Search This Blog

Showing posts with label Vulnerabilities. Show all posts

US Army Says North Korea Has Hackers and Electronic Warfare Specialists Working and Operating Abroad


In a report published a month ago by the US Army said North Korea has at least 6,000 hackers and electronic warfare specialists working in its ranks with a large number of these are operating in nations, like Belarus, China, India, Malaysia, and Russia. 
The report is a tactical manual that the US Army uses to train their troops and military pioneers, and which the Army has made public for the first time just the previous month. 

Named "North Korean Tactics," the 332-page report consists of a 'treasure trove' of data about the Korean People's Army (KPA) like the military strategies, weaponry, leadership structure, troop types, logistics, and electronic warfare capacities. 

By far most of the report manages exemplary military tactics and capacities; the report likewise highlights North Korea's clandestine hacking units. "Most EW [electronic warfare] and cyberspace warfare operations take place within the Cyber Warfare Guidance Unit, more commonly known as Bureau 121," the US Army said. 

This evaluation is equivalent to the past reports from the intelligence and cybersecurity communities, which have additionally connected all of North Korea's hackers back to Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency that is a part of the National Defence Commission. 

The US Armed force says Bureau 121 has developed exponentially lately, as North Korea has expanded it’s the cyberspace exercises. According to the report, Bureau 121 developed from "at least 1,000 elite hackers in 2010" to more than 6,000 members today. 

The number is a steady one with comparable figures published by the South Korean Defence Ministry, which said that North Korea was operating a cyberwarfare staff of 3,000 out of 2013, a number that later multiplied to 6,000 by 2015. 

Notwithstanding, the US Army as of now believes that it's 6,000 figure isn't totally accurate. Army officials state that they have estimates for the internal divisions within Bureau 121, numbers that seem to have not been released previously, until the previous month. 

They don't have an exact number for the members part of the Lazarus Group sub-division, yet this group is the one, for the most part, the one to which North Korean authorities turn "to create social chaos by weaponizing enemy network vulnerabilities and delivering a payload if directed to do so by the regime." 

While the US Army report doesn't go a lot into details on why the Pyongyang regime lets military hackers travel abroad, there are previous reports and court documents that have gone into these details, with the Pyongyang regime utilizing its hackers to set up shell companies that serve both as cover when setting up 'foreign-based server infrastructure', yet in addition as 'intermediary entities in money laundering operations'. 

In any case, while the US Army report acknowledges that North Korean hackers have been engaged with financial cybercrime, Armed officials go significantly further and outline the whole North Korean government as a criminal network, with the Kim regime being associated with a wide scope of activities that likewise incorporated drug trading, counterfeiting, and human trafficking, and not simply the variety of cybercrime.

About 84% of Russian companies have vulnerable IT system

More than 80% of companies in Russia neglect the basic means of protecting information systems and data, as a result of which 84% of companies have vulnerabilities in their IT systems that can be exploited, including by novice hackers who do not have a high level of programming skills.

According to Ekaterina Kilyusheva, head of the research group of the information security analytics department at Positive Technologies, companies suffer from inexperienced hackers in about 10% of cases.

Based on the testing of 19 large companies from different sectors of the economy, it turned out that in 58% of cases, companies have at least one security breach that can be hacked by publicly available software for hackers.

It is noted that most often in Russian companies, security gaps are associated with the use of outdated software, the vulnerabilities of which are already known.

As noted by ESET security specialist Tony Anscomb, in addition to outdated software, companies often have poorly configured network infrastructure and operating systems, lack of encryption and two-factor authentication, which also increases the likelihood of a system being compromised.

It is noted that the best protected are companies in the financial sector and energy industry, which process large amounts of personal information and where the high dependence of business development on the stability of the IT direction, explained the head of Analytics and special projects InfoWatch Andrey Arsentiev.

New Network Protocols Abused To Launch Large-Scale Distributed Denial of Service (DDoS) Attacks


The Federal Bureau of Investigation issued an alert just the previous week cautioning about the discovery of new network protocols that have been exploited to launch large-scale distributed denial of service (DDoS) attacks. 

The alert records three network protocols and a web application as newfound DDoS attack vectors.  

The list incorporates CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software. 

Three of the four (CoAP, WS-DD, ARMS) have just been exploited in reality to launch monstrous DDoS attacks, the FBI said dependent on ZDNet's previous reporting. 


 COAP 

In December 2018, cyber actors began exploiting the multicast and command transmission features of the Constrained Application Protocol (CoAP) to lead DDoS reflection and amplification assaults, bringing about an enhancement factor of 34, as indicated by open-source reporting. 


