Cybersecurity

185 readers
1 users here now

All about cybersecurity. Be nice, no spam!

founded 1 year ago
MODERATORS
1
 
 

cross-posted from: https://lemmy.ml/post/1895271

FYI!!! In case you start getting re-directed to porn sites.

Maybe the admin got hacked?


edit: lemmy.blahaj.zone has also been hacked. beehaw.org is also down, possibly intentionally by their admins until the issue is fixed.

Post discussing the point of vulnerability: https://lemmy.ml/post/1896249

Github Issue created here: https://github.com/LemmyNet/lemmy-ui/issues/1895

So far, there hasn't been any confirmation if any sensitive data is stolen.

2
3
 
 

Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago.

CVE-2023-27997 is a remote code execution in Fortigate VPNs, which are included in the company’s firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Administration added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.

4
5
 
 

The Russian-linked hacktivist group NoName has been relentlessly targeting the Ukrainian financial sector in its latest campaign against the war-torn nation.

“We will start today's journey with an attack on the financial sector of Ukraine,” the gang posted on their encrypted Telegram channel June 27.

Since the threat actors edict four days ago, nearly a dozen major Ukrainian banks have been hit daily by the gang’s signature DDoS attack method.

Targets include four of the nation's largest commercial banks, including First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank.

The pro-Russian hacking conglomerate, official known in the security world as NoName057(16), said its latest campaign is aimed at disrupting Ukraine’s online banking Internet infrastructure.

Besides claiming to have knocked several of the bank websites completely offline, the gang has also specifically gone after authorization services, login portals, customer service systems, and loan processing services.

6
 
 

A year after the Russian invasion of Ukraine, MITRE efforts to develop and deliver needed technology and relief endure, and grow, helping the people on the ground who need it most .

When Russian forces invaded Ukraine, SpaceX sent Starlink satellite internet kits to counter Russian attacks disrupting the country’s internet service. But Starlink technology needs a reliable power source and secure connection to the satellite constellation that processes communications signals. The designers didn’t intend it to be portable or to function in a war zone. Humanitarian and aid-group relief workers in Ukraine needed a system with added resilience.

Enter MITRE. Engineer Joseph Roth and team designed the Starlink Advantage kit to provide energy-independent, reliable access that incorporates cybersecurity, as well as protection from physical targeting. A tote can hold all the components: a terminal providing 100+ mbps internet speed, a VPN-secured Wi-Fi router, a battery-powered/solar panel generator, a laptop, a car adapter, and technology to protect the network from missile strikes.

7
 
 

Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.

8
9
 
 

SolarWinds — the technology firm at the center of a December 2020 hack that affected multiple U.S. government agencies — said its executives may soon face charges from the U.S. Securities and Exchange Commission (SEC) for its response to the incident.

The widespread hack – which the U.S. government attributed to the Russian Foreign Intelligence Service – affected several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.

Hackers found a way to insert malware into a version of the company’s Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.

10
 
 

Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.

“The DoZor satellite provider (Amtel group of companies), which serves power lines, oil fields, military units of the Russian Defense Ministry, the Federal Security Service, the pension fund and many other projects, including the northern merchant fleet and the Bilibino nuclear power plant, went to rest,” the group’s first message read, according to a translation. “Part of the satellite terminals failed, the switches rebooted, the information on the servers was destroyed.”

11
 
 

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.

The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said.

Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.

The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.

12
 
 

BlackLotus is a sophisticated piece of malware that can infect a computer's low-level firmware, bypassing the Secure Boot defences built into Windows 10 and Windows 11, and allowing the execution of malicious code before a PC's operating system and security defences have loaded.

In this way, attackers could disable security measures such as BitLocker and Windows Defender, without triggering alarms, and deploy BlackLotus's built-in protection against the bootkit's own removal.

Although Microsoft issued a patch for the flaw in Secure Boot back in January 2022, its exploitation remains possible as the affected, validly-signed binaries have not been added to the UEFI revocation list.

