From refusing to cooperate with spyware abuse investigations to cracking down on its blatant misuse, Poland has come full circle. The Polish prosecutor's office has charged Michał Woś, a former Deputy Minister of Justice, with exceeding his powers and failing to fulfill his obligations. The charges stem from the unauthorized transfer of PLN 25 million [approximately US$6.45 million] from the Justice Fund to purchase the controversial Pegasus spyware for the Central Anticorruption Bureau (CBA). The Polish parliament in June voted to lift Woś's legal immunity in order to prosecute him for the part he allegedly played in buying the commercial spyware while in power.

Five-Year Surveillance History of Pegasus Spyware

The prosecutor's office in April revealed that the government led by the conservative Law and Justice Party targeted nearly 600 people for Pegasus surveillance between 2017 and 2022. The investigation was first opened on the basis of a 2021 Citizen Lab investigation that determined Pegasus had infected the phone of Krzysztof Brejza, a member of the European Parliament for Poland. Brejza was an opposition figure at the time of the infection in 2019; text messages from his phone were doctored and then leaked. The prosecutor's investigation into irregularities within the Justice Fund uncovered evidence implicating Woś in the illicit transfer. The Sejm, Poland's lower house of parliament, voted unanimously to allow criminal proceedings against him following a request from the Prosecutor General. Woś is accused of abusing his authority by ordering the Justice Fund to pay the CBA the hefty sum for the Pegasus spyware, despite knowing that the agency did not meet the necessary criteria for receiving such funding. The Justice Fund is typically reserved for supporting other entities, and its resources cannot be used to directly finance the CBA's activities, which are primarily funded through the state budget.

Possible 10-Year Sentence for Polish Official

The prosecutor argues that Woś's actions caused significant financial damage to the Polish Treasury and undermined the public interest. The crime he is charged with carries a potential prison sentence of up to 10 years.
The prosecutor's office has gathered substantial evidence to support the charges, including documents from the Ministry of Justice and the CBA, as well as findings from the Supreme Audit Office and the Chief Advocate for Public Finance Discipline. These materials clearly demonstrate that the Justice Fund could not legally transfer funds to the CBA for the purchase of Pegasus, the prosecutor's office said. After being charged, Woś appeared before the prosecutor and provided explanations for his actions. However, he did not admit to the crime he is accused of. To ensure that the legal proceedings move smoothly, the prosecutor has imposed a preventive measure on Woś, requiring him to report to the police twice a month and prohibiting him from contacting certain individuals involved in the case. Woś has the right to appeal this decision. The new administration in Poland has also recently signed a Biden administration pledge to counter the proliferation and misuse of spyware.
ManticoraLoader, a new malware-as-a-service (MaaS), was observed on the cybercriminal XSS forum being distributed by 'DarkBLUP,' an alias previously used to distribute malware from the DeadXInject group, such as the still-active AresLoader malware and the AiDLocker ransomware. The new malware variant has been offered by DeadXInject on its Telegram channel since around August 8, 2024.

ManticoraLoader Employs Stealth and Obfuscation

ManticoraLoader offers a broad feature set that makes it a versatile tool for cybercriminal operations. Researchers from Cyble Research and Intelligence Labs (CRIL) indicated that the malware is compatible with Windows 7 and later versions, including Windows Server, allowing it to target a wide range of systems still in use today.

[Image: Source: Cyble Blog]

One of its key features is a module designed to gather extensive information from infected devices, including IP address, username, system language, installed antivirus software, UUID, and date-time stamps. This reconnaissance data is transmitted back to a centralized control panel, enabling the threat actors to profile victims and tailor their attacks accordingly.

[Image: Source: Cyble Blog]

The loader's modular design allows functionality to be extended on request, making it adaptable to various malicious objectives. ManticoraLoader also employs obfuscation techniques to evade detection, with a reported detection rate of 0/39 on Kleenscan. To further demonstrate its evasive capabilities, the actors posted a video showcasing the loader bypassing the 360 Total Security sandboxing solution. The threat actors have also designed ManticoraLoader with persistence in mind: it can reportedly place files into auto-start locations, ensuring its continued presence on compromised systems.

The threat actors behind ManticoraLoader have implemented a strict transaction process, limiting the number of clients to 10 and offering the service through the forum's escrow service or by direct contact via Telegram or TOX. This exclusivity may be a strategic move to maintain control and reduce exposure. The service is offered for a monthly rental fee of $500, indicating the threat actors' intention to monetize their creation. This pricing model suggests that ManticoraLoader is not merely a one-off tool but a carefully crafted MaaS designed to generate a steady stream of revenue for the cybercriminals.