WS-DD 

In May and August 2019, cyber actors abused the Web Services Dynamic Discovery (WS-DD) convention to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits for every second (Gbps), in two separate influxes of attack, as indicated by open-source reporting. 


ARMS 

In October 2019, cyber actors abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to lead DDoS amplification attacks, according to open-source reporting. 


JENKINS 

In February 2020, UK security researchers identified a vulnerability in the inherent network discovery protocols of Jenkins servers-free, open-source, automation workers used to help the software development process that cyber actors could exploit to conduct DDoS amplification attacks - as indicated by open-source reporting. 

FBI officials believe that these new DDoS threats will keep on being exploited further to cause downtime and damages for the 'foreseeable future'. 

The reason for the alert is to warn US companies about the 'imminent danger', so they can put resources into DDoS mitigation systems and create partnerships with their internet service providers to quickly respond to any attacks utilizing these new vectors. 

As of now, these four new DDoS attack vectors have been utilized inconsistently, however, industry specialists anticipate that them to become widely abused by DDoS-for-hire services.

A Brand New Virus That Incorporates Mining, Hacking and Backdoor Modules


Dubbed as CrazyCoin, a brand new virus has been recently discovered by researchers, which spreads through the NSA leaked EternalBlue exploit kit. The researchers came across this new computer virus as they found that it incorporates numerous capabilities in its arsenal. 

The virus allegedly incorporates mining, hacking, and 'backdoor' modules. After it taints a user's machine, it downloads mining and data-stealing modules. Later it plants the Double Pulsar backdoor program so that every one of these modules cooperates with one another and plays out their own activities. 

As indicated by researchers from 360 Baize Labs who found the infection, “The powershell script is responsible for downloading various modules to the victim’s machine for execution.” They state that the mining module incorporated in the virus is utilized to mine Monero and HNS coins. 

Furthermore, among the data stolen by the virus' stealing module are the victim's sensitive documents, like the ID cards, passwords, bitcoin wallets and so on. 

This stolen information is later sent back to a server controlled and handled by the attackers. Exhorting the users the researchers warn them about a few certain things as CrazyCoin 'leverages' the EternalBlue endeavor to proliferate across systems. This exploit kit is known for abusing a vulnerability in SMBv1, it is important to further update security patches against it. 

The vulnerability CVE-2017-0144 exists on the grounds that the SMB version 1 server in different variants of Microsoft Windows mishandles exceptionally created packets from remote attackers, permitting them to execute arbitrary code on the targeted computer. 

The CrazyCoin virus is said to listen and receive commands on port 3611.

The Russian Railways information system got hacked in 20 minutes


Specialists of Russian Railways will conduct an investigation after the statement of the Habr user that he hacked the Wi-Fi network during a trip on the Sapsan high-speed train and gained access to the data of all its users in 20 minutes. According to the company, the hacked network did not contain personal data, but only entertainment content.

On Friday, November 15, user keklick1337 on the portal Habr.com was returning from Saint-Peterburg, where he visited the ZeroNights information security conference, to Moscow. The programmer became bored, and he decided to check the reliability of the Wi-Fi and easily gained access to the hidden data of Russian Railways. He noted that " the same passwords and free security certificates are used everywhere, and the data is stored in text documents."

"It is not difficult to access the data of the passengers of the train and it takes at most 20 minutes", noted the author of the post.

"The server of the information and entertainment system of Sapsan trains does not store personal data of passengers. The multimedia portal provides information and entertainment content: news of Russian Railways, movies, books, music and other information, " — said the representative of Russian Railways.

According to the spokesman, for authorization in the system, the user must enter only the last four characters of the document, which he used to buy a ticket, as well as the rail car and the seat number. These data are not personal and in accordance with the current legislation of the Russian Federation are stored on the server for no more than one day.

"The infotainment system server is not connected to the internal network of Russian Railways or other internal control services on the train, it is designed exclusively for entertainment and information topics and does not store any confidential customer data," added the company.

The Russian Railways plans to conduct a technological investigation on the fact of hacking the train system Sapsan.

Earlier, E Hacking News reported that the personal data of 703 thousand employees of Russian Railways, from the CEO to the drivers, were publicly available.

New Vulnerability in Bluetooth Connections Allows Hackers to Spy on Private Conversations


Bluetooth is used worldwide as one of the most convenient methods of connecting and controlling the devices in range. However, according to a recent report, a vulnerability labeled as the KNOB (Key Negotiation of Bluetooth) attack has been found in Bluetooth connections.

All the Bluetooth compliant devices can be affected by the vulnerability, which allows attackers to spy on a victim's personal conversations. Hackers can also exploit the vulnerability to manipulate the data present on the compromised device.