Earlier this year, security researchers explained how BlackLotus was taking advantage of this, "bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability."

According to the NSA, there is "significant confusion" about the threat posed by BlackLotus:

“Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat. Other organizations believe there is no threat due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes."

According to the NSA's advisory, patching Windows 10 and Windows 11 against the vulnerabilities is only "a good first step."

In its mitigation guide, the agency details additional steps for hardening systems.

However, as they involve changes to how UEFI Secure Boot is configured they should be undertaken with caution - as they cannot be reversed once activated, and could leave current Windows boot media unusable if mistakes are made.

"Protecting systems against BlackLotus is not a simple fix," said NSA platform security analyst Zachary Blum.

13
 
 

The recently discovered Chinese state-backed advanced persistent threat (APT) "Volt Typhoon," aka "Vanguard Panda," has been spotted using a critical vulnerability in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. And it's now sporting plenty of previously undisclosed stealth mechanisms.

Volt Typhoon came to the fore last month, thanks to joint reports from Microsoft and various government agencies. The reports highlighted the group's infection of critical infrastructure in the Pacific region, to be used as a possible future beachhead in the event of conflict with Taiwan.

14
 
 

Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device.

The vulnerabilities in question, first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.

The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”

15
 
 

The rapid pace of change in AI makes it difficult to weigh the technology's risks and benefits and CISOs should not wait to take charge of the situation. Risks range from prompt injection attacks, data leakage, and governance and compliance.

All AI projects have these issues to some extent, but the rapid growth and deployment of generative AI is stressing the limits of existing controls while also opening new lines of vulnerability.

If market research is any indication of where the use of AI is going, CISOs can expect 70% of organizations to explore generative AI driven by the use of ChatGPT. Nearly all business leaders say their company is prioritizing at least one initiative related to AI systems in the near term, according to a May PricewaterhouseCoopers’ report.

16
 
 

The rise of ChatGPT has been well-documented as a cybercrime gamechanger, democratizing highly advanced tactics, techniques, and procedures (TTPs) so average adversarial threat actors can increase lethality at low costs. Empowering run-of-the-mill hackers to continuously punch above their weight class will only continue to amplify the volume and velocity of attacks. heightening the importance of effective penetration testing programs that help mitigate the severe business impact of breaches. On average, victims lost a record-high $9.4 million per breach in 2022.

Compounding the issue is a pattern of poor security posture across the public and private sectors. SANS 2022 Ethical Hacking Survey found that more than three-quarters of respondents indicated “only a few or some” organizations have effective Network Detection and Response (NDR) capabilities in place to stop an attack in real-time. Furthermore, nearly 50% said that most organizations are either moderately or highly incapable of detecting and preventing cloud- and application-specific breaches. It’s clear that more must be done to swing the balance of power away from adversaries.

Enter penetration testing, which can provide unrivalled contextual awareness for refining cyber defences, threat remediation, and recovery processes within an overarching risk management architecture. For organizations implementing penetration testing programs at scale, keep the following fundamental tenets top of mind to maximize impact.

17
 
 

Microsoft Teams vulnerability allows attackers to deliver malware to employees Security researchers have uncovered a bug that could allow attackers to deliver malware directly into employees’ Microsoft Teams inbox.

Apple fixes zero-day vulnerabilities used to covertly deliver spyware (CVE-2023-32435) Apple has released patches for three zero-day vulnerabilities (CVE-2023-32434, CVE-2023-32435, CVE-2023-32439) exploited in the wild.

VMware Aria Operations for Networks vulnerability exploited in the wild (CVE-2023-20887) CVE-2023-20887, a pre-authentication command injection vulnerability in VMware Aria Operations for Networks (formerly vRealize Network Insight), has been spotted being exploited in the wild.

18
 
 

I'm a newbie to podcasts, but I got hooked recently because I can listen while doing something else.

