WhatsApp is working on a major security update for iOS users, as it plans to let them password-protect their backups before they are actually uploaded to iCloud. At this point, WhatsApp gives users the option to back up their chat history to iCloud, but once the data is uploaded to Apple’s cloud server, no encryption is being used. In other words, if required by law enforcement, Apple has no option but to provide investigators with access to users’ backups, which can include anything from messages to photos and videos. But according to WABetaInfo, the Facebook-owned company is currently working on addressing this by allowing iPhone users to set up a password before they back up the data in iCloud.

No way to reset the password

In other words, WhatsApp will soon provide users with a new encryption method that would make it impossible for law enforcement...
Sometimes, reading an article about what to do in case of a ransomware attack, I come across words like: ‘Think about paying up’. It’s then when I sigh, exhale with puffed-out cheeks… and close the browser tab. Why? Because you should never pay extortionists! And not only because if you did you’d be supporting criminal activity. There are other reasons. Let me go over them here:

First, you’re sponsoring malware

Cybervillains, malicious actors, extortionists, cybercriminal groups… – they’re all bad guys, and if you pay them a ransom, you’re giving them the income they need to keep doing what they do: negatively affecting the lives of innocent people. A vicious circle sets in: they encrypt you, you pay them, they encrypt others… Basically, there are two ways to wean extortionists off their nasty habit: they can be rounded up (which we periodically assist with), or their activity can be made unprofitable, forcing them to find respectable employment. They don’t seem to realize that programmers earn quite a decent wage. So how can their activity be made unprofitable? If victims stop paying, that’s how. ‘That’s all very well,’ I hear you say, ‘we too want world peace and fairness and justice for all, but my data just got encrypted and my company could go bust without it.’ Even so, don’t pay up! Bear with me…

Second, you might not get your data back

Agreements with cybercriminals are never written in stone – there’s no contract that’s signed. Even if there were, since when have criminals ever respected legal niceties? Thus, paying up does not necessarily mean your files will in fact be decrypted. Recall ExPetr/NotPetya: since the unique user ID was generated completely randomly, it was simply impossible to decrypt the files. Even the attackers themselves couldn’t do it! So all the money in the world wouldn’t have helped at all. And ExPetr/NotPetya is hardly an isolated case. It’s not uncommon for cybercriminals to make coding errors. And while sometimes such errors allow us to create a decryptor, other times, on the contrary, they prevent even the coders themselves from developing one. There was a recent case when a cybersecurity expert publicly asked a cybercriminal group to fix a bug in its ransomware Trojan to stop affected files from being corrupted irrevocably. It’s hard to know whether to laugh or cry! So, to sum up: if you decide to pay up, just remember there’s no guarantee you’ll get your files back – ever.

Third, they can extort more from you

It’s happened before: cybervillains attacked an organization that paid a whopping $6.5 million to get its data back. Two weeks later the same cybervillains encrypted the same data again with the same methods, and were rewarded with yet another hefty ransom! The real problem in that example was that two weeks wasn’t long enough for the organization to patch the hole that the intruders had crawled through the first time. Crooks who strike lucky once may try again, simply because they can: they’ll probably still have your data (they may have deleted it, but probably not). The only way out is to not pay up at all – not even once. If you do, you might get a second, third, then fourth demand, because the baddies will come to see you as an easy, steady source of income.

So what should be done?

Let’s say you’ve decided – correctly – not to pay the racketeers. Now what? Your files are encrypted/stolen, and the cybercrooks are threatening to publish everything. What a mess. Here’s what to do:

Stay calm and look for a decryptor. One either already exists here or here, or, if not, may appear later. We release and update them regularly as part of our process of studying malware and catching intruders.

Talk to the vendor you bought your protection system from. First, find out how it happened that you got encrypted. Second, ask the vendor for help with the decryption: it might be that the vendor knows what to do, and they will probably want to help you – a valued customer. They’ve got your security at the forefront of their minds, and they’ve also got their reputation to think about: fairly priceless for a security company.

