
Lenovo: No Fix for High-Severity Flaw in Legacy IBM System X Servers


Lenovo stated that two legacy IBM System x server models that were discontinued in 2019 are vulnerable to attack and will not receive security fixes. The firm is, however, providing a mitigation workaround.

Both the IBM System x 3550 M3 and IBM System x 3650 M3 are vulnerable to command injection. An attacker can abuse a vulnerable component called the Integrated Management Module (IMM) to execute arbitrary commands on either server model's operating system.

IMM performs system management functions. Serial and Ethernet connections on the back panel of System x models use the IMM for device management. 

According to a Lenovo advisory published Tuesday, the flaw is in the IMM firmware code and “could allow the execution of operating system commands over an authenticated SSH or Telnet session.” 

Secure Shell, often known as SSH, is a cryptographic network protocol that allows two computers to interact or transfer files. Telnet is another network protocol that permits remote users to log into another machine on the same network; unlike SSH, Telnet does not encrypt data sent over its connection by default.

The flaw, which has been assigned the number CVE-2021-3723, was discovered on Wednesday by Denver Abrey, a bug hunter. 

In June 2020, eight vulnerabilities in a subsequent version of IMM, known as IMM2, were discovered, three of which were of high severity. These issues were found in the client-side code called libssh2, which is accountable for executing the SSH2 protocol. 

The System x 3550 M3 and System x 3650 M3 were announced as medium-sized corporate solutions on April 5, 2011. Lenovo stated on June 30, 2015, that both systems would be discontinued, but that security updates would be provided for another five years.

Software and security support for the System x 3550 and 3650 ended on December 31, 2019, according to the Lenovo security notice. 

Lenovo wrote, “Lenovo has historically provided service and support for at least five years following a product’s withdrawal from marketing. This is subject to change at Lenovo’s sole discretion without notice. Lenovo will announce a product’s EOS date at least 90 days before the actual EOS date and in most cases longer.”

Lenovo stated on Wednesday that it recommends discontinuing the use of both servers, but that it had a mitigation approach. 

If it is not possible to stop using these systems, Lenovo suggests:
  • Disable SSH and Telnet (this can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface)
  • During initial configuration, change the default Administrator password.
  • Enforce the use of strong passwords.
  • Only give trustworthy admins access.

Lenovo did not comment on whether it was aware of any active campaigns aimed at exploiting the flaw.

Anonymous Hacktivists Leak 180 GB of Data from Web Host Epik


One of the most prominent hacktivist groups, Anonymous, has returned. Security analysts have verified that the group's most recent attack focuses on Epik, a web host used by alt-right sites.

The Anonymous hacktivist group claims to have seized gigabytes of data from Epik, which supplies domain name, hosting, and DNS services to many customers; among its many right-wing customers are the Texas GOP, Gab, Parler, and 8chan. The stolen information was released as a torrent. The hacktivist group states that the data package, which is over 180 GB in size, includes a "decade's worth of data from the company."

Epik is a web hosting and domain registrar company that caters to certain right-wing customers. It has become a leading provider for organizations that other IT service providers would normally disconnect.

"The data set is all that's needed to trace actual ownership and management of the fascist side of the Internet that has eluded researchers, activists, and, well, just about everybody," said the Anonymous hackers. 

According to Ars Technica's latest report, the allegedly disclosed database might enable anyone to learn the identity of Epik clients as well as other personally identifiable information.

Anonymous's current cyber operation, named “Operation Jane,” was launched in September following the passing of the Texas Heartbeat Act. The restrictive abortion law authorizes enforcement of its six-week prohibition on abortion not by government entities or the police, but by private individuals: under the act, any Texas resident can file a civil complaint against anyone who carries out or aids in facilitating an unlawful abortion, and demand at least $10,000 in penalties.

Among the data sets are several SQL databases holding client records for every domain name Epik hosts. Ars investigated a small section of the leaked dataset, including an Epik mailbox that contained letters from Epik CEO Rob Monster, according to a source.

"We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation," an Epik representative told Ars. 

