Search This Blog

Showing posts with label CISA. Show all posts

FireEye: Transportation and Telecom Firms Being Hit in Chinese Espionage

 

According to security firm FireEye, a massive Chinese espionage operation against US and European government entities includes four new hacking tools and reaches more commercial sectors than previously reported. 

Two China-linked gangs — as well as additional hackers that investigators did not name — have used virtual private network software in breaches affecting the transportation and telecommunications industries. The breaches had previously only been identified as affecting the defense, banking, and government sectors, according to the firm. 

The intruders are using Pulse Connect Secure, a popular VPN product, to break into networks and steal critical data. According to Mandiant, FireEye's incident response arm, many of the hacked firms "operate in verticals and industries aligned with Beijing's strategic objectives" specified in the Chinese government's latest "Five Year Plan" for economic growth. 

According to Sarah Jones, senior principal analyst at Mandiant Threat Intelligence, most of the breaches have been carried out by a group called UNC2630, which appears to work on behalf of the Chinese government. Four other pieces of malware are being used by the alleged Chinese hackers to collect data and cover their tracks. 

In a blog post published Thursday, Mandiant analysts said, “Chinese cyber-espionage activity has shown a larger tolerance for risk and is less restrained by diplomatic considerations than previously characterized.” 

In a separate incident disclosed by Microsoft in March, alleged Chinese spies used vulnerabilities in the Exchange Server software to steal email inboxes from U.S. firms. Some researchers said that the intrusions were unethical because the malicious code left on victims' systems could have been exploited by a variety of financially motivated criminals. 

On Thursday, a request for comment on Mandiant's findings was not immediately answered by a representative for the Chinese Embassy in Washington, D.C. Beijing consistently denies carrying out cyberattacks. Responding to the alleged Chinese attacks as well as a suspected Russian operation that used SolarWinds software has been a time-consuming process for US officials. 

Pulse Connect Secure is used by at least 24 federal entities, with some national-security-focused research laboratories openly announcing the use of the software. According to a representative from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Pulse Connect Secure cyberattack may have compromised at least five civilian agencies.  

According to the security firm, the claimed Chinese spies covered up traces of many of their hacks in some of the Pulse Connect breaches as Mandiant prepared to reveal the operation last month.

“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicate that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to U.S. and European commercial entities,” the Mandiant analysts alerted.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware assault on a Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, malware operators running a Ransomware-as-a-Service (RaaS) network. 

DarkSide is in charge of the latest Colonial Pipeline cyber assault. Past Friday - 7th May, the fuel giant has said that a Cyberattack had obliged the company, which was found to be an intrusion of DarkSide affiliates, to stop pipeline activities and to pull the IT systems offline. 

Cybercriminal gangs use DarkSide for data encryption and to gain entry to a victim's server. These groups attempt to disclose the information if the victim is not paying the ransom. DarkSide leverage groups have recently targeted organizations, including production, legal, insurance, healthcare, and energy, through various sectors of CI. 

Colonial pipeline is yet to be recovered, and the FBI is engaged with them as a key infrastructure supplier – one of which provides 45% of the fuel of the East Coast and typically provides up to 100 million gallons of fuel per day. 

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

The ransomware from DarkSide is available to RaaS clients. This cybercriminal template has become prominent because only a core team needs to create malware that can be transmitted to other people. 

RaaS can also be offered on a subscription basis as a ransomware partner, and/or the developers may earn cuts in income when a ransom is paid. In exchange, developers continue to enhance their 'product' malware. 

Furthermore the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats. 

The most important defense act against ransomware is prevention. It is crucial to follow good practices to defend against attacks by ransomware, that can be damaging to a person or an organization. 

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

Three Affiliated Tribes—The Mandan, Hidatsa & Arikara Suffers Ransomware Attack

 

On the 28th of April Three Affiliated Tribes – the Mandan, Hidatsa, and Arikara nation – informed their workers that they have been hacked with their server and believed it was ransomware. The community has not accessed files, email, and sensitive information since the server was hacked. 

Ransomware is a sort of malware that, as per the Homeland Security Department, attempts to publish information or restrict access until a ransom is paid. The Federal Bureau of Investigation, reports that 4,000 ransomware attacks are initiated daily, with an attack is conducted every 40 seconds. 
 
