Cyber security aggregate RSS news

Cyber security aggregator - feeds history

Phishing for Microso ...

 Business

With access to corporate e-mail, cybercriminals can perform business e-mail compromise (BEC) attacks. That is why we see so many phishing letters directing corporate users to sign in to websites fashioned like the MS Office login page, and why it is important to know what to pay attention to if a link redirects to a page like that.

Cybercriminals stealing credentials for Microsoft Office accounts is nothing new. However, the methods attackers use keep getting more advanced. Today we use a real-world case, a letter we actually received, to demonstrate best practices and to outline some of the new tricks.

New phishing trick: HTML attachment

A phishing letter normally contains a hyperlink to a fake website. As we say regularly, hyperlinks need careful examination both for general appearance and for the actual Web addresses they lead to (hovering over the link reveals the target address in most mail clients and Web interfaces). Sure enough, once enough people had absorbed that simple precaution, phishers began replacing links with attached HTML files whose sole purpose is to automate the redirection. Clicking on the HTML attachment opens it in a browser. The phishing-relevant part of the file is a single script statement that assigns the phishing website's address to window.location.href, which forces the browser to open that site in the same window. Because the message body carries no visible link, hovering reveals nothing; the attachment itself has to be inspected.

What to look for in a phishing letter

New tactics aside, phishing is phishing, so begin with the letter itself. Here is the actual letter we received. In this case, it is a fake incoming voice message notification. Before clicking on the attachment, we have a few questions to contemplate:

Do you know the sender? Is it likely the sender would leave you a voice message at work?

Is it common practice at your company to send voice messages by e-mail? Not that it is used much nowadays, but Microsoft 365 hasn't supported voice mail since January 2020.

Do you have a clear idea what app sent the notification? MS Recorder is not part of the Office package, and anyway Microsoft's default sound recording app, which could in theory send voice messages, is called Voice Recorder, not MS Recorder.

Does the attachment look like an audio file? Voice Recorder can share voice recordings, but it sends them as .m4a files. Even if the recording comes from a tool unknown to you and is stored on a server, there should be a link to it, not an attachment.

In summary: we have a letter from an unknown sender delivering an alleged voice message (a feature we never use), recorded using an unknown program, sent in as an attached Web page. Worth trying to open? Certainly not.

How to recognize a phishing page

Suppose you did click on that attachment and landed on a phishing page. How can you tell it's not a legitimate site? Here is what to look at:

Does the address bar content look like a Microsoft address?

Do the links "Can't access your account?" and "Sign in with a security key" direct you where they should? Even on a phishing page, they may well lead to real Microsoft pages, although in our case they were inactive, a clear sign of fraud.

Does the window look right? Microsoft normally has no problems with details such as background image scale. Glitches can happen to anyone, of course, but anomalies should raise a flag.

In any case, if you have any doubt, look up https://login.microsoftonline.com/ to see what Microsoft's actual sign-in page looks like.

How to avoid getting hooked

To avoid giving up your Office account passwords to unknown attackers: Pay attention. Use our questions to avoid the simplest forms of phishing. To learn more tricks, try our modern cyberthreat awareness training courses. Protect employees' mailboxes with Office 365 protection to expose phishing attempts with hyperlinks or with attached HTML files, and use endpoint protection to prevent the opening of phishing sites.
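As an added example (not code from the original article or from Kaspersky), here is a small Python triage script that does for an HTML attachment what hovering does for a link: it pulls out every navigation the file would trigger on open (a window.location.href assignment, location.replace/assign, or a meta refresh) and checks each target host against a short allow-list of Microsoft sign-in hosts. The allow-list, the verdict names and the sample attachment are assumptions constructed for the demo; a mail gateway would carry a vetted list and feed in real attachments.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the demo: hosts Microsoft uses for interactive sign-in.
# A production gateway would carry a vetted allow-list instead.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# The one-statement redirect the article describes, plus its common variants:
#   window.location.href = "https://..."; location.replace("..."); location.assign("...")
_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*
        (?:=|\.replace\(|\.assign\()\s*(["'])(?P<url>[^"']+)\1""",
    re.IGNORECASE | re.VERBOSE,
)


class _NavigationCollector(HTMLParser):
    """Collect <script> bodies and <meta http-equiv="refresh"> targets."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "meta":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("http-equiv", "").lower() == "refresh":
                m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
                if m:
                    self.meta_refresh.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self.scripts.append(data)


def redirect_targets(html):
    """Every URL the attachment would navigate to as soon as it is opened."""
    collector = _NavigationCollector()
    collector.feed(html)
    targets = list(collector.meta_refresh)
    for body in collector.scripts:
        targets.extend(m.group("url") for m in _REDIRECT_RE.finditer(body))
    return targets


def triage_attachment(html):
    """Return (verdict, targets); verdicts: no-redirect, redirect-to-microsoft, redirect-to-unknown."""
    targets = redirect_targets(html)
    if not targets:
        return "no-redirect", targets
    for url in targets:
        host = (urlsplit(url).hostname or "").lower()
        if host not in MICROSOFT_LOGIN_HOSTS:
            return "redirect-to-unknown", targets
    return "redirect-to-microsoft", targets


# Constructed attachment in the shape the article describes: no visible content,
# one script statement, and a lookalike host that is not Microsoft's.
SAMPLE_ATTACHMENT = (
    '<html><head><title>Voice message</title></head><body>'
    '<script>window.location.href="https://login-microsoftonline.example/'
    'common/oauth2?login_hint=user%40corp.example";</script></body></html>'
)

if __name__ == "__main__":
    verdict, targets = triage_attachment(SAMPLE_ATTACHMENT)
    print(verdict, targets)
```

The allow-list comparison is deliberately exact: a host that merely contains "microsoft" (as the sample's login-microsoftonline.example does) is the lookalike case the article warns about, so it is reported as unknown rather than trusted.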

Top 5 most dangerous ...

 Business

Over the past five years, ransomware has evolved from a threat to individual computers into a serious danger to corporate networks. Cybercriminals have stopped simply trying to infect as many computers as possible and now target big victims instead. Attacks on commercial organizations and government agencies require careful planning but can potentially lead to rewards in the tens of millions of dollars.

Ransomware gangs exploit companies' financial clout, which tends to be far greater than that of ordinary users. What's more, many modern ransomware groups steal data prior to encryption, adding the threat of publication as further leverage. For the affected company, that adds all kinds of risks, from reputational damage to problems with shareholders to fines from regulators, which often add up to more than the ransom.

According to our data, 2016 was a watershed year. In just a few months, the number of ransomware attacks on organizations tripled: whereas in January 2016 we recorded one incident every 2 minutes on average, by late September the interval had shrunk to 40 seconds. Since 2019, experts have regularly observed targeted campaigns from a series of so-called big-game-hunting ransomware families. The malware operators' own leak sites show attack statistics, and we used that data to compile a ranking of the most active cybercriminal groups.

1. Maze (aka ChaCha ransomware)

Maze ransomware, first spotted in 2019, quickly rose to the top of its malware class. Of the total number of victims, this ransomware accounted for more than a third of attacks. The group behind Maze was one of the first to steal data before encryption. If the victim refused to pay the ransom, the cybercriminals threatened to publish the stolen files. The technique proved effective and was later adopted by many other ransomware operations, including REvil and DoppelPaymer, which we discuss below. In another innovation, the cybercriminals began reporting their attacks to the media. In late 2019, the Maze group told Bleeping Computer about its hack of the company Allied Universal, attaching a few of the stolen files as evidence. In its e-mail conversations with the website's editors, the group threatened to send spam from Allied Universal's servers, and it later published the hacked company's confidential data on the Bleeping Computer forum. The Maze attacks continued until September 2020, when the group began winding down its operations, although not before several international corporations, a state bank in Latin America, and a US city's information system had suffered from its activities. In each of those cases, Maze operators demanded several million dollars from the victims.

2. Conti (aka IOCP ransomware)

Conti appeared in late 2019 and was very active throughout 2020, accounting for more than 13% of all ransomware victims during this period. Its creators remain active. An interesting detail about Conti attacks is that the cybercriminals offer the target company help with security in exchange for agreeing to pay, saying "You will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers." As with Maze, the ransomware not only encrypts, but also sends copies of files from hacked systems to the ransomware operators. The cybercriminals then threaten to publish the information online if the victim fails to comply with their demands. Among the most high-profile Conti attacks was the hack of a school in the United States, followed by a $40 million ransom demand. (The administration said it had been ready to pay $500,000 but would not negotiate 80 times that amount.)

3. REvil (aka Sodin, Sodinokibi ransomware)

The first attacks by REvil ransomware were detected in early 2019 in Asia. The malware quickly attracted the attention of experts for its technical prowess, such as its use of legitimate CPU functions to bypass security systems. In addition, its code contained characteristic signs of having been created for lease. In the total statistics, REvil victims make up 11%. The malware affected almost 20 business sectors. The largest share of victims falls to Engineering & Manufacturing (30%), followed by Finance (14%), Professional & Consumer Services (9%), Legal (7%), and IT & Telecommunications (7%). The latter category accounted for one of the most high-profile ransomware attacks of 2019, when cybercriminals hacked several MSPs and distributed Sodinokibi among their customers. The group currently holds the record for the largest known ransom demand: $50 million from Acer in March 2021.

4. Netwalker (aka Mailto ransomware)

Of the total number of victims, Netwalker accounted for more than 10%. Among its targets are logistics giants, industrial groups, energy corporations, and other large organizations. In the space of just a few months in 2020, the cybercriminals hauled in more than $25 million. Its creators seem determined to bring ransomware to the masses. They offered to lease Netwalker to lone scammers in exchange for a slice of attack profits. According to Bleeping Computer, the malware distributor's share could reach 70% of the ransom, although such schemes typically pay affiliates much less. As evidence of their intent, the cybercriminals published screenshots of large money transfers. To make the leasing process as easy as possible, they set up a website to automatically publish the stolen data after the ransom deadline. In January 2021, police seized Netwalker dark web resources and charged Canadian citizen Sebastien Vachon-Desjardins with obtaining more than $27.6 million from the extortion activity. Vachon-Desjardins was in charge of finding victims, breaching them, and deploying Netwalker on their systems. The law-enforcement operation effectively killed off Netwalker.

5. DoppelPaymer ransomware

The last villain of our roundup is DoppelPaymer, ransomware whose victims make up about 9% of the total statistics. Its creators made a mark with other malware too, including the Dridex banking Trojan and the now-defunct BitPaymer (aka FriedEx) ransomware, which is considered an earlier version of DoppelPaymer. So the total number of victims of this group is in fact much higher. Commercial organizations hit by DoppelPaymer include electronics and automobile manufacturers, as well as a large Latin American oil company. DoppelPaymer frequently targets government organizations worldwide, including healthcare, emergency, and education services. The group also made headlines after publishing voter information stolen from Hall County, Georgia, and receiving $500,000 from Delaware County, Pennsylvania, both in the United States. DoppelPaymer attacks continue to this day: in February of this year, a European research body announced that it had been hacked.

Targeted attack methods

Every targeted attack on a large company is the result of a long process of finding vulnerabilities in the infrastructure, devising a scenario, and selecting tools. Then comes the intrusion itself, after which the malware is spread throughout the corporate infrastructure. Cybercriminals sometimes remain inside a corporate network for several months before encrypting files and issuing a demand. The main paths into the infrastructure are:

Poorly secured remote access connections. Vulnerable RDP (Remote Desktop Protocol) connections are such a common means of delivering malware that groups on the black market offer services to exploit them. When much of the world switched to remote work, the number of such attacks skyrocketed. This is the modus operandi of the Ryuk, REvil, and other ransomware campaigns.

Server application vulnerabilities. Attacks on server-side software give cybercriminals access to the most sensitive data. A recent example came in March, when the DearCry ransomware attacked through a zero-day vulnerability in Microsoft Exchange. Insufficiently protected server-side software can serve as an entry point for a targeted attack. Security issues also crop up in enterprise VPN servers, some examples of which we saw last year.

Botnet-based delivery. To ensnare even more victims and increase profits, ransomware operators use botnets. Zombie network operators provide other cybercriminals with access to thousands of compromised devices, which automatically look for vulnerable systems and download ransomware onto them. That is how, for example, the Conti and DoppelPaymer ransomware spread.

Supply-chain attacks. The REvil campaign best highlights this threat vector: the group compromised an MSP and then distributed ransomware to its customers' networks.

Malicious attachments. E-mails containing malicious macros in attached Word documents are still a popular option for malware delivery. One of our Top 5 villains, Netwalker, used malicious attachments to ensnare victims; its operators sent out mailings with "COVID-19" in the subject line.

How business can stay protected

Train employees in digital hygiene. Employees should know what phishing is, never to follow links in suspicious e-mails or download files from dubious sites, and how to create, remember, and safeguard strong passwords. Conduct regular training in information security not only to minimize incident risk, but also to mitigate damage in the event that attackers still manage to penetrate the network.

Regularly update all operating systems and applications to ensure maximum protection against attacks through known software vulnerabilities. Take care of updating both client-side and server-side software.

Perform security audits, check equipment security, and keep track of which ports are open and accessible from the Internet. Use a secure connection for remote work, but remember that even VPNs can be vulnerable.

Create backups of corporate data. Having backups helps not only to reduce downtime and restore business processes faster in the event of a ransomware attack, but also to recover from more humdrum events such as hardware malfunctions.

Use a professional security solution that employs behavioral analysis and anti-ransomware technologies.

Deploy an information security system that is able to recognize anomalies in the network infrastructure, such as attempts to probe ports or requests to access non-standard systems. Engage outside expertise if you don't have in-house specialists capable of monitoring the network.
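Two of the recommendations above can be checked mechanically: whether remote-access ports such as RDP are reachable from the Internet, and whether something on the network is probing ports. As an added example, not code from the original article or from Kaspersky, the following Python script runs both checks over a few constructed firewall log lines in a generic key=value format. The log format, the addresses, the thresholds and the "internal means RFC 1918" rule are assumptions for the demo; the parser would need adapting to a real firewall's export.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a generic key=value firewall format (assumption: not any
# vendor's real export). One external host walks a dozen ports in 12 seconds,
# one external host is allowed straight through to RDP, the rest is benign.
PROBED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389]
SAMPLE_LOG = [
    f"2021-04-21T09:00:{i:02d}Z src=203.0.113.7 dst=10.0.0.5 dport={p} proto=tcp action=deny"
    for i, p in enumerate(PROBED_PORTS)
] + [
    "2021-04-21T09:01:10Z src=198.51.100.9 dst=10.0.0.5 dport=3389 proto=tcp action=allow",
    "2021-04-21T09:01:12Z src=10.0.0.8 dst=10.0.0.5 dport=3389 proto=tcp action=allow",
    "2021-04-21T09:01:15Z src=192.0.2.44 dst=10.0.0.20 dport=443 proto=tcp action=allow",
    "2021-04-21T09:05:00Z src=192.0.2.44 dst=10.0.0.20 dport=80 proto=tcp action=allow",
]

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+ action=(?P<action>\w+)"
)

# Assumption: "internal" means RFC 1918 space. ipaddress.is_private is not used
# because it also treats the documentation ranges used in this sample as private.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def find_port_probes(lines, window_seconds=60, min_ports=10):
    """Sources that touched at least min_ports distinct ports within any window_seconds span."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)
    probes = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            deadline = first["ts"] + timedelta(seconds=window_seconds)
            ports = {e["dport"] for e in events[i:] if e["ts"] <= deadline}
            if len(ports) >= min_ports:
                probes[src] = sorted(ports)
                break
    return probes


def find_exposed_rdp(lines, rdp_port=3389):
    """Allowed RDP connections from non-internal sources, i.e. RDP reachable from the Internet."""
    exposed = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["dport"] == rdp_port and ev["action"] == "allow" and not is_internal(ev["src"]):
            exposed.append((ev["src"], ev["dst"]))
    return exposed


if __name__ == "__main__":
    print("port probes:", find_port_probes(SAMPLE_LOG))
    print("exposed RDP:", find_exposed_rdp(SAMPLE_LOG))
```

The probe detector keys on distinct destination ports per source inside a sliding window rather than on raw deny counts, so a single noisy but legitimate client hitting one port repeatedly does not trip it; the RDP check flags only allowed connections, since a denied attempt is the firewall doing its job.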

Ransomware, BEC and ...

 Threat Intelligence

Although cybercriminal activity throughout 2020 was as innovative as ever, some of the most noteworthy threat activity we saw came from the old familiar players, namely ransomware, business email compromise (BEC) and phishing. According to the 2021 Webroot BrightCloud® Threat Report, each of these threat types saw significant fluctuations as people all over the world shifted to working, studying, and doing everything else online. Here are some of the findings from the report.

Ransomware

One of the newer trends we saw in ransomware was data extortion. Believed to have been started by the Maze ransomware group, data extortion involves not just encrypting a business's data and holding it for ransom, but also threatening to expose the stolen data if the victim refuses to pay. This ransomware business model specifically targets sensitive data to increase the likelihood of payment. Unfortunately, there's little a targeted business can do in these situations. If they don't pay up, their data might be disclosed publicly or otherwise misused. And, depending on what kind of data has been compromised, the consequences of exposure could include costly fines for violating privacy regulations like GDPR and the California Consumer Privacy Act (CCPA). These fines can really add up, starting at $100 per customer per record lost and going up to flat percentages of revenue. As if the ransom cost and regulatory fines aren't enough, there's also the cost of other ransomware fallout, such as downtime and time to recover. Universal Health Services reportedly suffered three weeks of downtime after its September 2020 ransomware incident, resulting in a $67 million loss of revenue. Finally, there's the question of the brand's reputation and customer trust, which could be so irreparably damaged that the business might not survive. Read more about the hidden costs of ransomware in our eBook.

As the data extortion trend took off, we also saw massive payouts to ransomware actors. The attackers who hit Foxconn demanded ~1804 Bitcoin ($34 million at the time) to prevent the data they'd stolen from being publicly exposed. Malicious actors infected Garmin's systems with ransomware and required (and reportedly received) $10 million to destroy the stolen data. By September 2020, the average ransom payment peaked at $233,817.

"In most cases, ransomware isn't the beginning of a compromise. It's actually the end state, where the criminals cash in after an extended period. By the time you realize you've got ransomware on your network, the criminals may have been in there, watching, listening, and tampering with things for weeks or months without your knowledge. They might've even checked out your financials, so they know what kind of ransom to demand." – Kelvin Murray, Sr. Threat Research Analyst

Business email compromise (BEC)

BEC typically targets commercial, government, and nonprofit organizations by impersonating a senior colleague, IT team member, vendor, or trusted customer. In most scenarios, the malicious actor contacts the victim via email under the pretense of requesting money (especially via wire transfer or prepaid gift card), asking for credentials, or demanding the release of sensitive data. BEC relies heavily on the inherent trust of employees in their management teams, fellow colleagues, and customers. But with so many invoices and payment requests occurring as part of the daily operations of any business, it can be quite easy for attackers to sneak a fake one in. You might not think much of the consequences of this type of attack, but it's not always a matter of a few $50 or $100 gift cards; it could just as easily be a legitimate-looking vendor invoice for tens of thousands of dollars. BEC remains a very lucrative business; the Internet Crime Complaint Center (IC3) received 19,369 BEC complaints in 2020, resulting in adjusted losses of $1.8 billion.

"Like phishing prevention, successfully preventing BEC involves a combination of robust training for end users and appropriately designed and publicized business policies around how to handle financial or technical requests." – Grayson Milbourne, Security Intelligence Director

Phishing

Phishing is still one of the most popular ways (if not the most popular) to get ransomware and other types of malware into a business's network. Getting a victim to fall for a phishing attack is often the first step, which gives attackers a jumping-off point to perform reconnaissance on the network, acquire any necessary credentials, interfere with protection measures and backup schedules, deploy malware payloads, and more; they can then decide what to do with any data they steal at their leisure. COVID-19 definitely affected phishing in very visible ways. For example, the majority of phishing lures we spotted throughout the year pretended to offer information on the pandemic, COVID-19 tracking, protection measures and PPE, and more, often purporting to be from reputable sources like the CDC or WHO. There were also numerous malicious spam (malspam) emails claiming to provide details on stimulus checks and vaccines.

The peaks in phishing throughout 2020 largely coincided with the early months of the pandemic. Attacks increased 510% from January to February, with eBay and Apple the brands most often targeted (we believe these numbers were due to buyers increasingly looking online as product shortages and technology needs arose). Attack volume continued to grow into March, then dropped off as we moved into the summer months. A more modest spike occurred in the months leading up to the U.S. election, up 34% from September to October, and another 36% from October to November. Here are a few of the other phishing stats that stand out. From March to July, during the initial lockdown phase in the U.S., phishing URLs targeting Netflix jumped 646%. Other popular streaming services saw similar spikes at corresponding times. By the end of 2020, 54% of phishing sites used HTTPS, indicating that checking for the lock icon in your browser's address bar is no longer an adequate way to gauge whether a website is legitimate.

Summary

Cybercriminals certainly didn't sit 2020 out, but it's not all gloom and doom. In fact, there were numerous cybersecurity achievements throughout the year that work to the benefit of businesses and individuals everywhere. Security researchers and analysts have been working hard to identify and neutralize new threats the moment they're encountered. More businesses are adopting robust backup and disaster recovery plans to remain resilient in the face of downtime, planned or unplanned. Operating systems and web browsers are improving their built-in security to stop threats sooner in the attack cycle. Phishing simulations and security awareness training for employees continue to improve business security postures by major percentages (up to 72%, per the report). Nations and companies are working together to break down cybercriminal infrastructure. Even malware (for the moment) is trending gently downward. It's clear from our findings that, with the right backup, training, and security layers working together to form a united defense against cyber threats, businesses and individuals can achieve true resilience, no matter what threatens. Get the full story on these details and more in the 2021 Webroot BrightCloud® Threat Report. The post Ransomware, BEC and Phishing Still Top Concerns, per 2021 Threat Report appeared first on Webroot Blog.

 Malware and Vulnerabilities

TA511 achieves initial access through a malicious Word document that drops a Hancitor sample as a DLL file and executes it using rundll32, a common living-off-the-land technique.
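As an added example (not Hancitor, not TA511's tooling, and not any vendor's rule), the following Python detection implements the pattern this item describes, an Office application spawning rundll32 to load a DLL from a user-writable directory, over a handful of constructed process-creation events. The event field names (image, parent_image, command_line), the marker directories and the sample paths are assumptions for the demo; map them to whatever your EDR or Sysmon pipeline emits.

```python
import re

# Assumption: a generic process-creation event shape. Sysmon Event ID 1 or an
# EDR feed carries the same information under slightly different field names.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\",
)

# First argument after the rundll32 executable: either a quoted path or a bare
# token that ends at the comma separating the DLL from its export name.
_RUNDLL32_ARG_RE = re.compile(
    r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))',
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased final path component; tolerates both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(command_line):
    """The DLL rundll32 was asked to load, or None if the command line is not rundll32."""
    m = _RUNDLL32_ARG_RE.match(command_line)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def detect_office_rundll32(events):
    """Flag rundll32 loading a DLL from a user-writable path; Office parent raises severity."""
    findings = []
    for idx, ev in enumerate(events):
        if basename(ev["image"]) != "rundll32.exe":
            continue
        module = rundll32_module(ev["command_line"])
        if not module:
            continue
        reasons = []
        # A bare name like shell32.dll resolves from the system search path; only an
        # explicit path into a user-writable directory is suspicious here.
        if "\\" in module and any(mk in module.lower() for mk in USER_WRITABLE_MARKERS):
            reasons.append("dll-from-user-writable-path")
        if basename(ev["parent_image"]) in OFFICE_PARENTS:
            reasons.append("office-parent")
        if "dll-from-user-writable-path" in reasons:
            findings.append({
                "index": idx,
                "module": module,
                "reasons": reasons,
                "severity": "high" if "office-parent" in reasons else "medium",
            })
    return findings


# Constructed events: one Hancitor-style chain, one Excel-spawned loader from
# ProgramData, and three benign rundll32/Office children that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\Word\9f4c.dll,#1"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\tmp\a.txt"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\Intel\x.dll",DllRegisterServer'},
    {"image": r"C:\Windows\System32\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for f in detect_office_rundll32(SAMPLE_EVENTS):
        print(f)
```

Keying on the DLL's location rather than on rundll32 itself keeps the rule quiet on the many legitimate rundll32 invocations (control-panel applets, printing helpers) while still catching the loader regardless of which export name the dropper chose.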

 Breaches and Incidents

The patch for the ProxyLogon vulnerabilities was released more than a month ago. Even so, one more ransomware actor has joined the growing list of adversaries exploiting them.

 Feed

Ubuntu Security Notice 4923-1 - Laszlo Ersek discovered that EDK II incorrectly handled recursion. A remote attacker could possibly use this issue to cause EDK II to consume resources, leading to a denial of service. Satoshi Tanda discovered that EDK II incorrectly handled decompressing certain images. A remote attacker could use this issue to cause EDK II to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.

 Feed

This Metasploit module exploits an arbitrary configuration write/update vulnerability to achieve remote code execution. Unauthenticated users can execute a terminal command under the context of the web server user. Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of the administrator controller without needing any credentials. Executing particular methods results in arbitrary YAML file creation or changes to the content of existing YAML files on the system. Successful exploitation of that vulnerability results in configuration changes, such as changes to general site information, custom scheduler job definitions, etc. Due to the nature of the vulnerability, an adversary can change parts of the web page, hijack an administrator account, or execute operating system commands under the context of the web-server user.

 Feed

This Metasploit module exploits an OS command injection vulnerability in includes/components/nxti/index.php that enables an authenticated user with admin privileges to achieve remote code execution as the apache user. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios XI 5.7.3 running on CentOS 7.

 Feed

This Metasploit module exploits two NoSQL injection vulnerabilities to retrieve the user list and password reset tokens from the system. Next, the USER is targeted to reset their password. Then, a command injection vulnerability is used to execute the payload. While it is possible to upload a payload and execute it, the command injection provides a no-disk-write method, which is stealthier. Cockpit CMS versions 0.10.0 through 0.11.1, inclusive, contain all the necessary vulnerabilities for exploitation.
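The first stage of that module relies on NoSQL injection, so as an added example (not Cockpit's code and not the module's) here is the general mechanism in Python: a toy MongoDB-style matcher, a user lookup that drops a decoded JSON request value straight into the query, a reset-token lookup with the same flaw, and the hardened variant that refuses anything but a string and pins the comparison to equality. The user collection and endpoint shapes are constructed for the demo; the operator semantics follow MongoDB's, but the matcher itself is an assumption, not a driver.

```python
import json
import re

# Constructed user collection (assumption: not real Cockpit data).
USERS = [
    {"user": "admin", "email": "admin@corp.example", "_reset_token": "tok-admin-1"},
    {"user": "alice", "email": "alice@corp.example", "_reset_token": "tok-alice-2"},
    {"user": "bob", "email": "bob@corp.example", "_reset_token": None},
]

# Minimal MongoDB-style operator semantics; enough to show why a dict where a
# string was expected changes the meaning of the query.
_OPERATORS = {
    "$eq": lambda value, arg: value == arg,
    "$ne": lambda value, arg: value != arg,
    "$gt": lambda value, arg: value is not None and value > arg,
    "$regex": lambda value, arg: isinstance(value, str) and re.search(arg, value) is not None,
}


def _matches(value, condition):
    if isinstance(condition, dict):  # operator object, e.g. {"$regex": "^a"}
        return all(op in _OPERATORS and _OPERATORS[op](value, arg) for op, arg in condition.items())
    return value == condition


def find(collection, query):
    return [doc for doc in collection if all(_matches(doc.get(k), c) for k, c in query.items())]


def lookup_user_vulnerable(request_body):
    """Puts the decoded JSON value straight into the filter: a dict becomes an operator object."""
    body = json.loads(request_body)
    return [doc["user"] for doc in find(USERS, {"user": body["user"]})]


def reset_by_token_vulnerable(request_body):
    """Same flaw on a token field: a $regex on the prefix reveals which accounts hold tokens."""
    body = json.loads(request_body)
    return [doc["user"] for doc in find(USERS, {"_reset_token": body["token"]})]


def lookup_user_hardened(request_body):
    """Type-checks the value and pins the comparison to $eq so no operator can be smuggled in."""
    body = json.loads(request_body)
    name = body.get("user")
    if not isinstance(name, str):
        raise ValueError("user must be a string")
    return [doc["user"] for doc in find(USERS, {"user": {"$eq": name}})]


def hardened_rejects(request_body):
    """True when the hardened lookup refuses the request."""
    try:
        lookup_user_hardened(request_body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(lookup_user_vulnerable('{"user": {"$ne": ""}}'))        # whole user list
    print(reset_by_token_vulnerable('{"token": {"$regex": "^tok-a"}}'))
    print(hardened_rejects('{"user": {"$ne": ""}}'))               # True
```

The hardened version does two things, and both matter: the isinstance check stops a JSON object from reaching the query at all, and wrapping the value in an explicit $eq means that even if a later refactor loosens the check, the comparison cannot be reinterpreted as an operator.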

 Feed

Ubuntu Security Notice 4922-1 - Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack.

 Feed

Red Hat Security Advisory 2021-1150-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include a denial of service vulnerability.

 Feed

SonicWall has addressed three critical security vulnerabilities in its hosted and on-premises email security (ES) product that are being actively exploited in the wild. Tracked as CVE-2021-20021 and CVE-2021-20022, the flaws were discovered and reported to the company by FireEye's Mandiant subsidiary on March 26, 2021, after the cybersecurity firm detected post-exploitation web shell activity on

 Feed

If the Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch yet. At least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations

 Feed

Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild. Tracked as CVE-2021-21224, the flaw concerns a type confusion vulnerability in V8 open-source JavaScript engine that was reported to the company by security researcher Jose Martinez on April 5 According

 Feed

Prominent Apple supplier Quanta on Wednesday said it suffered a ransomware attack from the REvil ransomware group, which is now demanding the iPhone maker pay a ransom of $50 million to prevent leaking sensitive files on the dark web. In a post shared on its deep web "Happy Blog" portal, the threat actor said it came into possession of schematics of the U.S. company's products such as MacBooks

 Feed

Today there are plenty of cybersecurity tools on the market. It is now more important than ever that the tools you decide to use work well together. If they don't, you will not get the complete picture, and you won't be able to analyze the entire system from a holistic perspective.  This means that you won't be able to do the right mitigations to improve your security posture. Here are examples

Aggregator history: Wednesday, April 21, 2021