A malicious Internet Information Services (IIS) module is turning Outlook on the web into a tool for stealing credentials and a remote access panel. Unknown actors have used the module, which our researchers call OWOWA, in targeted attacks.

Why Outlook on the web attracts attackers

Outlook on the web (previously known as Exchange Web Connect, Outlook Web Access, and Outlook Web App, or simply OWA) is a Web-based interface for accessing Microsoft's Personal Information Manager service. The app is deployed on Web servers running IIS. Many companies use it to provide employees with remote access to corporate mailboxes and calendars without having to install a dedicated client. There are several methods of implementing Outlook on the web, one of which involves using Exchange Server on site, and that is the deployment cybercriminals are drawn to. In theory, gaining control of this app gives them access to all corporate correspondence, along with endless opportunities to expand their attack on the infrastructure and launch additional BEC campaigns.

How OWOWA works

OWOWA loads on compromised IIS Web servers as a module for all compatible apps, but its purpose is to intercept credentials entered into OWA. The malware checks requests and responses on the Outlook on the web login page, and if it sees that a user has entered credentials and received an authentication token in response, it writes the username and password to a file (in encrypted form). In addition, OWOWA allows attackers to control its functionality directly through the same authentication form. By entering certain commands into the username and password fields, an attacker can retrieve the harvested information, delete the log file, or execute arbitrary commands on the compromised server through PowerShell. For a more detailed technical description of the module with indicators of compromise, see Securelist's post.

Who are the victims of OWOWA attacks?

Our experts detected OWOWA-based attacks on servers in several Asian countries: Malaysia, Mongolia, Indonesia, and the Philippines. However, our experts have reason to believe the cybercriminals are also interested in organizations in Europe. The majority of targets were government agencies, with at least one being a transport company (also state-owned).

How to guard against OWOWA

You can use the appcmd.exe command — or the regular IIS configuration tool — to detect the malicious OWOWA module (or any other third-party IIS module) on the IIS Web server. Keep in mind, however, that any Internet-facing server, like any computer, needs protection.
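The check the section above points to (enumerating third-party IIS modules) can also be done offline against a copy of applicationHost.config or a site's web.config, which is useful when triaging a suspect server during incident response. The following Python script is an added example, not Kaspersky's or Securelist's code. The configuration it parses is constructed, the module names in it (ExampleNative, ExampleThirdParty) are made up, and its trust heuristics are assumptions: that stock native IIS DLLs live under System32\inetsrv or the .NET Framework directory, and that stock managed modules sit in the System. or Microsoft. namespaces. On an Exchange server the legitimate Exchange-installed modules will also be reported, so the output is a review list to compare against a known-good server, not a verdict.

```python
"""Offline review of IIS module registrations in applicationHost.config / web.config."""
import sys
import xml.etree.ElementTree as ET

# Assumption: stock native IIS module DLLs live under these directories.
TRUSTED_NATIVE_DIRS = ("\\system32\\inetsrv\\", "\\microsoft.net\\framework")
# Assumption: stock managed modules are in Microsoft's namespaces.
TRUSTED_MANAGED_PREFIXES = ("System.", "Microsoft.")

# Constructed sample; the ExampleNative/ExampleThirdParty entries are made up.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="ExampleNative" image="C:\ProgramData\Example\example.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
        <add name="ExampleThirdParty" type="ExampleThirdParty.HttpModule, ExampleThirdParty, Version=1.0.0.0" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def _normalize_path(image):
    """Lower-case, unify slashes and drop the Windows-directory variables."""
    p = image.lower().replace("/", "\\")
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, "")
    return p


def iter_modules(xml_text):
    """Yield (scope, name, kind, ref) for each module registration.

    scope: 'server' or the path of the <location> holding the entry.
    kind:  'native'  (from <globalModules>, ref = DLL image path) or
           'managed' (from <modules> entries with a type=, ref = .NET type).
    """
    root = ET.fromstring(xml_text)
    scopes = [("server", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        ws = node.find("system.webServer")
        if ws is None:
            continue
        for add in ws.findall("globalModules/add"):
            yield scope, add.get("name"), "native", add.get("image", "")
        for add in ws.findall("modules/add"):
            if add.get("type"):  # no type => just enables a native module by name
                yield scope, add.get("name"), "managed", add.get("type")


def find_suspicious(xml_text):
    """Return registrations that fall outside the assumed trusted baseline."""
    findings = []
    for scope, name, kind, ref in iter_modules(xml_text):
        if kind == "native":
            trusted = any(d in _normalize_path(ref) for d in TRUSTED_NATIVE_DIRS)
        else:
            type_name = ref.split(",")[0].strip()  # 'Ns.Type, Assembly, Version=...'
            trusted = type_name.startswith(TRUSTED_MANAGED_PREFIXES)
        if not trusted:
            findings.append((scope, name, kind, ref))
    return findings


if __name__ == "__main__":
    # Pass a config file path to review it; with no argument the built-in sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    for scope, name, kind, ref in find_suspicious(text):
        print(f"REVIEW [{scope}] {kind} module {name!r}: {ref}")
```

Run against a config copied off the server, the script reports the native module outside the trusted directories and the managed module outside Microsoft's namespaces; everything it lists still needs a human to confirm the DLL or assembly is expected, signed and on disk where the entry says it is.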
The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.

Image: PWC’s timeline of the days leading up to the deployment of Conti ransomware on May 14.

Ireland’s Health Service Executive (HSE), which operates the country’s public health system, got hit with Conti ransomware on May 14, 2021. A timeline in the report (above) says the initial infection of the “patient zero” workstation happened on Mar. 18, 2021, when an employee on a Windows computer opened a booby-trapped Microsoft Excel document in a phishing email that had been sent two days earlier.

Less than a week later, the attacker had established a reliable backdoor connection to the employee’s infected workstation. After infecting the system, “the attacker continued to operate in the environment over an eight week period until the detonation of the Conti ransomware on May 14, 2021,” the report states.

According to PWC’s report (PDF), there were multiple warnings about a serious network intrusion, but those red flags were either misidentified or not acted on quickly enough:

On Mar. 31, 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups — Cobalt Strike and Mimikatz — on the Patient Zero Workstation. But the antivirus software was set to monitor mode, so it did not block the malicious commands.”

On May 7, the attacker compromised the HSE’s servers for the first time, and over the next five days the intruder would compromise six HSE hospitals. On May 10, one of the hospitals detected malicious activity on its Microsoft Windows Domain Controller, a critical “keys to the kingdom” component of any Windows enterprise network that manages user authentication and network access.

On 10 May 2021, security auditors first identified evidence of the attacker compromising systems within Hospital C and Hospital L. Hospital C’s antivirus software detected Cobalt Strike on two systems but failed to quarantine the malicious files.

On May 13, the HSE’s antivirus security provider emailed the HSE’s security operations team, highlighting unhandled threat events dating back to May 7 on at least 16 systems. The HSE Security Operations team requested that the Server team restart servers. By then it was too late.

At just after midnight Ireland time on May 14, the attacker executed the Conti ransomware within the HSE. The attack disrupted services at several Irish hospitals and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. The number of appointments in some areas dropped by up to 80 percent.”

Conti initially demanded USD $20 million worth of virtual currency in exchange for a digital key to unlock HSE servers compromised by the group. But perhaps in response to the public outcry over the HSE disruption, Conti reversed course and gave the HSE the decryption keys without requiring payment.

Still, the work to restore infected systems would take months. The HSE ultimately enlisted members of the Irish military to bring in laptops and PCs to help restore computer systems by hand. It wasn’t until September 21, 2021 that the HSE declared 100 percent of its servers were decrypted.

As bad as the HSE ransomware attack was, the PWC report emphasizes that it could have been far worse. For example, it is unclear how much data would have been unrecoverable if a decryption key had not become available, as the HSE’s backup infrastructure was only periodically backed up to offline tape.

The attack also could have been worse, the report found: if there had been intent by the Attacker to target specific devices within the HSE environment (e.g. medical devices); if the ransomware took actions to destroy data at scale; if the ransomware had auto-propagation and persistence capabilities, for example by using an exploit to propagate across domains and trust-boundaries to medical devices (e.g. the EternalBlue exploit used by the WannaCry and NotPetya attacks); if cloud systems had also been encrypted, such as the COVID-19 vaccination system.

The PWC report contains numerous recommendations, most of which center around hiring new personnel to lead the organization’s redoubled security efforts. But it is clear that the HSE has an enormous amount of work ahead to grow in security maturity. For example, the report notes the HSE’s hospital network had over 30,000 Windows 7 workstations that were deemed end of life by the vendor.

“The HSE assessed its cybersecurity maturity rating as low,” PWC wrote. “For example, they do not have a CISO or a Security Operations Center established.”

PWC also estimates that efforts to build up the HSE’s cybersecurity program to the point where it can rapidly detect and respond to intrusions are likely to cost “a multiple of the HSE’s current capital and operation expenditure in these areas over several years.”

Image: One idea of a “security maturity” model.

In June 2021, the HSE’s director general said the recovery costs for the May ransomware attack were likely to exceed USD $600 million.

What’s remarkable about this incident is that the HSE is publicly funded by the Irish government, and so in theory it has the money to spend (or raise) to pay for all these ambitious recommendations for increasing their security maturity. That stands in stark contrast to the healthcare system here in the United States, where the single biggest impediment to doing security well continues to be the failure to make it a real budget priority. Also, most healthcare organizations in the United States are private companies that operate on razor-thin profit margins.
I know this because in 2018 I was asked to give the keynote at an annual gathering of the Healthcare Information Sharing and Analysis Group (H-ISAC), an industry group centered on sharing information about cybersecurity threats. I almost didn’t accept the invitation: I’d written very little about healthcare security, which seemed to be dominated by coverage of whether healthcare organizations complied with the letter of the law in the United States. That compliance centered on the Health Insurance Portability and Accountability Act (HIPAA), which prioritizes protecting the integrity and privacy of patient data.

To get up to speed, I interviewed over a dozen of the healthcare security industry’s best and brightest minds. A common refrain I heard from those interviewed was that if it was security-related but didn’t have to do with compliance, there probably wasn’t much chance it would get any budget. Those sources unanimously said that however well-intentioned, it’s not clear that the “protect the data” regulatory approach of HIPAA was working from an overall threat perspective. According to HealthcareIT News, more than 40 million patient records have been compromised in incidents reported to the federal government in 2021 so far alone.

During my 2018 talk, I tried to emphasize the primary importance of being able to respond quickly to intrusions. Here’s a snippet of what I told that H-ISAC audience:

“The term ‘Security Maturity’ refers to the street smarts of an individual or organization, and this maturity generally comes from making plenty of mistakes, getting hacked a lot, and hopefully learning from each incident, measuring response times, and improving. Let me say up front that all organizations get hacked. Even ones that are doing everything right from a security perspective get hacked probably every day if they’re big enough. By hacked I mean someone within the organization falls for a phishing scam, or clicks a malicious link and downloads malware. Because let’s face it, it only takes one screw up for the hackers to get a foothold in the network.

Now this in itself isn’t bad. Unless you don’t have the capability to detect it and respond quickly. And if you can’t do that, you run the serious risk of having a small incident metastasize into a much larger problem. Think of it like the medical concept of the ‘Golden Hour:’ That short window of time directly following a traumatic injury like a stroke or heart attack in which life-saving medicine and attention is likely to be most effective. The same concept holds true in cybersecurity, and it’s exactly why so many organizations these days are placing more of their resources into incident response, instead of just prevention.”

The United States’ somewhat decentralized healthcare system means that many ransomware outbreaks tend to be limited to regional or local healthcare facilities. But a well-placed ransomware attack or series of attacks could inflict serious damage on the sector: A December 2020 report from Deloitte says the top 10 health systems now control a 24 percent market share and their revenue grew at twice the rate of the rest of the market.

In October 2020, KrebsOnSecurity broke the story that the FBI and U.S. Department of Homeland Security had obtained chatter from a top ransomware group which warned of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Members associated with the Russian-speaking ransomware group known as Ryuk had discussed plans to deploy ransomware at more than 400 healthcare facilities in the United States.

Hours after that piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

In all likelihood, the HSE will get the money it needs to implement the programs recommended by PWC, however long that takes. I wonder how many U.S.-based healthcare organizations could say the same.
Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.

Log4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called “log4j,” which is included in a huge number of Java applications. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.

According to researchers at Lunasec, many, many services are vulnerable to this exploit. “Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable,” Lunasec wrote. “Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. An extensive list of responses from impacted organizations has been compiled here.”

“If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability,” said Dustin Childs of Trend Micro’s Zero Day Initiative. “Check with all the vendors in your enterprise to see if they are impacted and what patches are available.”

Part of the difficulty in patching against the Log4Shell attack is identifying all of the vulnerable web applications, said Johannes Ullrich, an incident handler and blogger for the SANS Internet Storm Center. “Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon,” Ullrich said. “Treat it as such.” SANS has a good walk-through of how simple yet powerful the exploit can be.

“Basically the perfect ending to cybersecurity in 2021 is a 90s style Java vulnerability in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly,” researcher Kevin Beaumont quipped on Twitter.
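Finding every copy of log4j-core on a host, including copies buried inside .war and .ear archives, is the identification problem Ullrich describes. The following Python script is an added example of that inventory step; it is not code from KrebsOnSecurity, SANS or the Log4j project. It opens each archive, checks for the JndiLookup class and for the Maven pom.properties that records the log4j-core version, and recurses into nested archives. The MIN_SAFE_VERSION threshold is an assumption that must be set from the vendor advisory current at scan time (the version considered fixed was revised several times in December 2021), and the archives produced by build_sample_archive are constructed stand-ins, not real log4j builds.

```python
"""Inventory a directory tree for log4j-core archives, including nested ones."""
import io
import os
import re
import sys
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Assumption: set this from the vendor advisory current when you scan.
MIN_SAFE_VERSION = (2, 16, 0)


def parse_version(pom_properties):
    """Extract (major, minor, patch) from a Maven pom.properties body, else None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(data, path, findings, min_safe=MIN_SAFE_VERSION, depth=0):
    """Record a finding if the archive bytes carry log4j-core; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt file or wrong extension)
    names = set(zf.namelist())
    jndi_present = JNDI_LOOKUP in names
    if jndi_present or POM_PROPS in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": jndi_present,
            # An unknown version with the class present is treated as vulnerable;
            # an old version whose JndiLookup.class was removed is not.
            "vulnerable": jndi_present and (version is None or version < min_safe),
        })
    if depth < 2:  # e.g. ear -> war -> jar
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), f"{path}!/{name}", findings, min_safe, depth + 1)


def scan_tree(root, min_safe=MIN_SAFE_VERSION):
    """Walk `root` and return findings for every archive found under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings, min_safe)
    return findings


def build_sample_archive(version=None, include_jndi=False, nested=None):
    """Construct a stand-in archive for demonstration (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


def demo_scan():
    """Write constructed archives to a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "old.jar": build_sample_archive("2.14.1", include_jndi=True),
        "patched-by-removal.jar": build_sample_archive("2.14.1", include_jndi=False),
        "app.war": build_sample_archive(nested=build_sample_archive("2.13.0", include_jndi=True)),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_tree(root)


if __name__ == "__main__":
    # Pass a directory to scan it; with no argument the constructed samples are scanned.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for r in results:
        flag = "VULNERABLE" if r["vulnerable"] else "ok"
        print(f"{flag:10} {r['path']}  version={r['version']}  JndiLookup={r['jndi_lookup_present']}")
```

The scan is file-based only; a log4j copy loaded from a directory of loose class files, or one bundled into a shaded jar that renamed the package, will not be found this way, which is one reason Ullrich's "marathon" comment holds.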
A half-dozen of the vulnerabilities addressed by Microsoft today earned its most dire “critical” rating, meaning malware or miscreants could exploit the flaws to gain complete, remote control over a vulnerable Windows system with little or no help from users.

The Windows flaw already seeing active exploitation is CVE-2021-43890, which is a “spoofing” bug in the Windows AppX installer on Windows 10. Microsoft says it is aware of attempts to exploit this flaw using specially crafted packages to implant malware families like Emotet, Trickbot, and BazaLoader.

Kevin Breen, director of threat research for Immersive Labs, said CVE-2021-43905 stands out in this month’s patch batch. “Not only for its high CVSS score of 9.6, but also because it’s noted as ‘exploitation more likely’,” Breen observed.

Microsoft also patched CVE-2021-43883, an elevation of privilege vulnerability in Windows Installer. “This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation of privilege vulnerability in Windows Installer that was reportedly fixed in November,” Satnam Narang of Tenable points out. “However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.”

Google issued five security fixes for Chrome, including one rated critical and three others with high severity. If you’re browsing with Chrome, keep a lookout for when you see an “Update” tab appear to the right of the address bar. If it’s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.
Also, Adobe issued patches to correct more than 60 security flaws in a slew of products, including Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager and Premiere Rush.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files. So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Additional reading: SANS ISC listing of each Microsoft vulnerability patched today, indexed by severity and affected component.
Researchers from Accenture discovered Karakurt’s attacks with multiple sightings within a short period of time. The group mainly focuses on data exfiltration, followed by extortion.
Recently, an exploit was publicly released for Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j Java-based logging utility. Soon after, cybercriminals started abusing the flaw to spread malware.
The arrests are the latest police action against groups committing cybercrime in the country, with hacking groups and forums being shut down and cybercriminals’ databases seized.
The majority of attacks have originated from cryptomining and DDoS botnets, such as Mirai, Muhstik, and Kinsing, which are typically the first to exploit any critical enterprise bug before everyone else.
This is the second hack attack on an account connected to the Indian premier in two years. Previously, on September 2, 2020, PM Modi’s personal Twitter account was hacked for a Bitcoin-related scam.
Google has rolled out fixes for five security vulnerabilities in Chrome, including one being exploited in the wild, making it the 17th such flaw to be disclosed since the start of the year.
A noteworthy threat group, TA575, has been observed using holiday-themed lures in its recent attack campaigns. The main goal of the campaigns is to lure victims into downloading the banking trojan, Dridex.
A group of academic researchers discovered security vulnerabilities that can be exploited to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component.
There are now more threats to corporate devices and networks than ever as hybrid work models blur the boundaries between work and home. Many workers perform non-work-related tasks on company devices.
The Assembly's voicemail system was down and many of the systems involved in budgeting were disrupted due to the attack. The Virginia Law Portal is also down because of the attack.
Previously, only certain industries, like the financial sector, had the absolute need and requirement to rely on interconnected information systems to carry out automated transactions and processes.
In reality, these criminal actions are a way for unscrupulous individuals or criminal rings to secure gift card codes they can use illicitly or resell through online black markets for profit.
Kronos Private Cloud was hit by a ransomware attack. The company, also known as Ultimate Kronos Group (UKG), provides timekeeping services to companies employing millions of people across the world.
Cybereason released a mitigation tool named Logout4shell. It is freely available on GitHub and Cybereason said it "is a relatively simple fix that requires only basic Java skills to implement."
Purple Fox targets SQL servers rather than ordinary workstations for its cryptomining activities, because the servers usually have more capable hardware.
The decentralized nature of U.S. state and local agencies has made it harder to reach a consensus approach against such attacks, said Ron Sanders, staff director of Florida Center for Cybersecurity.
Besides CVE-2021-30955, a total of five Kernel and four IOMobileFrameBuffer (a kernel extension for managing the screen framebuffer) flaws have been remediated with the latest updates.
Federal agencies have ten days to test which of their internal apps and servers utilize the Log4j Java library, check if systems are vulnerable to the Log4Shell exploit, and patch affected servers.
Though the identity of the attackers is still unconfirmed, they potentially could be linked to the Iranian group Seedworm, aka MuddyWater or TEMP.Zagros, researchers said.
In an effort to amplify coverage, some ransomware groups are using social media channels to bring news of their conquests to a wider audience and put more pressure on victims to pay the ransom.
Owowa is a C#-based .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA) to credential theft and remote access.
An American non-profit cybersecurity training and IT company is inviting cybersecurity fans everywhere to boost their skills by taking part in a free festive hacking competition.
The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system.
A high-severity vulnerability in several cardiac healthcare devices could allow attackers to access privileged accounts without a password and seize control of the devices.
According to the FBI, U.S. businesses lost more than $1.8 billion last year in costs related to business email compromise (BEC) or spearphishing and over $54 million in losses to phishing scams.
The attack leverages the Log4Shell flaw to download an additional payload from a remote server that encrypts all the files with the extension ".khonsari" and demands a Bitcoin ransom payment.
Almost 40,000 consumers reported falling victim to scams that involved gift cards as a payment method. This year, Target gift cards remained the top choice among cybercriminals.
Brazil's Ministry of Health has suffered a second cyberattack in less than a week, which has compromised various internal systems, including the platform that holds COVID-19 vaccination data.
Ubuntu Security Notice 5192-1 - Chen Zhaojun discovered that Apache Log4j 2 allows remote attackers to run programs via specially crafted input. An attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5191-1 - It was discovered that Flatpak incorrectly handled certain AF_UNIX sockets. An attacker could use this to specially craft a Flatpak application that could escape sandbox confinement.
Red Hat Security Advisory 2021-5086-06 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include a path sanitization vulnerability.
Ubuntu Security Notice 5174-2 - USN-5174-1 fixed vulnerabilities in Samba. Some of the changes introduced a regression in Kerberos authentication in certain environments. This update fixes the problem.
Red Hat Security Advisory 2021-5085-08 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Ubuntu Security Notice 5142-3 - USN-5142-1 fixed vulnerabilities in Samba. Some of the upstream changes introduced a regression in Kerberos authentication in certain environments. Please see the following upstream bug for more information: https://bugzilla.samba.org/show_bug.cgi?id=14922 This update fixes the problem. Various other issues were also addressed.
Red Hat Security Advisory 2021-5094-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include a code execution vulnerability.
Ubuntu Security Notice 5189-1 - It was discovered that GLib incorrectly handled certain environment variables. An attacker could possibly use this issue to escalate privileges.
Europol, the European Union's premier law enforcement agency, has announced the arrest of a third Romanian national for his role as a ransomware affiliate suspected of hacking high-profile organizations and companies and stealing large volumes of sensitive data. The 41-year-old unnamed individual was apprehended Monday morning at his home in Craiova, Romania, by the Romanian Directorate for
Apple on Monday released updates to iOS, macOS, tvOS, and watchOS with security patches for multiple vulnerabilities, including a remote jailbreak exploit chain as well as a number of critical issues in the Kernel and Safari web browser that were first demonstrated at the Tianfu Cup held in China two months ago. Tracked as CVE-2021-30955, the issue could have enabled a malicious application to
Google has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the 17th such weakness to be disclosed since the start of the year. Tracked as CVE-2021-4102, the flaw relates to a use-after-free bug in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from
Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The attack leverages the remote code execution flaw to download an additional payload, a .NET binary, from a
As a CISO, one of the most challenging questions to answer is "How well are we protected right now?" Between the acceleration of hackers' offensive capabilities and the dynamic nature of information networks, a drift in the security posture is unavoidable and needs to be continuously compensated. Therefore, answering that question implies continuously validating the security posture and being in