Search This Blog

Showing posts with label Cyber Security. Show all posts

AIVD says they face cyber attacks from Russia and China every day

According to the head of the country's General Intelligence and Security Service, these hackers break into the computers of companies and educational institutions

The head of the General Intelligence and Security Service of the Netherlands (AIVD), Erik Akerboom, said that the country's special services allegedly "every day" catch hackers from China and Russia, who, according to him, break into the computers of companies and educational institutions. At the same time, the head of the AIVD did not provide any evidence.

"Every day we catch hackers from both China and Russia hacking into the computers of companies and educational institutions," the head of AIVD said in an interview with Vu Magazine.

According to Akerboom, the target of these hackers is vital infrastructure, such as drinking water, banks, telecommunications, and energy networks." However, he did not give an example of any specific cyberattack.

In 2018, the Ministry of Defense of the Netherlands said that the country's special services prevented a hacker attack on the Organization for the Prohibition of Chemical Weapons (OPCW), which four Russian citizens allegedly tried to carry out. According to the head of department Ankh Beyleveld, the suspects with diplomatic passports were expelled from the Netherlands on April 13. The Russian Foreign Ministry called such accusations "another staged propaganda" action and said that the unleashed "anti-Russian espionage campaign" causes serious harm to bilateral relations.

Besides, in December 2020, the Netherlands was accused of the espionage of two Russian diplomats, calling them employees of the Foreign Intelligence Service undercover. The Russians were declared persona non grata. In response, Moscow sent two employees of the Dutch Embassy from Russia. The accusations of activities incompatible with the diplomatic status of the Russians were called "unfounded and defamatory".

Recall that recently Washington accused Moscow of large-scale cyber attacks, which were allegedly carried out in order to get intelligence data. The representative of the Russian Ministry of Foreign Affairs, Maria Zakharova, said in response that such statements by the United States about hacker attacks allegedly by Russia have already become routine.

FedEx and DHL Express Hit with Phishing Attacks

 

Researchers reported on Tuesday that they discovered two email phishing assaults targeting at least 10,000 mailboxes at FedEx and DHL Express that hope to extract client's work email account. In a blog published by Armorblox, the researchers said one assault impersonates a FedEx online document share, and the other claims to share shipping details from DHL. The phishing pages were facilitated on free services like Quip and Google Firebase to deceive security technologies and clients into thinking the links were legitimate.

“The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” said researchers with Armorblox on Tuesday. “Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.” 

The phishing email spoofing American multinational delivery services company FedEx was entitled, “You have a new FedEx sent to you,” with a date that the email was sent. This email contained some data about the document to make it seem legitimate – like its ID, the number of pages, and kind of document – alongside a link to see the supposed document. On the off chance that the recipients clicked on the email, they would be taken to a file facilitated on Quip. Quip, which comes in a free form, is a tool for Salesforce that offers documents, spreadsheets, slides, and chat services. 

A separate campaign impersonated German international courier DHL Express, with emails telling recipients that “Your parcel has arrived,” with their email addresses towards the end of the title. The email told recipients that a package couldn't be conveyed to them because of incorrect delivery details – and that the parcel is rather ready for pickup at the post office. The email provoked recipients to look at appended “shipping documents” if they want to receive their delivery. The attached document was an HTML file (named “SHIPPING DOC”) that, when opened, previewed a spreadsheet that looked like shipping documents.

Bug in Brave Browser Expose Users’ Dark Web History

 

Brave, the web browser that insists on privacy, exposes users' activities to its Internet Service Providers on Tor's secret servers, or "dark web." In its browser, Brave has solved a data protection problem that sends queries for .onion domains to a DNS solution, instead of a Tor node path, so that access to the dark website is shown to users. In a hotfix release, the bug was addressed.

Brave is an open-source web browser built on a Chromium web browser created by Brave Software, Inc. It restricts advertisements and website trackers and supplies users with a way to submit cryptocurrency donations to websites and developers of content in the form of simple tokens. 

Introduced in June 2018, Brave's Tor mode has enabled Brave users to gain anonymity when browsing the internet, encouraging them to have access to the .onion versions of legal websites such as Facebook, Wikipedia, and key news portals over the years. However, an unnamed security researcher reported in the research article, that Brave's Tor mode had sent queries to DNS resolvers rather than Tor nodes on the open Network. DNS requests are non-encrypted so that attempts to access .onion sites in Brave can be monitored using the Tor functionality, which is directly contradictory to the goal of this platform at first. 

The aforementioned DNS leak poses great dangers when all leaks build footprints on the Tor traffic of Brave users in DNS server logs. The risk is important. While in some Western states with stable democracy it might not be troublesome, it may be a concern for certain browser users to browse Brave's Tor websites from the authoritarian regimes. 

