
Do Not Use Single-Factor Authentication on Internet-Exposed Systems, CISA Warns

 

The US Cybersecurity and Infrastructure Security Agency (CISA) this week added single-factor authentication (SFA) to a very short list of "exceptionally risky" cybersecurity practices that expose government organizations and private sector entities to threat actors.

According to CISA, SFA (a low-security authentication method that only requires users to provide a username and a password) is "dangerous and significantly elevates risk to national security" when used for remote or administrative access to systems supporting the operation of critical infrastructure.

“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety," CISA explained.

Cybercriminals can readily gain access to systems protected only by single-factor authentication, because passwords are easily stolen or guessed through phishing, keylogging, network sniffing, social engineering, malware, brute-force attacks, or credential dumping.

CISA advises switching to multi-factor authentication (MFA), which makes a successful attack much harder or even impossible for threat actors. The other entries on the bad-practices list are the use of end-of-life (or out-of-support) software and the use of default (or known) credentials, both of which CISA also describes as "dangerous".

According to joint research conducted by Google, New York University, and the University of California San Diego, MFA can prevent 100% of automated bots, 99% of bulk phishing attacks, and roughly 66% of targeted attacks.

"Your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," said Alex Weinert, Director of Identity Security at Microsoft.

CISA has also opened a GitHub Bad Practices discussions page to allow IT professionals and administrators to provide feedback and share their expertise on mitigating the risks of cyber-attacks.

Furthermore, CISA is considering adding a number of other practices to the catalog, including:

• using weak cryptographic functions or key sizes 
• flat network topologies
• mingling of IT and OT networks 
• everyone's an administrator (lack of least privilege) 
• utilization of previously compromised systems without sanitization 
• transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks 
• poor physical controls 

"Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions. CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices,” CISA added.

Microsoft Issues an Advisory on ProxyShell Vulnerabilities

 

Microsoft this week published guidance about three vulnerabilities referred to collectively as ProxyShell, days after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were actively trying to exploit them.

The ProxyShell vulnerabilities, which are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, could allow hackers to run arbitrary code on a vulnerable machine without authentication. The first two flaws were fixed in April, while the third received a patch in May.

Orange Tsai, a security researcher at consulting firm DEVCORE, exploited the ProxyShell vulnerabilities to target a Microsoft Exchange server during the Pwn2Own 2021 hacking contest, but technical details were made public only a few weeks ago, at the Black Hat and DEF CON cybersecurity conferences. Earlier, Orange Tsai had identified the ProxyLogon and ProxyOracle vulnerabilities in Exchange servers.

Last week, cybersecurity experts identified more than 1,900 unpatched systems that had been exploited, and CISA issued a warning on attacks targeting Exchange servers affected by the ProxyShell vulnerabilities.

In a blog post on Wednesday, Microsoft urged customers to install the patches as soon as possible, noting that only systems without the already issued patches are vulnerable to the attack. The company also advised users to install the latest set of updates on their Exchange servers, which would ensure they are shielded from compromise attempts.

“This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on unpatched Exchange servers to deploy ransomware or conduct other post-exploitation activities. If you have installed the May 2021 security updates or the July 2021 security updates on your Exchange servers, then you are protected from these vulnerabilities,” Microsoft stated.

According to the advisory, systems without either of those security updates are vulnerable to attack. The company also stressed that Exchange servers should always be kept on the latest available Cumulative Update (CU) and Security Update (SU). Servers running an older, unsupported CU are vulnerable, including those that have the March 2021 mitigations applied.

"In all of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities," the company added.

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.

CISA issued an alert in April this year on attacks against Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. The threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs).

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker could exploit the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and, according to experts, is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN.

According to CISA, two of the samples are maliciously modified Pulse Secure files recovered from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. Another file contained a malicious shell script that could log usernames and passwords. A third sample consisted of many files, one of which was a shell script for converting a Pulse Secure file into a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.

The fifth sample included two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file.

CISA Partners with Leading Technology Providers for New Cybersecurity Initiative

 

As part of a new campaign aimed at improving the country's cyber defences, the US government has announced partnerships with Amazon, Microsoft, Google, and other major corporations. According to CISA Director Jen Easterly, the Joint Cyber Defense Collaborative, or JCDC, would strive to take a proactive approach to cyber defense in the wake of multiple high-profile breaches that damaged the federal government and the general public. 

The JCDC would initially focus on battling ransomware and other cyberattacks against cloud computing providers, according to a Wall Street Journal report, in order to avoid situations like the recent Kaseya supply-chain ransomware incident that occurred earlier this summer. 

“The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions,” Easterly said in the statement. 

Through the JCDC, CISA will be able to integrate unique cyber capabilities across numerous federal departments, state and local governments, and private sector firms to achieve shared objectives. The new programme will also enable the public and commercial sectors to share information, coordinate defensive cyber operations, and participate in joint exercises to improve cyber defense operations in the United States.

Aside from AWS, Microsoft, and Google Cloud, the JCDC will collaborate with AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon. Meanwhile, the Department of Defense (DoD), US Cyber Command, the National Security Agency (NSA), the Department of Justice (DoJ), the FBI, and the Office of the Director of National Intelligence are among the government's partners.

Rep. Jim Langevin, D-RI, a member of the Cyberspace Solarium Commission and a senior member of the House Committee on Homeland Security, said the JCDC is "exactly the kind of aggressive, forward-thinking we need to combat the ever-growing cyber threats that face our nation." In a statement, Langevin said the JCDC "brings together our [Cyberspace Solarium Commission] recommendations about planning, intelligence fusion and cybersecurity operations in a visionary way."

According to a Langevin aide, the Joint Cyber Defense Collaborative will house the Joint Planning Office, which Congress has already authorised, as well as the Joint Collaborative Environment, if that is passed this year as lawmakers like Langevin hope.

Pulse Security Devices Identified with Malware: Alerts CISA

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a detailed warning concerning almost 13 malware samples associated with compromised Pulse Secure devices. These samples had flown beneath the anti-virus radar.

At least two main hacking groups have distributed a dozen malware families across Pulse Connect Secure's suite of virtual private network (VPN) devices to spy on the US defense sector. Several China-backed hacking groups are believed to be behind the attacks.

Administrators were urged to review the document to identify the threat actors' tactics, techniques, and procedures while looking for any signs that their data had been compromised.

Pulse Secure is a global business with offices around the world. Its headquarters are in Silicon Valley, with development offices in Massachusetts and India, and sales offices across America, Europe, the Middle East, and Asia. It markets itself as the most diverse SSL-VPN in the world for ensuring user productivity, IT agility, and continuity in the enterprise.

Since June 2020, threat actors have targeted Pulse Secure devices at critical infrastructure institutions and other commercial-sector organizations. Attackers used various vulnerabilities for initial access and deployed backdoor web shells (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289).

All of the files examined by CISA were found on affected Pulse Connect Secure devices, and some were modified versions of legitimate Pulse Secure scripts.

In most cases the malicious files were web shells providing remote persistence and remote command execution, although other utilities were also included. One sample, CISA reports, is a "modified version of the Pulse Secure Perl Module" DSUpgrade.pm, a core firmware update file, converted into a web shell (ATRIUM) that lets attackers retrieve and execute remote instructions.

The embedded web shell accepts an 'id' parameter from an HTTP POST request and executes the value of that parameter locally as an operating-system command via a system() call.

In another analysis, CISA discovered a modified Unix umount application designed to "hook" the umount functionality of the Unix device.

According to CISA, this umount 'hook' makes a number of system changes that give a remote operator persistent command and control (C2) access to an affected Pulse Secure device.

The legitimate Pulse Secure files that CISA identified as modified by the attacker include:
  • licenseserverproto.cgi (STEADYPULSE)
  • nchcupdate.cgi
  • healthcheck.cgi
  • compcheckjs.cgi
  • DSUpgrade.pm.current
  • DSUpgrade.pm.rollback
  • clear_log.sh (THINBLOOD LogWiper Utility Variant)
  • compcheckjava.cgi (HARDPULSE)
  • meeting_testjs.cgi (SLIGHTPULSE)
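As an added example (not CISA's Pulse Connect Secure Integrity Tool and not Pulse Secure code), the following Python script shows how a defender can check the files in that list against a known-good SHA-256 baseline and flag the pattern described above, a request parameter flowing into a Perl system() call. Only the file names come from the CISA list; the baseline hashes, directory layout and file contents, including the tampered DSUpgrade.pm.current fixture used to exercise the detector, are constructed for the demo.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Legitimate Pulse Secure files the CISA write-up lists as modified by the attacker.
WATCHED_FILES = [
    "licenseserverproto.cgi", "nchcupdate.cgi", "healthcheck.cgi",
    "compcheckjs.cgi", "DSUpgrade.pm.current", "DSUpgrade.pm.rollback",
    "clear_log.sh", "compcheckjava.cgi", "meeting_testjs.cgi",
]

# Heuristic for the ATRIUM-style pattern: a request parameter read via param()
# that ends up as the argument of Perl's system().  Legitimate scripts also call
# system(), so only the parameter-to-system() combination is flagged.
PARAM_RE = re.compile(r"""param\(\s*['"](\w+)['"]\s*\)""")
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*[^;]*?param\(\s*['"](\w+)['"]\s*\)""")
SYSTEM_ARGS_RE = re.compile(r"\bsystem\s*\(([^;]*)\)\s*;")
VAR_RE = re.compile(r"\$(\w+)")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large firmware files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare every watched file with its known-good SHA-256.
    Returns {filename: "ok" | "modified" | "missing" | "unbaselined"}."""
    results = {}
    for name in WATCHED_FILES:
        path = root / name
        if not path.exists():
            results[name] = "missing"        # e.g. removed by a log-wiper utility
        elif name not in baseline:
            results[name] = "unbaselined"    # cannot judge without a reference hash
        else:
            results[name] = "ok" if sha256_file(path) == baseline[name] else "modified"
    return results


def suspicious_param_to_system(source: str) -> list:
    """Names of request parameters that reach a system() call in Perl source."""
    tainted = dict(ASSIGN_RE.findall(source))  # perl variable -> parameter name
    hits = set()
    for args in SYSTEM_ARGS_RE.findall(source):
        hits.update(PARAM_RE.findall(args))  # direct: system(param('id'))
        hits.update(tainted[v] for v in VAR_RE.findall(args) if v in tainted)
    return sorted(hits)


def scan(root: Path, baseline: dict) -> dict:
    """Run the integrity check and the web-shell heuristic over the watched files."""
    report = {"integrity": check_integrity(root, baseline), "webshell": {}}
    for name in WATCHED_FILES:
        path = root / name
        if path.exists() and not name.endswith(".sh"):  # Perl/CGI files only
            params = suspicious_param_to_system(path.read_text())
            if params:
                report["webshell"][name] = params
    return report


# --- Constructed fixtures (placeholders, not real Pulse Secure content) ------
PRISTINE = {name: f"#!/usr/bin/perl\n# {name}: constructed placeholder\nprint \"ok\\n\";\n"
            for name in WATCHED_FILES}
PRISTINE["clear_log.sh"] = "#!/bin/sh\n# constructed placeholder\n: > /var/log/app.log\n"

# Minimal tampered fixture with the pattern the write-up describes: the 'id'
# POST parameter is executed through system().  Exists only to exercise the detector.
TAMPERED_DSUPGRADE = (
    "#!/usr/bin/perl\nuse CGI;\nmy $q = CGI->new;\n"
    "my $cmd = $q->param('id');\nsystem($cmd);\n"
)


def write_demo_tree(root: Path) -> dict:
    """Write pristine files, record their hashes as the baseline, then tamper two."""
    baseline = {}
    for name, content in PRISTINE.items():
        (root / name).write_text(content)
        baseline[name] = hashlib.sha256(content.encode()).hexdigest()
    (root / "DSUpgrade.pm.current").write_text(TAMPERED_DSUPGRADE)  # web shell
    (root / "healthcheck.cgi").unlink()                              # wiped file
    return baseline


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return scan(root, write_demo_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real appliance the baseline would come from a trusted firmware image of the same version, and any "modified" or "missing" result warrants the full MAR review rather than a local fix.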

In cases studied by the cybersecurity firm Mandiant, most of the above files were found modified for malicious purposes earlier this year. The researchers indicated in an April report that CVE-2021-22893 was used by the suspected Chinese threat actor.

According to Mandiant's report, the adversaries converted the genuine files into the STEADYPULSE, HARDPULSE, and SLIGHTPULSE web shells and a variant of the THINBLOOD LogWiper utility.

Few of the files CISA identified on hacked Pulse Secure devices were being detected by anti-virus solutions at the time of the investigation; just one of them was available on the VirusTotal file scanning portal, uploaded two months earlier and flagged as a variant of the ATRIUM web shell by a single antivirus engine.

CISA advised administrators to take several actions to strengthen their security posture: keep antivirus engines and signatures up to date along with patches, disable file and printer sharing services, and use strong passwords or Active Directory authentication where such services are required.

15 Philips Vue Vulnerabilities Could Result in Full Takeover of the Devices

 

CISA has released an advisory about several vulnerabilities found in Philips Vue PACS healthcare devices. In the hands of an attacker, the 15 Philips Vue vulnerabilities found in the Philips Clinical Collaboration Platform Portal might lead to remote code execution.

The danger that these vulnerabilities pose, according to CISA (the United States Cybersecurity and Infrastructure Security Agency), is as follows: 

Successful exploitation of these vulnerabilities could allow an unauthorized person or process to listen in on conversations, view or alter data, gain system access, execute code, install unauthorized software, or compromise system data integrity, all of which could compromise the system's confidentiality, integrity, or availability.

The vulnerabilities demand immediate attention and patching, since four of the fifteen have a CVSS (Common Vulnerability Scoring System) score of 9.8.

The advisory published on the CISA website characterizes the vulnerabilities as follows:

#1 CVE-2020-1938: a flaw scored 9.8 CVSS, caused by improper validation of received data.

#2 CVE-2018-12326 and CVE-2018-11218: the software reads from or writes to a memory location outside the bounds of the intended buffer. Found in the Redis component.

#3 CVE-2020-4670: scored 9.8 CVSS, caused by improper authentication; the Redis software does not verify that an identity claim presented by a threat actor is genuine.

#4 CVE-2018-8014: the software ships with an insecure default setting that is intended to be changed by the administrator.

#5 CVE-2021-33020: the product continues to use expired passwords and cryptographic keys, widening the window of opportunity for an attacker.

#6 CVE-2018-10115: in the third-party component 7-Zip; improper initialization of a resource leads to an unexpected state.

#7 CVE-2021-27501: the software does not follow certain secure development coding rules.

#8 CVE-2021-33018: a broken or risky cryptographic algorithm might lead to data leakage.

#9 CVE-2021-27497: the product does not properly use a protection mechanism.

#10 CVE-2012-1708: in the third-party Oracle Database component; related to data integrity.

#11 CVE-2015-9251: user-controllable input is not correctly neutralized before it is placed in output.

#12 CVE-2021-27493: structured data or messages are not properly validated.

#13 CVE-2019-9636: the software does not correctly handle Unicode encoding in input.

#14 CVE-2021-33024: authentication credentials are protected by an insecure method.

#15 CVE-2021-33022: the communication channel carrying sensitive data might be sniffed.

According to reports, the impacted products are Vue Speech 12.2 and earlier versions, Vue Motion, Philips Vue PACS, and MyVue. Some of them have been fixed, while others will not receive security updates until 2022.

Safety measures: 

A reasonable strategy, according to SCMagazine, would be to limit the devices' network exposure. Administrators should isolate remote devices and control-system networks from the corporate network and place them behind firewalls.

However, if appliances with the Philips Vue vulnerabilities must be accessed remotely, this should only be done over a secure connection, such as an up-to-date VPN.

FireEye: Transportation and Telecom Firms Being Hit in Chinese Espionage

 

According to security firm FireEye, a massive Chinese espionage operation against US and European government entities includes four new hacking tools and reaches more commercial sectors than previously reported. 

Two China-linked gangs — as well as additional hackers that investigators did not name — have used virtual private network software in breaches affecting the transportation and telecommunications industries. The breaches had previously only been identified as affecting the defense, banking, and government sectors, according to the firm. 

The intruders are using Pulse Connect Secure, a popular VPN product, to break into networks and steal critical data. According to Mandiant, FireEye's incident response arm, many of the hacked firms "operate in verticals and industries aligned with Beijing's strategic objectives" specified in the Chinese government's latest "Five Year Plan" for economic growth. 

According to Sarah Jones, senior principal analyst at Mandiant Threat Intelligence, most of the breaches have been carried out by a group called UNC2630, which appears to work on behalf of the Chinese government. Four other pieces of malware are being used by the alleged Chinese hackers to collect data and cover their tracks. 

In a blog post published Thursday, Mandiant analysts said, “Chinese cyber-espionage activity has shown a larger tolerance for risk and is less restrained by diplomatic considerations than previously characterized.” 

In a separate incident disclosed by Microsoft in March, alleged Chinese spies used vulnerabilities in the Exchange Server software to steal email inboxes from U.S. firms. Some researchers said that the intrusions were unethical because the malicious code left on victims' systems could have been exploited by a variety of financially motivated criminals. 

On Thursday, a request for comment on Mandiant's findings was not immediately answered by a representative for the Chinese Embassy in Washington, D.C. Beijing consistently denies carrying out cyberattacks. Responding to the alleged Chinese attacks as well as a suspected Russian operation that used SolarWinds software has been a time-consuming process for US officials. 

Pulse Connect Secure is used by at least 24 federal entities, with some national-security-focused research laboratories openly announcing the use of the software. According to a representative from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Pulse Connect Secure cyberattack may have compromised at least five civilian agencies.  

According to the security firm, the claimed Chinese spies covered up traces of many of their hacks in some of the Pulse Connect breaches as Mandiant prepared to reveal the operation last month.

“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicate that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to U.S. and European commercial entities,” the Mandiant analysts alerted.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware attack on Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, a group of malware operators running a Ransomware-as-a-Service (RaaS) network.

DarkSide is behind the latest Colonial Pipeline cyberattack. On Friday 7th May, the fuel giant said that a cyberattack, later attributed to DarkSide affiliates, had forced the company to halt pipeline operations and take its IT systems offline.

Cybercriminal gangs use DarkSide to gain entry to a victim's network and encrypt its data. These groups threaten to disclose the data if the victim does not pay the ransom. Groups leveraging DarkSide have recently targeted organizations across various critical infrastructure (CI) sectors, including manufacturing, legal, insurance, healthcare, and energy.

Colonial Pipeline has yet to recover, and the FBI is engaged with the company as a critical infrastructure supplier: it provides 45% of the East Coast's fuel, typically up to 100 million gallons per day.

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

DarkSide's ransomware is offered to RaaS clients. This criminal business model has become prominent because only a small core team needs to develop the malware, which is then handed to affiliates to deploy.

RaaS may be offered to affiliates on a subscription basis, and/or the developers take a cut of each ransom paid. In exchange, the developers continue to enhance their malware 'product'.

The FBI-CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats.

The most important defense against ransomware is prevention. Following good security practices is crucial, since ransomware attacks can be devastating to an individual or an organization.

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

Three Affiliated Tribes—The Mandan, Hidatsa & Arikara Suffers Ransomware Attack

 

On the 28th of April, Three Affiliated Tribes, the Mandan, Hidatsa, and Arikara Nation, informed their employees that their server had been hacked and that they believed the cause was ransomware. The community has been unable to access files, email, and sensitive information since the server was compromised.

Ransomware is a type of malware that, according to the Department of Homeland Security, threatens to publish data or restricts access to it until a ransom is paid. The Federal Bureau of Investigation reports that 4,000 ransomware attacks are initiated daily, with an attack conducted every 40 seconds.
 
A notice stating that the intrusion was linked to ransomware was sent to all Three Affiliated Tribes employees on April 28th. What the malware does is change the file locations and file names of documents, stated Mandan, Hidatsa & Arikara CEO Scott Satermo. "Share this text, call, or use other methods as we have no way of sending an email notification at this time."

“Ransomware is running rampant in governments throughout the world,” said National Association of State Chief Information Officers (NASCIO) Director of Policy & Research Meredith Ward in an email to Native News Online. “Many local governments have been hit very hard.” 

NASCIO is a 501c(3)(h) non-profit whose main objectives are advocacy and policy, providing insight and advice on the consequences of legislation, policies, and proposals relating to technology. A NASCIO report issued on 14 October 2020 states that 30 member states identified financial fraud as a major cause of breaches over the past year, compared with 10 states in 2018. The main causes of breaches still lie in external sources: malicious actors (68%), external web services (81%), and increased hacktivism (86%).

Although ransomware attacks are common, they are not widely recorded among the various tribes; there is currently no statistical database of whether and how often these cyberattacks affect tribes. According to the Cybersecurity & Infrastructure Security Agency (CISA), ransomware actors also threaten to sell or leak exfiltrated data or authentication information unless the ransom is paid. Ransomware attacks on state, local, tribal and territorial (SLTT) government bodies and critical infrastructure organizations have become exceedingly common in recent years.

On 22nd March 2021 the Department of the Interior overturned a Trump-era judgment which had decided that a section of the Missouri River on the Fort Berthold Indian Reservation belonged to the state of North Dakota. The decision came days after Debra Haaland of Laguna Pueblo, the first American Indian to serve as Secretary of the Interior, was sworn in. The change could bring Mandan, Hidatsa, and Arikara tribal members billions of dollars in revenue.

The U.S. Congress is considering legislation including the State and Local Cybersecurity Improvement Act. If enacted, the law would provide several billion dollars in cybersecurity funding through the Cybersecurity and Infrastructure Security Agency to state and local governments, and 25 million US dollars for tribal governments. In September 2020 it was taken up by the House Homeland Security Committee and passed with bipartisan support, but it still sits in the Senate.

US Agencies Hit By Cyberattack, Confirms CISA Investigation

 

Around five federal civilian agencies were breached recently, in a blow to the US government, according to an investigation by the Cybersecurity and Infrastructure Security Agency (CISA), which followed emergency protocol to minimize damage from the attack. Suspected hackers from China exploited vulnerabilities in Pulse Secure VPN, a popular remote connectivity tool, to break into government organizations, defense systems, and financial agencies across Europe and the US, said a report released earlier this month.

For the past few weeks, CISA has been working to determine the total damage from the attack and help organizations protect their systems, telling them to run an "integrity tool" to look for potential breaches. Matt Hartman, CISA's Deputy Executive Assistant Director for Cybersecurity, said: "CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access." CISA is coordinating with the agencies to verify whether a breach occurred and to provide assistance in response. The news first came out when Reuters reported on the affected agencies. Earlier this week, CNN had reported that CISA found 24 federal civilian agencies using Pulse Secure VPN, but was not sure whether they had been compromised.

CNN reports, "The discovery of potential breaches comes a little over a week after CISA issued a rare "emergency directive" ordering all federal civilian agencies to determine how many instances of the product they have, run the "integrity tool," install updates and submit a report to CISA. Emergency directives are used when there is a high potential for compromise of agency systems. Since March 31, CISA has been assisting multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor, according to a CISA spokesperson." 

The US government is still determining the extent of the attack. The Pulse Secure VPN intrusions show no signs of a sophisticated supply chain attack, as was the case with the recent SolarWinds attack. The hack also differed from the indiscriminate targeting of the Microsoft Exchange Server campaign, in which hackers breached thousands of servers.

The VMware Carbon Black Cloud Workload Patched a Vulnerability

 

A major security vulnerability in the VMware Carbon Black Cloud Workload appliance permits root access and control over most of the solution's administrative functions. The recently identified vulnerability, tracked as CVE-2021-21982 with a CVSS score of 9.1, lies in the appliance's administrative interface: intruders can bypass authentication by manipulating a URL on that interface. VMware Carbon Black Cloud Workload is the security platform for virtual servers and workloads on VMware's vSphere, which is VMware's virtualization platform for cloud computing.

As per the statement made by VMware last week, the problem is caused by inaccurate URL handling. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.” 

With that token, the intruder gains access to the appliance's management API. Logged in as an administrator, the attacker can view and change administrative configuration settings, and may go on to execute code, disable security monitoring, or enumerate the virtual instances in the private cloud, with the full impact depending on what tooling the organization has deployed in the environment.

“A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance,” VMware notes in an advisory. 

Organizations use VMware's Carbon Black Cloud Workload to protect workloads in virtualized environments; it offers tools for vulnerability assessment, antivirus, and threat detection. 

Egor Dimitrenko, the Positive Technologies researcher credited with discovering the vulnerability, says that an attacker could use the bug to execute arbitrary code on the server. “Remote Code Execution is a critical vulnerability that gives an attacker unlimited opportunity to perform any attack to company infrastructure,” Dimitrenko underlines. 

The researcher explains that an attacker should not normally be able to reach the VMware Carbon Black Cloud Workload admin panel from the internet, but notes that misconfigurations can expose it improperly. He adds that organizations may deploy remote access tools inside the internal network. 

To address this vulnerability, VMware released version 1.0.2 of the VMware Carbon Black Cloud Workload appliance last week and urged customers to apply the update to stay secure. It also recommends implementing network controls to restrict access to the appliance's admin interface. On Friday, the Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory warning of the vulnerability and raising awareness that patches are available.

Weintek’s HMIs Found with Vulnerabilities Which Can Allow Attackers to Exploit Devices


Weintek's human-machine interface (HMI) products are affected by three critical vulnerabilities, according to a cybersecurity researcher who specializes in industrial control systems (ICS). 

In a technical advisory, the company advised customers to download the relevant patches and follow its measures to mitigate the risk. A device is considered exposed to an open network if it can be reached via a public IP address, and according to the advisory the risk of abuse is higher for such devices. Customers whose devices are reachable from an open network should disconnect them from the network and update the operating system. Devices that are not attached to an open network cannot be compromised this way, but customers are still encouraged to update their operating systems. 

Marcin Dudek, a senior ICS/OT security researcher at Poland’s CERT Polska, identified the flaws, which reside in EasyWeb, the web-based configuration interface of Weintek's cMT products. The affected products include HMIs (including screen-less HMIs), programmable logic controllers (PLCs), and gateways. 

A remote, unauthenticated attacker may use the flaws to execute malicious JavaScript code with root privileges (CVE-2021-27446), remotely access sensitive information and perform actions on behalf of an administrator (CVE-2021-27444), and execute malicious JavaScript code through a stored cross-site scripting (XSS) vulnerability (CVE-2021-27442). 
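The advisory does not describe where in EasyWeb the stored XSS lives, so the following is an added illustration (not Weintek's code) of the generic pattern behind a stored XSS in a device configuration page: a saved field such as a device name is written into HTML without encoding, beside a version that encodes the value for each output context it lands in. The field name, the hostile sample value and the page fragment are constructed for the example.

```python
# Added illustration (not Weintek's code): a stored-XSS-prone device-name
# field in a web configuration page, beside a context-encoding version.
import html
from urllib.parse import quote

# Constructed hostile input, as it would sit in the device's config store
STORED_DEVICE_NAME = '<script>alert("xss")</script>'


def render_vulnerable(device_name: str) -> str:
    """Interpolates stored data straight into HTML text and a URL attribute."""
    return f'<h1>{device_name}</h1><a href="/device?name={device_name}">link</a>'


def render_hardened(device_name: str) -> str:
    """Encodes once per output context: HTML text node, then URL
    component nested inside an HTML attribute (URL-encode, then
    attribute-encode, in that order)."""
    text = html.escape(device_name, quote=False)
    url_component = quote(device_name, safe="")
    attr = html.escape(url_component, quote=True)
    return f'<h1>{text}</h1><a href="/device?name={attr}">link</a>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check used by the test: did a script tag survive into the page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(STORED_DEVICE_NAME))
    print(render_hardened(STORED_DEVICE_NAME))
```

Output encoding is applied at render time rather than at save time because the same stored value is reused in different contexts (a text node and a URL inside an attribute here), and each needs its own encoding; a single escape on input would be wrong for at least one of them.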

More than 170 cMT HMIs are directly connected to the internet, according to Dudek, in networks located in Europe, Asia, and North America. The researcher says an attacker could exploit the first two flaws by sending a single request to the targeted device, and could use CVE-2021-27444 to extract the administrator password hash. 

In the worst case, an attacker could use the bugs to gain full control of the targeted system with root privileges, which could have significant real-world consequences. 

“Having such high privileges, an attacker can have unlimited access to all functions of the HMI,” Dudek explained. “It could also be used as a proxy to get access to the internal network of an organization, or to have direct access to other industrial devices in the same network, such as PLCs.” 

Dudek also said he worked well with the vendor during the disclosure process. He said it took roughly two months to release all patches, but most of the fixes were ready one month after he reported his findings. 

The affected products are mainly used in the water and commercial facilities sectors, according to the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory for the Weintek cMT vulnerabilities this week.

Everything You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn


The Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), published an advisory on Wednesday warning organizations of ongoing TrickBot attacks, even though multiple security firms dismantled the botnet's C2 infrastructure in a joint operation in October.

In the joint advisory, the two agencies disclosed that a sophisticated group of cybercrime actors is using a traffic infringement phishing scheme to lure victims into installing the TrickBot malware.

TrickBot was first observed in 2016 and is believed to have been developed by the threat actors behind the Dyre Trojan. It has since become one of the most prevalent malware families, enrolling infected machines into a botnet that was offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and returned with several updates designed to resist similar attempts. The recent attacks confirm that TrickBot’s operators have been able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

NSA and CISA Jointly Issued Guidance On Protective DNS Services


The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint information sheet on Thursday describing the benefits of using a Protective Domain Name System (PDNS).

How does a Protective Domain Name System (PDNS) work? 

A PDNS service uses existing Domain Name System (DNS) protocols and infrastructure to analyze DNS queries and mitigate threats. It draws on many open-source, non-profit, and government threat feeds to categorize domains and block queries to domains identified as malicious. 

According to the NSA and CISA, a PDNS provides protection against network exploitation and a range of online threats, including phishing, malware distribution, domain generation algorithms (DGAs), and command and control, and it can also perform content filtering. 

Additionally, a PDNS can log and retain suspicious queries and return a blocked response to stop malicious activity on a system, such as ransomware locking victim files, while letting organizations use the logged DNS data for investigation. 
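The mechanics described above, as an added example that is not from the NSA/CISA information sheet and not any listed vendor's product: a resolver front end that matches each query name and its parent domains against a categorized feed, applies a toy high-entropy heuristic for DGA-style names, returns a sinkhole answer for anything it blocks, and keeps a log of blocks for analysts. The feed entries, the sinkhole address, the client address and the upstream answers are constructed sample data, and the entropy thresholds are assumptions for illustration, not a production detector.

```python
# Added illustration of protective DNS logic (not from the NSA/CISA sheet,
# not a vendor's product). Feed, sinkhole, client and upstream data are constructed.
import math
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed threat feed: domain (and everything beneath it) -> category
BLOCKLIST: Dict[str, str] = {
    "evil-phish.example": "phishing",
    "c2.badactor.example": "command-and-control",
    "drop.malware-host.example": "malware",
}
SINKHOLE_ANSWER = "0.0.0.0"   # placeholder address returned for blocked names


def candidate_suffixes(qname: str) -> List[str]:
    """'login.evil-phish.example.' -> ['login.evil-phish.example', 'evil-phish.example', 'example']"""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def feed_category(qname: str) -> Optional[str]:
    """Match the query name or any parent domain against the feed."""
    for suffix in candidate_suffixes(qname):
        if suffix in BLOCKLIST:
            return BLOCKLIST[suffix]
    return None


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(qname: str, min_len: int = 12, min_entropy: float = 3.4) -> bool:
    """Toy heuristic (assumption, not a production detector): a long,
    high-entropy second-level label is treated as a suspected DGA name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


class ProtectiveResolver:
    def __init__(self, upstream: Callable[[str], str]):
        self.upstream = upstream                 # the normal recursive resolver
        self.log: List[Dict[str, str]] = []      # block records kept for analysts

    def resolve(self, qname: str, client: str) -> Tuple[str, str, Optional[str]]:
        """Return (verdict, answer, category). Every block is logged."""
        category = feed_category(qname)
        if category is None and looks_like_dga(qname):
            category = "suspected-dga"
        if category is not None:
            self.log.append({"client": client, "qname": qname, "category": category})
            return "blocked", SINKHOLE_ANSWER, category
        return "allowed", self.upstream(qname), None


# Constructed upstream answers (TEST-NET address) so the example runs offline
SAMPLE_UPSTREAM = {"www.example.com": "192.0.2.10"}


def sample_upstream(qname: str) -> str:
    return SAMPLE_UPSTREAM.get(qname.rstrip(".").lower(), "NXDOMAIN")


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """Run a handful of constructed queries through the resolver."""
    resolver = ProtectiveResolver(sample_upstream)
    queries = ["www.example.com", "login.evil-phish.example.",
               "c2.badactor.example", "xk9qz2wvb7lmnpr.example", "mail.example.com"]
    return [resolver.resolve(q, "10.0.0.5") for q in queries]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Suffix matching is what makes a single feed entry cover every host under a malicious zone, and the sinkhole answer is returned instead of NXDOMAIN so that the blocked client still gets a deterministic, logged response rather than retrying elsewhere.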

The information sheet lists providers, but the NSA and CISA explicitly stated, “We, the federal agencies do not endorse one provider over another”. The six listed companies are BlueCat, Akamai, Cisco, EfficientIP, Nominet, and Neustar. 

How did the NSA and CISA arrive at their recommendations? 

The recommendations are based on lessons learned from an NSA PDNS pilot. The NSA partnered with the Department of Defense Cyber Crime Center (DC3) to offer PDNS as a service to members of the defense industrial base. The pilot PDNS analyzed more than 4 billion DNS queries to and from participating networks and successfully blocked millions of connections to domains identified as malicious. 

Oliver Tavakoli, chief technology officer at Vectra stated, “Like other preventive approaches, they are useful in protecting organizations from known bads, but ultimately fall short in blocking the early stages of a new attack or more sophisticated attacks...”

“...So it makes sense to implement PDNS to reduce the attack surface, however, it should not be thought of as a preventive silver bullet that obviates the need to detect attackers who know how to bypass these protections,” Tavakoli added. 

Ray Kelly, a principal security engineer at WhiteHat Security, added that “DNS exploitations are still incredibly rampant and require some attention because they are such an effective technique used by malicious actors”.

Unprotected Private Key Allows Remote Hacking of PLCs


Industrial organizations were warned this week that a critical authentication bypass vulnerability could allow hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation and marketed under the Logix brand. These devices, which range in size from a small toaster to a large bread box or bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell software called Studio 5000 Logix Designer. 

The vulnerability requires a low skill level to exploit, CISA said. The flaw, tracked as CVE-2021-22681, stems from the Studio 5000 Logix Designer software making it possible for hackers to extract a secret encryption key. This key is hard-coded into both Logix controllers and engineering stations and is used to authenticate communication between the two devices. A hacker who obtained the key could impersonate an engineering workstation and manipulate PLC code or configurations that directly affect a manufacturing process.

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable,” said Sharon Brizinov, principal vulnerability researcher at Claroty, one of three organizations Rockwell credited with independently discovering the flaw. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process.” 

Rockwell is not issuing a patch that directly addresses the problem of the hard-coded key. Instead, the company recommends that PLC users follow specific risk mitigation steps. These include putting the controller mode switch into Run and, if that is impractical, following other recommendations specific to each PLC model.

Those steps are laid out in an advisory Rockwell is making available to customers, as well as in the CISA advisory. Rockwell and CISA also recommend that PLC users follow standard defense-in-depth security advice, chief among which is ensuring that control system devices are not accessible from the internet. If Logix PLC users are segmenting industrial control networks and following other recommended practices, the risk posed by CVE-2021-22681 is most likely negligible. And if they have not implemented these practices, hackers likely have easier ways to hijack the devices.

US Agencies Publish Advisory on North Korean Cryptocurrency Malware, AppleJeus


The Federal Bureau of Investigation (FBI), jointly with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury, released an advisory on North Korea's cyber threat to cryptocurrency and on suggested mitigations. 

Working with US government partners, the FBI, CISA, and the Treasury assess that Lazarus Group, an advanced persistent threat (APT) actor backed by the North Korean government, is targeting individuals and companies, including cryptocurrency exchanges and financial service providers, through the distribution of cryptocurrency trading applications that have been modified to include malware. 

“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors,” said CISA Acting Executive Assistant Director of Cybersecurity Matt Hartman. “The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.” 

In the last year alone, these cyber actors targeted organizations in more than 30 countries for cryptocurrency theft. The actors most likely view modified cryptocurrency trading applications as a way of bypassing the international sanctions on North Korea, since the applications allow them to gain access to cryptocurrency exchanges and steal cryptocurrency from victims' accounts. 

The US government refers to the North Korean government's malicious cyber activity as HIDDEN COBRA. The US government has identified malware and indicators of compromise (IOCs) used to facilitate North Korean cryptocurrency theft; the cybersecurity community calls the malware "AppleJeus". 

Since the malware was first identified in 2018, North Korea has used several versions of AppleJeus. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms; they now also appear to use other infection vectors, such as phishing, social networking, and social engineering, to get users to download the malware and infect their systems with AppleJeus. HIDDEN COBRA actors have used AppleJeus malware to target organizations in several sectors, including energy, finance, government, industry, technology, and telecommunications. 

Since its discovery, several variants of AppleJeus have been found in the wild. Most are delivered as relatively simple applications from attacker-controlled websites that resemble legitimate cryptocurrency exchange sites and firms. 

“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea — the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” states the report. 

If users believe they have been affected by AppleJeus, the advisory suggests generating new keys or moving funds out of compromised crypto wallets, removing affected hosts, running anti-malware scans on infected devices, and notifying the FBI, CISA, or the Treasury.

Operation LadyBird: International Law Enforcement Agencies Crack Down on Emotet


European and US law enforcement agencies earlier this week carried out a major crackdown on Emotet, a botnet of compromised computers that has claimed millions of victims to date. The international police operation "LadyBird" involved officials from nine governments. The Dutch police went furthest, using its cyber units to gain access to the Emotet infrastructure and then installing a software update on the servers that cut off communication between the botnet and the infected computers, halting its further spread.  

The FBI can learn a thing or two from this operation, namely that foreign allies can sometimes be a help too. Here, the Dutch police were a step ahead of the bureau in making an arrest and even in using offensive cyber capabilities to complete the mission. The Bureau had first discovered Emotet in 2017, by which time it had already caused $1.4 million in damage to North Carolina school computers. According to the Department of Homeland Security (DHS), cleaning up after each Emotet incident cost around $1 million, although it is not clear how the agency calculated this figure. 

An FBI agent, however, estimated that US victims may have suffered total losses in the hundreds of millions of dollars from the attacks. But American agents failed to reach Emotet's infrastructure on their own. A senior FBI cyber official said in a press conference that this is why it is so important for law enforcement agencies to work together. Referring to the Dutch crackdown on Emotet, the official spoke of "working within the legal frameworks of each individual partner to make sure that we have the greatest impact that we can within the law." As of now, it is not confirmed whether Emotet's criminal group will return to action. 

Experts say that a botnet generally survives until its operators are finally captured. The Dutch police website Politie reports, "A computer infection with Emotet malware often comes about through a phishing attack by email. In doing so, the victim is tempted to click on a malicious link, for example in a PDF file, or to open a Word file containing macros. The cybercriminals behind Emotet used different types of 'bait' to trick unsuspecting users into opening malicious attachments. For example, last year they pretended that e-mail attachments contained information about COVID-19."

Threat Actors Bypassed MFA to Gain Access to Cloud Service Accounts


The United States Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that cyber attackers are bypassing multi-factor authentication (MFA) to gain access to cloud service accounts.

Threat actors often attempt to use stolen username and password combinations against organizations, but they usually fail when the organization has MFA enabled. In one instance, CISA said, threat actors successfully accessed a user’s account despite MFA being enabled; in that incident the attackers may have used browser cookies to bypass MFA. 

Attackers use stolen cookies to access web applications or online services and take over an authenticated session. CISA also observed attackers abusing email forwarding rules, including rules users had set up to forward email to their personal accounts, to collect sensitive information.

CISA stated in the report that “in one case, we determined that the threat actors modified an existing email rule on a user’s account (originally set by the user to forward emails sent from a certain sender to a personal account) to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts”.

The threat actors also created new mailbox rules that moved specific messages, those containing phishing-related keywords, into Really Simple Syndication (RSS) feed or RSS subscription folders to keep users from being alerted. CISA also clarified that this activity is not linked to the SolarWinds supply chain attack.
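The two rule-abuse patterns CISA describes (an existing forward retargeted to an attacker-controlled address, and new rules that hide security-themed messages in RSS folders) are the kind of thing a periodic mailbox-rule audit can surface. The following is an added example, not CISA's tooling or any vendor's, that audits a list of inbox rules for those patterns; the organization domain, the folder and keyword lists, and the sample rules are all constructed for the example, and a real deployment would pull the rules from the mail platform's admin API.

```python
# Added illustration (not CISA's tooling): audit inbox rules for external
# forwarding and for rules that hide security warnings. All data is constructed.
from typing import Dict, List

ORG_DOMAIN = "example.com"   # assumed organization mail domain

# Folders attackers use to park messages users rarely open (assumed list)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Condition words that suggest a rule exists to suppress warnings (assumed list)
ALERT_KEYWORDS = {"phishing", "phish", "hacked", "suspicious", "password",
                  "security alert", "unusual sign-in", "compromised"}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def audit_rule(rule: Dict) -> List[str]:
    """Return human-readable findings for one rule (empty list = nothing odd)."""
    findings: List[str] = []
    conditions = [c.lower() for c in rule.get("subject_or_body_contains", [])]
    has_condition = bool(conditions) or bool(rule.get("from"))
    forwards = rule.get("forward_to", [])
    folder = rule.get("move_to_folder") or ""
    deletes = rule.get("delete", False)

    for addr in forwards:
        if is_external(addr):
            findings.append(f"forwards mail to external address {addr}")
    if forwards and not has_condition:
        findings.append("forwards ALL mail (no filtering condition)")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves matching mail into rarely viewed folder '{folder}'")
    hits = sorted(k for k in conditions if k in ALERT_KEYWORDS)
    if hits and (folder or deletes):
        findings.append(f"hides security-related messages matching {hits}")
    return findings


def audit_mailbox(rules: List[Dict]) -> Dict[str, List[str]]:
    """Map rule name -> findings, for the rules that have any."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


# Constructed sample: a benign rule, a user's own external forward, the same
# rule after attacker modification, and an attacker-style hiding rule.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_or_body_contains": ["newsletter"],
     "move_to_folder": "Newsletters"},
    {"name": "Vendor updates to personal", "from": "updates@vendor.example",
     "forward_to": ["me@personal-mail.example"]},
    {"name": "Vendor updates to personal (modified)",
     "forward_to": ["collector@attacker.example"]},
    {"name": "Filter", "subject_or_body_contains": ["phishing", "hacked", "password"],
     "move_to_folder": "RSS Subscriptions"},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(name, "->", findings)
```

The user's own forward to a personal address is flagged too, which is intentional: external forwards are exactly what the attackers in CISA's case repurposed, so an audit should baseline them and alert on any change, rather than trust a rule simply because the user created it.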

CISA also provided “recommended mitigations for organizations to strengthen their cloud environment configuration to protect against, detect and respond to potential attacks”. The report also lists the attackers' tactics, techniques, and procedures (TTPs) to help security teams counter such attacks against their organizations.

Critical Bugs in Firefox and Chrome Allow Exploitation


On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) urged users of Mozilla Foundation's Firefox browser, and Windows, macOS, and Linux users of Google's Chrome browser, to patch bugs tracked as CVE-2020-16044 and CVE-2020-15995 respectively. 

CVE-2020-16044 is classified as a use-after-free bug in the way Firefox handles COOKIE-ECHO chunks in SCTP packets; when exploited, it allows hackers to gain access to the computer, phone, or tablet running the browser. Affected are Firefox versions released before the recently released Firefox desktop 84.0.2, Firefox for Android 84.1.3, and Mozilla's enterprise ESR 78.6.1 version of Firefox. "A pernicious peer might have altered a COOKIE-ECHO chunk in a SCTP packet in a way that conceivably resulted in a use-after-free. We assume that with enough effort it might have been exploited to run arbitrary code," according to a Mozilla security notice.

SCTP stands for Stream Control Transmission Protocol, a transport-layer protocol of the internet protocol suite (TCP/IP) used to carry protocol data in computer networking. A COOKIE ECHO chunk is a piece of data sent during the initialization of an SCTP association with the browser.

Google's Chrome browser bug CVE-2020-15995 affected the then-current 87.0.4280.141 version of the software. The CISA alert stated that updating to the latest version of the Chrome browser "addresses vulnerabilities that an attacker could exploit to take control of a tainted system." Because Microsoft's latest Edge browser is based on Google's Chromium browser engine, Microsoft also urged its users to update to the latest 87.0.664.75 version of Edge.

While researchers at Tenable rated the out-of-bounds bug as critical, both Google and Microsoft characterized the vulnerability as high severity. Tencent Security Xuanwu Lab researcher Bohan Liu is credited with finding and reporting the bug. CVE-2020-15995 is described as an "out of bounds write in V8", a bug Liu originally found in September 2020. V8 is Google's open-source, high-performance JavaScript and WebAssembly engine, according to a Google developer description. Neither Microsoft nor Google explained why the September 2020 CVE-2020-15995 is being highlighted again in both their security bulletins; typically, that means the first fix was incomplete.