Before the attack, Anonymous altered the Texas GOP homepage, replacing references to "Help Texas Stay Red" with "Texas: Taking voices from women to promote theocratic erosion of church/state barriers." The group also placed "donate" links to Planned Parenthood for reproductive health services.

Years-Long Attack by Chinese-Linked APT Groups Discovered by McAfee


A cyber-attack that had been sitting on the target organization's network for years stealing data was discovered during a McAfee investigation into a suspected malware infection. The sophisticated threat actors utilized a mix of known and novel malware tools in the attack, called Operation Harvest, to infiltrate the victim's IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups with ties to China during the course of the two-month investigation. 

“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. 

“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added. 

According to the forensic investigation, the actor gained initial access by compromising the victim's web server, which was then used to maintain persistence and to store the tools needed to gather information about the victim's network and to carry out lateral movement and file execution.

The adversaries used techniques commonly seen in this type of attack, but they also used distinctive new backdoors or variants of existing malware families. The way the custom backdoor's unique encryption function operates, and the code used in the DLL, are almost identical to methods attributed to the Winnti malware family. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing reasons.

To figure out who the perpetrators were, McAfee investigators mapped out the MITRE ATT&CK Enterprise techniques observed, added the tools utilized, and compared the information to previously recorded technique data. They discovered four groups that shared the same tactics and sub-techniques and then used a chart to narrow down the suspects to APT27 and APT41.

“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”

Attackers Use Cryptomining Malware to Target Organizations


Earlier this year in June, a security researcher from security firm Sonatype uncovered six malicious payloads in the official Python programming language’s PyPI repository that were laced with cryptomining malware. 

The attackers used typo-squatted names for the malicious packages, which were downloaded more than 5000 times. All the packages were posted on PyPI by the author “nedog123,” some as early as April of this year. The typosquats tricked people into thinking the packages were legitimate programs and hid their main purpose: hijacking developer systems for cryptomining.

The PyPI incident is complex because it combines three different kinds of attacks: logic bombs, cryptojacking, and software supply chain attacks. The risk posed by these kinds of attacks requires immediate action from organizations if they want to protect their data.

Logic Bomb Attacks 

A logic bomb, also known as a 'code bomb', 'cyber bomb', or 'slag code', is a malicious piece of code that executes only under specific conditions, usually for a malicious purpose. One challenge with logic bomb attacks is that they are stealthy by nature and can go undetected for long periods of time.

Logic bombs vary in form and function from one another, which helps malicious actors install logic bombs that victims cannot easily detect. Logic bombs are used for various purposes, such as stealing data, deleting or corrupting data, locking systems, or launching cryptomining processes.

Cryptojacking 

Cryptojacking is the illicit hijacking of computers, smartphones, or even servers to mine cryptocurrency. Attackers can steal large amounts of bandwidth and compute power and, in the end, financial resources, as the victim's hardware works to solve the equations needed for mining currency. In fact, the high resource demand — the high cost of cryptomining — is exactly why attackers steal it with cryptomining malware. Threat actors use crypto-malware because its behavior is hard to predict. In addition, it is a foot in the door for other kinds of payloads and breaches.

Software supply chain attack

A software supply chain attack is the most common method of targeting organizations: malicious code is added to third-party software with the aim of compromising the applications that use that software. According to the State of the Software Supply Chain report, supply chain attacks have increased by a staggering 650% year-on-year, versus a figure of 430% last year.

“Next-generation software supply chain attacks are far more sinister, because bad actors are no longer waiting for public vulnerability disclosures to pursue an exploit. Instead, they are taking the initiative and injecting new vulnerabilities into open source projects that feed the global supply chain, and then exploiting those vulnerabilities before they are discovered,” the report noted. 

How to mitigate the risks 

Organizations are advised to follow the steps below to protect their data:

• Use trusted antivirus software
• Perform regular OS updates
• Avoid downloading apps from untrusted sources
• Use red team tests to learn how supply chain attacks could play out within your organization and figure out how best to respond
• Blacklist mining sites, pirate software sites, and other sites that are likely to lead to shady downloads
• Disable JavaScript, if feasible
• Train employees on basic digital safety awareness and practices.