AresLoader Persists

The researchers, however, are unsure why the threat actor DarkBLUP remained inactive for more than a year after their success with the AiDLocker ransomware and AresLoader. As AresLoader is still widely used among cybercriminals, the researchers suggest that the group is not abandoning its previous project but rather expanding its arsenal to diversify its malicious offerings and broaden monetization.
The city of Columbus has obtained a temporary restraining order against cybersecurity expert David L. Ross Jr., also known as Connor Goodwolf, in a bid to prevent him from accessing, downloading, and disseminating sensitive files stolen from the city's server farm during a ransomware attack. City Attorney Zach Klein had requested the order, citing the need to protect police, victims, and the public from potential harm.

Controversy Surrounding the Restraining Order

The restraining order has sparked controversy, as Ross has been instrumental in alerting the public to the extent of the data breach. His disclosures have often contradicted statements made by city officials, including Mayor Andrew Ginther, about the severity of the hack. Ross argues that the city is trying to prevent him from exposing the full extent of the data breach, which he believes has been mishandled by the city's IT department. He stated that the city's data breach consultant tried to hire him earlier, which he suspects was an attempt to prevent him from speaking publicly about the breach. He plans to seek legal representation and has suggested the possibility of a lawsuit against the city for infringing on his First Amendment rights. The online court docket doesn't permit the public to see that document, and the file still lists Noble's name as the judge in the case. Goodwolf had been alerting the city's public that personal information on city officials and citizens, including driver's license and Social Security information, was among the data that had been hacked and posted online after the city refused to pay the ransom. The files are further stated to include data on victims of criminal acts, such as domestic violence victims, and personal information about undercover Columbus police officers.

Columbus Breach Stated to Include Personal Data

City Attorney Zach Klein justified and welcomed the decision by Common Pleas Judge Kim Brown: "As City Attorney, I have a duty to do whatever I can to protect police, victims, undercover officers and the public when they are threatened with harm."

"This decision is a positive step to stem the dissemination of stolen confidential personnel and victim data—information that compromises active investigations and poses a threat to the lives and livelihoods of real people," he added.

Daniel Maldet, from the Columbus office of CMIT Solutions, though not directly involved with the case's investigation, shed further light on the breach's extent. He stated, "They are showing that 3.1 TB (terabytes) of data is released – 258,270 files which is 45% of the stolen data. They show, 'not sold data was uploaded, data hunter, enjoy'. This might suggest that 55% of the data was sold — that's just a guess."

