLogon vulnerabilities:

The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.
The second flaw, tracked as CVE-2021-26857, is an insecure deserialization vulnerability that resides in the Unified Messaging service. The flaw could be exploited by an attacker with administrative permission to run code as SYSTEM on the Exchange server.
The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.
The last flaw, tracked as CVE-2021-27065, is a post-authentication arbitrary file write vulnerability in Exchange.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to gain access to on-premises Exchange servers, access email accounts, and install backdoors to maintain access to victim environments.

According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.

In past campaigns, HAFNIUM attackers also interacted with victim Office 365 tenants.

The online availability of a PoC exploit tool poses a serious risk to organizations.

This week, the independent security researcher Nguyen Jang published on GitHub a proof-of-concept tool to hack Microsoft Exchange servers. The tool chains two of the ProxyLogon vulnerabilities recently addressed by Microsoft.

The availability of the proof-of-concept code was first reported by The Record.

The availability of the exploit online was immediately noticed by several cyber security experts, including Marcus Hutchins.

A few hours after the publication, GitHub took down the PoC hacking tool because it posed a threat to Microsoft’s customers using the Microsoft Exchange solution.

Experts believe that cybercrime organizations and state-sponsored groups could use the code in similar attacks.

ESET researchers pointed out that other threat actors, such as the Tick, LuckyMouse, and Calypso groups, had also been exploiting the ProxyLogon flaws before Microsoft addressed them.

Microsoft researchers also spotted a ransomware gang that is exploiting the ProxyLogon flaws to spread a piece of malware tracked as DearCry.


New Browser Attack Allows Tracking Users Online With JavaScript Disabled
12.3.2021
Attack  Thehackernews

Researchers have discovered a new side-channel that they say can be reliably exploited to leak information from web browsers that could then be leveraged to track users even when JavaScript is completely disabled.

"This is a side-channel attack which doesn't require any JavaScript to run," the researchers said. "This means script blockers cannot stop it. The attacks work even if you strip out all of the fun parts of the web browsing experience. This makes it very difficult to prevent without modifying deep parts of the operating system."

In avoiding JavaScript, the side-channel attacks are also architecturally agnostic, resulting in microarchitectural website fingerprinting attacks that work across hardware platforms, including Intel Core, AMD Ryzen, Samsung Exynos 2100, and Apple M1 CPUs — making it the first known side-channel attack on the iPhone maker's new ARM-based chipsets.

The findings, which come from a group of academics from the Ben-Gurion Univ. of the Negev, the University of Michigan, and the University of Adelaide, will be presented at the USENIX Security Symposium in August.

Side-channel attacks typically rely on indirect data such as timing, sound, power consumption, electromagnetic emissions, vibrations, and cache behavior in an effort to infer secret data on a system. Specifically, microarchitectural side-channels exploit the shared use of a processor's components across code executing in different protection domains to leak secret information like cryptographic keys.

Additionally, studies have also previously demonstrated fully automated attacks such as "Rowhammer.js" that rely on nothing but a website with malicious JavaScript to trigger faults on remote hardware, thereby gaining unrestricted access to systems of website visitors.


While these leaky side-channels can be effectively plugged by domain isolation techniques, browser vendors have incorporated defenses to offer protection against timing attacks and fingerprinting by reducing the precision of time-measuring functions, aside from adding support for completely disabling JavaScript using add-ons like NoScript.

However, the latest research released this week aims to bypass such browser-based mitigations by implementing a side-channel attack called "CSS Prime+Probe" constructed solely using HTML and CSS, allowing the attack to work even in hardened browsers like Tor, Chrome Zero, and DeterFox that have JavaScript fully disabled or limit the resolution of the timer API.

"A common trend in these approaches is that they are symptomatic and fail to address the root cause of the leakage, namely, the sharing of microarchitectural resources," the researchers outlined. "Instead, most approaches attempt to prevent leakage by modifying browser behavior, striking different balances between security and usability."

First, a small primer on cache-based side-channels. In a Flush+Reload attack, the spy uses a cache flush instruction (e.g., clflush on x86) to evict a specific shared cache line, lets the victim run, and then re-accesses the same memory line while timing the access: a hit (the data is back in the cache) means the victim touched it, a miss means it did not. Prime+Probe, by contrast, requires the attacker to populate the entire shared cache with its own data in order to evict the victim's data, let the victim run, and then time its own accesses again; a cache miss indicates that the victim accessed memory mapping to the same cache set, causing the spy's data to be evicted.
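To make the two primitives in the primer concrete, here is a simulation of a small set-associative cache with a Flush+Reload spy and a Prime+Probe spy run against it. This is an added example written for this page, not the researchers' code; it assumes an LRU replacement policy and a constructed spy-private address region, and it labels each access "hit" or "miss" instead of measuring time.

```python
"""Toy set-associative cache used to illustrate the Flush+Reload and
Prime+Probe primitives from the primer above. Added example, not the
researchers' code: replacement is LRU, addresses are constructed, and an
access is labelled "hit"/"miss" instead of being timed."""
from collections import OrderedDict

LINE = 64  # bytes per cache line (constructed parameter)


class SetAssocCache:
    """sets x ways cache; each set is an LRU-ordered dict of tags."""

    def __init__(self, sets=8, ways=4):
        self.sets, self.ways = sets, ways
        self.lines = [OrderedDict() for _ in range(sets)]

    def set_index(self, addr):
        return (addr // LINE) % self.sets

    def tag(self, addr):
        return addr // LINE

    def access(self, addr):
        """Load addr; return "hit" or "miss", evicting the LRU line on a miss."""
        s, t = self.lines[self.set_index(addr)], self.tag(addr)
        if t in s:
            s.move_to_end(t)
            return "hit"
        if len(s) >= self.ways:
            s.popitem(last=False)  # evict least recently used
        s[t] = True
        return "miss"

    def flush(self, addr):
        """clflush analogue: drop this line from the cache if present."""
        self.lines[self.set_index(addr)].pop(self.tag(addr), None)


def flush_reload(cache, shared_addr, victim):
    """Spy flushes ONE shared line, lets the victim run, then reloads it.
    A hit means the victim touched shared_addr. Needs memory shared with
    the victim and a flush instruction."""
    cache.flush(shared_addr)
    victim(cache)
    return cache.access(shared_addr) == "hit"


def prime_probe(cache, victim):
    """Spy fills EVERY way of EVERY set with its own lines (prime), lets the
    victim run, then re-reads them (probe). A miss means the victim evicted
    the spy's line from that set. Returns the set indices the victim touched.
    No shared memory or flush instruction is needed; this is the step that
    CSS Prime+Probe performs with a long string scan, timed by DNS gaps."""
    spy_base = 1 << 20  # constructed spy-private region, line aligned
    spy_addrs = [spy_base + (s + w * cache.sets) * LINE
                 for s in range(cache.sets) for w in range(cache.ways)]
    for a in spy_addrs:          # prime
        cache.access(a)
    victim(cache)
    touched = set()
    for a in spy_addrs:          # probe
        if cache.access(a) == "miss":
            touched.add(cache.set_index(a))
    return touched


if __name__ == "__main__":
    c = SetAssocCache()
    print(prime_probe(c, lambda cache: cache.access(5 * LINE)))  # {5}
```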

Although these methods exploit a covert timing channel in the CPU cache, the new attack devised by Ben-Gurion researchers targets a cache-based side-channel in modern web browsers.

Specifically, the CSS Prime+Probe technique hinges on rendering a web page that includes a long HTML string variable covering the entire cache (e.g., a <div> element with a class name containing two million characters), then performing a search for a short, non-existent substring in the text, in turn forcing the search to scan the whole string. In the final step, the time to carry out this probe operation is sent to an attacker-controlled server.

"The attacker first includes in the CSS an element from an attacker-controlled domain, forcing DNS resolution," the researchers explained. "The malicious DNS server logs the time of the incoming DNS request. The attacker then designs an HTML page that evokes a string search from CSS, effectively probing the cache. This string search is followed by a request for a CSS element that requires DNS resolution from the malicious server. Finally, the time difference between consecutive DNS requests corresponds to the time it takes to perform the string search, which [...] is a proxy for cache contention."

To evaluate the effectiveness of the methods via website fingerprinting attacks, the researchers used the aforementioned side-channel, among others, to collect traces of cache use while loading different websites — including Alexa Top 100 websites — using the "memorygrams" to train a deep neural network model to identify a specific set of websites visited by a target.

While JavaScript-based cache occupancy attacks offer higher accuracy of over 90% across all platforms when compared to CSS Prime+Probe, the study noted that the accuracy achieved by the latter is high enough to leak data that could allow malicious parties to identify and track users.

"So, how can security-conscious users access the web?" the researchers concluded. "One complicating factor to this concept is the fact that the web browser makes use of additional shared resources beyond the cache, such as the operating system's DNS resolver, the GPU, and the network interface. Cache partitioning seems a promising approach, either using spatial isolation based on cache coloring, or by OS-based temporal isolation."


Third French Hospital Hit by Cyberattack
10.3.2021
Attack  Securityweek

A hospital in southwest France has seen some of its IT systems paralysed by a "ransomware" cyberattack, its management said Tuesday, the third such incident in the last month.

The 320-bed facility in Oloron-Sainte-Marie near the Pyrenees mountains was hit by the attack on Monday, with screens displaying a demand in English for $50,000 in Bitcoin.

Hospital workers have had to revert to working with pens and paper, since digital patient records are not available.

The management system, used to monitor medicine stocks and other supplies, has also been affected at a time when the hospital is taking part in vaccination efforts against Covid-19.

"We might get our systems back in 48 hours or in three months," hospital director Frederic Lecenne told local newspaper La Republique des Pyrenees.

He said personnel had disconnected some computers from the internet and the hospital's network to try to limit the spread of the ransomware.

In February, hospitals in Dax in southwest France and in Villefranche-sur-Saône in the southeastern Rhone region were subjected to ransomware attacks, while in 2019 a hospital in northern Rouen was also hit.

"Ransomware" attacks see criminals infiltrate and paralyse a target's IT systems, then demand payments in order to restore them.


Newest Intel Side-Channel Attack Sniffs Out Sensitive Data
9.3.2021
Attack  Threatpost

A new side-channel attack takes aim at Intel’s CPU ring interconnect in order to glean sensitive data.

Intel processors are vulnerable to a new side-channel attack, which researchers said can allow attackers to steal sensitive information such as encryption keys or passwords.

Unlike previous side-channel attacks, this one does not rely on shared memory, cache sets or other earlier tactics. Instead it leverages contention on a component called the CPU ring interconnect. This component facilitates communication across various CPU units – including cores, the last-level cache, system agent, and graphics unit – on modern Intel processors, such as the Skylake and Coffee Lake CPUs.

Riccardo Paccagnella, one of the researchers with the University of Illinois at Urbana-Champaign who discovered the attack, told Threatpost that the side-channel attack could give attackers the means to infer “key bits” from both vulnerable cryptographic implementations and from the precise timing of keystrokes typed by a victim user.

“The attacker needs to be able to already run unprivileged code on the machine under attack,” Paccagnella told Threatpost. “This may be possible by either fooling the user into downloading some code (e.g. a malicious app/malware) and run it, stealing the credentials of an unprivileged user of the same machine (and then, e.g., SSH-ing into it), or exploiting remote code execution vulnerabilities.”

In their research paper [PDF]: “Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical,” researchers said the attack is unique because it works in spite of some previous side-channel defenses.

“In this paper, we present the first on-chip, cross-core side channel attack that works despite [previous] countermeasures,” said the team of University of Illinois at Urbana-Champaign researchers in their paper, which will be presented at USENIX Security 2021.

What is CPU Ring Interconnect?
Intel’s CPU architecture includes several unique clock domains – including a per-CPU core clock domain, a processor graphics clock domain and a ring interconnect clock domain. The latter is an on-die “bus” that works to pass information between CPU cores, caches and Intel processor graphics. Researchers said there are two challenges that make it “uniquely difficult” to leverage this channel in an attack. Firstly, little is known about the ring interconnect’s functioning and architecture. Secondly, data that can be gleaned through ring contention is “noisy by nature,” making it difficult to learn sensitive data.

“Not only is the ring a contention-based channel—requiring precise measurement capabilities to overcome noise—but also it only sees contention due to spatially coarse-grained events such as private cache misses,” said researchers.

The Side-Channel Attack
To launch the attack, the researchers reverse engineered the various protocols that handle communication on the ring interconnect. From there, at a high level, they pieced together the conditions needed for two processes to incur ring contention. They then devised side-channel attacks that “leverage the fine-grained temporal patterns of ring contention to infer a victim program’s secrets.”

This allowed researchers to create two proof-of-concept (PoC) attacks. One attack extracts “key bits” from vulnerable RSA and Edwards-curve Digital Signature Algorithm (EdDSA) encryption algorithm implementations.

“Specifically, [the attack] abuses mitigations to preemptive scheduling cache attacks to cause the victim’s loads to miss in the cache, monitors ring contention while the victim is computing, and employs a standard machine learning classifier to de-noise traces and leak bits,” according to researchers.

The second attack, meanwhile, targets keystroke timing information, which researchers said can be used to infer data like passwords. The attack stems from the fact that keystroke events cause spikes in ring contention that can be detected by an attacker – even with obstacles like background noise.

“We show that our attack implementations can leak key bits and keystroke timings with high accuracy,” said researchers, who published their experimental code for the attack on GitHub.

Intel for its part pointed to existing security best practices for mitigating against the side-channel attack: “We appreciate the ongoing work and coordination with the research community,” said Intel. “After reviewing the paper, we believe developers and system administrators can employ a number of security best practices that help protect against various types of side channel attacks, including those found in this paper.”

What Are Side-Channel Attacks?
Side-channel attacks extract sensitive information, such as cryptographic keys, from signals created by electronic activity within computing devices as they carry out computation. There is an array of techniques to launch side-channel attacks, including using caches, branch predictors or analog signals.

Intel and other CPU manufacturers have stepped up their defenses against such attacks. Many existing side-channel attacks can be mitigated by disabling the simultaneous multi-threading (SMT) architecture used in CPUs, or by disabling shared memory between processes in different security domains (by partitioning the last-level cache) in order to block cross-core cache-based attacks.

However, researchers argue, this latest side-channel attack bypasses these existing defenses.

“The main novelty of our attack compared to previous ‘traditional side channel’ attacks is that our attack does not rely on sharing memory, cache sets, core-private resources or any specific uncore structures,” Paccagnella told Threatpost. “As a consequence, it is hard to mitigate using existing ‘domain isolation’ techniques.”

While the Spectre and Meltdown side-channel attacks have garnered widespread attention, Intel said these are speculative execution attacks. This most recent discovery, however, is a different “traditional side-channel” attack, more similar to a side-channel attack like PortSmash. According to Intel, “traditional” side channels leverage “architecturally committed operations” in order to infer information. Meanwhile, speculative execution attacks take advantage of operations “that only execute speculatively and thus are not committed into the architectural state.”

Researchers also noted that AMD CPUs utilize different proprietary technologies known as Infinity Fabric/Architecture for their on-chip interconnect.

“Investigating the feasibility of our attack on these platforms requires future work,” said researchers. “However, the techniques we use to build our contention model can be applied on these platforms too.”


New Side-Channel Attack Targets Intel CPU Ring Interconnect
9.3.2021
Attack  Securityweek

A team of researchers from the University of Illinois at Urbana-Champaign has published a paper detailing a new side-channel attack method that can be launched against devices with Intel CPUs.

Following the disclosure of the Meltdown and Spectre vulnerabilities back in January 2018, researchers have increasingly focused on finding CPU side-channel attack methods — and in many cases they have been successful.

The latest attack method can allow an attacker who has access to the targeted device to obtain potentially sensitive information. The attack, described by the researchers as “the first on-chip, cross-core side-channel attack,” is related to the ring interconnect, or ring bus, the component that enables communication between the various CPU units (e.g. cores, last level cache, system agent and GPU) on many Intel processors.

The attack leverages contention — the conflict over access to a shared resource — and involves monitoring ring contention, allowing the attacker to obtain potentially valuable information.

The researchers demonstrated the method by successfully extracting EdDSA and RSA cryptographic keys and by inferring the precise timing of the victim’s keystrokes.

Other researchers previously demonstrated that keystroke timing attacks can allow an attacker to reconstruct sensitive information typed by the victim, such as passwords.

Intel has been informed about this new side-channel attack.

“We appreciate the ongoing work and coordination with the research community,” Intel told SecurityWeek in an emailed statement. “After reviewing the paper, we believe developers and system administrators can employ a number of security best practices that help protect against various types of side channel attacks, including those found in this paper. [Previously published guidance]”

The researchers said CPUs made by AMD use other proprietary technology and they haven’t tested the feasibility of their attack. However, they believe that the technique used to build their contention model could work on other platforms as well.


EU Banking Regulator Hit by Microsoft Email Hack
9.3.2021
Attack  Securityweek

The European Banking Authority, a key EU financial regulator, says it has fallen victim to a hack of its Microsoft email system which the US company blames on a Chinese group.

Microsoft said last week that a state-sponsored group operating out of China was exploiting previously unknown security flaws in its Exchange email services to steal data from business and government users, believed to number in the tens of thousands so far.

The "Hafnium" group was a "highly skilled and sophisticated actor," it said.

Hafnium has previously targeted US-based companies including infectious disease researchers, law firms, universities, defence contractors, think-tanks and NGOs, it added.

In a statement on Monday, the EBA said its investigation had found no data theft so far.

"At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed," the statement said.

"We have no indication to think that the breach has gone beyond our email servers."

The authority said the probe was still ongoing and that it has deployed additional security measures "in view of restoring the full functionality of the email servers".

The EBA had said in a previous statement on Sunday that it had taken its email systems offline as a precaution, noting that access to personal data held on servers "may have been obtained by the attacker".

Microsoft executive Tom Burt said last Tuesday that the company provided updates to fix the security flaws and urged customers to apply them.

"We know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems," he added.

Beijing typically rejects US hacking charges out of hand and last year berated Washington following allegations that Chinese hackers were attempting to steal coronavirus research.

In January, the US said Russia was probably behind the massive SolarWinds hack that hit large swathes of the government and private sectors, and which experts say may constitute an ongoing threat.

Microsoft said Tuesday the Hafnium attacks "were in no way connected to the separate SolarWinds-related attacks."

*Updated with new statement from EBA


Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks
9.3.2021
Attack  Thehackernews

New research has yielded yet another means to pilfer sensitive data by exploiting what is the first "on-chip, cross-core" side channel in Intel Coffee Lake and Skylake processors.

Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this August.

While information leakage attacks targeting the CPU microarchitecture have previously been demonstrated to break the isolation between user applications and the operating system, allowing a malicious program to access memory used by other programs (e.g., Meltdown and Spectre), the new attack leverages contention on the ring interconnect.

The SoC ring interconnect is an on-die bus arranged in a ring topology which enables on-chip communication between different components (aka agents) such as the cores, the last level cache (LLC), the graphics unit, and the system agent that are housed inside the CPU. Each ring agent communicates with the ring through what's called a ring stop.

To test their hypothesis, the researchers reverse-engineered the ring interconnect's protocols to uncover the conditions for two or more processes to cause a ring contention, in turn using them to build a covert channel with a capacity of 4.18 Mbps, which the researchers say is the largest to date for cross-core channels not relying on shared memory, unlike Flush+Flush or Flush+Reload.

"Importantly, unlike prior attacks, our attacks do not rely on sharing memory, cache sets, core-private resources or any specific uncore structures," Riccardo Paccagnella, one of the authors of the study, said. "As a consequence, they are hard to mitigate using existing 'domain isolation' techniques."

Observing that a ring stop always prioritizes traffic that is already on the ring over new traffic entering from its agents, the researchers said a contention occurs when existing on-ring traffic delays the injection of new ring traffic.

Armed with this information, an adversary can measure the delay in memory access associated with a malicious process due to a saturation of bandwidth capacity caused by a victim process' memory accesses. This, however, necessitates that the spy process consistently has a miss in its private caches (L1-L2) and performs loads from a target LLC slice.

In doing so, the repeated latency in memory loads from LLC due to ring contention can allow an attacker to use the measurements as a side-channel to leak key bits from vulnerable EdDSA and RSA implementations as well as reconstruct passwords by extracting the precise timing of keystrokes typed by a victim user.

Specifically, "an attacker with knowledge of our reverse engineering efforts can set itself up in such a way that its loads are guaranteed to contend with the first process' loads, [...] abuses mitigations to preemptive scheduling cache attacks to cause the victim's loads to miss in the cache, monitors ring contention while the victim is computing, and employs a standard machine learning classifier to de-noise traces and leak bits."

The study also marks the first time a contention-based microarchitectural channel has been exploited for keystroke timing attacks to infer sensitive data typed by the victim.

In response to the disclosures, Intel categorized the attacks as a "traditional side channel," which refers to a class of oracle attacks that typically take advantage of the differences in execution timing to infer secrets.

The chipmaker's guidelines for countering timing attacks against cryptographic implementations recommend adhering to constant-time programming principles by ensuring that —

Runtime is independent of secret values
The order in which the instructions are executed (aka code access patterns) is independent of secret values, and
The order in which memory operands are loaded and stored (aka data access patterns) is independent of secret values

Additional guidance on safe development practices to mitigate traditional side-channel attacks can be found here. The source code to reproduce the experimental setup detailed in the paper can be accessed here.
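The three constant-time principles above, shown in an added C example that is not code from the paper or from Intel's guidance: each secret-dependent pattern (early-exit compare, secret-dependent branch, secret-indexed table read, branchy square-and-multiply) sits beside its constant-time counterpart. The sample secret, table and modexp operands are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Sample inputs, constructed for this example (not from the paper). */
static const uint8_t SAMPLE_SECRET[4] = {0xDE, 0xAD, 0xBE, 0xEF};
static const uint8_t SAMPLE_GUESS[4]  = {0xDE, 0xAD, 0x00, 0x00};
static const uint32_t SAMPLE_TABLE[8] = {11, 22, 33, 44, 55, 66, 77, 88};

/* Principle 1 violated: runtime depends on the secret. The loop exits at the
 * first mismatch, so timing reveals how many leading bytes of the guess match. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) return 0;
    }
    return 1;
}

/* Principle 1 respected: every byte is always touched and the verdict is
 * derived arithmetically from the accumulated difference, with no early exit. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint32_t)(secret[i] ^ guess[i]);
    return (int)((diff - 1u) >> 31);  /* 1 only when diff == 0 */
}

/* Principle 2 violated: the instruction stream depends on the secret bit
 * (the classic "multiply only if the key bit is set" shape). */
uint32_t leaky_select(uint32_t bit, uint32_t a, uint32_t b) {
    if (bit) return a;
    return b;
}

/* Principle 2 respected: a mask blends both candidates, so the same
 * instructions execute whichever value the secret bit has. */
uint32_t ct_select(uint32_t bit, uint32_t a, uint32_t b) {
    uint32_t mask = 0u - (bit & 1u);  /* 0xFFFFFFFF if bit == 1, else 0 */
    return (a & mask) | (b & ~mask);
}

/* Principle 3 violated: the address touched is chosen by the secret index,
 * which is exactly the access pattern cache and contention channels observe. */
uint32_t leaky_table_lookup(const uint32_t *table, size_t len, size_t secret_idx) {
    (void)len;
    return table[secret_idx];
}

/* Principle 3 respected: read every entry in fixed order and keep the matching
 * one via ct_select, so neither addresses nor branches depend on the secret. */
uint32_t ct_table_lookup(const uint32_t *table, size_t len, size_t secret_idx) {
    uint32_t result = 0;
    for (size_t i = 0; i < len; i++) {
        uint64_t x = (uint64_t)(i ^ secret_idx);
        uint32_t match = (uint32_t)((x - 1u) >> 63);  /* 1 only when i == secret_idx */
        result = ct_select(match, table[i], result);
    }
    return result;
}

/* Square-and-multiply with a secret-dependent branch: the multiply runs only
 * for set exponent bits, so the executed path traces the key bit by bit. */
uint64_t leaky_modexp(uint64_t base, uint32_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 31; i >= 0; i--) {
        result = (result * result) % mod;
        if ((exp >> i) & 1u) result = (result * base) % mod;
    }
    return result;
}

/* Same computation with the multiply always performed and the outcome chosen
 * by a mask. Caveat: the hardware division behind % is itself not constant
 * time on most CPUs; real implementations reduce with Montgomery arithmetic. */
uint64_t ct_modexp(uint64_t base, uint32_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 31; i >= 0; i--) {
        result = (result * result) % mod;
        uint64_t multiplied = (result * base) % mod;
        uint64_t mask = 0u - (uint64_t)((exp >> i) & 1u);
        result = (multiplied & mask) | (result & ~mask);
    }
    return result;
}

/* Returns 1 when every constant-time routine agrees with its leaky twin on the
 * sample inputs, i.e. the rewrites changed the access pattern, not the result. */
int demo_all_agree(void) {
    int ok = 1;
    ok &= leaky_compare(SAMPLE_SECRET, SAMPLE_GUESS, 4) == ct_compare(SAMPLE_SECRET, SAMPLE_GUESS, 4);
    ok &= leaky_compare(SAMPLE_SECRET, SAMPLE_SECRET, 4) == ct_compare(SAMPLE_SECRET, SAMPLE_SECRET, 4);
    for (size_t i = 0; i < 8; i++)
        ok &= leaky_table_lookup(SAMPLE_TABLE, 8, i) == ct_table_lookup(SAMPLE_TABLE, 8, i);
    for (uint32_t e = 0; e < 64; e++)
        ok &= leaky_modexp(4, e, 497) == ct_modexp(4, e, 497);
    ok &= leaky_select(1, 7, 9) == ct_select(1, 7, 9) && leaky_select(0, 7, 9) == ct_select(0, 7, 9);
    return ok;
}
```

Optimizing compilers can turn the mask idioms back into branches, so production code inspects the emitted assembly or inserts a barrier after each select.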


Microsoft Exchange Cyber Attack — What Do We Know So Far?
9.3.2021
Attack  Thehackernews

Microsoft on Friday warned of active attacks exploiting unpatched Exchange Servers carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses and government entities in the U.S., Asia, and Europe.

The company said "it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM," signaling an escalation that the breaches are no longer "limited and targeted" as was previously deemed.

According to independent cybersecurity journalist Brian Krebs, at least 30,000 entities across the U.S. — mainly small businesses, towns, cities, and local governments — have been compromised by an "unusually aggressive" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.

Victims are also being reported from outside the U.S., with email systems belonging to businesses in Norway, the Czech Republic and the Netherlands impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and "continuously notify these companies."

The colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the SolarWinds hacking spree that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.

Unpatched Exchange Servers at Risk of Exploitation
Successful exploitation of the flaws allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently install unauthorized web-based backdoors to facilitate long-term access. With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.

Chief among the vulnerabilities is CVE-2021-26855, also called "ProxyLogon" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.

Taiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security, noted in a timeline that it uncovered CVE-2021-26855 originally on December 10, 2020, followed by the discovery of CVE-2021-27065 on December 20. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.

The four security issues in question were eventually patched by Microsoft as part of an emergency out-of-band security update last Tuesday, while warning that "many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems."

The fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released an emergency directive warning of "active exploitation" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.

"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise," the agency tweeted on March 6.

It's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.

Multiple Clusters Spotted
FireEye's Mandiant threat intelligence team said it "observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.

Not much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.

In a statement to Reuters, a Chinese government spokesman denied the country was behind the intrusions.

"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities," said Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.

In one particular instance, the cybersecurity firm observed that some of its customers' compromised Exchange servers had crypto-mining software called DLTminer deployed on them, a malware documented by Carbon Black in 2019.

"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities," Nickels said. "Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities."

Microsoft Issues Mitigation Guidance
Aside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and releasing a script for checking HAFNIUM indicators of compromise. They can be found here.

"These vulnerabilities are significant and need to be taken seriously," Mat Gangwer, senior director of managed threat response at Sophos, said. "They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them."

"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk," Gangwer added.


Multiple Cisco products exposed to DoS attack due to a Snort issue
7.3.2021
Attack  Securityaffairs

Cisco announced that a vulnerability in the Snort detection engine exposes several of its products to denial-of-service (DoS) attacks.
Cisco announced this week that several of its products are exposed to denial-of-service (DoS) attacks due to a vulnerability in the Snort detection engine.

The vulnerability resides in the Ethernet Frame Decoder of the Snort detection engine.

The vulnerability, tracked as CVE-2021-1285, can be exploited by an unauthenticated, adjacent attacker to trigger a DoS condition by sending specially crafted Ethernet frames through an affected device.

“The vulnerability is due to improper handling of error conditions when processing Ethernet frames. An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to exhaust disk space on the affected device, which could result in administrators being unable to log in to the device or the device being unable to boot up correctly.”

The vulnerability has been rated high severity and received a CVSS score of 7.4.

The CVE-2021-1285 flaw affects all open source Snort project releases earlier than release 2.9.17.

The flaw affects multiple Cisco products running a vulnerable release of Cisco UTD Snort IPS Engine Software for IOS XE or Cisco UTD Engine for IOS XE SD-WAN Software and that are configured to pass Ethernet frames to the Snort detection engine:

1000 Series Integrated Services Routers (ISRs)
4000 Series Integrated Services Routers (ISRs)
Catalyst 8000V Edge Software
Catalyst 8200 Series Edge Platforms
Catalyst 8300 Series Edge Platforms
Cloud Services Router 1000V Series
Integrated Services Virtual Router (ISRv)

The vulnerability does not affect the following Cisco products:

3000 Series Industrial Security Appliances (ISAs)
Adaptive Security Appliance (ASA) Software
Catalyst 8500 Series Edge Platforms
Catalyst 8500L Series Edge Platforms
Firepower Management Center (FMC) Software
Firepower Threat Defense (FTD) Software
Meraki Security Appliances

Cisco has no evidence that this vulnerability has been exploited in malicious attacks.


Massive Supply-Chain Cyberattack Breaches Several Airlines
6.3.2021
Attack  Threatpost

The cyberattack on SITA, a nearly ubiquitous airline service provider, has compromised frequent-flyer data across many carriers.

A communications and IT vendor for 90 percent of the world’s airlines, SITA, has been breached, compromising passenger data stored on the company’s U.S. servers in what the company is calling a “highly sophisticated attack.”

The affected servers are in Atlanta, and belong to the SITA Passenger Service System (SITA PSS), company spokeswoman Edna Ayme-Yahil told Threatpost. SITA PSS operates the systems for processing airline passenger data and belongs to a group of SITA companies, headquartered in the E.U.

Malaysia Air and Singapore Airlines have already made headlines in recent days after alerting their customers they’ve been compromised as part of the attack.

Yahil declined to say how many users have been affected for confidentiality reasons, but Singapore Airlines reported more than 580,000 impacted customers alone, meaning the compromise could ultimately impact millions of users.

“Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories,” Yahil said.

Frequent-Flyer Data Compromised
While the company didn’t comment specifically on the types of data exposed, “save to say that it does include some personal data of airline passengers,” Yahil added. “Many airlines have issued public statements confirming what types of data have been affected in relation to their passengers.”

Airline members of the Star Alliance, including Lufthansa, New Zealand Air and Singapore Airlines, along with OneWorld members Cathay Pacific, Finnair, Japan Airlines and Malaysia Air, have already started communicating with their at-risk users, Yahil told Threatpost, adding that South Korean airline JeJu Air’s passenger data was also compromised.

“The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems,” Malaysia Air’s Twitter account said about the breach earlier this week, without mentioning SITA by name. “However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.”

The systems are linked by SITA PSS so that one airline can recognize frequent-flyer benefits from other carriers.

“SITA PSS was holding the data of airlines that are not its direct customers, but are alliance members, because other airlines that are SITA PSS customers have an obligation to recognize the frequent flyer status of individual passengers and ensure that such passengers receive the appropriate privileges when they fly with them,” Yahil explained to Threatpost. “That obligation arises from the contractual commitments that the other airline has agreed in its contractual arrangements with an alliance organization.”

She added, “It is common practice for alliance members to recognize the frequent-flyer scheme tiers of the passengers they carry. This mandates the sharing of frequent-flyer data amongst alliance members and, consequently, the service providers to those alliance members (such as SITA).”

Airline Supply-Chain Attacks on The Rise
While details on how the attack happened are scant, HackerOne solutions architect Shlomie Liberow said SITA’s trove of personal data would be tantalizing for cybercriminals.

“It’s not clear yet what the attack vector was in the SITA breach, but HackerOne vulnerability data shows that the aviation and aerospace industry see more privilege escalation and SQL-injection vulnerabilities than any other industry, accounting for 57 percent of the vulnerabilities reported to these companies by ethical hackers,” Liberow explained. “SITA would be an attractive target for criminals due to the sensitive nature of the information they hold — names, addresses, passport data.”

Liberow said it’s time for the airlines to dig in on securing their systems.

“We’ve seen the aviation industry particularly hard hit over the past year, perhaps because criminals know they will be vulnerable and their focus and priorities on remaining in business. However, traditional enterprises like airlines have always been an attractive target since few are digital-first businesses, and therefore have relied on legacy software, which is more likely to be out-of-date or have existing vulnerabilities that can be exploited,” Liberow added.

Locking Down the Software Supply Chain
The breach is yet another in a long list of recent brutal attacks on third-party supply-chain providers to target larger, more secure organizations. The most well-known recent event is the SolarWinds breach of the U.S. government; and there’s also the spate of global zero-day attacks on users of the Accellion legacy File Transfer Appliance product.

“The proliferated effect of the attack on SITA is yet another example of how vulnerable organizations can be solely on the basis of their connections to third-party vendors,” said Ran Nahmias, co-founder of Cyberpion. “If these kinds of seemingly legitimate connections are not properly monitored and protected, they can result in damaging breaches that unleash highly confidential data, as evidenced in this situation.”

That means it’s up to IT teams to evaluate the security of every company within their perimeter, Demi Ben-Ari from Panorays said.

“You simply cannot know whether your third parties meet your company’s security controls and risk appetite until you’ve completed a full vendor security assessment on them,” Ben-Ari explained. “But through automated questionnaires, external footprint assessments and taking into consideration the business impact of the relationship, you can get a clear, up-to-date picture of supplier security risk. It’s important to note that the best practice is not a ‘one-and-done’ activity, but through real-time, continuous monitoring.”

David Wheeler, director of open-source supply-chain security at the Linux Foundation, explained during a recent Threatpost webinar on how to lock down the supply chain that security-savvy IT pros should start asking for SBOMs, or a software bill of materials, before using any third-party solution. This will help ensure that the platform was written securely and with reliable code.

“Today’s data breaches tell us it’s no longer enough to secure your perimeter; you also have to secure your third parties, and their third parties,” Ben-Ari warned.


Unpatched Bug in WiFi Mouse App Opens PCs to Attack
4.3.2021
Attack  Threatpost

Wireless mouse utility lacks proper authentication and opens Windows systems to attack.

The mobile application called WiFi Mouse, which allows users to control mouse movements on a PC or Mac with a smartphone or tablet, has an unpatched bug allowing adversaries to hijack desktop computers, according to researcher Christopher Le Roux who found the flaw.

Impacted is the Android app’s accompanying WiFi Mouse “server software”, which must be installed on a Windows system and allows the mobile app to control a desktop’s mouse movements. The flaw allows an adversary sharing the same Wi-Fi network to gain full access to the Windows PC via a communications port opened by the software.

WiFi Mouse, published by Necta, is available on Google Play and via Apple’s App Store marketplace under the publisher name Shimeng Wang. The only version Le Roux tested was version 1.7.8.5 of the WiFi Mouse desktop software running on a Windows Enterprise (Build 17763) system.

Despite multiple attempts to contact the app developer Necta, the company has not responded to either the researcher’s inquiries or Threatpost’s request for comment. Unclear is whether other versions of the WiFi Mouse desktop software, compatible with Mac, Debian and RPM, are also impacted.

Bug’s Impact: Limited to Desktops
According to Le Roux’s research, the unpatched bug does not impact Android mobile phones running the WiFi Mouse application. According to the developer’s Google Play marketplace description of WiFi Mouse, the application has been downloaded over 100,000 times.

The vulnerability, according to the researcher, is tied to the poor password and PIN security of the Windows desktop application.

“The password/PIN option in the Windows Desktop app does not prevent remote control of a target running the software,” Le Roux told Threatpost. “I believe this may be an oversight on the part of the developer.”

The researcher said the application doesn’t properly prompt mobile app users to enter a password or a PIN in order to pair an Android mobile device running WiFi Mouse with the accompanying WiFi Mouse desktop server software. That lack of authentication opens the door for a rogue user to exploit the open data port used by WiFi Mouse, Le Roux said.

Open Port: Open Season for Attacks
“The WiFi Mouse mobile app scans for and connects to hosts with TCP port 1978 open. Upon connecting the desktop server responds with OS information and the handshake is complete,” he wrote. “From within the mobile app you have a mouse touchpad option as well as a file explorer. The file explorer allows a user to ‘open’ any file on the System. This includes executable files such as cmd.exe or powershell.exe, which will open each command terminal respectively.”

Le Roux noted that this type of “unfettered access to a targeted system makes it as easy as sending ASCII characters as HEX with some padding on either side followed by a packet for the enter key.”

“This process is quick and easy to program especially because there is no encryption between the server and app,” he wrote in an email-based interview with Threatpost.

Needed Ingredients For an Attack
An adversary needs only the WiFi Mouse server software running on a targeted PC to exploit it – no mobile app needed. “Adversaries gain full remote command execution,” he said.

“Sadly the app can be easily mimicked even if it is not installed or on the network. The WiFi Mouse desktop server will accept any connection so long as it is running on an endpoint and the firewall isn’t blocking its listening port 1978,” Le Roux told Threatpost.

From there, an adversary can run a simple command on the targeted Windows system to download any executable program from an HTTP server and run it to get a remote shell on a target’s PC.

“This could be turned into an encoded power shell command or invoke-expression call to drop malware or load fileless processes,” he said. “Your limitations are those of the signed in user’s permissions and power shell.”

While the researcher said his tests were limited to PCs running Windows, he suspects – but cannot confirm – this issue may also impact other platforms.

“I have yet to do any testing on macOS. My testing on Debian Linux (Kali) shows that the file explorer option does not function appropriately. This does not eliminate the potential for ‘replaying’ mouse movement data and sending left click and enter key commands to substitute for lack of file explorer however,” he wrote.

“An attacker could still feasibly exploit a Unix based system with minimal effort,” he wrote.


Home-Office Photos: A Ripe Cyberattack Vector
4.3.2021
Attack  Threatpost

Threat actors can use personal information gleaned from images to craft targeted scams, putting personal and corporate data at risk.

That photo that appears when someone disables his or her Zoom video, or those photos of a remote worker’s home office shared on Instagram may seem innocuous and playful. However, they could become ammunition for threat actors to launch targeted scams and put personal and critical data at risk, a cybersecurity researcher has warned.

Jason Nurse, an associate professor in cybersecurity at the University of Kent, and a visiting academic at the University of Oxford, cautioned that personal photos and information shared via various online platforms used by remote workers can expose not only the employee, but also corporate networks, to threats from savvy attackers who are looking to exploit personal data. He shared his thoughts in a post published Wednesday on Sophos Naked Security blog.

With more workers online than ever due to the COVID-19 pandemic, people have gotten so comfortable with sharing photos and other personal information online that they may not be aware of how it can be misused, Nurse said.

Moreover, the pandemic in general has been stressful for everyone as people try to juggle their everyday lives amid the disruption to daily routine, which means that people have their guard down more than ever when cyberattackers come calling.

“While the sharing of such photos may seem harmless and even a must-do at the time, the reality is that we are, once again, falling into the age-old trap of oversharing,” he wrote in the post. “We are forgetting to ask ourselves: What might a criminal or fraudster do with this information?”

The answer is quite a lot, Nurse surmised. That’s because the more a threat actor knows about a person, the more he or she and the company they are working for are vulnerable to attack, he said.

How Work-from-Home Photos Can Be Misused
Nurse posited several ways threat actors could misuse the information from the photos remote workers post online — which are often shared with easy-to-track tags such as #WorkfromHome and #HomeOffice.

One is to make the workers themselves the targets of personalized scams that use their name or information gleaned from data they’ve shared. For instance, a picture of a gift package from one’s company that shows a home address or reveals a birth date could be the tip of a spear-phish.

“Let’s say you are emailed an ‘e-gift card’ on your actual birthday by a long-lost friend looking to reconnect,” Nurse said. “Many people would be more likely than usual to open the gift-card attachment because the date is correct, unaware that it is actually a piece of malware or ransomware, and that the fraudster knows your birthday because it was posted online months earlier.”

Attackers also use personal information obtained from people’s online activity and photos to guess passwords to break into their accounts, which exposes them not only to data theft but also to potential financial consequences.

There’s also plenty in the backgrounds of video calls and pictures for threat actors to exploit, Nurse said. For instance, people often share images of their work set-ups that appear harmless – but they may have a pet working next to their computer or there may be evidence of a child being home-schooled online. This is a treasure trove of info that can be used to guess passwords.

Photos and videos posted by home workers online can also expose corporate data, and therefore the corporate networks to which they’re connected, he added.

“Analysis of images of home-working environments has revealed work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers and internal identification numbers of devices,” he said.

An attacker can use this info to craft an email appearing to be a known supplier or business contact to dupe targets into downloading malware — which can then have a ripple effect on the corporate network, Nurse suggested. Or, a threat actor could impersonate someone from a company’s IT department and ask them to initiate what seems like a typical update, but which instead is nefarious activity, he said.

In all, overshared work-from-home backgrounds and photos are just part of the well-documented phenomenon of how businesses have struggled with the transition to having an almost entirely online workforce during the pandemic, with security suffering and thus already providing a wider playing field for attackers.

How to Protect a Work-from-Home Space
The good news is, it’s easy to avoid falling into the trap of oversharing and thus threat exposure when working remotely, by following some simple advice, Nurse said.

Remote workers should always keep in mind what’s in the background of photos or video-conference calls, and even consider using a virtual background when conducting the latter. People can also blur the background of video-related activity to obscure it so potential attackers can’t see anything clearly enough to exploit it, he said.

And while people working alone in relative solitude at home may be tempted to share their remote-working set-up on various social-media platforms using a fun and clever hashtag, Nurse advised against this behavior — it’s an easy way to protect personal data from being used against them.


Attackers took over the Perl.com domain in September 2020
4.3.2021
Attack  Securityaffairs

The Perl.com domain was hijacked in January, but a senior editor at the site revealed that the hackers took control of the domain in September 2020.
The Perl.com domain was hijacked in January 2021, but according to Brian Foy, senior editor of Perl.com, the attack took place months before, in September 2020.

Attackers have taken over the official domain name of The Perl Foundation perl.com and pointed it to an IP address associated with malware campaigns.

The domain Perl.com was created in 1994 and was the official website for the Perl programming language; it is registered with the registrar key-systems(.)net.

“The perl.com domain was hijacked this morning, and is currently pointing to a parking site. Work is ongoing to attempt to recover it.” reads the announcement published on the Perl NOC in January.

“We encourage you NOT to visit the domain, as there are some signals that it may be related to sites that have distributed malware in the past.”

The attackers changed the IP address from 151.101.2.132 to 35.186.238[.]101.

After the hackers took over the site, it displayed a blank page whose HTML contained GoDaddy parked-domain scripts.

Shortly after the domain hijacking, perl.com was offered for sale for $190k on afternic.com.

“John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed.” wrote Foy. “The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder.”

The hijack took place in September; the domain was transferred to another registrar in December, but the nameservers were left unchanged so that the malicious activity would not be detected. In January the domain was transferred again, and by the end of January it was pointing to an IP address involved in past malware campaigns, including the distribution of Locky ransomware. Shortly after the second transfer, perl.com was offered for sale for $190k on afternic.com.
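The timeline above is the part a defender can act on: the registrar transfer in December produced no visible DNS change, so monitoring that only resolves the domain would have stayed silent for a month. The following Python is an added example, not code from Perl.com or from any of the article's sources, that compares periodic snapshots of registrar, nameserver and A-record data and flags a registrar change on its own as a quiet transfer. The snapshot field names, the nameserver names, the month labels and the January nameserver change are constructed for the example; the registrar names and the two IP addresses follow the article's account.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class DomainSnapshot:
    """One point-in-time view of a domain's registration and DNS data.

    The field names are this example's own, not from any registrar API.
    """
    taken: str                    # label for when the snapshot was collected
    registrar: str                # sponsoring registrar as shown in WHOIS/RDAP
    nameservers: Tuple[str, ...]  # NS records at the registry
    a_records: Tuple[str, ...]    # A records the apex currently resolves to


def compare_snapshots(prev: DomainSnapshot, cur: DomainSnapshot) -> List[str]:
    """Return one alert string per change between two consecutive snapshots.

    A registrar transfer with no DNS change gets an extra alert: that is the
    quiet staging step in the Perl.com timeline, and it is invisible to
    monitoring that only watches nameservers and A records.
    """
    alerts: List[str] = []
    if prev.registrar != cur.registrar:
        alerts.append(f"registrar changed: {prev.registrar} -> {cur.registrar}")
    if set(prev.nameservers) != set(cur.nameservers):
        alerts.append(
            f"nameservers changed: {sorted(prev.nameservers)} -> {sorted(cur.nameservers)}"
        )
    if set(prev.a_records) != set(cur.a_records):
        alerts.append(f"A records changed: {sorted(prev.a_records)} -> {sorted(cur.a_records)}")
    if len(alerts) == 1 and alerts[0].startswith("registrar changed"):
        alerts.append("quiet registrar transfer with DNS unchanged: confirm the transfer was authorised")
    return alerts


def audit_history(snapshots: Sequence[DomainSnapshot]) -> List[Tuple[str, List[str]]]:
    """Walk an ordered snapshot history and collect (label, alerts) for every transition that changed something."""
    findings: List[Tuple[str, List[str]]] = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        alerts = compare_snapshots(prev, cur)
        if alerts:
            findings.append((cur.taken, alerts))
    return findings


# Constructed history loosely following the article's account. Registrar names and the
# two IP addresses come from the article; the nameserver names, the month labels and
# the January nameserver change are made up for this example.
ORIGINAL_NS = ("ns1.example.net", "ns2.example.net")
HISTORY = [
    DomainSnapshot("2020-08", "Network Solutions", ORIGINAL_NS, ("151.101.2.132",)),
    DomainSnapshot("2020-09", "Network Solutions", ORIGINAL_NS, ("151.101.2.132",)),  # compromise, nothing visible yet
    DomainSnapshot("2020-12", "BizCN", ORIGINAL_NS, ("151.101.2.132",)),              # transfer, nameservers untouched
    DomainSnapshot("2021-01", "Key Systems", ("ns1.parking.example", "ns2.parking.example"), ("35.186.238[.]101",)),
]


if __name__ == "__main__":
    for when, alerts in audit_history(HISTORY):
        print(when)
        for alert in alerts:
            print("  -", alert)
```

Run stand-alone, the December transition is reported with only the registrar alert plus the quiet-transfer alert, while the January transition trips all three checks. In practice the snapshots would come from scheduled RDAP/WHOIS and DNS queries; the comparison logic is the same.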

According to Foy, the attack might have resulted in the hack of several other domains.

“This part veers into some speculation, and Perl.com wasn’t the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on.” added Foy. “There’s no reason for Network Solutions to reveal anything to me (again, I’m not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported.”

The domain was back in the hands of Tom Christiansen, the rightful owner, in early February.

“The Perl.com domain is back in the hands of Tom Christiansen and we’re working on the various security updates so this doesn’t happen again. The website is back to how it was and slightly shinier for the help we received.” concludes Foy.


Microsoft: Multiple Exchange Server Zero-Days Under Attack by Chinese Hacking Group
4.3.2021
Attack  Securityweek


Microsoft late Tuesday raised the alarm after discovering Chinese cyber-espionage operators chaining multiple zero-day exploits to siphon e-mail data from corporate Microsoft Exchange servers.

Redmond's warning includes the release of emergency out-of-band patches for four distinct zero-day vulnerabilities that formed part of the threat actor's arsenal.

Microsoft pinned the blame on a sophisticated Chinese APT operator called HAFNIUM that operates from leased VPS (virtual private servers) in the United States.

HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

The company said its analysts assess with high confidence that HAFNIUM is state-sponsored and operating out of China, based on observed victimology, tactics and procedures.


In all, Microsoft said the attacker chained four zero-days into a malware cocktail targeting its Exchange Server (Outlook Web App) product. The vulnerabilities exposed Microsoft's customers to remote code execution attacks, without requiring authentication.

"In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments," Microsoft said.

"We strongly urge customers to update on-premises systems immediately," the company urged.

Here are the raw details on the vulnerabilities being exploited in the wild.

* CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

* CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

* CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

* CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Enterprise defenders can find additional technical details in this blog post from the Microsoft Server team.

Microsoft said the attacks included three steps. First, the group gained access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise themselves as someone who should have access. Second, the attackers created a web shell to control the compromised server remotely. That remote access was then used – run from the U.S.-based private servers – to steal data from an organization’s network.

In campaigns unrelated to this new batch of zero-day vulnerabilities, Microsoft said it found HAFNIUM interacting with victim Office 365 tenants. "While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments," the company explained.

The attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, Microsoft added.

Cybersecurity firm Volexity, which was credited by Microsoft for reporting different parts of the attack chain, has published a blog post with technical details and a video demonstrating exploitation in action, along with known attacker IP addresses connected to the attacks. Volexity said it detected anomalous activity from two of its customers’ Microsoft Exchange servers in January 2021, which led to discovery of the attacks.


Post-Cyberattack, Universal Health Services Faces $67M in Losses
3.3.2021
Attack  Threatpost

The Fortune-500 hospital network owner is facing steep costs in damages after a cyberattack impacted patient care and billing in September and October.

The cyberattack that hit Universal Health Services (UHS) in September has cost the healthcare service provider a whopping $67 million in damages, according to financial statements.

A fourth-quarter earnings report last week from UHS highlighted the “significant incremental labor expense” needed to restore IT operations after the incident. UHS said that administrative functions – like billing – were also delayed, which had a “negative impact” on its operating cash flows in the fourth quarter.

“As a result of these factors, we estimate that this incident had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020,” according to the UHS earnings report.

When it first occurred, the cyberattack disrupted various IT applications utilized by the Fortune-500 company, which is one of the nation’s largest hospital management firms. Throughout October, UHS said it worked to “substantially restore” these applications and its facilities “generally” resumed eventually.

“We estimate that approximately $12 million of the unfavorable pre-tax impact was experienced during the third quarter of 2020, and approximately $55 million was experienced during the fourth quarter of 2020,” the report said.

UHS Cyberattack: Breaking Down the Financial Damages
While UHS didn’t mention what kind of attack it suffered, reports pointed to the Ryuk ransomware as the culprit. However, there was no mention of ransomware – or losses incurred from a paid ransom – in the earnings report.

With UHS subsidiaries encompassing 26 acute care hospitals, 328 behavioral health inpatient facilities, and 42 outpatient facilities and ambulatory care centers in 38 states across the U.S., the impact of the cyberattack was far reaching. UHS said that a “substantial majority” of the financial damages stemmed from its acute care services, which lost operating income due to decreased patient activity.

That’s because the cyberattack forced UHS to both divert ambulance traffic and send patients with elective procedures to “competitor facilities.” The damages also stemmed in part from the associated billing delays for postponed or rescheduled appointments during the timeframe of the attack.

“Also included were certain labor expenses, professional fees and other operating expenses incurred as a direct result of this incident and the related disruption to our operations,” according to the earnings statement.

UHS mentioned that it has insurance and “although we can provide no assurance or estimation related to the receipt timing, or amount, of the proceeds that we may receive” it believes it is entitled to “recovery of the majority of the ultimate financial impact resulting from the cyberattack.”

In its initial statement on the attack, UHS did not disclose how it occurred other than to say it was “due to an IT security issue.” The cyberattack left the network scrambling to implement extensive IT security protocols and working to establish back-up processes such as offline documentation methods.

UHS said that no patient or employee data appears to have been accessed, copied or otherwise compromised.

Financial Damages Cripple Cyberattack Victims
The UHS earnings report gives a rare glimpse into the wide-ranging financial damages facing victims of cyberattacks.

In 2019, Oslo, Norway-based aluminum giant Norsk Hydro revealed that it incurred between $60 million to $71 million in damages from a ransomware attack, which forced it to shut down or isolate several plants and send several more into manual mode.

In 2020, Travelex paid out $2.3 million in Bitcoin to hackers to regain access to its global network after a malware attack at the new year knocked the global currency exchange offline and crippled its business – and that figure doesn’t include additional costs like brand damage, losses from operations disrupted by the attack and more.

Hospitals: A Dangerous Cyberattack Victim
Hospitals in particular face damages from cyberattacks that can go beyond financial challenges. Such cyberattacks can lead to hospitals diverting patients in need of critical care away to other locations at a further distance.

In November, for instance, a cyberattack left University of Vermont (UVM) health network scrambling to recover its systems. The attack caused widespread delays in patient appointments – including chemotherapy appointments, as well as mammograms and biopsies.

This can have dire consequences. In September, a ransomware attack at a Dusseldorf University hospital in Germany resulted in emergency-room diversions to other hospitals. According to a report by the Ministry of Justice of the State North Rhine-Westphalia, a patient died who had to be taken to a more distant hospital in Wuppertal because of the attack on the clinic’s servers.

At the same time, a January report from Check Point Software found that healthcare organizations have seen a 45-percent increase in cyberattacks since November, as COVID-19 ravages international healthcare systems.

Threatpost has reached out to UHS for further comment.


French multinational dairy Lactalis hit by a cyber attack
3.3.2021
Attack  Securityaffairs

French multinational dairy products corporation Lactalis disclosed a cyberattack but said it had found no evidence of a data breach.
France-based dairy giant Lactalis announced that it was hit by a cyber attack, but claimed that it had found no evidence of a data breach.

Lactalis employs more than 80,000 people worldwide at more than 230 production sites in 43 countries. It is the largest dairy products group in the world and owns brands such as Parmalat, Président, Siggi’s Dairy, Skånemejerier, Rachel’s Organic, and Stonyfield Farm.
Lactalis disclosed the cyberattack and revealed that a limited number of systems on its network were impacted in the incident.

“The Lactalis Group has detected an intrusion on part of its computer network. We immediately took steps to contain this attack and have notified the competent authorities. The results of our investigations establish that a malicious third party is seeking to break into our servers. For the sake of transparency, we are making this information.” reads the press release published by Lactalis Group.
A malicious third party attempted to hack into its network, but the company promptly responded to the intrusion to mitigate the attack.

In response to the incident, the company restricted access to public resources.

“Our IT teams are fully mobilized and supported by experts recognized in cyber security. Our investigation with them revealed no data breach at this point. Lactalis teams are working to protect the interests of our customers, our partners and our employees.” continues the press release. “This is why we have restricted, at our initiative and as a preventive measure, our access to the public Internet network. We organize ourselves to ensure all of our activities under usual conditions.”

Lactalis notified the competent authorities and hired cybersecurity experts to investigate the incident.

The company did not provide details about the type of attack, but some experts speculate the company has been hit by ransomware.


Mobile Adware Booms, Online Banks Become Prime Target for Attacks
2.3.2021 
Attack  Threatpost

A snapshot of the 2020 mobile threat landscape reveals major shifts toward adware and threats to online banks.

Hackers painted a bullseye on the backs of online financial institutions in 2020 as the pandemic shuttered local branch offices and forced customers online. Over the past 12 months, incidents of adware nearly tripled. And, overall in 2020 researchers saw a slight drop in the number of mobile cyberattacks, according to a report released Monday by Kaspersky.

In its Mobile Malware Evolution 2020 report, Kaspersky documents the current mobile threat landscape and identifies 2021 mobile security trends. It found that while mobile threats have dipped slightly over the past year, criminals have focused on the quality of mobile attacks versus mass infections.

“We saw a decrease in the number of attacks in the first half of the year, which can be attributed to the confusion of the first months of the pandemic,” wrote Victor Chebyshev, a mobile security researcher at Kaspersky and author of the report. “The attackers had other things to worry about [and] were back at it in the second half.”

What Are the Biggest Mobile Threats?

The leading mobile threat type in 2020 was adware, accounting for 57 percent of attacks. Risk tools came in second, representing 21 percent of attacks. Trojan droppers and mobile trojans each represented 4.5 percent of attacks, and SMS-based trojans represented 4 percent of actual mobile criminal activity.

Risk tools, as Kaspersky calls them, are potentially dangerous or unwanted programs that are not inherently malicious, but are used to hide files or terminate applications and could be used with malicious intent.

Each of the aforementioned threats, save adware, saw steep declines in attack occurrences. Compared to 2019, adware’s share of all mobile threats grew from 22 percent to 57 percent.

The Most Popular Adware in 2020?

Leading adware families included Ewind (representing 65 percent of adware samples found) followed by FakeAdBlocker (representing 15 percent of samples) and trailed by HiddenAd (accounting for 10 percent of samples).

How Did Ewind Adware Become So Potent?

Researchers credit the success of Ewind to the nearly 2 million Ewind.kp Android installer packages that were bundled into legitimate applications, hidden among resources such as icons and resource files. These seemingly innocuous downloads, Chebyshev wrote, are readily available on seemingly trustworthy third-party Android application download sites.

What Mobile Malware Did Apple’s iOS Face?

Unlike Android handsets, Apple’s closed hardware and software ecosystem posed unique challenges for criminals, though it didn’t deter them completely.

Topping threats to Apple’s smattering of mobile devices – including its iPhone and iPad lines – are drive-by downloads abusing the company’s Safari browser rendering engine called WebKit, Kaspersky said.

“In 2020, our colleagues at TrendMicro detected the use of Apple WebKit exploits for remote code execution (RCE) in conjunction with Local Privilege Escalation exploits to deliver malware to an iOS device,” wrote Chebyshev.

“The payload was the LightSpy trojan whose objective was to extract personal information from a mobile device, including correspondence from instant messaging apps and browser data, take screenshots, and compile a list of nearby Wi-Fi networks,” he wrote.

The iOS malware LightSpy has a modular design. “One of the modules discovered was a network scanner that collected information about nearby devices including their MAC addresses and manufacturer names. TrendMicro said LightSpy distribution took advantage of news portals, such as COVID-19 update sites,” according to the report.

What Were the Most Common Android Trojans in 2020?

Popular malware families targeting the Android operating system in 2020 were banking trojans GINP, Cebruser, Ghimob and Cookiethief.

“The trojan Ghimob was one of 2020’s most exciting discoveries,” according to the Kaspersky report. “It stole credentials for various financial systems including online banking applications and cryptocurrency wallets in Brazil.”

The trojan was rudimentary, but effective, and abused the Android Accessibility feature with a common mobile overlay scheme.

“Whenever the user tried to access the Ghimob removal menu, the trojan immediately opened the home screen to protect itself from being uninstalled,” according to the report.

Cookiethief Android Trojan Abuses Cookies

As for Cookiethief malware, researchers said the trojan targeted mobile cookies, which store unique identifiers of web sessions and hence can be used for authorization. “For example, an attacker could log in to a victim’s Facebook account and post a phishing link or spread spam. Typically, cookies on a mobile device are stored in a secure location and are inaccessible to applications, even malicious ones. To circumvent the restriction, Cookiethief tried to get root privileges on the device with the help of an exploit, before it began its malicious activities,” the researcher wrote.

Significant Growth in Mobile Financial Threats in 2020

“We detected 156,710 installation packages for mobile banking Trojans in 2020, which is twice the previous year’s figure and comparable to 2018,” Kaspersky wrote.

Top banking Trojans were Agent (72 percent of infections) followed by a long list of banking Trojans representing single-digit infections including Wroba, Rotexy and Anubis.

Interest in targeting financial institutions is tied to the pandemic, researchers said. “The inability to visit a bank branch forced customers to switch to mobile and online banking, and banks, to consider stepping up the development of those services,” they wrote.

On the Bright Side: Incidents of Mobile Ransomware Plummet

“Overall, the decrease in ransomware can be associated with the assumption that attackers have been converting from ransomware to bankers or combining the features of the two. Current versions of Android prevent applications from locking the screen, so even successful ransomware infection is useless,” researchers noted.

How Do Adware and Malware Criminal Gangs Work Together?

It is unclear how new the trend is, but the Kaspersky report offered insights into the seldom-described symbiotic relationship between adware pushers and those behind malware infections.

“Adware creators are interested in obstructing the removal of their products from a mobile device. They typically work with malware developers to achieve this. An example of a partnership like that is the use of various trojan botnets: we saw a number of these cases in 2020,” the report stated.

The mutually beneficial relationship starts with bots infecting mobile devices.

“As soon as the owners of the botnet and their [criminal] customers come to an agreement, the bot receives a command to download, install and run a payload, in this case, adware. If the victim is annoyed by the unsolicited advertising and removes the source, the bot will simply repeat the steps,” the report outlines.

Those infections can sometimes also be used to “elevate access privileges on the device, placing adware in the system area and making the user unable to remove them without outside help,” they said.

How Does Android Gear Come Pre-Installed with Malware?

Another example of the partnership between less-than-savory actors is a scheme called “preinstalls”. This is when the phone’s maker preloads an adware application or a component with the firmware.

“As a result, the device hits the shelves already infected. This is not a supply chain attack, but a premeditated step on the part of the manufacturer for which it receives extra profits,” Kaspersky explains.

Researchers explain that this is a particularly difficult, if not impossible, infection to clean up.

“[N]o security solution is yet capable of reading an OS system partition to check if the device is infected. Even if detection is successful, the user is left alone with the threat, without a possibility of removing the malware quickly or easily, as Android system partitions are write protected. This vector of spreading persistent threats is likely to become increasingly popular in the absence of new effective exploits for popular Android versions,” it said.


Boat Building Giant Beneteau Says Cyberattack Disrupted Production
2.3.2021 
Attack  Securityweek

French boat maker Groupe Beneteau is working on restoring operations after falling victim to a cyber-attack roughly ten days ago.

Founded in 1884, the Vendée, France-based company employs more than 8,000 people in France, the United States, Poland, Italy and China, and focuses on two business lines: boats and leisure homes.

Last week, Beneteau announced that it suffered a malware intrusion on some of its servers, and that it decided to disconnect all “information systems,” to prevent the malware from spreading.

“Several production units, notably in France, will have to slow down or stop their production activities for a few days,” the company said a few days after the attack.

The boat builder immediately started recovery operations, which include “the deployment of a backup application and systems,” to help it restore activities securely, albeit in “degraded mode.”

The company also revealed that it contacted the relevant authorities and that the investigation into the incident would continue, while its teams will focus on restoring all systems. One week later, however, the giant was still struggling with the recovery operations.

In an update published on Thursday, Beneteau said production at some of its plants was expected to gradually recommence on February 26. However, the company did not provide information on when all of its systems would be fully operational again.

“The Group is continuing with its investigations in order to find solutions to restore its IT systems to a normal and secure way of operating,” the company also said.

While Beneteau did not share information on the malware it was targeted with, the attack appears to bear the marks of a ransomware assault. SecurityWeek reached out to the company for confirmation on this and to inquire whether any data was compromised during the incident.


T-Mobile customers were hit with SIM swapping attacks
28.2.2021 
Attack  Securityaffairs

The telecommunications giant T-Mobile disclosed a data breach after some of its customers were apparently affected by SIM swap attacks.
The telecommunications provider T-Mobile has disclosed a data breach after it became aware that some of its customers were allegedly victims of SIM swap attacks.
Crooks conduct SIM swapping attacks to take control of victims’ phone numbers by tricking mobile operator employees into porting them to SIMs under the fraudsters’ control. Once they have hijacked a SIM, the attackers can steal money, cryptocurrencies and personal information, including contacts synced with online accounts. They can also hijack social media accounts and bypass SMS-based 2FA used by online services, including financial ones.
An unknown attacker gained access to customers’ account information, including personal information and personal identification numbers (PINs). T-Mobile has already notified the impacted customers.

“Recently, we detected unauthorized activity on your T-Mobile account, during which an unknown actor gained access to your account information, including personal information and your personal identification number (PIN).” reads a data breach notification published by the company. “T-Mobile quickly identified and terminated the unauthorized activity, however, we do recommend that you change your customer account PIN.”

The exposed information may have included customers’ full name, address, email address, account number, social security number, customer account personal identification number (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed associated with the account.

According to Bleeping Computer, the hackers used an internal T-Mobile application to target up to 400 customers in SIM swap attack attempts; the security breach did not impact business customers.

Impacted T-Mobile customers are recommended to change their password, PIN, and security questions.

T-Mobile offers two years of free credit monitoring and identity theft detection services to impacted customers.

Unfortunately, this isn’t the first data breach suffered by T-Mobile in the past years.

In 2017, hackers stole personal information belonging to T-Mobile customers by exploiting a well-known vulnerability, which gave them access to certain customers’ data, including email addresses, billing account numbers, and the phones’ IMSI numbers. Such information could be used in social engineering attacks against T-Mobile’s customer support employees with the intent of stealing the victim’s phone number.

In May 2018, a flaw in T-Mobile’s website allowed anyone to access the personal account details of any customer by providing their mobile number.

In August 2018, T-Mobile suffered a security breach that exposed the personal information of up to 2 million T-mobile customers.

In November 2019, the US branch of the telecommunications giant T-Mobile disclosed a security breach that according to the company impacted a small number of customers of its prepaid service.

In March 2020, the wireless carrier T-Mobile was the victim of a sophisticated cyber attack that targeted its email vendor. A data breach notification published by the telecommunications giant on its website revealed that the security breach impacted both employees and customers.

In December 2020, the company disclosed a new data breach that exposed customers’ network information (CPNI), including phone numbers and call records.


Experts Warn of Notable Increase in QuickBooks Data Files Theft Attacks
25.2.2021
Attack  Thehackernews

New research has uncovered a significant increase in QuickBooks file data theft using social engineering tricks to deliver malware and exploit the accounting software.

"A majority of the time, the attack involves basic malware that is often signed, making it hard to detect using antivirus or other threat detection software," researchers from ThreatLocker said in an analysis shared today with The Hacker News.

QuickBooks is an accounting software package developed and marketed by Intuit.

The spear-phishing attacks take the form of a PowerShell command that's capable of running inside of the email, the researchers said. A second attack vector involves decoy documents sent via email messages that, when opened, run a macro to download malicious code which uploads QuickBooks files to an attacker-controlled server.

Alternatively, bad actors have also been spotted running the PowerShell command Invoke-WebRequest on target systems to upload relevant data to the Internet without the need for downloading specialized malware.

"When a user has access to the Quickbooks database, a piece of malware or weaponized PowerShell is capable of reading the user's file from the file server regardless of whether they are an administrator or not," the researchers said.

Furthermore, the attack surface increases exponentially in the event QuickBooks file permissions are set to the "Everyone" group, as an attacker can target any individual in the company, as opposed to a specific person with the right privileges.

That's not all. Besides selling the stolen data on the dark web, the researchers say they found instances where the operators behind the attacks resorted to bait-and-switch tactics to lure customers into making fraudulent bank transfers by posing as suppliers or partners.

Advising users to remain vigilant of these attacks, ThreatLocker recommends that file permissions are not set to the "Everyone" group to limit exposure.

"If you are using a Database Server Manager, be sure to check the permissions after running a database repair and confirm they are locked down," the researchers said.
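The permissions advice above is easy to verify from the output of icacls, the Windows command-line ACL tool. The Python below is an added example, not ThreatLocker's or Intuit's tooling: it parses a constructed sample of `icacls <share> /T` output for a QuickBooks share and reports QuickBooks data files (.qbw company file, .qbb backup, .tlg transaction log, .nd network data file) that grant access to Everyone or to the other broad groups listed in BROAD_PRINCIPALS. The sample paths, groups and grants are made up, and the two groups beyond Everyone are this example's additions to the article's advice.

```python
import re
from typing import Dict, List, Tuple

# Access-control entries as printed by icacls: "<principal>:<rights>" where rights is a
# run of parenthesised flags such as (I)(OI)(CI)(F) or (RX).
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([^)]*\))+)$")

# Principals that grant every user on the network access to an accounting data file.
# "Everyone" is the group the article names; the other two are added here as common
# over-broad groups on Windows file servers.
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}

# QuickBooks data files: company file, backup, transaction log, network data file.
QUICKBOOKS_SUFFIXES = (".qbw", ".qbb", ".tlg", ".nd")

# Constructed sample of `icacls D:\QB /T` output; the paths, groups and grants are made up.
SAMPLE_ICACLS_OUTPUT = r"""D:\QB\Acme Corp.qbw NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    Everyone:(I)(M)
D:\QB\Acme Corp.tlg NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    CORP\QB_Accounting:(RX)
D:\QB\readme.txt Everyone:(R)

Successfully processed 3 files; Failed processing 0 files
"""


def parse_icacls(output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse icacls text output into {path: [(principal, rights), ...]}.

    icacls prints the path followed by its first ACE, then the remaining ACEs one per
    line, indented so that all ACEs line up. That indent equals len(path) + 1, which is
    how paths containing spaces are recovered here. An entry with a single ACE has no
    continuation line, so the path is assumed to contain no space in that case.
    """
    acls: Dict[str, List[Tuple[str, str]]] = {}
    lines = [ln.rstrip() for ln in output.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line or line.startswith("Successfully processed"):
            i += 1
            continue
        j = i + 1
        while j < len(lines) and lines[j].startswith(" "):
            j += 1
        continuation = lines[i + 1:j]
        if continuation:
            indent = len(continuation[0]) - len(continuation[0].lstrip(" "))
            path, first_ace = line[:indent - 1], line[indent:]
        else:
            parts = line.split(" ", 1)
            if len(parts) != 2:      # e.g. an "Access is denied" line: skip it
                i = j
                continue
            path, first_ace = parts
        aces: List[Tuple[str, str]] = []
        for raw in [first_ace] + [c.strip() for c in continuation]:
            match = ACE_RE.match(raw)
            if match:
                aces.append((match["principal"], match["rights"]))
        acls[path] = aces
        i = j
    return acls


def find_overexposed(acls: Dict[str, List[Tuple[str, str]]],
                     suffixes: Tuple[str, ...] = QUICKBOOKS_SUFFIXES) -> List[Tuple[str, str, str]]:
    """Return (path, principal, rights) for QuickBooks files granted to over-broad groups.

    Deny entries are skipped: icacls marks them with a (DENY) flag and they restrict
    rather than widen access.
    """
    findings: List[Tuple[str, str, str]] = []
    for path, aces in acls.items():
        if not path.lower().endswith(suffixes):
            continue
        for principal, rights in aces:
            if principal.lower() in BROAD_PRINCIPALS and "(DENY)" not in rights:
                findings.append((path, principal, rights))
    return findings


if __name__ == "__main__":
    for path, principal, rights in find_overexposed(parse_icacls(SAMPLE_ICACLS_OUTPUT)):
        print(f"{path}: {principal} has {rights}")
```

On the sample, only the company file is reported: the transaction log is restricted to an accounting group, and readme.txt is readable by Everyone but is not a QuickBooks data file. Feeding real `icacls /T` output from the share into parse_icacls gives the same report for production data.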


Experts Find a Way to Learn What You're Typing During Video Calls
24.2.2021
Attack  Thehackernews

A new attack framework aims to infer keystrokes typed by a target user at the opposite end of a video conference call by simply leveraging the video feed to correlate observable body movements to the text being typed.

The research was undertaken by Mohd Sabra, and Murtuza Jadliwala from the University of Texas at San Antonio and Anindya Maiti from the University of Oklahoma, who say the attack can be extended beyond live video feeds to those streamed on YouTube and Twitch as long as a webcam's field-of-view captures the target user's visible upper body movements.

"With the recent ubiquity of video capturing hardware embedded in many consumer electronics, such as smartphones, tablets, and laptops, the threat of information leakage through visual channel[s] has amplified," the researchers said. "The adversary's goal is to utilize the observable upper body movements across all the recorded frames to infer the private text typed by the target."
To achieve this, the recorded video is fed into a video-based keystroke inference framework that goes through three stages —

* Pre-processing, where the background is removed, the video is converted to grayscale, and the left and right arm regions are segmented relative to the individual's face, which is detected via a model dubbed FaceBoxes
* Keystroke detection, which takes the segmented arm frames and computes the structural similarity index measure (SSIM) to quantify body movement between consecutive frames in each of the left and right video segments and identify frames where keystrokes likely happened
* Word prediction, where the keystroke frame segments are used to extract motion features before and after each detected keystroke and infer specific words with a dictionary-based prediction algorithm
In other words, from the pool of detected keystrokes, words are inferred by making use of the number of keystrokes detected for a word as well as the magnitude and direction of arm displacement that occurs between consecutive keystrokes of the word.

This displacement is measured using a computer vision technique called Sparse optical flow that's used to track shoulder and arm movements across chronological keystroke frames.

Additionally, a template for "inter-keystroke directions on the standard QWERTY keyboard" is also charted to denote the "ideal directions a typer's hand should follow" using a mix of left and right hands.

The word prediction algorithm then searches for the most likely words that match the order and number of left- and right-handed keystrokes and the direction of arm displacements against the template inter-keystroke directions.

The researchers said they tested the framework with 20 participants (9 females and 11 males) in a controlled scenario, employing a mix of hunt-and-peck and touch typing methods, aside from testing the inference algorithm against different backgrounds, webcam models, clothing (particularly the sleeve design), keyboards, and even various video-calling software such as Zoom, Hangouts, and Skype.

The findings showed that hunt-and-peck typers and those wearing sleeveless clothes were more susceptible to word inference attacks, as were users of Logitech webcams, which yielded better word recovery than external webcams from Anivia.

The tests were repeated with 10 more participants (3 females and 7 males), this time in an experimental home setup, successfully inferring 91.1% of the usernames, 95.6% of the email addresses, and 66.7% of the websites typed by participants, but only 18.9% of the passwords and 21.1% of the English words typed by them.

"One of the reasons our accuracy is worse than the In-Lab setting is because the reference dictionary's rank sorting is based on word-usage frequency in English language sentences, not based on random words produced by people," Sabra, Maiti, and Jadliwala note.

Stating that blurring, pixelation, and frame skipping can be effective mitigations, the researchers added that the video data can be combined with audio data from the call to further improve keystroke detection.

"Due to recent world events, video calls have become the new norm for both personal and professional remote communication," the researchers highlight. "However, if a participant in a video call is not careful, he/she can reveal his/her private information to others in the call. Our relatively high keystroke inference accuracies under commonly occurring and realistic settings highlight the need for awareness and countermeasures against such attacks."

The findings are expected to be presented later today at the Network and Distributed System Security Symposium (NDSS).


Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs

24.2.2021
Attack  Thehackernews

Researchers have demonstrated a novel class of attacks that could allow a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.

Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant."

The findings were presented yesterday at the Network and Distributed System Security Symposium (NDSS), with 16 of the 29 PDF viewers tested — including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular — found vulnerable to shadow attacks.

To carry out the attack, a malicious actor creates a PDF document with two different contents: one which is the content that's expected by the party signing the document, and the other, a piece of hidden content that gets displayed once the PDF is signed.

"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."
In the analog world, the attack is equivalent to deliberately leaving empty spaces in a paper document and getting it signed by the concerned party, ultimately allowing the counterparty to insert arbitrary content in the spaces.

Shadow attacks build upon a similar threat devised by the researchers in February 2019, which found that it was possible to alter an existing signed document without invalidating its signature, thereby making it possible to forge a PDF document.

Although vendors have since applied security measures to fix the issue, the new study aims to extend this attack model to ascertain the possibility that an adversary can modify the visible content of a digitally signed PDF without invalidating its signature, assuming that they can manipulate the PDF before it's signed.

At its core, the attacks leverage "harmless" PDF features which do not invalidate the signature, such as "incremental update" that allows for making changes to a PDF (e.g., filling out a form) and "interactive forms" (e.g., text fields, radio buttons, etc.) to hide the malicious content behind seemingly innocuous overlay objects or directly replace the original content after it's signed.

A third variant called "hide and replace" can be used to combine the aforementioned methods and modify the contents of an entire document by simply changing the object references in the PDF.

"The attacker can build a complete shadow document influencing the presentation of each page, or even the total number of pages, as well as each object contained therein," the researchers said.

Put simply, the idea is to create a form which shows the same value before and after signing, but a completely different set of values after an attacker's manipulation.

To test the attacks, the researchers have published two new open-source tools called PDF-Attacker and PDF-Detector that can be used to generate shadow documents and test a PDF for manipulation before it's signed and after it's been altered.
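The incremental-update variant works because a signature only covers the byte ranges listed in its /ByteRange array; anything appended after the signed region (a later xref section and trailer ending in %%EOF) is left unverified by the signature itself, which is why viewers must decide how to render it. The script below is an added example, not the researchers' PDF-Detector nor any viewer's code: it builds a constructed single-page PDF with a placeholder signature value (no real cryptography, but a /ByteRange computed exactly as a signer would), appends an incremental update that redefines the page's content stream, and then audits how many bytes and how many %%EOF markers lie outside the signed range. Object numbering, the /ByteRange regex and the alert fields are assumptions of this example.

```python
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
EOF_RE = re.compile(rb"%%EOF")


def build_signed_pdf(page_text: bytes) -> bytes:
    """Assemble a minimal constructed PDF with a signature dictionary (object 4).
    The signature value is a dummy hex string, but /ByteRange is filled in the
    way a real signer does it: it covers every byte except the <...> value."""
    placeholder = b"B" * 43                 # same width as "%010d %010d %010d %010d"
    sig_hex = b"00" * 32                    # constructed placeholder signature value
    stream = b"BT /F1 12 Tf 10 50 Td (" + page_text + b") Tj ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] /SigFlags 3 >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 6 0 R /Annots [5 0 R] >>",
        b"<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached "
        b"/ByteRange [" + placeholder + b"] /Contents <" + sig_hex + b"> >>",
        b"<< /Type /Annot /Subtype /Widget /FT /Sig /T (sig1) /V 4 0 R /Rect [0 0 0 0] /P 3 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    # All offsets are final now, so the fixed-width /ByteRange can be filled in.
    lt = out.find(b"/Contents <") + len(b"/Contents ")   # offset of '<'
    gt = out.find(b">", lt)                               # offset of '>'
    byterange = b"%010d %010d %010d %010d" % (0, lt, gt + 1, len(out) - gt - 1)
    return bytes(out).replace(placeholder, byterange)


def append_incremental_update(pdf: bytes, new_text: bytes) -> bytes:
    """Append an incremental update that redefines the content stream (object 6)
    without touching a single signed byte: the PDF mechanism the article
    describes, reproduced here only so that the audit below has input."""
    prev = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1])
    stream = b"BT /F1 12 Tf 10 50 Td (" + new_text + b") Tj ET"
    out = bytearray(pdf)
    obj_off = len(out)
    out += b"6 0 obj\n<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n6 1\n%010d 00000 n \n" % obj_off
    out += b"trailer\n<< /Size 7 /Root 1 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (prev, xref_pos)
    return bytes(out)


def audit_signature_coverage(pdf: bytes) -> dict:
    """Report whether the first signature's /ByteRange reaches the end of the
    file. Bytes beyond the second range are an update applied after signing:
    not necessarily malicious (form filling does the same), but exactly where a
    shadow document's replacement objects live, so they deserve a closer look."""
    m = BYTERANGE_RE.search(pdf)
    if not m:
        return {"signed": False, "trailing_bytes": len(pdf), "updates_after_signature": 0}
    a, b, c, d = (int(x) for x in m.groups())
    trailing = pdf[c + d:]
    return {
        "signed": True,
        "starts_at_zero": a == 0,
        "gap_is_signature_value": pdf[b:c].startswith(b"<") and pdf[b:c].endswith(b">"),
        "trailing_bytes": len(trailing),
        "updates_after_signature": len(EOF_RE.findall(trailing)),
    }


if __name__ == "__main__":
    signed = build_signed_pdf(b"Pay 100 EUR")
    print(audit_signature_coverage(signed))
    print(audit_signature_coverage(append_incremental_update(signed, b"Pay 100000 EUR")))
```

A non-zero `trailing_bytes` is a trigger for review, not proof of an attack; the decision that matters for a viewer is whether the bytes after the signed range change what is displayed, which is what the hide-and-replace variant exploits.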

The flaws — tracked as CVE-2020-9592 and CVE-2020-9596 — have been since addressed by Adobe in an update released on May 12, 2020. As of December 17, 2020, 11 of the 29 tested PDF applications remain unpatched.

This is not the first time PDF security has come under the lens. The researchers have previously demonstrated methods to extract contents of a password-protected PDF file by taking advantage of partial encryption supported natively by the PDF specification to remotely exfiltrate content once a user opens that document.

Separately, the researchers last month uncovered another set of 11 vulnerabilities impacting the PDF standard (CVE-2020-28352 through CVE-2020-28359, and from CVE-2020-28410 to CVE-2020-28412) that could lead to denial-of-service, information disclosure, data manipulation attacks, and even arbitrary code execution.


TDoS Attacks Take Aim at Emergency First-Responder Services
23.2.2021
Attack  Threatpost

The FBI has warned that telephony denial-of-service attacks are taking aim at emergency dispatch centers, which could make it impossible to call for police, fire or ambulance services.

Telephony denial-of-service (TDoS) attacks, which affect the availability and readiness of call centers, are hitting critical first-responder facilities, according to the Federal Bureau of Investigation (FBI).

A TDoS attack is designed to prevent incoming and outgoing calls, by flooding a target with junk calls.

“The objective is to keep the distraction calls active for as long as possible to overwhelm the victim’s telephone system, which may delay or block legitimate calls for service,” according to a recent announcement from the FBI.

Worryingly, TDoS attacks have been hitting Public Safety Answering Points (PSAPs), which are call centers responsible for connecting callers to emergency services, such as police, firefighting or ambulance services.

“PSAPs represent key infrastructure that enables emergency responders to identify and respond to critical events affecting the public,” according to the FBI. “The resulting increase in time for emergency services to respond may have dire consequences, including loss of life.”

The FBI also warned that TDoS attacks could be used in conjunction with a physical attack, when calls to 911 and other emergency numbers would crest.

How TDoS Attacks Work
TDoS attacks can be manual or automated, according to the FBI. In the case of the former, adversaries typically use social networks to encourage individuals to flood a particular number with a calling campaign.

An automated TDoS attack, on the other hand, uses VoIP software and the Session Initiation Protocol (SIP) to make tens or hundreds of calls, simultaneously or in rapid succession.

“Numbers and call attributes can be easily spoofed, making it difficult to differentiate legitimate calls from malicious ones,” according to the alert.
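Because caller numbers are spoofed per call, a detector cannot key on the caller ID; what it can see is the rate of INVITEs hitting a trunk and the fact that an unnatural number of distinct caller IDs arrive from very few source hosts. The sliding-window detector below is an added example, not part of the FBI alert or any product: it runs over constructed SIP INVITE log lines (a quiet baseline followed by a 40-call burst in 30 seconds from three hosts, each call with a fresh caller ID). The log format, the 20-calls-per-minute threshold and the alert fields are assumptions of this example.

```python
from collections import Counter, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed INVITE events for a dispatch trunk (hypothetical log format:
    '<ISO timestamp> INVITE from=<caller> src=<ip>')."""
    t0 = datetime(2021, 2, 22, 9, 0, 0)
    lines = []
    for i in range(6):                                   # baseline: one call every 3 minutes
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} INVITE from=+1555010{i:04d} src=203.0.113.{10 + i}")
    burst = t0 + timedelta(minutes=20)
    for i in range(40):                                  # burst: 40 calls in 30 s from 3 hosts
        ts = burst + timedelta(milliseconds=750 * i)     # every caller ID is different (spoofed)
        lines.append(f"{ts.isoformat()} INVITE from=+1555{i:07d} src=198.51.100.{i % 3 + 1}")
    return lines


def parse(line):
    ts, _, frm, src = line.split()
    return datetime.fromisoformat(ts), frm.split("=", 1)[1], src.split("=", 1)[1]


def detect_tdos(lines, window_s=60, threshold=20, max_src_hosts=5):
    """Slide a time window over INVITEs and raise one alert as soon as the
    window holds >= threshold calls; a new alert is only raised once the
    previous one is older than the window. The spoofing indicator is 'every
    call in the window has a distinct caller ID but few source hosts'."""
    window = deque()
    alerts = []
    for ts, caller, src in sorted(parse(l) for l in lines):
        window.append((ts, caller, src))
        while ts - window[0][0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= threshold and (not alerts or ts - alerts[-1]["at"] > timedelta(seconds=window_s)):
            callers = {c for _, c, _ in window}
            srcs = Counter(s for _, _, s in window)
            alerts.append({
                "at": ts,
                "calls_in_window": len(window),
                "distinct_caller_ids": len(callers),
                "source_hosts": len(srcs),
                "top_source": srcs.most_common(1)[0][0],
                "likely_spoofed": len(callers) == len(window) and len(srcs) <= max_src_hosts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_tdos(make_sample_log()):
        print(alert)
```

On the constructed log the baseline never trips the threshold and the burst produces a single alert at its twentieth call, with the source-host count pointing at the few trunks worth rate-limiting while the caller IDs, being spoofed, carry no useful signal.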

Why do Attackers Carry Out TDoS?
TDoS attacks are not a new phenomenon; Arbor Networks started noticing an increase in attacks targeting telephony system infrastructure as far back as July 2012. They claimed that the method is a relatively cheap option for cybercriminals looking to diversify their attack vectors.

There are a number of reasons why attackers might turn to TDoS. For instance, hacktivists or social-cause-motivated cybercriminals might target municipal services to advance or highlight a political cause, the FBI pointed out.

Pure financial gain is another motive. TDoS attacks are sometimes part of extortion schemes aimed at private companies in which attackers impersonate a collections agency representative collecting an outstanding (and fictional) loan or other fee. If the target doesn’t pay, the attacker launches the TDoS attack that, if successful, inundates the call center with call traffic and ultimately overwhelms it, potentially making it impossible to complete incoming and outgoing calls.

Malicious actors may also use TDoS attacks to harass call centers and distract operators just “for fun,” with a disregard for harmful effects. These attacks may be accompanied by messaging on social media platforms in order to increase the severity, according to the FBI.

How to Prepare for an Emergency
The FBI noted that citizens can be prepared for a TDoS attack.

“The public can protect themselves in the event that 911 is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area,” the FBI counseled.

Steps to take include:

Contact local emergency services authorities for information on how to request service in the event of a 911 outage.
Find out if text-to-911 is available in your area.
Have non-emergency contact numbers for fire, rescue and law enforcement readily available.
Sign up for automated emergency notifications from your locality.
Identify websites and follow social media for local emergency response.


FBI warns of the consequences of telephony denial-of-service (TDoS) attacks
22.2.2021
Attack  BigBrothers  Securityaffairs

The Federal Bureau of Investigation (FBI) has issued a warning about the risks of telephony denial-of-service (TDoS) attacks on call centers.
The United States’ Federal Bureau of Investigation (FBI) is warning of the consequences of telephony denial-of-service (TDoS) attacks on call centers, which in some cases could threaten people’s lives.

TDoS attacks can render telephone systems unavailable, making it impossible to make and receive calls, a frightening scenario when the attackers target 911 or other emergency call centers.

TDoS attacks can be manual or automated. Threat actors behind manual TDoS attacks use social networks to encourage individuals to call a call center at the same time, flooding it.

An automated TDoS attack leverages specific applications that allow attackers to make tens or hundreds of calls simultaneously; caller attributes can be easily spoofed, making it difficult to differentiate legitimate calls from malicious ones.
“A TDoS attack is an attempt to make a telephone system unavailable to the intended user(s) by preventing incoming and/or outgoing calls. The objective is to keep the distraction calls active for as long as possible to overwhelm the victim’s telephone system, which may delay or block legitimate calls for service. The resulting increase in time for emergency services to respond may have dire consequences, including loss of life.” reads the FBI’s public service announcement.

“TDoS attacks pose a genuine threat to public safety, especially if used in conjunction with a physical attack, by preventing callers from being able to request service. The public can protect themselves in the event that 911 is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area.”

The motivations behind this type of attack are multiple, including hacktivism, financial gain through extortion, or harassment.

The FBI also provided a list of guidelines on how to prepare for a 911 outage:

Before there is an emergency, contact your local emergency services authorities for information on how to request service in the event of a 911 outage. Find out if text-to-911 is available in your area.
Have non-emergency contact numbers for fire, rescue, and law enforcement readily available in the event of a 911 outage.
Sign up for automated notifications from your locality if available to be informed of emergency situations in your area via text, phone call, or email.
Identify websites and follow social media for emergency responders in your area for awareness of emergency situations.


Credential stuffing attack hit RIPE NCC: Members have to enable 2FA
19.2.2021
Attack  Securityaffairs

RIPE NCC has disclosed a failed credential stuffing attack against its infrastructure and is asking its members to enable 2FA for their accounts.
RIPE NCC announced that it had suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.

The RIPE NCC is a not-for-profit membership association, a Regional Internet Registry and the secretariat for the RIPE community supporting the Internet through technical coordination.

It has over 20,000 members from over 75 countries who act as Local Internet Registries (LIRs) and assign blocks of IP addresses to other organizations in their own country.

The organization mitigated the attack, and its investigation confirmed that no SSO accounts had been compromised.

“Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime,” reads a statement published by the organization.
“We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future. Our preliminary investigations do not indicate that any SSO accounts have been compromised.”

In response to the attack, RIPE is asking all its members to enable two-factor authentication for their Access accounts to protect them from account takeover resulting from brute-force-like attacks.

Any user who detects suspicious activity on their account should report it to RIPE.


DDoS Attacks Wane in Q4 Amid Cryptomining Resurgence

17.2.2021
Attack  Threatpost

The volume of attacks fell 31 percent in the last part of 2020, as Bitcoin values skyrocketed. But there were still several notable trends, such as a rise in Linux botnets.

Distributed denial-of-service (DDoS) attacks dropped significantly at the end of 2020, down 31 percent in the fourth quarter, according to researchers. The reason? Cybercriminals have switched their efforts (and their botnets) to cryptomining.

According to an analysis from Kaspersky published Tuesday, cybercriminals began repurposing infected devices for cryptomining in response to rising cryptocurrency values.

“A surge in cryptocurrency costs may have prompted cybercriminals to re-profile some botnets so that the command-and-control (C2) servers typically used in DDoS attacks could repurpose infected devices and use their computing power to mine cryptocurrencies instead,” researchers said.

DDoS Trends in Q4 2020
DDoS of course didn’t go away – as people spent more time online in 2020, researchers observed a corresponding spike in DDoS attacks for most of the year. And in the fourth quarter, attacks hit schools in Sandwich and Tyngsboro, Mass., Telenor Norway and Laurentian University in Canada, according to Kaspersky. Online gaming services also continued to suffer DDoS attacks during the analyzed period.

Q4 2020 attacks were down 31% but still up 10% year-over-year. Source: Kaspersky

“The number of DDoS attacks was still 10 percent higher than the same period the year before, but overall reflected a declining trend, after attacks spiked dramatically in response to global lockdown measures earlier in the year,” the analysis explained.

They added, “Cybercriminals used the names of well-known APT groups to intimidate victims, demanded ransoms in cryptocurrency, and carried out demonstration attacks to back up their threats.”

Another notable attack in December targeted the website Bitcoin.org, which hosts Bitcoin Core, one of the most widely used software versions of Bitcoin.

“While the resource was down, cryptocurrency newbies were invited to download a copy of Bitcoin Core via a torrenting service,” according to the report. “Most likely, the attack is related to the Bitcoin price, which has steadily risen over the past quarter. According to one of the developers behind Bitcoin.org, the site is always hit whenever Bitcoin is on the up.”

Attacking Citrix ADC
Interestingly, the DDoS perpetrators also began abusing Citrix application delivery controller (ADC) devices, specifically taking advantage of their interface for the Datagram Transport Layer Security (DTLS) protocol. DTLS is used to establish secure connections over UDP, through which most DNS queries, as well as audio and video traffic, are sent.

Notable DDoS trends for Q4. Source: Kaspersky.

“To amplify the attack, the attackers sent requests to devices with the DTLS interface enabled, spoofing victims’ IP addresses,” according to Kaspersky. “Consequently, the victims received reply packets several times larger in size. In the case of Citrix devices, the amount of junk traffic could increase by up to 36 times. After the attacks came to light, the manufacturer promptly released a firmware update for configuring verification of incoming requests. For those who do not use DTLS, it is recommended to simply disable this protocol.”

Kaspersky also found that there were no unexpected changes in the geographical distribution of DDoS attacks and targets. However, the top attack types shifted significantly: “The share of UDP flooding was up; ICMP attacks were displaced by GRE flooding. In addition, for the first time in our observation history, Linux botnets have almost totally captured the DDoS market.”

DDoS Predictions for 2021
The macro-trends shaping 2021, such as the pandemic and cryptocurrency prices, remain unpredictable, Kaspersky noted. Thus when it comes to forecasting the current quarter’s trend, researchers offered only a tentative assessment: A period of stability, with no major growth or decline, both in Q1 and throughout 2021.

“The DDoS attack market is currently affected by two opposite trends,” said Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “On the one hand, people still highly rely on stable work of online resources, which can make DDoS attacks a common choice for malefactors. However, with a spike in cryptocurrency prices, it may be more profitable for them to infect some devices with miners. As a result, we see that the total number of DDoS attacks in Q4 remained quite stable. And we can predict that this trend will continue in 2021.”

How to Protect Against DDoS Attacks
To stay protected against DDoS attacks, Kaspersky researchers noted that in addition to putting resources and technology in place, businesses should also validate third-party agreements and contact information, including those made with internet service providers.


DDoS attacks in Q4 2020
17.2.2021
Attack  Securelist
Cybercriminals are constantly on the lookout for means and methods to make attacks more destructive. In Q4 2020, Citrix ADC (application delivery controller) devices became one such tool, when perpetrators abused their DTLS interface. The DTLS (Datagram Transport Layer Security) protocol is used to establish secure connections over UDP, through which most DNS queries, as well as audio and video traffic, are sent. To amplify the attack, the attackers sent requests to devices with the DTLS interface enabled, spoofing victims’ IP addresses. Consequently, the victims received reply packets several times larger in size. In the case of Citrix devices, the amount of junk traffic could increase by up to 36 times. After the attacks came to light, the manufacturer promptly released a firmware update for configuring verification of incoming requests. For those who do not use DTLS, it is recommended to simply disable this protocol.
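For the operator of an appliance like the Citrix ADC described here and in the Threatpost summary above, the question is not whether the device is under attack but whether it is being used as a reflector: the spoofed "client" address is the real victim, and it shows up in flow data as a peer that receives far more bytes than it sends. The script below is an added example, not Kaspersky's or Citrix's code; it aggregates constructed per-flow summaries from a DTLS listener by peer address, computes the bytes-out to bytes-in ratio, and flags peers whose ratio and packet volume both exceed assumed thresholds (the 36x figure reproduces the amplification the report cites). The record layout and thresholds are assumptions of this example. The "verification of incoming requests" the report mentions corresponds in DTLS to the stateless cookie exchange (HelloVerifyRequest), which keeps the first reply no larger than the request and so collapses the ratio for unverified peers.

```python
from collections import defaultdict

# Constructed flow summaries from the appliance's DTLS listener, several records
# per peer over time: (peer_ip, packets_in, bytes_in, bytes_out).
SAMPLE_FLOWS = [
    ("192.0.2.10", 40, 4800, 5200),            # legitimate client, roughly symmetric
    ("192.0.2.10", 35, 4100, 4400),
    ("192.0.2.11", 60, 7100, 7600),
    ("198.51.100.7", 1500, 90000, 3240000),    # spoofed victim address: 36x amplification
    ("198.51.100.7", 1500, 90000, 3240000),
    ("198.51.100.7", 1500, 90000, 3240000),
    ("203.0.113.5", 3, 210, 4600),             # three unanswered handshakes: high ratio, tiny volume
]


def aggregate_by_peer(flows):
    """Sum packets_in, bytes_in and bytes_out per peer address."""
    totals = defaultdict(lambda: [0, 0, 0])
    for ip, packets, bytes_in, bytes_out in flows:
        t = totals[ip]
        t[0] += packets
        t[1] += bytes_in
        t[2] += bytes_out
    return dict(totals)


def amplification_factor(bytes_in, bytes_out):
    """Response bytes per request byte; infinite if nothing was received."""
    return bytes_out / bytes_in if bytes_in else float("inf")


def find_reflection_victims(flows, min_ratio=10.0, min_packets=1000):
    """Peers that receive far more than they send AND at a volume that a
    handful of failed handshakes cannot explain. Returned as
    (peer_ip, amplification, packets_in), strongest amplification first."""
    victims = []
    for ip, (packets, bytes_in, bytes_out) in aggregate_by_peer(flows).items():
        ratio = amplification_factor(bytes_in, bytes_out)
        if ratio >= min_ratio and packets >= min_packets:
            victims.append((ip, round(ratio, 1), packets))
    return sorted(victims, key=lambda v: -v[1])


if __name__ == "__main__":
    for ip, ratio, packets in find_reflection_victims(SAMPLE_FLOWS):
        print(f"{ip}: {ratio}x amplification over {packets} packets, likely a spoofed victim")
```

Both conditions matter: the ratio alone would also flag a client that gave up after a few handshakes, and the packet count alone would also flag a busy legitimate peer. A peer that passes both is the address to rate-limit or notify, and if the listener is not needed the report's own advice, disabling DTLS, removes the reflector entirely.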

Another notable attack in December targeted the website Bitcoin.org, which hosts Bitcoin Core, one of the most widely used software versions of bitcoin. While the resource was down, cryptocurrency newbies were invited to download a copy of Bitcoin Core via a torrenting service. Most likely, the attack is related to the bitcoin price, which has steadily risen over the past quarter. According to one of the developers behind Bitcoin.org, the site is always hit whenever bitcoin is on the up.

Overall, Q4 remained within the parameters of 2020 trends. Cybercriminals used the names of well-known APT groups to intimidate victims, demanded ransoms in cryptocurrency, and carried out demonstration attacks to back up their threats. Extortionists’ activity regularly made the news throughout 2020. In October, telecommunications firm Telenor Norway was another to fall victim.

Since the transition of schools and universities to remote learning, cybercriminals have tried to disrupt classes by flooding educational platforms with garbage traffic. This trend continued in the last months of 2020. In October, schools in Sandwich and Tyngsboro, Massachusetts, suffered network outages. In both cases, the institutions initially put the incident down to technical failure, and only later discovered the attack. In December, Canada’s Laurentian University reported a DDoS attack. But it dealt with the problem in a matter of minutes. Still, such attacks by year’s end were serious enough for the FBI to flag them in its December advisory as a major threat to teaching facilities. Educational institutions are recommended to use anti-DDoS solutions and strong firewall settings, and partner up with ISPs.

Gaming platforms didn’t escape cybercriminal attention either. According to ZDNet, Xbox and Steam were the targets of amplification attacks through Citrix devices. In early October, a DDoS attack was reported by the PUBG Mobile team.

And Blizzard’s European servers were hit by threat actors twice in the quarter.

In late December, several dozen top streamers planned to celebrate the end of 2020 playing through Rust all on the same server. The show failed at the first attempt, apparently due to a DDoS attack, although there is no reliable data on this. Given the hype surrounding the event, it may have been caused by an influx of fans tuning in. In 2020, when much of life shifted online, internet resources repeatedly suffered from surges in totally legitimate activity.

As for the fightback, the most notable Q4 event was the conviction of a former Apophis Squad member responsible for a string of DDoS attacks, including for ransom, as well as for disrupting school classes worldwide through fake bomb alerts, and for storing child pornography. For his efforts, the perpetrator was sentenced to eight years in prison.

The resistance against individual attack vectors also continues. The Internet Engineering Task Force (IETF) published a proposal for Network Time Security (NTS), a secure standard for data transmission over the Network Time Protocol (NTP), which is used to synchronize time across a network. The document addresses, in particular, the problem of DDoS amplification through this protocol and prohibits the sending, in response to a request, of data packets larger than the request packet.

Quarter and year trends
This time, our forecasts were exactly 50% accurate: as expected, in Q4 2020 we observed indicators comparable to those for the same period in 2019, and even slightly higher. However, growth relative to Q3 2020, which we predicted as a possible alternative, did not occur. On the contrary, the total number of attacks fell by about 30%, and smart attacks by 10%.

Comparative number of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100% 

All the same, the qualitative indicators are noteworthy: the share of smart attacks increased slightly in Q4, and the data on attack duration showed a downward trend for short attacks and an upward trend for long ones.

Share of smart attacks, Q3/Q4 2020 and Q4 2019

Duration of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100% 

The drop in the number of DDoS attacks can be explained by growth in the cryptocurrency market. We already mentioned several times, including in the previous report, the inverse relationship between DDoS activity and the price of cryptocurrencies. When we made our Q4 forecasts, hardly anyone expected such rapid, frankly unprecedented growth. Unsurprisingly, then, botnet operators turned some of their capacity over to mining.

Interestingly, the noticeable fall in the number of DDoS attacks compared to the previous quarter came at the expense of easy-to-organize attacks, while smart attacks declined only insignificantly. This is perfectly logical: it is unprofitable for botnet operators to sell capacity on the cheap, losing out on mining profits; so when prices rise, the first to be cut loose are amateurs — schoolkids, prankers, hotheads — who have no real reason to organize a DDoS. As for professionals, their interests are undented by market fluctuations, especially in Q4 with its many holidays and online sales, so they continue to order and carry out attacks, and mostly smart ones, because they are focused on the result, not the attempt.

What Q1 2021 will bring is hard to say. However, we are becoming increasingly convinced that the DDoS market has stopped growing, having completely stabilized after the decline in 2018. The current fluctuations are mainly due to the dynamics of cryptocurrency prices, and will depend directly on them going forward. If cryptocurrencies begin to fall in price in Q1 2021, the number of DDoS attacks will rise, and vice versa. At the same time, we do not expect to see any explosive growth or dramatic fall. Barring the unexpected (although the unexpected was the name of the game last year), DDoS market fluctuations will remain within 30%.

Comparative number of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100% 

As for the results of 2020 as a whole, the market slightly less than doubled over the year. Note that this growth is purely quantitative: the share of smart attacks remained practically unchanged.

Share of smart attacks, 2019 and 2020 

The attack duration data is of particular interest. In 2020, the average duration decreased by roughly a third, while the maximum increased noticeably overall, despite remaining almost on a par with last year in the case of smart attacks. This suggests that short attacks are getting shorter and long ones longer; we saw a similar trend in Q4. Although the reasons are hard to pinpoint, we can assume, as with every other trend last year, that it is related to the pandemic, the serious global instability and the eruptive growth in the cryptocurrency market. The DDoS market is changing under the influence of these factors, as too are the targets of attacks and those who order them, and with them the average attack duration.

Duration of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100% 

Statistics
Methodology
Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2020.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Note that Q4 2020 saw a rise in the number of botnets whose activity is included in the DDoS Intelligence statistics. This may be reflected in the data presented in this report.

Quarter summary
In Q4, as before, China (58.95%), the US (20.98%) and Hong Kong (3.55%) led the pack by number of DDoS attacks.
Ditto the TOP 3 regions by number of targets: China (44.49%), the US (23.57%) and Hong Kong (7.20%).
On the “quietest” days, the number of DDoS attacks did not exceed one per day.
The most active day of the quarter in terms of DDoS was December 31, which recorded 1,349 attacks.
We saw the most DDoS attacks this quarter on Thursdays, and the fewest on Sundays.
The shares of very short attacks (71.63%) and very long attacks (0.14%) decreased in Q4, while the shares of all intermediate categories increased.
Q4 reshuffled the distribution of DDoS attacks by type: UDP flooding returned to second place (15.17%), and GRE flooding, previously unmentioned in our reports, became the fourth most common (0.69%).
Linux botnets were used in almost 100% of attacks.
The majority of botnet C&C servers were located in the US (36.30%), the Netherlands (19.18%) and Germany (8.22%).
Attack geography
The TOP 3 countries by number of DDoS attacks in Q4 2020 remained the same as in the previous reporting period. China is still top (58.95%), but its share fell by 12.25 p.p. Second place goes to the US (20.98%), whose share, in contrast, climbed by 5.68 p.p. A similar pattern — a decline in China’s and an increase in the US share against Q3 — we also observed in the last three months of 2019.

Despite losing 0.92 p.p., the Hong Kong Special Administrative Region (3.55%) clung on to third place, which it has not vacated since the beginning of 2020. This is where the similarity with the Q3 picture ends: Singapore, fourth in the last reporting period, dropped out of the TOP 10. It was replaced by the UK (1.99%), which gained 1.72 p.p.

The fifth line is occupied by South Africa (1.31%), displacing Australia (0.97%), which dropped to seventh, despite increasing its share by 0.32 p.p.; Canada (1.04%) ranked sixth after missing out on the TOP 10 in Q3.

The Netherlands moved down one position to eighth (0.86%). India and Vietnam, like Singapore, left the TOP 10. The ranking is rounded out by Germany (0.71%) and France (0.64%), which both fell short of the Q3 TOP 10.

Distribution of DDoS attacks by country, Q3 and Q4 2020 

The TOP 10 list of countries by number of DDoS targets is traditionally similar to the ranking by number of attacks. The three leaders are the same: ahead is China (44.49%), whose share decreased by 28.34 p.p. but remains unchallenged. Second is the US (23.57%), whose share increased by 7.82 p.p., and in third place is Hong Kong (7.20%).

South Africa failed to make the TOP 10 by number of targets, but Singapore (2.21%) did, despite dropping out of the ranking by number of attacks. Although its share increased by 1.74 p.p., it lost ground relative to Q3 and moved down to fifth place. This is because all the TOP 10 countries, except China, increased their share. For instance, the fourth-placed Netherlands (4.34%) grew by 4.07 p.p.

As for countries lower down, only their order of appearance distinguishes this list from the ranking by number of attacks. Canada (1.97%) outstrips the UK (1.77%), while Australia (1.29%) places last, behind France (1.73%) and Germany (1.62%).

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2020 

Dynamics of the number of DDoS attacks
As expected, Q4 was more turbulent than its predecessor. The start of the reporting period was quite calm: on October 3–6, we observed only one attack per day. However, come October 20, 347 attacks were recorded, which exceeds the Q3 maximum (323 attacks in one day). In late October and November, DDoS activity fluctuated between close to zero and 200 attacks per day.

The last days of November saw the start of significant growth, which continued through quarter’s end, most likely due to the increase in the number of botnets monitored by Kaspersky, as well as the Christmas and New Year vacations, the runup to which is usually accompanied by a spike in cybercriminal activity. The overall rise in online shopping (holiday-related and other) probably also played a role. The hottest day in terms of DDoS this quarter was December 31, with 1,349 attacks recorded worldwide.

Dynamics of the number of DDoS attacks, Q4 2020 

In Q4, Thursday remained the most active day of the week (17.67%), although its share dropped by 1.35 p.p. against the previous quarter. But the title of quietest day changed hands again: this time, cybercriminals preferred to put their feet up on Sundays (11.19%). What’s more, the spread in the number of attacks on “calm” and “stormy” days narrowed to 6.48 p.p., down from almost 9 p.p. last quarter. In the last three months of the year, the number of attacks conducted on Tuesdays, Wednesdays and Fridays increased, and for other weekdays, decreased.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2020 

Duration and types of DDoS attacks
The average duration of DDoS attacks in Q4 increased relative to the previous reporting period. This can be attributed to the significant decline in the share of very short attacks lasting under four hours (71.62% versus 91.06% in Q3), as well as the increase in the number of longer attacks. Specifically, the share of attacks lasting 5–9 (11.78%), 10–19 (8.40%), 20–49 (6.10%), 50–99 (1.86%) and 100–139 (0.10%) hours increased this quarter.

In contrast, the share of ultra-long attacks decreased by 0.09 p.p. to 0.14%, yet remained higher than the share of attacks lasting 100–139 hours, while the duration of the longest attack exceeded 12 days (302 hours), which is noticeably longer than the Q3 maximum (246 hours).

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2020 

The distribution of DDoS attacks by type changed dramatically in Q4. The lead is still held by SYN flooding, but its share fell by 16.31 p.p. to 78.28%. Meanwhile, the share of UDP flooding shot up (15.17%), having been under 2% in the first three quarters. TCP attacks (5.47%) also increased in number, but ICMP flooding, previously ranked second after SYN attacks, was negligible in Q4, so we did not include it in the statistics.

Instead, a type of attack previously unmentioned in our reports, GRE flooding (0.69%), showed up on the Q4 radar. GRE (Generic Routing Encapsulation) is a traffic-tunneling protocol used primarily for creating virtual private networks (VPNs). GRE flooding was employed, for instance, by the Mirai botnet to attack the blog of journalist Brian Krebs in 2016.

Distribution of DDoS attacks by type, Q4 2020 

This quarter, for the first time since our observations began, the share of Windows botnets fell to almost zero (0.20%). Almost all recorded DDoS attacks were carried out using Linux-based bots.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2020 

Botnet distribution by country
The bulk of C&C servers in control of DDoS botnets in Q4 2020 were located in the US, which accounted for 36.30% of the total number of servers. In second place was the Netherlands with a 19.18% slice. Germany completes the TOP 3 with 8.22%.

Romania came fourth by number of C&C servers (4.79%), while fifth and sixth positions were shared by France and the UK, both on 4.11%. This quarter’s seventh-, eighth- and ninth-ranking countries likewise had the same share: Canada, Hungary and Vietnam all posted 3.42%. China (2.05%) wraps up the TOP 10 countries by number of recorded botnet C&C servers.

Distribution of botnet C&C servers by country, Q4 2020 

Conclusion
Q4 was both ordinary and extraordinary. On the one hand, there were no unexpected changes in the geographical distribution of DDoS attacks and targets; on the other, the distribution by attack type shifted radically: the share of UDP flooding was up; ICMP attacks were displaced by GRE flooding. In addition, for the first time in our observation history, Linux botnets have almost totally captured the DDoS market.

We would very much like to see the data for an alternative 2020 — one with no pandemic, no dramatic cryptocurrency growth, no shocks to the DDoS market. The coronavirus outbreak spurred the market (see our Q1 and Q2 reports), while the cryptocurrency upswing curbed it (see our Q3 report). Perhaps these opposing forces ultimately canceled each other out, and the picture would have been similar without them, but in 2020 they combined to create a perfect storm on the DDoS market, blowing half of our predictions off course.

It is hard to guess what to expect in 2021 — we cannot predict how the pandemic or cryptocurrency prices will behave. Therefore, our forecast is very tentative: no sharp shocks will equal little change on the DDoS market. We see no preconditions for major growth or decline, both in Q1 and throughout 2021. The watchword is stability, which is what we expect.


Accellion to Retire File Transfer Service Targeted in Attacks
16.2.2021 
Attack  Securityweek

Accellion has formally announced plans to retire FTA, the large file transfer service that was at the heart of several recently disclosed data breaches.

The 20-year-old service is planned for retirement on April 30, 2021, after which Accellion won't renew licenses for the software.

FTA runs on CentOS 6, an operating system that reached end-of-life on November 30, 2020, a matter that Accellion brought to the attention of FTA customers six months ago.

Despite efforts to completely move away from FTA, however, Accellion still had approximately 50 customers using the product back in December 2020, when a critical vulnerability was identified in it.

On December 23, the company said, FTA customers were alerted of a sophisticated cyber-attack targeting the file sharing service.

At least three organizations have been hacked through the vulnerable file sharing service, namely the Office of the Washington State Auditor (SAO), the Australian Securities and Investments Commission (ASIC), and the Reserve Bank of New Zealand.

Following the discovery of the critical flaw in FTA in mid-December, a “concerted cyberattack” on FTA continued into January. During that time, Accellion identified additional exploits and released necessary patches.

According to the company, all of the known FTA vulnerabilities that the attackers have been exploiting are now patched and new monitoring and alerting capabilities have been added, to identify and warn of anomalies associated with these attack vectors.

“All vulnerabilities are limited exclusively to FTA. They do not in any way impact Accellion’s enterprise content firewall platform known as kiteworks,” the company says.

In fact, Accellion has been long touting the more robust security capabilities of the kiteworks platform, asking customers to migrate to it and leave FTA aside. With the legacy product set to reach end-of-life at the end of April, moving to kiteworks is now unavoidable (Accellion will offer support for the migration for free).

“We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers, but strongly urge them to migrate to kiteworks as soon as possible,” Frank Balonis, Accellion’s chief information security officer, commented.

The company says it will honor FTA licenses that will expire past April 2021, and will continue to offer support to those customers for the duration of the licensing terms.


Singtel Suffers Zero-Day Cyberattack, Damage Unknown

13.2.2021  Attack  Threatpost

The Tier 1 telecom giant was caught up in a coordinated, wide-ranging attack using unpatched security bugs in the Accellion legacy file-transfer platform.

Singtel, Tier 1 telecom carrier throughout Asia and owner of Australian telco Optus, has been impacted by a software security hole in a third-party file transfer appliance targeted by attackers. Singtel is one of multiple organizations affected by the bug, including an Australian medical research institution.

The point of entry for the attack was software company Accellion, maker of (among other things) a legacy large file transfer product called File Transfer Appliance, or FTA. FTA is a 20-year-old product that was targeted by a “sophisticated cyberattack” on Dec. 23, according to a company notice in early February.

Singtel, one of the largest telecom companies in the world, announced Thursday that it was a victim of a cohesive set of cyberattacks. The statement coincided with Accellion’s own public acknowledgment that an ongoing vulnerability in FTA eventually led to an information compromise with Singtel and other customer systems.

Accellion’s Bug-Riddled File Transfer Software
Accellion noted that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.

“This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,” the company explained. “Accellion identified additional exploits in the ensuing weeks, and rapidly developed and released patches to close each vulnerability. Accellion continues to work closely with FTA customers to mitigate the impact of the attack and to monitor for anomalies.”

The system is now fully patched – as far as the company knows. But in the midst of the mad scramble of discovery, attacks and patching, companies like Singtel were caught in the crossfire.

“The Accellion file transfer product used by Singtel is 20 years old, and continues to be used by many organizations in the financial, governmental and commercial sector to transfer large files, despite Accellion’s offering of newer and more secure file-sharing solutions,” Chloé Messdaghi, chief strategist, Point3 Security, said via email. “That’s problematic – it’s the kind of decision that puts companies at sharply increased risk. The fact is that breaches are going to happen, and possibly through a third party.”

Singtel: Unpatched Security Bug Led to Attack
Accellion disclosed the initial vulnerability to Singtel on Dec. 23 when it discovered it. The telco applied the given patches, starting the next day.

“The second and last patch was applied on 27 December,” according to the telecom giant. “There were no patches issued by Accellion since.”

But then a month later on Jan. 23, Accellion issued another advisory citing a new vulnerability that bypassed the Dec. 27 patch, Singtel said.

“We immediately took the system offline,” according to the statement. “On 30 January, Accellion provided another patch for the new vulnerability which triggered an anomaly alert when we tried to apply it. Accellion informed thereafter that our system could have been breached and this had likely occurred on 20 January.”

Singtel Zero-Day Attack: Damage Unknown
Singtel used Accellion FTA “to share information internally as well as with external stakeholders,” it said in a website statement.

It is working to uncover the scope of the damage, according to the statement. That could be extensive, given that Singtel has both business- and consumer-focused operations in Singapore; throughout Australia via its subsidiary Optus; across India, South Asia and Africa via Bharti Airtel; in Indonesia via Telkomsel; in the Philippines via Globe Telecom; and in Thailand via Advanced Info Service.

“We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. Customer information may have been compromised. Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”

Garret Grajek, CEO at YouAttest, noted that espionage-motivated hackers are usually inside an enterprise, undetected, for a long time – weeks if not months, as evidenced in the sprawling SolarWinds campaign.

“By this time, we have to assume that an attacker is going to penetrate our network, servers, applications in some form or another,” he said via email. “Billions of scans are running daily — looking for known, published vulnerabilities. It is known conduct in the attacker’s kill chain that the hacker will usually do the two following actions: conduct lateral movement across the enterprise (to find valued resources) and to escalate their own privileges (say to admin account) to help move to all resources have the privileges and access to exfiltrate the data.”

Medical Research Under Attack
QIMR Berghofer, an Australian medical research institute, also announced this week that it was a victim of the attack.

It said in a statement that it uses Accellion FTA “to receive and share data from clinical trials of anti-malarial drugs,” and that about 4 percent of data held on the file-sharing was accessed by an unknown party on Christmas Day.

“These clinical trials are conducted with healthy volunteers,” QIMR Berghofer said. “No names, contact details or other personally identifiable details of study participants are in the files held in Accellion. Instead, codes are used to refer to study participants. Some of the documents in Accellion include de-identified information such as the initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes. Some other documents include participants’ de-identified medical histories, along with their codes.”

QIMR Berghofer had been scheduled to migrate the software in March.

The Accellion Victim List Grows
Singtel and QIMR Berghofer join other victims, such as the Reserve Bank of New Zealand – Te Pūtea Matua, in being affected by the attack. In a short statement in January, the bank said that it used FTA to “share and store some sensitive information” which has been illegally accessed.

“We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack,” Governor Adrian Orr said in the statement. “The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”

The system was taken offline, Orr added.

For its part, the Silicon Valley-based Accellion said it has things under control. “Our latest release of FTA has addressed all known vulnerabilities at this time,” Frank Balonis, Accellion CISO, said in a statement. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate…and have accelerated our FTA end-of-life plans in light of these attacks.”


Hybrid, Older Users Most-Targeted by Gmail Attackers

11.2.2021  Attack  Threatpost

Researchers at Google and Stanford analyzed 1.2 billion malicious emails to find out what makes users likely to get attacked. 2FA wasn't a big factor.

Users whose personal details have been exposed by a third-party breach, Australians, older folks and those who use both desktops and mobile devices are at the highest risk of becoming the victim of a malicious email attack, according to Google and researchers from Stanford, who teamed up to determine who has the highest risk of being targeted.

The researchers looked at the 1.2 billion phishing and malware emails automatically blocked by Gmail over five months. For privacy, the team applied k-anonymity, looking at broad trends across aggregated groups of users rather than at individual accounts.

“We modeled the likelihood of receiving any phishing or malware emails in a given week as a function of geographic location, demographics, security posture, device access and prior security incidents (such as having personal data revealed by a third-party data breach),” the report explained.

This research comes at a time when users are getting crushed by record numbers of malware-stuffed emails. COVID-19 and the pandemic's push to a remote workforce have supercharged email attackers' efforts over the past year.

In fact, according to Proofpoint’s 2020 State of the Phish report, the pandemic has driven a 14 percent increase in phishing attacks in the U.S. alone over 2019.

Attackers Are Trolling for Stolen Data
Users who had personal data exposed in a third-party breach were five-times more likely to be targeted by phishing or malware, according to the report, which highlights just how damaging these types of data breaches can be, even in the long run.

“This suggests that attackers actively harvest data breach information, both for enumerating email addresses, but also potentially for demographic information in order to identify a user’s age or country of access,” the report found. “As such, our results suggest that data breaches expose users to lasting harms due to the lack of viable remediation options.”

Where Do Most Gmail Attacks Take Place?
Users’ location is also a big factor in how likely they are to be targeted by malicious emails. The United States is the most popular country for attackers in terms of sheer numbers, perhaps unsurprisingly. However, the report reveals that Gmail users in Australia actually face twice the odds of being targeted versus Americans.

“We find that the country where a user accesses Gmail represents a considerable risk factor,” the report explained. “The highest-risk countries are concentrated in Europe and Africa…. Overall, 16 countries exhibited a higher risk on average than the United States, even though the United States is the largest target by volume of emails.”

Are Older People More Vulnerable? Yes.
Age is also a factor when it comes to being targeted, according to the report's findings. The report said, "the odds of someone 55 to 64 experiencing an attack is, on average, 1.64 times that of 18 to 24-year-olds."

There are two possible explanations for this, the report explained. First is that attackers simply see older users as easier to dupe and coerce. The second is that older people tend to have “larger online footprints,” the report said, “thus making the discovery of their accounts easier.”

Mobile-Only and Desktop-Only Are Safest
Meanwhile, mobile-only and desktop-only users were less likely to be victimized than those who use both to access their Gmail accounts, the report found.

“This may be due to the socioeconomic (SES) factors affecting device ownership (i.e., lower SES groups are more likely to own only mobile or only desktop devices), and attackers targeting wealthier groups,” according to the analysis. “Device ownership may also be correlated with technical savviness and online footprint; users that only sign in from one type of device may sign up for less online services and accounts, further reducing their likelihood of being targeted.”

Another factor that correlates with a higher risk of email attacks is the amount of activity a person has on Gmail, with "frequent" users being more than five times as likely to be targeted.

Can 2FA Protect Against Email Threats?
Surprisingly, the researchers said they found only a “nominal difference” in the mitigation of risk with two-factor authentication (2FA).

"This suggests that many users who are at risk of attack have yet to enable additional protections," the report said. "At the same time, we find that users who have proactively established a recovery mechanism face higher odds of attack (µ = 2.34). These users would likely be better protected by strict two-factor authentication."

Regardless of how likely a user is to be attacked by a scam, it’s still basic security awareness and human behavior that offers the best protection, Gretel Egan, senior security awareness and training strategist for Proofpoint explained.

“Most attacks require human interaction to be successful — and they are overwhelmingly aimed at specific people,” she said.

Google suggests that users boost their security by completing a security checkup and enabling safe-browsing protections in Google Chrome. Google also offers an Advanced Protection program for users who have a high risk of being targeted.


Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple
11.2.2021 
Attack  Threatpost

Ethical hacker Alex Birsan developed a way to inject malicious code into open-source developer tools to exploit dependencies in organizations' internal applications.

An ethical hacker has demonstrated a novel supply-chain attack that breached the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools.

The attack, devised by security researcher Alex Birsan, injects malicious code into common tools for installing dependencies in developer projects, which typically pull packages from public repositories such as the npm registry, PyPI and RubyGems. The malicious code then rides those dependencies into a targeted company's internal applications and systems.

Once he began to target companies with his attack, “the success rate was simply astonishing,” Birsan said in a post on Medium that elaborately details the attack.

All told, the vulnerability he exploited, which he called dependency confusion, was detected inside more than 35 organizations to date, across three tested ecosystems: Python (PyPI), Ruby (RubyGems) and JavaScript (npm).

“The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations,” Birsan noted.

The researcher received more than $130,000 in both bug bounties and pre-approved financial arrangements with targeted organizations, who all agreed to be tested. The hack’s original target PayPal, as well as Apple and Canada’s Shopify, each contributed $30,000 to that amount.

Birsan said he came up with the idea by exploring the trust that developers put in a "simple command" such as "pip install package_name" (or its equivalents, such as npm install and gem install), which they commonly use with programming languages such as Python, Node and Ruby to install dependencies, or blocks of code shared between projects.

These installers and their package indexes, such as the Python Package Index for Python, or npm and the npm registry for Node, are usually tied to public code repositories where anyone can freely upload code packages for others to use, Birsan noted.

However, using these packages comes with a level of trust that the code is authentic and not malicious, he observed.

“When downloading and using a package from any of these sources, you are essentially trusting its publisher to run code on your machine,” Birsan wrote. “So can this blind trust be exploited by malicious actors?”

Code-Inspired Idea
Birsan decided to answer this question last summer while attempting to hack PayPal with another ethical hacker, Justin Gardner, who shared with him “an interesting bit of Node.js source code found on GitHub,” Birsan said.

The code, which was meant for internal PayPal use, had in its package.json file a mix of public and private dependencies, including public packages from npm, as well as non-public package names, most likely hosted internally by PayPal, that did not exist on the public npm registry at the time.

“What happens if malicious code is uploaded to npm under these names?” Birsan wondered, according to the post. “Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?”

The short answer is, “yes,” he discovered. Birsan applied his idea to upload his own “malicious” Node packages to the npm registry under all the unclaimed names, which would “phone home” from each computer they were installed on, he explained. The code would notify him if it was installed on any of the PayPal-owned servers.

He created a Node package that collects basic information about each machine it is installed on through its preinstall script. Then, to strike a balance between the ability to identify an organization based on the data and the need to avoid collecting too much sensitive information, he logged only the username, hostname and current path of each unique installation.

“Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports, while avoiding having my testing be mistaken for an actual attack,” he said.

DNS for Data Exfiltration
Once he had a way in, Birsan decided to use DNS exfiltration for sending data from organizations back to him, "knowing that most of the possible targets would be deep inside well-protected corporate networks," he said. Birsan also surmised that DNS would make it less likely that the data would be blocked or detected on the way out.

To do this, he hex-coded the data and used it as part of a DNS query, which reached his custom authoritative name server, either directly or through intermediate resolvers. He configured the server to log each received query, essentially keeping a record of every machine where the packages were downloaded, Birsan explained.
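The encoding scheme described above, as an added example (it is not Birsan's code, and the zone name, the field separator and the fingerprint fields are assumptions): the client side hex-encodes a small fingerprint into DNS labels under a zone the tester controls, the authoritative server side decodes it back from the query name, and a last function gives the defender's view, a heuristic for spotting such names in resolver logs.

```python
"""DNS exfiltration of a package fingerprint, as an added illustration.

Client side (what a preinstall hook would do): hex-encode a small
fingerprint and split it into DNS labels under a zone the tester controls.
Server side: the authoritative name server recovers the fields from the
query name it receives.  The last function is the defender's view: a
heuristic for spotting such names in resolver logs.
"""
import binascii
import re
from typing import Tuple

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a whole name is at most 253 characters in text form
ZONE = "exfil.example"   # hypothetical zone, not the one used in the research
SEP = "|"                # field separator inside the payload (assumption)


def encode_fingerprint(username: str, hostname: str, cwd: str, zone: str = ZONE) -> str:
    """Return the query name that carries (username, hostname, cwd) as hex labels."""
    payload = SEP.join((username, hostname, cwd)).encode("utf-8")
    hexdata = binascii.hexlify(payload).decode("ascii")
    # Chunk the hex string into labels of at most 63 characters each.
    labels = [hexdata[i:i + MAX_LABEL] for i in range(0, len(hexdata), MAX_LABEL)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("fingerprint does not fit in one query name")
    return name


def decode_query(qname: str, zone: str = ZONE) -> Tuple[str, str, str]:
    """Authoritative-server side: strip the zone, join the hex labels, split fields."""
    qname = qname.rstrip(".").lower()   # DNS names are case-insensitive
    suffix = "." + zone
    if not qname.endswith(suffix):
        raise ValueError("query is not under the collection zone")
    hexdata = "".join(qname[:-len(suffix)].split("."))
    username, hostname, cwd = binascii.unhexlify(hexdata).decode("utf-8").split(SEP, 2)
    return username, hostname, cwd


HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def looks_like_exfil(qname: str, min_hex_chars: int = 32) -> bool:
    """Defender heuristic for resolver logs: a name whose long, all-hex labels
    add up to at least `min_hex_chars` characters.  Tune the threshold for
    your environment: content hashes in CDN host names can trigger it too."""
    labels = qname.rstrip(".").lower().split(".")
    hex_chars = sum(len(label) for label in labels if HEX_LABEL.match(label))
    return hex_chars >= min_hex_chars


if __name__ == "__main__":
    # Constructed sample fingerprint, not data from any real system.
    q = encode_fingerprint("alice", "ci-runner-17", "/home/alice/work/payments-service")
    print(q)
    print(decode_query(q))
    print(looks_like_exfil(q), looks_like_exfil("www.example.com"))
```

A fingerprint of a few dozen bytes already spans two labels, which is why a resolver-log rule keyed on long hex labels catches this kind of beacon; blocking it outright is harder, since the query reaches the attacker's server through the organization's own recursive resolver.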

Once he had the basic attack method in place, Birsan explored how to cast as wide a net as possible in terms of targeted organizations, expanding the number of ecosystems he could attack. He ported the code to both Python and Ruby so he could upload similar packages to PyPI (Python Package Index) and RubyGems respectively.

More importantly, he combed private package names belonging to targeted companies to find as many relevant dependency names as possible. His search revealed that many other names could be found on GitHub, as well as on the major package hosting services–inside internal packages which had been accidentally published–and even within posts on various internet forums.

His efforts revealed that the best place to find private package names turned out to be JavaScript files. This is because it is common for package.json files, which contain the names of a JavaScript project's dependencies, to become embedded into public script files during their build process, exposing internal package names, Birsan said.

Similarly, leaked internal paths or require() calls within these JavaScript files may also contain dependency names, scenarios he discovered at Apple, Yelp and Tesla, he added.

However, JavaScript's susceptibility to the attack does not necessarily mean that Python and Ruby are less susceptible, Birsan noted. In fact, though he only identified internal Ruby gem names belonging to eight organizations during his searches, four of those companies, including Shopify, turned out to be vulnerable to dependency confusion through RubyGems, he said.


Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks
11.2.2021 
Attack  Securityweek

Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.

Organizations leverage software dependencies for various purposes within their environments, but they are not always aware of the risks associated with this practice, especially if they are not able to efficiently keep track of packages that are used from public repositories.

To show the risks associated with using improperly managed public packages, Birsan decided to look for dependencies that known companies use, and show how these dependencies could be abused by threat actors to breach the targeted organizations.

The main issue that he discovered was that, although code used internally within the targeted environments does say which packages to use, it doesn’t always dictate where these packages should be sourced from.

Thus, Birsan came up with the idea of researching for the names of both private and public packages used by the targeted companies, creating his own packages using the same names, and storing these packages on public repositories, in hopes that they would be loaded instead of legitimate packages.

Birsan started with his own “malicious” Node package uploaded to the npm registry, which contained code to fingerprint the system and report back with enough information to allow for the identification of the targeted organization.

“To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname, and current path of each unique installation. Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports,” the researcher explains.

With most targets within corporate networks, the researcher leveraged DNS exfiltration as a means to ensure that the gathered information was indeed sent back to his server.

Furthermore, to ensure that he could identify as many targets as possible, the researcher ported the code to both Python and Ruby, and uploaded packages to PyPI (Python Package Index) and RubyGems.

During his research, Birsan discovered multiple package names on GitHub and other major package hosting services (including the names of internal packages that were accidentally made public), as well as in posts on internet forums.

“Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names,” the researcher notes.

During the second half of 2020, Birsan discovered hundreds of JavaScript package names not claimed on the npm registry, and proceeded to upload his own code to hosting services under all the discovered names.

“One thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan reveals.

More than 35 organizations were found vulnerable to this type of attack – which the researcher called dependency confusion – most of them with over 1,000 employees each. Because JavaScript dependency names were easier to find, most of the callbacks (75%) came from npm packages.

Affected organizations include Shopify, which issued a $30,000 bug bounty for the discovery, Apple, also with a $30,000 reward, PayPal, also with a $30,000 bounty payout, and Microsoft, with a $40,000 reward. Other major companies that were found to be impacted include Netflix, Yelp and Uber.

All of the targeted organizations had provided permissions to have their security tested, either through public bug bounty programs, or through private agreements, the researcher notes.


Dependency Confusion Supply-Chain Attack Hit Over 35 High-Profile Companies
11.2.2021 
Attack  Thehackernews
In what's a novel supply chain attack, a security researcher managed to breach over 35 major companies' internal systems, including that of Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, and achieve remote code execution.

The technique, called dependency confusion or a substitution attack, takes advantage of the fact that a piece of software may include components from a mix of private and public sources.

These external package dependencies, which are fetched from public repositories during a build process, can pose an attack opportunity when an adversary uploads a higher version of a private module to the public feed, causing a client to automatically download the bogus "latest" version without requiring any action from the developer.

"From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," security researcher Alex Birsan detailed in a write-up.

Birsan has been collectively awarded over $130,000 in bug bounties for his efforts.


To carry out the attack, Birsan began by collecting names of private internal packages used by major companies off GitHub, posts on various internet forums, and JavaScript files that list a project's dependencies, and then uploaded rogue libraries using those same names to open-source package hosting services such as npm, PyPI, and RubyGems.

"[Shopify's] build system automatically installed a Ruby gem named 'shopify-cloud' only a few hours after I had uploaded it, and then tried to run the code inside it," Birsan noted, adding a Node package that he uploaded to npm in August 2020 was executed on multiple machines inside Apple's network, affecting projects related to the company's Apple ID authentication system.

Birsan ultimately used the counterfeit packages to obtain a record of every machine where the packages were installed and exfiltrated the details over DNS for the reason that the "traffic would be less likely to be blocked or detected on the way out."

The concern that a package with the higher version would be pulled by the app-building process regardless of where it's located hasn't escaped Microsoft's notice; the company released a new white paper on Tuesday outlining three ways to mitigate risks when using private package feeds.

Chief among its recommendations are as follows —

Reference one private feed, not multiple
Protect private packages using controlled scopes, namespaces, or prefixes, and
Utilize client-side verification features such as version pinning and integrity verification
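An added example, not code from the article or from Microsoft's paper, that checks an npm project against those three recommendations; the sample package.json, .npmrc and package-lock.json, the @acme scope, the internal package names and the feed host npm.internal.example are all constructed:

```python
"""Audit an npm project against the three recommendations above: one private
feed, scoped private packages, and pinned versions with integrity hashes.
Added example: the project files, the "@acme" scope and the feed URL are
constructed, not taken from Microsoft's paper or any real project."""
import json
import re

# Constructed sample project files.
PACKAGE_JSON = """{
  "name": "acme-web",
  "dependencies": {
    "express": "4.17.1",
    "acme-auth-client": "^1.2.0",
    "@acme/billing": "2.0.3",
    "@acme/ui-kit": "latest"
  }
}"""

# Weak: unscoped names fall through to the public registry.
NPMRC_WEAK = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

# Fixed: one private feed serves everything and proxies upstream packages.
NPMRC_FIXED = """registry=https://npm.internal.example/
@acme:registry=https://npm.internal.example/
"""

PACKAGE_LOCK = """{
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "acme-web"},
    "node_modules/express": {"version": "4.17.1", "integrity": "sha512-CONSTRUCTEDHASH",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz"},
    "node_modules/acme-auth-client": {"version": "1.2.0",
      "resolved": "https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-1.2.0.tgz"}
  }
}"""

# Names the organisation knows to be internal (constructed).
INTERNAL_NAMES = {"acme-auth-client", "@acme/billing", "@acme/ui-kit"}
PRIVATE_SCOPE = "@acme"
RANGE_SYNTAX = re.compile(r"[\^~*xX<>|]")  # semver ranges, wildcards, comparators


def parse_npmrc(text):
    """Return .npmrc key=value pairs, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")) and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def host_of(url):
    """Host part of a registry or tarball URL (empty string if none)."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def audit(package_json, npmrc, lock_json, internal_names, private_scope):
    """Return (code, message) findings; an empty list means all three checks pass."""
    findings = []
    deps = json.loads(package_json).get("dependencies", {})
    cfg = parse_npmrc(npmrc)
    lock = json.loads(lock_json).get("packages", {})
    scope_key = f"{private_scope}:registry"
    private_host = host_of(cfg.get(scope_key, ""))

    # 1. One private feed: every registry setting should name the same host.
    hosts = {host_of(v) for k, v in cfg.items() if k == "registry" or k.endswith(":registry")}
    if "registry" not in cfg:
        findings.append(("NO_DEFAULT_REGISTRY", "unscoped names resolve to the public registry"))
    elif len(hosts) > 1:
        findings.append(("MULTI_FEED", "feeds referenced: " + ", ".join(sorted(hosts))))

    for name, spec in deps.items():
        # 2. Controlled scope: an internal name that anyone can claim publicly is
        #    exactly the condition dependency confusion exploits.
        if name in internal_names:
            if not name.startswith(private_scope + "/"):
                findings.append(("UNSCOPED_INTERNAL", f"{name} can be claimed on the public registry"))
            elif scope_key not in cfg:
                findings.append(("SCOPE_UNMAPPED", f"{name}: {scope_key} is not set in .npmrc"))
        # 3a. Version pinning: a range or tag lets a newer public version win.
        if spec in ("", "latest") or RANGE_SYNTAX.search(spec):
            findings.append(("UNPINNED", f"{name}: spec '{spec}' is not an exact version"))

    # 3b. Integrity and resolution source, as recorded in the lockfile.
    for path, entry in lock.items():
        if not path:
            continue  # root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        resolved_host = host_of(entry.get("resolved", ""))
        if "integrity" not in entry:
            findings.append(("NO_INTEGRITY", f"{name}: lock entry has no integrity hash"))
        if name in internal_names and resolved_host != private_host:
            findings.append(("PUBLIC_RESOLVE", f"{name} was fetched from {resolved_host}"))
    return findings
```

Running audit() with NPMRC_WEAK reports the two-feed configuration and an internal name that was both unscoped and fetched from the public registry; NPMRC_FIXED clears the feed finding while the package.json and lockfile findings remain until those files are corrected.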


Attackers Leverage Locally-Loaded Chrome Extension for Data Exfiltration
9.2.2021 
Attack  Securityweek

A recently investigated malicious attack was abusing a locally loaded Chrome extension to exfiltrate data and establish communication with the command and control (C&C) server.

While the use of malicious Chrome extensions in attacks is not something new, this attack stands out from the crowd due to the use of ‘Developer mode’ in the browser to enable loading of a malicious extension locally.

The extension was dropped in a folder on the compromised workstation, while the ‘Developer mode’ was enabled directly from the browser (it is available in More Tools -> Extensions). Any user can leverage this legitimate function by clicking ‘Load unpacked.’

The malicious add-on used in this attack, SANS Internet Storm Center (ISC) handler Bojan Zdrnja explains, claimed to be Forcepoint Endpoint Chrome Extension for Windows, although it had nothing to do with the cyber-security firm, aside from the stolen name and logo.

The threat actor behind this attack, Zdrnja says, was focused on the manipulation of data in an internal web application their victim had access to.

“While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” the researcher says.

Analysis of the code revealed that the attackers were using a legitimate method to set up a listener and enable communication between extensions.

Furthermore, specific keys the code was found to set were being synced to the logged-in victim’s Google cloud, allowing the attackers to log into their own Chrome browser with the same account, and then abuse Google’s infrastructure to communicate with the browser on the victim’s network.

“While there are some limitations on size of data and amount of requests, this is actually perfect for C&C commands (which are generally small), or for stealing small, but sensitive data – such as authentication tokens,” Zdrnja points out.

After testing and verifying the method, the researcher confirmed that both C&C communication and data exfiltration can be performed this way. Detecting requests abused in this attack is rather difficult, due to the use of legitimate infrastructure.

The researcher recommends controlling which Chrome extensions can run in the local environment, especially since Google allows administrators to use group policies to approve specific extensions and block all others.
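As an added example that is not from the SANS write-up, the Python below checks a Chrome profile's preference JSON for developer mode and for extensions that were loaded unpacked, did not come from the Web Store, or are not on the policy allowlist; the sample JSON is constructed, and the key layout (extensions.ui.developer_mode, and extensions.settings.<id>.location == 4 for unpacked) is an assumption from my reading of Chrome's preference files, not something the article states.

```python
"""Flag side-loaded ("Load unpacked") extensions and developer mode from a
Chrome profile's preference JSON. Added example; the sample is constructed,
and the key layout (extensions.ui.developer_mode, extensions.settings.<id>
with location == 4 for unpacked) is my reading of Chrome's preference files,
not something stated in the article."""
import json

UNPACKED = 4   # Chrome's manifest-location value for extensions loaded unpacked (assumption)

# Constructed "extensions" subtree, as found in a profile's Preferences file.
SAMPLE_PREFS = r"""{
  "extensions": {
    "ui": {"developer_mode": true},
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "location": 1, "from_webstore": true,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "manifest": {"name": "Docs Offline", "version": "1.0"}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "location": 4, "from_webstore": false,
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\fp_ext",
        "manifest": {"name": "Forcepoint Endpoint Chrome Extension for Windows", "version": "1.2"}
      }
    }
  }
}"""

# Extension IDs approved by policy (constructed; in practice fed from the ExtensionInstallAllowlist policy).
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def find_sideloaded(prefs_json, allowlist):
    """Return (code, detail) findings for developer mode and non-approved extensions."""
    ext = json.loads(prefs_json).get("extensions", {})
    findings = []
    if ext.get("ui", {}).get("developer_mode"):
        findings.append(("DEVELOPER_MODE_ON", "extension developer mode is enabled"))
    for ext_id, entry in ext.get("settings", {}).items():
        reasons = []
        if entry.get("location") == UNPACKED:
            reasons.append("loaded unpacked")
        if not entry.get("from_webstore", False):
            reasons.append("not from the Web Store")
        if ext_id not in allowlist:
            reasons.append("not on the policy allowlist")
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append(("SIDELOADED_EXTENSION",
                             f"{ext_id} '{name}' at {entry.get('path')}: " + ", ".join(reasons)))
    return findings
```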


Hackers abuse Plex Media servers for DDoS amplification attacks
6.2.2021 
Attack  Securityaffairs

Netscout experts warn of DDoS-for-hire services abusing Plex Media servers to bounce junk traffic and amplify DDoS attacks.
Security researchers from Netscout discovered DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks.

Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems. Plex Media Server is also used in network-attached storage (NAS) devices, external RAID storage units, digital media players, and so on.

Upon startup, systems running the Plex Media Server app will start scanning the local network for UPnP gateways on broadband internet access routers via the Simple Service Discovery Protocol (SSDP).

Upon finding a local router with SSDP support enabled, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service online through the UDP port 32414.

The servers exposed online could be abused to reflect/amplify DDoS attacks: each response packet ranges from 52 to 281 bytes in size, allowing the attacker to obtain an average amplification factor of ~4.68:1.

“In order to differentiate this particular reflection/amplification DDoS attack vector from generic SSDP reflection/amplification, it has been designated as Plex Media SSDP (PMSSDP) reflection/amplification. Approximately 27,000 abusable PMSSDP reflectors/amplifiers have been identified, to date.” reads the advisory published by Netscout.

“Observed single-vector PMSSDP reflection/amplification DDoS attacks to date range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps.”

In a real attack scenario, hackers only have to scan the internet for devices with the UDP port 32414 enabled.

Netscout researchers found 27,000 Plex Media servers left exposed online that could be abused for DDoS attacks. Experts pointed out that some of these servers have already been abused in attacks in the wild; unfortunately, this attack technique is becoming common, especially among DDoS-for-hire services.

“The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the internet. This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.” concludes the report.

“Wholesale filtering of all UDP/32414-sourced traffic by network operators may potentially overblock legitimate internet traffic.”


Plex Media Server Abused for DDoS Attacks
6.2.2021 
Attack  Securityweek

Malicious actors have been abusing Plex Media Server to amplify distributed denial-of-service (DDoS) attacks, according to application and network performance management company Netscout.

A popular personal media library and streaming solution, Plex Media Server can be used on Windows, macOS, and Linux systems, to stream content, including that from network-attached storage (NAS) devices, RAID storage, and the like.

Plex typically searches the local network for compatible media devices and streaming clients. The issue, NETSCOUT researchers explain, appears when, at launch, the application locates UPnP gateways on broadband Internet access routers with the Simple Service Discovery Protocol (SSDP) enabled.

Once it has identified a UPnP gateway, Plex attempts to set dynamic NAT forwarding rules on the router, which results in a Plex UPnP-enabled service registration responder becoming exposed to the Internet, thus enabling DDoS reflection and amplification.

To differentiate it from the typical SSDP reflection/amplification method, the new abuse technique has been called Plex Media SSDP (PMSSDP). More than 27,000 abusable PMSSDP reflectors/amplifiers were identified.

The amplified PMSSDP DDoS attack traffic that has been observed so far consists of SSDP HTTP/U responses on UDP port 32414. With the amplified response packet in the 52–281 bytes range, the average amplification factor is approximately 4.68:1, the researchers explain.

“Observed single-vector PMSSDP reflection/amplification DDoS attacks to date range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps,” Netscout notes.

The researchers also warn that DDoS-for-hire services have added PMSSDP to their arsenal and say that both single- and multi-vector reflection/amplification attacks that abuse PMSSDP have increased in incidence since November of 2020.

The abuse of PMSSDP for DDoS reflection or amplification can also impact broadband Internet providers and their customers. Disabling SSDP on broadband Internet access routers should prevent abuse.

“Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers. It is strongly recommended that SSDP be disabled by default on operator-supplied broadband internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers,” NETSCOUT says.

NETSCOUT did not warn Plex of the issue prior to public disclosure, but the company is now preparing a simple patch to increase the protection of accidentally exposed servers, a Plex spokesperson told SecurityWeek via email.

“This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy,” the spokesperson added.


Cybercriminals Now Using Plex Media Servers to Amplify DDoS Attacks
6.2.2021 
Attack  Thehackernews

A new distributed denial-of-service attack (DDoS) vector has ensnared Plex Media Server systems to amplify malicious traffic against targets to take them offline.

"Plex's startup processes unintentionally expose a Plex UPnP-enabled service registration responder to the general Internet, where it can be abused to generate reflection/amplification DDoS attacks," Netscout researchers said in a Thursday alert.

Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems, as well as variants customized for special-purpose platforms such as network-attached storage (NAS) devices and digital media players. The desktop application organizes video, audio, and photos from a user's library and from online services, allowing users to access and stream the contents on other compatible devices.

DDoS attacks typically involve flooding a legitimate target with junk network traffic that comes from a large number of devices that have been corralled into a botnet, effectively causing bandwidth exhaustion and leading to significant service disruptions.

A DDoS amplification attack occurs when an attacker sends a number of specially-crafted requests to a third-party server that causes the server to respond with large responses to a victim. This is done by spoofing the source IP address to appear as if they are the victim instead of the attacker, resulting in traffic that overwhelms victim resources.

Thus, when the third parties respond to the attacker's request, the replies are routed to the server being targeted rather than to the attacker device that sent the request.

Now according to Netscout, DDoS-for-hire services are weaponizing Plex Media Servers to beef up their attack infrastructure, providing an average amplification factor of about 4.68.

Plex makes use of Simple Service Discovery Protocol (SSDP) to scan other media devices and streaming clients, but this gives way to a problem when the probe locates an SSDP-enabled broadband internet access router, and in the process, exposes the Plex service registration responder directly on the Internet on UDP port 32414.

Making matters worse, the cybersecurity firm said it identified about 27,000 abusable servers on the Internet to date.

"The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband Internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the Internet," Netscout researchers Roland Dobbins and Steinthor Bjarnason said.

"This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption."

Netscout recommends that network operators filter traffic directed towards UDP/32414 and disable SSDP on operator-supplied broadband internet access equipment to mitigate the attack.

The development comes after Netscout, earlier this month, reported that Windows Remote Desktop Protocol (RDP) servers are being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.
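As an added example that is not part of any of the Netscout write-ups above, the Python below reads UDP flow records and flags the reflection pattern they describe (many 32414-sourced reflectors converging on one destination with 52–281-byte responses), keying on convergence rather than on the port alone since the report warns that wholesale UDP/32414 filtering overblocks; it also estimates the attacker's own traffic from the 4.68:1 factor. The flow records and thresholds are constructed.

```python
"""Spot PMSSDP reflection (UDP responses sourced from port 32414) in flow
records, keying on many reflectors converging on one destination rather than
on the port alone. Added example: the flow records and thresholds are
constructed, not Netscout data; the size range and 4.68:1 factor come from
the advisory quoted above."""
from collections import defaultdict

PMSSDP_PORT = 32414
RESP_MIN, RESP_MAX = 52, 281   # PMSSDP response packet size range from the advisory
AMP_FACTOR = 4.68              # average amplification factor from the advisory

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
FLOWS = [
    # five exposed Plex servers all answering one outside address that never queried them
    ("198.51.100.11", 32414, "203.0.113.10", 44001, "udp", 4000, 1_000_000),
    ("198.51.100.12", 32414, "203.0.113.10", 44001, "udp", 4100, 1_025_000),
    ("198.51.100.13", 32414, "203.0.113.10", 44001, "udp", 3900, 975_000),
    ("198.51.100.14", 32414, "203.0.113.10", 44001, "udp", 4200, 1_050_000),
    ("198.51.100.15", 32414, "203.0.113.10", 44001, "udp", 4000, 1_000_000),
    # ordinary LAN discovery: one server, a handful of small packets
    ("192.168.1.20", 32414, "192.168.1.55", 51000, "udp", 3, 600),
    # unrelated TCP session from one of the same hosts
    ("198.51.100.11", 32400, "203.0.113.77", 50001, "tcp", 120, 150_000),
]


def find_reflection(flows, min_sources=3, min_packets=1000):
    """Return {"victims": {dst: stats}, "reflectors": {src: dst}}."""
    by_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport != PMSSDP_PORT:
            continue
        agg = by_dst[dst]
        agg["sources"].add(src)
        agg["packets"] += pkts
        agg["bytes"] += nbytes

    victims, reflectors = {}, {}
    for dst, agg in by_dst.items():
        avg = agg["bytes"] / agg["packets"]
        # Reflection signature: several distinct reflectors, high volume, and an
        # average packet size consistent with PMSSDP responses.
        if (len(agg["sources"]) >= min_sources and agg["packets"] >= min_packets
                and RESP_MIN <= avg <= RESP_MAX):
            victims[dst] = {
                "reflectors": sorted(agg["sources"]),
                "packets": agg["packets"],
                "bytes": agg["bytes"],
                "avg_packet_bytes": round(avg, 1),
                # roughly what the attacker had to send to produce this, at ~4.68:1
                "est_attacker_bytes": int(agg["bytes"] / AMP_FACTOR),
            }
            for src in agg["sources"]:
                reflectors[src] = dst   # exposed servers to notify / have SSDP disabled
    return {"victims": victims, "reflectors": reflectors}


if __name__ == "__main__":
    result = find_reflection(FLOWS)
    for dst, stats in result["victims"].items():
        print(f"{dst}: {len(stats['reflectors'])} reflectors, {stats['bytes']} bytes "
              f"(~{stats['est_attacker_bytes']} bytes of attacker traffic)")
```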


Microsoft Office 365 Attacks Sparked from Google Firebase
5.2.2021 
Attack  Threatpost

A savvy phishing campaign manages to evade native Microsoft security defenses, looking to steal O365 credentials.

A phishing campaign bent on stealing Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers said.

Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.

Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that’s hosted on Google Firebase. That page is of course a phishing page, bent on harvesting Microsoft log-in information, secondary email addresses and phone numbers.

The attackers could use the information to take over accounts and steal information, but they could wreak other havoc as well.

“Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” according to Armorblox.

Microsoft O365 Attack Flow
The link in the email claims to download a file called “Payment Notification – PDF.” It takes users to a landing page, which researchers said has a supposed “download” button on the top right. Hovering over the link shows that the file is hosted on Google Firebase, which is a development environment for building custom web and mobile apps – for, say, internal enterprise use.

“The downloaded ‘invoice’ might have PDF in its file name, but it’s actually an HTML file,” explained Armorblox researcher Rajat Upadhyaya, in a blog on Thursday. “Opening an HTML file loads an iframe with Office 365 branding. The page displays a thumbnail along with a link to view the invoice.”

Clicking the thumbnail or “View File” link leads to the final phishing page, which asks victims to log in with their Microsoft credentials and to provide alternate email addresses or phone numbers – an effort to collect data that could be used to get around two-factor authentication (2FA) or account recovery mechanisms.

After the details are loaded, the login portal reloads with an error message, asking the user to enter correct details.

“This might point to some backend validation mechanism in place that checks the veracity of entered details,” Upadhyaya said. “Alternately, attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

Bypassing Native Email Security
The campaign is perhaps most notable for the bevy of tactics employed to avoid email security defenses.

“This email attack bypassed native Microsoft email security controls,” the researcher noted. “Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to this email, which meant that Microsoft did not determine the email as suspicious and delivered it to end-user mailboxes.”

For one thing, the redirect flow is complex, which helps mask the malicious nature of the messages, according to Upadhyaya, who noted that this kind of obfuscation is a common tactic to thwart security defenses that check for fake login pages.

“Clicking the email link goes through a redirect and lands on a page with the parent domain ‘mystuff[.]bublup[.]com,'” he said. “The redirect has the parent domain ‘nam02[.]safelinks[.]protection[.]outlook[.]com’, showing that the link was rewritten by native Microsoft security controls even though it was a malicious link.”

Interestingly, by hosting the phishing page HTML on Google Firebase, an inherently trusted domain, the emails were able to nip past built-in Microsoft security filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

“Reputed URLs like that of Firebase will fool people (and email security technologies) into thinking that clicking the link will retrieve the invoice whose thumbnail is displayed,” the researcher said.

Firebase has been leveraged in previous attacks; for instance, last year a series of phishing campaigns using Google Firebase storage URLs surfaced, showing that cybercriminals continue to leverage the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.

And finally, the emails also passed authentication and anti-spoofing checks because they were sent through a mass-email system used for newsletters and other legitimate communications.

“The email was sent from a personal Gmail account via SendGrid,” Upadhyaya said. “This resulted in the email successfully passing authentication checks such as SPF, DKIM and DMARC.”

DMARC (Domain-based Message Authentication, Reporting & Conformance) is considered the industry standard for email authentication to prevent attackers from sending mails with counterfeit addresses. It does so by authenticating the sender’s identity before allowing the message to reach its intended destination – and verifying that the purported domain of the sender has not been impersonated.

How to Mitigate Email Threats
For better protection against email-borne threats, employees should be trained to engage with emails related to money and data with an “eye test” that includes inspecting the sender name, sender email address, language within the email and any logical inconsistencies within the email (i.e., if a supposed PDF file has an HTML extension), according to Armorblox.

Other defenses include implementing 2FA and implementing password management best practices.
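Part of that “eye test” can be automated. As an added example that is not Armorblox code, the Python below builds a constructed message with the campaign's traits and checks it for a freemail sender on a payment subject that nevertheless passes SPF/DKIM/DMARC, a Safe Links-wrapped URL whose real target is a Firebase host, and a PDF-named attachment that is actually HTML; the sender address, the Firebase host name and the SCL value are placeholders.

```python
"""Triage checks for the lure described above: a freemail sender on a payment
subject that still passes SPF/DKIM/DMARC, a Safe Links-wrapped URL whose real
target sits on a Firebase host, and an attachment named as a PDF that is
actually HTML. Added example; the message is constructed, not a campaign sample."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import parse_qs, quote, urlsplit

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
FIREBASE_HOSTS = (".web.app", ".firebaseapp.com", "firebasestorage.googleapis.com")
MONEY_WORDS = re.compile(r"invoice|payment|transfer|remittance", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HTML_MAGIC = (b"<!doctype html", b"<html")


def build_sample_message():
    """Constructed message carrying the traits above; all hosts are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <payables.notice@gmail.com>"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "TRANSFER OF PAYMENT NOTICE FOR INVOICE"
    msg["Authentication-Results"] = "spf=pass dkim=pass header.d=sendgrid.net dmarc=pass"
    msg["X-MS-Exchange-Organization-SCL"] = "1"
    target = "https://acme-invoices-0000.web.app/invoice.html"
    wrapped = ("https://nam02.safelinks.protection.outlook.com/?url="
               + quote(target, safe="") + "&data=CONSTRUCTED")
    msg.set_content(f"Your invoice is ready for download: {wrapped}")
    msg.add_attachment(b"<!DOCTYPE html><html><body>placeholder</body></html>",
                       maintype="application", subtype="octet-stream",
                       filename="Payment Notification - PDF.html")
    return msg.as_bytes()


def unwrap_safelinks(url):
    """Safe Links rewrites links to https://<region>.safelinks.protection.outlook.com/?url=<encoded>."""
    parts = urlsplit(url)
    if parts.netloc.lower().endswith(".safelinks.protection.outlook.com"):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0], True
    return url, False


def triage(raw):
    """Return finding codes for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    auth = {k.lower(): v.lower() for k, v in
            re.findall(r"(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", "")), re.I)}
    if sender_domain in FREEMAIL and MONEY_WORDS.search(subject):
        findings.append("FREEMAIL_PAYMENT_LURE")
        # A pass only proves the mailer (here a bulk sender) was allowed to send
        # for that domain; it says nothing about whether the sender is your supplier.
        if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
            findings.append("AUTH_PASS_DOES_NOT_VOUCH_FOR_SENDER")

    body = msg.get_body(preferencelist=("html", "plain"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        target, wrapped = unwrap_safelinks(url)
        if wrapped:
            findings.append("SAFELINKS_WRAPPED")  # rewritten, but a rewrite is not a verdict
        if urlsplit(target).netloc.lower().endswith(FIREBASE_HOSTS):
            findings.append("FIREBASE_HOSTED_LINK")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        head = (part.get_payload(decode=True) or b"").lstrip()[:20].lower()
        if "pdf" in name and head.startswith(HTML_MAGIC):
            findings.append("PDF_NAMED_HTML_ATTACHMENT")

    scl = msg.get("X-MS-Exchange-Organization-SCL")
    if findings and scl is not None and int(str(scl)) <= 1:
        findings.append("LOW_SCL_DESPITE_INDICATORS")
    return findings
```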


Critical Cisco Flaws Open VPN Routers Up to RCE Attacks
5.2.2021 
Attack  Threatpost

The vulnerabilities exist in Cisco’s RV160, RV160W, RV260, RV260P, and RV260W VPN routers for small businesses.

Cisco is rolling out fixes for critical holes in its lineup of small-business VPN routers. The flaws could be exploited by unauthenticated, remote attackers to view or tamper with data, and perform other unauthorized actions on the routers.

The flaws exist in the web-based management interface of Cisco’s small-business lineup of VPN routers. That includes its RV160, RV160W, RV260, RV260P, and RV260W models.

VPN routers have virtual private network functionality built directly into them; that means they have firmware that can handle VPN connections in order to establish a secure connection at the hardware level. These specific router models, which range in price from $150 to $250, are purpose-built for small- and medium-sized businesses and are touted as being ideal for remote offices.

“Cisco has released software updates that address these vulnerabilities,” according to Cisco on Wednesday. “There are no workarounds that address these vulnerabilities.”

Overall, the issue has been assigned seven CVEs (CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295). Cisco did not detail each CVE but did say that the CVEs have a base CVSS score of 9.8 out of 10 (making them critical in severity).

The flaws exist because HTTP requests are not properly validated in the management interface, according to Cisco. An attacker could exploit the vulnerabilities, merely by sending a specially crafted HTTP request to the management interface of one of the affected router models. From there, they would be able to execute arbitrary code as a root user, Cisco said.

The flaws affect the small business routers running a firmware release earlier than Release 1.0.01.02 – a fix has been rolled out as part of this release. Cisco has outlined further instructions on its security advisory for how to apply the update.

On Wednesday, Cisco also warned of two high-severity flaws (CVE-2021-1296 and CVE-2021-1297) across this same set of small-business VPN routers. The flaws could allow unauthenticated, remote attackers to launch directory traversal attacks and overwrite certain files that should be restricted on affected systems. Directory traversal attacks are typically launched against devices with insufficient security validation, in order to access files and directories that are stored outside the web root folder.

“These vulnerabilities are due to insufficient input validation,” said Cisco. “An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to a location on an affected device that they should not have access to.”

These flaws are also fixed by firmware Release 1.0.01.02. The networking giant said that it's not aware of any in-the-wild exploitation of any of these flaws.

High-Severity Flaws
Cisco on Wednesday pushed out a flurry of patches addressing high-severity vulnerabilities beyond its VPN small-business routers. Two Cisco product families are affected by these flaws.

One affected product is Cisco’s small business RV series routers – specifically, the RV016, RV042, RV042G, RV082, RV320, and RV325 models. Cisco warned of issues in these routers (tied to 30 CVEs) that could allow authenticated, remote attackers to execute arbitrary code or cause them to restart unexpectedly. The flaws, which stem from an improper validation of user-supplied input into the routers’ web-based interface, could be exploited by an attacker by sending crafted HTTP requests to affected devices.

“A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial-of-service (DoS) condition,” said Cisco.

Another set of glitches (tied to five CVEs) could also give an attacker the ability to inject arbitrary commands on the routers that are executed with root privileges. However, an attacker would first need administrative credentials, making this attack more complex to carry out.

Finally, Cisco patched various high-severity flaws affecting its IOS XR software, a train of Cisco Systems’ widely deployed Internetworking Operating System (IOS). The most serious of these flaws could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition on affected devices in order to cripple them.

Since the beginning of the year, Cisco has patched various vulnerabilities across its product lineup, including multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users, and a high-severity flaw in its smart Wi-Fi solution for retailers that could allow a remote attacker to alter the password of any account user on affected systems.


Remote Attackers Can Now Reach Protected Network Devices via NAT Slipstreaming
28.1.2021 
Attack  Threatpost

A new version of NAT slipstreaming allows cybercriminals an easy path to devices that aren’t connected to the internet.

Disconnecting devices from the internet is no longer a solid plan for protecting them from remote attackers. A new version of a known network-address translation (NAT) slipstreaming attack has been uncovered, which would allow remote attackers to reach multiple internal network devices, even if those devices don’t have access to the internet.

According to researchers from Armis and Samy Kamkar, chief security officer and co-founder at Openpath Security, attackers can execute an attack by simply convincing one target with internet access on the network to click on a malicious link. From there, cybercriminals can gain access to other, non-exposed endpoints, including unmanaged devices like industrial controllers, with no further social engineering needed.

NAT is the process of connecting internal network devices to the outside internet; it essentially allows a router to securely allow multiple devices connected to it to share a single public IP address. In enterprise environments, NAT functions are combined with firewalls to provide better perimeter cybersecurity; products from Fortinet, Cisco and HPE all take this approach.

NAT Slipstreaming Overview
In the original NAT slipstreaming attack, revealed and mitigated in November, an attacker persuades a victim to visit a specially crafted website (via social engineering and other tactics); a victim within an internal network that clicks on it is then taken to an attacker’s website. The website in turn will fool the victim network’s NAT into opening an incoming path (of either a TCP or UDP port) from the internet to the victim device.

“Slipstreaming is easy to exploit as it’s essentially entirely automated and works cross-browser and cross-platform, and it doesn’t require any user interaction other than visiting the victim site,” Kamkar told Threatpost last fall.

In order to launch an attack, the victim’s device must also have an Application-Level Gateway (ALG) connection-tracking mechanism enabled, which is usually built into NATs. NAT slipstreaming exploits the user’s browser in conjunction with ALG.

“This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet-injection technique across all major modern (and older) browsers,” explained Kamkar.

In the attack, when a victim device visits an attacker-controlled website, JavaScript code running in the victim’s browser sends out additional traffic to the attacker’s server, which traverses through the network’s NAT/firewall.

“This second-phase traffic is crafted in such a way that the NAT is fooled to believe this traffic actually originated from an application that requires a second connection to take place, from the internet to the victim device, and to an internal port that the attacker can choose,” researchers explained. “This second connection can thus lead the attacker to access any service (TCP/UDP) on the victim’s device, directly from the internet.”

If, for example, the victim’s device is a Windows device vulnerable to EternalBlue, the attacker can access the SMB port on the victim device using this technique, from the internet, exploit the vulnerability, and take over the device.

“The only thing required for this attack to take place, is that the victim clicks on link, or visits a web page of which the attacker has implanted some JavaScript code,” researchers noted.

NAT Slipstreaming 2.0
The newly discovered variant simply extends the attack, researchers said.

Now, “attackers [can] fool the NAT in such a way that it will create incoming paths to any device on the internal network, and not only to the victim device that clicked on the link,” they explained, in a blog posting on Tuesday.

The issue lies in the H.323 ALG, where supported. Unlike most other ALGs, H.323 enables an attacker to create a pinhole in the NAT/firewall to any internal IP, rather than just the IP of the victim that clicks on the malicious link.

Meanwhile, WebRTC TURN connections can be established by browsers over TCP to any destination port. The browsers’ restricted-ports list was not consulted by this logic and was therefore bypassed.

“This allows the attacker to reach additional ALGs, such as the FTP and IRC ALGs (ports 21, 6667) that were previously unreachable due to the restricted-ports list,” researchers said. “The FTP ALG is widely used in NATs/firewalls.”

The ability to reach devices without human interaction means that attackers can reach not only desktops but also other devices that don’t typically have human operators: unmanaged devices like printers, industrial controllers, Bluetooth accessories, IP cameras, sensors, smart lighting and more. The impact of an attack on these can be severe, ranging from denial-of-service (DoS) to a full-blown ransomware attack, researchers noted.

Unmanaged Corporate Devices at Risk
“Unmanaged devices [often] don’t have inherent security capabilities, and often offer interfaces for controlling them and accessing their data with little-to-no authentication, within the internal network,” researchers explained. “Exposing these interfaces directly to the internet is a serious security risk.”

Researchers gave the example of an office printer that can be controlled through its default printing protocol, or through its internal web server. Using NAT slipstreaming, an attacker could knock it offline or cause it to print arbitrary documents. Depending on the printer’s features, cybercriminals could also access stored documents.

The researchers added that, as with any other target, carrying out these actions requires the newly exposed interface itself to be insecure: once attackers open a path to a device, they still need a way into it. Many unmanaged devices that are not connected to the internet don’t require passwords, researchers noted, or often remain unpatched.

“In addition to interfaces that are unauthenticated by design, many unmanaged devices may also be vulnerable to vulnerabilities that are publicly known, that can be exploited if an attacker is able to bypass the NAT/firewall, and initiate network traffic that can trigger them,” they wrote.

An example of this risk is the 97 percent of industrial controllers recently found to remain vulnerable to the URGENT/11 group of security bugs. In many industrial scenarios, regular patching of unmanaged devices is a challenge since they often can’t be taken offline because of production requirements, researchers explained. Thus, “many organizations rely on perimeter security (firewalls and NATs) to keep their unpatched devices from being accessed by potential attackers on the internet.”

Once the perimeter is breached, attackers are free to exploit and take over vulnerable and open devices, and install remote access tools for further attacks.

Mitigations via Browser Patching
Like the original attack, the new version has been mitigated with browser patches, for Chrome, Safari, Firefox and Edge. Chromium is tracking the new variant via CVE-2020-16043, while Firefox is tracking it via CVE-2021-23961.

“While the underlying issue of this attack is the way NATs are implemented (in various ways in routers and firewalls, throughout numerous vendors and applications), the easiest and fastest way to mitigate was through a patch to browsers,” according to the advisory.

The updates are Chrome v87.0.4280.141, Firefox v85.0 and Safari v14.0.3, and Microsoft’s Edge browser is also now patched, since it relies on the Chromium source code.


New Attack Could Let Remote Hackers Target Devices On Internal Networks
28.1.2021 
Attack  Thehackernews
NAT Slipstreaming v2.0
A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise and expose any device in an internal network, according to the latest research.

Detailed by enterprise IoT security firm Armis, the new attack (CVE-2020-16043 and CVE-2021-23961) builds on the previously disclosed technique to bypass routers and firewalls and reach any unmanaged device within the internal network from the Internet.

First disclosed by security researcher Samy Kamkar in late October 2020, the JavaScript-based attack relied on luring a user into visiting a malicious website to circumvent browser-based port restrictions and allow the attacker to remotely access TCP/UDP services on the victim's device, even those that were protected by a firewall or NAT.

Although partial mitigations were released on November 11 to thwart the attack in Chrome 87, Firefox 84, and Safari by preventing connections on port 5060 or 5061, Armis researchers Ben Seri and Gregory Vishnipolsky revealed that "NAT Slipstreaming 2.0" puts "embedded, unmanaged, devices at greater risk, by allowing attackers to expose devices located on internal networks, directly to the Internet."

Vulnerable devices that could be potentially exposed as a consequence of this attack include office printers, industrial controllers, IP cameras, and other unauthenticated interfaces that could be exploited once the NAT/firewall is tricked into opening network traffic to the victim device.

"Using the new variant of the NAT Slipstreaming attack to access these types of interfaces from the Internet, can result in attacks that range from a nuisance to a sophisticated ransomware threat," the researchers said.

Google, Apple, Mozilla, and Microsoft have all released patches to Chrome (v87.0.4280.141), Safari (v14.0.3), Firefox (v85.0), and Edge (v87.0.664.75) browsers to address the new attack.

Using H.323 Packets to facilitate NAT Slipstreaming
Put simply, NAT Slipstreaming allows a bad actor to bypass a NAT/firewall and remotely access any TCP/UDP service bound to a victim machine, as a result of the target visiting a malicious website specially crafted for this purpose.

Specifically, the malicious JavaScript code running in the victim's browser extracts the internal IP address and takes advantage of TCP/IP packet segmentation to create large TCP/UDP beacons, then smuggles a Session Initiation Protocol (SIP) packet containing the internal IP address inside an outbound HTTP POST request via TCP port 5060.

"This is achieved by carefully setting the [Maximum Segment Size] value of an attacker controlled TCP connection from the victim browser to an attacker's server, so that a TCP segment in the 'middle' of the HTTP request will be entirely controlled by the attacker," the researchers explained.

This causes the NAT application-level gateway (ALG) to open arbitrary ports for inbound connections to the client's device via the internal IP address.

NAT Slipstreaming 2.0 is similar to the aforementioned attack in that it uses the same approach, but it relies on the H.323 VoIP protocol instead of SIP to send multiple fetch requests to the attacker's server on the H.323 port (1720), thereby allowing the attacker to iterate through a range of IP addresses and ports, opening each of them to the Internet.

"A long lasting solution, unfortunately, would require some [overhaul] of the Internet infrastructure we're accustomed to," the researchers concluded.

"It is important to understand that security was not the principal agenda for the creation of NATs, rather it was mainly a by-product of the potential exhaustion of IPv4 addresses. Legacy requirements such as ALGs are still a dominant theme in the design of NATs today, and are the primary reason bypassing attacks are found again and again."


NAT Slipstreaming 2.0 Exposes Devices on Internal Networks to Remote Attacks
27.1.2021 
Attack  Securityweek

A newly devised variant of the NAT Slipstreaming attack can be leveraged to compromise any device on the local network, according to researchers at enterprise IoT security firm Armis.

Detailed in late October 2020, the NAT Slipstreaming attack relies on tricking the victim into accessing a specially crafted website and exploits the browser on the device, along with the Application Level Gateway (ALG), a connection tracking mechanism in Network Address Translation (NAT), firewalls, and routers.

The attack was meant to bypass existing browser-based port restrictions and allow the attacker to remotely access TCP/UDP services on the victim’s device, even if it was protected by a firewall or NAT.

In a research paper published on Tuesday, Armis security researchers detailed a variant of the attack, dubbed NAT Slipstreaming 2.0, that can bypass mitigations for NAT Slipstreaming, and which also expands the attacker’s reach, allowing them to create paths to any device on the internal network.

“This puts embedded, unmanaged, devices at greater risk, by allowing attackers to expose devices located on internal networks, directly to the Internet,” the security researchers note.

They underline that unmanaged devices are at greater risk, as they often lack security capabilities, require little-to-no authentication for data access, and may be impacted by vulnerabilities that have been publicly disclosed but remain unpatched.

Such devices may include printers exposed through the default printing protocol, industrial controllers using unauthenticated protocols, and IP cameras that have an internal web server secured with default credentials.

In this context, Armis says, the NAT Slipstreaming attack is no longer just a nuisance, as it can be abused to launch sophisticated ransomware campaigns.

In devising the new attack variant, Armis’ researchers Ben Seri and Gregory Vishnipolsky worked together with Samy Kamkar, the researcher who discovered the original NAT Slipstreaming attack. The new attack is based on new primitives and allows for connections to any destination ports, fully bypassing the mitigations that browser makers have introduced for NAT Slipstreaming.

Just as before, the attacker needs to craft a website containing malicious code and then trick the victim into accessing that website. The code sends multiple fetch requests from the victim browser on H.323 port (1720), thus allowing the attacker to “iterate through a range of IP addresses and ports, each time opening an IP/port to the Internet,” for reconnaissance.

Fixes for the issue were included in all major web browsers, namely Chrome v87.0.4280.142, Firefox v85.0, and Safari v14.0.3. Microsoft’s Edge, which relies on the Chromium source code, is also patched. The bug is tracked as CVE-2020-16043 in Chromium and CVE-2021-23961 in Firefox.

The mitigations all browser makers added to their software involved making two changes, namely adding the TCP/UDP ports of all known ALGs to the list of restricted ports, and enforcing the list on WebRTC connections as well.

“While this isn’t a ‘fix’, the issue discussed isn’t really a ‘bug’, as everything is working pretty much as intended. The real ‘fix’ would be every user and sysadmin disabling all ALGs, as this feature is fundamentally broken. We consider this mitigation sufficient to prevent this issue from being used as an actual attack vector,” Armis notes.
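As an added example (not code from Armis, Samy Kamkar or any of the articles above), the following Python script audits NAT/firewall ALG pinhole records for the behaviour described in the H.323 ALG paragraph and in the IP/port iteration paragraph: a pinhole that exposes an internal host other than the one whose traffic triggered it, a pinhole landing on a service port rather than a media port, or one external host opening paths to many internal endpoints. The log line format, the port list and the sample records are constructed for this example; a real deployment would adapt the regular expression to the NAT vendor's connection-tracking log.

```python
"""Audit NAT/firewall ALG pinhole records for the abuse pattern described in the
NAT Slipstreaming articles: an application-level gateway opening an inbound path
to an internal host other than the one whose outbound traffic triggered it,
on a service port rather than a media port, or many such paths from one
external host iterating through the internal range.

The log line format is constructed for this example and is not any vendor's
real export format:
  ALG <name> pinhole ext=<ip>:<port> -> int=<ip>:<port> trigger=<ip>:<port>
"""
import re
from dataclasses import dataclass

# Internal ports that a VoIP/FTP media pinhole should never land on (constructed list).
SENSITIVE_INTERNAL_PORTS = {22, 23, 80, 139, 443, 445, 502, 631, 3389, 9100}

LINE_RE = re.compile(
    r"ALG (?P<alg>\S+) pinhole ext=(?P<ext>\S+) -> int=(?P<int>\S+) trigger=(?P<trig>\S+)"
)


@dataclass(frozen=True)
class Pinhole:
    alg: str
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int
    trig_ip: str
    trig_port: int


def _endpoint(text):
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_pinholes(lines):
    """Parse the constructed log lines; lines that do not match are ignored."""
    holes = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ext_ip, ext_port = _endpoint(m["ext"])
        int_ip, int_port = _endpoint(m["int"])
        trig_ip, trig_port = _endpoint(m["trig"])
        holes.append(Pinhole(m["alg"], ext_ip, ext_port, int_ip, int_port, trig_ip, trig_port))
    return holes


def audit(holes, sweep_threshold=3):
    """Return (kind, detail) findings; an empty list means nothing looked abused."""
    findings = []
    for h in holes:
        # A legitimate ALG pinhole returns traffic to the host that started the session.
        # The H.323 ALG behaviour the articles describe is exactly a pinhole to another host.
        if h.int_ip != h.trig_ip:
            findings.append(("third_party_target",
                             f"{h.alg} pinhole from {h.ext_ip} reaches {h.int_ip}:{h.int_port} "
                             f"but was triggered by {h.trig_ip}"))
        # Media pinholes land on ephemeral ports; a management or service port is not media.
        if h.int_port in SENSITIVE_INTERNAL_PORTS:
            findings.append(("sensitive_port",
                             f"{h.alg} pinhole exposes {h.int_ip}:{h.int_port} to {h.ext_ip}"))
    # One external host pinholing many distinct internal endpoints is the IP/port iteration.
    targets_per_ext = {}
    for h in holes:
        targets_per_ext.setdefault(h.ext_ip, set()).add((h.int_ip, h.int_port))
    for ext_ip, targets in sorted(targets_per_ext.items()):
        if len(targets) >= sweep_threshold:
            findings.append(("sweep",
                             f"{ext_ip} opened pinholes to {len(targets)} distinct internal endpoints"))
    return findings


# Constructed sample: one normal SIP call, then an H.323 ALG being walked across hosts.
SAMPLE_LOG = [
    "ALG SIP pinhole ext=198.51.100.7:5060 -> int=10.0.0.23:40000 trigger=10.0.0.23:5060",
    "ALG H.323 pinhole ext=203.0.113.10:1720 -> int=10.0.0.5:445 trigger=10.0.0.23:52011",
    "ALG H.323 pinhole ext=203.0.113.10:1720 -> int=10.0.0.6:9100 trigger=10.0.0.23:52012",
    "ALG H.323 pinhole ext=203.0.113.10:1720 -> int=10.0.0.7:80 trigger=10.0.0.23:52013",
    "conntrack: unrelated line that the parser should skip",
]

if __name__ == "__main__":
    for kind, detail in audit(parse_pinholes(SAMPLE_LOG)):
        print(f"[{kind}] {detail}")
```

The gap between the triggering host and the pinhole target is the key signal: a correctly behaving SIP or H.323 ALG only ever opens a return path to the host that placed the call, so any other target is either a misconfiguration or the abuse described here. Disabling ALGs that are not needed, as Armis suggests, removes these records entirely.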


Several DDoS Attack Records Broken in 2020
27.1.2021 
Attack  Securityweek

Several companies that provide services for mitigating distributed denial-of-service (DDoS) attacks reported seeing records being broken in 2020.

In a report published on Tuesday, Akamai said it saw the largest global DDoS extortion campaign, more customers attacked than in any other previous year, the largest ever attack in terms of million packets per second (Mpps), and a record number of new customers that urgently needed protection due to an ongoing or imminent attack.

The largest attack in terms of Mpps was disclosed by the company in June — it reached 809 Mpps and it targeted a European bank. The company also saw a 1.44 terabit per second (Tbps) attack, but Amazon and Google this year reported seeing 2.3 Tbps and 2.5 Tbps attacks, respectively. The attack disclosed by Google was actually launched in 2017, but it still appears to be the largest observed to date.

Akamai also reported that it had seen more customers targeted in DDoS attacks in November 2020 than in any previous month.

DDoS attacks in 2020

As for the major DDoS extortion campaign, the company noticed it last summer.

“This campaign featured show-of-force attacks upwards of 500 Gbps - a sign the criminals were very determined and highly capable of causing business-impacting disruption,” Akamai said. “A notable characteristic of this campaign was the level of reconnaissance conducted by the attackers prior to sending the extortion letters.”

Netscout also published some DDoS attack data on Tuesday, revealing that the number of attacks it observed last year exceeded 10 million, nearly 1.6 million more than in 2019.

“From March until the end of the year, DDoS attackers operated amidst the COVID-19 pandemic,” Netscout said. “While most of the world saw an unprecedented global health crisis, malicious actors saw new vulnerabilities and opportunity. It is seldom that annual activity is so deeply affected by one event, but such is the case with 2020 DDoS attack activity and trends. It is no coincidence that this milestone number of global attacks comes at a time when businesses have relied so heavily on online services to survive.”

“As cybercriminals quickly exploited pandemic-driven opportunities, we saw another kind of ‘new normal.’ Monthly DDoS attacks regularly exceeded 800,000 starting in March, as the pandemic lockdown took effect,” the company noted.

Kaspersky reported seeing an 88% increase in the number of DDoS attacks launched in 2020 compared to 2019.

“We suggest that this growth is caused by the pandemic and an increased reliance on web resources,” said Alexander Gutnikov, system analyst at Kaspersky’s DDoS prevention service. “For instance, in the first quarter of 2020, we identified a three-fold increase in attacks on educational and administrative resources, as they were extremely important. If people see conflicting messages about the virus and what preventive measures can be taken, they may look for official sources of information for more assured guidance. Many schools and universities also shifted to online lessons. It’s worth noting that the growth is quantitative, not qualitative: the share of sophisticated attacks that require an attacker to have skills to find the most effective attack vector has practically not changed.”

Tom Emmons, principal architect at Akamai, told SecurityWeek that they too noticed a rise in the total number of DDoS attacks launched last year, but he believes this data can be misleading “because some customers and industries are more frequently and regularly targeted by DDoS attacks – easily swaying the data depending on attacker activity.”

“The frequency of attacks was up about ~6% YOY, but the more noteworthy trends have been around the significant increase in the number of customers attacked (~22% YOY), the steady growth of attack size >50 Gbps, and the diversity of industries and verticals targeted by threat actors,” Emmons said.

Cloudflare also reported seeing some of the largest DDoS attacks in 2020.


Crane Maker Palfinger Says Cyberattack Had 'Massive' Impact on IT Infrastructure
27.1.2021 
Attack  Securityweek

Austria-based crane manufacturer Palfinger on Monday informed customers that its IT infrastructure suffered serious disruptions as a result of an “ongoing global cyber attack.”

Only limited information has been shared about the incident, but the company says the attack disrupted its email and enterprise resource planning (ERP) systems. The crane maker said a “large proportion” of its worldwide locations have been hit.

“Currently, the PALFINGER AG and the majority of its sites are the target of an ongoing global cyber-attack with massive effects on its IT infrastructure. The extent and consequences of the attack cannot be assessed at this time, but intensive efforts are being made to find a solution,” reads a message currently greeting users who access the company’s website. “For the time being, PALFINGER cannot be contacted via e-mail nor can it receive or process inquiries, orders, shipments and invoices. Your personal points of contact during this phase are only available by telephone.”

Palfinger cyberattack

Palfinger’s description of the incident suggests that it may be a breach involving a piece of ransomware.

SecurityWeek has reached out to the company for more information and will update this article if it responds.

Palfinger provides lifting, loading and handling solutions to organizations in the construction, forestry and agriculture, industrial, infrastructure, railway, government, transportation and logistics, and waste management and recycling sectors. The company says it has 11,000 employees across 35 locations.

Also on Monday, American packaging giant WestRock informed customers that it was recently targeted in a ransomware attack that impacted both IT and OT systems.

UPDATE: Palfinger told SecurityWeek that the attackers have "partly encrypted data on several IT systems" belonging to the company, which confirms that this was a ransomware attack.

The company has shared the following statement:

PALFINGER AG is prepared for such a scenario and immediately set up a task force consisting of internal and external IT and forensics experts, who are currently conducting a thorough investigation of the incident.

At the same time, the law enforcement authorities have been called in and a criminal complaint has been filed. In addition, the responsible data protection authorities in Austria and abroad have been notified. As most of our employees are currently unable to continue their work, the Management Board has decided to reduce all operational activities to a minimum or to suspend them where necessary. Of course, we are keeping our customers, employees and the media continuously up to date and will provide the latest information in a timely manner.


Cisco DNA Center Bug Opens Enterprises to Remote Attack

26.1.2021  Attack  Threatpost

The high-severity security vulnerability (CVE-2021-1257) allows cross-site request forgery (CSRF) attacks.

A cross-site request forgery (CSRF) vulnerability in the Cisco Digital Network Architecture (DNA) Center could open enterprise users to remote attack and takeover.

The flaw, tracked as CVE-2021-1257, exists in the web-based management interface of the Cisco DNA Center, which is a centralized network-management and orchestration platform for Cisco DNA. It carries a CVSS vulnerability-severity score of 7.1, making it high-severity.

Cisco DNA is the networking giant’s software-defined approach for aligning campus, branch, WAN and remote-worker elements of enterprise networks. The DNA Center allows admins to provision and configure all network devices, and it uses artificial intelligence (AI) and machine learning (ML) to proactively monitor, troubleshoot and optimize networks. It also integrates with third-party systems. In short, the DNA Center allows deep reach and visibility into an organization’s network, all from one point of entry.

The web-based management interface used for accessing and using the Cisco DNA Center has insufficient CSRF protections in software versions prior to 2.1.1.0. The patch issued today addresses the problem.

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which the person is currently authenticated. Thus, the bug could allow an unauthenticated, remote attacker to “conduct an attack to manipulate an authenticated user into executing malicious actions without their awareness or consent,” according to Cisco’s advisory, issued on Monday.

An attacker could exploit the vulnerability by socially engineering a web-based management user into following a specially crafted link, say via a phishing email or chat. If the user clicks on the link, the attacker can then perform arbitrary actions on the device with the privileges of the authenticated user.

These actions include modifying the device configuration, disconnecting the user’s session and executing Command Runner commands, Cisco noted.

This vulnerability is fixed in Cisco DNA Center Software releases 2.1.1.0, 2.1.2.0, 2.1.2.3 and 2.1.2.4, and later. Cisco credited Benoit Malaboeuf and Dylan Garnaud from Orange for reporting the vulnerability.
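To make the mechanism concrete, here is an added Python example (not Cisco's code) that models a state-changing management endpoint twice: once with only the session-cookie check that the advisory describes as insufficient, and once with the usual defences, a POST-only method check, an Origin/Referer check against the management interface's origin, and a per-session synchronizer token compared in constant time. The request shape, session table, origin and secret are all constructed for the example.

```python
"""A state-changing management endpoint modelled two ways: the way the advisory
describes (session cookie is the only check) and a hardened form that also checks
the request's origin and a per-session anti-CSRF token.

Requests are plain dicts constructed for this example; nothing here is Cisco's code,
and the session table, origin and secret are made up.
"""
import hashlib
import hmac

MANAGEMENT_ORIGIN = "https://dnac.example.internal"   # assumed origin of the management UI
CSRF_SECRET = b"example-only-secret-rotate-me"        # constructed; real code loads it from config
SESSIONS = {"sess-abc123": "netadmin"}                # constructed session-id -> user table


def current_user(request):
    """Identify the user from the session cookie the browser attaches automatically."""
    return SESSIONS.get(request["cookies"].get("session"))


def change_config_vulnerable(request):
    """Only checks that a valid session exists. Because browsers send cookies with
    cross-site requests too, a crafted link on any site runs this as the victim."""
    user = current_user(request)
    if user is None:
        return 401, "not authenticated"
    return 200, f"configuration changed by {user}"


def csrf_token_for(session_id):
    """Synchronizer token bound to the session: HMAC(secret, session id)."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_config_hardened(request):
    user = current_user(request)
    if user is None:
        return 401, "not authenticated"
    # 1. State changes only over POST: following a plain link cannot produce one.
    if request["method"] != "POST":
        return 405, "state change requires POST"
    # 2. Origin (or Referer as fallback) must be our own UI; missing both fails closed.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not origin.startswith(MANAGEMENT_ORIGIN):
        return 403, "cross-site request rejected"
    # 3. Token in the body must match the one bound to this session (constant-time compare).
    expected = csrf_token_for(request["cookies"]["session"])
    if not hmac.compare_digest(expected, request["form"].get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"configuration changed by {user}"


# Constructed requests. The browser attaches the session cookie in all three cases.
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": MANAGEMENT_ORIGIN},
    "cookies": {"session": "sess-abc123"},
    "form": {"csrf_token": csrf_token_for("sess-abc123"), "hostname": "core-sw-1"},
}
# Victim follows a link from a phishing mail: GET, cross-site Referer, no token.
FORGED_LINK = {
    "method": "GET",
    "headers": {"Referer": "https://attacker.example/"},
    "cookies": {"session": "sess-abc123"},
    "form": {"hostname": "rogue-name"},
}
# Auto-submitting form on a third-party page: POST, but foreign Origin and no token.
FORGED_POST = {
    "method": "POST",
    "headers": {"Origin": "https://attacker.example"},
    "cookies": {"session": "sess-abc123"},
    "form": {"hostname": "rogue-name"},
}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT_REQUEST), ("forged link", FORGED_LINK), ("forged post", FORGED_POST)]:
        print(name, change_config_vulnerable(req), change_config_hardened(req))
```

The hardened handler fails closed when both Origin and Referer are absent. Marking the session cookie with the SameSite attribute adds a further browser-side layer that is not modelled here.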

More 2021 Cisco Security Bugs
This is just the latest concerning security vulnerability for Cisco this year. Last week, it warned of multiple, critical vulnerabilities in its SD-WAN solutions and DNA Center, among others.

One critical-severity flaw (CVE-2021-1299) exists in the web-based management interface of Cisco SD-WAN vManage software. The bug (which ranks 9.9 out of 10 on the CVSS scale) could allow an authenticated, remote attacker to gain root-level access to an affected system and execute arbitrary commands as the root user on the system.

A second critical flaw, CVE-2021-1300, which ranks 9.8 out of 10 on the CVSS scale, could allow an attacker to execute arbitrary code on the underlying operating system with root privileges.

A third critical-severity flaw was found in the Command Runner tool of Cisco DNA Center (CVE-2021-1264), which ranks 9.6 out of 10 on the CVSS scale. A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center, according to Cisco.

Earlier in January, Cisco fixed high-severity flaws tied to 67 CVEs overall, including ones found in its AnyConnect Secure Mobility Client and in its RV110W, RV130, RV130W and RV215W small-business routers.

The most serious flaw (CVE-2021-1144) afflicted Cisco Connected Mobile Experiences (CMX), a software solution that is utilized by retailers to provide business insights or on-site customer experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer’s Wi-Fi network, including real-time customer-location tracking. The high-severity issue (8.8 out of 10 on the CVSS vulnerability-severity scale) could allow an authenticated attacker to impersonate any user on the system.


South Carolina County Suffers Weekend Cyberattack
26.1.2021 
Attack  Securityweek

A coastal South Carolina county says hackers broke into its computer network over the weekend.

A statement from Georgetown County’s local government Monday said the county’s computer network “suffered a major infrastructure breach over the weekend.” Most of the county’s electronic systems, including emails, were impacted.

The county’s 911 system and jail operations were not affected, according to the statement. The county said it does not know when its electronic systems will be up and running again.

According to the statement, the county has insurance against cyber attacks and is working with cybersecurity experts to find out what information may have been compromised in the attacks.

About 60,000 people live in Georgetown County.


Security firm SonicWall was victim of a coordinated attack
24.1.2021 
Attack  Securityweek

The Hacker News reported in an exclusive that the security firm SonicWall was hacked as a result of a coordinated attack on its internal systems.
TheHackerNews revealed in an exclusive that the security provider SonicWall was hacked on Friday.

The company was targeted with a coordinated attack on its internal systems in which threat actors exploited zero-day vulnerabilities in its secure remote access products, such as the NetExtender VPN client version 10.x and Secure Mobile Access (SMA).

“The San Jose-based company said the attacks leveraged zero-day vulnerabilities in SonicWall secure remote access products such as NetExtender VPN client version 10.x and Secure Mobile Access (SMA) that are used to provide users with remote access to internal resources.” reported TheHackerNews.

SonicWall told The Hacker News that it believes the coordinated attack was conducted by highly sophisticated threat actors exploiting probable zero-day vulnerabilities in those products.

The Hacker News was the first media outlet to receive reports that SonicWall’s internal systems had been unavailable since Tuesday and that the source code hosted on the company’s GitLab repository was accessed by the attackers.

SonicWall immediately launched an investigation into the incident and said it would provide additional updates as more information emerges.

Below is the list of affected products shared by THN:

NetExtender VPN client version 10.x (released in 2020), utilized to connect to SMA 100 series appliances and SonicWall firewalls
Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance

SonicWall published an Urgent Security Notice for the NetExtender VPN Client 10.X and SMA 100 Series vulnerability that includes a series of recommendations for its customers.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:

NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

The NetExtender VPN client and SMB-oriented SMA 100 series are used for providing employees/users with remote access to internal resources. The SMA 1000 series is not susceptible to this vulnerability and utilizes clients different from NetExtender.” states the urgent security notice published by the security provider.

For the SMA 100 series, the vendor recommends using a firewall to allow SSL-VPN connections to the SMA appliance only from known/whitelisted IPs, or configuring whitelist access directly on the SMA itself.

For firewalls with SSL-VPN access via the NetExtender VPN client, the security firm recommends that organizations using version 10.x disable NetExtender access to the firewall(s) or restrict access to users and admins via an allow-list/whitelist of their public IPs.

SonicWall also recommends enabling multi-factor authentication on all SonicWall SMA, firewall and MySonicWall accounts.

This incident could potentially have a significant impact on the many organizations that use the above products. It is the latest in a series of incidents affecting security vendors: Malwarebytes recently revealed that it was hit by the SolarWinds attackers, the same group that compromised FireEye, Microsoft, and CrowdStrike.


Amazon Kindle RCE Attack Starts with an Email
23.1.2021  Attack  Threatpost

The “KindleDrip” attack would have allowed attackers to siphon money from unsuspecting victims.

Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root – paving the way for siphoning money from unsuspecting users.

Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the “Send to Kindle” feature to start a chain of attack – a discovery that earned him $18,000 from the Amazon bug-bounty program.

“The first vulnerability allowed an attacker to send an e-book to the victim’s Kindle device,” he explained in a Thursday posting. “Then, the second vulnerability was used to run arbitrary code while the e-book is parsed, under the context of a weak user. The third vulnerability allows the attacker to escalate privileges and run code as root.”

To make the attack work (which the researcher calls KindleDrip), an attacker would first need to know the email address assigned to the victim’s device. There’s also a predefined list of approved emails that any e-books would need to be sent from. According to Bar-On, neither requirement is much of a hurdle.

The special destination email address assigned by Amazon is typically just the user’s regular email under the kindle.com domain (e.g. name@gmail.com becomes name@kindle.com), which “can be brute forced,” he explained.

And as for the list of approved addresses, spoofing can easily get around this. “Email authentication is still not as widespread as you may think,” he wrote. “Since many email servers still don’t support authentication, it is not unreasonable to assume that Amazon will not verify the authenticity of the sender.” And indeed, he was able to spoof an email message to send an e-book to his own device.
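The sender-verification gap Bar-On describes can be closed on the receiving side. The added Python example below (not Amazon's logic) honours an approved-sender list only when the message's Authentication-Results header (RFC 8601) shows a DMARC pass, or a DKIM pass whose signing domain aligns with the From domain; a message with no authentication results at all, or an SPF pass for an unrelated envelope domain, is rejected even though its From address is on the list. The allow-list, the kindle.com destination and all four messages are constructed for the example.

```python
"""Approved-sender check that only trusts the From address once the message has
passed sender authentication, closing the gap the KindleDrip write-up relies on
(an approved-sender list with no verification of who actually sent the mail).

Messages are constructed for this example and parsed with the standard library;
the Authentication-Results header follows RFC 8601, but the values and the
allow-list are made up and this is not Amazon's logic.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

APPROVED_SENDERS = {"owner@example.com"}  # constructed approved-sender list

# method=result followed by its properties, up to the next ';' (RFC 8601 resinfo).
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)([^;]*)")


def parse_auth_results(msg):
    """Return {method: (result, properties)} from all Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result, props in AUTH_RE.findall(str(header)):
            results[method] = (result.lower(), props)
    return results


def auth_summary(raw):
    """Convenience view for logging: {method: result} for a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {m: r for m, (r, _) in parse_auth_results(msg).items()}


def should_accept(raw):
    """Decide whether to deliver a 'send to device' attachment: (accept, reason)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, sender = parseaddr(str(msg["From"] or ""))
    sender = sender.lower()
    if sender not in APPROVED_SENDERS:
        return False, "sender not on approved list"
    from_domain = sender.rsplit("@", 1)[1]
    auth = parse_auth_results(msg)
    # DMARC pass means SPF or DKIM passed *and* aligned with the From domain.
    if auth.get("dmarc", ("", ""))[0] == "pass":
        return True, "approved sender, DMARC pass"
    # Without DMARC, accept only a DKIM signature whose d= matches the From domain.
    dkim_result, dkim_props = auth.get("dkim", ("", ""))
    m = re.search(r"header\.d=([\w.-]+)", dkim_props)
    if dkim_result == "pass" and m and m.group(1).lower() == from_domain:
        return True, "approved sender, aligned DKIM pass"
    # An SPF pass for some other domain, or no results at all, proves nothing about From.
    return False, "approved sender claimed but not authenticated"


# Constructed messages (headers kept on single lines for clarity).
LEGIT = b"""From: owner@example.com
To: name@kindle.com
Subject: Holiday reading
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

(attachment omitted)
"""

SPOOFED = b"""From: owner@example.com
To: name@kindle.com
Subject: Holiday reading
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=example.com

(attachment omitted)
"""

UNVERIFIED = b"""From: owner@example.com
To: name@kindle.com
Subject: Holiday reading

(attachment omitted)
"""

UNKNOWN_SENDER = b"""From: stranger@example.org
To: name@kindle.com
Subject: Holiday reading
Authentication-Results: mx.example.net; dmarc=pass header.from=example.org

(attachment omitted)
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed", SPOOFED),
                       ("unverified", UNVERIFIED), ("unknown sender", UNKNOWN_SENDER)]:
        print(f"{label:>15}: {should_accept(raw)}")
```

The SPOOFED message is the interesting case: SPF passes, but for the attacker's envelope domain, which says nothing about the displayed From address. Only alignment (DMARC, or DKIM d= matching From) ties the authentication result to the address the approved-sender list is keyed on.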

The KindleDrip Attack
With the emails sorted, the first step in a KindleDrip attack is to send a malicious e-book to a target. The file is sent as an attachment and automatically shows up in a user’s library. However, the victim doesn’t receive an alert that something new has been installed in the bookshelf.

“To make matters worse, there is no indication that the e-book was received from an email message,” said Bar-On. “It also appeared on the home page of the Kindle with a cover image of our choice, which makes phishing attacks much easier.”

Then, the victim enters the innocent-looking book and touches one of the links in the table of contents. The link opens the built-in browser with an HTML page that contains a malicious JPEG XR image.

The image is parsed, and malicious code now runs as root. The payload changes the boot background and restarts the device. Then, the attacker receives private credentials from the device and can log into the victim’s account.

Technical Details
To booby-trap the e-book with malicious code, the researcher found that the Kindle web browser supports the use of an obscure image format called JPEG XR. Conveniently, the Kindle itself has a firmware library called libjpegXR.so, which parses JPEG XR.

He found that it was possible to trigger a buffer overflow while parsing JPEG XR on the Kindle, with controlled bytes from a JPEG XR image file.

Immediately following the overflowed buffer there is a pointer, struct jxr_tile_qp *tile_quant. Bar-On found that the overflow could be used to overwrite this pointer so that data could be written to an attacker-controlled address – what’s known as an absolute-write primitive.

“Using the absolute-write primitive, a shellcode could be written to the executable section,” he explained. “Then, the primitive could be used again to ‘spray’ the Global Offset Table (GOT) with the address of the shellcode. The mesquite process is multi-threaded, so one of the other threads would inevitably call a function from the GOT, causing the shellcode to execute.”

With code executed, the third step in the attack is privilege escalation.

“The mesquite process is run under chroot with a weak user called framework,” he wrote. “So the previous vulnerability couldn’t be used to even reboot the device. Privilege escalation was needed.”

In looking for root processes that listen on a local socket, he uncovered something called stackdumpd.

“This process is responsible for generating stack dumps of crashed processes,” he said. “It receives information like the crashed process id and thread id, and passes it to /usr/bin/dump-stack. This is a shell script that connects to the crashed process with GDB…and like the name suggests, dumps the stack.”

GDB is a remote debugger. He found that it can run arbitrary commands given in the command argument, and thus could be used to run arbitrary code as root. There are two security checks before one is able to do so, which can be bypassed with a “simple string,” he explained. “Thus, we had a vulnerability that allowed us to execute arbitrary code under the context of the root user.”

The three issues chained together allow root RCE on a vulnerable Kindle, as shown in a proof-of-concept video.

Armed with this attack, a threat actor can snoop on users’ web sessions, steal credentials – or, more worryingly, can steal money from the victim. To siphon cash, the attacker could publish an e-book and then log into the victim’s account, using their stored credit card to buy it.

The attack works on Kindles with firmware version 5.13.2 or below; Amazon fixed KindleDrip in the latest update, firmware version 5.13.4.

“Using three different vulnerabilities, I managed to execute arbitrary code on the Amazon Kindle as the root user, given only the email address assigned to the device,” said Bar-On. “This could have allowed an attacker to access device credentials and make purchases on the Kindle store. This could also have been used to jailbreak the newest Kindle devices. Amazon took the report seriously and fixed the issues in a reasonable time.”


Abusing Windows RDP servers to amplify DDoS attacks
23.1.2021  Attack  Securityaffairs

Threat actors are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.
Attackers are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.

The Microsoft Remote Desktop Protocol (RDP) is a built-in service in Microsoft Windows operating systems that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. The RDP service can be configured to run on TCP/3389 and/or UDP/3389.
Researchers from Netscout reported that RDP servers can be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1 when the service is enabled on UDP/3389.

“When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.” reads the post published by Netscout. “The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.”

Attackers can send specially crafted UDP packets to the UDP ports of RDP servers that will be “reflected” to the target after being amplified in size.

The amplified packets in such an attack are consistently 1,260 bytes long and are padded with long strings of zeroes. The researchers pointed out that this DDoS amplification technique could be used to mount attacks with traffic volumes ranging from approximately 20 Gbps to 750 Gbps.

The researchers already identified approximately 14,000 Windows RDP servers that could be abused.

These attacks may cause partial or full interruption of mission-critical remote-access services, while wholesale filtering of all UDP/3389 traffic by network operators may potentially block legitimate traffic, such as legitimate RDP remote session replies.

To prevent an RDP server from being abused in reflection/amplification attacks, administrators should either disable the UDP transport (UDP/3389) or deploy Windows RDP servers behind VPN concentrators.

“It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse. If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure.” concludes Netscout.


Thousands of Unprotected RDP Servers Can Be Abused for DDoS Attacks
23.1.2021  Attack  Securityweek

Cybercriminals have been abusing unprotected servers running Microsoft’s Remote Desktop Protocol (RDP) service to launch distributed denial-of-service (DDoS) attacks, application and network performance management company NETSCOUT warned this week.

The Windows RDP service is designed to allow users to remotely connect to servers and other devices, often for performing maintenance, deploying updates, and providing help desk support.

Its usage increased significantly as more people started working remotely due to the COVID-19 pandemic, which has also led malicious actors to increasingly target the service to gain access to corporate resources.

However, NETSCOUT warns that RDP has also been abused for UDP reflection and amplification attacks. Windows admins can configure RDP to run on TCP port 3389 or UDP port 3389, and if the latter is enabled, the system can be abused to launch DDoS attacks that have an amplification ratio of 85.9:1.

“The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” NETSCOUT explained in its alert.
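Both write-ups give the same fingerprint for the reflected traffic: non-fragmented UDP packets sourced from port 3389, consistently 1,260 bytes on the wire, padded with long runs of zeroes, while legitimate UDP session replies vary in size and carry no such padding. The following is an added example, not NETSCOUT's or Microsoft's code, that applies that fingerprint to packet records and tallies which of your hosts are acting as reflectors and how many bytes each victim is receiving. The PacketRecord layout and the sample packets are constructed; map the fields onto your own capture or flow export. MIN_ZERO_RUN is an assumed threshold for what counts as "long strings of zeroes".

```python
"""Flag RDP (UDP/3389) reflection/amplification traffic in packet records.

Added example, not NETSCOUT's or Microsoft's code. PacketRecord fields, the
sample packets and MIN_ZERO_RUN are constructed/assumed for illustration.
"""
from collections import Counter
from typing import Iterable, NamedTuple

RDP_UDP_PORT = 3389
ATTACK_PACKET_LEN = 1260   # IP total length NETSCOUT observed for the amplified packets
MIN_ZERO_RUN = 64          # assumption: this many consecutive 0x00 bytes counts as padding

class PacketRecord(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "udp" or "tcp"
    length: int         # IP total length in bytes
    fragmented: bool    # MF flag set or non-zero fragment offset
    payload: bytes

def longest_zero_run(payload: bytes) -> int:
    """Length of the longest run of 0x00 bytes in the payload."""
    longest = run = 0
    for b in payload:
        run = run + 1 if b == 0 else 0
        longest = max(longest, run)
    return longest

def is_rdp_amplification(pkt: PacketRecord) -> bool:
    """True when a packet matches the reflected-attack fingerprint."""
    return (pkt.proto == "udp"
            and pkt.src_port == RDP_UDP_PORT
            and not pkt.fragmented
            and pkt.length == ATTACK_PACKET_LEN
            and longest_zero_run(pkt.payload) >= MIN_ZERO_RUN)

def summarize(packets: Iterable[PacketRecord]) -> dict:
    """Count suspect packets per reflector (your abusable RDP hosts) and bytes per victim."""
    reflectors, victim_bytes = Counter(), Counter()
    for p in packets:
        if is_rdp_amplification(p):
            reflectors[p.src_ip] += 1
            victim_bytes[p.dst_ip] += p.length
    return {"reflectors": dict(reflectors), "victim_bytes": dict(victim_bytes)}

# Constructed sample traffic. 1,260 bytes on the wire leaves 1,232 bytes of UDP
# payload after the 20-byte IPv4 and 8-byte UDP headers.
_ATTACK_PAYLOAD = b"\x16\x03" + b"\x00" * 1230
_SESSION_PAYLOAD = bytes(range(1, 201))        # session data: no long zero runs
SAMPLE_PACKETS = [
    # open reflectors 203.0.113.10/.11 answering toward victim 198.51.100.5
    PacketRecord("203.0.113.10", 3389, "198.51.100.5", 443, "udp", 1260, False, _ATTACK_PAYLOAD),
    PacketRecord("203.0.113.10", 3389, "198.51.100.5", 443, "udp", 1260, False, _ATTACK_PAYLOAD),
    PacketRecord("203.0.113.11", 3389, "198.51.100.5", 53, "udp", 1260, False, _ATTACK_PAYLOAD),
    # legitimate UDP RDP session reply: different length, no padding
    PacketRecord("203.0.113.10", 3389, "192.0.2.7", 61000, "udp", 228, False, _SESSION_PAYLOAD),
    # RDP over TCP cannot be used as a reflector, whatever the packet looks like
    PacketRecord("203.0.113.12", 3389, "192.0.2.8", 61001, "tcp", 1260, False, _ATTACK_PAYLOAD),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

The "reflectors" key is the list that matters to the server owner: those are the hosts answering on UDP/3389 that need to be moved behind a VPN concentrator or switched to TCP only (the Group Policy "Select RDP transport protocols" set to "Use only TCP", or the inbound UDP 3389 firewall rule disabled). Matching on length and padding rather than on port alone is what keeps the legitimate session replies NETSCOUT warns about out of the result.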

The company has reported seeing roughly 14,000 unprotected RDP servers that can be abused for such attacks.

According to NETSCOUT, DDoS attacks that abuse RDP have already been used by DDoS-for-hire services. The firm has observed attacks ranging between approximately 20 and 750 Gbps.

Organizations whose RDP servers are abused for DDoS attacks may experience partial or full disruption to important remote access services, and blocking traffic on UDP port 3389 may not be a good solution as it can lead to legitimate traffic getting blocked as well.

Enterprises have been advised to identify potentially abusable Windows RDP servers on their own networks and the networks of downstream customers, and take action to mitigate the risk. Administrators should either stop running the RDP service on UDP or place servers behind VPN concentrators to reduce the risk of abuse.

“Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational BCPs have been implemented, including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Internet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links,” NETSCOUT said.


SolarWinds Attack: Microsoft sheds lights into Solorigate second-stage activation
22.1.2021  Attack  Securityaffairs

Microsoft’s report provides details of the entire SolarWinds attack chain with a deep dive in the second-stage activation of malware and tools.
Microsoft published a new report that includes additional details of the SolarWinds supply chain attack. The new analysis sheds light on the handover from the Solorigate DLL backdoor to the Cobalt Strike loader.

The attackers kept these two components of the attack chain as separate as possible to evade detection.

The report provides details of the Solorigate second-stage activation that allowed the attackers to deliver Cobalt Strike loaders such as Teardrop and Raindrop.
The known information on the attacks confirms that the Solorigate DLL backdoor was compiled at the end of February 2020 and distributed to the potential victims in late March. Then attackers removed the Solorigate backdoor code from SolarWinds’ build environment in June 2020.

Considering that the Solorigate backdoor was designed to stay dormant for at least two weeks, the analysis of the timeline suggests that attackers spent approximately a month selecting the victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. This means that the “hands-on-keyboard activity” likely started as early as May.

“The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted from deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2).” states the report published by Microsoft.

Figure: timeline of the Solorigate attacks
Microsoft experts analyzed forensic data across the entire environment of impacted organizations to discover how the attackers moved laterally and how long they remained within the target networks.

The experts conducted a deep analysis of Microsoft 365 Defender data and Microsoft Defender telemetry.

While investigating the attack, Microsoft identified several second-stage malware and tools, including TEARDROP, Raindrop, and also other custom loaders for the Cobalt Strike beacon.

“TEARDROP, Raindrop, and the other custom Cobalt Strike Beacon loaders observed during the Solorigate investigation are likely generated using custom Artifact Kit templates.” continues the report. “Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader. Reflective DLL loading is a technique for loading a DLL into a process memory without using the Windows loader.”

Microsoft added that further attacker tactics, anti-forensic behavior, and operational security allowed them to avoid detection, and that their tradecraft stands out for following operations security (OpSec) best practices.

Some examples of why these attackers stand out for their professional OpSec methodology and anti-forensic behavior are listed below:

Methodic avoidance of shared indicators for each compromised host. Attackers prepared a unique Cobalt Strike DLL implant for each machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched.
Camouflage and blending into the environment. Attackers always renamed tools and binaries they used (e.g., ADFIND legit tool) and placed them in folders that mimicked existing programs and files already present on a machine.
Disabling event logging using AUDITPOL and re-enabling it afterward.
To avoid noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries) being detected, the attackers created special firewall rules to minimize outgoing packets for certain protocols. Then the attackers methodically removed the rules after the reconnaissance was completed.
Lateral movement activities were never executed without preparation.
Attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.

“As we continue to gain deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.” concludes Microsoft.
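The list above describes behaviour rather than indicators: Microsoft notes that implants, file names, C2 and metadata never repeat between hosts, so matching on hashes or domains finds nothing. What does repeat is the tradecraft. Below is an added example, not Microsoft's detection logic, that hunts for the four items on that list which leave process or file-system telemetry: auditpol switching audit categories off, a firewall rule added and then deleted around a reconnaissance window, AdFind-style arguments under a binary with another name, and a changed creation time on a DLL. The flat event layout (one dict per event), the sample events, the two-hour add/delete window and the AdFind switch heuristic are all constructed or assumed; map the fields onto Security 4688 or Sysmon 1/2 events in your own pipeline.

```python
"""Hunt for Solorigate-style anti-forensic tradecraft in process and file events.

Added example, not Microsoft's detection logic. Event schema, sample events,
FW_PAIR_WINDOW and the AdFind switch heuristic are constructed/assumed.
"""
import re
from datetime import datetime, timedelta

ADFIND_SWITCHES = re.compile(r'(?i)(?:^|\s)-(?:f\s+\S*objectcategory=|sc\s+\w+|gcb\b)')
AUDIT_DISABLE = re.compile(r'(?i)\bauditpol(?:\.exe)?\b.*/set\b.*/(?:success|failure):disable')
FW_RULE = re.compile(r'(?i)advfirewall\s+firewall\s+(add|delete)\s+rule\b.*?\bname=(?:"([^"]*)"|(\S+))')
FW_PAIR_WINDOW = timedelta(hours=2)   # assumption: add then delete inside this window = recon cleanup

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def audit_disabled(ev):
    return ev["event"] == "ProcessCreate" and AUDIT_DISABLE.search(ev["cmdline"]) is not None

def renamed_adfind(ev):
    """AdFind-style arguments under a binary not called adfind.exe (name/hash IOCs miss this)."""
    return (ev["event"] == "ProcessCreate"
            and _basename(ev["image"]) != "adfind.exe"
            and ADFIND_SWITCHES.search(ev["cmdline"]) is not None)

def timestomped_dll(ev):
    return ev["event"] == "FileCreateTimeChanged" and ev.get("target", "").lower().endswith(".dll")

def transient_firewall_rules(events):
    """Yield (name, added_at, deleted_at) for rules removed within FW_PAIR_WINDOW of being added."""
    added = {}
    for ev in events:
        m = FW_RULE.search(ev["cmdline"]) if ev["event"] == "ProcessCreate" else None
        if not m:
            continue
        action, name = m.group(1).lower(), m.group(2) or m.group(3)
        if action == "add":
            added[name] = ev["time"]
        elif name in added and ev["time"] - added[name] <= FW_PAIR_WINDOW:
            yield name, added.pop(name), ev["time"]

def hunt(events):
    """Return findings as (rule, time, detail) tuples in chronological order."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for ev in events:
        if audit_disabled(ev):
            findings.append(("audit_policy_disabled", ev["time"], ev["cmdline"]))
        if renamed_adfind(ev):
            findings.append(("renamed_adfind", ev["time"], ev["image"]))
        if timestomped_dll(ev):
            findings.append(("timestomped_dll", ev["time"], ev["target"]))
    for name, t_add, t_del in transient_firewall_rules(events):
        findings.append(("transient_firewall_rule", t_del, f"{name} lived {t_del - t_add}"))
    return sorted(findings, key=lambda f: f[1])

T0 = datetime(2020, 6, 4, 2, 10)
SAMPLE_EVENTS = [  # constructed; timestamps, paths and rule names are illustrative
    {"time": T0, "event": "ProcessCreate", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": 'auditpol /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"time": T0 + timedelta(minutes=1), "event": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Core Networking Diagnostics" dir=out action=block protocol=tcp remoteport=389'},
    {"time": T0 + timedelta(minutes=3), "event": "ProcessCreate",
     "image": r"C:\Program Files\Common Files\Services\svcmon.exe",
     "cmdline": 'svcmon.exe -f "(objectcategory=person)" -csv name samaccountname'},
    {"time": T0 + timedelta(minutes=40), "event": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall delete rule name="Core Networking Diagnostics"'},
    {"time": T0 + timedelta(minutes=41), "event": "FileCreateTimeChanged", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "", "target": r"C:\Windows\Temp\svchelper.dll"},
    {"time": T0 + timedelta(minutes=50), "event": "ProcessCreate", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": 'auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable'},
    # benign controls: the real AdFind under its own name, and a rule that is never deleted
    {"time": T0 + timedelta(hours=1), "event": "ProcessCreate", "image": r"C:\Tools\AdFind.exe",
     "cmdline": 'AdFind.exe -f "(objectcategory=computer)" dnshostname'},
    {"time": T0 + timedelta(hours=2), "event": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Backup Agent" dir=in action=allow protocol=tcp localport=10000'},
]

if __name__ == "__main__":
    for rule, when, detail in hunt(SAMPLE_EVENTS):
        print(when.isoformat(), rule, detail)
```

The audit-policy rule only fires on the disable; the matching re-enable fifty minutes later is what makes the gap look normal in retrospect, so on a real hunt pair the two and treat everything logged between them as suspect. The firewall pairing depends on the events reaching the collector before the host is cleaned, which is the point of Microsoft's closing remark about months of retained telemetry.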


Critical Cisco SD-WAN Bugs Allow RCE Attacks
21.1.2021  Attack  Threatpost

Cisco is stoppering critical holes in its SD-WAN solutions and its smart software manager satellite.

Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users.

Cisco issued patches addressing eight buffer-overflow and command-injection SD-WAN vulnerabilities. The most serious of these flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary code on the affected system with root privileges.

“Cisco has released software updates that address these vulnerabilities,” according to Cisco in a Wednesday advisory. “There are no workarounds that address these vulnerabilities.”

One critical-severity flaw (CVE-2021-1299) exists in the web-based management interface of Cisco SD-WAN vManage software. This flaw (which ranks 9.9 out of 10 on the CVSS scale) could allow an authenticated, remote attacker to gain root-level access to an affected system and execute arbitrary commands as the root user.

“This vulnerability is due to improper input-validation of user-supplied input to the device template configuration,” according to Cisco. “An attacker could exploit this vulnerability by submitting crafted input to the device template configuration.”

Another serious flaw is CVE-2021-1300, which ranks 9.8 out of 10 on the CVSS scale. The buffer-overflow flaw stems from incorrect handling of IP traffic; an attacker could exploit the flaw by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed. Ultimately, this allows an attacker to execute arbitrary code on the underlying operating system with root privileges.

The following products are affected if they are running a vulnerable release of the SD-WAN software: IOS XE SD-WAN Software, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software and SD-WAN vSmart Controller Software. Cisco users can view a full list of the affected software versions as well as the deployed fixed versions, on its security advisory.

Cisco said it is not aware of any exploits targeting these SD-WAN flaws.

Other Critical Cisco Flaws
Three critical flaws (CVE-2021-1138, CVE-2021-1140, CVE-2021-1142) were found in Cisco smart software manager satellite, which offers businesses real-time visibility and reporting of their Cisco licenses.

These flaws, which rank 9.8 out of 10 on the CVSS scale, stem from the Cisco smart software manager satellite’s web user interface and could allow an unauthenticated, remote attacker to execute arbitrary commands as a high-privileged user on an affected device.

“These vulnerabilities are due to insufficient input validation,” according to Cisco. “An attacker could exploit these vulnerabilities by sending malicious HTTP requests to an affected device. A successful exploit could allow the attacker to run arbitrary commands on the underlying operating system.”

The flaws affect Cisco Smart Software Manager Satellite releases 5.1.0 and earlier; fixes are available in the Cisco Smart Software Manager On-Prem releases 6.3.0 and later.

Another critical-severity flaw was found in the Command Runner tool of Cisco DNA Center, which is Cisco’s network management and command center. The flaw (CVE-2021-1264) ranks 9.6 out of 10 on the CVSS scale. This vulnerability affects Cisco DNA Center software releases earlier than 1.3.1.0; fixes are available in software releases 1.3.1.0 and later.

The flaw stems from insufficient input validation by the Command Runner tool, which allows users to send diagnostic CLI commands to selected devices. An attacker could exploit this flaw by providing crafted input during command execution or via a crafted command runner API call, according to Cisco.

“A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center,” according to Cisco.


DNSpooq Flaws Expose Millions of Devices to DNS Cache Poisoning, Other Attacks
21.1.2021  Attack  Securityweek

Researchers at Israel-based boutique cybersecurity consultancy JSOF this week disclosed the details of seven potentially serious DNS-related vulnerabilities that could expose millions of devices to various types of attacks.

The vulnerabilities, collectively tracked as DNSpooq, impact Dnsmasq, a widely used piece of open source software designed to provide DNS, DHCP, router advertisement and network boot capabilities for small networks. Its DNS subsystem “provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types.”

The software is mainly written and maintained by Simon Kelley, who has informed users about the availability of patches. The vulnerability disclosure process began in August 2020 and several impacted vendors told customers that they are working on addressing the issues.

There are two types of DNSpooq vulnerabilities: buffer overflow bugs that can lead to remote code execution and DoS attacks (tracked as CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687); and DNS response validation issues that can be exploited for DNS cache poisoning (tracked as CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686).

The buffer overflow bugs, JSOF said, pose a limited risk on their own, but they can be highly useful if combined with the flaws that allow cache poisoning.

Launching a DNS cache poisoning attack against a device can allow an attacker to redirect users to arbitrary websites, and intercept traffic associated with email, SSH, remote desktop, communications and other types of systems. An attacker could also take complete control of a targeted device using the DNSpooq vulnerabilities.
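The cache poisoning half of DNSpooq comes down to a forwarder accepting a reply it should have rejected. The following is an added example, not dnsmasq's code and not JSOF's research code, of the matching a forwarder must do before anything enters its cache, following RFC 5452: the reply has to arrive from the upstream address, on the randomised source port the query left from, carry the same transaction ID, repeat the question that was asked, and answer only for the name that was asked; and repeated queries for a name already in flight are coalesced so an attacker cannot multiply their chances of a lucky guess. The demo feeds one query three forged replies, the genuine one, and a replay. The upstream address, the names, and the 198.51.100.66 "attacker" address are constructed.

```python
"""Resolver-side validation of DNS replies, the step DNSpooq-style cache
poisoning needs to be weak.

Added example, not dnsmasq code. Implements the RFC 5452 matching checks;
UPSTREAM, the names and the demo addresses are constructed.
"""
import secrets
import struct

UPSTREAM = ("203.0.113.53", 53)   # constructed upstream resolver

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Return (lower-cased name, offset after it); follows compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # pointer into an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower(), (off if end is None else end)

def parse_message(msg):
    txid, flags, qd, an = struct.unpack("!4H", msg[:8])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def build_query(txid, name, qtype=1):
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, qname, answer_name, ip, ttl=300):
    """A-record reply; answer_name != qname lets the demo craft an off-question record."""
    rdata = bytes(int(o) for o in ip.split("."))
    return (struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
            + encode_name(answer_name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata)

class Resolver:
    def __init__(self, upstream=UPSTREAM):
        self.upstream, self.cache = upstream, {}
        self.pending = {}    # (txid, local_port) -> (qname, qtype)
        self.inflight = {}   # qname -> (txid, local_port): one outstanding query per name

    def send_query(self, name, qtype=1):
        """Return (txid, local_port, wire); a repeat of an in-flight name reuses the first query."""
        key = name.lower().rstrip(".")
        if key not in self.inflight:              # duplicates would widen a birthday attack
            txid, port = secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512)
            self.pending[(txid, port)] = (key, qtype)
            self.inflight[key] = (txid, port)
        txid, port = self.inflight[key]
        return txid, port, build_query(txid, key, qtype)

    def accept_response(self, wire, src, local_port):
        """Validate a reply; return 'cached' or the reason it was dropped (nothing cached on a drop)."""
        if src != self.upstream:
            return "dropped: not from the upstream address"
        msg = parse_message(wire)
        if not msg["flags"] & 0x8000:
            return "dropped: not a response"
        key = (msg["txid"], local_port)
        if key not in self.pending:
            return "dropped: txid/port do not match an outstanding query"
        qname, qtype = self.pending[key]
        if msg["questions"] != [(qname, qtype, 1)]:
            return "dropped: question section does not match the query"
        if any(name != qname for name, *_ in msg["answers"]):
            return "dropped: answer for a name that was not queried"
        for name, rtype, rclass, _ttl, rdata in msg["answers"]:
            if (rtype, rclass) == (1, 1):
                self.cache[name] = ".".join(map(str, rdata))
        del self.pending[key]
        self.inflight.pop(qname, None)
        return "cached"

def demo():
    """One query, then: three forgeries, a spoofed source, the genuine answer, a replay."""
    r = Resolver()
    txid, port, _ = r.send_query("bank.example")
    forged = lambda q, a: build_response(txid, q, a, "198.51.100.66")   # attacker-chosen address
    out = {}
    out["spoofed_source"] = r.accept_response(forged("bank.example", "bank.example"), ("198.51.100.66", 53), port)
    out["wrong_port"] = r.accept_response(forged("bank.example", "bank.example"), UPSTREAM, (port + 1) % 65536)
    out["wrong_question"] = r.accept_response(forged("evil.example", "bank.example"), UPSTREAM, port)
    out["off_question_answer"] = r.accept_response(forged("bank.example", "mail.example"), UPSTREAM, port)
    out["genuine"] = r.accept_response(build_response(txid, "bank.example", "bank.example", "192.0.2.10"), UPSTREAM, port)
    out["replay"] = r.accept_response(forged("bank.example", "bank.example"), UPSTREAM, port)
    out["cache"] = dict(r.cache)
    return out
```

The source-address check on its own is worth little, because a blind attacker simply spoofs the upstream's IP; what makes guessing impractical is the entropy of transaction ID plus source port together with a single outstanding query per name. That is also why JSOF lists SAD DNS as a combination partner: a side channel that narrows the source port removes one of the two factors this code relies on.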

“Combining the vulnerabilities found by JSOF with other recently-disclosed network attacks could potentially lead to much easier and more widespread attack possibilities, an area of research which can be explored further,” JSOF said. “This includes vulnerabilities such as NAT-slipstreaming, found by Samy Kamkar, SAD DNS, found by researchers at University of California Riverside, and the lack of destination-side source address validation as found by researchers at Brigham Young University, as well as other academic research on DNS.”

According to JSOF, malicious actors could easily exploit the DNSpooq vulnerabilities directly from the internet as there are roughly one million Dnsmasq servers exposed to the web. The flaws can also be exploited by an attacker who is on the same network as the targeted system, or through web browsers. However, JSOF noted that browser-based attacks are not easy to conduct and they only work against some browsers — exploitation has been confirmed to work against Safari on an iPhone, but it does not appear to work against Chrome.

Red Hat explained that DNS cache poisoning attacks can be conducted against clients that use Dnsmasq as a DNS server, and involves providing them incorrect name resolutions for poisoned entries. Exploitation of the memory corruption bugs involves “the collaboration of a dnsmasq client or other ways to make a client start a series of DNS queries to dnsmasq for an attacker-controlled domain.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to warn organizations about the risks posed by the DNSpooq vulnerabilities.

Vendor response

An advisory issued on Tuesday by the CERT Coordination Center at Carnegie Mellon University lists hundreds of vendors that may be impacted, and over a dozen companies have confirmed that — at least to some extent — their products are affected.

Sophos has published an advisory informing customers that the vulnerabilities only appear to impact its Sophos Remote Ethernet Device (RED) appliance.

Cisco has released a long list of products impacted by the security flaws and says it’s working on developing patches. The networking giant noted that none of its products are affected by the memory corruption bugs that can lead to remote code execution and DoS attacks.

Siemens, on the other hand, says its SCALANCE and RUGGEDCOM industrial devices are impacted only by the three security holes that can be exploited for DNS cache poisoning. The German industrial giant is working on patches and, in the meantime, it has shared some workarounds and mitigations.

The OpenWrt Project, the developer of the popular Linux operating system for embedded devices, also issued an advisory, telling users that OpenWrt versions 19.07.0 through 19.07.5 are affected. Fixes will be included in the upcoming 19.07.6 release.

Red Hat says the vulnerabilities impact Red Hat Enterprise Linux 8 (non-default configuration), as well as Enterprise Linux 6, 7 and 8. Red Hat OpenStack Platform 10 and 13, and Red Hat Virtualization 4.3 and 4.4 may also be affected.

Ubuntu and SUSE have also released advisories.


Vishing attacks conducted to steal corporate accounts, FBI warns
20.1.2021  Attack  Securityaffairs

The Federal Bureau of Investigation (FBI) has issued a notification warning of ongoing vishing attacks attempting to steal corporate accounts.
The Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) that warns of ongoing vishing attacks aimed at stealing corporate accounts and credentials from US and international-based employees.

Vishing (also known as voice phishing) is a social engineering attack technique where attackers impersonate a trusted entity during a voice call in an attempt to trick victims into providing sensitive information.

The alert highlights that during the COVID-19 pandemic organizations are more exposed to these attacks because they quickly changed their working processes to maintain social distancing. As a result, network access and privilege escalation may not be fully monitored.

The threat actors are using Voice over Internet Protocol (VoIP) platforms to obtain employees’ credentials.

“Cyber criminals are trying to obtain all employees’ credentials, not just individuals who would likely have more access based on their corporate position.” reads the FBI alert. “The cyber criminals vished these employees through the use of VoIP platforms.”

Once they had gained access to the network, the crooks expanded that access, for example by escalating the privileges of the compromised employees’ accounts.

The alert reports the case of an attack in which cyber criminals found an employee via the company’s chatroom and tricked him into logging into a fake VPN page. The attackers then used these credentials to log into the company’s VPN and performed reconnaissance to find employees with higher privileges who could perform username and e-mail changes; they found one such employee through a cloud-based payroll service and used a chatroom messaging service to phish that employee as well.

Below the mitigations recommended by the FBI:

Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.

This is the second warning alerting of active vishing attacks targeting employees issued by the FBI since the start of the pandemic after an increasing number of them have become teleworkers.

In August 2020, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning remote workers of an ongoing vishing campaign targeting companies from several US industry sectors.


Attackers targeted Accellion FTA in New Zealand Central Bank attack
14.1.2021  Attack  Securityaffairs

The root cause for the hack of the New Zealand Central Bank was the Accellion FTA (File Transfer Application) file sharing service.
During the weekend, the New Zealand central bank announced that a cyber attack had hit its infrastructure. According to the Government organization, one of its data systems was breached by an unidentified hacker, and commercially and personally sensitive information might have been accessed by the attackers.

According to Governor Adrian Orr, the attack did not impact the bank’s core operations, and the security breach has been contained. In response to the incident, the affected system was taken offline.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” the bank’s governor, Adrian Orr, said.

“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.” “We recognise the public interest in this incident however we are not in a position to provide further details at this time.”

National authorities immediately launched an investigation into the incident with the help of cybersecurity experts.

According to the bank, threat actors compromised a service that stored commercially and personally sensitive information.

Early this week, the Reserve Bank of New Zealand confirmed that it uses Accellion FTA service to share information with external stakeholders.

“The Reserve Bank of New Zealand – Te Pūtea Matua continues to respond with urgency to a breach of a third party file sharing service used to share information with external stakeholders.” reads the press release published by the Reserve Bank.

The bank confirmed that a third party file sharing service provided by Accellion called FTA (File Transfer Application), which it was using, was illegally accessed in mid-December.

The bank is not providing additional information on the intrusion to avoid affecting the investigation.

According to Accellion, fewer than 50 customers were affected by the flaw.

“In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20 year old product that specializes in large file transfers.” reads the advisory published by the company. “Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.”

Accellion pointed out that its enterprise content firewall platform, kiteworks, was not involved in any way.

“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence,” concludes the US-based vendor.


New Zealand Central Bank Says Accellion Service at Heart of Cyberattack
14.1.2021  Attack  Securityweek

The Reserve Bank of New Zealand – Te Pūtea Matua – says Accellion’s FTA (File Transfer Application) file sharing service was involved in a security incident disclosed on Sunday.

The malicious incident, the bank said, involved a service that stored commercially and personally sensitive information, but the bank could not provide specific details on the type of data that might have been accessed.

On Monday, the Reserve Bank of New Zealand revealed that it uses Accellion’s FTA service for the sharing of information with external stakeholders. The incident, the bank said, was contained, the system taken offline, and an investigation launched into the matter.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” the bank's governor, Adrian Orr, said.

The root cause of the incident appears to be a critical vulnerability in FTA that Accellion identified in mid-December, and which was immediately addressed.

The Palo Alto, California-based company, which provides cloud solutions aiming to secure file sharing and collaboration, said a patch for the security bug was sent to all of the affected customers (less than 50 in total) within 72 hours after disclosure.

Accellion also underlines that FTA is a legacy product, and encourages customers to upgrade to the Kiteworks enterprise content firewall platform.

“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence,” the company said.

The Reserve Bank noted that Accellion informed them that the disclosed security incident did not appear to target the bank specifically, and that other customers of the FTA file sharing service were affected as well.

The bank would not provide additional information on the incident at the moment, as this “could adversely affect the investigation and the steps being taken to mitigate the breach,” but says its services remain functional.


Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack
13.1.2021  Attack  Threatpost

A sophisticated threat actor has hijacked email security connections to spy on targets.

A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services has been “compromised by a sophisticated threat actor,” the company has announced.

Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast’s servers. The certificate in question is used to verify and authenticate those connections made to Mimecast’s Sync and Recover (backups for mailbox folder structure, calendar content and contacts from Exchange On-Premises or Microsoft 365 mailboxes), Continuity Monitor (looks for disruptions in email traffic) and Internal Email Protect (IEP) (inspects internally generated emails for malicious links, attachments or for sensitive content).

A compromise means that cyberattackers could take over the connection through which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers’ Microsoft 365 Exchange Web Services and steal information.


“The certificates that were compromised were used by Mimecast email security products,” Terence Jackson, CISO at Thycotic, told Threatpost. “These products would access customers’ Microsoft 365 Exchange servers in order for them to provide security services (backup, spam and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”

There would be additional steps necessary for the attacker to compromise sensitive information, according to Chris Clements, vice president of Solutions Architecture at Cerberus Sentinel.

“They don’t appear to have identified the exact nature and use case for the certificate compromised but two possibilities are likely,” he told Threatpost. “First, if the stolen certificate was used for Mimecast customers to verify the validity of the servers their users connect to (user -> Mimecast), it would allow an attacker that was able to man-in-the middle the user to server connection to easily decrypt the encrypted data stream and access potentially sensitive information.”

This would require the attackers to have compromised a device in the data path between the Mimecast customer’s users and servers; be present on the same local network to perform an ARP spoofing attack; or simply be connected to the same open Wi-Fi network.

“The other much worse possibility is that the stolen certificate was used to authenticate from Mimecast servers directly to Microsoft 365 (Mimecast -> MS365),” he said. “If this were the case and no other security controls limiting access were in place, attackers with this certificate could potentially use it to connect directly to Microsoft and access all of the customer’s data.”

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told Threatpost that attackers could also possibly disable Office 365’s Mimecast protections altogether to make an email-borne attack more effective.

“This would allow access to mail hosted on Office 365, possibly disable certain services like threat protection and alerts, and possibly more,” he said. “This is a compromise of a machine identity: the certificate is the identity of Mimecast services authenticating to Microsoft cloud.”

Mimecast Remains Mum
When reached for comment, a Mimecast spokesperson only said, “Our investigation is ongoing and we don’t have anything additional to share at this time. All updates from Mimecast will be delivered through our blog.”

Mimecast, in a short online posting on Tuesday, said that about 10 percent of its customers use the affected connections. It notes on its website that it has around 36,000 customers, so 3,600 could be potentially compromised. The company went on to say that out of those, “there are indications that a low single digit number of our customers’ Microsoft 365 tenants were targeted. We have already contacted these customers to remediate the issue.”

The hack was brought to Mimecast’s attention by Microsoft, which plans to disable the certificate’s use for Microsoft 365 starting on Jan. 18. In the meantime, Mimecast has issued a new certificate and is urging users to re-establish their connections with the fresh authentication.

The attack is reminiscent of the recently discovered SolarWinds hacks, because of the use of third-party software to reach targets. And indeed, researchers speaking anonymously to Reuters about the Mimecast incident told the outlet that they suspected the same advanced persistent threat responsible for the SolarWinds supply-chain attack is at work here.

Mimecast declined to comment on that assessment.

“The attack against Mimecast and their secure connection to Microsoft’s Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies,” Saryu Nayyar, CEO at Gurucul, said via email. “This shows the skill and tenacity state and state-sponsored actors can bring to bear when they are pursuing their agenda. Against this sort of opponent, civilian organizations will need to up their game if they don’t want to become the next headline. Basic cybersecurity is not enough. Organizations need to employ industry best practices, and then go farther with user education, programs to review and update their security, and deploying best in breed security solutions…The long-term advantage is that defenses designed to resist a state-level attack should be more than enough to thwart the more common cybercriminal.”


New Zealand central bank hit by a cyber attack
11.1.2021 
Attack  Securityaffairs

A cyber attack hit the New Zealand central bank; sensitive information may have been accessed by the intruders.
The New Zealand central bank announced today that a cyber attack hit its infrastructure. According to the government organization, one of its data systems was breached by an unidentified hacker, and commercially and personally sensitive information might have been accessed by the attackers.

“A third party file sharing service used by the Reserve Bank of New Zealand to share and store sensitive information had been illegally accessed, the Wellington-based bank said in a statement,” NBC News reported.

According to Governor Adrian Orr, the attack did not impact the bank’s core operations, and the security breach has been contained. In response to the incident, the affected system was taken offline.

National authorities are investigating the incident with the help of cybersecurity experts.

“We are working closely with domestic and international cybersecurity experts and other relevant authorities as part of our investigation and response to this malicious attack,” Orr said.

“The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”

“It will take time to understand the full implications of this breach and we are working with system users whose information may have been accessed.”

The New Zealand central bank did not provide details about the attack; it is not clear when it took place or how the attackers breached the system.

Media pointed out that other organizations in New Zealand were hit by cyber attacks in the past months, including the New Zealand stock exchange (NZX), whose trading was halted for 2 days in August after a DDoS attack from abroad.

According to the latest report published by government agency CERT (Computer Emergency Response Team), cyber attacks in the country had increased 33% year-on-year.


New Zealand Central Bank Hit by Cyber Attack
11.1.2021 
Attack  Securityweek

New Zealand's central bank said Sunday it was responding with urgency to a "malicious" breach of one of its data systems, a third-party file sharing service that stored "sensitive information".

Reserve Bank of New Zealand governor Adrian Orr said the breach had been contained and the system was taken offline but it would take time to determine what information had been accessed.

"We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack," Orr said.

"The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information," he added.

"It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed."

In its latest report, the government agency CERT (Computer Emergency Response Team) said cyber attacks had increased 33 percent year-on-year in New Zealand.

The country's stock exchange was targeted by sustained DDoS (distributed denial of service) attacks last August, forcing trading to be halted on four consecutive days.


New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys
9.1.2021 
Attack  Thehackernews
Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.

But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.

The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim's account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections.

"The adversary can sign in to the victim's application account without the U2F device, and without the victim noticing," NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis.

"In other words, the adversary created a clone of the U2F device for the victim's application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials."

The full list of products impacted by the flaw includes all versions of the Google Titan Security Key, Yubico YubiKey Neo, Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40.

Besides the security keys, the attack can also be carried out on NXP JavaCard chips, including NXP J3D081_M59_DF, NXP J3A081, NXP J2E081_M64, NXP J3D145_M59, NXP J3D081_M59, NXP J3E145_M64, and NXP J3E081_M64_DF, and their respective variants.

The key-recovery attack, while doubtless severe, needs to meet a number of prerequisites in order to be successful.

An actor would first have to steal the login and password of an account secured by the physical key, then stealthily gain access to the Titan Security Key in question, acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.

"It is still safer to use your Google Titan Security Key or other impacted products as a FIDO U2F two-factor authentication token to sign in to applications rather than not using one," the researchers said.

To clone the U2F key, the researchers set about the task by tearing the device down using a hot air gun to remove the plastic casing and expose the two microcontrollers soldered in it — a secure enclave (NXP A700X chip) that's used to perform the cryptographic operations and a general-purpose chip that acts as a router between the USB/NFC interfaces and the authentication microcontroller.

Once this is achieved, the researchers say it's possible to glean the ECDSA private key via a side-channel attack by observing the electromagnetic emissions coming off the NXP chip during ECDSA signatures, the core cryptographic operation of the FIDO U2F protocol that's performed when a U2F key is registered for the first time to work with a new account.

A side-channel attack typically works based on information gained from the implementation of a computer system, rather than exploiting a weakness in the software. Often, such attacks leverage timing information, power consumption, electromagnetic leaks, and acoustic signals as a source of data leakage.

By acquiring 6,000 such side-channel traces of the U2F authentication request commands over a six-hour period, the researchers said they were able to recover the ECDSA private key linked to a FIDO U2F account created for the experiment using an unsupervised machine learning model.
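The relying-party side of the ECDSA operation discussed above, as an added example in Go (it is not code from the NinjaLab analysis or from any key vendor): it rebuilds the bytes a U2F token signs, verifies the P-256 signature against the public key stored at registration, and compares the response counter with the last one accepted. The counter comparison is what gives a server a chance to notice that a second device, signing with the same private key but with a counter that lags behind, is in play. The application ID, the challenge values and the in-memory "soft token" standing in for the secure element are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrNoUserPresence      = errors.New("u2f: user-presence bit not set")
	ErrBadSignature        = errors.New("u2f: ECDSA signature does not verify")
	ErrCounterNotIncreased = errors.New("u2f: counter did not increase; a second device may hold this key")
)

// Registration is what the relying party keeps per enrolled token: the P-256 public
// key learned at registration and the highest counter value accepted so far.
type Registration struct {
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

// AuthResponse holds the fields of a U2F authentication response:
// user-presence byte, 4-byte big-endian counter, DER-encoded ECDSA signature.
type AuthResponse struct {
	UserPresence byte
	Counter      uint32
	Signature    []byte
}

// signedBytes rebuilds the message the token signs (FIDO U2F raw message format):
// application parameter (32) || user presence (1) || counter (4) || challenge parameter (32).
func signedBytes(appParam, challengeParam [32]byte, userPresence byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, 69)
	msg = append(msg, appParam[:]...)
	msg = append(msg, userPresence)
	msg = append(msg, ctr[:]...)
	return append(msg, challengeParam[:]...)
}

// VerifyAuth checks a response against the stored registration. The signature check is
// the ECDSA operation the article describes; the counter check is what lets the server
// notice a device with a stale counter signing with the same private key.
func VerifyAuth(reg *Registration, appParam, challengeParam [32]byte, resp AuthResponse) error {
	if resp.UserPresence&0x01 == 0 {
		return ErrNoUserPresence
	}
	digest := sha256.Sum256(signedBytes(appParam, challengeParam, resp.UserPresence, resp.Counter))
	if !ecdsa.VerifyASN1(reg.PubKey, digest[:], resp.Signature) {
		return ErrBadSignature
	}
	if resp.Counter <= reg.LastCounter {
		return ErrCounterNotIncreased
	}
	reg.LastCounter = resp.Counter
	return nil
}

// softToken is a constructed stand-in for the secure element: a private key plus a counter.
type softToken struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func (t *softToken) authenticate(appParam, challengeParam [32]byte) (AuthResponse, error) {
	t.counter++
	digest := sha256.Sum256(signedBytes(appParam, challengeParam, 0x01, t.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return AuthResponse{UserPresence: 0x01, Counter: t.counter, Signature: sig}, err
}

// Scenario enrols a token and verifies two responses: one from the enrolled token and
// one from a second token holding a copy of the same key but a counter that lags behind.
func Scenario() (legitErr, staleErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	appParam := sha256.Sum256([]byte("https://example.test")) // constructed application ID
	reg := &Registration{PubKey: &priv.PublicKey}
	enrolled := &softToken{priv: priv, counter: 41}
	stale := &softToken{priv: priv, counter: 40} // same key material, counter behind
	ch1 := sha256.Sum256([]byte("challenge-1"))  // constructed challenge parameters
	r1, err := enrolled.authenticate(appParam, ch1)
	if err != nil {
		return err, err
	}
	legitErr = VerifyAuth(reg, appParam, ch1, r1) // counter 42 > 0: accepted
	ch2 := sha256.Sum256([]byte("challenge-2"))
	r2, err := stale.authenticate(appParam, ch2)
	if err != nil {
		return legitErr, err
	}
	staleErr = VerifyAuth(reg, appParam, ch2, r2) // signature valid, counter 41 <= 42: rejected
	return legitErr, staleErr
}

func main() {
	legitErr, staleErr := Scenario()
	fmt.Println("enrolled token:", legitErr)
	fmt.Println("stale-counter token:", staleErr)
}
```

The order of checks matters: the signature is verified before the counter is consulted, so a counter that goes backwards on a response that is otherwise cryptographically valid is exactly the case a server should log and investigate, rather than a malformed request to be dropped silently.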

Although the security of a hardware security key isn't diminished by the above attack due to the limitations involved, a potential exploitation in the wild is not inconceivable.

"Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it," the researchers concluded. "Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered."


Ezuri Memory Loader Abused in Linux Attacks
8.1.2021 
Attack  Securityweek

Security researchers at AT&T’s Alien Labs have identified multiple malware attacks leveraging the Ezuri memory loader to execute payloads without writing them to disk.

Executed directly in memory, without leaving traces on disk, fileless malware is commonly used in attacks targeting Windows systems, but isn’t often seen in malware attacks targeting Linux.

As part of the observed attacks, Ezuri is used to decrypt the malicious payloads and leverages memfd_create to execute them, Ofer Caspi and Fernando Martinez of AT&T Alien Labs explain.
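An added example, not code from Alien Labs or from the Ezuri project: a small Go scanner for the memfd_create trace mentioned above. When an ELF is executed from an anonymous memfd, the kernel reports the /proc/<pid>/exe link target as "/memfd:<name> (deleted)", so a sweep of procfs picks up such processes even though the payload never touched disk. The classifier is separated from the procfs walk so it can be exercised on constructed link targets.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Finding describes a process whose executable image is not a regular file on disk.
type Finding struct {
	PID    int
	Target string // resolved /proc/<pid>/exe link
	Reason string
}

// ClassifyExeTarget decides whether a resolved /proc/<pid>/exe link is suspicious.
// An ELF run from memfd_create(2) shows up as "/memfd:<name> (deleted)"; a binary
// that was unlinked after exec keeps its path with a " (deleted)" suffix.
func ClassifyExeTarget(pid int, target string) (Finding, bool) {
	switch {
	case strings.HasPrefix(target, "/memfd:"):
		return Finding{pid, target, "executable backed by memfd_create"}, true
	case strings.HasSuffix(target, " (deleted)"):
		return Finding{pid, target, "executable unlinked after exec"}, true
	}
	return Finding{}, false
}

// ScanProc walks a procfs tree (normally "/proc") and returns the suspicious processes.
// Unreadable links (kernel threads, exited processes, permission denied) are skipped,
// so run it as root to cover every PID.
func ScanProc(procRoot string) ([]Finding, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a PID directory
		}
		target, err := os.Readlink(filepath.Join(procRoot, e.Name(), "exe"))
		if err != nil {
			continue
		}
		if f, ok := ClassifyExeTarget(pid, target); ok {
			findings = append(findings, f)
		}
	}
	return findings, nil
}

func main() {
	findings, err := ScanProc("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("pid=%d %s: %s\n", f.PID, f.Reason, f.Target)
	}
	fmt.Printf("%d suspicious process(es)\n", len(findings))
}
```

A memfd-backed or unlinked executable is a lead, not a verdict: some runtimes and sandboxes use memfd legitimately, so each hit is best triaged against its parent process and the file the loader was started from.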

Written in Golang, the loader is based on the "Ezuri" code published on GitHub by a user going by the online handle guitmz. The ELF loader was initially created around March 2019, with the same code posted again in August on a small forum by a user named ‘TMZ’.

The tool first requests a path for the payload to be encrypted and a password for the AES encryption (though it can generate one if none is provided). Next, it compiles the loader with the payload encrypted within. The user needs to provide the file to be hidden, as well as a target process name and an AES key for encryption (optional).

Over the past few months, several malware authors used the Ezuri loader, including TeamTNT, a cybercrime group focused on injecting distributed denial-of-service malware and crypto-miners into victim machines.

Active since at least April 2020, the group appears to have evolved towards the end of the year, with new crypto-mining malware (named Black-T) designed to install network scanners and retrieve credentials from memory.

One of the samples used by the group, however, is actually an Ezuri loader, based on code similarities with the original tool, AT&T’s researchers say.

The packer also helps malware authors lower antivirus detection for their payloads, the researchers note.

Several samples of the distributed denial of service-capable Internet of Things (IoT) bot Gafgyt were also observed using the Ezuri loader and packer.


Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks
8.1.2021  Attack  Securityweek

Several potentially serious vulnerabilities discovered in Fortinet’s FortiWeb web application firewall (WAF) could expose corporate networks to attacks, according to the researcher who found them.

Fortinet this week informed customers about the availability of patches for a total of four vulnerabilities affecting its FortiWeb product. According to advisories published by the company, the flaws can be exploited for denial-of-service (DoS) attacks and to execute unauthorized code or commands.

The CVE identifiers CVE-2020-29015, CVE-2020-29016, CVE-2020-29019 and CVE-2020-29018 have been assigned.

Three of the flaws, described as a SQL injection issue and two buffer overflows, can be exploited by a remote attacker without authentication. However, Fortinet only assigned them a CVSS score of 6.4 (medium severity) and a risk rating of 3/5.

Andrey Medov, lead security researcher at Positive Technologies, who discovered the vulnerabilities, told SecurityWeek that he does not agree with Fortinet’s assessment.

“We believe the severity is more critical than the score assigned by the vendor,” Medov said. “For example, CVE-2020-29016 can enable code execution, a risk usually rated very high, such as 9.8. It's highly likely it can be exploited, so we would not assign it a 3 out of 5, but under this flat scale, a 5 out of 5. Moreover, 3 out of 4 of the flaws we uncovered require no authorization for attackers to exploit them, signaling that they are very critical.”

The vulnerabilities were discovered in the FortiWeb administration interface.

“If the admin panel is accessed from outside an enterprise, the attacker can exploit the vulnerabilities and further develop attacks on the corporate network,” Medov explained.

The researcher said the vulnerability disclosure process took 120 days.

It’s important that users install the available patches as soon as possible considering that threat actors, including ones associated with nation states, have been known to exploit vulnerabilities in Fortinet products.


Recently disclosed CVE-2020-29583 Zyxel flaw already under opportunistic attack
7.1.2021 
Attack  Securityaffairs

Threat actors are attempting to hack Zyxel devices exploiting the recently disclosed vulnerability CVE-2020-29583, security researchers warn.
The Taiwanese vendor Zyxel has recently addressed a critical vulnerability in its firmware, tracked as CVE-2020-29583, related to the presence of a hardcoded undocumented secret account. The vulnerability received a CVSS score of 7.8; it could be exploited by an attacker to log in with administrative privileges and take over the networking devices.

“Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware.” reads the advisory published by NIST. “This account can be used by someone to login to the ssh server or web interface with admin privileges.”

The CVE-2020-29583 flaw affects the firmware version 4.60 that is used by multiple Zyxel devices.

The vendor removed all vulnerable firmware versions from its cloud and website, except for USG FLEX 100W/700 due to base FW upgrade.

Impacted devices include Unified Security Gateway (USG), ATP, USG FLEX and VPN firewalls products.

According to the vendor, the hidden account was used to deliver automatic firmware updates to connected access points through FTP.
Unfortunately, a few days after the disclosure of the flaw, threat actors started attempting to exploit it.

Security experts observed a small number of attacks attempting to trigger the CVE-2020-29583 flaw.

Security experts from threat intelligence firm GreyNoise are observing the attempts to access the vulnerable device using the Zyxel undocumented account since early January.

According to GreyNoise, the attacks are opportunistic exploitation of the Zyxel backdoor; the same threat actors are also crawling SOHO routers exposed online.

At the time of this writing, the attacks have yet to be attributed to a specific threat actor.


The vulnerability was discovered by the security researcher Niels Teusink from EYE.

The expert discovered an undocumented account (“zyfwp”) with the password “PrOw!aN_fXp” stored in plaintext. The credentials could also be used by a malicious third party to log in to the SSH server or web interface with admin privileges.

“When doing some research (rooting) on my Zyxel USG40, I was surprised to find a user account ‘zyfwp’ with a password hash in the latest firmware version (4.60 patch 0). The plaintext password was visible in one of the binaries on the system.” reads the post published by Teusink. “I was even more surprised that this account seemed to work on both the SSH and web interface.”

$ ssh zyfwp@192.168.1.252
Password: Pr*******Xp
Router> show users current
No: 1
Name: zyfwp
Type: admin
(...)
Router>
The expert pointed out that the user is not visible in the device’s interface and its password cannot be changed.
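The point that the account is invisible in the device's interface suggests a defensive check, given here as an added example in Go (it is not the vendor's tooling or code from the researcher's post): any login attempt against an account that does not appear in the administrator's own user roster deserves an alert, and a successful one more so, because a hidden vendor account can never be in that roster. The log lines are constructed in a generic syslog/OpenSSH style rather than Zyxel's actual log format, and the roster is constructed too; the regular expression is the part to adapt to what the appliance really emits.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in a generic syslog/OpenSSH style. This is NOT the Zyxel
// log format; adapt loginRE to whatever the appliance actually writes.
const sampleAuthLog = `Jan  5 09:14:02 usg40 sshd: Accepted password for admin from 192.0.2.10 port 50112
Jan  5 09:20:45 usg40 sshd: Failed password for zyfwp from 198.51.100.23 port 41002
Jan  5 09:20:49 usg40 sshd: Accepted password for zyfwp from 198.51.100.23 port 41003
Jan  5 10:02:11 usg40 sshd: Accepted password for netops from 192.0.2.11 port 50990
Jan  5 10:05:00 usg40 sshd: Failed password for root from 203.0.113.44 port 33120`

// loginRE pulls the outcome, the account name and the source address out of a line.
var loginRE = regexp.MustCompile(`sshd: (Accepted|Failed) \S+ for (\S+) from (\S+) port`)

type LoginEvent struct {
	Accepted bool
	User     string
	Source   string
	Line     string
}

type Alert struct {
	Event  LoginEvent
	Reason string
}

// ParseLogins extracts login events from raw log text, skipping lines that do not match.
func ParseLogins(logText string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(logText, "\n") {
		m := loginRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		events = append(events, LoginEvent{Accepted: m[1] == "Accepted", User: m[2], Source: m[3], Line: line})
	}
	return events
}

// FlagUnknownAccounts raises an alert for every attempt against an account that is not
// in the roster of accounts the administrator created on the device. A hidden vendor
// account never appears in that roster, so each attempt against it surfaces here;
// an accepted login is reported as the more urgent case.
func FlagUnknownAccounts(events []LoginEvent, roster map[string]bool) []Alert {
	var alerts []Alert
	for _, ev := range events {
		if roster[ev.User] {
			continue
		}
		reason := "login attempt for account not in device roster"
		if ev.Accepted {
			reason = "SUCCESSFUL login for account not in device roster"
		}
		alerts = append(alerts, Alert{Event: ev, Reason: reason})
	}
	return alerts
}

func main() {
	roster := map[string]bool{"admin": true, "netops": true} // constructed admin-created accounts
	for _, a := range FlagUnknownAccounts(ParseLogins(sampleAuthLog), roster) {
		fmt.Printf("%s user=%s src=%s\n", a.Reason, a.Event.User, a.Event.Source)
	}
}
```

On the constructed input this yields three alerts: the failed and the successful zyfwp logins and the failed root attempt. The design deliberately keys on "not in the roster" rather than on the one account name known today, so the same rule keeps working for any other undocumented principal.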

Teusink also revealed that more than 100,000 Zyxel devices expose their web interface to the Internet, adding that around 10% of 1000 devices in the Netherlands run a vulnerable version of the firmware.


ElectroRAT Drains Cryptocurrency Wallet Funds of Thousands
6.1.2021 
Cryptocurrency  Threatpost

At least 6,500 cryptocurrency users have been infected by new, ‘extremely intrusive’ malware that’s spread via trojanized macOS, Windows and Linux apps.

A new remote access tool (RAT) has been discovered being used in an extensive campaign. The attack has targeted cryptocurrency users in an attempt to collect their private keys and ultimately to drain their wallets.

The never-before-seen RAT at the center of the campaign, which researchers dub ElectroRAT, is written in the Go programming language and is compiled to target a number of different operating systems, including Windows, Linux and MacOS.

The campaign was discovered in December 2020 – but researchers believe it initially began a year ago, and estimate that at least 6,500 victims have been infected, based on the number of unique visitors to the Pastebin pages used to locate command and control (C2) servers.

“ElectroRAT is extremely intrusive,” according to Intezer researchers in a Tuesday morning analysis. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and MacOS variants.”

The Attack
The attacker behind the campaign first lured cryptocurrency users to download trojanized applications. These applications, which were promoted on cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan, relate directly to cryptocurrency. For instance, they purport to be “Jamm” and “eTrade,” which are cryptocurrency trade management applications, and “DaoPoker,” a cryptocurrency poker app.

One trojanized application used to spread ElectroRAT. Credit: Intezer

“The trojanized applications are applications developed by the attacker and hosted on websites which were also developed by the attacker,” Avigayil Mechtinger, security researcher at Intezer, told Threatpost. Though these applications do function, she said, “ElectroRAT is embedded inside of these applications, so upon execution a victim will see the application’s GUI, however ElectroRAT will run hidden in the background.”

The attacker also “went the extra mile” to create Twitter and Telegram personas for the “DaoPoker” application on social media, and even paid an unnamed social media influencer (with more than 25K followers on Twitter) to advertise the trojanized apps.

These apps were built using the app-building platform Electron, with ElectroRAT embedded inside the app. Once a victim opens and runs the application, ElectroRAT runs secretly in the background as “mdworker”.

The attack process. Credit: Intezer

Then, the RAT targets victims’ private crypto keys. A private key allows a user to access his or her cryptocurrency wallet; access to this would give attackers the ability to take hold of victim wallets, said researchers.

“We have evidence that it was used to steal crypto wallets, however it has the capability to gather any information from the victim’s machine,” said Mechtinger. She told Threatpost that researchers do not have information about how much money was stolen.

Upon closer inspection, researchers found that ElectroRAT contacts raw Pastebin pages to retrieve the C2 IP address. Upon viewing the Pastebin pages, researchers noted the first pages were posted on Jan. 8, 2020 – indicating the operation has been active for at least a year.

Potential scam victims should make sure to delete all files related to the malware, move their funds to a new wallet and change all of their passwords, said researchers.

Golang: An Increasing Cybercrime Favorite
Researchers noted that ElectroRAT is the latest example of attackers utilizing the Go programming language to develop multi-platform malware. Previously discovered Golang malware variants include the Blackrota backdoor and a “Golang” cryptomining worm.

“It is very uncommon to see a RAT written from scratch and used to steal personal information of cryptocurrency users,” said researchers. “It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media.”


Cyberattacks on Healthcare Spike 45% Since November

6.1.2021  Attack  Threatpost

The relentless rise in COVID-19 cases is battering already frayed healthcare systems — and ransomware criminals are using the opportunity to strike.

As COVID-19 ravages international healthcare systems, cybercriminals have decided to leverage the increasingly dire circumstances to squeeze a few bucks out of the human suffering.

According to new findings from Check Point Software, healthcare organizations have seen a 45-percent increase in cyberattacks since November, more than double the average 22-percent increase seen across other industry sectors.

Researchers said these attacks include botnets, remote code execution and DDoS, but it’s ransomware that’s really become the weapon-of-choice against healthcare organizations.

“Ransomware attacks against hospitals and related organizations are particularly damaging, because any disruption to their systems could affect their ability to deliver care and endanger life – all this aggravated with the pressures these systems are facing trying to cope with the global increase in COVID-19 cases,” the Check Point report said. “This is precisely why criminals are specifically and callously targeting the healthcare sector: because they believe hospitals are more likely to meet their ransom demands.”

The report added that the primary two ransomware variants used are Ryuk and Sodinokibi.

“The number of cyberattacks on the global healthcare sector are simply getting out of control. And so, the questions at large are why hospitals? Why now?” Check Point’s manager of Data Intelligence, Omer Dembinsky, said about the findings. “The short answer is that targeting hospitals equates to fast money for cybercriminals. These criminals view hospitals as most willing to meet demands and actually pay ransoms.”

The fact that the criminals are using Ryuk shows they’re getting more professionalized and targeted in their campaigns, he added.

“The usage of Ryuk emphasizes the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign, which allows the attackers to make sure they hit the most critical parts of the organization and have a higher chance of getting paid,” he noted.

Ryuk Ransomware & Health Care
In October, a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and Department of Health and Human Services warned on the Ryuk ransomware, and later updated it to include Conti, TrickBot and BazarLoader. The advisory also pointed to an open-source tool to track TrickBot command-and-control (C2) servers.

The report explained that TrickBot and BazarLoader work as first-stage trojans to deploy ransomware, the most popular of which is Ryuk. Once the Ryuk actors are inside, they will map and enumerate the network. Then they can wait until they’re ready to strike, the report explained.

“Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key,” the advisory explained. “The Ryuk dropper drops a .BAT file that attempts to delete all backup files and volume shadow copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.”

That’s when the organization is contacted with ransom demands, and for many healthcare organizations fighting to keep up with patients, vaccines and staff shortages, paying the ransom is the only way to keep life-saving work going.

The first glimpses of the rise of ransomware attacks along with COVID-19 cases came last spring when researchers spotted malware campaigns against Canadian government healthcare systems.

The cases have skyrocketed since, especially this fall. Check Point said that in October the weekly number of attacks against healthcare organizations averaged 430, and by November, it had reached 626.

Ransomware-as-a-Service
Ransomware-as-a-service has made it easy for criminals with little technical know-how to get in on the criminal enterprise, according to Limor Kessem, executive security advisor for IBM Security.

“You don’t just get cybercriminals doing cybercrime, there are really organized gangs that are added as well and they’re the ones that are causing the biggest trouble,” Kessem said during a recent Threatpost webinar devoted to ransomware. “Those are the ones who are asking hospitals to pay $42 million.”

These gangs are powered by purchased services that require little technical know-how.

“I think that we’ve also seen how much more ransomware-as-a-service is being offered and used.” Kessem added. “Really it’s just software-as-a-service there. We have these people who are non-technical or who are just really looking to make some money. And they’re able to use these tools to get in on this.”

In addition to healthcare organizations, criminals have targeted COVID-19 vaccine manufacturers, COVID-19 researchers and even the cold supply chain necessary to get vaccines into the community.

Turns out nothing is sacred when there’s money to be made.

Ransomware Mitigation
The good news is that there are things that healthcare systems and organizations can do to get ahead of the next ransomware attack. For one, Check Point urges security professionals to keep an eye out for TrickBot, Emotet, Dridex and Cobalt Strike infections on their networks.

“All of these can open the door for Ryuk,” Check Point’s report advised.

And remember, criminals don’t take weekends or holidays off, so Check Point reminded IT staffs to keep their guard up outside of normal business hours.

Besides that, tried-and-true employee awareness education, anti-ransomware tools and regular patching are basic, critical steps every organization should take.

“As the world’s attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes – so it is essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against COVID-related online crime,” according to Check Point.


Healthcare organizations faced a 45% increase in attacks since November
6.1.2021 
Attack  Securityaffairs

According to a new report published by Check Point, organizations in the healthcare industry have faced a 45% increase in attacks since November.
Check Point researchers reported a surge in the number of attacks against organizations in the healthcare industry, +45% since November.

This is more than double the overall increase observed by the experts in the other sectors on a global scale during the same period.
A Joint Cybersecurity Advisory issued by CISA, the FBI, and HHS at the end of October had already warned of an imminent cybercrime threat to US hospitals and healthcare providers.

The attacks involved a broad range of vectors, such as ransomware, botnets, phishing, and DDoS attacks. The researchers pointed out that ransomware represented the biggest threat to healthcare organizations.

According to Check Point, the average number of weekly attacks against organizations in the healthcare sector reached 626 per entity in November, compared with 430 in October. The main ransomware variant involved was Ryuk, followed by Sodinokibi.

The report states that healthcare organizations in some regions were more exposed to cyber threats.

“Central Europe tops the list of regions impacted by the spike in attacks against healthcare organizations, with a 145% increase in November, followed by East Asia, which suffered a 137% increase, and Latin America with a 112% increase.” continues the report. “Europe and North America saw 67% & 37% increases respectively.”

Healthcare organizations in Canada and Germany were most exposed to cyberattacks, with an uptick in the number of attacks of over 250% and 220%, respectively.

Most of the attacks are carried out by financially motivated attackers who attempt to maximize their returns as quickly as possible.

“Medical services and research organizations became targets for attacks seeking to steal valuable commercial and professional information, or to disrupt vital research operations.” concludes the report.

“As the world’s attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes — so it’s essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against covid-related online crime.”


How to bypass the Google Audio reCAPTCHA with a new version of unCaptcha2 attack
6.1.2021 
Attack  Securityaffairs

A German security researcher demonstrated how to break, once again, the Google Audio reCAPTCHA with Google’s own Speech to Text API.
Back in 2017, researchers from the University of Maryland demonstrated an attack method, dubbed unCaptcha, against Google’s audio-based reCAPTCHA v2.

The system receives the audio challenge, downloads it, and submits it to a speech-to-text service. unCaptcha parses the response and types the answer, then clicks submit and checks whether the response to the challenge was correct.

Google experts introduced a couple of features to improve reCAPTCHA: they enhanced the browser automation detection and used spoken phrases instead of spoken digits. The unCaptcha system uses a screen clicker to mimic human movement on a page.

In January 2019, unCaptcha was updated to bypass Google’s security service once again, and the attack technique was dubbed unCaptcha2. The researchers behind unCaptcha2 shared their findings with Google, which also agreed to the release of proof-of-concept (PoC) code.
Google once again implemented changes to make the attack technique ineffective, but once again a researcher modified the attack technique so that it worked.

The Germany-based researcher Nikolai Tschacher was able to introduce some changes to the unCaptcha2 attack to bypass the reCAPTCHA once again.

The expert pointed out that Google introduced reCAPTCHA v3 in 2018, but reCAPTCHA v2 is still used as a fall-back mechanism.
Tschacher published a video PoC of the attack that demonstrates how a bot can solve the Google audio reCAPTCHA using the speech-to-text API.
“The idea of the attack is very simple: You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API.” reads the post published by the researcher. “Google will return the correct answer in over 97% of all cases.”

The German researcher published the PoC code.


Citrix Releases Updates to Prevent DDoS Attacks Abusing Its Appliances
6.1.2021 
Attack  Securityweek

Citrix on Monday informed customers that it released firmware updates for its Application Delivery Controller (ADC) and Gateway products to prevent threat actors from abusing the appliances to launch and amplify distributed denial-of-service (DDoS) attacks.

Several people reported a few days before Christmas that they had started seeing DDoS attacks abusing their Citrix ADC and Gateway devices. Citrix confirmed that malicious actors had been targeting its products in an advisory published on December 24 and the company promised to release updates that would prevent attacks by January 12. However, it managed to release the updates one week sooner.

“As part of this attack, an attacker or bots can overwhelm the Citrix ADC DTLS network throughput, potentially leading to outbound bandwidth exhaustion. The effect of this attack appears to be more prominent on connections with limited bandwidth,” Citrix said in its advisory.

The company claimed “the scope of attack is limited to a small number of customers around the world, and further, there are no known Citrix vulnerabilities associated with this event.”

The Datagram Transport Layer Security (DTLS) feature targeted by the recent DDoS attacks is designed to secure communications between applications. Marius Sandbu, one of the first people to spot the Citrix DDoS attacks, has published a blog post explaining the role of DTLS and why such attacks are possible.

In order to prevent abuse of its products for DDoS attacks, Citrix on Monday introduced a “feature enhancement” for DTLS. Users can either enable this feature, or they can disable DTLS if it’s not needed.

Another mitigation recommended by several experts involves blocking UDP port 443 traffic on the firewall. This is the port targeted by the attacks.
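As an added illustration (not Citrix’s or SecurityWeek’s code), the Python below flags sources whose UDP/443 (DTLS) traffic draws back far more bytes than they send, the amplification pattern behind the outbound bandwidth exhaustion described above. The flow records and their field layout are constructed assumptions, not any exporter’s real format.

```python
"""Flag UDP/443 (DTLS) flows that look like reflection/amplification abuse.

Added example, not Citrix's code. The flow records below are constructed and
the field layout (src, dst, proto, dport, bytes_in, bytes_out) is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # remote peer (the spoofed victim in a reflection attack)
    dst: str        # the ADC/Gateway DTLS listener
    proto: str
    dport: int
    bytes_in: int   # bytes the appliance received from src
    bytes_out: int  # bytes the appliance sent back to src


# Constructed sample: genuine DTLS clients exchange roughly symmetric traffic;
# reflection abuse sends tiny requests and draws large responses.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.5", "udp", 443, 52_000, 61_000),
    Flow("203.0.113.11", "198.51.100.5", "udp", 443, 48_000, 55_000),
    Flow("192.0.2.77", "198.51.100.5", "udp", 443, 900, 47_000),
    Flow("192.0.2.77", "198.51.100.5", "udp", 443, 1_100, 52_000),
    Flow("192.0.2.78", "198.51.100.5", "udp", 443, 800, 40_000),
    Flow("203.0.113.12", "198.51.100.5", "tcp", 443, 5_000, 250_000),  # HTTPS, ignored
]


def dtls_amplification_sources(flows, ratio_threshold=10.0, min_out_bytes=20_000):
    """Return {src: (bytes_in, bytes_out, ratio)} for sources whose aggregate
    UDP/443 traffic is answered with far more bytes than they sent."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp" or f.dport != 443:
            continue
        totals[f.src][0] += f.bytes_in
        totals[f.src][1] += f.bytes_out
    suspects = {}
    for src, (bytes_in, bytes_out) in totals.items():
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        if bytes_out >= min_out_bytes and ratio >= ratio_threshold:
            suspects[src] = (bytes_in, bytes_out, round(ratio, 1))
    return suspects


def outbound_share(flows, suspects):
    """Fraction of all UDP/443 egress bytes attributable to flagged sources,
    i.e. how much upstream bandwidth the abuse is consuming."""
    udp443 = [f for f in flows if f.proto == "udp" and f.dport == 443]
    total_out = sum(f.bytes_out for f in udp443)
    flagged_out = sum(f.bytes_out for f in udp443 if f.src in suspects)
    return flagged_out / total_out if total_out else 0.0


if __name__ == "__main__":
    hits = dtls_amplification_sources(SAMPLE_FLOWS)
    for src, (bi, bo, r) in sorted(hits.items()):
        print(f"{src}: in={bi} out={bo} amplification={r}x")
    print(f"UDP/443 egress from flagged sources: {outbound_share(SAMPLE_FLOWS, hits):.0%}")
```

Flagged sources are the reflection victims rather than the attacker, so the useful response is rate-limiting or disabling DTLS on the appliance as Citrix advises, not blocking those addresses.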

It’s not uncommon for Citrix’s ADC and Gateway products to be targeted by hackers. A vulnerability disclosed in late 2019 has been exploited by both profit-driven cybercriminals and state-sponsored threat groups.


Healthcare Industry Witnessed 45% Spike in Cyber Attacks Since Nov 20
6.1.2021 
Attack  Thehackernews
Cyberattacks targeting healthcare organizations have spiked by 45% since November 2020 as COVID-19 cases continue to increase globally.

According to a new report published by Check Point Research today and shared with The Hacker News, this increase has made the sector the most targeted industry by cybercriminals when compared to an overall 22% increase in cyberattacks across all industry sectors worldwide seen during the same time period.

The average number of weekly attacks in the healthcare sector reached 626 per organization in November as opposed to 430 the previous month, with attack vectors ranging from ransomware, botnets, remote code execution, and distributed denial-of-service (DDoS) attacks.

Ransomware attacks against hospitals also marked their biggest jump, with Ryuk and Sodinokibi emerging as the primary ransomware variants employed by various criminal groups.

"The usage of Ryuk emphasizes the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign, which allows the attackers to make sure they hit the most critical parts of the organization and have a higher chance of getting paid," Omer Dembinsky, Check Point's manager of data intelligence, said.

Central Europe topped the list of regions impacted by the increase in attacks against healthcare organizations with a 145% uptick in November, followed by East Asia (up 137%) and Latin America (up 112% increase). Europe and North America saw increases of 67% and 37% respectively.

The development follows a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) last October, warning of an "increased and imminent cybercrime threat to U.S. hospitals and healthcare providers."

The alert cautioned of adversaries targeting the Healthcare and Public Health (HPH) sector with TrickBot and BazarLoader malware, resulting in ransomware infections, data theft, and the disruption of healthcare services.

Over the past two months, state-sponsored actors have ramped up their cyber assaults against government health ministries and companies involved in COVID-19 vaccine distribution, not to mention staging ransomware attacks on pharmaceutical firms such as Dr. Reddy's Laboratories that are engaged in vaccine trials.

Ransomware cases, in particular, have capitalized on the coronavirus pandemic, not least because it boosts the likelihood that hospitals will meet attackers' demands to quickly recover access to critical systems and provide care to patients. The University of California paid the hackers 116 bitcoin ($1.14 million) after a NetWalker attack on its systems back in June.

"Medical services and research organizations [have become] targets for attacks seeking to steal valuable commercial and professional information, or to disrupt vital research operations," the researchers concluded.

"As the world's attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes — so it's essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against Covid-related online crime."


Google Speech-to-Text API Can Help Attackers Easily Bypass Google reCAPTCHA
6.1.2021 
Attack  Thehackernews

A three-year-old attack technique to bypass Google's audio reCAPTCHA by using its own Speech-to-Text API has been found to still work with 97% accuracy.

Researcher Nikolai Tschacher disclosed his findings in a proof-of-concept (PoC) of the attack on January 2.

"The idea of the attack is very simple: You grab the MP3 file of the audio reCAPTCHA and you submit it to Google's own speech-to-text API," Tschacher said in a write-up. "Google will return the correct answer in over 97% of all cases."

Introduced in 2000, CAPTCHAs (or Completely Automated Public Turing tests to tell Computers and Humans Apart) are a type of challenge-response test designed to protect against automated account creation and service abuse by presenting users with a question that is easy for humans to solve but difficult for computers.

reCAPTCHA is a popular version of the CAPTCHA technology that was acquired by Google in 2009. The search giant released the third iteration of reCAPTCHA in October 2018. It completely eliminates the need to disrupt users with challenges in favor of a score (0 to 1) that's returned based on a visitor's behavior on the website — all without user interaction.

The whole attack hinges on a research dubbed "unCaptcha," published by University of Maryland researchers in April 2017 targeting the audio version of reCAPTCHA. Offered for accessibility reasons, it poses an audio challenge, allowing people with vision loss to play or download the audio sample and solve the question.

To carry out the attack, the audio payload is programmatically identified on the page using tools like Selenium, then downloaded and fed into an online audio transcription service such as Google Speech-to-Text API, the results of which are ultimately used to defeat the audio CAPTCHA.

Following the attack's disclosure, Google updated reCAPTCHA in June 2018 with improved bot detection and support for spoken phrases rather than digits, but that was not enough to thwart the attack: the researchers released "unCaptcha2" as a PoC with even better accuracy (91% compared to unCaptcha's 85%) by using a "screen clicker to move to certain pixels on the screen and move around the page like a human."

Tschacher's effort is an attempt to keep the PoC up to date and working, thus making it possible to circumvent the audio version of reCAPTCHA v2 by leveraging a bot to simulate the entire process and defeat the protections.

"Even worse: reCAPTCHA v2 is still used in the new reCAPTCHA v3 as a fallback mechanism," Tschacher noted.

With reCAPTCHA used by hundreds of thousands of sites to detect abusive traffic and bot account creation, the attack is a reminder that it's not always foolproof and of the significant consequences a bypass can pose.

In March 2018, Google addressed a separate flaw in reCAPTCHA that allowed a web application using the technology to craft a request to "/recaptcha/api/siteverify" in an insecure manner and get around the protection every time.


Hardcoded Credentials Expose Zyxel Firewalls and WLAN Controllers to Remote Attacks
5.1.2021 
Attack  Securityweek

Several Zyxel firewall and WLAN controller products contain hardcoded credentials for an undocumented user account that has admin privileges.

Identified by EYE security researcher Niels Teusink, the vulnerability exists because the password for the “zyfwp” user account was stored in plaintext and was visible in one of the binaries on the system.

The account was designed for the delivery of automatic firmware updates through FTP and is present on Zyxel USG, ATP, VPN, ZyWALL, and USG FLEX devices.

While doing research on his personal Zyxel firewall, the security researcher discovered not only that the problematic user account exists with hardcoded credentials, but also that the account works both on SSH and the web interface.

The account, which has admin privileges, is not visible on the interface, and the device owner cannot change the password for it. The vulnerability is tracked as CVE-2020-29583.

In earlier firmware versions, the account did not have a password, with the security bug seemingly introduced in the latest firmware iteration. However, other vulnerabilities were found to impact previous firmware releases.

The security researcher notes that over 100,000 Zyxel USG/ATP/VPN devices worldwide appear to have their web interface exposed to the Internet. However, not all devices are running a vulnerable firmware version.

Because the zyfwp user account has admin privileges, exploitation could lead to compromised “confidentiality, integrity and availability of the device,” the researcher says. An attacker could change firewall settings, intercept traffic, or create VPN accounts to gain access to the local network.

Zyxel says the vulnerability impacts its ATP, USG, USG FLEX, and VPN series firewalls that are running firmware ZLD V4.60, as well as NXC2500 and NXC5500 AP controllers that are running firmware V6.00 through V6.10.

The company released ZLD V4.60 Patch1 firmware updates to address the vulnerability for the affected firewall products, and plans on releasing V6.10 Patch1 on January 8 for the vulnerable controllers.
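As an added triage helper (not Zyxel’s or SecurityWeek’s code), the Python below parses firmware strings in the form the article quotes and checks each device in an inventory against the affected ranges stated above. The inventory rows and the product-family labels are constructed assumptions.

```python
"""Triage Zyxel firmware versions against the CVE-2020-29583 ranges above.

Added example, not Zyxel's code. Version strings are parsed in the form the
article quotes ("ZLD V4.60", "V6.10 Patch1"); inventory rows are constructed.
"""
import re
from typing import NamedTuple, Optional


class Version(NamedTuple):
    major: int
    minor: int
    patch: int  # 0 when there is no "PatchN" suffix


_VERSION_RE = re.compile(r"V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """'ZLD V4.60 Patch1' -> Version(4, 60, 1); None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return Version(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


# Ranges as reported: firewalls on ZLD V4.60 (fixed in V4.60 Patch1);
# NXC2500/NXC5500 controllers on V6.00 through V6.10 (fixed in V6.10 Patch1).
FIREWALL_FAMILIES = {"ATP", "USG", "USG FLEX", "VPN"}
CONTROLLER_FAMILIES = {"NXC2500", "NXC5500"}


def is_affected(family: str, firmware: str) -> Optional[bool]:
    """True if the firmware is in a listed vulnerable range, False if patched
    or outside the listed ranges, None if the family or version is unknown."""
    v = parse_version(firmware)
    if v is None:
        return None
    if family in FIREWALL_FAMILIES:
        return (v.major, v.minor) == (4, 60) and v.patch < 1
    if family in CONTROLLER_FAMILIES:
        in_range = (6, 0) <= (v.major, v.minor) <= (6, 10)
        fixed = (v.major, v.minor) == (6, 10) and v.patch >= 1
        return in_range and not fixed
    return None


# Constructed inventory rows: (hostname, product family, firmware string)
INVENTORY = [
    ("fw-edge-1", "USG FLEX", "ZLD V4.60"),
    ("fw-edge-2", "ATP", "ZLD V4.60 Patch1"),
    ("fw-branch", "USG", "ZLD V4.39"),
    ("wlc-hq", "NXC5500", "V6.10"),
    ("wlc-hq-2", "NXC2500", "V6.10 Patch1"),
    ("wlc-lab", "NXC2500", "V6.00"),
    ("nas-1", "NAS326", "V5.21"),
]


def triage(inventory):
    """Return hostnames still running a listed vulnerable firmware."""
    return [host for host, family, fw in inventory if is_affected(family, fw)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("needs update:", host)
```

A False result only means the version is outside the ranges listed for this bug; the article notes that earlier releases carry other flaws, so they still need updating.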

Users are advised to update their devices as soon as possible, to ensure they are protected from the hardcoded credentials bug and from previously identified security flaws in these products.


Old Attack Method Against Google's Audio-Based reCAPTCHA Resurrected
5.1.2021 
Attack  Securityweek

An attack method discovered in 2017 for defeating the audio version of Google’s reCAPTCHA system using speech-to-text services has once again been resurrected.

A team of researchers from the University of Maryland showed in 2017 that online speech-to-text services could be used to automatically solve reCAPTCHA v2 audio challenges with a high degree of accuracy. The researchers named the attack unCaptcha.

After the method was disclosed, Google made some changes to its reCAPTCHA system and unCaptcha no longer worked. However, in January 2019, researchers announced that they had managed to revive the attack — they dubbed it unCaptcha2 — and they released proof-of-concept (PoC) code with Google’s permission.

At the time, the researchers noted that they would not be updating their code and that it would likely stop working at some point.

As expected, the PoC did stop working, but Germany-based researcher Nikolai Tschacher has managed to tweak the PoC for unCaptcha2 to make it work against the latest version of reCAPTCHA v2. Tschacher has published a video showing how a bot can solve the audio reCAPTCHA using Google’s own speech-to-text API with an accuracy of 97%.

Google introduced reCAPTCHA v3 in 2018, which improves user experience by running adaptive risk analysis in the background rather than displaying challenges, but Tschacher pointed out that “reCAPTCHA v2 is still used in the new reCAPTCHA v3 as a fall-back mechanism.”

The researcher has published PoC code, along with an explanation of the changes he made in unCaptcha3 compared to unCaptcha2.

It’s worth noting that others have created free web browser extensions that help users automatically solve reCAPTCHA challenges with the press of a button using the unCaptcha method.

SecurityWeek has reached out to Google for comment and will update this article if the company responds.


Inbox Attacks: The Miserable Year (2020) That Was
2.1.2021 
Attack  Threatpost

Reflecting on 2020’s record-breaking year of spam and inbox threats.

Purging your inbox has become a year-end tradition for many. A short hiatus for the holidays often provides a quiet moment to flush the previous year’s mountain of spam. And, from the looks of our 2020 inbox, years of herculean efforts to harden email defenses have fallen short. The most-targeted business attack vector continues to be our inboxes.

So, as we take a collective deep breath before plunging into 2021, here is a look at past, present and future inbox threats and trends.

In 2020, our spam folders bulged with malware-laced emails, phishing lures linking to ransomware schemes, impersonation attacks, spoofed brand and fake domain missives, and dubious requests from legit-sounding companies. So, what defined 2020 in spam?

A Banner Year for Spam
COVID-19 was a dominant theme for spammers and phishers – a trend predicted to continue into 2021. As companies sent millions of cubicle workers to their home offices, they were left to fend for themselves when it came to being judge, jury and deleter of email. That alone was worry enough for some infosec professionals.

“Many global corporations have been forced to adopt remote-working policies for office-based employees to help ensure the safety of the workforce during the COVID-19 pandemic, and threat actors have followed them home,” wrote Mimecast in its yearly roundup on email trends.

The work-from-home reality created a wave of new criminal opportunities. Crooks changed their attacks quickly to reflect job insecurity, health concerns and product shortages. Cyberattackers reached a peak in April, sending 1.5 million malicious emails per day related to COVID-19, according to Forcepoint X-Labs.

In the first months of the pandemic, the retail sector was heavily targeted with spoofing of major retail brand domains that preyed on insecurities around product shortages, Mimecast reported.

Next up, the popularity of collaborative business tools, such as Zoom, Skype and Trello, spurred on by the work-from-home trend, triggered a flood of inbox attacks. A typical ploy circulated earlier this month when attackers sent malicious Zoom-themed invitations via email, text and social-media messages. The goal was to steal credentials for the videoconferencing platform.

The other big trend in phishing lures? You guessed it – the 2020 United States presidential election. The hype gave crooks ample bipartisan opportunities to use inboxes to spread both misinformation and malware.

Beyond the Grift
Beyond inbox impersonation fraud, business email compromise (BEC) and email phishing attacks, criminals leveraged clever technical traps to ensnare victims.

A phishing campaign in September used overlay screens and email-quarantine policies to steal targets’ Microsoft Outlook credentials. In April, Apple patched two zero-day security vulnerabilities that threat actors had actively exploited for the previous two years. The bugs were remotely exploitable: attackers simply needed to send an email to the victim’s default iOS Mail application on their iPhone or iPad to launch the attack.

Malicious attachments, once again, were dominant inbox attack vectors.

This year researchers at Kaspersky reported an uptick of malicious files disguised as notifications from delivery services. “We uncovered a mailing targeting employees connected to sales in some capacity. The scammers persuaded recipients to open the attached documents supposedly to pay customs duties for the import of goods. Instead of documents, the attachment contained [malware] Backdoor.MSIL.Crysan.gen,” they wrote.

The 2020 Verizon Data Breach Investigations Report (DBIR) found that malicious email attachments were the leading cause of data breaches and ransomware attacks. But email links beat out attachments as the most-used vector for infection, with 40 percent of attacks using this method.

2021 Inbox Mitigation
As threat groups hone their attacks — researching and testing out new tactics, techniques and procedures — the tools to protect our inboxes have seen near-Manhattan Project levels of investment over the years. Still, attacks such as BEC contributed to massive losses for companies in 2020. In the past five years BEC attacks have cost business $26 billion, according to the FBI.

That’s driven the popularity of solutions such as Domain-based Message Authentication, Reporting and Conformance (DMARC) – an authentication protocol sometimes called a zero-trust email model. DMARC is designed to give email domain owners the ability to protect their domain from unauthorized use. Of course DMARC is not new, but as impersonation attacks continue to rack up victims, it’s a technology getting a lot of second looks.

Microsoft, which dominates the email provider space with its Microsoft 365 office productivity suite, also made attempts to help with the inbox deluge. This year, it rolled out a beta version of its Application Guard for Office, which isolates Office 365 productivity application files (including Word, PowerPoint and Excel) that are potentially malicious.

But still, Mimecast researchers believe Microsoft is leaving room for improvement. In a study of Microsoft customers, the firm found nearly 60 percent of respondents said they suffered a Microsoft 365 service outage over the past year. That creaked open the door to attacks, researchers argue.

“At present there is no in-built or inherent business continuity within Microsoft 365 services should there be an interruption to Microsoft cloud services via common attack methodologies, such as a denial-of-service attack, a datacenter hardware failure, or other form of interruption in relation to their cloud services,” Mimecast researchers wrote.

“If there’s even a short outage, users are more likely to bypass corporate security with personal email accounts to conduct business,” they added.

That creates a thinner human-based line of defense — something that makes a system administrator’s hair stand on end.

Humans: The Weakest Link
The TL;DR on spam threats past, future and present can be summed up in this dichotomy.

As employees, we are both fiercely guarded, skeptical – if not paranoid – users of email. But we are infinitely human and vulnerable to the foibles of emotion and impulsive behavior. Add to that our sometimes misguided trust and understanding of security tools — for example, VPNs protect connections, but can’t filter a spear-phishing attack — and inboxes become the soft underbelly of our cybersecurity armor.

Tech-based inbox security solutions and state and federal anti-spam laws can only solve part of the problem. A recent Iomart study of U.K. businesses found that only eight percent of firms offer regular security training to remote workers.

“Many businesses would not survive the operational — let alone financial — impact of a data breach. By understanding the potential risk and introducing positive behavior around cyber-awareness, they have a much better chance of surviving an incident,” wrote Bill Strain, security director at Iomart.

While some pin hopes on 2021 to herald new inbox-protection technologies such as advanced artificial intelligence to weed out threats, the reality is that the bad guys are using the same core defensive tech to build offensive weapons. If 2021 is anything like 2020, we are all going to have to keep on our toes.