A document with details that the intrusion was linked with ransomware was sent to all Three Affiliate Tribes employees on April 28th. The one thing that it does, is changing file locations and file names of the document, stated Mandan, Hidatsa & Arikara CEO Scott Satermo. “Share this text, call, or use other methods as we have no way of sending an email notification at this time.” 

“Ransomware is running rampant in governments throughout the world,” said National Association of State Chief Information Officers (NASCIO) Director of Policy & Research Meredith Ward in an email to Native News Online. “Many local governments have been hit very hard.” 

NASCIO is a 501c(3)(h) non-profit framework that has its main advocacy and policy goal, as objectives and has a provision of insight and advice on the consequences of legislation, policies, and proposals relating to technology. On 14 October 2020, 30 Member States identified financial fraud as being a major cause of infringement over the past year compared with 10 states in 2018, states a report issued by NASCIO. The main causes of infringements still lie in external sources: malicious (68%), external-source web services (81%), and increased hacktivism (86%). 

Although ransomware attacks may appear popular, yet they aren't recorded widely in the various tribes. There are currently no statistical databases if and how often these cyberattacks impact tribes. Unless the rescue has been charged, ransomware actors also attempt and threaten the selling or leaking of exfiltrated data or authentication information as per the Cybersecurity & Infrastructure Security Agency (CISA). Ransomware attacks among national, local, tribal and territorial (SLTT) government bodies and critical infrastructure organizations have become exceedingly common in recent years. 

The Department of the Interior overturned a judgment of Trump-era on 22nd March 2021 which decided that a section of the Missouri River on the Fort Berthold Indian Reserve will belong to the government of North Dakota. The decision was made days after the very first American Indian to become Secretary of the Interior Department, Laguna Pueblo Debra Haaland, was sworn in. The change could offer Mandan, Hidatsa, and Arikara tribal members billions of dollars in revenue. 

The U.S. Congress assesses legislation including the State and Local Cybersecurity Improvement Act. If enacted, the law will provide several billion cybersecurity financing through the Cybersecurity and Infrastructure Security Agency to state, local governments and 25 million US dollars for tribal governments. In September 2020 it was discussed in the House Homeland Security Committee and voted in two-party terms, but it still resides in the Senate.

US Agencies Hit By Cyberattack, Confirms CISA Investigation

 

Around five federal civilian agencies were breached recently, in a hit to the US government, revealed an investigation by a top Cybersecurity and Infrastructure Security Agency, which followed emergency protocol to minimize damage from the attack. Suspected hackers from China exploited vulnerabilities in Pulse Secure VPN, a popular remote connectivity tool, to hack into government organizations, defense systems, financial agencies across Europe and the US, said a report released earlier this month. 

For the past few weeks, CISA has been constantly working to find out to find the total damage of the attack and help organizations protect their systems, telling organizations to run an "integrity tool" to look for potential breaches. Matt Hartman, Deputy Executive Assistant Director of Cybersecurity said "CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access." CISA is coordinating with various agencies to verify if a breach occurred and to provide assistance as a response to the issue. The news came out first when Reuters reported about the affected agencies. Earlier this week, CNN had reported that CISA found 24 Federal Civilian Agencies using Pulse Secure VPN, but were not sure whether they were compromised. 

CNN reports, "The discovery of potential breaches comes a little over a week after CISA issued a rare "emergency directive" ordering all federal civilian agencies to determine how many instances of the product they have, run the "integrity tool," install updates and submit a report to CISA. Emergency directives are used when there is a high potential for compromise of agency systems. Since March 31, CISA has been assisting multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor, according to a CISA spokesperson." 

The US government is still determining the extent of the attack. The Pulse Secure VPN intrusions don't show any signs of sophisticated attack or supply chain attack, as was the case with the recent SolarWinds attack. The hack was also different from the Microsoft Exchange Server Campaign indiscriminate targetting, where hackers breached thousands of servers.