Earlier, in January 2023, the Columbus City Council had approved a $2.5 million contract for 'Cybersecurity Products and Services' after receiving proposals from five different firms.
Cisco's deal to acquire Robust Intelligence will make it possible to use red-team algorithms to assess risk in AI models and applications, while Check Point's acquisition of Cyberint will add threat intelligence to its SOC platform.
The Godzilla fileless backdoor relies on a complex series of actions, such as cryptographic operations, class loading, and dynamic injection, to establish unauthorized access.
Once installed, the Rocinante malware prompts the victim to grant Accessibility Services and displays phishing screens tailored to different banks to steal personal information.
The attack starts with a phishing email disguised as a fund transfer notification, with an attached Excel file named “swift copy.xls” that triggers the deployment of Snake Keylogger on the victim's computer upon opening.
The ransomware operation focuses on data theft extortion rather than encrypting files, with victims facing the threat of stolen data being leaked or sold if negotiations fail.
The QiAnXin Threat Intelligence Center has revealed the details of "Operation DevilTiger," a cyber espionage campaign carried out by the elusive APT-Q-12 group, also known as "Pseudo Hunter."
The campaign, which targeted organizations worldwide, involved impersonating tax authorities from various countries and utilizing Google Sheets for command and control (C2).
GitLab version 16.0 contains a directory traversal that allows arbitrary file read as the gitlab-www user. This Metasploit module requires authentication for exploitation: the user must be able to create a project and groups. When exploiting this vulnerability, there is a direct correlation between the traversal depth and the depth of groups the vulnerable project is in. The minimum for this seems to be 5, but up to 11 have also been observed. For example, if the directory traversal needs a depth of 11, a group and 10 nested child groups, each a sub-group of the previous, will be created (adding up to 11). Visually this looks like: Group1->sub1->sub2->sub3->sub4->sub5->sub6->sub7->sub8->sub9->sub10. If the depth were 5, a group and 4 nested child groups would be created. With all these requirements satisfied, a dummy file is uploaded and the full traversal is then executed. Cleanup is performed by deleting the first group, which cascades to deleting all other objects created.
This Metasploit module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge (as part of a challenge and response authentication scheme). The injection is blind, but the server response contains a different status code if the query was successful. As such, the attacker can guess the contents of the user database. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723). This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.
This Metasploit module uses a directory traversal vulnerability to extract information such as password, rdspassword, and "encrypted" properties. This Metasploit module has been tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
Dumps SAM hashes and LSA secrets (including cached creds) from the remote Windows target without executing any agent locally. This is done by remotely updating the registry key security descriptor, taking advantage of the WriteDACL privileges held by local administrators to set temporary read permissions. This can be disabled by setting the INLINE option to false, in which case the module falls back to the original implementation, which consists of saving the registry hives locally on the target (%SYSTEMROOT%\Temp\<random>.tmp), downloading the temporary hive files and reading the data from them. These temporary files are removed when it is done. On domain controllers, secrets from Active Directory are extracted using [MS-DRSR] DRSGetNCChanges(), replicating the attributes needed to get SIDs, NTLM hashes, groups, password history, Kerberos keys and other interesting data. Note that the actual NTDS.dit file is not downloaded. Instead, the Directory Replication Service directly asks Active Directory through RPC requests. This Metasploit module takes care of starting or enabling the Remote Registry service if needed, and restores the service to its original state when it is done. This is a port of the great Impacket secretsdump.py code written by Alberto Solino.
This Metasploit module sends a query to port 264/TCP on CheckPoint Firewall-1 firewalls to obtain the firewall name and management station (such as SmartCenter) name via a pre-authentication request. The string returned is the CheckPoint Internal CA CN for SmartCenter and the firewall host. Whilst considered "public" information, the majority of installations use detailed hostnames, which may aid an attacker in focusing on compromising the SmartCenter host. This is also relevant for government, intelligence and military networks, where the hostname may reveal the physical location and rack number of the device and thus be unintentionally published to the world.
Apache Superset versions less than or equal to 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies. These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user and retrieve database credentials saved in Apache Superset.
Versions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if an attacker can gain access to administrative credentials. This vulnerability was fixed in 1.2.17.
This Metasploit module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up.
Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files. This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system with a valid username/password, as the attack requires an active session. Tested against version 1.3.2.
Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 are vulnerable to a path traversal vulnerability within the SSL VPN web portal which allows unauthenticated attackers to download FortiOS system files through specially crafted HTTP requests. This Metasploit module exploits this vulnerability to read the usernames and passwords of users currently logged into the FortiOS SSL VPN, which are stored in plaintext in the "/dev/cmdb/sslvpn_websession" file on the VPN server.
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This Metasploit module exploits this to read an arbitrary file from the file system. Any authenticated user is able to exploit it, as administrator privileges aren't required.
The W3 Total Cache WordPress plugin, versions 0.9.2.4 and below, can cache database statements and their results in files for fast access. Version 0.9.2.4 was fixed after its release, so installations reporting that version may still be vulnerable. These cache files are in the webroot of the WordPress installation and can be downloaded if the name is guessed. This Metasploit module tries to locate them by brute force in order to find usernames and password hashes in these files. W3 Total Cache must be configured with Database Cache enabled and Database Cache Method set to Disk to be vulnerable.
This Metasploit module abuses an XML External Entity Injection vulnerability on the OpenID module from Drupal. The vulnerability exists in the parsing of a malformed XRDS file coming from a malicious OpenID endpoint. This Metasploit module has been tested successfully on Drupal 7.15 and 7.2 with the OpenID module enabled.
The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability within the download functionality. As of April 15, 2024 this was still unpatched, so all versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
Lansweeper stores the credentials it uses to scan the computers in its Microsoft SQL database. The passwords are XTea-encrypted with a 68 character long key, in which the first 8 characters are stored with the password in the database and the other 60 are static. Lansweeper, by default, creates an MSSQL user "lansweeperuser" with the password "mysecretpassword0*", and stores its data in a database called "lansweeperdb". This Metasploit module will query the MSSQL database for the credentials.
This Metasploit module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames. It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you must supply your own list of file paths. Each file path should look like this: c:\\windows\\system32\\calc.exe.
MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. Verified against MinIO 2023-02-27T18:10:45Z.
This Metasploit module discloses the NIS domain name from bootparamd. You must know a client address from the target's bootparams file. Hint: try hosts within the same network range as the target.
Firmware versions up to 7.0.0-build1904 of Peplink Balance routers are affected by an unauthenticated SQL injection vulnerability in the bauth cookie. Successful exploitation allows an attacker to retrieve the cookies of authenticated users, bypassing the web portal authentication. By default, a session expires 4 hours after login (the setting can be changed by the admin); for this reason, the module attempts to retrieve the most recently created sessions.
This Metasploit module allows an authenticated user to retrieve the usernames and encrypted passwords of other users in Piwigo through SQL injection using the (filter_user_id) parameter.
This Metasploit module will search remote file shares for unattended installation files that may contain domain credentials. This is often used after discovering domain credentials with the auxiliary/scanner/dcerpc/windows_deployment_services module or in cases where you already have domain credentials. This Metasploit module will connect to the RemInst share and any Microsoft Deployment Toolkit shares indicated by the share name comments.
This Metasploit module extracts usernames and password hashes from the Cerberus Helpdesk through an unauthenticated access to a workers file. Verified on Version 4.2.3 Stable (Build 925) and 5.4.4.
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.
Verkada Agrees to $2.95M Civil Penalty After Hacks
Source: www.databreachtoday.com (Cloud Security, Legislation & Litigation, Security Operations)
Cloud-Based Security Camera Firm Pledges Better Security in US FTC Settlement
Marianne Kolbasuk McGee (HealthInfoSec), August 30, 2024
The U.S. Federal Trade Commission alleges that lax security practices allowed hackers to access sensitive video footage from Verkada's IP-enabled […]
This post was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

