WildPressure has added a new type of malware to its arsenal to carry out cyberattacks against organizations in the energy sector. The malware is distributed by threat actors via compromised WordPress websites, according to Threat Post. Yesterday, Kaspersky cybersecurity researchers revealed new details about the updated version of the Milum Trojan. WildPressure has been working on the malware since March 2020 and has used it in attacks against a variety of organizations in the Middle East. According to Denis Legezo, a security researcher at Kaspersky, the new version of Milum can decode a VBScript Tandis Trojan, a multi-OS Guard Trojan and a PyInstaller developed to run on macOS. The Milum Trojan has been updated to be capable of infilt...
The Atomic Energy Research Authority South Korea has been subjected to a 12-day cyberattack that is certain to originate from North Korea, according to KBS World. On Thursday, the National Intelligence Service (NIS) revealed the hacking incident during a hearing before a House Committee on National Security. According to ruling Democratic Party lawmaker Kim Byeong-ki and main opposition People Power Party (PPP) lawmaker Ha Tae-keung, the spy agency informed parliamentarians that it suspected a group affiliated with North Korea was behind the attack. The two MPs, who are both members of the intelligence committee, said the NIS did not believe the perpetrators had been able to gain access to critical technology. North Korea's cyberattack lasted 12 days in a row. Rep. Ha, a senior member of the PPP's Intelligence Comm...
According to new research provided by Trustwave, the code that REvil's cybercriminals used to launch a recent large-scale ransomware campaign was written in such a way that it avoids machines whose primary language is Russian or a related language, says NBC News. Ziv Mador, the vice president of security research at Trustwave SpiderLabs, said, "They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way."
Liad Mordekovitz and Ophir Harpaz uncovered a cyberattack that targeted several organizations and compromised servers to mine crypto or steal data, says Israel Hayom. Approximately 2,000 companies were attacked and had their servers used as a launching pad to carry out attacks on more organizations. Since the attacks were decentralized, they were harder to trace. The primary targets of the cyberattack were largely commercial and institutional servers within the media, tourism, health, and education industries in India, Vietnam, and the United States. What is the end goal of these cyberattacks on Windows Servers? Bad actors took control of servers with the goal of mining digital money, infecting them with malware or Trojans, and stealing the sensitive information stored on them. What's interesting is that the hackers deleted malwar...
In response to a data breach that exposed the personal information of more than 420,000 customers, British Airways (BA) has reached an out-of-court settlement with victims, according to IT Pro. The agreement with PGMBM, the company that had led the mediation between British Airways and the victims, calls for the carrier to pay undisclosed amounts to victims of the class action. According to the UK's flag carrier airline, the law company filing the claim on behalf of the people affected would not be admitting blame in the case. In early September 2018, British Airways reported that its security systems had been attacked, exposing the personal data of around 420,000 customers and employees. Leaked data included full names, email addresses, postal addresses, and credit or debit card numbers. British Airways expecte...
This week on the podcast, Jeff’s on vacation, so Ahmed and I tackle some thorny cybersec issues on our own. We start with news that EA’s billion-dollar franchise, Apex Legends, faced hacking concerns from gamers about the state of Titanfall, Respawn’s first foray into the FPS genre. From there, we move on to news that Google has taken the ban-hammer to some developers who placed Trojans inside their apps to scrape Facebook credentials. Other stories this week include discussion about APT28, aka Fancy Bear, targeting governments around the world, plus an exclusive chat with Kaspersky security researcher David Emm about the recent REvil attacks. If you liked what you heard, please consider subscribing and sharing with your friends. For more information on the stories we covered, see the links below:
Hacker targets ‘Apex Legends’ in plea to fix ‘Titanfall’ hacking
Widespread brute-force attacks tied to Russia’s APT28
Google removes popular Android apps that stole Facebook passwords
Older workers are a secret weapon against cyber attacks
By the end of June, security researchers were actively discussing a vulnerability in the Windows Print Spooler service, which they dubbed PrintNightmare. The patch released on June’s Patch Tuesday was supposed to fix the vulnerability, and it did — but as it happens, the issue involved two vulnerabilities. The patch closed CVE-2021-1675 but not CVE-2021-34527. On unpatched Windows-based computers or servers, malefactors can use the vulnerabilities to gain control, because the Windows Print Spooler is active by default on all Windows systems. Microsoft uses the name PrintNightmare for CVE-2021-34527 but not for CVE-2021-1675; however, many others use it for both vulnerabilities. Our experts have studied both vulnerabilities in detail and made sure that Kaspersky security solutions, with their exploit prevention technology and behavior-based protection, prevent attempts to exploit them.

Why PrintNightmare is dangerous

PrintNightmare is considered extremely dangerous for two main reasons. First, Windows Print Spooler being enabled by default on all Windows-based systems, including domain controllers and computers with system admin privileges, makes all such computers vulnerable. Second, a misunderstanding between teams of researchers (and, perhaps, a simple mistake) led to a proof-of-concept exploit for PrintNightmare being published online. The researchers involved were pretty sure Microsoft’s June patch had already solved the problem, so they shared their work with the expert community. However, the exploit remained dangerous. The PoC was quickly removed, but not before many parties copied it, which is why Kaspersky experts predict a rise in attempts to exploit PrintNightmare.

The vulnerabilities and their exploitation

CVE-2021-1675 is a privilege elevation vulnerability. It allows an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. However, that is only possible if the attacker already has direct access to the vulnerable computer in question. Microsoft considers this vulnerability relatively low-risk. CVE-2021-34527 is significantly more dangerous: although similar, it’s a remote code execution (RCE) vulnerability, which means it allows remote injection of DLLs. Microsoft has already seen exploits of this vulnerability in the wild, and Securelist provides a more detailed technical description of both vulnerabilities and their exploitation techniques. Because malefactors can use PrintNightmare to access data in corporate infrastructure, they may also use the exploit for ransomware attacks.

How to protect your infrastructure against PrintNightmare

Your first step to guarding against PrintNightmare attacks is to install both patches — June and July — from Microsoft. The latter page also provides some workarounds from Microsoft in case you can’t make use of the patches — and one of them doesn’t even require disabling Windows Print Spooler. That said, we strongly suggest disabling Windows Print Spooler on computers that don’t need it. In particular, domain controller servers are highly unlikely to need the ability to print. Additionally, all servers and computers need reliable endpoint security solutions that prevent attempts to exploit both known and as-yet-unknown vulnerabilities, including PrintNightmare.
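The mitigation described above (disable the Print Spooler where it is not needed, starting with domain controllers) is easy to get wrong at scale if a print server is swept up by mistake. The script below is an added example, written for this page and not taken from the article, Microsoft or Kaspersky. It inventories the Spooler service on a list of hosts, flags domain controllers from the Win32_ComputerSystem DomainRole value, refuses to disable the service on hosts that share printers, and only changes anything when run with -Disable. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller is a local administrator there; the host names are placeholders.

```powershell
# Added example (not the article's or vendor's code): inventory and, on request,
# disable the Print Spooler on hosts that do not need printing.
# Assumptions: PowerShell remoting is enabled on the targets and the caller is a
# local administrator on them. Host names below are placeholders.

param(
    [string[]]$ComputerName = @('dc01.example.local', 'file01.example.local'),  # placeholders
    [switch]$Disable   # without this switch the script only reports
)

$scriptBlock = {
    param([bool]$DoDisable)

    $svc  = Get-Service -Name Spooler
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDC = $cs.DomainRole -ge 4          # 4 = backup DC, 5 = primary DC

    # A host that shares printers is acting as a print server and still needs
    # the spooler; Get-Printer comes from the PrintManagement module.
    $sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Shared }).Count

    $action = 'report-only'
    if ($DoDisable) {
        if ($sharedPrinters -gt 0) {
            $action = 'skipped (shares printers)'
        } else {
            # Stop the running service and keep it from starting at boot.
            Stop-Service -Name Spooler -Force -ErrorAction Stop
            Set-Service  -Name Spooler -StartupType Disabled
            $svc    = Get-Service -Name Spooler
            $action = 'stopped and disabled'
        }
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        SharedPrinters     = $sharedPrinters
        Status             = $svc.Status
        StartType          = $svc.StartType
        Action             = $action
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $scriptBlock `
    -ArgumentList $Disable.IsPresent |
    Select-Object Computer, IsDomainController, SharedPrinters, Status, StartType, Action |
    Format-Table -AutoSize
```

Run it once without -Disable to review which hosts are domain controllers and which still share printers; a domain controller that reports SharedPrinters = 0 with the spooler Running and StartType Automatic is exactly the case the article singles out. The printer-share check is a safety rail, not a substitute for the June and July patches, which are still required on every host that keeps the service.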
Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA). According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.

Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site — portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser. As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.

[Figure: The Kaseya customer support and billing portal. Image: Archive.org.]

Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”

The official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant. “This is worse because the CVE calls for an authenticated user,” Holden said. “This was not.”

Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online. “It was deprecated but left up,” Sanders said.

In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product. “We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down – and will no longer be enabled or used by Kaseya.”

“At this time, there is no evidence this portal was involved in the VSA product security incident,” the statement continued. “We are continuing to do forensic analysis on the system and investigating what data is actually there.”

The REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack. But Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.

“The problem is that they don’t have our data, they have our customers’ data,” Sanders said. “We’ve been counseled not to do that by every ransomware negotiating company we’ve dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”

In a video posted to YouTube on July 6, Kaseya CEO Fred Voccola said the ransomware attack had “limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.” “While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” Voccola said.

The zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD). In a July 4 blog post, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative,” and “asked the right questions.”

“Also, partial patches were shared with us to validate their effectiveness,” Gevers wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Still, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya told customers on July 7 that it was working “through the night” to push out an update. Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools. “We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote.
Admins of on-premises Sage X3 ERP deployments should check they're not exposing the enterprise resource planning suite to the public internet in case they fall victim to a new vulnerability.
Payment operators are planning to set up a countrywide negative database that can be used across payments platforms and will serve as a repository of all fraudsters, types of frauds and fraud heat map across India.
The Babuk ransomware gang appears to be back in action after a hiatus, having been found targeting and encrypting multiple corporate networks. This indicates that businesses still face a serious threat from the gang and must keep their defenses up.
Acquired for an undisclosed sum, Capsule8 will see its Linux-focused cybersecurity technology integrated into Sophos's Adaptive Cybersecurity Ecosystem.
Researchers are urging everyone to patch multiple critical and high-severity vulnerabilities found in Windows Print Spooler, QNAP devices, and other systems.
Cybersecurity researchers on Thursday took the wraps off a new, ongoing espionage campaign targeting corporate networks in Spanish-speaking countries, specifically Venezuela, to spy on its victims.
The research wing of New Delhi-based think tank CyberPeace Foundation, along with Autobot Infosec Pvt Ltd, studied two such incidents on the name of SBI that were faced by some smartphone users.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide "assistance" to entities in response to significant cyberattacks on Australian systems.
As per a 1Password survey, 64% of participants admitted that they reused corporate secrets between projects, while 36% are willing to share secrets over insecure channels for better speed and productivity.
Even as Microsoft expanded patches for the so-called PrintNightmare vulnerability, the fix for the remote code execution exploit in the Windows Print Spooler service can still be bypassed.
Anne Neuberger, the deputy National Security Advisor for Cyber and Emerging Technology, spoke to a bipartisan group of mayors virtually during a US Conference of Mayors event this week.
One tactic that some Magecart actors employ is dumping swiped credit card details into image files on the server, which can later be downloaded with a GET request, to avoid raising suspicion.
The most targeted industries are financial services and ecommerce: consumers report that, of all the scam messages they receive, 59% impersonate their bank and 36% impersonate a retailer, Callsign reported.
NanoLock Security has secured an $11 million Series B round from new investors OurCrowd, HIVE2040 (by Avnon Group), and Atlantica Group as well as current investors AWZ Ventures.
The most severe vulnerabilities affect the System component and could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
Researchers from Cisco Talos recently discovered multiple vulnerabilities in IOBit Advanced SystemCare Ultimate. These vulnerabilities all exist in a monitoring driver in the software.
As the U.S. looks at its vulnerable industries, the responsibility is falling on businesses to ensure that they are keeping the organization and employees safe and secure.
The office in charge of the U.S. military’s 3D printing left designs for defense technology vulnerable to theft by hackers and adversaries, according to a DODIG report made public on Wednesday.
The REvil gang used a level of planning and sophistication closer to high-level, government-backed hackers, rather than a mere criminal operation, several cybersecurity experts say.
The Dutch Institute for Vulnerability Disclosure (DIVD) said in blog posts this week that it had discovered seven vulnerabilities in Kaseya's system in April and confidentially informed the company.
Phishing scammers posing as customers are contacting live-chat support agents with phony issues or problems and tricking them into opening up malicious documents, according to security experts.
Morgan Stanley has reported a data breach after attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of a third-party vendor.
Consumers around the world fear that businesses are now compromising online security in their efforts to deliver seamless digital experiences, according to research by Trulioo.
Four of the flaws have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, spotlighting the critical need to urgently apply the provided patch or workarounds.
Gentoo Linux Security Advisory 202107-19 - An inefficient regular expression could be exploited to cause a Denial of Service condition. Versions less than 2.11.3 are affected.
Gentoo Linux Security Advisory 202107-18 - A buffer overflow in BladeEnc might allow arbitrary code execution. Versions less than 0.94.2-r1 are affected.
Gentoo Linux Security Advisory 202107-17 - A file named by an attacker being utilized by Mechanize could result in arbitrary code execution. Versions less than 2.7.7 are affected.
Gentoo Linux Security Advisory 202107-16 - Multiple vulnerabilities have been found in Privoxy, the worst of which could result in Denial of Service. Versions less than 3.0.32 are affected.
Gentoo Linux Security Advisory 202107-15 - A buffer overflow in blktrace might allow arbitrary code execution. Versions less than 1.2.0_p20210419122502 are affected.
Gentoo Linux Security Advisory 202107-14 - rclone uses weak random number generation such that generated passwords can be easily cracked. Versions less than 1.53.3 are affected.
Ubuntu Security Notice 5008-2 - USN-5008-1 fixed a vulnerability in avahi. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Thomas Kremer discovered that Avahi incorrectly handled termination signals on the Unix socket. A local attacker could possibly use this issue to cause Avahi to hang, resulting in a denial of service. Various other issues were also addressed.
Even as Microsoft expanded patches for the so-called PrintNightmare vulnerability to Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code.
Humans are an organization's strongest defence against evolving cyber threats, but security awareness training alone often isn't enough to transform user behaviour. In this guide, usecure looks at why Human Risk Management (HRM) is the new fix for building a security-savvy workforce. Don't be fooled... Businesses are investing more than ever into strengthening their employee security awareness
This week, PrintNightmare - Microsoft's Print Spooler vulnerability (CVE-2021-34527) was upgraded from a 'Low' criticality to a 'Critical' criticality. This is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers. As we reported earlier, Microsoft already released a patch in June 2021, but it wasn't enough to stop
A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signaling a "boost in their development operations." Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file
Four security vulnerabilities have been uncovered in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together as part of an attack sequence to enable adversaries to execute malicious commands and take control of vulnerable systems. These issues were discovered by researchers from Rapid7, who notified Sage Group of their findings on Feb. 3, 2021. The vendor
Cybersecurity researchers on Thursday took the wraps off a new, ongoing espionage campaign targeting corporate networks in Spanish-speaking countries, specifically Venezuela, to spy on its victims. Dubbed "Bandidos" by ESET owing to the use of an upgraded variant of Bandook malware, the primary targets of the threat actor are corporate networks in the South American country spanning across
A ransomware gang has exploited a security hole in software used by many businesses, and is demanding $70 million for a decryption tool. Plus we take a close look at TikTok, and a website which seems to have entirely ripped off Twitter. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist and author Chris Stokel-Walker.
Security researchers report that a notorious North Korean hacking group has been targeting engineers working in the defence industry. Read more in my article on the Tripwire State of Security blog.
Cybersecurity analysts are charting both a rise in ransomware incidents and in the amounts cybercriminals are demanding from businesses to restore their data. That’s bad news in itself, but what’s often overlooked are the additional ways – beyond payments victims may or may not choose to make – victims pay for these attacks. Our latest threat report found the average ransomware payment peaked in September 2020 at more than $230 thousand. But the ransom alone doesn’t tell the whole story. To do that, we conducted another study to tally and quantify the collateral damage from surging ransomware incidents and rising extortion amounts. These are some of the effects inflating the price tag of an attack, which we call The Hidden Costs of Ransomware.

1. Lost productivity

Our survey data found that hours of lost productivity from a ransomware incident were closely related to the length of time to discovery of the attack. Generally, faster detection meant limiting the spread of the infection and less time spent on remediation. In other words, the further ransomware spreads, the longer it takes to eradicate. Unfortunately, almost half (49%) of respondents to our survey reported being unaware of the infection for more than 24 hours. A third of incidents were reportedly remediated in 1-3 hours, while 17 percent required 3-5 days of effort. We attempted to quantify these lost hours based on hours spent on remediation (easily measurable) and the opportunity costs from diverting resources from IT teams’ “blue sky” responsibilities (tougher to measure). Factoring in varying costs of IT resources, we determined low/high cost estimates for the hours of remediation reported by survey respondents. These ran from $300/$750 for three hours of remediation to $4,000/$10,000 for five workdays of remediation. (A full breakdown is available in the report.)

2. Downtime costs

Regardless of whether an organization decides to pay a ransom, how long does it take to return to normal operations? In our study, businesses that didn’t pay ransoms recovered their data quicker than those that did. Specifically, 70 percent of companies that didn’t pay a ransom were able to recover their data within a business day, compared to 46 percent that did. Presumably this has to do with whether a target had readily available backups, and with time lost to back and forth with extortionists or spent making a payment. One of the most important factors in determining downtime costs is specifying the value of the data that’s become unavailable. Is it critical to conducting business operations? Or is it nice to have but not essential, like marketing or prospecting data? Determining data’s value helps businesses formulate their recovery time objectives (RTOs). For non-critical data and applications, a 24-hour recovery time may fall within the RTO. For mission-critical data, a 24-hour recovery may exceed the tolerable limit and help drive the cost of downtime higher than the ransom itself.

3. Impact on client operations

Nearly half (46%) of the businesses in our survey reported client operations being adversely affected by a ransomware incident at their own company. This could quickly sever business relationships that take a long time to build and result in the loss of anticipated revenue. But that may not even be the riskiest aspect of client operations being affected. The implications of supply chain attacks, especially for MSPs, came into sharper focus last year following the SolarWinds attack. Were a cybercriminal to compromise a trusted supplier to distribute ransomware, rather than for surveillance as in that attack, the costs could be enormous. MSPs should seriously consider the possibility of becoming the source of such a supply chain attack, especially those with clients in critical industries like energy, public utilities, defense and healthcare.

4. Brand and reputational damage

Consider the headlines and airtime generated by ransomware attacks against high-profile targets. A Google search of “Garmin ransomware,” for instance, returns more than 1 million results. While your organization may not be a global tech giant, it also likely doesn’t have the staying power of one. In our study, 38 percent of businesses admitted their brand was harmed by a run-in with ransomware. Beyond lost customers, publicity issues could force businesses to enlist the services of expensive PR or communications firms to repair the damage. Businesses with the resources to do so should consider themselves lucky, because the alternative is worse. Silence or an uncoordinated response to a ransomware attack – especially one that affects customers – can come off as unserious, callous or ineffective. Reputational damage in an age of heightened sensitivity to cybersecurity incidents can have significant consequences. Our data shows that 61 percent of consumers switched some or all of their business to a competing brand in the last year, and 77 percent admit they retract their loyalty quicker now than they once did.

The list goes on…

By no means is this an exhaustive list of the hidden costs of ransomware. They extend to fines for breaches of compliance regulation, the rising costs of cybersecurity insurance and a host of other unforeseen consequences. For the complete findings from our survey and our recommendations for avoiding these hidden costs, download the full report.

The post 4 ways ransomware can cost your business (in addition to extortion) appeared first on Webroot Blog.