Feb 08 2024

China had “persistent” access to U.S. critical infrastructure

Category: Access Control,Cyber Espionagedisc7 @ 7:59 am
https://www.axios.com/2024/02/07/china-volt-typhoon-critical-cyberattacks

China-backed hackers have had access to some major U.S. critical infrastructure for “at least five years,” according to an intelligence advisory released Wednesday.

Why it matters: The hacking campaign laid out in the report marks a sharp escalation in China’s willingness to seize U.S. infrastructure — going beyond the typical effort to steal state secrets.

  • The advisory provides the fullest picture to-date of how a key China hacking group has gained and maintained access to some U.S. critical infrastructure.

Details: The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation released an advisory Wednesday to warn critical infrastructure operators about China’s ongoing hacking interests.

  • According to the advisory, China-backed hacking group Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country.
  • The group has relied heavily on stolen administrator credentials to maintain access to the systems — and in some cases it has maintained access for “at least five years,” per the advisory.
  • Volt Typhoon has been seen controlling some victims’ surveillance camera systems, and its access could have allowed the group to disrupt critical energy and water controls.

Of note: Volt Typhoon uses so-called “living off the land” techniques that limit any trace of their activities on a network — making the actors more difficult to detect.

  • CNN first reported details from the advisory earlier today.

Between the lines: U.S. officials are increasingly worried China will launch destructive cyberattacks either during or in the lead up to a possible Chinese invasion of Taiwan.

  • Authorities in Canada, Australia and New Zealand contributed to today’s advisory, citing concerns that China is also targeting organizations in their countries.

Catch up quick: Intelligence officials have been ringing alarm bells about Volt Typhoon for nearly a year.

  • Last May, Microsoft and the U.S. government warned that Volt Typhoon had been positioning itself to launch attacks on infrastructure across the country, including water utilities and ports.
  • This month, officials said they had successfully thwarted Volt Typhoon’s access to these networks — but warned that the group had shown a willingness to keep looking for new ways in.

The big picture: U.S. critical infrastructure is riddled with security problems, including poor password management and a lack of procedures to install security updates.

  • Some critical infrastructure, including water systems, lack the funds to hire security personnel or upgrade equipment.
  • Government attempts to require basic cybersecurity audits have also hit legal hurdles.

Be smart: U.S. cyber defenders are urging infrastructure operators to apply available software updates to all internet-facing systems, implement multi-factor authentication and turn on activity logs to track for any suspicious user behavior.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Advanced Persistent Threats

Jan 30 2024

Aembit Announces New Workload IAM Integration With CrowdStrike To Help Enterprises Secure Workload-To-Workload Access

Category: Access Control,Information Securitydisc7 @ 3:12 pm
Aembit Announces New Workload IAM Integration with CrowdStrike to Help Enterprises Secure Workload-to-Workload Access

Aembit Becomes the First Workload IAM Platform to Integrate with the Industry-Leading CrowdStrike Falcon Platform to Drive Workload Conditional Access

Aembit, the Workload Identity and Access Management (IAM) platform that enables DevOps and security teams to discover, manage, enforce and audit access between workloads, today announced the availability of a new integration with the industry-leading CrowdStrike Falcon® platform to give enterprises the ability to dynamically manage and enforce conditional access policies based on the real-time security posture of their applications and services.

This integration signifies a significant leap in Aembit’s mission to empower organizations to apply Zero Trust principles to make workload-to-workload access more secure and manageable. 

Workload IAM transforms enterprise security by securing workload-to-workload access through policy-driven, identity-based, and secretless access controls, moving away from the legacy unmanaged, secrets-based approach. 

Through this partnership, the Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload and evaluates its real-time security posture to drive workload access decisions to applications and data.

With this approach, now enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional customer benefits from this partnership include:

  • Managed Workload-to-Workload Access: Enforce and manage workload access to other applications, SaaS services, and third-party APIs based on identity and policy set by the security team, driving down risk.
  • Seamless Deployment: Drive consolidation by effortlessly integrating the Aembit Workload IAM Platform with the Falcon platform in a few clicks, providing a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust Security Model: Embrace a Zero Trust approach, ensuring that every access request, regardless of the source, is verified before granting access rights. Aembit’s solution enforces the principle of least privilege based on identity, policy, and workload security posture, minimizing potential security vulnerabilities.
  • Visibility and Monitoring: Gain extensive visibility into workload identities and access permissions, enabling swift detection and response to potential security threats. Monitor and audit access logs based on identity for comprehensive security oversight.