What are your favorite cybersecurity podcasts? I'm not even sure the best way to link podcasts either, but regardless: the ones I'm liking so far are:

The Cyberwire: https://thecyberwire.com/podcasts

CISO Series: https://cisoseries.com/

Darknet Diaries: https://darknetdiaries.com/

Cybersecurity Today: https://www.itworldcanada.com/podcasts

Smashing Security: https://www.smashingsecurity.com/

Malicious Life: https://malicious.life/

Any more great recommendations? Any drama about the above ones?

19
 
 

Executive summary

In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.

The malware gained access to the healthcare institution systems through an infected USB drive. During the investigation, the Check Point Research (CPR) team discovered newer versions of the malware with similar capabilities to self-propagate through USB drives. In this way, malware infections originating in Southeast Asia spread uncontrollably to different networks around the globe, even if those networks are not the threat actors’ primary targets.

The main payload variant, called WispRider, has undergone significant revisions. In addition to backdoor capabilities and the ability to propagate through USB using the HopperTick launcher, the payload includes additional features, such as a bypass for SmadAV, an anti-virus solution popular in Southeast Asia. The malware also performs DLL-side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies (Electronic Arts and Riot Games). Check Point Research responsibly notified these companies on the above-mentioned use of their software by the attackers.

The findings in this report, along with corroborating evidence from other industry reports, confirm that Chinese threat actors, including Camaro Dragon, continue to effectively leverage USB devices as an infection vector.

The prevalence and nature of the attacks using self-propagating USB malware demonstrate the need of protecting against those, even for organizations that may not be the direct targets of such campaigns. We found evidence of USB malware infections at least in the following countries: Myanmar, South Korea, Great Britain, India and Russia.

20
 
 

TIL the French government may have broken encryption on a LUKS-encrypted laptop with a "greater than 20 character" password in April 2023.

When upgrading TAILS today, I saw their announcement changing LUKS from PBKDF2 to Argon2id.

The release announcement above has some interesting back-of-the-envelope calculations for the wall-time required to crack a master key from a LUKS keyslot with PBKDF2 vs Argon2id.

And they also link to Matthew Garrett's article, which describes how to manually upgrade your (non-TAILS) LUKS header to Argon2id.

21
 
 

The U.S. Army’s Criminal Investigation Division is urging military personnel to be on the lookout for unsolicited, suspicious smartwatches in the mail, warning that the devices could be rigged with malware.

In an alert issued this week, the army said services members across the military have reported receiving smartwatches unsolicited in the mail and noted that the smartwatches, when used, “have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data.”

“These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords,” the army warned.

“Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches,” it added.

What is unclear, however, is whether this is an attack targeting American military personnel. The smartwatches, the investigation division noted, may also be meant to run illegal brushing scams.

“Brushing is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail in order to allow companies to write positive reviews in the receiver’s name allowing them to compete with established products,” the agency said.

22
 
 

There are presently 201k people monitoring domains in Have I Been Pwned (HIBP). That's massive! That's 201k people that have searched for a domain, left their email address for future notifications when the domain appears in a new breach and successfully verified that they control the domain. But that's only a subset of all the domains searched, which totals 231k. In many instances, multiple people have searched for the same domain (most likely from the same company given they've successfully verified control), and also in many instances, people are obviously searching for and monitoring multiple domains. Companies have different brands, mergers and acquisitions happen and so on and so forth. Larger numbers of domains also means larger numbers of notifications; HIBP has now sent out 2.7M emails to those monitoring domains after a breach has occurred. And the largest number of the lot: all those domains being monitored encompass an eye watering 273M breached email addresses 😲

The point is, just as HIBP itself has escalated into something far bigger than I ever expected, so too has the domain search feature. Today, I'm launching an all new domain search experience and 5 announcements about major changes surrounding it. Let's jump into it!