How the attack unfolds? 

While establishing a functional Bluetooth connection, both the devices rely upon an encryption key. Therefore,
in order to execute the attack, hackers exploit the vulnerability in the Bluetooth standard and weaken this encryption of Bluetooth devices instead of breaking it straightaway.

The attacker gets in the way while the devices are setting up the encryption key and resorts to brute force attack for breaking the new key with less number of digits and manipulates both the devices to employ the new encryption key.

The vulnerability affects devices by some of the renowned manufacturers namely, Apple, Qualcomm, and Intel. Companies like Apple, Microsoft, Cisco, Google, Blackberry, Broadcom and Chicony has already issued a patch to fix the flaw, as per the reports by Mashable.

The group of researchers from the Singapore University of Technology and Design, University of Oxford, and CISPA Helmholtz Center for Information Security, who found this critical vulnerability, explained, "We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired."

TP-Link Wi-Fi Extenders: Detected With Vulnerability Making Them Hacker Prone!




The popular router company left its users shocked when researchers discovered a crucial vulnerability with its Wi-Fi extenders.

The vulnerability immensely compromised the extender to the hacker and let them have entire control of the device.

Victim’s traffic could easily be redirected via the taking over of the extender and could lead them to malware, the researchers cited.

To enhance the range of the Wi-Fi signals these extenders are used to “extend” the range. They provide a significant boot in the signal’s strength.

Security cameras, doorbells and other security equipment could easily be connected via the extender to the router.


But quite like the routers they are prone to vulnerabilities and need to be maintained and patched from time to time to ensure a safe network.

Allegedly, the particular extenders that were affected were the RE365, the RE350, the RE650 and the RE500.

According to sources, the researchers who were behind the digging up of this glitch belong to IBM’s X-Force of researchers.

 Ever since then IBM collectively with TP-Link has released updates for the affected users.

The to-be attackers don’t necessarily need to be within the range of the Wi-Fi extender for him to exploit the weakness.

The attacks procedure begins with the hacker sending a malicious HTTP request to the Wi-Fi extender.

 The vulnerability in turn aids the attacker to execute such commands form the request which is not the case with proper extenders which have limited access.

The attacker would need to know the extender’s IP address to abuse the vulnerability. Thousands of exposed devices could be easily found on “Shodan” and similar search engines.

The misuse of the vulnerability is not only limited to malicious code execution or simple taking control of the extender.

More sophisticated malicious activity could also be followed through using shell commands on the device’s operating system, sources cited.

Also creating a botnet out of the extender and redirecting the users to malicious pages are other things on the list of probable attacks.

Spectre Rises Yet Again With a Vulnerability In Tow


Spectre ,a class of vulnerabilities in the theoretical execution mechanism utilized in present day modern processor chips, is indeed living up to its name by ending up being unkillable.

In the midst of a progression of alleviations proposed by Intel, Google and others, the on-going claims by Dartmouth computer scientists to have comprehended Spectre variation 1, and a proposed chip configuration fix called Safespec, new variations and sub-variations continue showing up.

The discoveries likewise restore questions about whether the present and past chip plans can ever be really fixed. Just two weeks back, new data-stealing exploits named Ghost 1.1 and 1.2 were made public by specialists Vladimir Kiriansky and Carl Waldspurger. 


Presently there's another called SpectreRSB that endeavors the return stack buffer (RSB), a framework in the current modern CPUs utilized to help anticipate the return addresses, rather than the branch predictor unit.

In a paper titled Spectre Returns! Speculation Attacks utilizing the Return Stack Buffer , circulated through pre-print server ArXiv, boffins Esmaeil Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Tune, and Nael Abu-Ghazaleh detail another class of Spectre Attack that accomplished the similar from Spectre variation 1 – enabling pernicious programming software to take passwords, keys, and other sensitive data, from memory it shouldn't be permitted to contact.

These specialists by coincidence, are among the individuals who built up the SafeSpec mitigation in the first place.

The most recent data-theft burglary system includes constraining the processor to misspeculate utilizing the RSB. Utilizing a call direction on x86, SpectreRSB enables an attacker to push an incentive to the RSB with the goal that the return address for the call guideline never again coordinates with the contents of the RSB.

The paper, dated July 20, plots the steps associated with the SpectreRSB attack, which itself has six variations:         

"(1) after a context switch to the attacker, s/he flushes shared address entries (for flush reload). The attacker also pollutes the RSB with the target address of a payload gadget in the victim’s address space; (2) the attacker yields the CPU to the victim; (3) The victim eventually executes a return, causing speculative execution at the address on the RSB that was injected by the attacker. Steps 4 and 5 switch back to the attacker to measure the leakage."