This industry-first collaboration builds on the recent CrowdStrike Falcon Fund strategic investment in Aembit, underscoring the global cybersecurity leader’s commitment to fostering innovation within the space. The investment reflects the recognition of the growing demands for securing workload access.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Aembit, CrowdStrike Falcon, IAM

Jan 06 2023

Researchers Claim That RSA Algorithm Can Be Broken by Quantum Computers

Category: Access ControlDISC @ 10:27 am
Researchers Claim That RSA Algorithm Can Be Broken by Quantum Computers

It was recently reported that Chinese researchers had made a breakthrough in the field of quantum computing. A quantum computer with around the same power as what will soon be available to the general public has been designed to break the RSA public-key encryption system.

The breaking of 2048-bit RSA encryption would have a major impact on the security of the system. 

Basically, what Chinese experts are looking for is a method of finding the secret prime numbers that underpin the algorithm in a consistent and quick manner.

RSA Algorithm Can Be Broken

There is no doubt that the RSA algorithm itself has been largely replaced by others in consumer-facing protocols like:-

  • Transport Layer Security
  • Older enterprise
  • Operational technology software
  • Code-signing certificates

Researchers stated that breaking the widely used RSA-2048 algorithm is possible using a “universal quantum algorithm for integer factorization by combining the classical lattice reduction with a quantum approximate optimization algorithm (QAOA). The number of qubits required is O(logN/loglogN), which is sublinear in the bit length of the integer N, making it the most qubit-saving factorization algorithm to date.”

Chinese Researchers Claim

There is a possibility that malicious adversaries could generate these signing keys or decrypt messages that are protected by RSA encryption. If they managed to generate these keys or decrypt the messages, they could also observe internet traffic as well. 

Some of these attacks have even been known to pass off malicious code as genuine software updates, which would allow them to seize control of third-party devices by posing as legitimate updates.

There are several key components that pose a significant threat to traditional cryptography that are raised by quantum computing.

Quantum vs Classical

It is claimed that a 372-qubit quantum computer can be utilized to break the 2048-bit algorithm. Although there are some caveats to this statement, it is still worth noting. 

In order to demonstrate their hypothesis, they were only able to use a device with 10 qubits to practice on, and they were unable to use any device with more than 48 bits to demonstrate it.

The findings of these studies have been questioned by many experts. Without any meaningful peer review, the paper was published on the preprint service ArXiv by the authors.

An acceptable minimum standard for evaluating a research paper’s scientific merit would be considered by many to be an essential part of the scientific procedure.

A computer security expert named Bruce Schneier said in a paper published in October that there was still much to be decided about whether the technique can be applied in a real-world setting.

There are several prestigious universities in China that the authors are affiliated with. Schneier argued that even if the claims of the research are proven untrue, they point to a race between researchers to develop a way to break encryption in the near future using quantum computing.

We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain system. Such a scale of quantum resources is most likely to be achieved on NISQ devices in the near future, researchers stated.

Tags: Quantum Computers, RSA Algorithm

Nov 30 2022

10 Best Vulnerability Scanning Tools For Penetration Testing

Category: Access Control,Security ToolsDISC @ 10:57 am
10 Best Vulnerability Scanning Tools For Penetration Testing – 2023

A Vulnerability Scanning Tool is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.

The Vulnerability scanning tools help in detecting security loopholes in the application, operating systems, hardware, and network systems.

Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.

What does a Vulnerability Scanner do?

Vulnerability scanners are one right way to do this, with their continuous and automated scanning procedures they can scan the network for potential loopholes.

It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.

Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.

In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.

What are the Three types of Vulnerability Scanners?

This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.

Following are the types of vulnerability scanners

  • Discovery Scanning
  • Full Scanning
  • Compliance Scanning

What is an example of a Vulnerability Scanner?

The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online

In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.