Announcement #:

  • 1: There's an all new domain search dashboard
  • 2: From now on, domain verification only needs to happen once
  • 3: Domain searches are now entirely "serverless"
  • 4: There are lots of little optimisation tweaks
  • 5: Searches for small domains will remain free whilst larger domains will soon require a commercial subscription
23
4
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 
 

Cybercrime has become a dominant concern for many businesses, as well as individuals. Cybercriminals will target any business, and any individual if they can realize a profit from their minimal efforts. One of the ways that criminals achieve their goals is through the use of malware that garners a fast profit, such as ransomware. More enterprising criminals will use more persistent malware, which enables them to return to the target for further victimization.

Malware has progressed, revealing some trends that may help cybersecurity professionals in combatting current and future strains.

#1. Malware is becoming increasingly aggressive and evasive

Evasive malware, designed to thwart traditional security technologies like first-generation sandboxes and signature-based gateways, is not new. However, the trend toward more sophisticated, aggressive, and evasive malware will probably emerge as a result of the latest developments in Artificial Intelligence (AI). In the past, evasive maneuvers have made static malware analysis approaches insufficient. Fortunately, AI will also be useful in dynamic analysis. Sadly, this could result in a war of machines, creating service disruptions as the two entities battle for supremacy.

#2. Multi-Factor Authentication (MFA) Attacks

Multi-Factor Authentication has finally gained wider adoption in corporate as well as individual settings. What seemed like a panacea to the brute-force attack problem has been shown to be a bit more vulnerable than originally hoped. For example, if a person’s credentials have been compromised, a technique known as “prompt bombing” can be used to create MFA fatigue, eventually causing a person to accept a login notification just to silence the alerts. Many attacks against MFA involve scanning vulnerable login processes to inject the second-factor codes into websites. While not considered malware in the traditional sense, MFA exploits have the same effect of automating an exploit to gain access to sensitive information.

#3. Targeted attacks will give way to mass exploit customization

Targeted attacks require a substantial amount of manual work on the part of the attackers in order to identify victims and then engineer attacks that can fool the victim, as well as create customized compromises and better pre-attack reconnaissance. While attackers have not yet automated these tasks, it is reasonable to assume that some are attempting to do so. One tell-tale sign of automated reconnaissance is its inability to change its behavior. The best defense against this is for cybersecurity professionals to recognize the patterns that are used to compromise a target and work to mitigate those exposures.

#4. More consumer and enterprise data leaks via cloud apps

As we grow more dependent on cloud services, we introduce new exposures. More attackers are targeting cloud-based information. There also seems to be diminished awareness about the implications of putting personal and commercial data and media in the cloud. Moreover, as cloud data management becomes unwieldy, new security vulnerabilities may become public. Malware that results in cloud breaches could present fertile ground for attackers. Cybersecurity professionals must remember that cloud security is not the responsibility of the cloud provider. Proactive protection, as well as testing, remain vital to keeping cloud data safe.

#5. Your refrigerator is running exploits

Devices that weren’t previously connected to the internet, like home appliances, cars, or photo frames, could become the weakest link in our always-on lifestyles. As everything moves online and adoption grows markedly, there will be attacks through systems we haven’t even considered yet. As more personal devices enter office environments, and as office environments have spread to homes, the Internet of Things (IoT) becomes an even greater attack surface.

24
 
 

The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.

The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington.

The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said.

25
 
 

After years of breakneck growth, China’s security and surveillance industry is now focused on shoring up its vulnerabilities to the United States and other outside actors, worried about risks posed by hackers, advances in artificial intelligence and pressure from rival governments.

The renewed emphasis on self-reliance, combating fraud and hardening systems against hacking was on display at the recent Security China exhibition in Beijing, illustrating just how difficult it will be to get Beijing and Washington to cooperate even as researchers warn that humankind faces common risks from AI. The show took place just days after China’s ruling Communist Party warned officials of the risks posed by artificial intelligence.

Looming over the four-day meet: China’s biggest geopolitical rival, the United States. American-developed AI chatbot ChatGPT was a frequent topic of conversation, as were U.S. efforts to choke off China’s access to cutting-edge technology.

view more: next ›