Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for An employee, fired ...

 Business

When it comes to internal cyberthreats, fired employees tend to fall into the same category as embedded insiders. More often than not, however, employers view that scenario as hypothetical and fail to pay sufficient attention to it. Who would ruin their own reputation and complicate the lives of former colleagues?   show more ...

Well, practice shows that such people absolutely do exist, and this recent Stradis Healthcare incident provides a glaring example. A study in revenge A few weeks after being fired from the medical equipment supply company, a healthcare exec used a secret account to delay the shipping process. As a result, Stradis was unable to deliver supplies on time, including personal protective equipment (PPE) for doctors. The company was forced to shut down all business processes temporarily, and interruptions persisted even months later. In the end, the company resorted to contacting law-enforcement agencies. Given current circumstances, mainly around the COVID-19 pandemic, the problem was less about losses caused by downtime and missed delivery times, more that medical staff needed PPE like never before. In other words, the culprit not only disrupted the lives of former colleagues, but also put doctors and patients at risk. How to foil vengeful ex-employees The Stradis incident shows that workplace revenge, far from being a hypothetical threat, is very real. It must be factored in from the start — when planning a company’s security system. Abandon the practice of “secret accounts” from the outset. Regardless of a person’s position, convenience, or business process specifics, IT security service must be aware of all employee access channels to corporate systems or services. Revoke access to all accounts of outgoing colleagues immediately, and also change the passwords to any shared resources they had access to (social networks, office Wi-Fi, etc.). Back up all business-critical information regularly. After all, the simplest action that a vindictive insider can take is to delete something important. Install security solutions on all work computers. Having appropriate security in place makes infecting the corporate network with malware a lot harder. For configuring backup and protecting servers and workstations from cyberthreats, look no further than Kaspersky Small Office Security.

image for Microsoft Patch Tues ...

 Time to Patch

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could   show more ...

be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users. Most concerning of this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite — Windows Defender — that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it’s not entirely clear how this is being exploited. But Kevin Breen, director of research at Immersive Labs, says depending on the vector the flaw could be trivial to exploit. “It could be as simple as sending a file,” he said. “The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.” Fortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle. Breen called attention to another critical vulnerability this month — CVE-2020-1660 — which is a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous). “They classify this vulnerability as ‘low’ in complexity, meaning an attack could be easy to reproduce,” Breen said. “However, they also note that it’s ‘less likely’ to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us.” CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities. Allan Liska, senior security architect at Recorded Future, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC — CVE-2019-1409 and CVE-2018-8514 — were not widely exploited. The remaining 70 or so flaws patched this month earned Microsoft’s less-dire “important” ratings, which is not to say they’re much less of a security concern. Case in point: CVE-2021-1709, which is an “elevation of privilege” flaw in Windows 8 through 10 and Windows Server 2008 through 2019. “Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching.” Trend Micro’s ZDI Initiative pointed out another flaw marked “important” — CVE-2021-1648, an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today. “It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch,” ZDI’s Dustin Childs said. “The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.” Separately, Adobe released security updates to tackle at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft’s update cycle from last month removed the program from Microsoft’s browsers. Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see this guide. Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I’ve used previously and are worth a look. That said, there don’t appear to be any major issues cropping up yet with this month’s update batch. But before you apply updates consider paying a visit to AskWoody.com, which usually has the skinny on any reports about problematic patches. As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

 Malware and Vulnerabilities

A few days ago, FortiGuard Labs detected a phishing campaign in the wild that was spreading a fresh variant of the Ursnif Trojan via an attached MS Word document that is continuously targeting Italy.

 Malware and Vulnerabilities

A recent FBI advisory urges all private sector organizations to be on the alert for potential malicious activities from the threat actors behind Egregor ransomware.

 Malware and Vulnerabilities

The worst part about ransomware is that it encrypts data and removes the original encrypted copies, thereby eliminating any way to recover files that are not backed up without paying the ransom.

 Malware and Vulnerabilities

SAP has published 10 advisories to document flaws and fixes for a range of serious security vulnerabilities. SAP also published a total of 7 other updates for previously released security notes.

 Feed

Ubuntu Security Notice 4690-1 - It was discovered that coTURN allowed peers to connect and relay packets to loopback addresses in the range of 127.x.x.x. A malicious user could use this vulnerability to insert packages into the loopback interface.

 Feed

Red Hat Security Advisory 2021-0095-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 3.1.111 and .NET Core Runtime 3.1.11.