10 Best Vulnerability Scanner Tools

Vulnerability ScannerKey Features
OpenVAS Vulnerability ScannerCustom Scan Configuration
Targeted IP Address
Task Naming
Authorized (credentialed) Scans
Scheduling scans
Tripwire IP360Flexible Scanning
Full Network Discovery
Vulnerability Risk Scoring
Asset Discovery
Nessus vulnerability scannerTarget Profiling
Sensitive data discovery
Malware Detection
PCI DSS requirements
Vulnerability scanning
Comodo HackerProofDaily Vulnerability Scanning
Web-based Management Tool
PCI Scanning Tools
Nexpose communityReal Risk Score
Integration with Metasploit
Powerful Reporting
Adaptive Security
Vulnerability Manager PlusCustomization of Patches to Application
Detecting zero-day vulnerabilities
Audit end-of-life software
Security recommendations
NiktoSupport for Proxy with authentication
Cookies Support
Username Enumeration
Outdated component report
WiresharkLive capture and offline analysis
Deep inspection of protocols
VoIP analysis
Read/write Capture file
Coloring rules
Aircrack-ngAnalyzing WiFi networks for weaknesses
Capture and injection of WiFi cards
Sniff wireless packets
Recover lost keys
Retina network security scannerDiscover the Full network Environment
Identify Application Flaw
Analyze threats and gain security intelligence

10 Best Vulnerability Scanning Tools 2023

  1. OpenVAS Vulnerability Scanner
  2. Tripwire IP360
  3. Nessus vulnerability scanner
  4. Comodo HackerProof
  5. Nexpose community
  6. Vulnerability Manager Plus
  7. Nikto
  8. Wireshark
  9. Aircrack-ng
  10. Retina network security scanner

for more details on these vulnerability scanning tools

Vulnerability Scanning Tools

Checkout latest books on Vulnerability Scanning Tools

Tags: Vulnerability Scanning Tools

Nov 21 2022

How social media scammers buy time to steal your 2FA codes

Category: 2FA,Access ControlDISC @ 12:41 pm
How social media scammers buy time to steal your 2FA codes

Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.

As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:

  • Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can’t put in anything for you automatically if they’re faced with a website they’ve never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name that’s close enough be almost indistinguishable to the human eye, the password manager won’t be fooled because it’s typically looking out for the URL, the whole URL, and nothing but the URL.
  • With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA system typically work once only, whether they’re sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely “prove” they are you.

Unfortunately, these precautions can’t immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…

…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there’s anything phishy going on.

Even worse, the crooks will often aim to create what we like to call a “soft dismount”, meaning that they create a believable visual conclusion to their phishing expedition.

This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.

Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.

The short but winding road

Here’s a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.

The scammers:

  • Pretend that your own Facebook page violates Facebook’s terms of use. The crooks warn that this could to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether they’re specifically concerned about Twitter or not:

more details: How social media scammers buy time to steal your 2FA codes

Sep 19 2022

Critical Flaws in Airplanes WiFi Access Point Let Attackers Gain Root Access

Category: Access Control,Security vulnerabilitiesDISC @ 9:36 am
Critical Flaws in Airplanes WiFi Access Point Let Attackers Gain Root Access

Two critical vulnerabilities have been found recently in the wireless LAN devices of Contec. These critical vulnerabilities were discovered by the cybersecurity analysts, Samy Younsi and Thomas Knudsen of Necrum Security Lab.

There are two models of the FLEXLAN FXA2000 and FXA3000 series from CONTEC which are primarily used in airplane installations as WiFi access points.

As a result, these devices offer extremely high-speed connectivity during flight trips for the following purposes:-

  • Movies
  • Musics
  • Buy foods
  • Buy goodies
Critical Flaws in Airplanes WiFi Access Point Let Attackers Gain Root Access

Tags: critical flaws, WiFi Access Point

Aug 25 2022

Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack

Category: Access Control,Attack Matrix,Cyber Attack,Vendor AssessmentDISC @ 2:02 pm

The “0ktapus” cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp.

Okta logo on a mobile phone screen

The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.

That’s according to an investigation from Group-IB, which found that several well-known organizations were among those targeted in a massive phishing campaign that it calls 0ktapus. The lures were simple, such as fake notifications that users needed to reset their passwords. They were sent via texts with links to static phishing sites mirroring the Okta authentication page of each specific organization.