This problem seems to be the product of the browser's CNAME ad-block feature, which blocks third-party monitoring scripts using CNAME DNS for first-party scripts and prevents traffic blocker detection. This allows a website to cloak third-party scripts using primary domain's- sub-domains that are then immediately routed into a monitoring domain. 

Over the last three years, the organization has worked to develop today, second only to Tor Browser, one of the most privacy-driven Web browser solutions available. 

A Brave developer has stated after the release that the browser provided a hotfix on the problem. The problem is already solved on the night of the development of the browser. 

“Since it’s now public we’re uplifting the fix to a stable hotfix. Root cause is regression from CNAME- based adblocking which used a separate DNS query.” He further added. 

The press secretary of the Russian president denied Russia's connection with the hackers who attacked France

As the press secretary of the President of the Russian Federation noted, the report of the French special services "contains accusations of committing certain cybercrimes by a certain group of hackers"

The press secretary of the President of Russia Dmitry Peskov considers absurd the wording from the report of the French special services about the involvement of the Russian Federation in cyber attacks on enterprises of this country.

"If I understand correctly, they did not accuse Russia, but a certain group of some hackers who, as they say, maybe related to Russia. This wording is a little absurd, and here it is impossible to say that Russia was accused of something," Mr. Peskov told reporters on Tuesday.

He once again stressed that the report "contains accusations of committing certain cybercrimes by a certain group of hackers."

Peskov noted that Moscow "did not, does not, and cannot have any involvement in any manifestations of cybercrime." "In this context, I would like to remind you that it is Russia that constantly speaks about the need for international cooperation in countering cyber security," concluded he.

On Monday, the French National Agency for the Security of Information Systems (ANSSI) of France published a report according to which French businesses have been subjected to cyberattacks since 2017. At the same time, the report does not specify what damage was caused to enterprises and what exactly the hackers did.

The agency concluded in this report that "this campaign is very similar to previous campaigns based on the principles of hacker group Sandworm". A number of Western countries associate the Sandworm group with Russia.

It is worth noting that cybersecurity experts have reported on the activity of the Sandworm group since 2008 when they were accused of DDoS attacks on facilities in Georgia. In October 2020, the US Department of Justice charged six Russian citizens with working for the Sandworm group, participating in attacks on companies and hospitals in the United States, Ukraine's power systems in 2016, the French presidential election in 2017, and the Pyeongchang Winter Olympics in 2018.

Accusations against "Russian hackers" periodically appear in the West. Russia has repeatedly denied such accusations.

Yandex Suffers Data Breach, Exposes Email Accounts

 

Russian internet and search organization Yandex declared on Friday that one of its system administrators had enabled unapproved access to a huge number of client mailboxes. The organization found the breach internally, during a standard check of its security team. The investigation uncovered that the employee’s activities prompted the compromise of almost 5,000 Yandex email inboxes. This employee was one of three system administrators, who had the access privileges to offer technical support for mailboxes, said Yandex.

“A thorough internal investigation of the incident is under way, and Yandex will be making changes to administrative access procedures,” said Yandex’s Friday security advisory. “This will help minimize the potential for individuals to compromise the security of user data in future. The company has also contacted law enforcement.” 

As indicated by Verizon's 2020 Data Breach Investigations Report (DBIR), internal actors were behind 30% of breaches (with the dominant part, or 70%, coming from external actors). An insider threat could leave organizations spiraling from financial or brand damage – but additionally an absence of ensuing trust from clients. In a recent January case, for example, a former ADT employee was found adding his own email address to the accounts of attractive women, so he could have around-the-clock access to their most private moments. In December, a former Cisco Systems employee was condemned to two years in prison, subsequent to hacking into the networking company’s cloud infrastructure and deleting 16,000 Webex Teams accounts in 2018. Furthermore, in October, Amazon fired an employee who shared clients' names and email addresses with a third party. 

“Yandex’s security team has already blocked unauthorized access to the compromised mailboxes,” the organization says, adding that the proprietors have been cautioned of the breach and that they need to change their account passwords. Because of the occurrence, Yandex will make changes to the administrative access procedure to expand the security of client information. As indicated by the organization, payment details have not been affected. While this information breach deserves serious scrutiny, Yandex confronted a graver threat in the past, when Western intelligence agencies compromised their systems with Regin malware. 

The assault occurred between October and November 2018, and it targeted technical information regarding user account authentication, Reuters learned at that point. Yandex recognized the assault and said that it was detected and neutralized before it brought on any harm.

PayPal Suffered Cross-Site Scripting -XSS Vulnerability

 

The PayPal currency converter functionality was damaged by severe cross-site scripting (XSS) vulnerability. An attacker might be able to run destructive scripts if the vulnerability is abused. This could lead to the malicious user injecting malicious JavaScript, HTML, or some other form of browser file. The bug was noticed on PayPal's web domain with the currency converter functionality of PayPal wallets. 