 Feed

Red Hat Security Advisory 2021-0094-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.102 and .NET Runtime 5.0.2.

 Feed

Gentoo Linux Security Advisory 202101-9 - Multiple vulnerabilities have been found in VirtualBox, the worst of which could allow an attacker to take control of VirtualBox. Versions prior to 6.1.12 are affected.

 Feed

Red Hat Security Advisory 2021-0096-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.102 and .NET Runtime 5.0.2.

 Feed

Red Hat Security Advisory 2021-0087-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.6.1. Issues addressed include a use-after-free vulnerability.

 Feed

Red Hat Security Advisory 2021-0088-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.6.1. Issues addressed include a use-after-free vulnerability.

 Feed

Red Hat Security Advisory 2021-0089-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 78.6.1. Issues addressed include a use-after-free vulnerability.

 Feed

Red Hat Security Advisory 2021-0084-01 - This release of Red Hat build of Quarkus 1.7.6 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

 Feed

Europol on Tuesday said it shut down DarkMarket, the world's largest online marketplace for illicit goods, as part of an international operation involving Germany, Australia, Denmark, Moldova, Ukraine, the U.K.'s National Crime Agency (NCA), and the U.S. Federal Bureau of Investigation (FBI). At the time of closure, DarkMarket is believed to have had 500,000 users and more than 2,400 vendors,

 Feed

Mimecast said on Tuesday that "a sophisticated threat actor" had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 (M365) Exchange. The discovery was made after the breach was notified by Microsoft, the London-based company said in an alert posted on its website, adding it's reached out to the impacted organizations to remediate

 Feed

For the first patch Tuesday of 2021, Microsoft released security updates addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability. The latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core

 Feed

Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker's newly announced 11th generation Core vPro business-class processors. The hardware-based security enhancements are baked into Intel's vPro platform via its Hardware Shield and Threat Detection Technology (TDT), enabling profiling and detection of ransomware and other threats that have an impact on the CPU

 Feed

Ensuring the cybersecurity of your internal environment when you have a small security team is challenging. If you want to maintain the highest security level with a small team, your strategy has to be 'do more with less,' and with the right technology, you can leverage your team and protect your internal environment from breaches. The "buyer's guide for securing the internal environment with a

 Industry Intel

“It’s definitely dead,” says Tyler Moffitt, security analyst at Carbonite + Webroot, OpenText companies. “At least,” he amends, “for now.” Maze ransomware, which made our top 10 list for Nastiest Malware of 2020 (not to mention numerous headlines throughout the last year), was officially shut down in   show more ...