“Despite using low-skill methods, [the group] was able to compromise a large number of well-known organizations,” researchers said in a blog post today. “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

Such was the case with the Twilio breach that occurred Aug. 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for single sign-on across the organization, allowing them to gain access to internal systems, applications, and customer data. The breach affected about 25 downstream organizations that use Twilio’s phone verification and other services — including Signal, which issued a statement confirming that about 1,900 users could have had their phone numbers hijacked in the incident.

The majority of the 130 companies targeted were SaaS and software companies in the US — unsurprising, given the supply chain nature of the attack.

For instance, additional victims in the campaign include email marketing firms Klaviyo and Mailchimp. In both cases, the crooks made off with names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including for Mailchimp customer DigitalOcean (which subsequently dropped the provider).

In Cloudflare’s case, some employees fell for the ruse, but the attack was thwarted thanks to the physical security keys issued to every employee that are required to access all internal applications.

Lior Yaari, CEO and co-founder of Grip Security, notes that the extent and cause of the breach beyond Group IB’s findings are still unknown, so additional victims could come to light.

“Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords,” he warns. “Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for shadow SaaS.”

Time to Rethink IAM?

On the whole, the success of the campaign illustrates the trouble with relying on humans to detect social engineering, and the gaps in existing identity and access management (IAM) approaches.

“The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attack,” Yaari says. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta.”

The incident also points out that enterprises increasingly rely on their employees’ access to mobile endpoints to be productive in the modern distributed workforce, creating a rich, new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.

“From phishing to network threats, malicious applications to compromised devices, it’s critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access,” he wrote in an emailed statement.

https://www.darkreading.com/remote-workforce/twilio-hackers-okta-credentials-sprawling-supply-chain-attack

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: authentication, authorization, Identity and Access Management

Jul 27 2022

DUCKTAIL operation targets Facebook’s Business and Ad accounts

Category: Access Control,App Security,AuthenticationDISC @ 8:29 am
DUCKTAIL operation targets Facebook’s Business and Ad accounts

Researchers uncovered an ongoing operation, codenamed DUCKTAIL that targets Facebook Business and Ad Accounts.

Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a Vietnamese financially motivated threat actor which is suspected to be active since 2018.

“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.

The threat actors target individuals and employees that may have access to a Facebook Business account, they use an information-stealer malware that steals browser cookies and abuse authenticated Facebook sessions to steal information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers connected the victims through LinkedIn, some of the samples observed by the experts have been hosted on file or cloud hosting services, such as Dropbox, iCloud, and MediaFire.

WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, it also includes the main assembly. Experts pointed out that the usage of .NET Core and its single-file feature is uncommon in malware development.

The use of .Net Core allows the attackers to embed Telegram.Bot client as well as any other external
dependencies into a single executable and use Telegram channels as Command and Control (C&C).

“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation

Ducktail

Once obtained the above data, the attackers can access to the victim’s personal account, hijack it by adding their email address retrieved from the Telegram channel and grant themselves Admin and Finance editor access.

“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.

Countries affected by DUCKTAIL samples analyzed by the experts includes US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.

“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”

Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.

Security Manual. Whatsapp and FacebookSecurity Manual. Whatsapp and FacebookSecurity Manual. Whatsapp and Facebook

Tags: DUCKTAIL operation, Facebook security, Security Manual

Jul 12 2022

Flaws in the ExpressLRS Protocol allow the takeover of drones

Category: Access Control,Wi-Fi SecurityDISC @ 8:51 am
Flaws in the ExpressLRS Protocol allow the takeover of drones

The protocol for radio-controlled (RC) drones, named ExpressLRS, is affected by vulnerabilities that can allow device takeover.

Researchers warn of vulnerabilities that affect the protocol for radio-controlled (RC) drones, named ExpressLRS, which can be exploited to take over unmanned vehicles.

ExpressLRS is a high-performance open-source radio control link that provides a low latency radio control link while also achieving maximum range.

According to a bulletin recently published, an attacker can take control of any receiver by observing the traffic from the associated transmitter.