On February 19, 2020, the vulnerability was first identified as a concern of "reflected XSS and CSP bypass" by a security researcher who goes by the name "Cr33pb0y" – he's been granted $2,900 in bug bounty programming by HackerOne. 

PayPal said that a flaw occurred in the currency conversion endpoint which was triggered by an inability to adequately sanitize user feedback, in a restricted disclosure that was released on February 10 – almost a year after the researcher identified the problem privately. 

PayPal acknowledged the flaw- in response to the HackerOne forum, that contributed to the currency translation URL managing user feedback inappropriately. A vulnerability intruder may use the JavaScript injection to access a document object in a browser or apply other malicious code to the URL. If hackers load a malicious payload into the browser of a victim, they can steal data or use the computer to take control of the system. As a consequence, malicious payloads can trigger a victim's browser page without its knowledge or consent in the Document Object Model (DOM). 

Typically, XSS attacks represent a browser's script from a specific website and can enable a target to click a malicious connection. Payloads can be used as a theft point in larger attacks or for the stealing of cookies, session tokens, or account information. PayPal has now carried out further validation tests to monitor users’ feedback in the currency exchange function and wipe out errors following the disclosure of the bug bounty hunter. 

XSS bugs are a frequent hacker attack vector. Several recent leaks of data have been related to bugs like what some analysts claim is an XSS flaw. 

While telling that the vulnerability has been fixed, PayPal said, “by implementing additional controls to validate and sanitize user input before being returned in the response.”

FBI Warns About Using TeamViewer and Windows 7

 

The FBI issued this week a Private Industry Notification (PIN) caution to warn organizations about the dangers of utilizing obsolete Windows 7 systems, poor account passwords, and desktop sharing software TeamViewer. The alert comes after the recent assaults on the Oldsmar water treatment plant's network where assailants attempted to raise levels of sodium hydroxide, by a factor of more than 100. The investigation into the occurrence uncovered that operators at the plant were utilizing obsolete Windows 7 systems and poor account passwords, and the desktop sharing software TeamViewer which was utilized by the assailants to penetrate the network of the plant. 

“The attempt on Friday was thwarted. The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar to gain control of other systems, Sheriff Bob Gualtieri said in an interview,” reported Reuters. 

The FBI alert doesn't explicitly advise associations to uninstall TeamViewer or some other sort of desktop sharing software but cautions that TeamViewer and other similar software can be abused if assailants gain access to employee account credentials or if remote access accounts, (for example, those utilized for Windows RDP access) are secured with frail passwords. 

Moreover, the FBI alert likewise cautions about the continued use of Windows 7, an operating system that has reached end-of-life a year ago, on January 14, 2020, an issue the FBI cautioned US organizations about a year ago. This part of the warning was incorporated in light of the fact that the Oldsmar water treatment plant was all the while utilizing Windows 7 systems on its network, as indicated by a report from the Massachusetts government. 

While there is no proof to suggest that the attackers abused Windows 7-explicit bugs, the FBI says that continuing to utilize the old operating system is risky as the OS is unsupported and doesn't get security updates, which presently leaves numerous systems exposed to assaults via newly discovered vulnerabilities. While the FBI cautions against the utilization of Windows 7 for valid reasons, numerous organizations and US federal and state agencies might not be able to do anything about it, barring a serious financial investment into modernizing IT foundation from upper management, something that is not expected at any point soon in many locations.

Adorcam Leaks Thousands of Webcam Accounts

 

A webcam application installed by a huge number of clients left an uncovered database loaded with client information on the internet without a password. The Elasticsearch database belonged to Adorcam, an application for viewing and controlling a few webcam models including Zeeporte and Umino cameras. Security researcher Justin Paine found the data exposure and reached Adorcam, which secured the database. Adorcam application is specially built for the P2P IP camera series. The clients just need to enter the camera ID and password to watch real-time video from any bought IP camera on their cell phone and no complicated IP or router settings are required. 

Paine said in a blog post shared, that the database contained around 124 million rows of information for the several thousand clients, and included live insights concerning the webcam —, for example, its location, whether the microphone was active, and the name of the WiFi network that the camera is connected to — and information about the webcam owner, such as email addresses. Paine additionally discovered proof of the camera uploading captured stills from the webcam to the application's cloud, however, he was unable to confirm since the links had expired. 

He likewise discovered hardcoded credentials in the database for the application's MQTT server, a lightweight messaging protocol often used in internet-connected devices. Paine didn't test the credentials (as doing so would be unlawful in the U.S.), yet alerted the application creator about the vulnerability, who at that point changed the password. Paine checked that the database was updated live by signing up with a new account and looking for his data in the database. Albeit the information was restricted in sensitivity, Paine cautioned that a malevolent hacker could create persuading phishing emails, or utilize the data for extortion. 