That said, it’s always better, of course, to strengthen your defenses so as to be able to prevent infections in the first place. But never pay up! If everyone stops paying, the cyberextortionists will gradually end their racket, and the world will be able to breathe a little easier.
Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.

When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange?

Pressed for a date when it first became aware of the problem, Microsoft told KrebsOnSecurity it was initially notified “in early January.” So far the earliest known report came on Jan. 5, from a principal security researcher for security testing firm DEVCORE who goes by the handle “Orange Tsai.” DEVCORE is credited with reporting two of the four Exchange flaws that Microsoft patched on Mar. 2.

Reston, Va.-based Volexity first identified attacks on the flaws on Jan. 6, and officially informed Microsoft about it on Feb. 2. Volexity now says it can see attack traffic going back to Jan. 3. Microsoft credits Volexity with reporting the same two Exchange flaws as DEVCORE.

Danish security firm Dubex says it first saw clients hit on Jan. 18, and reported its incident response findings to Microsoft on Jan. 27. In a blog post on its discovery, Please Leave an Exploit After the Beep, Dubex said the victims it investigated in January had a “web shell” backdoor installed via the “unified messaging” module, a component of Exchange that allows an organization to store voicemail and faxes along with emails, calendars, and contacts in users’ mailboxes.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App,” Dubex wrote. “Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.”

Dubex says Microsoft “escalated” its issue on Feb. 8, but never confirmed the zero-day with Dubex prior to the emergency patch plea on Mar. 2. “We never got a ‘real’ confirmation of the zero-day before the patch was released,” said Dubex’s Chief Technology Officer Jacob Herbst.

How long have the vulnerabilities exploited here been around?

On Mar. 2, Microsoft patched four flaws in Exchange Server 2013 through 2019. Exchange Server 2010 is no longer supported, but the software giant made a “defense in depth” exception and gave Server 2010 users a freebie patch, too. That means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years.

The timeline also means Microsoft had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately. Here’s a rough timeline as we know it so far:

Jan. 5: DEVCORE alerts Microsoft of its findings.
Jan. 6: Volexity spots attacks that use unknown vulnerabilities in Exchange.
Jan. 8: DEVCORE reports Microsoft had reproduced the problems and verified its findings.
Jan. 11: DEVCORE snags proxylogon.com, a domain now used to explain its vulnerability discovery process.
Jan. 27: Dubex alerts Microsoft about attacks on a new Exchange flaw.
Jan. 29: Trend Micro publishes a blog post about “Chopper” web shells being dropped via Exchange flaws (but attributes the cause to an Exchange bug Microsoft patched in 2020).
Feb. 2: Volexity warns Microsoft about active attacks on previously unknown Exchange vulnerabilities.
Feb. 8: Microsoft tells Dubex it has “escalated” its report internally.
Feb. 18: Microsoft confirms with DEVCORE a target date of Mar. 9 (tomorrow) for publishing security updates for the Exchange flaws. That is the second Tuesday of the month — a.k.a. “Patch Tuesday,” when Microsoft releases monthly security updates (and yes, that means check back here tomorrow for the always riveting Patch Tuesday roundup).
Feb. 26-27: Targeted exploitation gradually turns into a global mass-scan; attackers start rapidly backdooring vulnerable servers.
Mar. 2: A week earlier than previously planned, Microsoft releases updates to plug 4 zero-day flaws.
Mar. 2: DEVCORE researcher Orange Tsai (noted for finding and reporting some fairly scary bugs in the past) jokes that nobody guessed Exchange as the source of his Jan. 5 tweet about “probably the most serious [remotely exploitable bug] I have ever reported.”
Mar. 3: Tens of thousands of Exchange servers compromised worldwide, with thousands more servers getting freshly hacked each hour.
Mar. 4: White House National Security Advisor Jake Sullivan tweets about the importance of patching Exchange flaws, and how to detect if systems are already compromised.
Mar. 5, 1:26 p.m. ET: In a live briefing, White House press secretary Jen Psaki expresses concern over the size of the attack.
Mar. 5, 4:07 p.m. ET: KrebsOnSecurity breaks the news that at least 30,000 organizations in the U.S. — and hundreds of thousands worldwide — now have backdoors installed.
Mar. 5, 6:56 p.m. ET: Wired.com confirms the reported number of victims.
Mar. 5, 8:04 p.m. ET: Former CISA head Chris Krebs tweets that the real victim numbers “dwarf” what’s been reported publicly.
Mar. 6: CISA says it is aware of “widespread domestic and international exploitation of Microsoft Exchange Server flaws.”
Mar. 7-Present: Security experts continue efforts to notify victims, coordinate remediation, and remain vigilant for “Stage 2” of this attack (further exploitation of already-compromised servers).