Using only a standard ExpressLRS compatible transmitter, it is possible to take control of any receiver after observing traffic from a corresponding transmitter.

Security issues in the binding phase can allow an attacker to extract part of the identifier shared between the receiver and transmitter. The analysis of this part, along with brute force attack, can allow attackers to discover the remaining part of the identifier. Once the attacker has obtained the complete identifier, it can take over the craft containing the receiver, with no knowledge of the binding phrase, by using a transmitter. This attack scenario is feasible in software using standard ExpressLRS compatible hardware.

“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NccGroup. “Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.”

The phrase used by the ExpressLRS protocol is encrypted using the hashing algorithm MD5 which is known to be cryptographically broken.

The experts observed that the “sync packets” that are exchanged between transmitter and receiver at regular intervals for synchronizing purposes leak a major part of the binding phrase’s unique identifier (UID). An attacker can determine the remaining part via brute-force attacks or by observing packets over the air without brute-forcing the sequences.

“Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.

  1. The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid collision. Observation of a single sync packet therefor gives 75% of the bytes required to take over the link.
  2. The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” reads the advisory.

The third weakness occurs in the FHSS sequence generation.

  1. Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4 byte seed produce the same FHSS sequence as the first 128.

The advisory recommends avoiding sending the UID over the control link. The data used to generate the FHSS sequence should not be sent over the air. It also recommends to improve the random number generator by using a more secure algorithm or adjusting the existing algorithm to work around repeated sequences.

ExpressLRS drones

Artificial Intelligence Applications for Drone Cyber Security

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: drones, ExpressLRS Protocol

Jun 23 2022

How Is Hospital Critical Infrastructure Protected?

Category: Access Control,hipaa,Policies & Controls,Security controlsDISC @ 3:01 pm
How Is Hospital Critical Infrastructure Protected?

Hospitals hold a lot of sensitive data. When they are hacked, patient information is exposed, putting patients at risk because the hackers can use stolen personal information in several identity theft schemes. The Department of Health and Human Services (HHS) has been working hard to protect hospitals from cyberattacks, but the fact is that while they do the best they can, there will always be breaches and more work to be done. The government is trying everything to ensure that hospitals are protected and that patients are aware of any breaches as quickly as possible when they do occur.

Table of Contents

  1. Hospitals as an important part of the critical infrastructure
  2. Hospitals need special protection to keep patients safe.
  3. Some Of the Specific Things That Can Be Done to Protect Hospitals Against Cyberattacks
  4. There are various practices and systems in place to protect critical infrastructure and hospitals.
  5. Is there anything hospital patients can do to reduce their risk?
  6. Conclusion

How-Is-Hospital-Critical-Infrastructure-Protected

Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Hospital Critical Infrastructure

May 27 2022

GhostTouch: how to remotely control touchscreens with EMI

Category: Access Control,Remote codeDISC @ 8:58 am
GhostTouch: how to remotely control touchscreens with EMI

Security researchers devised a technique, dubbed GhostTouch, to remotely control touchscreens using electromagnetic signals.

A team of researchers from Zhejiang University and Technical University of Darmstadt devised a technique, dubbed GhostTouch, to remotely control capacitive touchscreens using electromagnetic signals.

According to the experts, GhostTouch is the first active contactless attack against capacitive touchscreens.

GhostTouch uses electromagnetic interference (EMI) to remotely inject fake touch points into a capacitive device. The researchers demonstrated how to inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen. The events allowed the researchers to control the devices (i.e. answering an eavesdropping phone call, pressing the button, swiping up to unlock), the attack technique was successful on nine smartphone models.

“We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.” reads the research paper published by the academics. “Finally, we discuss potential hardware and software countermeasures to mitigate the attack.”

The GhostTouch system consists of two components, a touch injector and a phone locator. The touch injector is used to inject touch events into the touchscreen and includes a signal generator, an amplifier, an on/off switch, and a receiving antenna array. The phone locator is used to identify the position of the touchscreen and consists of a sensing antenna array, a data acquisition device, and a location calculator.

The experimental lab setup up by the researchers is composed of an electrostatic gun used to generate a strong pulse signal which is sent to an antenna to transmit an electromagnetic field to the touchscreen.