In his report on the matter, Paine pointed out that the data contained in the database distinguished between Adorcam's Chinese clients and its clients outside of China, saying, “One interesting detail about this database was that the user information was split between Chinese users and "abroad" users. For example: request_adorcam_cn_user vs. such as request_adorcam_abroad_user. Adorcam almost certainly has breach disclosure obligations based on what appeared to be a global user base. If they had users within the EU they absolutely have an obligation.”

Researchers Spotted Two Android Spyware Linked to Confucius

 

Researchers at cybersecurity firm Lookout have published information on two recently discovered Android spyware families utilized by an advanced persistent threat (APT) group named Confucius. Lookout said that two malware strains, named Hornbill and SunBird, have been linked to Confucius, a group thought to be state-sponsored and to have pro-India ties. 

First detected in 2013, Confucius has been linked to assaults against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies. “Hornbill and SunBird have both similarities and differences in the way they operate on an infected device” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.” 

The team's analysis of the malware recommends that Hornbill is based on MobileSpy, a commercial stalker ware application for remotely observing Android gadgets that were retired in 2018. SunBird, however, seems to have a comparable codebase to BuzzOut, an old type of spyware created in India. Confucius was known to have utilized ChatSpy for surveillance purposes back in 2017, yet it is felt that both Hornbill and SunBird originated before this malware. There doesn't appear to be any new campaigns utilizing SunBird–accepted to have been in active development between 2016 and early 2019; in any case, Hornbill has been found in a rush of assaults dating from December 2020. 

Both malware variations, however, can steal information including gadget identifiers, call logs, WhatsApp voice notes, contact records, and GPS location information. Also, they can request administrator privileges on an undermined gadget, take screenshots and photographs, and record sound both when calls are taking place or just as environmental noise. SunBird's abilities go past Hornbill's as this malware is likewise ready to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and pictures. SunBird will likewise attempt to upload stolen information to a command-and-control (C2) server at more normal spans than Hornbill.

The Central Bank conducted remote anti-hacker exercises for the first time

The Central Bank of the Russian Federation summed up the results of the cyber exercises held in November-December 2020, designed to test the information security systems of Russian financial organizations.

The intention to launch cyber training for the Russian banking sector was announced in 2019 by the Central Bank of the Russian Federation. According to the organizer, the exercises should be held in the format of stress testing for resistance to cyber threats once every two years.

22 organizations voluntarily participated in the past cyber-trainings. According to Vyacheslav Kasimov, Director of the Information Security Department of Credit Bank of Moscow, various situations of responding to incidents were practiced and procedures for interaction with the Bank of Russia were tested.

According to Mikhail Ivanov, Director of the Information Security Department of Rosbank, "participation in cyber training is primarily an opportunity to demonstrate its reliability to the regulator".

The Bank of Russia's audits are aimed at ensuring that banks comply with the established requirements and determine whether their infrastructure is designed and implemented correctly in terms of cybersecurity.

As Vitaly Zadorozhny, head of the cybersecurity department of Alfa-Bank, explains," they check the level of cyber-hygiene in the organization, but they do not allow determining how effectively the bank will operate when attacked.”

Artem Sychev, the First Deputy Director of the Information Security Department of the Central Bank, said that cyber training makes it possible to quickly identify the risks of financial organizations.

At the same time, the Bank of Russia has recently fined 17 banks for non-compliance with the requirements of the information security system. 

At the same time, the consequences for those tested with the new approach of the Central Bank are getting tougher. If a fine is issued based on the results of the checks, then the Bank of Russia may potentially worsen the risk profile of the credit institution based on the results of the cyber studies.

Discord Cryptoscam: Scammers Lure Players to Fake Cryptocurrency Exchange Site

 

Experts at Kaspersky have issued a warning alarming that hackers are attacking Discord users, with a scam that focuses on counterfeit cryptocurrency transactions and using the bait of free Ethereum cryptocurrency or Bitcoins to steal user data and money. The cyber scam fools victims on cryptocurrency servers of Discord by sending users a message that looks like a legit ad of an upcoming trading platform that is doing cryptocurrency giveaway. The scammer then deploys social engineering techniques to generate sign-ups, as per the Kaspersky report.  

Experts believe that the ad offers such generous offers to get user interest, the offer depends on the message to message. However, the gist always remains the same, for instance, if the exchange will help the traders in dire times or is it just trying to lure new users. In this case, says Kaspersky, there'll be a lucky user who'd be chosen for the reward of free Ethereum cryptocurrency or Bitcoins. As we all know, the Discord platform was built solely for gamers, but various users, varying from study groups to cryptocurrency enthusiasts, use Discord's handy servers, channels, and private messages for communication. 

