University of Cambridge experts described a vulnerability they say affects most modern compilers. A novel attack method uses a legitimate feature of development tools whereby the source code displays one thing but compiles something completely different. It happens through the magic of Unicode control characters.

Unicode directionality formatting characters relevant to reordering attacks.

Most of the time, control characters do not appear on the screen with the rest of the code (although some editors display them), but they modify the text in some way. This table contains the codes for the Unicode Bidirectional (bidi) Algorithm, for example. As you probably know, some human languages are written from left to right (e.g., English), others from right to left (e.g., Arabic). When code contains only one language, there’s no problem, but when necessary — when, for example, one line contains words in English and in Arabic — bidi codes specify text direction.

In the authors’ work, they used such codes to, for example, move the comment terminator in Python code from the middle of a line to the end. They applied an RLI code to shift just a few characters, leaving the rest unaffected.

Example of vulnerable Python code using bidi codes.

On the right is the version programmers see when checking the source code; the left shows how the code will be executed. Most compilers ignore control characters. Anyone checking the code will think the fifth line is a harmless comment, although in fact, an early-return statement hidden inside will cause the program to skip the operation that debits bank account funds. In this example, in other words, the simulated banking program will dispense money but not reduce the account balance.

Why is it dangerous?

At first glance, the vulnerability seems too simple. Who would insert invisible characters, hoping to deceive source code auditors? Nevertheless, the problem was deemed serious enough to warrant a vulnerability identifier (CVE-2021-42574). Before publishing the paper, the authors notified the developers of the most common compilers, giving them time to prepare patches. The report outlines the basic attack capabilities. The two execution strategies are to hide a command within the comments, and to hide something in a line that, for example, is displayed on-screen. It is possible, in theory, to achieve the opposite effect: to create code that looks like a command but is in fact part of a comment and will not be run. Even more creative methods of exploiting this weakness are bound to exist. For example, someone could use the trick to carry out a sophisticated supply-chain attack whereby a contractor supplies a company with code that looks correct but doesn’t work as intended. Then, after the final product is released, an outside party can use the “alternative functionality” to attack customers.

How dangerous is it, really?

Shortly after the paper was published, programmer Russ Cox critiqued the Trojan Source attack. He was, to put it mildly, unimpressed. His arguments are as follows:
- It is not a new attack at all;
- Many code editors use syntax highlighting to show “invisible” code;
- Patches for compilers are not necessary — carefully checking the code to detect any accidental or malicious bugs is sufficient.

Indeed, the problem with Unicode control characters surfaced, for example, way back in 2017. Also, a similar problem with homoglyphs — characters that look the same but have different codes — is hardly new and can also serve to sneak extraneous code past manual checkers. However, Cox’s critical analysis does not deny the existence of the problem, but rather condemns reports as overdramatic — an apt characterization of, for example, journalist Brian Krebs’ apocalyptic ‘Trojan Source’ Bug Threatens the Security of All Code. The problem is real, but fortunately the solution is quite simple. All patches already out or expected soon will block the compilation of code containing such characters. (See, for example, this security advisory from the developers of the Rust compiler.) If you use your own software build tools, we recommend adding a similar check for hidden characters, which should not normally be present in source code.

The danger of supply-chain attacks

Many companies outsource development tasks to contractors or use ready-made open-source modules in their projects. That always opens the door to attacks through the supply chain. Cybercriminals can compromise a contractor or embed code in an open-source project and slip malicious code into the final version of the software. Code audits typically reveal such backdoors, but if they don’t, end users may get software from trusted sources but still lose their data. Trojan Source is an example of a far more elegant attack. Instead of trying to smuggle megabytes of malicious code into an end product, attackers can use such an approach to introduce a hard-to-detect implant into a critical part of the software and exploit it for years to come.

How to stay safe

To guard against Trojan Source–type attacks:
- Update all programming language compilers you use (if a patch has been released for them), and
- Write your own scripts that detect a limited range of control characters in source code.

More broadly, the fight against potential supply-chain attacks requires both manual code audits and a range of automated tests. It never hurts to look at your own code from a cybercriminal perspective, trying to spot that simple error that could rupture the whole security mechanism. If you lack the in-house resources for that kind of analysis, consider engaging outside experts instead.
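The "write your own scripts" advice above, as an added example that is not code from the page or from the Trojan Source authors: a build-hook style scanner that flags the Unicode bidi control characters (LRE/RLE/PDF/LRO/RLO, LRI/RLI/FSI/PDI and the LRM/RLM marks) and prints each offending line with the controls made visible, so a reviewer sees what the compiler sees. The sample source it scans is constructed for the demonstration.

```python
"""Detect Unicode bidi control characters in source text.

Added example for the "write your own scripts" advice; not code from the
page or from the Trojan Source authors. The character set is the Unicode
bidi formatting set; the SAMPLE source below is constructed.
"""
import sys
from dataclasses import dataclass

# Short names for the bidi controls. Compilers ignore these code points,
# while bidi-aware editors reorder the displayed text around them.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number
    column: int      # 1-based column, counted in code points
    name: str        # short control name, e.g. "RLI"
    codepoint: str   # e.g. "U+2067"


def find_bidi_controls(text: str) -> list[Finding]:
    """Return every bidi control in `text`, in source order."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is not None:
                found.append(Finding(lineno, col, name, f"U+{ord(ch):04X}"))
    return found


def make_visible(line: str) -> str:
    """Replace each bidi control with a printable <NAME> marker."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c
                   for c in line)


def report(text: str) -> list[str]:
    """One human-readable message per finding; empty list means clean."""
    lines = text.splitlines()
    return [
        f"line {f.line} col {f.column}: {f.name} ({f.codepoint}) in: "
        f"{make_visible(lines[f.line - 1])}"
        for f in find_bidi_controls(text)
    ]


# Constructed sample: a comment carrying an RLI and a PDI. The interpreter
# ignores both; an editor applying the bidi algorithm would display the
# text between them reordered, which is the reviewer-deceiving effect.
SAMPLE = (
    "def withdraw(balance, amount):\n"
    "    # verify amount \u2067 check \u2069\n"
    "    return balance - amount\n"
)

if __name__ == "__main__":
    # Build-hook usage: python bidi_check.py a.py b.c ... (no args: scan SAMPLE)
    problems = []
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                problems += [f"{path}: {m}" for m in report(fh.read())]
    else:
        problems = report(SAMPLE)
    print("\n".join(problems) or "no bidi controls found")
    sys.exit(1 if problems else 0)
```

A non-zero exit status lets a CI job fail the build on any hit, mirroring what the patched compilers now do.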
In August, KrebsOnSecurity warned that scammers were contacting people and asking them to unleash ransomware inside their employer’s network, in exchange for a percentage of any ransom amount paid by the victim company. This week, authorities in Nigeria arrested a suspect in connection with the scheme — a young man who said he was trying to save up money to help fund a new social network.

Image: Abnormal Security.

The brazen approach targeting disgruntled employees was first spotted by threat intelligence firm Abnormal Security, which described what happened after they adopted a fake persona and responded to the proposal in the screenshot above. “According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Abnormal’s Crane Hassold wrote. Abnormal Security documented how it tied the email back to a Nigerian man who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram. In June 2021, the Nigerian government officially placed an indefinite ban on Twitter, restricting it from operating in Nigeria after the social media platform deleted tweets by the Nigerian president.

Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report. “Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.” After he deleted his LinkedIn profile, I received the following message through the “contact this domain holder” link at KrebsOnSecurity’s domain registrar [curiously, the date of that missive reads “Dec. 31, 1969.”].

Apparently, Mr. Krebson is a clout-chasing monger.

A love letter from the founder of the ill-fated Sociogram.

Mr. Krebson also heard from an investigator representing the Nigeria Finance CERT on behalf of the Central Bank Of Nigeria. While the Sociogram founder’s approach might seem amateurish to some, the financial community in Nigeria did not consider it a laughing matter. On Friday, police in Lagos arrested Medayedupin.
The investigator says formal charges will be levied against the defendant sometime this week. KrebsOnSecurity spoke with a fraud investigator who is performing the forensic analysis of the devices seized from Medayedupin’s home. The investigator spoke on condition of anonymity out of concern for his physical safety. The investigator — we’ll call him “George” — said the 23-year-old Medayedupin lives with his extended family in an extremely impoverished home, and that the young man told investigators he’d just graduated from college but turned to cybercrime at first with ambitions of merely scamming the scammers. George’s team confirmed that Medayedupin had around USD $2,000 to his name, which he’d recently stolen from a group of Nigerian fraudsters who were scamming people for gift cards. Apparently, he admitted to creating a phishing website that tricked a member of this group into providing access to the money they’d made from their scams. Medayedupin reportedly told investigators that for almost a week after he started emailing his ransom-your-employer scheme, nobody took him up on the offer. But after his name appeared in the news media, he received thousands of inquiries from people interested in his idea. George described Medayedupin as smart, a quick learner, and fairly dedicated to his work. “He seems like he could be a fantastic [employee] for a company,” George said. “But there is no employment here, so he chose to do this.” What’s interesting about this case — and indeed likely why anyone thought this guy worthy of arrest — is that the Nigerian authorities were fairly swift to take action when a domestic cybercriminal raised the specter of causing financial losses for its own banks. After all, the majority of the cybercrime that originates from Africa — think romance scams, BEC fraud, and unemployment/pandemic loan fraud — does not target Nigerian citizens, nor does it harm African banks. 
On the contrary: This activity pumps a great deal of Western money into Nigeria. How much money are we talking about? The financial losses from these scams dwarf other fraud categories — such as identity theft or credit card fraud. According to the FBI’s Internet Crime Complaint Center (IC3), consumers and businesses reported more than $4.2 billion in losses tied to cybercrime in 2020, and BEC fraud and romance scams alone accounted for nearly 60 percent of those losses. Source: FBI/IC3 2020 Internet Crime Report. If the influx of a few billion US dollars into the Nigerian economy each year from cybercrime seems somehow insignificant, consider that (according to George) the average police officer in the country makes the equivalent of less than USD $100 a month. Ronnie Tokazowski is a threat researcher at Agari, a security firm that has closely tracked many of the groups behind BEC scams. Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria. Nigeria has the world’s second-highest unemployment rate — rising from 27.1 percent in 2019 to 33 percent in 2020, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to 2020 findings from Transparency International. “Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said, in a June 2021 interview. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”
The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE.
The return of Emotet correlates with two long-term developments in the ransomware ecosystem; unfulfilled loader commodity demand and decline of the RaaS model, and return of syndicates such as Conti.
The expanded partnership now features a smart solution that enables customers to leverage Flashpoint’s intelligence data within Cyware’s Security Orchestration Layer (CSOL).
The Conti ransomware group has suffered an embarrassing data breach after a security firm was able to identify the real IP address of one of its most sensitive servers and then gain console access to the affected system for more than a month.
While the pandemic forced many small and medium-sized businesses (SMBs) to scale back their operations, cyberattacks actually increased throughout 2020 and 2021 for SMBs.
According to the alert issued by the SEC’s Office of Investor Education and Advocacy (OIEA), cybercriminals are contacting investors via phone calls, voicemails, emails, and letters.
There’s a “shockingly high” disconnect between awareness of best practices following a data breach and actions taken, according to a new study from the Identity Theft Resource Center (ITRC).
Cybercriminals cash out by draining the bank accounts of victims via Zelle, a P2P payment service used by many financial institutions that allows customers to quickly send cash to friends and family.
Critical financial and personal information of 180 million Punjab National Bank (PNB) customers was at risk for around seven months due to a vulnerability in PNB's servers, said cybersecurity firm CyberX9.
The funding round was led by NextLeap Ventures and Bloc Ventures, with the participation from Atlas Ventures, Akamai Technologies, Springtide Ventures, DIVEdigital, and Janvest Capital Partners.
The new visibility challenge, with many core business processes dependent on APIs, requires that companies know which APIs they expose externally and internally and how those APIs should behave.
Security researchers have checked the web's public key infrastructure and have measured a long-known but little-analyzed security threat: hidden root Certificate Authorities.
New findings from a Bugcrowd report indicate a startling shift in the threat landscape with 8 out of 10 ethical hackers recently having identified a vulnerability they had never seen before.
Scammers are setting up fake online shops that impersonate legitimate ones. The perpetrators make sure these stores are easy to find for shoppers searching for the original ones.
Sophos found that fake corporate complaints are surging and using targeted attacks to deploy malware. The emails come in the form of complaints from your boss or colleagues and use fear-inducing verbiage.
Over 4,000 online retailers have been warned that their websites had been hacked by cybercriminals trying to steal payment information and other personal information from customers.
Mahan Air is Iran's main private airline and the second biggest after the national carrier Iran Air. It has been on the blacklist of Iranian companies targeted by US sanctions since 2011.
Farmington, Utah-based radiology medical center Utah Imaging Associates has started informing former and current patients that their information might have been compromised in a data breach.
OpenStego is a tool implemented in Java for generic steganography, with support for password-based encryption of the data. It supports plugins for various steganographic algorithms (currently, only Least Significant Bit algorithm is supported for images).
Hashcat is an advanced GPU hash cracking utility that includes the world's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. It also has the first and only GPGPU-based rule engine, focuses on highly iterated modern hashes, single dictionary-based attacks, and more. This is the source code release.
Hashcat is an advanced GPU hash cracking utility that includes the world's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. It also has the first and only GPGPU-based rule engine, focuses on highly iterated modern hashes, single dictionary-based attacks, and more. This is the binary release.
Ubuntu Security Notice 5153-1 - It was discovered that LibreOffice incorrectly handled digital signatures. An attacker could possibly use this issue to create a specially crafted document that would display a validly signed indicator, contrary to expectations.
A KVM guest using SEV-ES (Secure Encrypted Virtualization - Encrypted State) can trigger out-of-bounds reads and writes in the host kernel via a malicious VMGEXIT using the exit reason SVM_EXIT_IOIO.
OX App Suite and OX Documents suffer from cross site scripting, code injection, path traversal, and input validation vulnerabilities. Most of these issues affect 7.10.5 and below with one affecting 7.10.4 and below.
Whitepaper called PrintNightmare Vulnerability. This document illustrates the exploitation of the vulnerability found in the Windows spooler service. Originally thought to be a local privilege escalation vulnerability in the Windows Print Spooler, identified as CVE-2021-1675 and patched during Microsoft's June Patch. Microsoft increased the severity of this issue on June 21 as well as reclassifying it as a 'remote code execution' (RCE) threat. This RCE vulnerability has been assigned a new identifier, CVE-2021-34527.
Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer that's capable of stealing payment information from compromised websites. "The attacker started with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms," researchers from Sansec Threat Research said in an analysis. "After a day and a
Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems. The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a
Meta, the parent company of Facebook, Instagram, and WhatsApp, disclosed that it doesn't intend to roll out default end-to-end encryption (E2EE) across all its messaging services until 2023, pushing its original plans by at least a year. "We're taking our time to get this right and we don't plan to finish the global rollout of end-to-end encryption by default across all our messaging services
Joe Tidy, technology reporter at BBC News rather bravely did something that many other journalists would probably balk at doing. He decided he wanted to talk to Russian hackers face-to-face, on their home turf, and ask them their side of the story.
Vulnerability reigns supreme

On Oct. 26, we co-hosted a live virtual event, Blackpoint ReCON, with partner Blackpoint Cyber. The event brought together industry experts and IT professionals to discuss how security professionals can continue to navigate the modern threat landscape through a pragmatic MDR approach.
During the event, we learned how the increase in ransomware attacks underscores the value of a robust defense and recovery strategy. A recent string of notable attacks including Microsoft Exchange, Kaseya, JBS USA, SolarWinds and the Colonial Pipeline, have clearly demonstrated that businesses and critical infrastructure are under assault. The spike in sophistication and speed of attacks has even caught the attention of the White House. It issued an Executive Order in May 2021, calling on the private sector to address the continuously shifting threat landscape. For small to medium-sized businesses (SMBs) and managed service providers (MSPs), addressing these threats is made more difficult by resource-strapped teams at mid-sized organizations and budgetary constraints at small businesses.

Addressing ongoing SMB and MSP challenges

SMBs, unlike enterprise-level organizations, often suffer from a lack of adequate resources to effectively manage, detect and respond to ongoing security threats before they become full-blown attacks with dire consequences for continuity and productivity. “Small businesses remain a prime target for threat actors. With minimal margins and few resources, one cyberattack could put a SMB out of business in a matter of days,” says Tyler Moffitt, senior security analyst at Carbonite + Webroot, OpenText companies. For MSPs, their mid-market customers may not be at the scale or size of an enterprise to respond effectively to cyber threats. They may require additional resources to help boost defense infrastructure among customers. This leaves SMBs and MSP clients more vulnerable to attacks with the potential to cripple their business operations. SMBs and MSPs don’t have to approach the evolving threat landscape alone. Managed detection and response (MDR) offers a reliable defense and response approach to cyber threats.

What is MDR?

Managed detection and response is a proactive managed cyber security approach to managing threats and malicious activity that empowers organizations to become more cyber resilient. Carbonite + Webroot, OpenText companies, offers two new MDR options for customers looking for a threat detection and response system that meets their specific needs:
- Webroot MDR powered by Blackpoint is a turnkey solution developed by world-class security experts to provide 24/7/365 threat hunting, monitoring and remediation. Guided by a board of former national security leaders and an experienced MDR team, Webroot MDR constantly monitors, hunts and responds to threats.
- OpenText MDR is designed for SMBs with specific implementation and integration requirements determined by their business and IT environments. Backed by AI-powered threat detection, award-winning threat intelligence and a 99% detection rate, this MDR solution gives your business the ability to remain agile.

Having an MDR solution can:
- Reduce the impact of successful attacks
- Minimize disruption to business operations and continuity
- Boost the ability to become cyber resilient
- Achieve compliance with global regulations
- Bolster customer confidence

In our 2020 Webroot Threat Report, we found that phishing URLs increased by 640% last year. Similar attacks, business email compromise (BEC) for instance, are a major scam malicious actors use to lure unsuspecting end users. BEC attacks have cost organizations almost 1.8 billion in losses, according to FBI reports. MDR helps to reduce costs and secure an organization’s overall security program investment. In today’s ever-evolving threat landscape, no business can go without a proactive security program. As threat actors become increasingly more complex, their impact on SMBs and MSP customers becomes more severe.
To prepare, manage and recover from threats, SMBs and MSPs should consider joining forces with a trusted partner to help boost their customer’s overall protection and remain prepared to tackle whatever threats may impact business continuity. To learn more about how Webroot can empower your business and get your own MDR conversation started, get in touch with us here. The post Making the case for MDR: An ally in an unfriendly landscape appeared first on Webroot Blog.