US Body to Assess OpenAI and Anthropic Models Before Release
Source: www.databreachtoday.com (Artificial Intelligence & Machine Learning, Next-Generation Technologies & Secure Development)
The AI Safety Institute Will Evaluate Safety and Suggest Improvements
Rashmi Ramesh (rashmiramesh_), August 30, 2024
The U.S. AI Safety Institute will evaluate OpenAI and Anthropic models for safety. Leading artificial intelligence companies OpenAI […]

CISA and HHS Would Team Up in Health Sector Under House Bill
Source: www.databreachtoday.com (Healthcare, Industry Specific, Legislation & Litigation)
Bill Is Similar to Senate Proposals, But Will Congress Take Action Before Election?
Marianne Kolbasuk McGee (HealthInfoSec), August 30, 2024
A bipartisan House bill aims to bolster cybersecurity in the healthcare sector by requiring stronger collaboration between […]

Indictment of Telegram CEO Threatens End-to-End Encryption
Source: www.databreachtoday.com
Telegram Messages Hard to Encrypt But CEO Faces Charges for Noncompliant Cryptology
Akshaya Asokan (asokan_akshaya), August 30, 2024
The arrest and indictment of Telegram CEO Pavel Durov is sparking concerns about the viability of encrypted communications in France. The Paris […]

Live Webinar | Building a More Resilient Healthcare Enterprise and Ecosystem
Source: www.databreachtoday.com
Heather Costa, Director of Technology Resilience, Mayo Clinic
Heather M. Costa, MPS, CBCP, CCRP, is the Director of Technology Resilience at Mayo Clinic, the No. 1 ranked hospital by U.S. News and World Report and Newsweek. In her capacity, Heather is responsible for the strategic direction, development, and implementation of […]

Why Dell Is Once Again Eyeing the Sale of MSSP Secureworks
Source: www.databreachtoday.com (Governance & Risk Management, Managed Security Service Provider (MSSP), Open XDR)
Growth, Profitability and Stock Price Woes Have Dell Primed to Cash Out Its Chips
Michael Novinson (MichaelNovinson), August 30, 2024
The bifurcation of the public cybersecurity market between large, high-growth vendors and small, low-growth […]

RansomHub Hits Powered by Ex-Affiliates of LockBit, BlackCat
Source: www.databreachtoday.com (Fraud Management & Cybercrime, Ransomware)
Feds Count Over 200 Known US Victims of Ransomware Group That Launched in February
Mathew J. Schwartz (euroinfosec), August 30, 2024
Affiliates are turning RansomHub into a first-tier digital extortion group. Ransomware groups may come and go in name, […]