The user diversity becomes an easy target for hackers to scam. In this particular incident, the scammer first tried to send the victim a fake message with emojis and added details that contained a code to free cryptocurrency gifts. The message contained a malicious link that led the user to a fake cryptocurrency exchange domain. When the victim clicks the given link, he's redirected to a website (fake of course). The cryptocurrency exchange site has details like trading info, charts, and trading history (to make it look more genuine). 

"The attention to detail even extends to offering victims two-factor authentication to secure their accounts, plus antiphishing protection. Here, of course, the purpose is purely to add plausibility; the site’s true purpose is to transfer money from victim to criminal," reports Kaspersky. "The scammers claim to need a top-up — in our case, 0.02 BTC or an equivalent amount in Ethereum or US dollars. The scammers appear to be collecting a database to sell; many legitimate services, including financial ones," it further says.

Threat Actors are Targeting Users Via New Phishing Campaign

 

Threat actors are using Morse code – ‘the novel obfuscation technique’ for targeted phishing campaigns. This technique is known for the code language for Army and security services, by this technique, threat actors are able to hide the email attachment containing malicious URLs.

Last week hackers used the morse code in the phishing emails to bypass secure mail gateways and mail filters. Bleeping Computer discovered the strike on various samples which were uploaded on 2nd February 2021 to VirusTotal. Threat actors targeted the company by sending a malicious email posing to be an invoice for the company. 

This mail looks like – “Revenue_payment_invoice February_Wednesday 02/03/2021” including the HTML attachment for the invoice as [company_name] _ invoice _ [number]._xlsx.html.

The attachment contains mapped letters and numbers then calling out to the decodeMorse() function into a hexadecimal string to decode a Morse code string. The JavaScript is inserted into the code holding assets to provide a fake file asking users for the password permitting threat actors to gain access.

Threat actors are tricking users by using the logo-clearbit.com service to make the form look more convincing, in case the logo is not available then the logo of generic Office 365 is used. The other companies which have suffered due to this phishing attack are Dimensional, Metrohm, SBS, Nuovo IMAIE, ODDO BHF Asset Management, SGS, Dimensional, SBI (Mauritius) Ltd., Bridgestone, Cargeas, Equinti, Capital Four, and Dea Capital.

Morse code was invented by the American artist and inventor Samuel F.B. Morse during the 1830s for electrical telegraphy and further upgraded by American scientist and businessman Alfred Lewis Vail. It is a technique used in telecommunication to encode text characters by an arrangement of dots, dashes, and spaces.

Medical Records of Two US Based Hospitals Leaked on Dark Web

 

Two major US hospitals, the Leon Medical Centers in Miami, and Nocona General Hospital in Texas have recently been hit by active ransomware attacks that have allowed hackers to steal and compromise medical records connected with tens of thousands of patients and employees. These two hospitals have eight facilities in Miami and three facilities in Texas. Patients of these two US hospital chains had their addresses, birthdays, and colonoscopy results published on the dark web as a result of the hack. Hackers released detailed patient information in an obvious effort to defraud them for money. 

The documents that have been uploaded to a website on the dark web that attackers use to identify and extort victims contain the personal identity records of patients, such as their names, addresses, treatment history as well as medical diagnosis. The posted information also includes letters to health insurers. One folder includes background inspections on the hospital personnel. The "2018 colonoscopies” Excel file includes 102 complete names, dates, and treatment information and a 'yes' or 'no' area to show whether the patient has a “normal colon.” 

Cybersecurity experts are well acquainted with the gang of hackers who released the files. Usually, the actors first encrypt the files of the victim and ask them to pay but this happens very occasionally that they post such files openly on the dark web without asking to pay. But it seems a similar incident happened with Nocona and therefore the explanation why the files are released is still unknown. In comparison to a more enigmatic situation, while an attorney representing the Nocona General Hospital said that no malware infection or ransom demands appeared to exist. 

On the other hand, Leon Medical has taken immediate action in detecting problems that caused unauthorized access to its systems to take place and aims to tackle them. "Leon Medical is still in the process of a thorough review to identify all individuals whose information was impacted by this incident and will be providing written notice as soon as possible to individuals that Leon Medical determines have been impacted by this incident," it said. 

Since the cyberattack has been discovered, the Leon Medical Centre, with the assistance of Internet security experts, promptly took over the compromised networks and conducted an inquiry into the existence and severity of the incident. The FBI and the Department of Health and Human Services (DHS) have both been alerted about the misuse of patient information by the healthcare business. 

The leak reveals how hackers have attacked American hospitals, small companies, colleges, and public computers in recent years, infecting them frequently with extortion malware that locks computers and makes them inoperative. Further hackers ask for payment to open files, normally in Bitcoin. The majority of health institutions are not prepared for cyber threats as well as fewer services are available to answer such concerns and therefore they are the primary target of such hackers.

