Normal view

There are new articles available, click to refresh the page.
Today — 29 March 2024Security News

Cisco warns of password-spraying attacks targeting Secure Firewall devices

29 March 2024 at 12:34

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services of Cisco Secure Firewall devices.

Cisco is warning customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company published a document containing recommendations against password spray attacks aimed at Remote Access VPN (RAVPN) services. The IT giant pointed out that the attacks are also targeting third-party VPN concentrators.

“Cisco was made aware of multiple reports related to password spraying attacks aimed at RAVPN services. It has been noted by Talos that these attacks are not limited to Cisco products but also third-party VPN concentrators.” reads the report. “Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions.”

Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

The company shared Indicators of Compromise (IoC) for these attacks, including:

  • Unable to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled;
  • Unusual Amount of Authentication Requests;

Below is the list of recommendations to defend against these attacks:

  • Enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices.
  • Securing Default Remote Access VPN Profiles when the default remote access VPN connection profiles/tunnel groups DefaultRAGroup and DefaultWEBVPNGroup are not used. The company urge to to prevent authentication attempts and remote access VPN session establishment using these default connection profiles/tunnel groups by pointing them to a sinkhole AAA server.
  • Leveraging TCP shun to block a malicious IP. This activity must be done manually. 
  • Configuring Control-plance ACL on the ASA/FTD to filter out unauthorized public IP addresses and prevent them from initiating remote VPN sessions.
  • Use Certificate-based authentication for RAVPN
  • Using certificates for authentication because provide a more robust approach compared to the use of credentials. To harden your environment, you can change the authentication method for RAVPN to be based on certificates.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, password-spraying attacks)

TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

By: Newsroom
29 March 2024 at 12:12
A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless. "TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024," the Black Lotus Labs team at Lumen

The Golden Age of Automated Penetration Testing is Here

29 March 2024 at 11:19
Network penetration testing plays a vital role in detecting vulnerabilities that can be exploited. The current method of performing pen testing is pricey, leading many companies to undertake it only when necessary, usually once a year for their compliance requirements. This manual approach often misses opportunities to find and fix security issues early on, leaving businesses vulnerable to

New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking

By: Newsroom
29 March 2024 at 10:49
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user's password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper

American fast-fashion firm Hot Topic hit by credential stuffing attacks

29 March 2024 at 08:48

Hot Topic suffered credential stuffing attacks that exposed customers’ personal information and partial payment data.

Hot Topic, Inc. is an American fast-fashion company specializing in counterculture-related clothing and accessories, as well as licensed music.

The company was the victim of credential stuffing attacks against its website and mobile application on November 18-19 and November 25, 2023. The attackers detected suspicious login activity to certain Hot Topic Rewards accounts.

Threat actors obtained valid account credentials obtained from an unknown third-party source.

Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 

“We recently identified suspicious login activity to certain Hot Topic Rewards accounts. Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on November 18-19 and November 25, 2023 using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source. Hot Topic was not the source of the account credentials used in these attacks.” reads the notification sent to the potentially impacted customers.

The company informed customers that it could not confirm whether unauthorized third parties accessed any accounts or if the logins were legitimate customer access during the relevant periods. The company only observed that the account credentials of potentially impacted customers were used to log into their Rewards account.

“It’s important to note that we have not concluded any unauthorized access to your Hot Topic Rewards account. We’re sending you this notice as a precautionary measure.” continues the notification.

Threat actors may have accessed customers’ names, email addresses, order history, phone numbers, month and day of their births, and mailing addresses. If the potentially impacted customers had saved a payment card to their Rewards account, threat actors could have accessed the last four digits of the card number.

Hot Topic revealed that after detecting the suspicious activity, they launched an investigation with the help of outside cybersecurity experts. The company also announced the implementation of specific measures to improve the website and mobile application protection from credential stuffing attacks. The company also recommends changing the account password.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)

PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers

By: Newsroom
29 March 2024 at 05:37
The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign. PyPI said "new project creation and new user registration" was temporarily halted to mitigate what it said was a "malware upload campaign." The incident was resolved 10 hours later, on March 28, 2024, at 12:56

Thread Hijacking: Phishes That Prey on Your Curiosity

28 March 2024 at 23:56

Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient’s natural curiosity about being copied on a private discussion, which is modified to include a malicious link or attachment. Here’s the story of a thread hijacking attack in which a journalist was copied on a phishing email from the unwilling subject of a recent scoop.

In Sept. 2023, the Pennsylvania news outlet LancasterOnline.com published a story about Adam Kidan, a wealthy businessman with a criminal past who is a major donor to Republican causes and candidates, including Rep. Lloyd Smucker (R-Pa).

The LancasterOnline story about Adam Kidan.

Several months after that piece ran, the story’s author Brett Sholtis received two emails from Kidan, both of which contained attachments. One of the messages appeared to be a lengthy conversation between Kidan and a colleague, with the subject line, “Re: Successfully sent data.” The second missive was a more brief email from Kidan with the subject, “Acknowledge New Work Order,” and a message that read simply, “Please find the attached.”