Tak a look at

Take a look at a couple of video PoCs of attacks devised by the experts that show GhostTouch attack to answer the phone call and connect the malicious Bluetooth.

The experts tested the technique against nine different smartphone models, including Galaxy A10s, Huawei P30 Lite, Honor View 10, Galaxy S20 FE 5G, Nexus 5X, Redmi Note 9S, Nokia 7.2, Redmi 8, and an iPhone SE (2020).

“We demonstrate the feasibility of this attack in the real world.” concludes the paper. “In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table2. An attacker may embed the attack equipment under the table and launch attacks remotely. For example, an attacker may impersonate the victim to answer a phone call which would eavesdrop the private conversation, or visit a malicious website.”

The researchers provided a series of countermeasures to neutralize the attack, including adding electromagnetic shielding to block EMI, reinforcing the touchscreen, improving the detection algorithm of the touchscreen, and forcing some form of authentication for the execution of high-risk actions.

Remote Access Automated Monitoring And Control A Complete Guide

Tags: GhostTouch, remotely control touchscreens

May 10 2022

DCRat, only $5 for a fully working remote access trojan

Category: Access Control,Remote codeDISC @ 8:21 am
DCRat, only $5 for a fully working remote access trojan

Researchers warn of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums.

Cybersecurity researchers from BlackBerry are warning of a remote access trojan called DCRat (aka DarkCrystal RAT) that is available for sale on Russian cybercrime forums. The DCRat backdoor is very cheap, it appears to be the work of a lone threat actor that goes online with the monikers of “boldenis44,” “crystalcoder,” and Кодер (“Coder”). Prices for the backdoor start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription.

“Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.” reads the report published by BlackBerry.

The author implemented an effective malware and continues to efficiently maintain it. The researchers pointed out that the price for this malware is a fraction of the standard price such RAT on Russian underground forums.

DCRat first appeared in the threat landscape in 2018, but a year later it was redesigned and relaunched.

DCRat is written in .NET and has a modular structure, affiliates could develop their own plugins by using a dedicated integrated development environment (IDE) called DCRat Studio.

The modular architecture of the malware allows to extend its functionalities for multiple malicious purposes, including surveillance, reconnaissance, information theft, DDoS attacks, and arbitrary code execution.

The DCRat consists of three components:

  • A stealer/client executable
  • A single PHP page, serving as the command-and-control (C2) endpoint/interface
  • An administrator tool

“All DCRat marketing and sales operations are done through the popular Russian hacking forum lolz.guru, which also handles some of the DCRat pre-sales queries. DCRat support topics are made available here to the wider public, while the main DCRat offering thread is restricted to registered users only.” continues the report.

The malware is under active development, the author announces any news and updates through a dedicated Telegram channel that had approximately 3k subscribers.

dcrat
DCRat Telegram announcing discounts and price specials (source BlackBerry)

During recent months, the researchers ofter observed DCRat clients being deployed with the use of Cobalt Strike beacons through the Prometheus TDS (traffic direction system).

DCRat also implements a kill switch, which would render all instances of the DCRat administrator tool unusable, irrespective of subscriber license validity.

The Administrator tool allows subscribers to sign in to an active C2 server, configure (and generate) builds of the DCRat client executable, execute commands on infected systems

Experts concluded that the RAT is maintained daily, which means that the author is working on this project full-time.

“There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible.” concludes the report that also includes Indicators of Compromise (IoCs). “While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity. More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: RAT, remote access trojan, remote access trojan (RAT)

May 04 2022

General Access Control Guidance for cloud system

Category: Access Control,Cloud computingDISC @ 3:19 pm

General-Access-Control-Guidance-for-cloud-system-1Download

Role Based Access Control in Cloud Computing: Role Based Access Control Using Policy Specification and Ontology on Clouds

Tags: 800-210, NIST Special Publication 800-210

Feb 02 2022

General Access Control Guidance for Cloud Systems

Category: Access Control,Cloud computingDISC @ 11:42 pm

General-Access-Control-Guidance-for-cloud-system-1Download

Access Control Management in Cloud Environments

Tags: Access Control Management in Cloud Environments, NIST Special Publication 800-210

Dec 17 2021

Flaws in Lenovo laptops allow escalating to admin privileges

Category: Access Control,Endpoint securityDISC @ 10:47 am
Flaws in Lenovo laptops allow escalating to admin privileges

The ImControllerService service of Lenovo laptops is affected by a privilege elevation bug that can allow to execute commands with admin privileges.