The VMware Carbon Black Cloud Workload Patched a Vulnerability

 

The VMware Carbon Black Cloud Workload device's major security vulnerability will indeed permit root access, and the authority to handle most of the solution administration rights. The lately identified vulnerability, trackable as CVE-2021-21982, with a 9.1 CVSS score, remains in the device's administrative interface and continues to exist because intruders might bypass authentication by manipulating the URL on the interface. VMware Black Cloud Workload is the forum for cybersecurity defense on VMware's vSphere portal for virtual servers and workloads. vSphere is the virtualization platform for VMware cloud computing. 

As per the statement made by VMware last week, the problem is caused by inaccurate URL handling. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.” 

In turn, the intruder would be able to obtain the device management API. Once the intruder is logged in as an admin, it may also access and change administrative configuration settings. The opponent might also perform several attacks, which include code execution, de-activation of security monitoring, or the catalog of virtual instances in the private cloud, and even more since it depends on what instruments the institution has implemented in the environment. 

“A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance,” VMware notes in an advisory. 

VMware's Carbon Black Cloud Workload is being used by organizations in virtualized environments for protecting workloads that offer tools for the evaluation of vulnerabilities, antiviruses, and threats. 

Egor Dimitrenko, a positive technologies researcher who has been credited with the discovery of the vulnerability, says that the intruder could definitely use the bug to execute arbitrary code on a server. “Remote Code Execution is a critical vulnerability that gives an attacker unlimited opportunity to perform any attack to company infrastructure,” Dimitrenko underlines. 

The researcher explains that the intruder should not usually be able to access the VMware Carbon Black Cloud workload admin panel from the Internet, but also indicates that misconfigurations can result in improper exposure. He says that organizations can implement tools for remote access inside the internal network. 

In order to deal with this vulnerability and encourage customers to use the update to stay secure, VMware released version 1.0.2 of the VMware Carbon Black Cloud Workload appliance last week. It is also recommended that network checks should be implemented to ensure limited access to the device admin interface. Additionally on Friday, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of the vulnerability and raise awareness on the existence of patches for it.

Weintek’s HMI Found with Vulnerabilities which can Allow Attackers to Exploit Devices

 

Weintek's human-machine interface (HMI) products include three types of critical vulnerabilities, according to a cybersecurity researcher - who specializes in industrial control systems (ICS). 

Customers should download relevant patches and follow measures to mitigate risks, according to a technical advisory posted by the company. The risk of abuse is higher if the devices are linked to an open network, according to the study. Customers can disconnect the devices from the network and update the operating system if the device is accessible by an open network. While devices that are not attached to an open network cannot be compromised, consumers are still encouraged to update their operating systems. If a computer can be accessed via a public IP address, it is said to be exposed to an open network. 

Marcin Dudek, a senior ICS/OT security researcher at Poland’s CERT Polska, identified the flaws; the security flaws have also been discovered in the Weintek cMT products', EasyWeb, web-based configuration interface. HMIs (including screen-less HMIs), programmable logic controllers (PLCs), and gateways are all the affected products. 

A remote, unauthenticated attacker may use the flaws to conduct malicious JavaScript code with root privileges (CVE-2021-27446), remotely access critical information, and perform actions on behalf of an admin (CVE-2021-27444) and conduct malicious JavaScript code through a stored XSS vulnerability (CVE-2021-27442). 

There are even more than 170 cMT HMIs linked directly to the internet, according to Dudek, with networks located in Europe, Asia, and North America. According to the researcher, an attacker may exploit the first two flaws by sending a single query to the targeted computer. An attacker could take advantage of CVE-2021-27444 to extract the administrator password hash. 

In the worst-case scenario, an attacker might use the bugs to gain full control of the targeted system with root privileges, which could have significant implications in the actual world. 

“Having such high privileges, an attacker can have unlimited access to all functions of the HMI,” Dudek explained. “It could also be used as a proxy to get access to the internal network of an organization, or to have direct access to other industrial devices in the same network, such as PLCs.” 

Dudek also said that “he worked well with the vendor during the disclosure process. He said it took roughly two months to release all patches, but most of the fixes were ready one month after he reported his findings.” 

The impacted items are mainly used in the water and commercial facilities industries, according to the US Cybersecurity and Infrastructure Security Agency (CISA), which released an advisory for the Weintek CMT vulnerabilities this week.