Sholtis said he clicked the attachment in one of the messages, which then launched a web page that looked exactly like a Microsoft Office 365 login page. An analysis of the webpage reveals it would check any submitted credentials at the real Microsoft website, and return an error if the user entered bogus account information. A successful login would record the submitted credentials and forward the victim to the real Microsoft website.

But Sholtis said he didn’t enter his Outlook username and password. Instead, he forwarded the messages to LancasterOneline’s IT team, which quickly flagged them as phishing attempts.

LancasterOnline Executive Editor Tom Murse said the two phishing messages from Mr. Kidan raised eyebrows in the newsroom because Kidan had threatened to sue the news outlet multiple times over Sholtis’s story.

“We were just perplexed,” Murse said. “It seemed to be a phishing attempt but we were confused why it would come from a prominent businessman we’ve written about. Our initial response was confusion, but we didn’t know what else to do with it other than to send it to the FBI.”

The phishing lure attached to the thread hijacking email from Mr. Kidan.

In 2006, Kidan was sentenced to 70 months in federal prison after pleading guilty to defrauding lenders along with Jack Abramoff, the disgraced lobbyist whose corruption became a symbol of the excesses of Washington influence peddling. He was paroled in 2009, and in 2014 moved his family to a home in Lancaster County, Pa.

The FBI hasn’t responded to LancasterOnline’s tip. Messages sent by KrebsOnSecurity to Kidan’s emails addresses were returned as blocked. Messages left with Mr. Kidan’s company, Empire Workforce Solutions, went unreturned.

No doubt the FBI saw the messages from Kidan for what they likely were: The result of Mr. Kidan having his Microsoft Outlook account compromised and used to send malicious email to people in his contacts list.

Thread hijacking attacks are hardly new, but that is mainly true because many Internet users still don’t know how to identify them. The email security firm Proofpoint says it has tracked north of 90 million malicious messages in the last five years that leverage this attack method.

One key reason thread hijacking is so successful is that these attacks generally do not include the tell that exposes most phishing scams: A fabricated sense of urgency. A majority of phishing threats warn of negative consequences should you fail to act quickly — such as an account suspension or an unauthorized high-dollar charge going through.

In contrast, thread hijacking campaigns tend to patiently prey on the natural curiosity of the recipient.

Ryan Kalember, chief strategy officer at Proofpoint, said probably the most ubiquitous examples of thread hijacking are “CEO fraud” or “business email compromise” scams, wherein employees are tricked by an email from a senior executive into wiring millions of dollars to fraudsters overseas.

But Kalember said these low-tech attacks can nevertheless be quite effective because they tend to catch people off-guard.

“It works because you feel like you’re suddenly included in an important conversation,” Kalember said. “It just registers a lot differently when people start reading, because you think you’re observing a private conversation between two different people.”

Some thread hijacking attacks actually involve multiple threat actors who are actively conversing while copying — but not addressing — the recipient.

“We call these multi-persona phishing scams, and they’re often paired with thread hijacking,” Kalember said. “It’s basically a way to build a little more affinity than just copying people on an email. And the longer the conversation goes on, the higher their success rate seems to be because some people start replying to the thread [and participating] psycho-socially.”

The best advice to sidestep phishing scams is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Yesterday — 28 March 2024Security News

Cisco addressed high-severity flaws in IOS and IOS XE software

28 March 2024 at 18:49

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to trigger a denial-of-service (DoS) condition.

Cisco this week released patches to address multiple IOS and IOS XE software vulnerabilities. An unauthenticated attacker can exploit several issues fixed by the IT giant to cause a denial-of-service (DoS) condition.

Below are the most severe issues addressed by the company:

CVE-2024-20311 (CVSS score 8.6) – A vulnerability in the Locator ID Separation Protocol (LISP) feature of Cisco IOS Software and Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause an affected device to reload.

CVE-2024-20314 (CVSS score 8.6) – A vulnerability in the IPv4 Software-Defined Access (SD-Access) fabric edge node feature of Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause high CPU utilization and stop all traffic processing, resulting in a denial of service (DoS) condition on an affected device.

CVE-2024-20307 – CVE-2024-20308 (CVSS score 8.6) – Multiple vulnerabilities in the Internet Key Exchange version 1 (IKEv1) fragmentation feature of Cisco IOS Software and Cisco IOS XE Software. An attacker could allow an unauthenticated, remote attacker to cause a heap overflow or corruption on an affected system.

CVE-2024-20259 (CVSS score 8.6) – A vulnerability in the DHCP snooping feature of Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.

CVE-2024-20303 (CVSS score 7.4) – A vulnerability in the multicast DNS (mDNS) gateway feature of IOS XE Software for Wireless LAN Controllers (WLCs). An unauthenticated, adjacent attacker can trigger the flaw to cause a denial of service (DoS) condition.

The company also addressed other high and medium-severity vulnerabilities in Access Point Software, Catalyst Center, and Aironet Access Point Software.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries

By: Newsroom
28 March 2024 at 17:02
A Linux version of a multi-platform backdoor called DinodasRAT has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan, new findings from Kaspersky reveal. DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts. In October 2023, Slovak cybersecurity firm ESET&nbsp

Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack

By: Newsroom
28 March 2024 at 16:50
The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 for orchestrating a cyber attack targeting the country's Parliament in 2020. The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a "

❌
❌