Seven Common Microsoft Active Directory Misconfigurations

 

The modern IT association has a wide assortment of responsibilities and competing priorities. Therefore, cybersecurity is regularly ignored for projects that quickly affect business operations. Sadly, this working model unavoidably prompts unaddressed vulnerabilities and security misconfigurations in services and Active Directory. Seven of the most common system and Active Directory misconfigurations are:

Misconfiguration 1: Administrative Privileges 
When an attacker has gotten initial access inside an environment, the adversary will endeavor to lift privileges inside the network. Adversaries ordinarily have the objective of getting Active Directory Domain Administrator privileges, or, in simple words, complete control over the Active Directory domain.  

Misconfiguration 2: Network Shares
Network shares give plentiful freedom to an assailant to elevate privileges within a network. For instance, in a past red team assessment, CrowdStrike recognized an unprotected network share that contained a writable IIS webroot. This permitted CrowdStrike to write a web shell to the webroot as a standard domain user and along these lines acquire code execution as the IIS process proprietor on the webserver. 

Misconfiguration 3: Service Accounts with Weak Passwords 
Adversaries will hope to elevate their privileges inside a network by compromising the credentials of privileged accounts. It is normal for service accounts to be conceded administrative privileges to different hosts in an Active Directory environment. Kerberoasting is an assault technique that endeavors to acquire plaintext passwords from service account Kerberos tickets. One approach to assign service accounts is through an attribute called a service principal name (SPN), which attaches a service to a user account. 

Misconfiguration 4: Services Running on Hosts with Multiple Admins 
Although plaintext and hashed credentials might be stored inside the memory of processes like LSASS, most current endpoint detection and response (EDR) solutions intensely monitor and forestall credential access through these processes. An alternative method for credential access exists when services are arranged to run under a client account. Passwords for these accounts can be extracted by any local administrator. 

Misconfiguration 5: Aged Accounts 
As an attacker, aged accounts or accounts with no password expiration policy make ideal targets for adversaries hoping to keep up long haul admittance to an environment. Aged accounts infer to an attacker that password rotation for the client account is either very troublesome or not executed for a specific explanation, for example, shared access among multiple users. 

Misconfiguration 6: Passwords, Passwords, Passwords 
While other misconfigurations permit adversaries to acquire unapproved admittance to network resources and hosts utilizing a solitary compromised account, credential related assaults compromise additional accounts that might be utilized to further an adversary’s actions on objectives. Three routes normally utilized by attackers are distinguishing plaintext passwords, frail passwords with deficient lockout periods, and password reuse. 

Misconfiguration 7: Legacy Systems 
Assailants target legacy systems because of the unpatched critical vulnerabilities that affect them. EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) are favorite vulnerabilities that are focused on legacy systems as successful exploitation brings about code execution with regards to the system account, giving the assailant complete control of the vulnerable system.

Cerber Ransomware Returns: Targeting Healthcare Industry

 

Cerber, a type of ransomware that once was the most popular choice for cybercriminals, has returned and is used for targeting health care organizations. In 2020, COVID-19 test technology, healthcare firms have driven digital innovation. However, it is important to note that unprecedented safety flaws also emerged with these advances, which cybercriminals rapidly sought to take advantage of. 

Cerber ransomware is ransomware-as-a-service (RaaS), which means that the attacker authorizes Cerber ransomware over the internet. Cerber has climbed up the category of sophisticated ransomware. In 2017, it was the most powerful ransomware family with 90 percent of all ransomware attacks on Windows systems at one point. Usually, the attacker can adapt and deliver the ransomware while retaining the entire currency, however by setting up Cerber, the developer and partner can send further execute the attack with less effort. 

Usually, ransoms were amounted to a few hundred dollars – a tiny sum relative to today's ransomware strikes that demanded hundreds of thousands or millions for a decryption key, yet Cerber's influence led several victims to settle ransom demands and provide Cerber's creators and affiliates with a lucrative business model. At times cyber attackers also spread ransomware via phishing e-mails or compromised websites. 

The cybersecurity researchers at security company - VMware Carbon Black have identified Cerber as the most common ransomware targeting healthcare as of late. Back in 2020, they found that there were 239.4 million attempted cyberattacks targeting VMware Carbon Black healthcare customers. The average number of attempted attacks in 2020 was 816 on average, a stupefying rise of 9,851 percent from 2019. 

The rise in attacks started in February when the pandemic began to spread globally. The number of attempted attacks rose by 51 percent between January and February when hackers turned their focus to vulnerable healthcare institutions, which witnessed a huge improvement in their way of working and handling patients. 

"Although old malware variants such as Cerber tend to resurface, these are often re-factored to include new tricks, though at the core are still leveraging tried and true techniques," stated Greg Foss, senior cybersecurity strategist at VMware Carbon Black. 

He further added, "All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it's unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware.” 

