Cyber security aggregate rss news

Cyber security aggregator - feeds history

New SolarWinds Zero- ...

Security

After being targeted by a massive supply chain attack in late 2020, SolarWinds issued new fixes to remedy a remote code execution vulnerability in the Serv-U managed file transfer service, according to The Hacker News. The updates address the Serv-U Managed File Transfer and Serv-U Secure FTP products and are being made available after Microsoft identified the vulnerability. It is not yet known who the threat actor behind the exploit is, nor how the attack was carried out, although the vulnerabilities were being used in the wild for some time. Successful exploitation of the weakness (CVE-2021-35211) can enable an attacker to remove, read or alter sensitive data, and install malicious programs on the afflicted system. Both SSH connections from IP addresses 98.176.196.89 and 68.235.178.32 and TCP connections on port 443 to IP address 208.113.35.58 are factors that...

New Phishing Attacks ...

Security

Writers and professors from the Middle East have been targeted by a phishing campaign, dubbed Operation SpoofedScholars, according to a new Proofpoint report. The attack employs a University of London website to steal data from targeted individuals, says Tech Republic. The School of Oriental and African Studies at the University of London has over 5,200 undergraduate and postgraduate students on campus, as well as almost 300 lecturers who specialize in the study of the Middle East, Africa, and Asia. After compromising the university radio station's website, a malicious group was able to develop a credential harvesting page masqueradi...

Guess Suffers Data B ...

Security

Following a ransomware attack in February, the popular fashion retailer Guess made customers aware of a data breach resulting from the cyberattack, according to Techtwiddle. On June 3, 2021, the fashion shop completed a comprehensive analysis of the documents stored on the hacked systems and was able to identify the addresses of all those affected. Beginning June 9, Guess began sending notification letters to affected customers, offering them free identity theft protection services and one year of free credit monitoring by Experian. Passport numbers, financial account numbers, driver's license numbers, and even Social Security numbers were stolen. According to the company, approximately 200GB of data was affected. This is not surp...

Cyberattacks Should ...

Security

The topic of cybersecurity has received considerable attention in the context of NATO and the G8 Summits in June. The trend over the past several weeks has been to treat cybercrime as a high priority national security concern under the Biden administration, according to NDR Daily. Law enforcement officials have announced that a more widespread reaction will be forthcoming following the Kaseya ransomware attack that impacted over a thousand companies across the globe last week. Shortly thereafter, the FBI initiated actions to recover the Bitcoin payments, including the successful recovery of a portion of the ransom paid by Colonial Pipeline. US authorities said they will treat ransomware attacks with simil...

How end-to-end encry ...

Privacy

Zoom’s presentation at RSA Conference 2021 focused on end-to-end encryption in Zoom Cloud Meetings. The company explained why its developers are focusing on the issue, how they plan to make calls more secure, and what other new, security-related features users can expect.

A little history

The pandemic forced many of us to switch to long-term remote work and communicate with colleagues and loved ones through teleconferencing software. Zoom’s high popularity aroused the interest of security experts and cybercriminals alike, whereupon many quickly learned that not all was well with the platform’s security. For example, the software was found to contain vulnerabilities that allowed attackers to spy on users through their cameras and microphones, and raids by online trolls even got their own name: Zoombombing. Zoom’s response was quick and far-reaching, but issues remained. A major gripe about Zoom was that the platform used point-to-point encryption (P2PE) instead of end-to-end encryption (E2EE).

E2EE vs P2PE

At first glance, the two systems may seem similar: both encrypt the data that users exchange. But with P2PE, the server can access users’ messages, whereas E2EE encrypts information on the sender’s device and decrypts it only on the recipient’s end. That server-side access is where the potential for trouble lies, as Zoom's developers highlighted at the conference: cybercriminals could breach the server, steal the encryption keys stored there, and join meetings in real invitees’ places or spoof their messages; and opportunistic employees of the cloud provider or Zoom itself could gain access to keys and steal users’ data. No one wants private conversations with family and friends, let alone secret business talks, made public. What’s more, if a hacker were to use stolen keys only for passive eavesdropping, that would be extremely difficult to detect.

E2EE solves those problems by storing decryption keys on users’ devices, and only there. That means hacking the server would not enable an intruder to eavesdrop on a video conference. Naturally, then, many have been longing for Zoom to switch to E2EE, already a de facto standard for messaging apps.

End-to-end encryption in Zoom: State of play

The developers listened to the criticism and took steps to improve platform security, including implementing E2EE. Zoom has used E2EE for audio and video calls as well as chat since the fall of 2020. When it is enabled, Zoom protects participants’ data with a so-called conference encryption key. The key is not stored on Zoom’s servers, so even the developers can’t decrypt the content of conversations. The platform stores only encrypted user IDs and some meeting metadata such as call duration.

To guard against outside connections, developers also introduced the Heartbeat feature, a signal that the meeting leader’s app automatically sends to other users. It contains, among other things, a list of attendees to whom the meeting leader sent the current encryption key. If someone not in the list joins the meeting, everyone immediately knows something is wrong. Another way to keep out uninvited participants is to lock the meeting (using the appropriately titled Lock Meeting feature) once all of the guests have gathered. You have to lock meetings manually, but once you have, no one else can join, even if they have the meeting ID and password.

Zoom also protects against man-in-the-middle attacks that rely on encryption key replacement. To make sure an outsider isn’t eavesdropping, the meeting leader can click a button at any time to generate a security code based on the current meeting encryption key. The code is likewise generated for the other meeting participants automatically. It remains for the leader to read this code aloud; if it matches everyone else’s, then everyone is using the same key and all is well. Finally, if the meeting leader leaves the meeting and someone else takes over, the app reports the handoff. If it seems suspicious to others on the call, they can pause any top-secret discussions to work everything out.

Of course, if you’re just having a Zoom party with friends, you probably have no need to use all of those security mechanisms. But if business (or other) secrets are on the virtual table, these protection tools can really come in handy, so participants of important meetings should be aware of them and know how to use them. Despite the innovations, Zoom developers admit they still have a lot to do. The RSA 2021 talk also shed light on Zoom’s development path.

What the future holds for Zoom

The developers identified a number of threats for which they have yet to implement effective countermeasures. One is outside infiltration of meetings by people posing as invited users. Another is that E2EE protection does not prevent attackers from learning some metadata, such as call duration, names of participants, and IP addresses. Nor can we exclude vulnerabilities in the program from the list of risks; in theory, cybercriminals could embed malicious code in Zoom. With these threats in mind, Zoom’s developers listed the following goals: prevent all but invited and approved participants from gaining access to events; prevent any participants removed from an event from reconnecting to it; prevent interference from anyone not admitted to the meeting; and let bona fide attendees report abuses to Zoom’s security team.

Road map

To achieve these goals, the developers created a four-stage road map. Stage one has already been implemented. As we said, they’ve changed the system for managing the conference encryption key so that it is stored only on users’ devices, as well as improved the means of protection against outsiders joining meetings.

At stage two, they plan to introduce user authentication that is not reliant on Zoom’s servers but will instead be based on single sign-on (SSO) technology involving independent identity providers (IDPs). As a result, a would-be intruder cannot fake a user’s identity, even by gaining control of the Zoom server. If someone joins an event pretending to be an invitee but with a new public key, others will be alerted to the potential threat.

Stage three will introduce the transparency tree concept, storing all identities in an authenticated, auditable data structure to ensure all users have a consistent view of any identity and detect impersonation attacks. Zoom’s intent is to strengthen the platform’s protection from man-in-the-middle attacks.

At the final, fourth stage, the developers plan to make checking an identity easier when a user connects from a new device. To link a new gadget, the user will need to confirm its legitimacy, for example by scanning a QR code on the screen of a trusted phone or computer. That will prevent an attacker from linking a device to someone else’s account.

Security without sacrifice

When implementing additional security mechanisms, it is important to consider how they will affect ordinary users. Zoom’s developers are considering this aspect as well. For example, one proposed innovation is the use of personal device clouds. Such technology will simplify the process of adding new gadgets to an account while helping secure it. For example, if you normally use a computer for Zoom calls but then download and sign in from your smartphone, the next time you open Zoom on your computer, you’ll see that a new gadget has signed in. If you approve it, both devices will be linked to a single cloud, and other meeting participants will know it is you and not an interloper. A device cloud also lets you check which gadgets are logged in to your account and revoke trusted status for any of them. On top of that, the developers plan to add an option to switch to E2EE mid-meeting and many other useful features.

Will Zoom become more secure?

The short answer is yes, Zoom’s security continues to improve. The company has already done a great deal to guard against outside interference, and it has even more protection tools in development. On a separate note, it is nice to see that Zoom is trying to blend security with ease of use. Of course, a lot depends on Zoom’s users. As with everything online, videoconferencing requires common sense and knowledge of the available protection mechanisms. It is important to heed warnings from the platform and refrain from confidential talks if something looks suspicious and you cannot rule out a data leak.
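The two checks described above, the security code derived from the meeting key that the leader reads aloud and the Heartbeat list of attendees who received the key, modeled as an added example; this is not Zoom's code, and the code derivation (SHA-256 over a labelled key, truncated to twelve digits), the set-based attendee check, and the participant names are assumed constructions for illustration only.

```python
import hashlib
import hmac
import secrets


def security_code(meeting_key: bytes, digits: int = 12) -> str:
    """Derive a short, human-readable code from the conference encryption key.

    Assumed construction, not Zoom's real derivation. Everyone holding the same
    key derives the same code; a client that was handed a different key (for
    example by an interposed server that swapped keys) derives a different one.
    """
    digest = hashlib.sha256(b"meeting-security-code:" + meeting_key).digest()
    code = str(int.from_bytes(digest[:8], "big") % 10**digits).zfill(digits)
    # group as 1234-5678-9012 so the leader can read it aloud
    return "-".join(code[i:i + 4] for i in range(0, digits, 4))


def codes_match(leader_code: str, participant_code: str) -> bool:
    """Compare the code the leader reads aloud with a participant's own code."""
    return hmac.compare_digest(leader_code, participant_code)


def heartbeat_check(key_holders: set[str], present: set[str]) -> set[str]:
    """Model of the Heartbeat attendee list: the leader's app announces who was
    sent the current key; anyone present who is not on that list is flagged."""
    return present - key_holders


def run_meeting() -> dict:
    # Constructed scenario: the leader generates the meeting key and sends it to
    # alice and bob. "eve" joins without ever being sent the key, and one client
    # was fed a different key by an interposed server (man-in-the-middle).
    meeting_key = secrets.token_bytes(32)
    leader_code = security_code(meeting_key)
    invitee_codes = {name: security_code(meeting_key) for name in ("alice", "bob")}
    swapped_key_code = security_code(secrets.token_bytes(32))
    return {
        "alice_ok": codes_match(leader_code, invitee_codes["alice"]),
        "bob_ok": codes_match(leader_code, invitee_codes["bob"]),
        "swapped_key_ok": codes_match(leader_code, swapped_key_code),
        "uninvited": heartbeat_check(
            {"leader", "alice", "bob"}, {"leader", "alice", "bob", "eve"}
        ),
    }


if __name__ == "__main__":
    print(run_meeting())
```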

Microsoft Patch Tues ...

Security Tools

Microsoft today released updates to patch at least 116 security holes in its Windows operating systems and related software. At least four of the vulnerabilities addressed today are under active attack, according to Microsoft. Thirteen of the security bugs quashed in this month’s release earned Microsoft’s most-dire “critical” rating, meaning they can be exploited by malware or miscreants to seize remote control over a vulnerable system without any help from users. Another 103 of the security holes patched this month were flagged as “important,” which Microsoft assigns to vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the critical bugs is of course the official fix for the PrintNightmare print spooler flaw in most versions of Windows (CVE-2021-34527) that prompted Microsoft to rush out a patch a week ago in response to exploit code for the flaw that got accidentally published online. That patch seems to have caused a number of problems for Windows users. Here’s hoping the updated fix resolves some of those issues for readers who’ve been holding out.

CVE-2021-34448 is a critical remote code execution vulnerability in the scripting engine built into every supported version of Windows — including server versions. Microsoft says this flaw is being exploited in the wild. Both CVE-2021-33771 and CVE-2021-31979 are elevation of privilege flaws in the Windows kernel. Both are seeing active exploitation, according to Microsoft.

Chad McNaughton, technical community manager at Automox, called attention to CVE-2021-34458, a remote code execution flaw in the deepest areas of the operating system. McNaughton said this vulnerability is likely to be exploited because it is a “low-complexity vulnerability requiring low privileges and no user interaction.”

Another concerning critical vulnerability in the July batch is CVE-2021-34494, a dangerous bug in the Windows DNS Server that earned a CVSS score (severity) of 9.8 out of a possible 10. “Both core and full installations are affected back to Windows Server 2008, including versions 2004 and 20H2,” said Aleks Haugom, also with Automox.

“DNS is used to translate IP addresses to more human-friendly names, so you don’t have to remember the jumble of numbers that represents your favorite social media site,” Haugom said. “In a Windows Domain environment, Windows DNS Server is critical to business operations and often installed on the domain controller. This vulnerability could be particularly dangerous if not patched promptly.”

Microsoft also patched six vulnerabilities in Exchange Server, an email product that has been under siege all year from attackers. Satnam Narang, staff research engineer at Tenable, noted that while Microsoft says two of the Exchange bugs tackled this month (CVE-2021-34473 and CVE-2021-34523) were addressed as part of its security updates from April 2021, both CVEs were somehow omitted from that April release. Translation: if you already applied the bevy of Exchange updates Microsoft made available in April, your Exchange systems have protection against these flaws.

Other products that got patches today include Microsoft Office, Bing, SharePoint Server, Internet Explorer, and Visual Studio. The SANS Internet Storm Center as always has a nice visual breakdown of all the patches by severity. Adobe also issued security updates today for Adobe Acrobat and Reader, as well as Dimension, Illustrator, Framemaker and Adobe Bridge. Chrome and Firefox also recently have shipped important security updates, so if you haven’t done so recently take a moment to save your tabs/work, completely close out and restart the browser, which should apply any pending updates.

The usual disclaimer: before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files. So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, check out AskWoody, which keeps a close eye out for specific patches that may be causing problems for users.

Malware and Vulnerabilities

ZLoader has reportedly devised an innovative way to bypass macro security warnings in Microsoft Office documents to execute malicious code. The dynamic creation of agents in the infection chain has the potential to give rise to further threats in the near future by leveraging other living-off-the-land tools.

Trends, Reports, Analysis

On Sunday, Kaseya released the long-awaited patch for its on-premises versions of VSA remote monitoring and management software. Some hackers had launched a malspam campaign to spread fake Kaseya VSA security updates to take advantage of the crisis.

Threat Actors

Lazarus APT has been spotted hitting job seekers in the U.S. and Europe with malicious emails. Hackers pose as defense contractors like Airbus, General Motors, and Rheinmetall to lure the targeted victims. Its gradual improvements in obfuscation techniques, as well as the ability to hide its tracks by deleting all footprints, indicate that this threat group is still making efforts to make its attacks more efficient.

Breaches and Incidents

TA453, an Iranian threat actor, impersonated British scholars to covertly target individuals of intelligence interest to the Iranian government in what Proofpoint has dubbed Operation SpoofedScholars.

Malware and Vulnerabilities

Trend Micro warned about a new Biopass malware striking online gambling firms in China, masquerading as legitimate installers for well-known apps. The pretense of legitimate installers makes it a simple yet deadly threat. Organizations need robust security mechanisms to stay protected from such advanced threats.

Feed

Red Hat Security Advisory 2021-2694-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.7, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.8 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a cross site scripting vulnerability.

Feed

This Metasploit module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. This vulnerability also affects the ForgeRock identity platform, which is built on top of OpenAM and thus is susceptible to the same issue.

Feed

Red Hat Security Advisory 2021-2692-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.7, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.8 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a cross site scripting vulnerability.

Feed

Global Socket is a tool for moving data from here to there, securely, fast, and through NAT and firewalls. It uses the Global Socket Relay Network to connect TCP pipes, has end-to-end encryption (using OpenSSL's SRP / RFC-5054), AES-256 and key exchange using 4096-bit Prime, requires no PKI, has Perfect Forward Secrecy, and TOR support.

Feed

Red Hat Security Advisory 2021-2693-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.7, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.8 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a cross site scripting vulnerability.

Feed

Red Hat Security Advisory 2021-2696-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.7, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.8 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a cross site scripting vulnerability.

Feed

Red Hat Security Advisory 2021-2689-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.8.2 serves as a replacement for Red Hat AMQ Broker 7.8.1, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service, information leakage, and resource exhaustion vulnerabilities.

Feed

Cybersecurity agencies in Australia and the U.S. are warning of an actively exploited vulnerability impacting ForgeRock's OpenAM access management solution that could be leveraged to execute arbitrary code on an affected system remotely. "The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools,"

Feed

SolarWinds, the Texas-based company that became the epicenter of a massive supply chain attack late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service. The fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the

Feed

A sophisticated social engineering attack undertaken by an Iranian-state aligned actor targeted think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies (SOAS). Enterprise security firm Proofpoint attributed the campaign — called "Operation SpoofedScholars" — to the

Feed

Cybersecurity researchers have opened the lid on the continued resurgence of the insidious TrickBot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement. "The new capabilities discovered are used to monitor and gather intelligence on victims, using

Feed

Cybersecurity researchers have disclosed new security vulnerabilities in the Etherpad text editor (version 1.8.13) that could potentially enable attackers to hijack administrator accounts, execute system commands, and even steal sensitive documents. The two flaws — tracked as CVE-2021-34816 and CVE-2021-34817 — were discovered and reported on June 4 by researchers from SonarSource, following

Aggregator history: Tuesday, July 13, 2021