Late last year, information surfaced online about attacks on companies using the outdated Accellion File Transfer Appliance (FTA). Some cybercriminals used Accellion FTA vulnerabilities to snatch confidential data, using the threat of publication to extort ransom from the victims. We are not pleased to report that they were true to their word.

What's the vulnerability?

The Accellion FTA is a network appliance companies deploy for quick and easy delivery of large files. Twenty years old, the solution is due to be retired this year, and the developers have long called for a migration to more modern products. In December 2020, two vulnerabilities (CVE-2021-27101 and CVE-2021-27102) were discovered in the solution; they enabled attackers to gain access to files uploaded to FTA devices. The vulnerabilities were closed, but January 2021 saw two more (CVE-2021-27103 and CVE-2021-27104) uncovered and patched. Nonetheless, intruders managed to steal the data of several Accellion FTA users. Several high-profile press reports about the leaks followed. Apparently, not all of the victims agreed to pay the ransom, so the attackers carried out their threat to share the data they had stolen.

How cybercriminals publish data

Recently, we registered mass e-mails aimed at compromising victims' reputations in the eyes of employees, clients, partners, and competitors. The extent of the mailings and the sources of the addresses are not known for sure, but the cybercriminals seem to have been trying to reach as many viewers as they could.

The attackers' e-mail to employees, clients, partners, and competitors.

The messages urged recipients to use the Tor Browser to visit a .onion site, and claimed the website got tens of thousands of hits per day. Among the purported visitors: all kinds of hackers and journalists able to cause even greater damage to a company's infrastructure and reputation. Interestingly, the site belongs to the CL0P group, which specializes in ransomware, although in the attacks through the Accellion FTA vulnerabilities the files were not encrypted. The hackers, it seems, simply took advantage of a convenient platform. The aim, of course, is to intimidate other victims.
Incidentally, both the e-mail and the website contain details for contacting the attackers to get the published files removed, although there is little point once the information is out there. It is also worth noting that the site features an ad offering lessons for administrators on closing the vulnerabilities through which data was stolen, for $250,000 in bitcoin.

Offer to help potential victims avoid the same fate.

We rather doubt anyone will bite. For starters, the developers have already released updated versions of Accellion FTA, and in any case asking the attackers for help is tantamount to admitting that you cannot close the vulnerability and it is still exploitable.

How to protect your company against such attacks

First, update Accellion FTA, or better, stop using the solution altogether (even the developers advise that). Second, update all software products and services that are exposed to the Internet. It is important to do that right away, but also to ensure ongoing, timely updates. In addition, protect every device, be it a workstation, server, or hardware/software appliance, with a modern security product that can detect attempts to exploit vulnerabilities, including unknown ones. For anyone who has fallen victim to extortionists, we do not recommend paying. Eugene Kaspersky's recent post offers an in-depth explanation.
On the off chance you were looking for more security to-dos from Microsoft today, the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft's "critical" rating, meaning they can be exploited by malware or miscreants with little or no help from users.

Top of the heap this month (apart from the ongoing, global Exchange Server mass-compromise) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness (CVE-2021-26411) affects both IE11 and the EdgeHTML-based versions of Microsoft Edge, and it allows attackers to run a file of their choice by getting you to view a hacked or malicious website in IE.

The IE flaw is tied to a vulnerability that was publicly disclosed in early February by researchers at ENKI, who say it was one of those used in a recent campaign by nation-state actors to target security researchers. In the ENKI blog post, the researchers said they will publish proof-of-concept (PoC) details after the bug has been patched.

"As we've seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits," said Satnam Narang, staff research engineer at Tenable. "We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible."

This is probably a good place to quote Ghacks.net's Martin Brinkman: This is the last patch hurrah for the legacy Microsoft Edge web browser, which is being retired by Microsoft.

For the second month in a row, Microsoft has patched scary flaws in the DNS servers on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker's choice. All five of the DNS bugs quashed in today's patch batch earned a CVSS score (danger metric) of 9.8, almost as bad as it gets. "There is the outside chance this could be wormable between DNS servers," warned Trend Micro's Dustin Childs.

As mentioned above, hundreds of thousands of organizations are in the midst of dealing with a security nightmare after having their Exchange Server and Outlook Web Access (OWA) hacked and retrofitted with a backdoor.
If an organization you know has been affected by this attack, please have them check with the new victim notification website mentioned in today's story. Susan Bradley over at Askwoody.com says "nothing in the March security updates (besides the Exchange ones released last week) is causing me to want to urge you to go running to your machines and patch at this time." I'd concur, unless of course you cruise the web with older Microsoft browsers.

It's a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it's usually safe to wait a few days after the patches are released, so that Microsoft has time to iron out any kinks in the new armor. But before you update, please make sure you have backed up your system and/or important files. It's not uncommon for a Windows update package to hose one's system or prevent it from booting properly, and some updates have been known to erase or corrupt files. So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there's a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Additional reading: Martin Brinkman's always comprehensive take. The SANS Internet Storm Center no-frills breakdown of the fixes.
The Ewind adware family accounted for 65% of all adware samples, with FakeAdBlocker and HiddenAd right on its heels. Almost 2 million Ewind.kp Android installer packages were hidden in legitimate apps.
Microsoft plugged as many as 89 security flaws as part of its monthly Patch Tuesday updates released today, including fixes for an actively exploited zero-day in Internet Explorer.
The ZLoader payload is a multipurpose Trojan that often acts as a dropper that delivers Zeus-based malware in multistage ransomware attacks, such as Ryuk and Egregor, a Forcepoint X-Labs report notes.
Cybersecurity firm McAfee announced that it will be selling its enterprise business to a consortium led by the private equity firm Symphony Technology Group for $4 billion.
Half of the new advisories cover flaws in third-party components. One of these advisories is related to AMNESIA:33, a collection of vulnerabilities discovered recently in open source TCP/IP stacks.
The US Department of Justice has seized a fifth domain name used to impersonate the official site of a biotechnology company involved in COVID-19 vaccine development efforts.
z0Miner is a cryptomining malware strain spotted in November by the Tencent Security Team, who saw it infecting thousands of servers by exploiting a Weblogic security vulnerability.
Vulnerabilities identified in offline finding — Apple’s proprietary crowd-sourced location tracking system — could be abused for user identification, researchers said in a report released this month.
English Premier League football club West Ham United appears to have accidently leaked personal data of supporters on its official website, potentially leaving fans exposed to phishing attacks.
With more than 30,000 installations, The Plus Addons for Elementor is a premium plugin that has been designed to add several widgets to be used with the popular WordPress website builder Elementor.
PayPal has announced that it plans to acquire Curv, a cryptocurrency startup based in Tel Aviv, Israel. Curv is a cryptocurrency security company that helps you store your crypto assets securely.
Adobe has released fixes for critical security problems impacting Framemaker, Creative Cloud, and Connect. This includes one bug in Framemaker and three critical flaws in Adobe Creative Cloud
Using LoLBins, attackers can abuse a wide range of legitimate Windows tools, including but not limited to Microsoft Defender, Windows Update, and even the Windows Finger command.
An overview of the activity on the HackerOne vulnerability coordination and bug bounty platform shows that misconfiguration of cloud resources is quickly becoming a hot target for ethical hackers.
GitHub on Monday informed users that it had discovered what it described as an “extremely rare, but potentially serious” security bug related to how some authenticated sessions were handled.
The chat database is already encrypted now (excluding media), but the algorithm is reversible and it's not end-to-end encrypted. Local Android backups will be compatible with this feature.
Infosys and Interbrand today revealed that the potential risk in brand value of a data breach to the world’s 100 most valuable brands could amount to as much as $223b, according to a new report.
The FTC's Health Breach Notification Rule, which is part of the American Recovery and Reinvestment Act of 2009, addresses privacy issues related to personal health records, the lawmakers write.
A group of bipartisan House lawmakers on Monday introduced legislation that would allow Americans to hold foreign governments and their employees accountable in court for malicious cyber activity.
The hackers sought to draw attention to the pervasive monitoring of people after having found login information for Verkada’s administrative tools publicly online this week, a researcher said.
Where were you on May 12, 2017? For many cybersecurity professionals, the answer is "trying to contain the fallout from WannaCry," the ransomware that on that day began hitting organizations globally.
Miami-based cybersecurity startup Lumu today announced the closing of its $7.5 million Series A. The round was co-led by SoftBank Group Corp.’s SB Opportunity Fund and Panoramic Ventures.
SAP's March 2021 Security Patch Day updates include 9 new security notes, including two for critical vulnerabilities affecting the company's NetWeaver AS and MII products.
Cybercriminals are targeting Coinbase platform users with phishing campaigns in an attempt to steal their account credentials and drain their cryptocurrency wallets, Bitdefender reported.
Ubuntu Security Notice 4762-1 - It was discovered that the OpenSSH ssh-agent incorrectly handled memory. A remote attacker able to connect to the agent could use this issue to cause it to crash, resulting in a denial of service, or possibly execute arbitrary code.
Microsoft Windows Containers Host Registry Virtual Registry Provider does not correctly handle relative opens leading to a process in a server silo being able to access the host registry leading to elevation of privilege.
Red Hat Security Advisory 2021-0794-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.104 and .NET Runtime 5.0.4. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2021-0793-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.104 and .NET Runtime 5.0.4. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2021-0787-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 2.1.522 and .NET Core Runtime 2.1.26. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2021-0789-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 3.1.113 and .NET Core Runtime 3.1.13. Issues addressed include a code execution vulnerability.
The standard user ContainerUser in a Windows Container has elevated privileges and High integrity level which results in making it administrator equivalent even though it should be a restricted user.
Microsoft Windows has an issue with containers where the kernel incorrectly chooses the wrong silo when looking up the root object manager directory leading to elevation of privilege.
Red Hat Security Advisory 2021-0788-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 2.1.522 and .NET Core Runtime 2.1.26. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2021-0790-01 - .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 3.1.113 and .NET Core Runtime 3.1.13. Issues addressed include a code execution vulnerability.
Ubuntu Security Notice 4761-1 - Matheus Tavares discovered that Git incorrectly handled delay-capable clean/smudge filters when being used on case-insensitive filesystems. A remote attacker could possibly use this issue to execute arbitrary code.
Microsoft plugged as many as 89 security flaws as part of its monthly Patch Tuesday updates released today, including fixes for an actively exploited zero-day in Internet Explorer that could permit an attacker to run arbitrary code on target machines. Of these flaws, 14 are listed as Critical, and 75 are listed as Important in severity, out of which two of the bugs are described as publicly
Threat actors known for keeping a low profile do so by ceasing operations for prolonged periods in between to evade attracting any attention as well as constantly refining their toolsets to fly below the radar of many detection technologies. One such group is FIN8, a financially motivated threat actor that's back in action after a year-and-a-half hiatus with a powerful version of a backdoor with
Cybersecurity researchers on Wednesday shed light on a new sophisticated backdoor targeting Linux endpoints and servers that's believed to be the work of Chinese nation-state actors. Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX,
Platform engineer and open source enthusiast Rob Dyke says that he's found himself in a sticky pickle. You see, in late February he discovered two public repositories on GitHub which contained code for an application, API keys, usernames and passwords, and a database dump. Anyone in the world could access the sensitive information. What's disappointing, however, is how the organisation responded when he told them about the problem.
Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support! The team at Recorded Future are experts at providing deep, detailed insight into emerging threats. They do it by automatically collecting and analyzing billions of data points across the web. The FREE … (from "Recorded Future's free Cyber Daily newsletter delivers trending threat insights straight to your inbox")
Every device on an MSP's managed network provides insight into what's happening on that network. This includes network routers, switches, printers and wireless devices as well as servers, endpoints, IoT devices and everything else connected to the network. Each creates a log in its own format, or syntax, that a technician can review for troubleshooting, configuration confirmation, the creation of specific alerts based on a device's activity, or a host of other reasons. These records of each device's activities are commonly referred to as syslogs (strictly, syslog is the logging protocol and message format, but in practice the term is used for the records themselves). Syslogs present information in a variety of ways, including custom formatting, industry-standard formatting, and even raw data lacking a consistent format.

The good news is that any activity requiring a security review is recorded somewhere in these syslogs. The bad news is that it can be buried in them. Whole mountain ranges of information are regularly processed by these systems. Millions upon millions of data points may be present, making the set overwhelmingly confusing. At best, sorting meaningful information from noise is a daunting task, even for well-staffed IT departments.

Fortunately for security professionals, and more specifically for MSPs and MSSPs focused on providing insight into their managed networks, there is a mature product category that can be incorporated into their technology stack to help. Security information and event management (SIEM) solutions have existed for years, but they have recently been gaining traction among MSPs and MSSPs. For good reason: knowledge of a network's activity is essential to protecting it.

Is setting up a SIEM worth the cost and effort for an MSP? The short answer is: YES. If you want to synthesize information from various sources to determine whether a security event has taken or is taking place on a customer network, then yes, a SIEM is the natural evolution of the MSP security stack. The longer answer is, well, longer. Let's break out a couple of options for those interested in establishing a more sophisticated security information and event management solution.

SIM, SEM or SIEM?

That's the question to begin with. While security information management (SIM) and security event management (SEM) solutions have been in place for some time, they're now commonly combined into the offering referred to as a SIEM.

So, where does an MSP get started? There are three common choices for getting a SIEM stood up and configured:

On-premises: Stand up a server, add some software (a bunch, actually), point all the syslogs to the device and get started. Easy, right? In reality, on-premises solutions have a higher cost and can be daunting to get started with. Software costs vary with the solution provider's model. But if control and compliance are important, on-premises solutions may be a great option.

Cloud-based: Any one of a number of existing solutions that cater to MSPs are simpler to get started with. The challenge with cloud-based solutions is pulling data from many sources and pushing it through firewalls and networks to a public cloud solution.

Hybrid: As its name implies, some options blend cloud-based solutions with a local collection server that gathers information and pushes it as a single source, securely, to the cloud for analysis and processing.

Feeding your SIEM a healthy diet of data

Before deciding on a SIEM component, a log collection or data collection solution must be set up to feed it. Syslog collection refers to a number of different activities, but in a SIEM or security-specific sense it usually comes down to what makes the most sense for the application: purpose-built or generic.

Syslog aggregator or log collector: These are devices that take in all syslog information from all devices. They range from sophisticated solutions with alerting and performance reviews to feeds that simply "normalize" the data, distilling the most relevant input, reworking the details into a consistent standard and reporting on the highlights.

Syslog bridge: A more generic solution that acts mostly as a log collector. Simply point devices to this collector and it maps the data.

Syslog collector: A generic log collector much like a bridge, but usually providing a little more intelligence, costing more, and often serving multiple purposes like performance, device status and security event reporting.

Log gathering is the most misunderstood aspect of a SIEM and is often overlooked. The key is finding the most appropriate strategy for your needs. For most MSPs, a basic bridge with a specific security purpose for feeding a SIEM may be the most efficient and cost-effective option. For additional needs like performance or status determinations, a more sophisticated syslog collector may be appropriate. But most performance and status information is already provided by RMM solutions, so why reinvent the wheel?

What to expect from your SIEM

After deciding on a syslog collector and SIEM setup, it's time to put the SIEM to work parsing data and making sense of the output. This is the intel that allows technicians to make sound decisions regarding security events. Which SIEM to incorporate into a given MSP's operations depends on the level of services offered. MSPs building out a SOC or offering managed detection and response (MDR) services may require more sophisticated output from their SIEM. MSPs simply looking to distill information for their respective technical teams to analyze and make security decisions can usually rely on tailored, cloud-based solutions.

Regardless of the provider, a SIEM should at least do the following:

Perform log gathering: If log gathering is not directly accounted for by a SIEM, another solution will be necessary for feeding data to it.

Correlate security events: To spot security threats that may be spread across a network, not just those visible in a single device's syslog, a SIEM must be able to track data across multiple devices.

Connect to threat intelligence feeds: To keep up with a rapidly shifting threat landscape (and therefore be useful for preventing attacks), it must be informed by strong threat intelligence feeds, preferably ones using machine learning to recognize even zero-day threats.

Issue security alerts: A key SIEM benefit is the ability to provide timely alerts regarding security events based on large amounts of data, to assist with decision making and make it possible to stop attacks before they develop.

Present reports: Many SIEMs can produce reports in a cadence that makes sense for an MSP or MSSP depending on their needs and the needs of their clients.

Enhance compliance: Because a SIEM aggregates information on a network, it can produce compliance reports for clients based on industry-specific needs.

A good SIEM solution can minimize technician workload and manual data interpretation. It also benefits clients by beefing up your own security capabilities. A SIEM is a natural step for any growing MSP looking to provide the best security solution for customers with workable margins. With a little focus, it shouldn't take months or an act of Congress to set up and use a SIEM. The above guidance should enable any MSP, regardless of size, to devise a viable plan for putting one in place.

The post Does a SIEM make sense for my MSP? appeared first on Webroot Blog.
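The collection, normalization and cross-device correlation steps described above, as an added example written for this page; it is not Webroot's code or any vendor's product. It takes constructed log lines in two syslog wire formats (RFC 3164 "BSD" lines from two Linux hosts, an RFC 5424 line from a firewall) plus a vendor-style switch message, maps them onto one event schema, and applies two illustrative correlation rules whose names, window and thresholds are assumptions: a source IP failing logins on more than one host inside a window, and a login success from an IP that has just been failing. The sshd and pf message patterns are written for the sample lines only.

```python
"""Minimal SIEM pipeline: normalize mixed syslog formats, then correlate
events across devices and raise alerts. Added example, not Webroot's code.
All log lines below are constructed; the two rules and their thresholds are
illustrative choices, not a vendor's."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: two Linux hosts (RFC 3164/BSD syslog), a firewall
# (RFC 5424) and a switch (vendor-style message body), all about one source IP.
SAMPLE_LOGS = [
    "<38>Mar  9 10:01:02 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51822 ssh2",
    "<38>Mar  9 10:01:05 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51830 ssh2",
    "<134>1 2021-03-09T10:01:07Z fw01 pf - - - block in on em0 proto tcp from 203.0.113.7 to 10.0.0.12 port 22",
    "<38>Mar  9 10:01:09 db01 sshd[910]: Failed password for admin from 203.0.113.7 port 40100 ssh2",
    "<38>Mar  9 10:01:11 db01 sshd[910]: Accepted password for admin from 203.0.113.7 port 40104 ssh2",
    "<166>Mar  9 10:02:00 sw01 %LINK-3-UPDOWN: Interface Gi1/0/4, changed state to down",
]

BSD_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
RFC5424_RE = re.compile(r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")

# Message-body patterns that map vendor text onto a shared event vocabulary
# (written for the sample lines; a real deployment needs one per source type).
PATTERNS = [
    ("auth_failure", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")),
    ("auth_success", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+)")),
    ("fw_block", re.compile(r"\bblock in\b.*\bfrom (?P<src_ip>\S+) to (?P<dst_ip>\S+)")),
]


def parse_syslog(line, year=2021):
    """Normalize one BSD-style or RFC 5424 syslog line into a common schema.

    Returns None for lines in neither format. RFC 3164 timestamps carry no
    year or zone, so the caller supplies the year and UTC is assumed."""
    m = RFC5424_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    else:
        m = BSD_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    pri = int(m["pri"])
    event = {"ts": ts, "host": m["host"], "msg": m["msg"],
             "facility": pri >> 3, "severity": pri & 7,   # PRI = facility*8 + severity
             "event_type": "other", "user": None, "src_ip": None, "dst_ip": None}
    for etype, pat in PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            event["event_type"] = etype
            event.update(hit.groupdict())
            break
    return event


def correlate(events, window_s=60, min_failures=3):
    """Cross-device rules over normalized events. Any single host's log shows
    at most two failed logins; only the merged timeline shows one IP spraying
    several hosts, getting blocked by the firewall, then succeeding elsewhere."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> [(ts, host), ...]
    blocked = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        if ev["event_type"] == "fw_block":
            blocked.add(ip)
        elif ev["event_type"] == "auth_failure":
            failures[ip].append((ev["ts"], ev["host"]))
        elif ev["event_type"] == "auth_success" and ip in failures:
            prior = [t for t, _ in failures[ip] if (ev["ts"] - t).total_seconds() <= window_s]
            if prior:
                alerts.append({"rule": "success_after_failures", "src_ip": ip,
                               "user": ev["user"], "host": ev["host"],
                               "prior_failures": len(prior), "ts": ev["ts"]})
    # Rule 2 needs the whole window, so it runs after every event is in.
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            burst = [h for t, h in attempts[i:] if (t - t0).total_seconds() <= window_s]
            if len(burst) >= min_failures and len(set(burst)) >= 2:
                alerts.append({"rule": "distributed_brute_force", "src_ip": ip,
                               "hosts": sorted(set(burst)), "failures": len(burst),
                               "fw_blocked": ip in blocked, "ts": t0})
                break
    return alerts


def run(lines=SAMPLE_LOGS):
    """Parse every line that is recognizable, then correlate; returns both."""
    events = [e for e in (parse_syslog(l) for l in lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    _, found = run()
    for a in found:
        print(a)
```

Run it directly to print the two alerts on the sample data. The point to notice is that no single device's log triggers either rule: web01 alone sees two failures, db01 alone sees one failure and a success, and fw01 only sees a block. The alerts exist only because the events were normalized into one timeline. In production the shape is the same, but the parsing step is where most of the effort goes: every source with a non-standard message body needs its own pattern, and a line that matches nothing should still be kept and counted rather than silently dropped, since "unparsed" is itself a signal about collection health.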