source:  cyware.com

25 Vulnerabilities Chinese APT Groups Are Chasing Right Now

 

Cybercriminals are consistently scanning and exploiting publicly available security bugs. Recently, the National Security Agency (NSA) has published a 

report , detailing the top 25 vulnerabilities exploited by hackers, urging organizations in the U.S. public and private sectors to prioritize for action.

The top 25 vulnerabilities

According to the report, Chinese state-sponsored hackers were seen abusing these vulnerabilities to launch strategic hacking operations against a multitude of victim networks.
  • Most of these vulnerabilities belong to products related to remote access or external web services. Such products, accessible via the internet, are often exploited to gain initial access inside the victim’s network.
  • Exploits in the enterprise products including gateways (including Citrix ADC and Gateway, Symantec Messaging Gateway), VPN (Pulse Secure VPN), load balancers (F5 BIG-IP), etc. could provide direct remote access to the attackers.
  • Several vulnerabilities in the list target Windows OS and its services, such as Remote Desktop Services (Blukeep vulnerability), Netlogon (Zerologon), DNS server (SigRed), etc.
  • Additional products include business applications such as email servers (such as Microsoft Exchange, Exim mail), and application servers (such as Oracle WebLogic, Zoho ManageEngine, Adobe ColdFusion), that are being targeted by Chinese hackers.

Recent exploitation of these flaws

Not only Chinese hackers but several other low-level malware groups, ransomware gangs, and other state-sponsored hackers (including Russia, and Iran) were seen exploiting the above-mentioned vulnerabilities.
  • Threats actors such as TA505MuddyWater, and Ryuk were seen abusing the ZeroLogon vulnerability (CVE-2020-1472) to target public and private sector organizations.
  • Hackers were seen combining VPN (CVE-2019-11510) and Windows bugs to gain access to government networks, for which CISA and the FBI had issued prior warnings.
  • F5 BIG-IP (CVE-2020-5902), and Pulse Secure VPN servers (CVE-2019-11510) were also recently targeted by hackers.
  • In September, Iranian hacking group Pioneer Kitten was seen taking advantage of several unpatched vulnerabilities (CVE-2020-5902, CVE-2019-11510, and CVE-2019-19781) to target U.S. businesses and federal agencies.

The bottom line

The exploitation of such vulnerabilities could lead to the compromise of sensitive information related to a country’s policies, strategies, plans, and competitive advantage. Fortunately, all the vulnerabilities listed by researchers have patches available from their vendors. Thus, users are recommended to patch these and all other known vulnerabilities to avoid any undue risks to their infrastructure.

 

 

 

Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene

Police increasingly ask Google and other tech firms for data about who was where, when. Two judges ruled the investigative tool invalid in a Chicago case.

source:  wired.com

 

IN 2018, 23-YEAR-OLD Jorge Molina was arrested and jailed for six days on suspicion of killing another man. Police in Avondale, Arizona, about 20 miles from Phoenix, held Molina for questioning. According to a police report, officers told him they knew “one hundred percent, without a doubt” his phone was at the scene of the crime, based on data from Google. In fact, Molina wasn’t there. He’d simply lent an old phone to the man police later arrested. The phone was still signed into his Google account.

The information about Molina’s phone came from a geofence warrant, a relatively new and increasingly popular investigative technique police use to track suspects’ locations. Traditionally, police identify a suspect, then issue a warrant to search the person’s home or belongings.

Continue reading “Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene”

Report details how North Korean and Russian cybercriminals are cooperating

source:  scmagazine.com

Several companies, media outlets and the U.S. government have accused North Korean state-sponsored hackers of purchasing access to pre-hacked servers from criminal groups. But the connections to specific criminal groups have been a little more tenuous.

Now a new meta-analysis of previous reports from Intel 471 establish a likely connection to TrickBot.

TrickBot, as well as Dridex and TA505, are groupings of attacks linked to different Russian-speaking cybercriminals who sell access to victims’ machines in criminal forums. The North Korean Lazarus Group, which supplements an economy ravaged by sanctions with cybercrime, is known to use a variety of vectors to find initial access.

“I was skeptical about any North Korea / Russian criminal group links before writing this,” said Intel 471 chief executive Mark Arena, who wrote the report. “When open-source reporting is based on one or two instances of TrickBot and Lazarus in the same server, it’s possible that they were two separate attacks.”

Arena read through the various reporting on the overlap between criminal groups and Lazarus, contacted the researchers for information not contained in the reports and solicited additional information from other researchers.

What he found was a very clear chain in the reports showing TrickBot infections leading to malware only used infrequently in Lazarus-type attacks, which appears to be developed by Lazarus using the group’s fairly distinctive code.

Public reporting was less sufficient. A purported connection to Dridex appeared to be a researcher conflating different criminal groups. And when Arena contacted a BAE researcher who had given a presentation proposing a connection between TA505 and Lazarus, that researcher said the presentation was only meant to be taken as a theory. However, in speaking with practitioners who hadn’t made their work public, other people had independent suspicions of a link between the two that no longer appears to be active.

Arena told SC Media that knowing there is a connection between different actors gives defenders a chance to investigate a potential second problem when the first one is found. He added that if North Korea is likely to purchase access from one actor, it is likely to be willing to purchase from others. The choice of vendors shouldn’t be seen as set in stone.

““I was skeptical about any North Korea / Russian criminal group links before writing this…”  –Mark Arena,

source:  thecyberwire.com

At a glance.

  • FBI Director offers a harsh appraisal of Chinese cyberespionage.
  • Official concerns about Chinese cyber operations in France and India.

