source:  cyware.com

25 Vulnerabilities Chinese APT Groups Are Chasing Right Now


Cybercriminals consistently scan for and exploit publicly known security bugs. Recently, the National Security Agency (NSA) published a report detailing the top 25 vulnerabilities exploited by hackers, urging organizations in the U.S. public and private sectors to prioritize them for action.

The top 25 vulnerabilities

According to the report, Chinese state-sponsored hackers were seen abusing these vulnerabilities to launch strategic hacking operations against a multitude of victim networks.
  • Most of these vulnerabilities affect products that provide remote access or external web services. Because such products are reachable from the internet, they are frequently exploited to gain initial access to the victim’s network.
  • Flaws in enterprise gateways (Citrix ADC and Gateway, Symantec Messaging Gateway), VPNs (Pulse Secure VPN), load balancers (F5 BIG-IP), and similar products can give attackers direct remote access.
  • Several vulnerabilities in the list affect the Windows OS and its services, such as Remote Desktop Services (the BlueKeep vulnerability), Netlogon (Zerologon), and the DNS server (SigRed).
  • The list also includes business applications targeted by Chinese hackers, such as email servers (Microsoft Exchange, Exim) and application servers (Oracle WebLogic, Zoho ManageEngine, Adobe ColdFusion).

Recent exploitation of these flaws

Not only Chinese hackers but also several lower-tier malware groups, ransomware gangs, and other state-sponsored actors (including those from Russia and Iran) have been seen exploiting the vulnerabilities listed above.
  • Threat actors such as TA505, MuddyWater, and Ryuk were seen abusing the Zerologon vulnerability (CVE-2020-1472) to target public and private sector organizations.
  • Hackers were seen chaining a VPN bug (CVE-2019-11510) with Windows bugs to gain access to government networks, about which CISA and the FBI had issued prior warnings.
  • F5 BIG-IP (CVE-2020-5902) and Pulse Secure VPN servers (CVE-2019-11510) were also recently targeted by hackers.
  • In September, the Iranian hacking group Pioneer Kitten was seen taking advantage of several unpatched vulnerabilities (CVE-2020-5902, CVE-2019-11510, and CVE-2019-19781) to target U.S. businesses and federal agencies.

The bottom line

The exploitation of such vulnerabilities could lead to the compromise of sensitive information related to a country’s policies, strategies, plans, and competitive advantage. Fortunately, all the vulnerabilities listed by researchers have patches available from their vendors. Organizations are therefore advised to patch these and all other known vulnerabilities to avoid undue risk to their infrastructure.


Facebook Details Malware Campaign Targeting Its Ad Platform

source: securityweek.com

Facebook on Thursday released a detailed technical report on a malware campaign that targeted its ad platform for years.

Referred to as SilentFade (Silently running Facebook ADs with Exploits), the malware was identified in late 2018 and the vulnerability it was exploiting to stay undetected was patched soon after. Facebook took legal action against the malware operators in December 2019.

The malware exploited a server-side flaw to persistently suppress notifications and ensure that the infected users would not be made aware of suspicious activity related to their accounts. This allowed SilentFade to abuse the compromised accounts and run malicious ads without the victims noticing anything.

Although the malware was first detected in the final week of 2018, the cyber-crime group behind it is believed to have been operating since 2016, constantly adapting to new Facebook features and likely expanding to other social platforms and web services as well.

Continue reading “Facebook Details Malware Campaign Targeting Its Ad Platform”

Report details how North Korean and Russian cybercriminals are cooperating

source:  scmagazine.com

Several companies, media outlets and the U.S. government have accused North Korean state-sponsored hackers of purchasing access to pre-hacked servers from criminal groups. But the connections to specific criminal groups have been a little more tenuous.

Now a new meta-analysis of previous reports from Intel 471 establishes a likely connection to TrickBot.

TrickBot, as well as Dridex and TA505, are groupings of attacks linked to different Russian-speaking cybercriminals who sell access to victims’ machines in criminal forums. The North Korean Lazarus Group, which supplements an economy ravaged by sanctions with cybercrime, is known to use a variety of vectors to find initial access.

“I was skeptical about any North Korea / Russian criminal group links before writing this,” said Intel 471 chief executive Mark Arena, who wrote the report. “When open-source reporting is based on one or two instances of TrickBot and Lazarus in the same server, it’s possible that they were two separate attacks.”

Arena read through the various reporting on the overlap between criminal groups and Lazarus, contacted the researchers for information not contained in the reports and solicited additional information from other researchers.

What he found was a very clear chain in the reports showing TrickBot infections leading to malware only used infrequently in Lazarus-type attacks, which appears to be developed by Lazarus using the group’s fairly distinctive code.

