Cyber security aggregate rss news



 Business

Business requirements for IT and infosec teams are manifold and often contradictory. The tasks include cost reduction, efficient data use, automation, cloud migration, and weighing up all information security risks. How do the major trends and changes in IT affect a company's infosec profile, and what should your response to business requirements take into account? We analyzed the most important and practical trends in IT (according to various groups of independent experts and cybersecurity market analysts), focusing on the infosec aspects of each.

IT optimization

Businesses all over the world have good reason to tighten their belts – be it due to geopolitical changes, inflation or economic recession. For the IT team, this means a major review of operating costs. Finance departments currently have cloud expenses under the microscope, as 60% of companies' data is now stored in the cloud. For many companies, migration to the cloud has been impromptu and unsystematic, resulting in a buildup of underutilized SaaS subscriptions, as well as sub-optimally configured virtual machines and other cloud environments. There's usually great potential for optimization here, but it mustn't be a one-off process. Companies need to create a culture in which cloud costs are the concern not only of IT folks, but of the cloud users themselves.

The infosec angle. During optimization and consolidation, cloud services get reconfigured and data is moved around between different cloud environments. It's important to allocate time and resources to a post-migration audit to make sure, among other things, that the security settings are correct and that any service accounts and ports opened for the migration have been closed. During migration, it's a good idea to rotate secrets (access tokens, API keys, etc.) and apply best-practice password and encryption policies. If any equipment or cloud services are decommissioned post-migration, they must be wiped of all confidential data and service information (debugging and temporary files, test data, etc.).
Open source

The economic benefits of open-source applications are varied: for example, software development companies reduce costs and time-to-market through the use of off-the-shelf code, while others get a system they can modify and maintain internally, if required.

The infosec angle. The main risk of open source is the presence of vulnerabilities and backdoors in third-party code – especially since it's not always clear who should correct the code and how. Oftentimes a company will use some library or piece of software without knowing it. Eliminating open-source risks requires code inventory and scanning systems. For an in-depth look at risks and mitigation measures, see our separate post.

Data management

Large companies in practically every industry have been accumulating huge amounts of operational data for around two decades now. In theory, this helps optimize and automate business processes and develop fundamentally new products (sometimes the data itself becomes a sought-after commodity). In practice, however, things are more complicated: lots of data is collected, but often its structure, currency and form of storage are such that it's difficult or even impossible to find information and use it. For real data-driven growth, businesses need clear procedures for collecting, cataloging, storing and using it. A useful strategy here is data management and data governance. These strategies describe the structure and nature of stored information and the full data life-cycle, and allow you to manage its storage and use.

The infosec angle. Data governance is being implemented for economic reasons, but the collateral benefits for information security are huge. After all, knowing where and what data it holds, a company is better placed to assess the risks, provide adequate protection for all data pools, and comply with personal data laws.
The infosec team should play an active role in developing and implementing the data management strategy, including: access and encryption policies, compliance control, protection measures for data at rest and in transit, and procedures for gaining access. The strategy must also cover auxiliary data types such as backups and proprietary technical information in the cloud (especially SaaS).

Low code & no code

The low-code approach allows business systems to be modified and developed without programmers. Common modifications include changing the interface of applications and websites, creating new data analysis and control scenarios, and robotic process automation (RPA). This helps develop CRM solutions and e-document management, create marketing web pages, etc. Companies benefit from this approach because the IT maintenance costs involved are significantly lower than for counterparts that require real programmers. Some popular no-code/low-code systems are Microsoft Power Apps, Salesforce, UiPath, and even WordPress.

The infosec angle. Low-code systems harbor significant risks, since by definition they have fairly wide access to data and other corporate IT systems. They're also configured and used by people without in-depth IT/infosec training. All of this can lead to data leaks, various forms of privilege escalation, insufficient logging, and unauthorized access to information. In addition, users of such systems regularly leave secrets, such as API keys, directly in the code. And to top it off, almost all no-code systems make active use of plug-in architecture and have their own specific component stores for user projects. Vulnerabilities in such components are often very serious and extremely hard to track and fix promptly using standard infosec tools. The infosec team should develop specialized policies and procedures for each low-code application used in the company.
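Because the low-code risk just described includes secrets pasted straight into app code, here is an added example (not code from the original post, and not any low-code vendor's tooling) of the kind of check a team can run over a project export before it is published or committed. The export text, the rule list and the key values are constructed; the AWS key is AWS's documented placeholder. Pattern rules catch fixed-format IDs, and an entropy threshold keeps free-form matches from firing on placeholders such as REPLACE_ME.

```python
"""Hard-coded secret check for a low-code project export. Added example, not
code from the original post or any low-code vendor. The export text, rules and
key values are constructed; the AWS key is AWS's documented placeholder."""
import math
import re
from typing import List, Tuple

# Constructed sample: the shape of a Power Apps / RPA project exported as JSON,
# with connection settings pasted in next to the app's formulas.
SAMPLE_EXPORT = """\
{
  "connections": {
    "storage": "DefaultEndpointsProtocol=https;AccountName=acme;AccountKey=k2Vx9PqLm4Tz7Nb1Rw8Yh3Jd6Fg0Sc5Ae2Ui4Op7Xq9Lt1Mn3Zv6Bh8Kr0Dw5Yf==;",
    "crm_api_key": "sk_live_h3Kz9QvT2mPx8LwN4bRc7yFd",
    "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE"
  },
  "formulas": {
    "OnSelect": "Patch(Orders, Defaults(Orders), {Status: \\"New\\"})",
    "Label1.Text": "Welcome back"
  }
}
"""

# (rule name, regex); group 1 captures the secret value.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("azure-storage-account-key", re.compile(r"AccountKey=([A-Za-z0-9+/=]{40,})")),
    ("generic-api-key", re.compile(
        r"""(?i)(?:api[_-]?key|secret|token)["']?\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']""")),
]
FIXED_FORMAT = {"aws-access-key-id"}   # structured IDs: report regardless of entropy


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys land around 4-5; words and repeated
    placeholders stay well below 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Enough to locate the secret in the file, never the whole value."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str, min_entropy: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule, redacted_value) for each hit. Free-form matches
    must look random, so api_key = "REPLACE_ME_REPLACE_ME" is not reported."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1)
                if name not in FIXED_FORMAT and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((no, name, redact(value)))
    return findings


if __name__ == "__main__":
    for line_no, rule, shown in scan(SAMPLE_EXPORT):
        print(f"line {line_no}: {rule}: {shown}")
```

The report deliberately carries only a redacted prefix and suffix: a finding that reproduces the whole key just moves the leak into the ticketing system. Anything this flags should be rotated, not merely deleted from the export, because the export may already have been shared.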
Application administrators and owners must receive in-depth training in these infosec procedures, while regular users of low-code applications need basic specialized training. As part of this user training, it's essential to teach safe programming practices and how to use the system. At the absolute minimum, the training must cover the requirements not to store passwords in software code, to validate input data and to minimize data-modifying operations. IT administrators need to pay careful attention to minimizing privileges and controlling access to data through low-code applications. The infosec team should evaluate specialized solutions for protecting specific low-code applications; for example, there is a fairly developed mini-industry around WordPress. More about this quite broad topic can be found in our separate post.

Robustness & resilience

Major IT incidents over the past decade (not necessarily cyberattacks) have taught businesses that investing in IT resilience is cost-effective and worthwhile. Investments here are primarily aimed at eliminating catastrophic losses and ensuring business continuity. But even if major incidents are left out of the equation, resilience brings benefits by improving the user experience for customers and employees, increasing the company's reputation and encouraging loyalty.
There are several strands to robustness development:

- In-depth testing of IT systems during development (DevOps, DevSecOps);
- Designing systems able to continue functioning in case of partial failure (redundancy, duplication);
- Implementing monitoring systems for tracking IT/infosec anomalies and preventing incidents at an early stage (database failure, load imbalance, malware execution, etc.);
- Implementing a multi-layered infosec system in the company;
- Developing automation scenarios to save time and minimize human errors, including scenarios for automatic resolution of IT infrastructure issues;
- Studying the supply chain to rule out incidents related to the code, infrastructure or internal procedures of company suppliers and contractors;
- Implementing incident response and post-incident recovery procedures and testing them in practice.

The infosec angle. Although businesses demand general resilience from their IT systems, the IT and infosec requirements here are closely intertwined, such that implementation of any of the above strands will require in-depth collaboration among the relevant departments. Budgets are limited, so it's important to define the priorities with business decision makers and distribute tasks and projects between general IT and infosec, identifying opportunities for optimization and synergy. Ideally, one solution (say, a backup system) should handle IT/infosec tasks concurrently, and defining their requirements, training in their use, etc., should take place jointly. The result for the company will be a holistic cyber-resilience strategy. The first steps to cyber-resilience are covered in detail here.

This post has not said a word about generative AI or various other corporate IT trends still in the "we're experimenting with how to apply it" phase. As regards promising but still raw trends, we plan to release a separate review.


 A Little Sunshine

Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into a botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.

Image: Lumen’s Black Lotus Labs.

In a report released July 12, researchers at Lumen’s Black Lotus Labs called the AVrecon botnet “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history,” and a crime machine that has largely evaded public attention since first being spotted in mid-2021. “The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying and ad fraud,” the Lumen researchers wrote.

Malware-based anonymity networks are a major source of unwanted and malicious web traffic directed at online retailers, Internet service providers (ISPs), social networks, email providers and financial institutions. And a great many of these “proxy” networks are marketed primarily to cybercriminals seeking to anonymize their traffic by routing it through an infected PC, router or mobile device.

Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source. Proxy services also let users appear to be getting online from nearly anywhere in the world, which is useful if you’re a cybercriminal who is trying to impersonate someone from a specific place.

Spur.us, a startup that tracks proxy services, told KrebsOnSecurity that the Internet addresses Lumen tagged as the AVrecon botnet’s “Command and Control” (C2) servers all tie back to a long-running proxy service called SocksEscort. SocksEscort[.]com is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.

The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.

Spur tracks SocksEscort as a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay. Usually, these users have no idea their systems are compromised. Spur says the SocksEscort proxy service requires customers to install a Windows-based application in order to access a pool of more than 10,000 hacked devices worldwide.

“We created a fingerprint to identify the call-back infrastructure for SocksEscort proxies,” Spur co-founder Riley Kilmer said. “Looking at network telemetry, we were able to confirm that we saw victims talking back to it on various ports.” According to Kilmer, AVrecon is the malware that gives SocksEscort its proxies. “When Lumen released their report and IOCs [indicators of compromise], we queried our system for which proxy service call-back infrastructure overlapped with their IOCs,” Kilmer continued. “The second stage C2s they identified were the same as the IPs we labeled for SocksEscort.”

Lumen’s research team said the purpose of AVrecon appears to be stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.
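To make the SOCKS5 description above concrete, here is an added example (not code from the article, Lumen or Spur) that encodes and parses both sides of the RFC 1928 exchange a proxy customer's client and a SocksEscort-style relay would perform, plus the minimal first-packet fingerprint a network sensor could apply. Hosts, ports, the method lists and the "captured" reply bytes are constructed.

```python
"""SOCKS5 (RFC 1928) messages for both sides of the exchange. Added example,
not code from KrebsOnSecurity, Lumen or Spur; the byte strings are constructed."""
import ipaddress
import struct
from typing import Tuple

VERSION = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable", 5: "connection refused",
           6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def client_greeting(methods=(NO_AUTH, USERPASS)) -> bytes:
    """VER | NMETHODS | METHODS... : the first bytes the customer's client sends."""
    return bytes([VERSION, len(methods), *methods])


def server_method_choice(greeting: bytes, supported=(USERPASS,)) -> bytes:
    """Relay side: pick the first offered method we support, else 0xFF (refuse)."""
    if len(greeting) < 2 or greeting[0] != VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("not a SOCKS5 greeting")
    chosen = next((m for m in greeting[2:] if m in supported), NO_ACCEPTABLE)
    return bytes([VERSION, chosen])


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. A domain name goes as
    ATYP 0x03, so the relay resolves it: the customer's own resolver never
    sees the lookup."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data: bytes) -> Tuple[int, str, int]:
    """Relay side, or a sensor on the wire: decode (cmd, host, port)."""
    if len(data) < 4 or data[0] != VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("bad length")
    return cmd, host, struct.unpack("!H", rest)[0]


def parse_reply(data: bytes) -> Tuple[str, str, int]:
    """Decode the relay's reply: (status text, bound address, bound port).
    The reply has the request's layout with REP in place of CMD."""
    _, host, port = parse_request(data)
    return REPLIES.get(data[1], f"unknown {data[1]:#x}"), host, port


def looks_like_socks5_greeting(payload: bytes) -> bool:
    """Cheap first-packet fingerprint for a sensor: version 5, method count
    matching the length, only defined or private-range method codes. Malware
    proxies normally wrap the protocol in TLS or custom framing, so this only
    catches the bare form, but it is the first thing to try."""
    return (len(payload) >= 3 and payload[0] == VERSION
            and len(payload) == 2 + payload[1]
            and all(m in (0x00, 0x01, 0x02) or 0x80 <= m <= 0xFE for m in payload[2:]))


if __name__ == "__main__":
    greeting = client_greeting()                           # 05 02 00 02
    print("server picks:", server_method_choice(greeting).hex())
    req = connect_request("example.com", 443)
    print("request:", req.hex(), parse_request(req))
    # Constructed reply: success, bound to 0.0.0.0:0 as many relays report.
    reply = bytes([VERSION, 0x00, 0x00, ATYP_IPV4]) + b"\x00" * 4 + struct.pack("!H", 0)
    print("reply:", parse_reply(reply))
```

Two details matter for defenders. The domain form of the request is why a proxy customer's DNS traffic reveals nothing: resolution happens on the infected router. And the greeting fingerprint is only a starting point; Spur's fingerprint, per the article, was of the call-back infrastructure, not of the customer-facing protocol.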
“This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw,” Lumen’s Black Lotus researchers wrote.

Preserving bandwidth for both customers and victims was a primary concern for SocksEscort in July 2022, when 911S5 — at the time the world’s largest known malware proxy network — got hacked and imploded just days after being exposed in a story here. Kilmer said after 911’s demise, SocksEscort closed its registration for several months to prevent an influx of new users from swamping the service.

Danny Adamitis, principal information security researcher at Lumen and co-author of the report on AVrecon, confirmed Kilmer’s findings, saying the C2 data matched up with what Spur was seeing for SocksEscort dating back to September 2022. Adamitis said that on July 13 — the day after Lumen published research on AVrecon and started blocking any traffic to the malware’s control servers — the people responsible for maintaining the botnet reacted quickly to transition infected systems over to a new command and control infrastructure. “They were clearly reacting and trying to maintain control over components of the botnet,” Adamitis said. “Probably, they wanted to keep that revenue stream going.”

Frustratingly, Lumen was not able to determine how the SOHO devices were being infected with AVrecon. Some possible avenues of infection include exploiting weak or default administrative credentials on routers, and outdated, insecure firmware that has known, exploitable security vulnerabilities.

WHO’S BEHIND SOCKSESCORT?

KrebsOnSecurity briefly visited SocksEscort last year and promised a follow-up on the history and possible identity of its proprietors. A review of the earliest posts about this service on Russian cybercrime forums suggests the 12-year-old malware proxy network is tied to a Moldovan company that also offers VPN software on the Apple Store and elsewhere.

SocksEscort began in 2009 as “super-socks[.]com,” a Russian-language service that sold access to thousands of compromised PCs that could be used to proxy traffic. Someone who picked the nicknames “SSC” and “super-socks” and email address “michvatt@gmail.com” registered on multiple cybercrime forums and began promoting the proxy service. According to DomainTools.com, the apparently related email address “michdomain@gmail.com” was used to register SocksEscort[.]com, super-socks[.]com, and a few other proxy-related domains, including ip-score[.]com, segate[.]org, seproxysoft[.]com, and vipssc[.]us. Cached versions of both super-socks[.]com and vipssc[.]us show these sites sold the same proxy service, and both displayed the letters “SSC” prominently at the top of their homepages.

Image: Archive.org. Page translation from Russian via Google Translate.

According to cyber intelligence firm Intel 471, the very first “SSC” identity registered on the cybercrime forums happened in 2009 at the Russian language hacker community Antichat, where SSC registered using the email address adriman@gmail.com. SSC asked fellow forum members for help in testing the security of a website they claimed was theirs: myiptest[.]com, which promised to tell visitors whether their proxy address was included on any security or anti-spam block lists. DomainTools says myiptest[.]com was registered in 2008 to an Adrian Crismaru from Chisinau, Moldova. Myiptest[.]com is no longer responding, but a cached copy of it from Archive.org shows that for about four years it included in its HTML source a Google Analytics code of US-2665744, which was also present on more than a dozen other websites.

Most of the sites that once bore that Google tracking code are no longer online, but nearly all of them centered around services that were similar to myiptest[.]com, such as abuseipdb[.]com, bestiptest[.]com, checkdnslbl[.]com, dnsbltools[.]com and dnsblmonitor[.]com. Each of these services was designed to help visitors quickly determine whether the Internet address they were visiting the site from was listed by any security firms as spammy, malicious or phishing-related. In other words, these services were designed so that proxy service users could easily tell if their rented Internet address was still safe to use for online fraud.

Another domain with the Google Analytics code US-2665744 was sscompany[.]net. An archived copy of the site says SSC stands for “Server Support Company,” which advertised outsourced solutions for technical support and server administration. The company was located in Chisinau, Moldova and owned by Adrian Crismaru.

Leaked copies of the hacked Antichat forum indicate the SSC identity tied to adriman@gmail.com registered on the forum using the IP address 71.229.207.214. That same IP was used to register the nickname “Deem3n®,” a prolific poster on Antichat between 2005 and 2009 who served as a moderator on the forum. There was a Deem3n® user on the webmaster forum Searchengines.guru whose signature in their posts says they run a popular community catering to programmers in Moldova called sysadmin[.]md, and that they were a systems administrator for sscompany[.]net.

That same Google Analytics code is also now present on the homepages of wiremo[.]co and a VPN provider called HideIPVPN[.]com. Wiremo sells software and services to help website owners better manage their customer reviews. Wiremo’s Contact Us page lists a “Server Management LLC” in Wilmington, DE as the parent company. Records from the Delaware Secretary of State indicate Crismaru is CEO of this company. Server Management LLC is currently listed in Apple’s App Store as the owner of a “free” VPN app called HideIPVPN. The contact information on Crismaru’s LinkedIn page says his company websites include myiptest[.]com, sscompany[.]net, and hideipvpn[.]com.

“The best way to secure the transmissions of your mobile device is VPN,” reads HideIPVPN’s description on the Apple Store. “Now, we provide you with an even easier way to connect to our VPN servers. We will hide your IP address, encrypt all your traffic, secure all your sensitive information (passwords, mail credit card details, etc.) form [sic] hackers on public networks.”

Mr. Crismaru did not respond to multiple requests for comment. When asked about the company’s apparent connection to SocksEscort, Wiremo responded, “We do not control this domain and no one from our team is connected to this domain.” Wiremo did not respond when presented with the findings in this report.

 Breaches and Incidents

Orrick, Herrington & Sutcliffe on July 20 reported the data breach to several state regulators, including the attorneys general of Maine and California, as well as a HIPAA breach to the U.S. Department of Health and Human Services.

 Threat Actors

The notorious Clop ransomware gang may earn as much as $100m from its recent data extortion campaign, after a small number of victims paid the group large sums of money, according to Coveware.

 Trends, Reports, Analysis

GuidePoint Research and Intelligence Team (GRIT) published its ransomware report for Q2 2023, which noted some shocking statistics. The report also identified a surge in the activity of Ransomware-as-a-Service (RaaS) groups throughout the quarter, attributed to the emergence of 14 new groups.

 Trends, Reports, Analysis

The average global cost of a data breach now stands at a record $4.45m, up a little over 2% year on year (YoY), according to IBM's 18th annual Cost of a Data Breach Report, compiled by the Ponemon Institute.

 Malware and Vulnerabilities

Spyhide is secretly collecting private data from tens of thousands of Android devices worldwide. The app is often installed on a victim's phone by someone who knows their passcode, and it remains hidden on the home screen.

 Threat Actors

A China-linked group APT31 (aka Zirconium) has been linked to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers abused DLL hijacking vulnerabilities in cloud-based data storage systems such as Dropbox or Yandex, as well as a temporary file-sharing service, to deliver next-stage malware.

 Feed

Ubuntu Security Notice 6243-1 - It was discovered that Graphite-Web incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform server-side request forgery and obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was also discovered that Graphite-Web incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform cross-site scripting and obtain sensitive information.

 Feed

The WordPress File Manager Advanced Shortcode plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to remote code execution in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration. Versions 2.3.2 and below are affected. To install the Shortcode plugin, File Manager Advanced version 5.0.5 or lower is required to keep the configuration vulnerable. A user with any privilege level can exploit this vulnerability, which results in access to the underlying operating system with the same privileges under which the WordPress web service runs.
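As an added illustration of the failure mode this advisory describes (deciding from the MIME type the client declares rather than from what was actually uploaded), here is a vulnerable upload gate beside a hardened one. It is written in Python, not the plugin's PHP code; the allow lists, the executable-extension list and the sample uploads are constructed, and the hardened gate goes beyond the advisory's single point by also rejecting double extensions and name/content mismatches.

```python
"""Two upload gates. vulnerable_gate() trusts the declared Content-Type;
hardened_gate() decides only from the file name and bytes the server holds.
Added example, not the plugin's code; lists and sample uploads are constructed."""
from typing import Optional, Tuple

ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif", "application/pdf"}
ALLOWED_EXT = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
               "gif": "image/gif", "pdf": "application/pdf"}
# Anything a web server or PHP handler might execute if it lands in the docroot.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
                  "cgi", "pl", "sh", "htaccess"}
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}


def sniff(data: bytes) -> Optional[str]:
    """Identify the type from leading bytes, ignoring what the client claimed."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def vulnerable_gate(filename: str, declared_mime: str, data: bytes) -> bool:
    """Accepts when the *declared* Content-Type is on the allow list. A request
    that says image/png for shell.php sails through."""
    return declared_mime in ALLOWED_MIME


def hardened_gate(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Decide from server-side facts only; declared_mime is ignored on purpose.
    Returns (accepted, reason)."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # Reject an executable extension anywhere in the name: shell.php.jpg is
    # still run by servers configured with per-extension handlers.
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, "executable extension"
    if exts[-1] not in ALLOWED_EXT:
        return False, f"extension .{exts[-1]} not allowed"
    sniffed = sniff(data)
    if sniffed is None:
        return False, "content does not match a permitted type"
    expected = ALLOWED_EXT[exts[-1]]
    if sniffed != expected:
        return False, f"content is {sniffed}, name says {expected}"
    return True, "ok"


# Constructed sample uploads: (file name, declared Content-Type, first bytes).
SAMPLES = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.php", "image/png", b"<?php system($_GET['c']); ?>"),           # lies about its type
    ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff" + b"<?php echo 1; ?>"),  # polyglot name
    ("notes.pdf", "application/pdf", b"GIF89a" + b"\x00" * 8),              # name/content mismatch
]


def evaluate():
    """Run both gates over SAMPLES: {name: (vulnerable_accepts, hardened_accepts)}."""
    return {n: (vulnerable_gate(n, m, d), hardened_gate(n, m, d)[0]) for n, m, d in SAMPLES}


if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        print(f"{name:15} declared-type check: {weak!s:5} server-side check: {strong}")
```

Even the hardened gate is only one layer: the upload directory should additionally be served with script execution disabled and, where possible, from a host or path that the web server never hands to an interpreter, so that a bypass of the name checks still does not yield code execution.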

 Feed

Ubuntu Security Notice 6242-1 - It was discovered that OpenSSH incorrectly handled loading certain PKCS#11 providers. If a user forwarded their ssh-agent to an untrusted system, a remote attacker could possibly use this issue to load arbitrary libraries from the user's system and execute arbitrary code.

 Feed

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

 Feed

Ubuntu Security Notice 6203-2 - USN-6203-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 ESM. Seokchan Yoon discovered that Django incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.

 Feed

Ubuntu Security Notice 6241-1 - Jan Wasilewski and Gorka Eguileor discovered that OpenStack incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

 Feed

Red Hat Security Advisory 2023-4262-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include privilege escalation and use-after-free vulnerabilities.

 Feed

Red Hat Security Advisory 2023-4256-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.

 Feed

Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. The list of the flaws is below - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and

 Feed

Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability. Dubbed CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as

 Feed

Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one zero-day bug actively exploited in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and could permit a malicious app to modify sensitive kernel state. The company said it was addressed with improved state management. "

 Feed

The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. "They are still heavily focused on Latin American

 Feed

As the number of people using macOS keeps going up, so does the desire of hackers to take advantage of flaws in Apple's operating system.  What Are the Rising Threats to macOS? There is a common misconception among macOS fans that Apple devices are immune to hacking and malware infection. However, users have been facing more and more dangers recently. Inventive attackers are specifically

 Feed

A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have

 Feed

How do you overcome today's talent gap in cybersecurity? This is a crucial issue — particularly when you find executive leadership or the board asking pointed questions about your security team's ability to defend the organization against new and current threats. This is why many security leaders find themselves turning to managed security services like MDR (managed detection and response),

 Feed

A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords. Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at a rate of about 30 KB per core per second. The

 Feed

North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address. Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already

 Feed only

Graham Cluley Security News is sponsored this week by the folks at PlexTrac. Thanks to the great team there for their support! Reports are the critical deliverables that make pentest results actionable, but do they have to be so painful to prepare? Not anymore. Check out our guide to writing a killer pentest report.

Aggregator history: Tuesday, July 25, 2023