FBI Director offers a harsh appraisal of Chinese cyberespionage.

At a speech before the Hudson Institute yesterday, US FBI Director Wray denounced Chinese intelligence operations as serving Beijing’s ambitions to become the world’s dominant power. The Communist Party of China, Director Wray said, believes it’s in a “generational fight” to become the world’s sole superpower, and that Beijing’s assertiveness in cyberspace is a consequence of the strategy that flows from that belief. 

Continue reading “THE FBI’S TAKE ON CHINA’S CYBER OPERATIONS”

source: threatpost.com

 

A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of  taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team, onWednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle Weblogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework  CVE-2019-9081), and Microsoft Windows (CVE-2017-0144CVE-2017-0145, and CVE-2017-8464).

Continue reading “SELF-PROPAGATING LUCIFER MALWARE TARGETS WINDOWS SYSTEMS”

source: securityweek.com

 

image - phishing

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.

According to a 2019 study, 74 percent of respondents whose organizations have been breached acknowledged the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By leveraging a “trusted” identity a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front ended by phishing campaigns. So, what can organizations do to prevent their users from falling for the bait of these attacks? 

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails [or text messages] are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails [or SMS messages] often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

Continue reading “PHISHING ATTACKS: BEST PRACTICES FOR NOT TAKING THE BAIT”

source: nakedsecurity.sophos.com

If you’re a Naked Security Podcast listener, you’ll have heard Sophos’s own Peter Mackenzie telling some fairly wild ransomware stories.

Peter works in the Managed Threat Response (MTR) part of our business – in his own words, if your network’s on fire, he’s one of the people who will rush in to try to fix it.

As you can imagine, plenty of his deployments come in the aftermath of ransomware attacks.

A few years ago ransomware criminals typically used what’s called the “spray-and-pray” approach – or what might more appropriately be called “spray-and-prey”, given the entirely predatory nature of these attacks.

A ransomware gang might have emailed a malicious attachment to ten million people, relying on ten thousand of them opening it up and getting scrambled, and then banking (figuratively and literally) on three thousand or so of the victims being stuck with little alternative but to pay up $350 each, for a total criminal pay-check of $1,000,000.

Make no mistake, those early ransomware criminals, such as the crooks behind malware such as CryptoLockerLocky and Teslacrypt, extorted millions of dollars, and their crimes were no less odious or destructive overall than what we see today.

But today’s ransomware criminals tend to pick entire organisations as victims.

Continue reading “INSIDE A RANSOMWARE GANG’S ATTACK TOOLBOX”

source: securitymagazine.com

 

A new study from FICO found a large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online.

As consumers reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.

The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two to five passwords they reuse across accounts; and four percent use a single password across all accounts. Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager which many consider best practice; 30 percent are using high-risk strategies such as writing their passwords down in a notebook.

“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO. “Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”

Continue reading “PROTECTION WHEN BANKING ONLINE”

source: wired.com

Five years ago, the Department of Defense set dozens of security hygiene goals. A new report finds that it has abandoned or lost track of most of them

THE UNITED STATES federal government isn’t known for robust cybersecurity. Even the Department of Defense has its share of known vulnerabilities. Now a new report from the Government Accountability Office is highlighting systemic shortcomings in the Pentagon’s efforts to prioritize cybersecurity at every level and making seven recommendations for shoring up DoD’s digital defenses.

The report isn’t a checklist of what DoD should be doing to improve cybersecurity awareness in the abstract. Instead, GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of “cybersecurity hygiene” like this doesn’t directly analyze a network’s hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.

“It’s everyone’s responsibility to understand their part in cybersecurity, but how do you convince everyone to follow the rules they’re supposed to follow and do it consistently enough?” says Joseph Kirschbaum, a director in GAO’s defense capabilities and management team who oversaw the report. “You’re never going to be able to eliminate all the threats, but you can manage them sufficiently, and a lot of DoD’s strategies and plans are good. Our concern is whether they’re doggedly pursuing it enough so they’re able to do the risk management.”

Continue reading “THE PENTAGON HASN’T FIXED BASIC CYBERSECURITY BLIND SPOTS”

source: fastcompany.com

By making encryption free and easy, Let’s Encrypt solved one of the web’s biggest problems. Its secret? A maniacal focus on automation and efficiency.

Let’s Encrypt issued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server that’s effectively impenetrable to snooping. The pandemic hasn’t halted the group’s progress: It says it’s now issued over 1,080,000,000 certificates.

That Let’s Encrypt doesn’t charge for this service is a big deal. A digital certificate for a website—also useful for email servers and other client/server systems—used to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.

While the price had dropped significantly before Let’s Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though I’ve been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Let’s Encrypt.)

Let’s Encrypt didn’t set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing that has doubled the number of secure sites from 40 to 80 percent of all sites since 2016.

As executive director and cofounder of ISRG Josh Aas says, the organization wants everyone to be able to “go out and participate fully in the web without having to pay hundreds of dollars to do something.” Setting the cost at zero benefits each site’s users and the internet as a whole.

Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Let’s Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.

This dramatic increase in web encryption protects people from some unwanted commercial tracking and snooping by malicious parties and government actors alike. It took Let’s Encrypt as a catalyst to put it within the reach of every website.

BLOCKING UNPRECEDENTED SNOOPING

After the revelation of the scope and nature of wide-scale, routine data collection by U.S. national security agencies added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest stored on servers, and browser makers calling users’ attention to unprotected web sessions.

Continue reading “HOW A NONPROFIT YOU’VE NEVER HEARD OF MADE THE WEB SAFER FOR EVERYONE”