Unfortunately, hospitals are a frequent target for cyber criminals who spread ransomware because health care is focused on networks that are open to patients. This can also lead to hospitals making fast decisions to pay a ransom request because observably, it is the only way to prevent jeopardizing patients' privacy and to stop hackers from releasing compromised records, which can be very serious threat in healthcare.

The largest international phishing center has been blocked in Ukraine

As a result of an international special operation, the Office of the Prosecutor General of Ukraine has stopped the activity of one of the world's largest phishing services for attacks on financial institutions in different countries.

The Prosecutor's Office said that as a result of the work of the phishing center, banks in 11 countries - Australia, Spain, the United States, Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany and the United Kingdom - were affected. According to preliminary data, the losses reach tens of millions of dollars.

It is reported that a hacker from Ternopil developed a phishing package and a special administrative panel aimed at the web resources of banks and their clients.

"The admin panel allowed to control the accounts of users who registered on compromised resources and entered their payment data, which were later received by the fraudsters. He created his own online store on the DarkNet network to demonstrate the functionality and sell his developments," the Prosecutor's Office explained the algorithm of the center's functioning.

More than 200 active buyers of malicious software were found.

According to the investigation, the hacker did not only sell their products but also provide technical support in the implementation of phishing attacks.

"According to the results of the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in 2019 in Australia were carried out with the help of the development of the Ternopil hacker," said the Department.

A criminal case has been opened on this fact under the article on unauthorized interference in the operation of computers, automated systems, computer networks, or telecommunications networks, as well as the creation of harmful software products for the purpose of using, distributing, or selling them.

Earlier, the deputy director of the National Coordination Center for Computer Incidents (NCCI), Nikolai Murashov, said that the United States had placed hackers in Montenegro and Ukraine. This was done allegedly under the pretext of protecting the elections.


Singapore Assessing WhatsApp Privacy Policy Change, Not 'Adversely Affected' In SolarWinds Breach

 

Currently, it is safe to say that Singapore’s government and non-government departments are safe from the adverse effects of SolarWinds security breach, nevertheless, the Singapore government has made requests to their organizations to protect their systems against potential threats. 

Additionally, the government has also exhibited deep concern regarding upcoming privacy policy changes on WhatsApp messenger, which is one of the platforms employed by the government to provide information to their citizens. The Minister for Communications and Information, S. Iswaran, said that when we got the news regarding the big data breach threat (SolarWinds security breach), our Cybersecurity Agency (CSA) has raised the national cyber threat alert level and immediately started working towards it. 

"There is no indication, thus far, that Singapore's CII and government systems have been adversely affected by the SolarWinds breach," said Iswaran, who was responding to questions raised in parliament. He added that, "The government is, nonetheless, adopting a cautious stance." 

Furthermore, he said that the “CSA had issued public advisories on steps enterprises should take to safeguard their systems against potential threats, including having full visibility of their networks and detecting unusual activity in a timely manner. The situation still was evolving as affected companies continued to investigate the breach’’. 

While advising on the matter, he suggested for the government to move towards a Zero Trust security posture, where organizations should not trust any activities until verification and there should be constant surveillance and alertness towards suspicious activities. Organizations should be establishing strong cyber-attack response plans to cope up with such incidents, as chronicled in the recent past. 

"The SolarWinds incident underscores the global and trans-border nature of cyber threats," the minister noted, “Though difficult to completely prevent, we need deliberate, targeted, and consistent efforts to strengthen our cyber defenses against [such] sophisticated threats, which exploit the supply chain of trusted vendors and software." 

Singapore Government's WhatsApp Channel Has 1.22M Subscribers

Ministry has also responded to the questions regarding WhatsApp's upcoming privacy policy changes, explaining that the government is concerned regarding this too as consumers have raised their voices on the matter. According to Iswaran, at present, there are 1.22 million users to Singapore's Gov.sg WhatsApp channel, which is one of the many platforms used to reach our local population, including Telegram, Twitter, as well as its own Gov.sg website.

Further, he ensured, "Private-sector organizations contracted by the government to perform data-related activities, including the processing and communication of personal data, are bound by contractual terms and conditions. These will determine whether organizations are permitted to share, for their own commercial purposes, the data that has been provided by, or collected on behalf of, the government”.

Chinese Firms Infiltrate into U.S. Healthcare Data

 

The gulf between the two most powerful nations has widened after the United States National Counterintelligence and Security Center (NCSC) revealed that Chinese firms have secured access to U.S. healthcare data by collaborating with universities, hospitals, and various other research organizations.

According to the reports of the agency the People’s Republic of China (PRC) has successfully managed to infiltrate the US healthcare data, including genomic data via a variety of sources both legal and illegal. The agency also claimed that by securing access to the U.S. healthcare data, China is expanding the growth of its Artificial Intelligence and precision medicine firms.

