Max_UL

joined 1 year ago
[–] [email protected] 6 points 10 months ago

If you haven’t read The Culture by Iain Banks, it’s among the best and most enjoyable sci-fi ever, in my opinion. The humans of the Culture are quite near the most advanced in the universe, but there are entities more advanced: their own AI ships, prominently, but also other species that chose to “sublime” and exist outside of the normal universe, and because of that such ones are barely ever around. The humans of the Culture could evolve that far too, but haven’t chosen to do so yet in the series.

[–] [email protected] 1 points 10 months ago

Me coming to Lemmy to turn my mind off for a minute, relax and read memes. Drats!

[–] [email protected] 3 points 10 months ago

I sea what you did there!

[–] [email protected] 8 points 10 months ago

Probably like me and our instance, it runs as an extra on a company server, there’s no risk of it going down, it’s negligible for costs.

It’s just been one of the most popular months for vacation; I’ve gone on vacation and will update the Lemmy instance to the latest version when I get around to it.

[–] [email protected] 2 points 10 months ago

Mirror the profile of actually happy, older people who have lives you would like to have.

Take care of your health, eat well and exercise.

Be successful: you don’t have to be rapacious, but there is a level of financial success and stability that definitely decreases stress and affords more opportunities, like travel and hobbies.

Be social: the happiest people have strong social networks.

Be wise: don’t worry about what you can’t change, but be engaged and try to make the world a better place.

[–] [email protected] 3 points 10 months ago

This sounds awesome, will try to use it

[–] [email protected] 4 points 10 months ago

Insert Jerry and George making their sheet requests to the chambermaid

[–] [email protected] 3 points 11 months ago (2 children)

Most wheels don’t have them anymore, but a great prank used to be to smash a fish behind someone’s hubcap.

[–] [email protected] 7 points 11 months ago (8 children)

Do you recommend we all give up and not try to do what we can with our own agency? Is that how you live your life, have you given up?

[–] [email protected] 4 points 11 months ago
[–] [email protected] 9 points 11 months ago (1 children)

I lift weights and get bulky and know many others who do so as vegan or vegetarian as well without issue.

[–] [email protected] 3 points 11 months ago

Whales are back on the menu boys!

 

Researchers say that nearly 336,000 devices exposed to the Internet remain vulnerable to a critical vulnerability in firewalls sold by Fortinet because admins have yet to install patches the company released three weeks ago.

CVE-2023-27997 is a remote code execution vulnerability in FortiGate VPNs, which are included in the company’s firewalls. The vulnerability, which stems from a heap overflow bug, has a severity rating of 9.8 out of 10. Fortinet released updates silently patching the flaw on June 8 and disclosed it four days later in an advisory that said it may have been exploited in targeted attacks. That same day, the US Cybersecurity and Infrastructure Security Agency added it to its catalog of known exploited vulnerabilities and gave federal agencies until Tuesday to patch it.

 

The Russian-linked hacktivist group NoName has been relentlessly targeting the Ukrainian financial sector in its latest campaign against the war-torn nation.

“We will start today's journey with an attack on the financial sector of Ukraine,” the gang posted on their encrypted Telegram channel June 27.

Since the threat actor’s edict four days ago, nearly a dozen major Ukrainian banks have been hit daily by the gang’s signature DDoS attack method.

Targets include four of the nation's largest commercial banks, including First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank.

The pro-Russian hacking conglomerate, officially known in the security world as NoName057(16), said its latest campaign is aimed at disrupting Ukraine’s online banking Internet infrastructure.

Besides claiming to have knocked several of the bank websites completely offline, the gang has also specifically gone after authorization services, login portals, customer service systems, and loan processing services.

 

A year after the Russian invasion of Ukraine, MITRE efforts to develop and deliver needed technology and relief endure, and grow, helping the people on the ground who need it most.

When Russian forces invaded Ukraine, SpaceX sent Starlink satellite internet kits to counter Russian attacks disrupting the country’s internet service. But Starlink technology needs a reliable power source and secure connection to the satellite constellation that processes communications signals. The designers didn’t intend it to be portable or to function in a war zone. Humanitarian and aid-group relief workers in Ukraine needed a system with added resilience.

Enter MITRE. Engineer Joseph Roth and team designed the Starlink Advantage kit to provide energy-independent, reliable access that incorporates cybersecurity, as well as protection from physical targeting. A tote can hold all the components: a terminal providing 100+ Mbps internet speed, a VPN-secured Wi-Fi router, a battery-powered/solar panel generator, a laptop, a car adapter, and technology to protect the network from missile strikes.

 

Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.

 

SolarWinds — the technology firm at the center of a December 2020 hack that affected multiple U.S. government agencies — said its executives may soon face charges from the U.S. Securities and Exchange Commission (SEC) for its response to the incident.

The widespread hack – which the U.S. government attributed to the Russian Foreign Intelligence Service – affected several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.

Hackers found a way to insert malware into a version of the company’s Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.

 

Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.

“The DoZor satellite provider (Amtel group of companies), which serves power lines, oil fields, military units of the Russian Defense Ministry, the Federal Security Service, the pension fund and many other projects, including the northern merchant fleet and the Bilibino nuclear power plant, went to rest,” the group’s first message read, according to a translation. “Part of the satellite terminals failed, the switches rebooted, the information on the servers was destroyed.”

 

Few areas of cybersecurity measure up against penetration testing in terms of importance and excitement. This activity boils down to finding flaws in computer systems so that organizations can address them proactively and forestall real-world attacks.

A pentester worth their salt should have outstanding tech skills, be a social engineering guru, and have enough confidence to try and outsmart seasoned IT professionals working for large corporations. Pentesters are often referred to as ethical hackers, and for good reason – they need to infiltrate well-secured systems to pinpoint loopholes that black hat hackers can parasitize for nefarious purposes.

 

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.

The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said.

Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.

The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.

 

BlackLotus is a sophisticated piece of malware that can infect a computer's low-level firmware, bypassing the Secure Boot defences built into Windows 10 and Windows 11, and allowing the execution of malicious code before a PC's operating system and security defences have loaded.

In this way, attackers could disable security measures such as BitLocker and Windows Defender, without triggering alarms, and deploy BlackLotus's built-in protection against the bootkit's own removal.

Although Microsoft issued a patch for the flaw in Secure Boot back in January 2022, its exploitation remains possible as the affected, validly-signed binaries have not been added to the UEFI revocation list.

Earlier this year, security researchers explained how BlackLotus was taking advantage of this, "bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability."

According to the NSA, there is "significant confusion" about the threat posed by BlackLotus:

“Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat. Other organizations believe there is no threat due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes."

According to the NSA's advisory, patching Windows 10 and Windows 11 against the vulnerabilities is only "a good first step."

In its mitigation guide, the agency details additional steps for hardening systems.

However, as they involve changes to how UEFI Secure Boot is configured they should be undertaken with caution - as they cannot be reversed once activated, and could leave current Windows boot media unusable if mistakes are made.

"Protecting systems against BlackLotus is not a simple fix," said NSA platform security analyst Zachary Blum.
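The article's point is that the vulnerable, validly signed boot binaries are still trusted because their hashes have not been added to the UEFI revocation list (the dbx variable). The following is an added example, not code from the article, Microsoft or the NSA guide: a small parser for the EFI_SIGNATURE_LIST layout that dbx uses, so a practitioner can check whether a given binary's hash is actually revoked on a machine rather than assume the Windows patch settled it. The dbx blob in the block is constructed for the example; the GUIDs and structure offsets are from the UEFI specification.

```python
from __future__ import annotations
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian); 28 bytes total.
_LIST_HDR = struct.Struct("<16sIII")


def build_signature_list(sig_type: uuid.UUID, datas: list[bytes],
                         owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST. Every entry in a list has the same
    size; each entry is an EFI_SIGNATURE_DATA = owner GUID + SignatureData."""
    if not datas or len({len(d) for d in datas}) != 1:
        raise ValueError("a list needs at least one entry and all entries must be equal size")
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (the dbx layout)
    and return (signature_type, owner, signature_data) for every entry.
    Malformed or truncated input raises instead of silently stopping early,
    since a parser that stops early would report a hash as 'not revoked'."""
    entries = []
    off = 0
    while off < len(blob):
        if off + _LIST_HDR.size > len(blob):
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if (list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob)
                or sig_size <= 16):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _LIST_HDR.size + hdr_size
        end = off + list_size
        if (end - pos) % sig_size:
            raise ValueError(f"signature area is not a multiple of SignatureSize at offset {off}")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def revoked_sha256(blob: bytes) -> set[str]:
    """All SHA-256 entries in dbx, as lowercase hex."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, pe_authenticode_sha256: str) -> bool:
    """dbx SHA-256 entries for PE files are Authenticode (PE image) hashes,
    not a plain sha256sum of the file; pass the Authenticode hash here."""
    return pe_authenticode_sha256.lower() in revoked_sha256(blob)


# Constructed dbx blob for the example: two SHA-256 entries plus one X.509
# entry with placeholder bytes, to show that lists of different entry sizes
# are walked correctly. These hashes are not real revocations.
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID,
                         [bytes.fromhex("aa" * 32), bytes.fromhex("bb" * 32)])
    + build_signature_list(EFI_CERT_X509_GUID, [b"not-a-real-certificate"])
)

if __name__ == "__main__":
    for h in ("aa" * 32, "cc" * 32):
        print(h[:16], "revoked" if is_revoked(SAMPLE_DBX, h) else "NOT revoked")
```

To check a live machine, feed the real variable contents instead of SAMPLE_DBX: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` returns the raw list; on Linux, `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` holds the same data after a 4-byte attributes prefix that must be stripped first. A binary whose hash is absent from dbx is still bootable under Secure Boot even if a newer, patched copy has shipped.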

 

The MOVEit Attack: 'Human2' Fingerprint

The group behind Cl0p has used a number of vulnerabilities in file transfer services, such as GoAnywhere MFT in January (CVE-2023-0669), and the MOVEit managed file transfer platforms in late May and early June (CVE-2023-34362).

Initially, the attackers installed a web shell, named LEMURLOOT, using the name "human2.aspx" and used commands sent through HTTP requests with the header field set to "X-siLock-Comment". The advisory from the Cybersecurity and Infrastructure Security Agency also includes four YARA rules for detecting a MOVEit breach.

The attack also leaves behind administrative accounts in associated databases for persistence — even if the Web server has been completely reinstalled, the attackers can revive their compromise. Sessions in the "activesessions" database with Timeout = '9999' or users in the User database with Permission = '30' and Deleted = '0' may indicate attacker activity, according to CrowdStrike.

One hallmark of the MOVEit attack, however, is that often few technical indicators are left behind. The extended success of the Cl0p attack against MOVEit managed file transfer software and the difficulty in finding indicators of compromise shows that product vendors need to spend additional effort on ensuring that forensically useful logging is available, says Caitlin Condon, a security manager with vulnerability-management firm Rapid7.
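As an added example, not taken from the article, the CISA advisory or CrowdStrike's write-up, the following turns the indicators above into a check a responder can run: scanning IIS logs for requests to the human2.aspx web shell, flagging requests that carry the X-siLock-Comment command header, and querying the database for the persistence artifacts (Timeout = 9999 sessions and active Permission = 30 accounts). The IIS log lines and database rows are constructed for the example; the table and column names are the ones named in the text, and the cut-down schema is an assumption, since a real MOVEit Transfer database has many more columns.

```python
from __future__ import annotations
import re
import sqlite3

# LEMURLOOT web shell file name and command header named in the text.
WEBSHELL_PATH = re.compile(r"(^|/)human2\.aspx$", re.IGNORECASE)
WEBSHELL_HEADER = "x-silock-comment"

# Constructed IIS W3C log lines (not real data): one benign request to the
# legitimate human.aspx page and two hits on the web shell name.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 03:14:07 GET /human.aspx - 443 203.0.113.9 200
2023-05-28 03:15:22 POST /human2.aspx - 443 198.51.100.23 200
2023-05-28 03:16:01 GET /HUMAN2.aspx - 443 198.51.100.23 200
"""


def parse_w3c(log_text: str) -> list[dict]:
    """Minimal W3C extended log parser: the #Fields line names the columns."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def webshell_hits(log_text: str) -> list[dict]:
    """Requests whose URI stem is the human2.aspx web shell (case-insensitive,
    because IIS paths are)."""
    return [r for r in parse_w3c(log_text)
            if WEBSHELL_PATH.search(r.get("cs-uri-stem", ""))]


def carries_command_header(headers: dict) -> bool:
    """True if a request has the X-siLock-Comment header used to pass commands
    to the shell. IIS does not log request headers by default, so feed this
    from a WAF, reverse proxy or packet capture rather than the W3C log."""
    return any(k.lower() == WEBSHELL_HEADER for k in headers)


def build_sample_db() -> sqlite3.Connection:
    """Assumed cut-down schema with constructed rows: one backdoor account
    holding a never-expiring session, one legitimate admin, one deleted admin."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE activesessions (SessionID TEXT, Username TEXT, Timeout INTEGER);
        CREATE TABLE users (Username TEXT, Permission INTEGER, Deleted INTEGER);
        INSERT INTO activesessions VALUES ('s1', 'alice', 20), ('s2', 'svc_backdoor', 9999);
        INSERT INTO users VALUES ('alice', 30, 0), ('bob', 10, 0),
                                 ('svc_backdoor', 30, 0), ('oldadmin', 30, 1);
    """)
    return con


def persistence_indicators(con: sqlite3.Connection, expected_admins: set[str]) -> dict:
    """Sessions with Timeout = 9999, and active admin accounts (Permission = 30,
    Deleted = 0) that are not on the organisation's known-admin list. The
    Permission/Deleted query alone returns every legitimate admin too, so the
    allow-list is what turns it into a finding."""
    sessions = con.execute(
        "SELECT SessionID, Username FROM activesessions WHERE Timeout = 9999").fetchall()
    admins = con.execute(
        "SELECT Username FROM users WHERE Permission = 30 AND Deleted = 0").fetchall()
    return {
        "long_lived_sessions": sessions,
        "unexpected_admins": sorted(u for (u,) in admins if u not in expected_admins),
    }


if __name__ == "__main__":
    for hit in webshell_hits(SAMPLE_IIS_LOG):
        print("web shell request:", hit["cs-method"], hit["cs-uri-stem"], "from", hit["c-ip"])
    print(persistence_indicators(build_sample_db(), expected_admins={"alice"}))
```

The database checks matter more than the log checks for the reason the article gives: a reinstalled web server removes human2.aspx and the IIS logs, but the injected session and admin rows survive in the database.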

 

The recently discovered Chinese state-backed advanced persistent threat (APT) "Volt Typhoon," aka "Vanguard Panda," has been spotted using a critical vulnerability in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. And it's now sporting plenty of previously undisclosed stealth mechanisms.

Volt Typhoon came to the fore last month, thanks to joint reports from Microsoft and various government agencies. The reports highlighted the group's infection of critical infrastructure in the Pacific region, to be used as a possible future beachhead in the event of conflict with Taiwan.