Everthing You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA) in unison with the Federal Bureau of Investigation (FBI) published an advisory on Wednesday to warn organizations of ongoing TrickBot attacks despite in October multiple security firms dismantled their C2 infrastructure in a joint operation.

In their joint advisory, two agencies disclosed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into installing the Trickbot malware.

TrickBot was initially observed in 2016, it is believed to be designed by the threat actors behind the Dyre Trojan. TrickBot has become one of the most prevalent families out there, entrapping machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted the infrastructure behind TrickBot, taking most of it down. However, the malware survived the takedown attempt and came back stronger, with several new updates that protected against similar attempts. The recent attacks come as a confirmation to the same, that TrickBot’s operators were able to restore their malicious operations. 

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

NSA and CISA Jointly Issued Guidance On Protective DNS Services


America’s chief security departments The National Security Agency (NSA) and Cybersecurity and Infrastructure Agency (CISA) have released a joint information sheet on Thursday which provides information regarding the positive outcomes of using a Protective Domain Name System (PDNS).
 
How Protective Domain Name System (PDNS) works? 

Its (PDNS) service uses present Domain Name System (DNS) protocols and its structure to analyze DNS queries and mitigate threats. It leverages many open sources, such as non-profit organizations, and various governmental threat feeds to categorize domain information and block queries to identified hackers' domains. 

According to The National Security Agency (NSA) and the Cybersecurity and Infrastructure Agency (CISA), the service (PDNS) presents threat prevention measures against network exploitation, includes various kind of online threats such as addressing phishing attacks, malware distribution, domain generation algorithms, command and control, and content filtering. 

Additionally, a PDNS can log in and save suspicious data and can give a blocked response to the malicious activities into a system– such as ransomware locking victim files – while letting institutions using those logged DNS information data. 

The information sheet gave a list of providers, but NSA and CISA explicitly stated, “We, the federal agencies do not endorse one provider over another”. The listed six companies are BlueCat, Akamai, Cisco, EfficientIP, Nominet, and Neustar. 

How NSA and CISA made their recommendations? 

The recommendations are based on the learned lessons from an NSA PDNS pilot. The NSA partnered with the Defense Cyber Crime Center (DDCCC) department to offer PDNS-as-a-service to its members of the defense industrial base. Alongside, the PDNS studied over 4 billion DNS queries and participating networks, and successfully blocked millions of connections identified as malicious domains. 

Oliver Tavakoli, chief technology officer at Vectra stated, “Like other preventive approaches, they are useful in protecting organizations from known bads, but ultimately fall short in blocking the early stages of a new attack or more sophisticated attacks...”

“...So it makes sense to implement PDNS to reduce the attack surface, however, it should not be thought of as a preventive silver bullet that obviates the need to detect attackers who know how to bypass these protections.” She added. 

Ray Kelly, a principal security engineer at WhiteHat Security, added that “DNS exploitations are still incredibly rampant and require some attention because they are such an effective technique used by malicious actors”.

Unprotected Private Key Allows Remote Hacking of PLCs

 

Industrial associations have been cautioned for this present week that a critical authentication bypass vulnerability can permit hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation that are marketed under the Logix brand. These gadgets, which range from the size of a little toaster to a huge bread box or considerably bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs utilizing Rockwell software called Studio 5000 Logix Designer. 

The vulnerability requires a low skill level to be exploited, CISA said. The vulnerability, which is followed as CVE-2021-22681, is the consequence of the Studio 5000 Logix Designer software making it possible for hackers to exfiltrate a secret encryption key. This key is hard-coded into both Logix controllers and engineering stations and confirms correspondence between the two gadgets. A hacker who got the key could then copy an engineering workstation and manipulate PLC code or configurations that directly impact a manufacturing process.

“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable,” said Sharon Brizinov, principal vulnerability researcher at Claroty, one of three organizations Rockwell credited with independently discovering the flaw. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process.” 

Rockwell isn't issuing a patch that straightforwardly addresses the issues coming from the hard-coded key. Instead, the organization is suggesting that PLC clients follow explicit risk mitigation steps. The steps include putting the controller mode switch into run, and if that is impractical, following different suggestions that are explicit to each PLC model.