Lenovo laptops, including ThinkPad and Yoga families, are affected by a privilege elevation issues that resides in the ImControllerService service allowing attackers to execute commands with admin privileges.

The vulnerabilities, tracked as CVE-2021-3922 and CVE-2021-3969, are a race condition vulnerability and a Time of Check Time of Use (TOCTOU) vulnerability respectively.

The flaws affect the ImControllerService service (“System Interface Foundation Service”) of all Lenovo System Interface Foundation versions below 1.1.20.3.

The Lenovo System Interface Foundation Service provides interfaces for multiple features, including system power management, system optimization, driver and application updates, for this reason it is not recommended to disable it.

The vulnerability was reported to Lenovo by researchers at NCC Group on October 29, 2021, and the vendor addressed it with the release of security updates on November 17, 2021. This week the company publicly disclosed the vulnerability.

“The following vulnerabilities were reported in the IMController component of Lenovo System Interface Foundation used by Lenovo Vantage.” reads the advisory published by the company.

“CVE-2021-3922: A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to connect and interact with the IMController child process’ named pipe.

CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to elevate privileges.”

According to NCC Group, the ImController service comes installed on certain Lenovo devices, it runs as the SYSTEM user and periodically executes child processes that perform system configuration and maintenance tasks.

An attacker can exploit the vulnerabilities to elevate its privileges to SYSTEM and take over the vulnerable device.

The vulnerability resides in the way the ImControllerService handles the execution of highly privileged child processes which allows an unprivileged attacker with local access to the system to elevate their privileges.

The flawed vulnerable component periodically starts child processes to perform tasks and each of them opens a named pipe server to which any user on the system can connect.

“The parent process establishes a connection to the child’s server as soon as possible in order to send XML serialised commands over the named pipe. The child does not validate the source of the connection and parses the XML serialized commands. One of the commands that the parent process can send instructs the child to load a ‘plugin’ from an arbitrary location on the filesystem. The child process validates the digital signature of the plugin DLL file before loading the file into its address space and yielding execution to it.” reads the post published by NCC Group. “Successful exploitation of two vulnerabilities required to get the child to load a payload of the attacker’s choosing.”

The researchers noticed that the child process does not validate the source of the connection, this means it will begin accepting commands from the attacker using high-performance filesystem synchronization routines after the race condition has been exploited.

NCC Group researchers developed a proof of concept code that never failed to connect to the named pipe before the parent service could do so.

The second issue, the time-of-check to time-of-use (TOCTOU) vulnerability, is exploited to stall the loading process and replace the validated plugin with a malicious DLL file. The DLL is executed with high privileges.

Privilege Escalation Techniques: Learn the art of exploiting Windows and Linux systems

Privilege Escalation Techniques

System Security Threats

Tags: admin privileges, Lenovo laptops, Privilege Escalation Techniques

Nov 03 2021

Cybercrime underground flooded with offers for initial access to shipping and logistics orgs

Category: Access Control,Cyber Threats,CybercrimeDISC @ 9:02 am
Cybercrime underground flooded with offers for initial access to shipping and logistics orgs

Experts warn of the availability in the cybercrime underground of offers for initial access to networks of players in global supply chains.

Researchers from threat intelligence firm Intel 471 published an analysis of current cybercrime underground trends online, warning that initial access brokers are offering credentials or other forms of access to shipping and logistics organizations. 

These organizations provide essential services to the global supply chain in multiple industries, they operate air, ground and maritime cargo transport on several continents.

Experts believe threat actors selling initial access to the organizations have obtained these credentials by expliting well-known vulnerabilities in remote access solutions, including Remote Desktop Protocol (RDP), VPN, Citrix, and SonicWall.

Intel 471 experts monitored the activities on the Dark Web over the past few months and observed a prevalence in the listing of offers for initial access to organizations operating in the global supply chain are.

