
SecureWorx, an Australian Cybersecurity Firm Acquired by EY

 

SecureWorx, a managed services provider, has been bought by Ernst & Young (EY) Australia for an undisclosed sum. SecureWorx, based in Melbourne, specializes in multi-cloud services, managed security operations, and security advisory services for businesses that handle sensitive data. It also offers managed security operations services 24 hours a day, seven days a week, with government-approved staff and facilities. 

“Cyber security is a critical business function that has moved beyond our clients’ technology agenda,” said recently installed EY Australia CEO David Larocca. “This is because we’re seeing a dramatic escalation in the frequency and impact of ransomware attacks that are changing the way Boards are accountable to stakeholders. Our clients are telling us that cybersecurity is one of their greatest concerns.” 

In response to new mandatory requirements in the Security Legislation Amendment (Critical Infrastructure) Bill 2020, including sovereign cybersecurity capabilities, EY said the purchase will boost its cybersecurity services portfolio. SecureWorx CEO Philip Mulley will join EY Australia as Sovereign Cybersecurity Leader as part of the acquisition. 

“We have long admired EY and in particular the work of their cybersecurity team,” Mulley said. “Joining gives us access to EY’s global thought leadership and deep industry knowledge. For our people it provides exciting career development opportunities through industry focus, technology career paths and global reach and mobility. EY’s Cyber team in Australia is a natural, cultural fit for us.” 

The purchase was motivated by EY's desire to improve its ability to assist clients with their mandated duties under new security legislation. “The latest updates to the Security of Critical Infrastructure Act outline new requirements that will require significant investment for onshore cyber capabilities to detect and combat threats,” said EY Oceania cybersecurity lead partner Richard Bergman. 

“SecureWorx has a set of cybersecurity assets that complement EY Australia’s existing cybersecurity team and capabilities including government-accredited hosting facilities in Melbourne and Canberra and an accredited Security Operations Centre in Melbourne,” Bergman continued, adding that the purchase would complement Aleron's 2019 cybersecurity acquisition and Open Windows' earlier acquisition. 

Over the last few years, the Australian consulting industry has seen a flurry of M&A activity in the cybersecurity space, which appears to be intensifying due to rising market demand. According to a recent Boston Consulting Group report, Australia's cloud market will approach $10 billion in 2022 or 2023, up from under $5 billion three years ago.

Malevolent PyPI Packages Detected Filching Developer Data

 

Software package repositories have become a frequent target for supply chain attacks. Reports of malware attacks on prominent repositories such as npm, PyPI, and RubyGems have been surfacing recently. Developers place considerable trust in these repositories and install packages from them on the assumption that they are trustworthy.

Malicious packages can be uploaded to a package repository, allowing threat actors to use the repository itself to distribute malware and mount successful attacks against both developers and the CI/CD machines in their pipelines.

Eight Python packages containing malicious code, downloaded more than 30,000 times in total, have been removed from the PyPI portal, demonstrating once again how software package repositories have become a hub for this popular form of supply chain attack.

The lack of moderation and automated security safeguards in public software repositories allows even relatively unsophisticated attackers to use them as a base for distributing malware, whether through typosquatting, dependency confusion, or basic social engineering.

PyPI is Python's primary third-party software repository; package manager utilities such as pip use it as their default source of packages and dependencies.

Several of the packages could have been used for more complex attacks, allowing the attacker to execute code remotely on the target device, collect network data, steal credit card details and passwords autosaved in browsers such as Chrome and Edge, and in some cases even steal Discord authentication tokens in order to impersonate the victim.

PyPI is not the only software package repository that presents an attack surface: rogue packages have also been identified in npm and RubyGems that could compromise an entire system or serve as a jump-off point to move deeper into a victim's network.

"The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks," said JFrog CTO Asaf Karas. "The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers." 

On the developers' side, precautionary measures must form a key part of any CI/CD pipeline, including verifying library signatures and using automated security tools that analyze suspicious code pulled into the project. Such tools can warn users when harmful code is present.
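As an added example (not code from the article, from PyPI or from pip), the following pre-install gate shows the two pipeline checks the paragraph calls for: hash-pinned requirements verified against the downloaded artifact, and a typosquat screen that flags names one or two keystrokes away from a popular package. The popular-package list, the package bytes and the requirements text are constructed for the demonstration.

```python
"""Pre-install checks for a CI/CD pipeline: hash-pinned requirements plus a
typosquat screen.  Added example, not code from the article or from PyPI/pip;
the popular-package list, package bytes and requirements text are constructed."""
import hashlib
import re

# Constructed allow-list of well-known names that typosquatters imitate.
POPULAR = {"requests", "urllib3", "numpy", "django", "flask", "pillow", "boto3"}

REQ_RE = re.compile(
    r"^([A-Za-z0-9_.-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})*)$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_requirement(line: str):
    """Parse 'name==version --hash=sha256:<hex> ...' (pip's hash-pinning form).
    Returns (name, version, set_of_hashes) or None if the line is not pinned with ==."""
    m = REQ_RE.match(line.strip())
    if m is None:
        return None
    hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group(3)))
    return m.group(1).lower(), m.group(2), hashes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many keystrokes separate 'name' from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR, max_distance: int = 2):
    """Popular names that 'name' closely resembles without matching exactly."""
    name = name.lower()
    return sorted(p for p in popular if p != name and edit_distance(name, p) <= max_distance)


def verify_artifact(data: bytes, pinned: set) -> bool:
    """True only if the downloaded file's SHA-256 is one of the pinned hashes."""
    return sha256_hex(data) in pinned


def check_requirements(text: str, artifacts: dict) -> list:
    """Gate a requirements file before installation.  'artifacts' maps package
    name to the downloaded bytes.  Returns (name, status) findings in file order;
    any REJECT should fail the pipeline step."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parsed = parse_requirement(line)
        if parsed is None:
            findings.append((line, "REJECT: unpinned or malformed requirement"))
            continue
        name, _version, hashes = parsed
        if not hashes:
            findings.append((name, "REJECT: no --hash pin"))
            continue
        lookalikes = typosquat_candidates(name)
        if lookalikes:
            findings.append((name, "WARN: resembles " + ", ".join(lookalikes)))
        data = artifacts.get(name)
        if data is None:
            findings.append((name, "REJECT: artifact missing"))
        elif verify_artifact(data, hashes):
            findings.append((name, "OK: hash verified"))
        else:
            findings.append((name, "REJECT: hash mismatch"))
    return findings


# Constructed sample: a genuine artifact, a tampered one, and a requirements
# file that pins the genuine hash for both names (the second name is a typo).
GOOD_PKG = b"constructed sdist bytes for requests"
BAD_PKG = b"constructed sdist bytes for requsts (tampered)"
SAMPLE_REQUIREMENTS = f"""
# hashes would normally come from `pip hash` on the vetted artifact
requests==2.26.0 --hash=sha256:{sha256_hex(GOOD_PKG)}
requsts==1.0.0 --hash=sha256:{sha256_hex(GOOD_PKG)}
flask==2.0.1
"""
SAMPLE_ARTIFACTS = {"requests": GOOD_PKG, "requsts": BAD_PKG}

if __name__ == "__main__":
    for name, status in check_requirements(SAMPLE_REQUIREMENTS, SAMPLE_ARTIFACTS):
        print(f"{name:10s} {status}")
```

The distance threshold is a heuristic: short names will produce false positives, so a WARN is a review trigger, while only a hash failure or missing pin should block the build.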

An Indian Firm Facing 1,738 Cyber Attacks A Week On Average, Claims Report


A report published on Thursday claims that Indian organizations faced an average of 1,738 cyberattacks per organization per week over the last six months, compared with 757 attacks per organization globally.

According to the report by Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies, some of the Indian industries that have been most vulnerable in the last six months include government/military, education/research, insurance/legal, manufacturing and healthcare institutions.

Malicious actors continue to exploit data related to the Covid-19 pandemic, and ransomware attacks have increased by 93 percent globally, according to the 'Cyber Attack Trends: 2021 Mid-Year Report'.

The figures show that the APAC region experienced the highest rate of cyberattacks, at around 1,338 per organization, followed by EMEA at 777 and the Americas at 688.

"In the first half of 2021, cybercriminals have continued to adapt their working practices to exploit the shift to hybrid working, targeting organizations' supply chains and network links to partners to maximum disruption," said Maya Horowitz, VP Research at Check Point Software.

"This year cyber-attacks have continued to break records and we have even seen a huge increase in the number of ransomware attacks, with high-profile incidents such as SolarWinds, Colonial Pipeline, JBS, or Kaseya," Horowitz added.

Despite continuous efforts by governments and law enforcement agencies, ransomware attacks are likely to keep growing rapidly in the coming months of 2021.

"Ransomware attacks will continue to proliferate despite increased investment from governments and law enforcement, especially as the Joe Biden Administration makes this a priority," the report added.

Ransomware Attempt Volume Touching Over 300 Million, Sets Record




A new report published by network security company SonicWall states that ransomware attacks rose sharply in the first half of 2021, with 304.7 million attempted attacks observed by the company.

SonicWall's research team recorded high volumes of attempted ransomware attacks in both April and May, but the records set in those two months were surpassed in June, which saw 78.4 million attempts.

According to the study, the total number of ransomware attacks observed by SonicWall in the first half of 2021 has already broken the record for all of 2020.

"Even if we don't record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded," the report read.

According to the 2021 SonicWall Cyber Threat Report, developed countries including the US, the UK, Germany, South Africa, and Brazil topped the list of countries hardest hit by ransomware in the first half of 2021.

The report also names the US states hit hardest: Florida saw 111.1 million ransomware attempts, New York 26.4 million, Idaho 20.5 million, and Rhode Island and Louisiana each faced nearly 9 million.

The report also examines what these ransomware attacks are doing to organizations' systems. SonicWall's network collects malware samples and IP-related data from tens of thousands of firewalls and email security devices around the world.

According to the report, the most common targets in 2021 are important governmental organizations such as financial institutions, defense, and information broadcasting institutions; government faces more attacks than any other industry each month. By June, government customers saw 10 times as many ransomware attempts, an overall spike of 917%.

Customers in the education field have been found to be largely targeted by ransomware attempts, with an increase of 615%. SonicWall Capture Labs threat researchers have found an increased risk of ransomware attacks across healthcare (594%), as well as retail (264%) organizations.

According to data from SonicWall's Capture Labs, three ransomware families, Ryuk, Cerber, and SamSam, are alone responsible for 64% of all attempted ransomware attacks. Ryuk accounted for 93.9 million attempts, a surge that tripled the number of Ryuk attempts seen in 2020.

Cerber, meanwhile, accounted for 52.5 million ransomware attempts in 2021, while SamSam's attempts rose to 49.7 million in 2021, up from 15.7 million last year.



Hacker Uses Credential Phishing to Gain Access Into PayPal Account

 

Analysts from Cofense Phishing Defense Center recently found a unique PayPal credential phishing attack. Phishing is a harmful technique that hackers use to steal sensitive information like banking information, credit card data, usernames, and passwords. The actors pretend to be genuine individuals to lure victims by gaining their trust and stealing their personal information. Even worse, the confidential data stolen through phishing attacks can be used for identity theft, financial theft to gain illegal access into victim accounts, or use this account access to blackmail the victims. 

Because credential phishing is generally conducted through a simple URL link, it is easy to overlook the exaggerated or subtle tactics hackers use to steal credentials from unsuspecting victims. According to the experts, the attack is not very sophisticated and does not look suspicious. Cybersecurity analyst Alex Geoghagan said the email is designed to pressure the victim into resolving a supposed problem quickly. The attacker did not even bother to hide the 'from' email address, which was later identified as not actually belonging to PayPal. Still, the email was well put together, and few recipients would have suspected it was fraudulent.

Alex Geoghagan says "There is a “Help & Contact” link, as well as an (ironic) “Learn to identify Phishing” link in the body of the email, both leading to authentic PayPal links. Beyond the first clue in the sender email address, when hovering over the button labeled “Confirm Your Account,” it does not lead to a PayPal URL. It instead leads to a URL at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, while the legitimate PayPal live chat is hosted within the PayPal domain and requires that you log in to use it." 

Once the fake live chat has been accessed, the hacker uses automated scripts to start a conversation with the victim and attempts to collect user data such as the email address and credit card information. In other words, the hacker gathers this information to appear genuine and to hold enough details for authentication. Once the information is acquired, the hacker tries to steal the victim's PayPal credentials. After that, a verification code is sent to the target via SMS to make them think an authorised person has access to their device. "This attack demonstrates the complexity of phishing attacks that go beyond the typical “Forms” page or spoofed login. In this case, a carefully crafted email appears to be legitimate until a recipient dives into the headers and links, which is something your average user will most likely not do," says Alex Geoghagan.

Seven-Fold Surge in Dark Web Ads Providing Corporate Network Access

 

In a recent study, researchers at Positive Technologies documented the evolution of hacker-placed ads on the dark web from 2020 to early 2021. The dark web has transformed into a thriving marketplace for cybercriminals who want to buy or sell illegal and malicious goods and services.

The number of ‘access-for-sale’ ads on the dark web has increased seven-fold compared with previous years. Researchers have identified as many as 590 new offers in the first quarter of 2021 alone, which is 83% of all offers in 2020. A contributing factor to this increase is a jump in ransomware attacks, according to the report.

Security specialists at the company believe that the profile of threat actors is changing in several ways. An outside intruder who gains initial access to a corporate network has a different profile from the criminal who carries the attack forward after the break-in. Most importantly, the two have different skillsets.

Positive Technologies researchers note that ads promising access on dark web forums increased with each quarter throughout the observed period. In the first quarter of 2021, the number of users who placed ads for buying and selling access and also for seeking hacking partners tripled compared to Q1 2020.

“The market for access to corporate networks has evolved in the past few years. It could be assessed as mature as early as the beginning of 2020. A factor that contributed to this level of development is an increase in ransomware attacks: members of ransomware partner programs often use offers available on the initial access market,” Vadim Solovyov, a senior information security analyst at Positive Technologies stated.

Around $600,000 worth of corporate network access is sold on the Dark Web each quarter. Though that number seems low, selling prices on the Dark Web tend to be cheap, and the average cost keeps going down. This may reflect mass entry into the market by novice attackers. 

“As we can see, most companies who had access to their networks put up for sale by cybercriminals belong to the services (17%), manufacturing (14%), and research and education (12%) industries. Note that the share of industrial companies and financial institutions, whose networks are typically more expensive to hack, decreased somewhat. This may be attributed to the fact that the initial access market is served by lower-skilled actors who prefer easier victims,” Yana Yurakova, a security analyst at Positive Technologies explained.

Two Belarusians Arrested in Black Box ATM Attack

 

Polish authorities, with the assistance of Europol, have detained two individuals for committing so-called ‘Black Box’ attacks on ATMs, in which criminals attach electronic devices to cash machines and electronically force them to dispense all their cash.

The two Belarusian residents were arrested following ATM 'jackpotting' attacks that fraudulently caused cash machines across Europe to dispense EUR 230,000 ($273,000).

According to a press statement released by Europol on July 29, the criminals gained access to the ATM cabling by drilling holes or removing parts, then physically connected the equipment to a laptop, which was used to relay commands that dispensed all of the cash in the ATM.

An ATM black-box attack is a type of ATM cash-out fraud against the financial system in which the culprit drills holes in the top of the cash machine to reach the ATM's internal infrastructure. The ATM's cash dispenser is then connected to an external electronic device, or black box, which issues native ATM commands to release money, bypassing the need for a card or transaction authorization.

Coordinated by the EU Law Enforcement Agency and its Joint Cybercrime Action Taskforce (J-CAT), the investigation found that dozens of such "black box" attacks have been committed by criminals in at least seven European countries.

The attackers targeted only a specific ATM model, Europol stated; the agency declined to disclose in its assessment which cash machine brand is susceptible to the technique. Polish police in Warsaw detained both suspects on 17 July. The investigation also involved German, Austrian, Swiss, Slovak, and Czech law enforcement authorities.

While ATMs are a lucrative target, they often have major physical and virtual weaknesses. ATM vulnerabilities have been a recurring issue since hacker Barnaby Jack made an ATM dump all its cash on stage at the Black Hat USA security conference in 2010.

Malicious Linux Shell Scripts Used to Evade Defenses

 

Attackers' evasive methods date back to the days when base64 and other common encoding schemes were used.

Today, attackers use new Linux shell script methods and techniques to deactivate firewalls and monitoring agents and to change access control lists (ACLs). The common evasive shell-script techniques are:

1. Uninstalling monitoring agents
Monitoring agents are software components that track a system's process and network activity on a regular basis. They also produce various logs, which are useful during an incident investigation.

The malicious script, discovered in the osquery-based sandbox, attempts to uninstall the cloud-related monitoring agent Aegis (Alibaba Cloud's threat detection agent) and terminate the Aliyun service. It also tries to uninstall YunJing, a host security agent from Tencent, and the BCM client management agent, which is generally installed on endpoints for risk mitigation.

2. Disabling Firewalls and Interrupts
Most systems and servers employ a firewall as a defensive measure. As a defense-evasion technique, the malicious software attempts to deactivate the firewall, i.e., ufw (Uncomplicated Firewall). In addition, attackers flush the iptables rules (iptables -F); iptables is commonly used on Linux desktops and servers to manage firewall rules.

The scripts also disable the non-maskable interrupt (NMI) watchdog. The watchdog is a configurable timer that raises an interrupt when a certain condition and timeout are met; in the event of a system freeze, the NMI watchdog's interrupt handler stops the process that caused the hang. To get around this defense, attackers disable the watchdog feature using the sysctl command, or disable it temporarily by setting its value to ‘0’.

3. Disabling Linux Security Modules (LSMs)
The malicious shell script also disables security components such as SELinux and AppArmor. These modules are used to enforce mandatory access control (MAC) policies, and a server administrator can readily configure them to give users restricted access to the programs installed or running on the system.

- AppArmor: AppArmor is a Linux security feature that allows users to lock down applications such as Firefox for added protection. In Ubuntu's default setup, a user can confine a program by granting it limited permissions.

- SELinux: SELinux is a Linux security feature that allows a security administrator to apply a security context to specific applications and services. On many web servers the shell is blocked or restricted by it, so attackers who have achieved RCE (Remote Code Execution) generally try to bypass or disable it.

4. Modifying ACLs
Access Control Lists (ACLs) hold the rules for granting rights on files and utilities. Filesystem ACLs tell the operating system which users are authorized to access an object and what rights they possess. In Linux, the setfacl program is used to modify and remove ACLs.

5. Changing Attributes
In Linux, the chattr command is used to set and unset various attributes of a file. Attackers use it to protect their own dropped files or to make them immutable so that they cannot be deleted by a user.

6. Renaming common utilities
In one of the malicious scripts, common utilities such as wget and curl were used under different names. These programs are often used to fetch files from a remote IP address, and attackers use them to download malicious files from their command-and-control (C2) servers.

If wget and curl are used under different names, some security systems that track the precise names of the utilities may not trigger the download event. 

- EDR Detections by Uptycs
Uptycs EDR flagged these malicious scripts with a threat score of 10/10 using YARA process scanning.

As attackers adopt newer and more complex evasion techniques, it is more important than ever to track and document what is happening on the system. According to Threatpost, the following measures are recommended:

- Monitor suspicious processes, events, and network traffic resulting from the execution of any untrusted binary on a regular basis.
- Keep systems and firmware up to date with the latest fixes and releases.
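As an added example (not Uptycs' YARA rules or any vendor's detection logic), the following rule-based scanner checks a shell script for the six evasion techniques listed above and turns the hits into a verdict. The agent names and commands in the rules come from the article; the sample script is constructed and is not a real malware sample.

```python
"""Rule-based static scan of a Linux shell script for the defense-evasion
techniques listed above.  Added example, not Uptycs' YARA rules or any
vendor's detection logic; the sample script is constructed."""
import re

# (technique, pattern) pairs; each pattern is applied to one line of shell text.
EVASION_RULES = [
    ("uninstall_monitoring_agent",
     re.compile(r"\b(aegis|aliyun|yunjing|bcm)\b", re.I)),
    ("disable_firewall",
     re.compile(r"\bufw\s+disable\b|\biptables\s+(-F|--flush)\b", re.I)),
    ("disable_nmi_watchdog",
     re.compile(r"nmi_watchdog\s*=\s*0\b|/proc/sys/kernel/nmi_watchdog")),
    ("disable_lsm",
     re.compile(r"\bsetenforce\s+0\b|SELINUX\s*=\s*disabled|\baa-teardown\b"
                r"|systemctl\s+(stop|disable)\s+apparmor", re.I)),
    ("modify_acl", re.compile(r"\bsetfacl\b")),
    ("change_attributes", re.compile(r"\bchattr\s+(-R\s+)?[+-][ia]")),
    ("rename_downloader",
     re.compile(r"\b(cp|mv|ln\s+-s)\s+(\S*/)?(wget|curl)\s+\S+")),
]


def scan_script(script: str) -> list:
    """Return (line_no, technique, line) for every rule hit, skipping comment-only lines."""
    hits = []
    for line_no, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for technique, pattern in EVASION_RULES:
            if pattern.search(stripped):
                hits.append((line_no, technique, stripped))
    return hits


def classify(script: str, threshold: int = 3) -> dict:
    """Aggregate hits into distinct techniques and a verdict.  One technique on
    its own (a lone setfacl, say) is routine admin work; several together is
    the pattern the article describes."""
    hits = scan_script(script)
    techniques = sorted({t for _, t, _ in hits})
    if not techniques:
        verdict = "clean"
    elif len(techniques) < threshold:
        verdict = "suspicious"
    else:
        verdict = "likely malicious"
    return {"findings": hits, "techniques": techniques, "verdict": verdict}


# Constructed sample mirroring the script behaviour described in the article.
SAMPLE_SCRIPT = """#!/bin/bash
# constructed sample, not a real malware script
/usr/local/aegis/uninstall.sh
systemctl stop aliyun.service
ufw disable
iptables -F
sysctl -w kernel.nmi_watchdog=0
echo 0 > /proc/sys/kernel/nmi_watchdog
setenforce 0
systemctl stop apparmor
setfacl -b /etc/cron.d
chattr +i /tmp/.x/payload
cp /usr/bin/wget /tmp/.x/kthreadd
echo "update complete"
"""

# Constructed benign script: touches ufw but only to read status.
BENIGN_SCRIPT = """#!/bin/sh
apt-get update
ufw status
"""

if __name__ == "__main__":
    result = classify(SAMPLE_SCRIPT)
    for line_no, technique, line in result["findings"]:
        print(f"line {line_no:2d} {technique:28s} {line}")
    print("verdict:", result["verdict"])
```

Because the renamed-utility rule only catches the copy or move itself, pair a scanner like this with process telemetry (as the EDR detection above does) so that a binary executing under a new name is still attributed to wget or curl.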

Data of 100 Million JustDial Customers Left Unsecured for Over a Year

 

The Personally Identifiable Information (PII) of approximately 100 million users of local business listing site JustDial was at stake after an Application Programming Interface (API) was left exposed for over a year. 

JustDial is an Indian internet technology firm that offers local search for a variety of services in India via phone, Internet, and mobile apps. 

A fix now appears to have protected the PII, which includes users' names, gender, profile photos, email addresses, phone numbers, and birthdates.

Rajshekhar Rajaharia, an independent internet security researcher who first tweeted about this on Tuesday, informed BusinessLine that after discovering the data breach, he contacted the organization, and it was patched and fixed promptly. 

“The company’s data was exposed since March 2020, though we can’t say yet if they have been leaked. We will only know once JustDial releases an audit report on it,” Rajaharia stated. 

He added that JustDial needs an audit because the system may have other flaws. JustDial did not respond to an email requesting comment.

JustDial became a Mukesh Ambani group firm just ten days ago when Reliance Retail bought a 41% stake in it for $3,497 crore. Bill payments and recharge, groceries and food delivery, and reservations for restaurants, cabs, movie tickets, plane tickets, and events are among the services provided by the organization. 

This is not the first time JustDial's data has been exposed. In April 2019, Rajaharia discovered that a similar API was leaking user information in real time whenever someone called or messaged JustDial via its app or website. The company claimed to have resolved the issue, but it appears to have resurfaced a year later.

According to Rajaharia, JustDial never reveals the total number of people who have signed up. It discloses the number of active users and merchants, but never the total, because every time someone dials the platform's "88888 88888" number the caller's data is immediately saved in JustDial's database. This information is also at risk of being leaked, and it can be tracked in real time through the API in question. An attacker who gained access to it could quickly extract the data of every JustDial user and upload it to the dark web.

Many famous online firms and their customers have been the victims of data leaks and carelessness since the pandemic broke last year. MobiKwik, JusPay, Upstox, Bizongo, BigBasket, Dominos India, and even Air India are among them. 

As per BusinessLine, Kapil Gupta, co-founder, Volon Cyber Security stated, “Customers need to be notified about any data leak happening in companies so that they can reset accounts and change passwords to protect their data. Though users can sue, raise a complaint, and even ask for damages, under the Right to Privacy or IT Acts, these policies are still open to interpretation. The articulation is not obvious.” 

“The proposed Data Protection Bill gives more clarity on accountability of the companies facing a data breach. They have to voluntarily disclose and pay a fine if a data breach happens or they will be punished under the law. But we are still waiting for the DPB,” he added.

Bugs in the Zimbra Server Could Lead to Unrestricted Email Access

 

Multiple security flaws have been uncovered in the Zimbra email collaboration software that could be abused to compromise email accounts by sending a malicious message, or even to take control of the mail server when it is hosted on cloud infrastructure. Researchers from code quality and security company SonarSource found and reported the flaws, tracked as CVE-2021-35208 and CVE-2021-35209, in Zimbra 8.8.15 in May 2021. Zimbra has since released versions 8.8.15 Patch 23 and 9.0.0 Patch 16 with mitigations.

"A combination of these vulnerabilities could enable an unauthenticated attacker to compromise a complete Zimbra webmail server of a targeted organization," said SonarSource vulnerability researcher, Simon Scannell, who identified the security weaknesses. "As a result, an attacker would gain unrestricted access to all sent and received emails of all employees." 

Zimbra is a cloud-based email, calendar, and collaboration suite for businesses that comes in both an open-source and commercially supported version with extra capabilities like a proprietary connector API for synchronising mail, calendar, and contacts with Microsoft Outlook, among other things. It's utilised by more than 200,000 companies in 160 countries. 

The first flaw, discovered by Simon Scannell, could be exploited simply by opening a malicious email carrying a JavaScript payload. A cross-site scripting (XSS) bug (CVE-2021-35208) would be triggered in the victim's browser when such a rigged email is opened. According to SonarSource, when the payload executes it gives the attacker access to the victim's emails as well as their webmail session, and it can serve as a starting point for further attacks: “With this, other features of Zimbra could be accessed and further attacks could be launched.”

The second bug is an allow-list bypass leading to a powerful server-side request forgery (SSRF) vulnerability (CVE-2021-35209), which can be exploited by an authenticated account belonging to a member of the targeted organisation with any permitted role. When the two bugs are combined, a remote attacker could obtain valuable information from cloud infrastructure instances, such as Google Cloud API tokens or AWS IAM credentials.

"Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet," the company noted in its advisory. "If this servlet is configured to allow a particular domain (via zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly."
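The advisory's scenario, an allowed domain that resolves to an internal address, is exactly what a hostname-only allow-list misses. As an added example (not Zimbra's Proxy Servlet code), the check below matches the allow-list by exact or subdomain match, restricts the port, resolves the name, rejects any non-public answer, and returns the resolved address so the caller connects to it instead of re-resolving. The fake DNS table, the example.com names and the addresses are constructed for offline use; `resolve_all` is the live resolver a deployment would plug in.

```python
"""Allow-list check for an outbound proxy, addressing the Zimbra advisory
scenario above: an allowed domain that resolves to an internal address must
not reach internal services.  Added example, not Zimbra's Proxy Servlet code;
the fake DNS table and addresses are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit


def host_in_allow_list(host: str, allowed_domains) -> bool:
    """Exact or subdomain match only; 'evil-example.com' must not match 'example.com'."""
    host = host.rstrip(".").lower()
    for domain in allowed_domains:
        domain = domain.rstrip(".").lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def is_public_ip(ip_str: str) -> bool:
    """Reject loopback, RFC 1918, link-local (where cloud metadata services live),
    multicast and other non-global ranges, unwrapping IPv4-mapped IPv6 first."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_all(host: str) -> list:
    """Live resolver: every address the name maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_proxy_target(url: str, allowed_domains, resolver=resolve_all,
                       allowed_ports=(80, 443)):
    """Return (ok, reason, pinned_ip).  The caller must open the connection to
    pinned_ip and send the original Host header; re-resolving the name later
    would let a DNS rebind swap in an internal address after this check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port", None
    if port is not None and port not in allowed_ports:
        return False, "port not allowed", None
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed", None
    except ValueError:
        pass  # not an IP literal, continue with the domain checks
    if not host_in_allow_list(host, allowed_domains):
        return False, "host not in allow-list", None
    ips = resolver(host)
    if not ips:
        return False, "host does not resolve", None
    for ip in ips:  # every answer must be public, not just the first
        if not is_public_ip(ip):
            return False, f"resolves to non-public address {ip}", None
    return True, "ok", ips[0]


# Constructed DNS answers standing in for the advisory's allowed-domain cases.
FAKE_DNS = {
    "chat.example.com": ["93.184.216.34"],
    "internal.example.com": ["127.0.0.1"],
    "meta.example.com": ["169.254.169.254"],
    "v6.example.com": ["::ffff:10.0.0.5"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://chat.example.com/api", "https://internal.example.com/",
                "https://chat.example.com:8443/", "https://example.com.evil.test/"):
        print(url, check_proxy_target(url, ["example.com"], fake_resolver))
```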

Safeguard Your Smartphones From Radio-based Attacks

 

Smartphones, unlike PCs, involve a range of radios – generally cellular, Wi-Fi, Bluetooth, and Near Field Communication (NFC) – that permit wireless communication in a variety of situations, and these radios are made to remain turned on while the user moves around the world. All smartphone users should be aware of the security implications of these wireless connections. 

Security flaws in these interfaces are a matter of concern, whether built into the protocol or found in a particular implementation. They can enable attackers to force connections to untrusted equipment, allowing them to extract data and even gain access to the target device. According to reports, RF-based tactics are used by sophisticated nation-state actors such as Russia and China, allegedly targeting people passing through airports and other chokepoints. The tools for RF hacking, however, are also available to garden-variety hackers.

Ways attackers engage in RF hacking: 

The IMSI catcher, also known as a cell-site simulator, false cell tower, rogue base station, StingRay, or dirtbox in cellular communications, is the biggest concern. An IMSI catcher is a piece of equipment that acts like a genuine cell tower, allowing a targeted smartphone to connect to it rather than the actual mobile network. It may be done using a variety of ways, such as impersonating a neighboring cell tower or using white noise to jam the competing 5G/4G/3G frequencies. 

After capturing the targeted smartphone's IMSI (the ID number tied to its SIM card), the IMSI catcher places itself between the smartphone and its cellular network. It is then used to track the user's position, collect data from the phone, and, in some circumstances, even install spyware on the device.

Unfortunately, there's no guaranteed method for the ordinary smartphone user to see or know they're connecting to a fraudulent cell tower, but there may be some hints: a notably slower connection or a change in a band in the phone's status bar. 

5G in standalone mode promises to make IMSI catchers obsolete, since the Subscription Permanent Identifier (SUPI), 5G's IMSI equivalent, is never exposed in the handshake between smartphone and cell tower. However, because these deployments account for a small percentage of all cellular networks, IMSI catchers will continue to succeed in the vast majority of situations for the foreseeable future.

A Karma attack performed via a rogue access point is a critical danger to be mindful of on the Wi-Fi front. A rogue access point is often a Wi-Fi penetration testing device – the Wi-Fi Pineapple is one popular model – that is set up to attract unsuspecting users rather than auditing Wi-Fi networks. 

In a Karma attack, the rogue AP abuses a basic feature of smartphones and all Wi-Fi-enabled devices. When a smartphone's Wi-Fi is turned on but not connected to a network, the phone broadcasts its preferred network list (PNL), which contains the SSIDs (Wi-Fi network names) of access points it previously connected to and is willing to reconnect to automatically without user intervention.

After obtaining this list, the rogue AP assigns itself an SSID from the PNL, fooling the smartphone into believing it has connected to a known Wi-Fi network. Once the targeted smartphone connects, an intruder can spy on its network traffic to acquire sensitive data. This sort of attack is difficult to detect without constantly watching the Wi-Fi indicator in the status bar.

Bluetooth exploits: Instead of relying on constraints inherent in the protocol's standard operating procedures, attackers use particular weaknesses inside the protocol or its implementation to carry out an attack. Bluetooth is a very lengthy and complicated standard, which means there are more possibilities for flaws to arise in the protocol's code as well as for developers to make mistakes in their implementations. 

BlueBorne is a strong example of the damage a Bluetooth-based attack can do. The BlueBorne vulnerabilities, first disclosed in 2017 and largely fixed since, form an attack vector that lets an attacker take full control of a target device without pairing with it, and without the device even being in discoverable mode. Such control is possible because the Bluetooth stack has elevated privileges on nearly all operating systems, with components ranging from the hardware level up to the application level. 

Lastly, NFC is the technology used for contactless payment between a smartphone and a retailer's terminal. Because its range is very short (a few centimetres) and its use cases are narrower, NFC attacks are rarer, but they are possible. On Android, for example, a malicious NFC tag can immediately open a malicious site in the browser if the device is unlocked. On iOS, weaponizing a tag takes some social engineering, because a popup tells the user that the tag wants to open a particular app; in a transit station, for instance, the tag might invite the user to open the latest train timetable in their browser. 
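To make concrete what such a tag carries, here is an added NDEF parser (not code from the original post) that decodes a tag's records and reports the URIs a handset's default NFC handler would pass to the browser or dialer. The record layout follows the NFC Forum NDEF and URI Record Type specifications; the tag contents below, including the "timetable" URL, are constructed for the demo:

```python
"""Parser for NDEF messages that reports the URI records a handset would act on.

Added example, not code from the original post. The tag contents are constructed
for the demo. Record layout follows the NFC Forum NDEF and URI Record Type
specifications: header byte (MB, ME, CF, SR, IL flags and a 3-bit TNF), type
length, payload length (1 byte when SR is set, otherwise 4), optional ID length,
type, ID, payload. For a URI record the first payload byte is an abbreviation code.
"""
import struct

TNF_WELL_KNOWN = 0x01
FLAG_MB, FLAG_ME, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x10, 0x08
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
                0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def parse_ndef(data: bytes):
    """Split an NDEF message into records, refusing any length that overruns the data."""
    records, off = [], 0

    def take(n):
        nonlocal off
        if off + n > len(data):
            raise ValueError("record overruns message at offset %d" % off)
        chunk = data[off:off + n]
        off += n
        return chunk

    while off < len(data):
        hdr = take(1)[0]
        type_len = take(1)[0]
        payload_len = take(1)[0] if hdr & FLAG_SR else struct.unpack(">I", take(4))[0]
        id_len = take(1)[0] if hdr & FLAG_IL else 0
        rtype, rid, payload = take(type_len), take(id_len), take(payload_len)
        records.append({"tnf": hdr & 0x07, "type": rtype, "id": rid, "payload": payload})
        if hdr & FLAG_ME:
            break                                    # message end flag
    return records


def decode_uri(record):
    """Return the URI carried by a well-known 'U' record, or None for other records."""
    if record["tnf"] == TNF_WELL_KNOWN and record["type"] == b"U" and record["payload"]:
        prefix = URI_PREFIXES.get(record["payload"][0], "")
        return prefix + record["payload"][1:].decode("utf-8")
    return None


def uris_phone_would_open(data: bytes):
    """What an unlocked handset's default NFC handler would hand to the browser or dialer."""
    return [uri for uri in map(decode_uri, parse_ndef(data)) if uri is not None]


def build_record(tnf, rtype: bytes, payload: bytes, first=True, last=True) -> bytes:
    """Short-record encoder used to construct the sample tags below."""
    hdr = tnf | FLAG_SR | (FLAG_MB if first else 0) | (FLAG_ME if last else 0)
    return bytes([hdr, len(rtype), len(payload)]) + rtype + payload


# Constructed tag: a harmless text record followed by a URI record using the "https://" code.
TRANSIT_TAG = (build_record(TNF_WELL_KNOWN, b"T", b"\x02en" + b"Train times", last=False)
               + build_record(TNF_WELL_KNOWN, b"U", b"\x04" + b"timetable.example/latest", first=False))
```

Note that the text record is inert: only the URI record is something the phone acts on, which is why a tag on a poster needs just one well-known "U" record to steer an unlocked device to an attacker's page. The `take` helper rejects a truncated or length-lying tag instead of reading past the end of the buffer, the check a native NDEF stack must make too.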

Techniques to minimize risks: 

Although radio-based attacks on smartphones are usually invisible to the user and fall outside what most mobile security products can detect, there are a few steps a user can take to protect their phone and data. 

Turning radios (especially Wi-Fi and Bluetooth) off when they are not in use or when in public is the most effective measure. If the phone allows it, disable 2G to reduce exposure to IMSI catchers. Turn off auto-join for Wi-Fi hotspots, and forget open networks you no longer need so that they drop out of the PNL. Install security updates as soon as they are available so that known Bluetooth flaws are patched. 

If you regularly pass through chokepoints or known hostile areas, consider investing in a high-end Faraday case to block RF attacks (cheaper Faraday bags are often inadequate against strong signals). The radios in smartphones are a crucial part of why these devices are so useful; with a little knowledge and some discipline about when they are switched on, users can avoid being easy targets for those who would misuse them.

Pegasus: The Case of the Infamous Spyware

 

The case of the infamous spyware Pegasus has taken the world by storm, with reporting that reveals its unlawful use against people's basic human rights. With this kind of remote surveillance possible from an infected device, cybersecurity has become more pressing than ever. According to reporting from around the world, a leaked list of some 50,000 phone numbers belonging to potential targets of NSO Group's software included politicians, business people, journalists, and activists. 

Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the origins of Pegasus and how it differs from an ordinary vulnerability. "Pegasus is a spyware with versions for both iOS and Android devices," he explains. Even in 2017, the malware could "read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things." Galov stresses that Pegasus is sophisticated and costly malware, built to spy on people of particular interest; the typical user is therefore unlikely to be a target. 

Its sophistication, however, makes it one of the most powerful tools for spying on a smartphone. Pegasus has evolved over time to exploit a series of zero-day vulnerabilities in Android and iOS. Although it tries to erase its own traces from an infected device, some of them can still be found by forensic examination. According to Galov, many parties on the darknet buy and sell malware as well as zero-day vulnerabilities, and prices can reach $2.5 million: that is what a full chain of Android vulnerabilities was offered for in 2019. 

Amnesty International researchers have created a toolkit that helps determine whether a phone has been infected with the spyware. The Mobile Verification Toolkit (MVT) is published as open source on GitHub. Users install the Python package by following the MVT documentation, which also explains the procedure for both iOS and Android. On iOS, users must first take a backup of the device and then point MVT at that backup, together with the published indicators of compromise. 
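The core of that check is indicator matching: MVT loads a STIX2 bundle of indicators and compares artifacts pulled from the backup (browser history, process lists and so on) against it. The following is an added, simplified version of that logic, not MVT's own code. The STIX2 bundle, the Safari-history rows and the process names are all constructed for the demo (the domain and process name are invented, not real Pegasus indicators); MVT itself reads the real databases out of an iOS backup:

```python
"""Indicator matching of the kind MVT performs against a phone's artifacts.

Added example, not MVT's own code. It parses a STIX2 indicator bundle (the format in
which Amnesty publishes its indicators and which MVT loads with --iocs), then checks
constructed Safari-history rows and a constructed process list against the
domain-name and process-name patterns. Bundle and artifacts are invented for the demo.
"""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the shape MVT consumes. Pattern strings are STIX
# comparison expressions; only the two object types this demo needs are handled.
IOC_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--demo", "objects": [
        {"type": "indicator", "id": "indicator--1", "name": "demo-domain",
         "pattern": "[domain-name:value = 'updates.constructed-spyware.example']"},
        {"type": "indicator", "id": "indicator--2", "name": "demo-process",
         "pattern": "[process:name = 'demoagentd']"},
        {"type": "malware", "id": "malware--1", "name": "demo"},
    ]})

PATTERN = re.compile(r"\[(domain-name:value|process:name)\s*=\s*'([^']+)'\]")


def load_indicators(bundle_json: str):
    """Extract domain-name and process-name indicators from a STIX2 bundle."""
    domains, processes = set(), set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN.fullmatch(obj["pattern"].strip())
        if m is None:
            continue                                   # pattern type this demo ignores
        (domains if m.group(1) == "domain-name:value" else processes).add(m.group(2).lower())
    return domains, processes


def domain_matches(host: str, domains):
    """Exact match or any parent domain of the host (cdn.evil.example hits evil.example)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan(history_rows, process_names, bundle_json=IOC_BUNDLE):
    """Return detections as (artifact, value, timestamp) tuples, history first."""
    domains, processes = load_indicators(bundle_json)
    hits = []
    for row in history_rows:
        host = urlparse(row["url"]).hostname or ""
        if domain_matches(host, domains):
            hits.append(("safari_history", row["url"], row["visited_at"]))
    for name in process_names:
        if name.lower() in processes:
            hits.append(("process", name, None))
    return hits


# Constructed artifacts standing in for rows pulled from History.db and a process dump.
SAMPLE_HISTORY = [
    {"url": "https://www.example.org/news", "visited_at": "2021-07-18T09:02:11Z"},
    {"url": "https://cdn.updates.constructed-spyware.example/x?id=1",
     "visited_at": "2021-07-18T09:02:13Z"},
]
SAMPLE_PROCESSES = ["SpringBoard", "demoagentd", "mediaserverd"]
```

Matching on parent domains matters because exploit infrastructure rotates subdomains; a timestamp on each hit is what lets an analyst build the timeline that the Amnesty report relies on to tie a visit to an infection.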

According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. “We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”

U.S. Department of Commerce Seizes Trade with 6 Russian Companies

 

The Department of Commerce has restricted trade with four Russian IT and cybersecurity companies and two additional entities, according to a notice issued on Friday, 16 July, on the grounds that these organizations pose a threat to US national security. 

The six Russian entities added to the Department's Entity List on Friday build on sanctions imposed by the Treasury Department in April, which alleged that these companies and other organizations are aligned with or support Russia's intelligence services. 

Now that they appear on the Entity List, the Department of Commerce will require them to obtain a special license before doing business with US companies or receiving supplies and components from them.

The Russian organizations now on the list maintained by the Commerce Department's Bureau of Industry and Security are: 

  •  Aktsionernoe Obshchestvo Pasit: an IT company that reportedly conducted research and development for the country's Foreign Intelligence Service; 
  •  Federal State Autonomous Institution Military Innovative Technopolis Era: a research center and technology park operated by the Russian Ministry of Defense;
  •  Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA): a state-owned institution believed to support malicious cyber activity; 
  •  Aktsionernoe Obshchestvo AST; 
  •  Aktsionernoe Obshchestvo Pozitiv Teknolodzhiz, or JSC Positive Technologies; 
  •  Obshchestvo S Ogranichennoi Otvetstvennostyu Neobit. 

According to the Commerce Department, the IT companies AST, Positive Technologies, and Neobit have also worked with the Russian government. 

In April, the Treasury Department's sanctions named Russian technology, security, and research companies that allegedly take part in cyber campaigns with the Russian Foreign Intelligence Service (SVR) and other Russian agencies, including the GRU. 

The Biden administration has sought to curtail Russian cyber activity while responding to a string of incidents, including this month's large-scale attack on Kaseya, a vendor of remote management software, which the Russian-speaking REvil group is accused of carrying out. 

“Treasury is leveraging…[its] authority to impose costs on the Russian government for its unacceptable conduct, including by limiting Russia’s ability to finance its activities and by targeting Russia’s malicious and disruptive cyber capabilities," Treasury Secretary Janet L. Yellen said at the time. 

The department also noted: "The Russian Intelligence Services have executed some of the most dangerous and disruptive cyberattacks in recent history," including the 2020 SolarWinds incident, a supply chain attack that ultimately affected several U.S. agencies. 

The Treasury Department also cited the Kremlin's election interference, the poisoning of opposition figure Aleksei Navalny, and the theft of "red team tools" (software that imitates real cyberattacks for testing purposes) from a US security firm, among other recent actions. The Kremlin has rejected these claims. 

On Thursday, the State Department also announced a reward of up to $10 million for information about cyber threats to the country's critical infrastructure. 

In addition, the Department of Homeland Security and the Justice Department unveiled a website named StopRansomware, intended to be a single platform bringing together ransomware-fighting resources from across government departments. 

Further, Biden added that the U.S. government is prepared to take "any necessary action to defend its people and its critical infrastructure in the face" of ongoing cyberattacks.

Juniper Bug Allows RCE and DoS Against Carrier Networks

 

Juniper Networks' Steel-Belted Radius (SBR) Carrier Edition has a severe remote code-execution vulnerability that leaves wireless carrier and fixed operator networks vulnerable to tampering. By centralizing user authentication, giving the proper level of access, and verifying compliance with security standards, telecom carriers utilize the SBR Carrier server to manage policies for how subscribers use their networks. It enables carriers to distinguish service tiers, diversify revenue models, and manage network resources. 

Juniper Networks, Inc. is a multinational technology company based in Sunnyvale, California. Routers, switches, network management software, network security solutions, and software-defined networking technology are among the networking products developed and sold by the company. Pradeep Sindhu started the company in 1996, with Scott Kriens serving as the original CEO until September 2008. Juniper Networks began by specializing in core routers, which are used by internet service providers (ISPs) to execute IP address lookups and route internet traffic. 

SBR Carrier versions 8.4.1, 8.5.0, and 8.6.0 that use the Extensible Authentication Protocol (EAP) are affected by the bug (CVE-2021-0276). Juniper released a patch on Wednesday. The flaw rates 9.8 out of 10 on the CVSS vulnerability-severity scale. According to Juniper's advisory, it is a stack-based buffer overflow that an attacker can trigger by sending specially crafted packets to the platform, crashing the RADIUS daemon. The result can be RCE as well as denial of service (DoS), in which subscribers lose their network connection. 
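The advisory does not describe the crafted packet, and the following is not Juniper's code or a reproduction of the bug. It is an added example of the class of check a RADIUS/EAP implementation must make before copying attribute data anywhere: every length field in the packet (RADIUS Length, attribute Length, and the Length inside a reassembled EAP-Message) is validated against the bytes actually present, so a packet that lies about a length is rejected rather than overrunning a buffer. Framing follows RFC 2865 (RADIUS), RFC 3579 (EAP-Message, attribute 79) and RFC 3748 (EAP); the packets at the bottom are constructed for the demo:

```python
"""Length-validating RADIUS parser with EAP-Message reassembly.

Added example, not Juniper's code and not the SBR bug itself: it shows the checks a
RADIUS/EAP implementation must make before copying attribute data, so that a packet
whose length fields lie is rejected instead of overrunning a buffer. Framing follows
RFC 2865, RFC 3579 (EAP-Message, attribute 79) and RFC 3748 (EAP header).
The packets at the bottom are constructed for the demo.
"""
import struct

EAP_MESSAGE = 79
RADIUS_MAX = 4096        # RFC 2865 caps a packet at 4096 octets
ACCESS_REQUEST = 1
EAP_RESPONSE, EAP_IDENTITY = 2, 1


def parse_attributes(data: bytes):
    """Walk Type/Length/Value attributes; Length covers Type and Length, so the minimum is 2."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("attribute %d length %d overruns packet" % (atype, alen))
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs


def parse_radius(pkt: bytes, max_eap=RADIUS_MAX):
    """Validate framing, then reassemble and sanity-check any EAP-Message payload."""
    if len(pkt) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length < 20 or length > RADIUS_MAX or length > len(pkt):
        raise ValueError("bad Length field %d" % length)
    attrs = parse_attributes(pkt[20:length])      # octets past Length are padding, ignored
    # RFC 3579: consecutive EAP-Message attributes are concatenated into one EAP packet.
    eap = b"".join(value for atype, value in attrs if atype == EAP_MESSAGE)
    if eap:
        if len(eap) < 4 or len(eap) > max_eap:
            raise ValueError("EAP payload of %d bytes out of range" % len(eap))
        eap_len = struct.unpack(">H", eap[2:4])[0]
        if eap_len != len(eap):                    # the field a crafted packet would lie in
            raise ValueError("EAP Length %d does not match %d bytes carried" % (eap_len, len(eap)))
    return {"code": code, "id": ident, "attrs": attrs, "eap": eap}


def build_radius(code, ident, attrs, authenticator=bytes(16)):
    """Encode a RADIUS packet; the authenticator is zeroed because only framing matters here."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def build_eap(code, ident, etype, data):
    return struct.pack(">BBH", code, ident, 5 + len(data)) + bytes([etype]) + data


# Constructed packets: a well-formed EAP Response/Identity carried over RADIUS, and two
# that lie about a length (the RADIUS attribute and the EAP header respectively).
GOOD = build_radius(ACCESS_REQUEST, 7, [
    (1, b"alice"),
    (EAP_MESSAGE, build_eap(EAP_RESPONSE, 1, EAP_IDENTITY, b"alice@example.net")),
])
_bad_body = bytes([EAP_MESSAGE, 200]) + b"\x02\x01\x00\x05\x01"   # claims 200 octets, carries 5
BAD_ATTR_LEN = struct.pack(">BBH", ACCESS_REQUEST, 8, 20 + len(_bad_body)) + bytes(16) + _bad_body
_lying_eap = build_eap(EAP_RESPONSE, 2, EAP_IDENTITY, b"bob")
_lying_eap = _lying_eap[:2] + struct.pack(">H", 0x4000) + _lying_eap[4:]   # EAP Length 16384
BAD_EAP_LEN = build_radius(ACCESS_REQUEST, 9, [(EAP_MESSAGE, _lying_eap)])
```

In a memory-safe language a missing check turns into an exception; in a C daemon the same missing check on an attribute or EAP length is exactly what lets a crafted packet write past a fixed-size stack buffer, which is the bug class the advisory names. The same discipline applies to the TLV walk in an LLDP parser.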

The flaw is one of dozens the networking giant patched this week across its carrier and enterprise product lines, including several high-severity flaws that could be used to mount DoS attacks. Juniper says one of these can also lead to RCE: CVE-2021-0277, an out-of-bounds read that affects Junos OS (versions 12.3, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3 and 20.4) as well as all versions of Junos OS Evolved. 

The problem occurs when the Layer 2 Control Protocol Daemon (l2cpd) processes specially crafted LLDP frames. Network devices use LLDP on a local area network (usually over wired Ethernet) to advertise their identity, capabilities, and neighbors. "Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the DoS condition," Juniper said in its advisory, issued on Thursday.

With Safari Zero-Day Attacks, Russian SVR Hackers Targeted LinkedIn Users

 

Google security researchers have revealed details of four zero-day vulnerabilities that were exploited in the wild earlier this year before they were disclosed. Google's Threat Analysis Group (TAG) and Project Zero identified the four issues after discovering exploits for Google Chrome, Internet Explorer, and WebKit, the engine behind Apple's Safari browser. 

CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit were the four zero-day exploits found by Google researchers earlier this year while being abused in the wild. "We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT," Google Threat Analysis Group's Director Shane Huntley said. "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020," Google researchers added. "While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend." 

Although the Chrome and Internet Explorer zero-days were developed and sold by the same vendor to customers around the world seeking to improve their surveillance capabilities, they were not seen in any high-profile operations. The CVE-2021-1879 WebKit/Safari bug, according to Google, was used "to target government officials from Western European countries by sending them malicious links" via LinkedIn Messaging. 

According to Google, the attackers were a likely Russian government-backed actor using the zero-day against iOS devices running older versions of iOS (12.4 through 13.7). While Google did not tie the exploit to a specific threat group, Microsoft attributes it to Nobelium, the state-sponsored group responsible for the SolarWinds supply-chain attack that compromised numerous US federal agencies last year. 

Volexity, a cybersecurity firm, also attributed the attacks to SVR operators based on strategies used in earlier attacks dating back to 2018. In April, the US government charged the Russian Foreign Intelligence Service (aka SVR) for conducting "a broad-scale cyber-espionage campaign" through its hacking group known as APT29, The Dukes, or Cozy Bear. The attacks were designed to "collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP," according to Google.

Facebook says Iranian Hackers Targeted U.S. Military Personnel

 

On Thursday, Facebook announced that it had shut down approximately 200 accounts operated by a group of hackers in Iran as part of a cyber-spying operation that focused primarily on US military officials and others working in defense and aerospace firms. 

The group, termed 'Tortoiseshell' by security experts, utilized fraudulent online identities to interact with targets, establish confidence over time (often months), and lead them to other sites where they were duped into clicking malicious links that infected their devices with spying software, according to Facebook. 

In a blog post, Facebook's investigative team stated, "This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it." 

According to Facebook, the group created bogus identities across numerous social media platforms to appear more legitimate, frequently posing as recruiters or employees of aerospace and defense firms. LinkedIn, which is owned by Microsoft, said it had removed several accounts, while Twitter said it was "actively investigating" the information in Facebook's report. 

The malware was distributed via email, chat, and collaboration platforms, according to Facebook, including as malicious Microsoft Excel spreadsheets. In a statement, a Microsoft spokesperson said the company was aware of and tracking this actor, and that it takes action when harmful behavior is detected. 

Google stated it had discovered and prevented phishing on Gmail as well as provided user warnings. Slack, a workplace messaging service, claimed it has taken action against hackers who exploited the platform for social engineering and had shut down any Workspaces that broke its rules. 

According to Facebook, the hackers utilized customized domains to entice their targets, including phony defense recruitment websites and internet infrastructure that spoofed a real job search website for the US Department of Labor. 

In a campaign that began in mid-2020, Facebook claimed the hackers mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It did not name the firms whose employees were targeted, but its chief of cyber espionage, Mike Dvilyanski, said the "fewer than 200 individuals" who were targeted were being alerted. 

The campaign appeared to show an expansion of the group's operations, which had previously been reported to focus mostly on IT and other businesses in the Middle East, according to Facebook. Part of the malware the group used was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps, the investigation found. 

Contact information for Mahak Rayan Afraz was not readily available to Reuters, and former employees of the firm did not respond to LinkedIn messages. A request for comment sent to Iran's mission to the United Nations in New York was not immediately answered. Allegations that MRA is involved in Iranian state cyber espionage are not new: cybersecurity firm Recorded Future has named MRA as one of numerous contractors suspected of assisting the IRGC's elite Quds Force. 

Iranian intelligence services, like other espionage services, have long been alleged to farm out missions to a range of domestic contractors. Facebook said the fraudulent domains have been blocked from being shared on its platforms, while Google said the domains have been added to its "blocklist."

By Fooling a Webcam, Hackers were Able to get Past Windows Hello

 

Biometric authentication is a critical component of the IT industry's plan to eliminate the need for passwords. However, a new method for fooling Microsoft's Windows Hello facial recognition technology demonstrates that a little hardware tinkering can make the system unlock when it shouldn't.

Face-recognition authentication has become more prevalent in recent years thanks to services like Apple's FaceID, with Windows Hello driving usage even further. Face recognition by Hello is compatible with a variety of third-party webcams. 

Only webcams with an infrared sensor in addition to the usual RGB sensor work with Windows Hello face recognition. It turns out, however, that the system does not even look at the RGB data. The researchers found that a single straight-on infrared image of the target's face, together with a black frame, was enough to unlock the victim's Windows Hello–protected device. By manipulating a USB webcam to deliver an attacker-chosen image, they fooled Windows Hello into believing the owner's face was present and unlocking the machine. 

“We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera because the whole system is relying on this input.”

Microsoft classed the finding as a "Windows Hello security feature bypass vulnerability" and patched it on Tuesday. The company also recommends "Windows Hello enhanced sign-in security," which uses Microsoft's virtualization-based security to protect Windows Hello facial data and process it in an isolated region of memory; this mode depends on cameras and drivers that support it, so it is not available on every device. 

Tsarfati, who will present the findings at the Black Hat security conference in Las Vegas next month, says the CyberArk team focused on Windows Hello's facial-recognition authentication because there has already been a lot of research into PIN cracking and fingerprint-sensor spoofing in the industry. 

He goes on to say that the team was attracted by a large number of Windows Hello users. Microsoft said in May 2020 that the service had over 150 million users. In December, Microsoft announced that 84.7 percent of Windows 10 users utilize Windows Hello to log in.

Kremlin Does Not Know Why All Websites Linked to Hacker Group REvil Are Down

Press secretary of the President of the Russian Federation Dmitry Peskov said that the Kremlin does not have information whether the disappearance of the hacker group REvil from the darknet is linked to Russia-US cybersecurity contacts.

"I can't answer your question, because I don't have such information. I do not know which group, where it disappeared from," Peskov said.

Peskov stressed that Russia considers any manifestations of cybercrime unacceptable. "We believe that they should be punished. Internationally, we believe that we should all cooperate. In this case, Russia and the United States should cooperate to prevent such manifestations. And as for the details about this group, unfortunately, I do not have such information," he added.

At the same time, the Kremlin representative recalled that Russia and the United States have begun the process of bilateral consultations on combating cybercrime. However, Peskov stressed that he does not have any information about whether any specific measures have been taken against ransomware hackers.

Earlier, Bloomberg reported that sites on the darknet allegedly belonging to hacker group REvil were down. So, when trying to visit the site where members of the group usually post their statements, a notification appears that this page has not been found. Bloomberg emphasizes that the situation is similar with other resources associated with hackers from REvil.

The agency recalls that the list of REvil victims includes many major corporations, for example Acer, from which the hackers demanded $50 million for stolen data, as well as Apple and Lenovo. In May, the world's largest meat producer, JBS, was hit by a cyberattack and paid a ransom of $11 million in bitcoin.

Palo Alto Networks' Unit 42 Publishes Report on Mespinoza Group

 

Unit 42 of Palo Alto Networks has examined the Mespinoza gang's latest techniques and practices, noting its "cocky" messaging and its tools with "creative names," but has found no evidence that the group has moved to a ransomware-as-a-service model. 

Mespinoza's attacks largely follow trends seen across ransomware actors and families that keep intrusions simple and cheap to run. 

The report researchers explained, "As with other ransomware attacks, Mespinoza originates through the proverbial front door – internet-facing RDP servers – mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities. Further costs are saved through the use of numerous open-source tools available online for free, or through the use of built-in tools enabling actors to live off the land, all of which benefits bottom-line expenses and profits." 

Although Mespinoza has not been as active as the better-known REvil, its operations have been lucrative: Unit 42 found victims paying up to $470,000 each for decryption of their files, mainly in the US and UK, including the attack on Hackney Council last October.

Once a victim is in their sights, the operators can move quickly from breach to exfiltration to ransomware. In one case, by no means the quickest, less than three days passed from the initial RDP intrusion through network reconnaissance and credential harvesting; data was exfiltrated on the second day and the ransomware deployed on the third. 

"Through the use of various open-source tools - mostly designed for use by sysadmins and pen-testers - the Mespinoza actors can move around the network with ease, looking for high-value data for maximum leverage as they go, and staging the latter parts of their attack to encrypt as many systems as possible," stated Alex Hinchliffe, threat intelligence analyst at Unit 42. 

The group has mostly targeted the manufacturing, retail, medical, and education sectors. Earlier reports had suggested that Mespinoza, following in REvil's footsteps, offered ransomware-as-a-service; Unit 42's research found no evidence of that. 

The group's communications, which the researchers describe as "cocky," may be the source of that confusion. "Victim organizations are referred to as 'partners,'" the researchers found. "Use of that term suggests that they try to run the group as a professional enterprise and see victims as business partners who fund their profits." 

"Generally speaking RDP and other remote administration tools have become a high-value target for many cybercriminals and nation-state adversaries because of how simple it is to find them," Hinchliffe told. 

"There's no reason to expose RDP directly to the public internet in this day and age," security researcher Tom Hudson told The Register of the all-too-familiar entry point for Mespinoza's attacks. "If you need RDP access over the internet you should be requiring the use of a VPN with multi-factor authentication enforced." 
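The exposure Hudson describes shows up in the Windows Security log long before the ransomware does. Here is added detection logic, not from the Unit 42 report, run over constructed logon events: simplified JSON renderings of event 4624 (successful logon) and 4625 (failed logon), where LogonType 10 (RemoteInteractive) means RDP. It raises one alert when RDP is reachable from a non-internal address at all, and another when a burst of failures from one address marks the password guessing that precedes a Mespinoza-style intrusion. The addresses are documentation-range stand-ins and the timestamps are invented:

```python
"""Detection logic for internet-exposed RDP, run over constructed Windows logon events.

Added example, not from the Unit 42 report. Events are simplified JSON renderings of
Security log records 4624 (successful logon) and 4625 (failed logon); LogonType 10
is RemoteInteractive, i.e. RDP. Addresses use the documentation ranges as stand-ins
for internet sources and the timestamps are invented.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Address space an RDP session is allowed to come from; anything else is "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                        # "-" or empty placeholder in the log: do not alert
    return any(addr in net for net in INTERNAL_NETS)


def detect_rdp_exposure(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (rule, source_ip, account) tuples in the order they fire."""
    alerts, failures = [], defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("LogonType") != 10:
            continue                       # console, network and service logons are not RDP
        ip, user = ev.get("IpAddress", ""), ev.get("TargetUserName", "")
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4624 and not is_internal(ip):
            alerts.append(("rdp-logon-from-internet", ip, user))
        elif ev["EventID"] == 4625:
            recent = [t for t in failures[ip] if when - t <= window] + [when]
            failures[ip] = recent
            if len(recent) == fail_threshold:      # fire once, as the burst crosses the line
                alerts.append(("rdp-bruteforce", ip, user))
    return alerts


def _event(event_id, user, ip, logon_type, minute, second=0):
    """Build one constructed log line."""
    return json.dumps({"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
                       "LogonType": logon_type,
                       "Time": "2021-07-12T02:%02d:%02d" % (minute, second)})


# Constructed log: six failed RDP logons from one internet address, then a success from it.
SAMPLE_LOG = [
    _event(4624, "jsmith", "10.0.0.5", 10, 0),             # RDP from inside the LAN: fine
    _event(4624, "svc_build", "10.0.0.9", 2, 1),           # console logon, ignored
] + [_event(4625, "administrator", "203.0.113.7", 10, 14, s) for s in (3, 9, 15, 21, 27, 33)] + [
    _event(4624, "administrator", "203.0.113.7", 10, 15),
]
```

One caveat for production use: when Network Level Authentication is enabled, a failed RDP password is usually recorded as a 4625 with LogonType 3 rather than 10, so a real rule should also key on the source address hitting the RDP listener. The "logon from internet" rule is the more important of the two; if it ever fires, the fix is the one Hudson gives above, not a tighter threshold.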

Whether or not Mespinoza copies the victim lists of other malware groups, its tool names are clearly its own. The report notes a network-tunnelling tool dubbed "MagicalSocks" and a component stored on its server called "HappyEnd.bat," which is probably used to wrap up an attack.

Criminals Targeted Security Gaps at Financial Services Firms as Employees Moved to WFH

 

According to a report released on Tuesday by the international Financial Stability Board (FSB), criminals targeted security flaws at financial services organizations as their employees switched to working from home. The Financial Stability Board (FSB) was established after the G20 London meeting in April 2009 to offer non-binding recommendations on the global financial system and to coordinate financial policies for the G20 group of nations. 

“Working from home (WFH) arrangements propelled the adoption of new technologies and accelerated digitalization in financial services,” the report states. Phishing, spyware, and ransomware were used against employees working from home. Between February 2020 and April 2021, the number of such incidents rose from fewer than 5,000 per week to more than 200,000 per week. 

On July 8, 2021, the Cyber Security Agency of Singapore (CSA) released data suggesting that cybercrime accounted for 43% of all crime in the city-state in 2020. "Although the number of phishing incidents remained stable and website defacements declined slightly, malicious cyber activities remain a concern amid a rapidly evolving global cyber landscape and increased digitalization brought about by the COVID-19 pandemic," said the agency. 

Ransomware attacks increased by 154% from 35 in 2019 to 89 in 2020, ranging from "indiscriminate, opportunistic attacks" to "Big Game Hunting," according to the CSA. They also used leak and shame techniques, as well as RaaS (Ransomware-as-a-Service) models. Between 2019 and 2020, the number of hostile command-and-control servers increased by 94%, with Emotet and Cobalt Strike malware accounting for one-third of the total. 

As IT departments worked to secure remote staff, the increased dependence on virtual private networks and on unsecured Wi-Fi access points “posed new types of hurdles in terms of patching and other cyber security issues,” according to the FSB assessment. External providers, the report adds, also opened cracks for attackers to exploit: "While outsourcing to third-party providers, such as cloud services, seems to have enhanced operational resilience at financial institutions, increased reliance on such services may give rise to new challenges and vulnerabilities." 

Working from home isn't going away any time soon. According to Gartner, nearly half of knowledge employees will be working remotely by 2022. Even Apple's retail team follows a hybrid work schedule. Institutions' cyber risk management systems, incident reporting, response and recovery efforts, and how they manage cloud and other third-party services should all be adjusted properly, according to the FSB.