 Those steps are laid out in an advisory Rockwell is making accessible to clients, just as in the CISA warning. Rockwell and CISA likewise suggest PLC clients adhere to standard security-in-depth security advice. Chief among the suggestions is guaranteeing that control system gadgets aren't accessible from the Internet. On the off chance that Logix PLC clients are segmenting industrial control networks and following other prescribed procedures, almost certainly, the risk posed by CVE-2021-22681 is negligible. What's more, if individuals haven't executed these practices, hackers likely have simpler ways to hijack the devices.

US Agencies Publish Advisory on North Korean Cryptocurrency Malware, AppleJeus

 

The Federal Bureau of Investigation (FBI) jointly with the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury, released an advisory on North Korea's cyber-threat to cryptocurrency and on suggestions for mitigating. 

Operated with the US government allies, FBI, CISA and the Treasury assess that, Lazarus Group –advanced persistent threat (APT) actors assisted by these agencies in North Korea is targeting the consumers and firms through the dissemination of cryptocurrency trading apps, including crypto-currency exchange and financial service providers, that have been updated to cover. 

“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors,” said CISA Acting Executive Assistant Director of Cybersecurity Matt Hartman. “The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.” 

In the last year alone, these cyber actors attacked organizations for cryptocurrency theft, in more than 30 nations. These actors would undoubtedly see amended cryptocurrency trade applications as a way of bypassing North Korea's foreign sanctions—applications that allow them to gain access to cryptocurrency exchanges and loot cryptocurrency cash from victims' accounts. 

The US government refers to the North Korean Government's malicious cyber activity as HIDDEN COBRA. Malware and indicators of compromise (IOCs) have been identified by the United States Government to facilitate North Korean cryptocurrency robbery, which is called "AppleJeus" by the Cyber Security community. 

Although the malware was first found in 2018, North Korea has used several versions of AppleJeus. In the first place, HIDDEN COBRA actors used websites that seemed to host genuine cryptocurrency trading platforms, but these actors seem to be using other infection feature vectors, such as phishing, social networking, and social engineering, to get users to download the malware and to infect victims with AppleJeus. They are also using other infection vectors. Active AppleJeus Malware agencies in several areas, including energy, finances, government, industry, technology, and telecommunications, were targeted by HIDDEN COBRA actors. 

Ever since it was discovered, several variants of AppleJeus were found in the wild. Most of them are supplied as relatively simple applications from attacker-controlled websites that resemble legitimate cryptocurrency exchange sites and firms. 

“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea — the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” states the report. 

If consumers perceive that they have been affected by AppleJeus, the findings suggest victims creating new keys or transferring funds from corrupted crypto wallets, expelling hosts, running anti-malware tests on tainted devices, and notifying the FBI, CISA, or treasury.

Operation LadyBird: International Law Enforcement Agencies Crackdown Emotet

 

European and US law agencies earlier this week directed a brilliant crackdown on Emotet. Emotet is a botnet of corrupted computers, which has attacked millions of victims to date. The international police operation "LadyBird" consisted of a team of officials from nine governments. The Dutch police, however, was more resolute and used its cyber agencies to get access to the Emotet infrastructure. Next, it installed a software update on the servers which disrupted the communication between botnet and hacked computers, putting a stop to its further spread.  

FBI can learn a thing or two from this operation, realizing that sometimes foreign allies can be a help too. Here, the Dutch police were a step ahead of the bureau in making an arrest and even using offensive cyber capabilities to get the mission done. The Bureau had first discovered Emotet in 2017, by that time, it had already dealt damage of $1.4 Million to North Carolina school computers. As per the Department of Homeland Security (DHS), it cost the agency around $1 Million to settle the dust after each Emotet incident happened, however, not clear how the agency calculated this data. 

An FBI agent, however, suggested the estimated total cost to be around hundreds of millions of dollars, that the U.S victims might have suffered from the digital cyberattack. But, American agents failed to reach Emotet's infrastructural roots on their own. A senior FBI cyber-official in a press conference said that this is why it becomes so important for law enforcement agencies to work together. Hinting to the Dutch crackdown on Emotet, the official said "working within the legal frameworks of each individual partner to make sure that we have the greatest impact that we can within the law."  As of now, it's not confirmed if the Emotet's criminal group will be back in the action again. 