Update, 12:11 p.m. ET: Corrected link to Dubex site (it’s Dubex.dk). Also clarified timing of the White House press statement expressing concern over the number of Exchange Server compromises. Corrected date of Orange Tsai tweet.
A sophisticated attack on Microsoft Corp.’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems.
The campaign begins with phishing emails that appear to come from a unified communications system used to streamline corporate communication. The email carries a malicious attachment.
Every vulnerability addressed by this update has either a 'High' or 'Critical' severity rating, making this update a must for Android users who want their devices to remain protected.
This was tested on Intel Coffee Lake and Skylake client-class CPUs, and should work on server CPUs such as Xeon Broadwell. It's unknown whether more recent Intel server chips are susceptible.
According to a press release issued on March 5, the department said it had received reports of bad actors creating fake websites that copied the websites of SWAs.
Czech officials in Prague have been hit by a large-scale cyberattack, according to the city's mayor. The email system was taken offline immediately as a security measure.
COVID-19 left many organizations, distracted by mitigating the fallout from the pandemic, vulnerable to cyber threats. Ransomware turned out to be the threat that capitalized on the crisis most.
The REvil ransomware operation announced this week that it is using DDoS attacks and voice calls to journalists and victims' business partners to pressure victims into paying ransoms.
APT29 state-sponsored hackers also exploited Lithuania’s information technology infrastructure to carry out attacks against “foreign entities developing a COVID-19 vaccine.”
This week, security researcher MalwareHunterTeam found an in-development decryptor for the Hog Ransomware that requires victims to join their Discord server to decrypt their files.
Caller identification company Truecaller's 'Guardians' application, launched last week, lets users share their live location with selected guardians from their phone book. It had a major vulnerability.
After SITA issued a statement confirming it had been the subject of a cyberattack, more airlines confirmed they have been directly affected. It appears the SITA breach affected all carrier members of the Star Alliance and Oneworld alliances.
The malware strain, identified as SUNSHUTTLE by boffins at security shop FireEye, is a backdoor written in Go that uses HTTPS to communicate with a command-and-control server for data exfiltration, adding new code as needed.
Although the legacy software is now discontinued and supplanted by other products such as Kiteworks, a zero-day vulnerability in it was found in December and has since been exploited by attackers in the wild.
This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. Furthermore, writing an SSH public key to /home/vsphere-ui/.ssh/authorized_keys works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.
Red Hat Security Advisory 2021-0744-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2021-0740-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2021-0738-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2021-0741-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2021-0739-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2021-0743-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.
Microsoft on Friday warned of active attacks exploiting unpatched Exchange Servers carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses and government entities in the U.S., Asia, and Europe. The company said "it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious
Hackers with suspected ties to Iran are actively targeting academia, government agencies, and tourism entities in the Middle East and neighboring regions as part of an espionage campaign aimed at data theft. Dubbed "Earth Vetala" by Trend Micro, the latest finding expands on previous research published by Anomali last month, which found evidence of malicious activity aimed at UAE and Kuwait
New research has yielded yet another means to pilfer sensitive data by exploiting what is the first "on-chip, cross-core" side-channel in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium this August. While information leakage attacks
SITA, which provides IT services to about 90% of the global aviation industry, has revealed that it suffered a cyber attack which exposed details of passengers from many airlines.