The experts provided multiple examples of the offers they have found:

Disrupting Logistics: Startups, Technologies, and Investors Building Future Supply Chains – “This book presents readers with a straightforward and comprehensive assessment of supply chain innovation and trends and their impact on the industry. With contributions from several industry leaders, it provides critical knowledge and insight that supply chain and logistics managers need to implement disruptive technologies strategically.” 

Tags: dark net, dark web, shipping and logistics

Aug 18 2021

Adopting Zero-Trust for API Security

Category: Access Control,App Security,Zero trustDISC @ 11:56 am
Adopting Zero-Trust for API Security

Why Use Zero-Trust for API Security

Think of APIs as the new network; interconnected in complex ways and with API interactions happening both within and outside  of the organization.

“Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure when APIs are documented and made available on the public internet.”

However, the larger risk is found in private and internal APIs, because there is a common assumption that since they aren’t documented or found on a public network, they aren’t exposed.

But as threat actors become more sophisticated in their search for and discovery of private APIs, there is increased risk of the bad guys gaining access to massive amounts of sensitive data. Private APIs need the same layers of protection as public-facing APIs.

“APIs are, by definition, atomic in nature—meaning they can be invoked independently,” explained Setu Kulkarni, vice president, strategy at NTT Application Security in an email interview. “That creates a real challenge for securing these APIs.”

Given that, Kulkarni added, a critical consideration for implementing zero-trust in APIs is to ensure that there is appropriate access control built into the API implementation. Every API function call requires not just authentication but also authorization. Also, adding zero-trust around session validation helps to prevent unintended data leakage.

Integrating Zero-Trust in APIs

API Security in Action

Tags: API Security

Aug 17 2021

Fortinet FortiWeb OS Command Injection allows takeover servers remotely

Category: Access Control,PowerShell Security,Security Breach,Security patching,Security ToolsDISC @ 8:38 am
Fortinet FortiWeb OS Command Injection allows takeover servers remotely

Fortinet addresses a command injection vulnerability that can allow attackers to take complete control of servers running vulnerable FortiWeb WAF installs.

An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. Experts pointed out that the flaw could be chained with an authentication bypass flaw that could allow an attacker

The vulnerability impacts Fortinet FortiWeb versions 6.3.11 and earlier, an authenticated attacker could exploit the issue to take complete control of servers running vulnerable versions of the FortiWeb WAF.

An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. Experts pointed out that the flaw could be chained with an authentication bypass flaw (i.e. CVE-2020-29015) to allow an unauthenticated attacker to trigger the vulnerability.

The vulnerability was reported by the researcher William Vu from Rapid7.

“An attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the “Name” field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.” reads the post published by Rapid7. “An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. “

The flaw could allow an attacker to deploy a persistent shell, install crypto mining software, or other malware families. If the management interface is exposed to the internet, an attacker could trigger the issue to reach into the affected network beyond the DMZ. Rapid7 researchers discovered less than three hundred devices exposing their management interfaces online. Let’s remind that management interfaces for devices like FortiWeb should not be exposed online!

OWASP WEB APPLICATION SECURITY THREATS – MARKET INTEREST TREND : FULL REPORT PACKAGE by [CURIOSITY PUBLISHERS]

Tags: OS Command Injection

Jun 15 2021

RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries

Category: Access Control,Password SecurityDISC @ 9:34 am
rockyou2021.txt sample password's list

What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches. 

According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries:

rockyou2021.txt

The compilation itself has been dubbed ‘RockYou2021’ by the forum user, presumably in reference to the infamous RockYou data breach that occurred in 2009 and rockyou2021.txt filename containing all passwords, when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text. 

With a collection that exceeds its 12-year-old namesake by more than 262 times, this leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever. Its 3.2 billion leaked passwords, along with passwords from multiple other leaked databases, are included in the RockYou2021 compilation that has been amassed by the person behind this collection over several years.

Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak. 

How to check if your password was leaked?

Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker or our leaked password checker.

Note: We take our readers’ privacy extremely seriously. To protect your privacy and security, the data that you enter in the search field is hashed, and we use only this hash to perform a search in our database. We do not collect entered emails or passwords, nothing is logged when you perform a leak check.

Source: RockYou2021

Tags: Password breach, Rockyou2021

Next Page »