Experts say that Botnet generally survives until its operatives are finally captured. Dutch news website Politie reports, "A computer infection with Emotet malware often comes about through a phishing attack by email. In doing so, the victim is tempted to click on a malicious link, for example in a PDF file, or to open a Word file containing macros. The cybercriminals behind Emotet used different types of 'bait' to trick unsuspecting users into opening malicious attachments. For example, last year they pretended that e-mail attachments contained information about COVID-19."

Threat Actors Bypassed MFA to Gain Access to Cloud Service Accounts

 

The United States Cybersecurity and Infrastructure Agency (CISA) has alerted the firms by stating that cyber attackers are bypassing multi-factor authentication (MFA) protocols to secure access to the cloud service accounts.

Threat actors often use username and password combinations while targeting the organizations but hackers usually are unsuccessful in doing so due to an enabled multi-factor authentication by an organization. CISA said, threat actors successfully gained access to a user’s account despite MFA being enabled, at one instance, in this incident the hackers may have used browser cookies to bypass MFA. 

The threat actors use stolen cookies to gain access to web applications or online services and take control over an authenticated session. CISA noticed that cyber attackers are taking benefits of email forwarding protocols by storing critical information regarding the user’s personal email accounts.

CISA stated in the report that “in one case, we determined that the threat actors modified an existing email rule on a use’s account-originally set by the user to forward emails sent from a certain sender to a personal account-to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts”.

Threat actors also designed new mailbox regulations, which were created to send specific messages to the users. These messages contained specific phishing related keywords and these messages were transmitted by using Really Simple Syndication (RSS) feeds or RSS subscription folders to keep users from being alerted. CISA also clarified that this data breach has no link to the SolarWinds supply chain attack.

While explaining further, CISA told, “recommended mitigations for organizations to strengthen their cloud environment configuration to protect against, detect and respond to potential attacks”. These recommendations also include tactics, techniques, and procedures (TTPs) which will provide assistance to the security teams to counter the attacks by threat actors on their organizations.

Critical Bugs in Firefox and Chrome Allow Exploitation

 

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) asked clients of Mozilla Foundation's Firefox browser and Windows, macOS, and Linux clients of Google's Chrome browser to fix bugs, traced as CVE-2020-16044 and CVE-2020-15995 respectively. 

The vulnerability of CVE-2020-16044 is classified as a use-after-free bug and attached to the manner in which Firefox handles browser cookies and whenever exploited permits hackers to access the computer, telephone, or tablet running the browser software. Affected are Firefox browser renditions released before the recently released Firefox desktop 84.0.2, Firefox Android 84.1.3 edition, and furthermore Mozilla's corporate ESR 78.6.1 version of Firefox. "A pernicious peer might have altered a COOKIE-ECHO chunk in a SCTP packet in a way that conceivably resulted in a use-after-free. We assume that with enough effort it might have been exploited to run arbitrary code," as indicated by a Mozilla security notice.

SCTP stands for Stream Control Transmission Protocol, utilized in computer networking to communicate protocol data inside the Transport Layer of the internet protocol suite, or TCP/IP. A COOKIE ECHO chunk is a snippet of information sent during the initialization of the SCTP association with the browser.

Google's Chrome browser bug CVE-2020-15995 was affecting the current 87.0.4280.141 rendition of the software. The CISA-bug cautioning expressed that the update to the most recent version of the Chrome browser would "addresses vulnerabilities that an attacker could exploit to take control of a tainted system." Microsoft's most recent Edge browser depends on Google Chromium browser engine, Microsoft additionally encouraged its clients to update to the most recent 87.0.664.75 rendition of its Edge browser.

While researchers at Tenable group called the out-of-bounds bug as critical, both Google and Microsoft characterized the vulnerability as being of high seriousness. Tencent Security Xuanwu Lab scientist Bohan Liu is credited for finding and detailing the bug. The CVE-2020-15995 is distinguished as an "out of bounds written in V8", a bug initially found in September 2020 by Liu. V8 is Google's open-source and high-performance JavaScript and WebAssembly engine, as indicated by a Google developer description. Neither Microsoft nor Google clarified why the September 2020 CVE-2020-15995 is being highlighted again in both their security bulletins. Typically, that means that the first fix was incomplete.