Public reporting was less sufficient. A purported connection to Dridex appeared to be a researcher conflating different criminal groups. And when Arena contacted a BAE researcher who had given a presentation proposing a connection between TA505 and Lazarus, that researcher said the presentation was only meant to be taken as a theory. However, in speaking with practitioners who hadn’t made their work public, other people had independent suspicions of a link between the two that no longer appears to be active.

Arena told SC Media that knowing there is a connection between different actors gives defenders a chance to investigate a potential second problem when the first one is found. He added that if North Korea is likely to purchase access from one actor, it is likely to be willing to purchase from others. The choice of vendors shouldn’t be seen as set in stone.


source:  proofpoint.com

Twitter is a vital media and marketing platform with a massive audience base. With 330 million monthly active users recorded in 2019, it’s one of the biggest social media platforms and makes a significant contribution to brand visibility and growth. So, what happens when Twitter gets hacked?

On 15 July, attackers compromised several high-profile accounts, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple. The hijacked accounts, which have tens of millions of followers, sent a series of tweets proposing a classic bitcoin scam: “If you transfer cryptocurrency to a specific bitcoin wallet, they will receive double the money in return”. Approximately $180,000 was sent to those bitcoin wallets and, needless to say, no money was paid back. This scam demonstrates that having software security and crisis management plans in place is a “must-have” not a “should have”—now more than ever.  

So how did the attackers gain access? According to Twitter, they used a spear phishing attack to target Twitter employees by phone. After stealing employee credentials and getting into Twitter’s systems, attackers could target other employees who had access to account support tools.  Spear phishing is a more targeted version of phishing, an impersonation scam that uses email or other electronic communications to deceive recipients into handing over sensitive information.

This kind of attack reveals how imperative it is for organizations to implement a people-centric cybersecurity framework. Attackers do not view the world in terms of a network diagram—they target human vulnerabilities across channels. The best way to combat attacks like these is to implement a complete social media security solution that scans all social networks and reports fraudulent activity.

Continue reading “What the Latest Twitter Hack Can Teach Us About Social Media Security and Compliance”

source: bbc.com

A few days after the coronavirus lockdown began, Ciaran Martin’s phone pinged with a text message – the government was warning him he had left home three times and had to pay a fine.
As the official in charge of defending the UK against cyber-threats, he knew enough to spot a scam.
But it was also a sign he was unlikely to have a quiet end to his time as the first head of the National Cyber Security Centre (NCSC).
Speaking in his last few days in office, he says recent events have been an “unexpected vindication” of the decision to spin out part of the intelligence agency GCHQ so classified intelligence could be better shared to protect the UK.
Pandemic protection
Cyber-criminals were quick to exploit Covid-19, using it to persuade people to click on links or buy fake goods.
And that placed new demand on systems built to automate cyber-defences and spot spoof messages.
At the same time, the NCSC had to help government and public-sector organisations deal with the sudden increased dependence on technology, whether in the cabinet meeting over video link or the government sending out genuine text messages to the entire public.
But it was not just cyber-crime groups who were on the move.
Foreign spies also began to go after new targets.
And protecting universities and researchers seeking a coronavirus vaccine became an urgent new priority.
“Many of the people involved never thought they’d be in a case where they’d be talking to part of an intelligence service about resisting major nation state threats against their work,” Mr Martin says.
In July, the UK, along with the US and Canada, accused Russian intelligence of trying to steal research.
The accusation – known as an “attribution” – came because the NCSC could draw on GCHQ’s long history monitoring Russian hackers.
“We have built up significant knowledge of some of the major attack groups from the major nation states, including Russia, over more than two decades,” Mr Martin says.
“For a lot of the things that we were seeing in the high end of vaccine protection, it was detected by us because it was the more sophisticated end, where the attacker is trying harder not to get caught.”

source: nytimes.com

Several people involved in the events that took down Twitter this week spoke with The Times, giving the first account of what happened as a pursuit of Bitcoin spun out of control.

OAKLAND, Calif. — A Twitter hacking scheme that targeted political, corporate and cultural elites this week began with a teasing message between two hackers late Tuesday on the online messaging platform Discord.

“yoo bro,” wrote a user named “Kirk,” according to a screenshot of the conversation shared with The New York Times. “i work at twitter / don’t show this to anyone / seriously.”

He then demonstrated that he could take control of valuable Twitter accounts — the sort of thing that would require insider access to the company’s computer network.

The hacker who received the message, using the screen name “lol,” decided over the next 24 hours that Kirk did not actually work for Twitter because he was too willing to damage the company. But Kirk did have access to Twitter’s most sensitive tools, which allowed him to take control of almost any Twitter account, including those of former President Barack Obama, Joseph R. Biden Jr., Elon Musk and many other celebrities.

