On August 15, the Signal team reported that unknown hackers attacked users of the messenger. We explain why this incident demonstrates Signal's advantages over some other messengers.

What happened?

According to the statement issued by Signal, the attack affected around 1900 users of the app. Given that Signal's audience runs to more than 40 million active users a month, the incident impacted only a tiny share of them. That said, Signal is used predominantly by those who genuinely care about the privacy of their correspondence. So even though the attack affected a minuscule fraction of the audience, it still reverberated around the information security world.

As a result of the attack, hackers were able to log in to the victim's account from another device, or simply find out that the owner of such and such phone number uses Signal. Among these 1900 numbers, the attackers were interested in three specifically; Signal was notified by one of these three users that their account had been activated on another device without their knowledge.

How did it happen?

On the pages of Kaspersky Daily, we have often talked about the fact that Signal is a secure messenger. And yet it was successfully attacked. Does that mean that its renowned security and privacy are just a myth? Let's see what exactly the attack looked like and what role Signal actually played in it.

Let's start with the fact that Signal accounts, as in, say, WhatsApp and Telegram, are linked to a phone number. This is common, but not universal, practice: for example, the secure messenger Threema proudly states as one of its selling points that it does not tie accounts to phone numbers. In Signal a phone number is needed for authentication: the user enters their phone number, to which a code is sent in a text message. The code must be entered: if it is correct, that means the user does indeed own the number.

The sending of such text messages with one-time codes is handled by specialized companies that provide the same authentication method for multiple services. In the case of Signal, this provider is Twilio — and it is this company that the hackers targeted. The next step was phishing: some Twilio employees received messages saying that their passwords were supposedly old and needed updating. To do so, they were invited to click a (that's right) phishing link. One employee swallowed the bait, went to the fake site and entered their credentials, which fell straight into the hackers' hands. These credentials gave them access to Twilio's internal systems, enabling them to send text messages to users, and to read them. The hackers then used the service to install Signal on a new device: they entered the victim's phone number, intercepted the text with the activation code and, voilà, got inside their Signal account.

How this incident proves Signal's robustness

So, it turns out that even Signal isn't immune to such incidents. Why, then, do we keep talking about its security and privacy? First of all, the cybercriminals did not gain access to correspondence. Signal uses end-to-end encryption with the secure Signal Protocol. With end-to-end encryption, user messages are stored only on their devices, not on Signal's servers or anywhere else. Therefore, there is simply no way to read them just by hacking Signal's infrastructure.

What is stored on Signal's servers is users' phone numbers as well as their contacts' phone numbers. This allows the messenger to notify you when a contact of yours signs up to Signal. However, the data is stored, first, in special storage called secure enclaves, which even Signal's developers can't access. And second, the numbers themselves aren't stored there in plain text, but rather in the form of a hash. This mechanism allows the Signal app on your phone to send encrypted information about contacts and receive a likewise encrypted reply as to which of your contacts use Signal. In other words, the attackers could not gain access to the users' contact lists either.

Lastly, we should stress that Signal was attacked through its supply chain — via a less protected service provider used by the company. This, therefore, is its weak link. However, Signal has safeguards against this, too. The app contains a feature called Registration Lock (to activate it, go to Settings -> Account -> Registration Lock), which requires a user-defined PIN to be entered when activating Signal on a new device. Just in case, let's clarify that the PIN in Signal has nothing to do with unlocking the app — that is done through the same means you use to unlock your smartphone.

Image: Registration Lock in Signal settings

By default, Registration Lock is disabled, as was the case for at least one of the hacked accounts. As a result, the cybercriminals managed to pull off the attack and were able to impersonate the victim for roughly 13 hours. If Registration Lock had been enabled, they could not have logged in to the app knowing only the phone number and verification code.

What can be done to better protect messages?

To sum up: the attackers did not hack Signal itself, but its partner Twilio, giving them access to 1900 accounts, which they utilized to log in to three of them. What's more, they gained access to neither correspondence nor contact lists, and could only try to impersonate the users of those accounts they penetrated. If these users had turned on Registration Lock, the hackers could not even have done that. And although the attack was formally a success, there is no reason to get scared and stop using Signal. It remains a pretty secure app that provides good privacy for your messages, as this hacking incident demonstrated. But you can make it even safer:

- Enable Registration Lock in the Signal settings, so that cybercriminals can't log in to your account without knowing your private PIN, even if they have the one-time code for activating Signal on a new device.
- Read our blog post about setting up privacy and security in Signal, and configure your app. Signal has basic settings as well as options for the truly paranoid that provide extra security at the cost of some usability.
- And, of course, install a security app on your smartphone. If malware gets on your device, no safeguards on Signal's side will protect your messages and contact list. But if malware is not allowed in, or at least is caught in time, there is no threat to your data.
The WannaCry cryptoworm epidemic began on May 12, 2017. Its victims had their work interrupted by the following on-screen message:

Image: WannaCry ransom note on the screen of an infected computer

Right after that, victims discovered that all their documents were encrypted, and normal file extensions like .doc or .mp3 had the .wnry extension appended to them. In case anyone closed the window without reading it, the malware also swapped the desktop wallpaper for its own, bearing the following message:

Image: Wallpaper warning

To decrypt the files, the program demanded a transfer of $300 in bitcoin to the attackers' wallet. Later, the amount was increased to $600. Within a day, the rapidly spreading internet worm had infected more than 200,000 systems worldwide, including both home computers and corporate networks: hospitals, transport companies, banking services and cell phone carriers were affected. The Taiwanese chipmaker TSMC had to suspend production due to a mass infection of corporate devices.

How did it happen?

WannaCry's lightning-fast spread was made possible by vulnerabilities in the Server Message Block (SMB) protocol in Windows. This protocol serves to exchange files over a local network. The vulnerabilities allowed arbitrary code execution on an unpatched computer via a request over the SMBv1 protocol, an antiquated version of SMB that has been in use since the early 1990s. Since 2006, the default protocol version used in Windows has been SMBv2 or later, but support for the old protocol was retained for compatibility with computers running legacy software. When the problem was discovered and updates released in March 2017 (almost two months before the WannaCry outbreak), the SMBv1 vulnerabilities affected all unpatched versions of the operating system, from Vista to the then brand-new Windows 10. The outdated Windows XP and Windows 8 were also at risk. Microsoft released a patch for Windows XP, despite having officially ended support for it back in 2014.

The exploit that targeted vulnerabilities in SMBv1 is commonly referred to by the codename EternalBlue, for reasons worthy of a separate mention. But first, you should know another codename: DoublePulsar. This is the name of the malicious code used to create a backdoor in the attacked system.
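As an added example that is not part of the original article, the PowerShell audit below checks a Windows host for the legacy exposure described above: whether the SMBv1 server and client components are still enabled (they were retained for compatibility, which is what WannaCry relied on) and whether SMB signing is required, and disables SMBv1 when run with the assumed -Remediate switch. It assumes Windows 8.1 / Server 2012 R2 or later (where the SmbShare module and the SMB1Protocol / FS-SMB1 features exist) and an elevated session.

```powershell
# Added example (not from the article): audit a Windows host for the SMBv1 exposure
# that WannaCry relied on, and optionally disable the legacy protocol.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate   # assumed switch: disable SMBv1 instead of only reporting
)

$result = [ordered]@{
    Host              = $env:COMPUTERNAME
    Smb1ServerEnabled = $null
    Smb1ClientEnabled = $null
    Smb2ServerEnabled = $null
    SigningRequired   = $null
    Remediated        = $false
}

# Server side: this setting governs whether the host accepts inbound SMBv1 sessions,
# the path the EternalBlue exploit used.
$srv = Get-SmbServerConfiguration
$result.Smb1ServerEnabled = $srv.EnableSMB1Protocol
$result.Smb2ServerEnabled = $srv.EnableSMB2Protocol
$result.SigningRequired   = $srv.RequireSecuritySignature

# Client side: the SMBv1 client is a separate optional component.
# Workstation SKUs expose it as the "SMB1Protocol" optional feature, servers as FS-SMB1.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    $result.Smb1ClientEnabled = ($feature.State -eq 'Enabled')
} elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $result.Smb1ClientEnabled = (Get-WindowsFeature -Name FS-SMB1).Installed
}

if ($Remediate) {
    if ($result.Smb1ServerEnabled) {
        # Stop accepting SMBv1 sessions; SMBv2/SMBv3 clients are unaffected.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        # Remove the client component too; a reboot may be needed before this takes effect.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    $result.Remediated = $true
}

# Emit one object per host so the output can be collected across a fleet.
[pscustomobject]$result
```

Disabling SMBv1 shrinks the attack surface but does not replace installing the March 2017 updates the article mentions; hosts that still need SMBv1 for legacy equipment should at least be isolated from the rest of the network.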
Both the EternalBlue exploit and the DoublePulsar backdoor were made public by the anonymous group ShadowBrokers in March and April 2017 respectively. They, along with other malicious tools, were allegedly stolen from a division of the US National Security Agency. The WannaCry worm uses both components: it first acquires the ability to run malicious code through the EternalBlue exploit, then uses a customized DoublePulsar tool to launch the payload that encrypts files and displays the ransom note. In addition to file encryption, WannaCry communicated with the attackers' C2 server through the anonymous Tor network, and propagated itself by sending malicious requests to random IP addresses. This is what drove the worm's incredible rate of distribution — tens of thousands of infected systems per hour!

Kill switch

On the same day, May 12, a then-unknown cybersecurity blogger, MalwareTech, took an in-depth look at the WannaCry code. He discovered that stitched inside the code was an address of the form .com. The domain name was not registered, so MalwareTech registered it himself, initially assuming that infected computers would use this address for further communication with C2 servers. Instead, he inadvertently stopped the WannaCry epidemic. Although it transpired that by the evening of May 12, after registration of the domain, WannaCry was still infecting computers, it did not encrypt the data on them. What the malware was in fact doing was querying the domain name and, if it did not exist, encrypting files. Since the domain was now available, all malware instances for some reason halted their efforts.

Why did the creators make it so easy to kill their ransomware? According to MalwareTech, it was a failed attempt to deceive automated sandbox analysis. Sandboxing works like this: a malicious program is run in an isolated virtual environment allowing real-time analysis of its behavior.
This is a common procedure that is performed either manually by virus analysts or automatically. The virtual environment is designed to allow the malware to execute fully and give up all its secrets to the researchers. If the malware requests a file, the sandbox pretends that the file exists. If it accesses a site online, the virtual environment can emulate a response. Perhaps WannaCry's authors believed they could outwit sandbox analysis: if the worm accessed a domain known not to exist and still got a response, then the victim was not real and malicious activity should be hidden. What they probably didn't reckon with was the worm's code being disassembled in just three hours, and its secret domain name being found and registered.

MalwareTech: the hacker who saved the internet

MalwareTech had reasons to hide his true identity. His real name is Marcus Hutchins. When WannaCry hit, he was just 23 years old. While still in high school, he fell in with the wrong crowd, as they say, and hung out on forums involved in petty cybercrime. Among his sins was writing a program to steal browser passwords. He also wrote a program to infect users through torrents, and used it to build an 8,000-strong botnet. In the early 2000s, he was spotted by a bigger player and invited to write a piece of the Kronos malware. For his work, Marcus was paid a commission on each sale on the gray market: other cybercriminals bought the malware to carry out their own attacks. Hutchins revealed that on at least two occasions he gave out his real name and home address in the UK to accomplices. This information later fell into the hands of US law enforcement. The man who saved the internet was anonymous no more. Two days later, reporters were knocking on his door: the daughter of one of the journalists went to the same school as Marcus, and knew that he used the MalwareTech alias. He avoided talking to the press at first, but eventually gave an interview to the Associated Press.
In August 2017, now as an honored guest, he was invited to Las Vegas for the famous DEF CON hacker conference. That's where he was arrested. After spending several months under house arrest and partially admitting to the charges regarding Kronos, Hutchins got off lightly with a suspended sentence. In a major interview with Wired magazine, he described his criminal past as a regrettable mistake: he did it less for money than out of a desire to show off his skills and achieve recognition in the underground community. At the time of WannaCry, he had had no contact with cybercriminals for two years, and his MalwareTech blog was read and admired by experts.

Was it the last epidemic?

We recently wrote about the ILOVEYOU worm, which caused a major epidemic in the early 2000s. It had a lot in common with WannaCry: both worms spread through a vulnerability in Windows for which a patch was already available. But not all computers had been updated when the infection broke out. The result was hundreds of thousands of victims worldwide, million-dollar damage to companies and lost user data. There are differences, too. The creators of WannaCry (presumably a group from North Korea) used off-the-shelf hacking tools available in the public domain. ILOVEYOU simply deleted a few files; WannaCry demanded a ransom from users robbed of all their documents. Luckily, WannaCry's authors got too cute by embedding a kill switch that worked against them. The story of this epidemic is also about the genius of malware hunters able to take someone else's handiwork, analyze it in next to no time, and develop a defense mechanism. The WannaCry epidemic was studied by dozens of companies and received maximum media attention, which makes it rather an exception to the rule. A ransomware attack on a specific business these days is unlikely to get front-page coverage: in fact, you'll be left facing your tormentor alone. Therefore, it's important to involve top experts in the damage control operation, and not succumb to extortion. As the case of WannaCry shows, even a highly sophisticated and effective attack can have its Achilles heel.
On August 18, 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) added one of these critical SAP vulnerabilities, CVE-2022-22536, to its Known Exploited Vulnerabilities (KEV) Catalog.
A command center founded by North Dakota to facilitate interstate cooperation on cybersecurity and threat intelligence has expanded and now comprises nearly 20% of states, North Dakota Chief Information Officer Shawn Riley announced.
While the issue has been resolved in versions 15.3.1, 15.2.3, and 15.1.5, users also have the option of securing against the flaw by temporarily disabling the GitHub import option.
The ETHERLED method can work with other peripherals or hardware that use LEDs as status or operational indicators like routers, network-attached storage (NAS) devices, printers, scanners, and various other connected devices.
The center will also lead internet security research on the continent, at a time when hacking groups are deploying sophisticated deep learning software to penetrate African government websites, banks, hospitals, power companies, and telcos.
Infection chains entail using a dropper to compromise users' Xcode projects with the backdoor, with the latter also taking steps to evade detection by masquerading as either system software or the Google Chrome web browser application.
The ministry notes that within the framework of the memorandum, Ukraine and Poland will exchange best practices in countering cyberattacks, conduct joint training, share information about cyberattacks, and fight disinformation.
“VMware Tools was impacted by a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine,” VMware said in an advisory.
The fake arrest warrant was sent from a purported "high-ranking officer" to the victim. It contains the official emblem of the country's law enforcement body and contains legitimate details of the victim gleaned from the April 2022 leak.
When an attack on one organization becomes a window for potential attacks on many, threat actors take notice and circle back for more. Unauthorized access is often gained through phishing and social engineering attacks.
While the breached information varies depending on the individual, it may include name, address, date of birth, Social Security number, health insurance information, and any medical treatment information that was provided to Lamoille Health Partners.
Popular cultural depictions of fraud and cybercrime are raising awareness of the dangers posed to personally identifiable information by bad actors, according to a new study.
Practice Resources recently notified 942,138 patients that their data was accessed or stolen ahead of a ransomware attack deployed in April. The New York-based vendor provides billing and professional services to a range of healthcare entities.
The campaign uses SEO poisoning and malvertising to push malicious shareware sites high in Google Search results, promoting fake software along with cracks and product activation key generators.
The disclosure also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.
Karakurt hackers have claimed to have exfiltrated 360GB of files from Methodist McKinney and two of its surgical centers, including patient cards, prescription scans, invoices, accounting records, contracts, and financial documents.
For outsiders looking in, it almost looks like the government isn't trying to improve its security posture; however, the reality is that it's difficult for security leaders to keep up with an evolving cyber threat landscape.
IBM this week announced patches for high-severity vulnerabilities in IBM MQ, warning that attackers could exploit them to bypass security restrictions or access sensitive information.
Attackers using BianLian typically demand unusually high ransoms, and they utilize a unique encryption style that divides the file content into chunks of 10 bytes to evade detection by antivirus products, the researchers said.
DarkTortilla comes with a wide range of malicious payloads that continue to rapidly evolve, as almost 10,000 samples were uploaded to VirusTotal between January 2021 and May 2022.
In a draft report issued Tuesday, NSTAC said CISA should issue a binding operational directive that would mandate federal departments to continuously monitor how any in-use operational technology (OT) devices connect with other systems.
Researchers at Swiss security firm Modzero discovered an issue related to CrowdStrike’s Falcon endpoint detection and response product. Specifically, the problem is related to the Falcon Sensor, a lightweight agent deployed on each end device.
Three autonomous threat groups—Silent Ransom, Quantum, and Roy/Zeon—have resorted to BazarCall phishing tactics as an initial attack vector to access targeted networks.
Startups such as Juspay, Unacademy, Dunzo, and Bigbasket have become increasingly vulnerable to data breaches in the past few years. While Juspay lost 35 million records, Unacademy lost over 20 million!
Officials said they are notifying those potentially exposed now that the investigation is complete. They also set up toll-free information numbers and posted information online.
A Workforce Safety & Insurance employee opened a malicious email attachment — an incident that led to cyber attackers accessing personal data on 182 individuals who had been seeking injured employee claims.
This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.
MIMEDefang is a flexible MIME email scanner designed to protect Windows clients from viruses. It includes the ability to do many other kinds of mail processing, such as replacing parts of messages with URLs. It can alter or delete various parts of a MIME message according to a very flexible configuration file. It can also bounce messages with unacceptable attachments. MIMEDefang works with the Sendmail 8.11 and newer "Milter" API, which makes it more flexible and efficient than procmail-based approaches.
Ubuntu Security Notice 5578-1 - It was discovered that Open VM Tools incorrectly handled certain requests. An attacker inside the guest could possibly use this issue to gain root privileges inside the virtual machine.
Ubuntu Security Notice 5576-1 - It was discovered that Twisted incorrectly parsed some types of HTTP requests in its web server implementation. In certain proxy or multi-server configurations, a remote attacker could craft malicious HTTP requests in order to obtain sensitive information.
Ubuntu Security Notice 5577-1 - Asaf Modelevsky discovered that the Intel 10GbE PCI Express Ethernet driver for the Linux kernel performed insufficient control flow management. A local attacker could possibly use this to cause a denial of service. It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Red Hat Security Advisory 2022-6094-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.28.
Red Hat Security Advisory 2022-6102-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.1.
Red Hat Security Advisory 2022-6103-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.1.
DevOps platform GitLab this week issued patches to address a critical security flaw in its software that could lead to arbitrary code execution on affected systems. Tracked as CVE-2022-2884, the issue is rated 9.9 on the CVSS vulnerability scoring system and impacts all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, 15.2 before 15.2.3,
WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer. "A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week
The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services have also set their sights on Google Workspace users. "This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu
Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations. The findings from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact ("72client") that functions as a bot and can run scripts on the compromised host using the Tox protocol. Tox
A security researcher who has a long line of work demonstrating novel data exfiltration methods from air-gapped systems has come up with yet another technique that involves sending Morse code signals via LEDs on network interface cards (NICs). The approach, codenamed ETHERLED, comes from Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the
From ransomware to breaches, from noncompliance penalties to reputational damage – cyberthreats pose an existential risk to any business. But for SMEs and SMBs, the danger is compounded. These companies realize they need an in-house Chief Information Security Officer (CISO) – someone who can assess risks and vulnerabilities, create and execute a comprehensive cybersecurity plan, ensure
With social engineering now the number one cause of cyberattacks, it’s imperative for you to learn how to stop social engineering attacks against your business. Your first step in stopping them is to learn what they are and how they work. After that, you need to learn how combining security layers like Endpoint Protection and Email Security makes the best defense. Read on and we’ll walk you through every step of the way.

What is social engineering and how does it work?

Social engineering tactics are based on a simple truth: it’s easier to hack a human than it is to hack a computer. That means social engineering attackers use deception and tricks to get their victims to willingly give up private information like logins, passwords and even bank details. Phishing is the most common type of social engineering attack, and it works by disguising emails as coming from someone or something you trust. We would never click on an email with the subject line “Click here to get hacked,” but we might click on an email titled “Your Amazon purchase refund – claim now.”

Why does combining security layers prevent social engineering?

Forrester unleashed their researchers to find the best defense against social engineering. They recommend layered defenses for preventing social engineering strategies like phishing. Because social engineering attacks prey on the human element of cybersecurity, they’re very good at getting around single layers of protection. After all, locked doors only work when the bad guys don’t have a copy of the key. But if your business is protected by both Email Security and Endpoint Protection, attackers can trick their way into an employee’s email password and still be foiled by Endpoint Protection. Or they might gain access to your network with an illicitly gained password, but Email Security stops their attack from spreading.

Stop social engineering

Now that you know how social engineering works and the best defense against this type of cyberattack, you’re well on your way to stopping social engineering. The next step is making sure you have the right tools to stop cybercriminals in their tracks. Review your cybersecurity strategy to make sure you have multiple layers of protection like Email Security and Endpoint Protection. Interested in achieving cyber resilience and gaining a partner to help stop cyberattacks? Explore Webroot Endpoint Protection and Webroot Email Security powered by Zix.

The post How to stop social engineering tactics appeared first on Webroot Blog.