NCSC wrote in a fact sheet that “for years, the People’s Republic of China (PRC) has collected large healthcare data sets from the U.S. and nations around the globe, through both legal and illegal means, for purposes only it can control. The PRC’s collection of healthcare data from America poses equally serious risks, not only to the privacy of Americans but also to the economic and national security of the U.S.”.

According to the agency, China’s access to the US healthcare and genomic data have raised serious concerns regarding the privacy and national security of the United States, there has been an escalation in the efforts of China during the Covid-19 pandemic with Chinese biotech firm offering Covid-19 testing kits to the majority of the nations and setting up 18 test labs in the past six months, allegedly as part of an attempt to secure health data. 

The agency wrote, “the PRC understands the collection and analysis of large genomic data sets from diverse populations helps foster new medical discoveries and cures that can have substantial commercial value and advance its precision medicine industries”.

The Chinese government is using health data and DNA as a weapon to suppress and control its own people, in the Xinjiang province of China the Uighur population had been forced to give fingerprints, blood groups, and other private data.

DDoS Attacks increase by 154% in 2020 states Neustar

 

DDoS- Distributed Denial of Service is a cyber attack on a specific server or network. It attempts to disrupt the normal functioning of operations. DDoS attacks do all this by flooding the targeted network or server with constant traffic, such as fraudulent requests which overwhelm the system, causing a disruption or denial of service to legitimate traffic. 

In the past few years, the DDoS attacks have doubled showing a significant hike in the attempts by the attackers to threaten the victim of such attacks unless the required ransom is paid to them. Security analysts in Neustar (a global information services and technology company and leader in identity resolution) studied cyber threats and illegal activities and it was found that the number of DDoS attacks between 2019 and 2020 rose by 154 percent. The areas that took a major hit are financial services, telecommunications, and government departments. This figure indicates the rising number, frequency, and severity of cyber-attacks of network sort as remote operations moved companies and grew employee dependency on the internet.

DDoS attacks are emerging, even more frequently now. One important factor why the DDoS attacks have become more common is that even for low-level cybercriminals they are fairly easy to carry out. The rise in smaller DDoS attacks has been largely linked with the rising attack sophistication and intensity. 

Instead of relying on ransomwares or other viruses to take a network-related hostage, DDoS attackers literally threaten DDoS victims if the payment – usually requested in bitcoin –is not received in time. In order to convince the victim to pay, offenders frequently present an assessment of what could come with a short-lived DDoS attack. All that the DDoS attackers require is a botnet to flood traffic to target networks – which can be recruited at cheap underground forums.

"Organisations should avoid paying these ransoms. Instead, any attack should be reported to the nearest law enforcement field office, as the information may help identify the attackers and ultimately hold them accountable," said Michael Kaczmarek, vice president of security product management at Neustar. 

Yet amid warnings of going off-line, it is advised to refrain from reacting to the demands of cybercriminals, so that ransom-led DDoS attacks can be contained to some extent.

Open Source Software Vulnerabilities Leads to RCE

 

Various vulnerabilities in open source video platforms YouPHPTube and AVideo could be utilized to accomplish remote code execution (RCE) on a client's gadget. It can take an average of more than four years for vulnerabilities in open-source software to be detected, an area in the security community that needs to be addressed, researchers say. Experts from Synacktiv found various vulnerabilities in the source code-shared by the ventures that were because of an absence of client input sanitization, a related write-up reads. The issues incorporate an unauthenticated SQL injection vulnerability, multiple cross-site scripting (XSS) flaws, and a file write vulnerability. 

SQL injection is a code injection technique, used to assault information-driven applications, in which vindictive SQL articulations are embedded into an entry field for execution (for example to dump the database contents to the assailant). 

SQL injection should abuse a security vulnerability in an application's product. SQL injection assaults permit attackers to spoof identity, alter existing information, cause repudiation issues, for example, voiding transactions or changing balances, permit the total divulgence of all information on the system, destroy the information or make it in any case inaccessible, and become administrators of the database server.

Numerous reflected XSS vulnerabilities could be utilized to steal administrators' session cookies and perform actions as an administrator. A file write flaw could permit an administrator to execute malevolent code on the server. 

Synacktiv said there is no official workaround right now, but added that clients ought to purify $catName input information appropriately prior to processing SQL queries to avoid SQL injection. “Removing simple quotes is not a sufficient process,” researchers added. The vulnerabilities influence AVideo variants 10.0 and below, and YouPHPTube renditions 7.8 and below. 

The open-source community now plays a critical part in the improvement of software, but similarly, as with any other industry, vulnerabilities will exist. GitHub says that project developers, maintainers, and clients should check their dependencies for vulnerabilities consistently and ought to consider implementing automated alerts to remedy security issues in a more efficient and fast manner. 

"Open source is critical infrastructure, and we should all contribute to the security of open-source software," GitHub added. "Using automated alerting and patching tools to secure software quickly means attack surfaces are evolving, making it harder for attackers to exploit."