Despite global attention on the intrusion, which has shaken confidence in Twitter and the security provided by other technology companies, the basic details of who was responsible, and how they did it, have been a mystery. Officials are still in the early stages of their investigation.

Continue reading “HACKERS TELL THE STORY OF THE TWITTER ATTACK FROM THE INSIDE”

source:  technewsworld.com

With much of the workforce conducting business from home to escape the pandemic, scammers have revved up their trickery to scare victims into falling for credential harvesting schemes.

Two new reports lay bare the new twists digital scammers are putting on old approaches to get you to unwittingly give up login credentials for your personal or company online banking and server portals. The two reports focus on how to avoid becoming a corporate or consumer victim.

One new twist detailed by Armorblox threatens to recycle inactive addresses unless the would-be victims immediately update and confirm their account details. This results in fearful recipients entering their legitimate email addresses and password information.

The second report, by email phishing protection firm INKY, reveals the intricate directives of a credential harvesting phishing email. These emails impersonate the United States Department of Justice by using a malicious link with real logos mimicking government websites.

A phishing email scam which gives the appearance that the sender is the U.S. Department of Justice.

Credential harvesting is largely considered the foundation of email phishing. It is the easiest way for anyone to get into your secure files. They simply use your password that you gave them, explained Dave Baggett, CEO and co-founder of INKY.

“In terms of the overall rate of phishing generally, we have seen nearly a three-times increase in phishing emails since the pandemic started,” Baggett told TechNewsWorld.


Banking on Phishing

Last week, Armorblox, a cloud office security platform that protects inbound and outbound enterprise communications, released its latest discovery of a new credential phishing attempt. The report details how cybercriminals use an email with a malicious link leading to a fake website. The landing page painstakingly resembles the Bank of America login page.

Continue reading “EMAIL SCAMMERS USING OLD TRICKS WITH NEW TWISTS”

source: threatpost.com


A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of  taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team, on Wednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), the Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

Continue reading “SELF-PROPAGATING LUCIFER MALWARE TARGETS WINDOWS SYSTEMS”

source: nakedsecurity.sophos.com

If you’re a Naked Security Podcast listener, you’ll have heard Sophos’s own Peter Mackenzie telling some fairly wild ransomware stories.

Peter works in the Managed Threat Response (MTR) part of our business – in his own words, if your network’s on fire, he’s one of the people who will rush in to try to fix it.

As you can imagine, plenty of his deployments come in the aftermath of ransomware attacks.

A few years ago ransomware criminals typically used what’s called the “spray-and-pray” approach – or what might more appropriately be called “spray-and-prey”, given the entirely predatory nature of these attacks.

A ransomware gang might have emailed a malicious attachment to ten million people, relying on ten thousand of them opening it up and getting scrambled, and then banking (figuratively and literally) on three thousand or so of the victims being stuck with little alternative but to pay up $350 each, for a total criminal pay-check of $1,000,000.

Make no mistake, those early ransomware criminals, such as the crooks behind malware such as CryptoLocker, Locky and TeslaCrypt, extorted millions of dollars, and their crimes were no less odious or destructive overall than what we see today.

But today’s ransomware criminals tend to pick entire organisations as victims.

Continue reading “INSIDE A RANSOMWARE GANG’S ATTACK TOOLBOX”

source:  securityweek.com


The U.S. National Security Agency says the same Russian military hacking group that interfered in the 2016 presidential election and unleashed a devastating malware attack the following year has been exploiting a major email server program since last August or earlier.

The timing of the agency’s advisory Thursday was unusual considering that the critical vulnerability in the Exim Mail Transfer Agent — which mostly runs on Unix-type operating systems — was identified 11 months ago, when a patch was issued.

Exim is so widely used — though far less known than such commercial alternatives as Microsoft’s proprietary Exchange — that some companies and government agencies that run it may still not have patched the vulnerability, said Jake Williams, president of Rendition Infosec and a former U.S. government hacker.

It took Williams about a minute of online probing on Thursday to find a potentially vulnerable government server in the U.K.

He speculated that the NSA might have issued the advisory to publicize the IP addresses and a domain name used by the Russian military group, known as Sandworm, in its hacking campaign — in hopes of thwarting their use for other purposes.

The Exim exploit allows an attacker to gain access using specially crafted email and install programs, modify data and create new accounts — gaining a foothold on a compromised network.

Continue reading “NSA: RUSSIAN AGENTS HAVE BEEN HACKING MAJOR EMAIL PROGRAM”