November of 2020. The ransomware group behind it issued a kind of press release, announcing the shutdown and that they had no partners or successors who would be taking up the mantle. But before that, Maze had been prolific and successful. In fact, shortly before the shutdown, Maze accounted for an estimated 12% of all successful ransomware attacks. So why did they shut down? I sat down with Tyler to get his take on the scenario and find out whether Maze is well and truly gone. Why do you think Maze was so successful? Maze had a great business model. They were the group that popularized the breach leak/auction website. So, they didn’t just steal and encrypt your files like other ransomware; they threatened to expose the data for all to see or even sell it at auction. Why was this shift so revolutionary? The Maze group tended to target pretty huge organizations with 10,000 employees or more. Businesses that big are likely to have decent backups, so just taking the data and holding it for ransom isn’t much of an incentive.Now think about this: those huge businesses also would’ve been subject to pricey fines for data breaches because of regulations like GDPR; and they’re also more likely to have big budgets to pay a ransom. So, instead of simply saying, “we have your data, pay up,” they said, “we have your data and if you don’t pay, we’ll expose it to the world – which includes the regulators and your customers.” Most of the time, paying the ransom is going to be the more cost effective (and less embarrassing) option. We don’t know if the Maze group invented this tactic, but they definitely set the trend, and a bunch of other ransomware groups started following it. Other than the leak sites, did they do anything else noteworthy or different from other groups? One of the bigger threat trends we saw in 2020 was malware groups partnering up for different pieces of the infection chain, such as Trojans, backdoors, droppers, etc. The botnet Emotet, for example, was responsible for a huge percentage of ransomware infections from various different groups. Maze, however, was pretty self-contained. We saw them working with a few other groups throughout 2020, but they had their own malspam campaign for delivery and everything else they needed in-house, so to speak. They were like a one-stop shop. Do you think the move to remote work during the pandemic contributed to their success? Absolutely, though you could say that about any ransomware group. Phishing and RDP attacks really ramped up when people started working from home. Home networks and personal devices are generally much less secure than corporate ones, and cybercriminals are always looking for ways to exploit a given situation for their gain. If Maze was doing so well, why did they shut down? Probably because they’d gotten too much attention. The more notoriety you get, the harder it is to operate. We see this with a lot of malware groups. They shut down for a while, either to lie low because the heat is on, or to just spend the money they’ve gotten from their payouts and enjoy life. Or, sometimes, they don’t lie low at all but just rebrand themselves under a new name. Either way, they tend to come back. For example, a ransomware variant called Ryuk went dark and came back as Conti. Emotet went away for a long time too and then came back under the same group name. How can you tell when an old group has rebranded? Unless they announce it in some way, the only way to really tell is if you can get a sample of the malware and reverse engineer it and look at the code. One of our threat researchers did that with a sample of Sodinokibi and discovered it had “GandCrab version 6” in its code. So, that’s an example of a rebrand, but it can be hard to spot. Do you think Maze is done for good? Not a chance. They attacked huge targets and got massive payouts. Most ransomware groups attack smaller businesses who are less likely to have strong enough security measures. Even the ones that targeted larger corporations, like Ryuk, still attacked businesses one-fifth the size of a typical Maze target. Now, the Maze group can relax and take a lavish vacation with all the money they got. But I’d be pretty shocked if they just abandoned such a winning business model entirely. The verdict: Maze may be gone for now, but experts are fairly certain we haven’t seen the last of this virulent and highly successful malware group. In the meantime, Tyler advises businesses everywhere to use the lull as an opportunity to batten down their cyber resilience strategies by implementing layered security measures, locking down RDP, and educating employees on cybersecurity and risk avoidance. Stay tuned for more ransomware developments right here on the Webroot blog. The post Maze Ransomware is Dead. Or is it? appeared first on Webroot Blog.

 Industry Intel

Top gaming companies positioned to be next major cyberattack target After healthcare and higher education emerged as lucrative targets for cyberattacks in 2020, researchers have identified the video gaming industry as another key target. By scouring the dark web for stolen data belonging to any of the top 25 largest   show more ...

gaming firms, over a million unique and newly uploaded accounts were discovered. Additionally, researchers found credentials for over 500,000 gaming company employees exposed in previous data breaches but used for multiple accounts. Hardcoded backdoors discovered in Zyxel devices Researchers recently stumbled upon an undocumented admin account on multiple Zyxel devices using basic login credentials and granting full access to devices commonly used to monitor internet traffic. This vulnerability was first spotted when several warnings for unauthorized login attempts were identified using admin/admin as the username and password, presumably in hopes of accessing other unprotected devices on the network. This undocumented account can only be viewed through an SSH connection or a web interface and could be an issue for over 100,000 Zyxel devices currently connected to the internet. Vodafone operation reveals major data breach Vodafone’s budget operators ho. Mobile has revealed their systems were compromised late last month and a database containing sensitive information belonging to nearly 2.5 million customers was leaked. Along with personally identifiable information is data related to customer SIM-cards, which can be used to enable SIM-swap attacks that allow attackers to control specific users’ messaging services. The stolen database has been for sale on a dark web for a starting price of $50,000 since shortly after the attack was discovered. ElectroRAT quietly steals cryptocurrency across multiple operating systems After operating for nearly a year the silent cryptocurrency stealer ElectroRAT has finally been identified using multiple different Trojanized apps to operate on Windows, Mac and Linux systems. To make these malicious apps appear more credible, authors placed advertisments on social media and cryptocurrency-related websites that have led to thousands of installations. By spreading the attack across multiple different operating systems, the attackers increased their chances of accessing information of value. Vancouver’s TransLink Suffers Ransomware Attack Nearly a month after officials identified technical issues with IT systems at Metro Vancouver’s TransLink transportation authority, the interruption was discovered to be the work of the Egregor Ransomware group. While the attack didn’t compromise customer data, it is believed that employee banking and personal information was stolen. TransLink employees are working to restore systems to proper functionality, though some seem to have been more damaged than others. The post Cyber News Rundown: Gaming Industry in Crosshairs of Cybercriminals appeared first on Webroot Blog.

2021-01
Aggregator history
Wednesday, January 13
FRI
SAT
SUN
MON
TUE
WED
THU
JanuaryFebruaryMarch