Apr 24 2023

Preventing Malware & Cyber Attacks: Simple Tips for Your Computer

Category: Cyber Attack,MalwareDISC @ 8:15 am
Preventing Malware & Cyber Attacks: Simple Tips for Your Computer

Living without the Internet is hardly imaginable today. However, the anonymity of the internet has led to the flourishing of cyber attacks and malware. Malicious software can cause damage to our devices, steal personal data, and lead to monetary loss. Therefore, protecting your computer from these threats is crucial. This article will outline some methods and resources for protecting your devices from malicious software, and explain why it’s essential to use malware removal at all times.

Tip #1: Keep Your Operating System and Software Up to Date

One of the most crucial things you can do to keep your computer secure is to keep your operating system and software up to date. Security patches are frequently released by software developers to address flaws that hackers could exploit. Failing to update your system and software leaves your computer vulnerable to potential threats.

To ensure that your operating system and software are up to date, it’s important to turn on automatic updates. This will ensure that your system gets updates as soon as they become available. Additionally, you can manually check for updates by accessing the settings for your software or operating system. By doing this, you can be certain that your computer is protected against potential threats.

Tip #2: Use Antivirus and Anti-Malware Software

Antivirus and malware removal software are essential tools for protecting your computer against malicious software such as viruses, spyware, and ransomware. These programs scan your computer on a regular basis for malware and remove it if found. By using antivirus and anti-malware software, you can safeguard your computer from malicious attacks and maintain its security.

When it comes to antivirus and anti-malware software, it’s crucial to choose a reputable and trustworthy option that offers comprehensive protection against various types of malware. With numerous software options available on the market, selecting the right one can be overwhelming. However, by doing some research and selecting the one that meets your needs, you can ensure that your computer remains protected from potential threats.

Tip #3: Use a Firewall

firewall is a crucial security system that monitors and controls network traffic, both incoming and outgoing. It serves as a barrier between your computer and the internet, blocking unauthorized access. By utilizing a firewall, you can protect your computer from potential cyber attacks and enhance its security.

Most operating systems come with a built-in firewall that you can enable by going to your system’s settings. However, you can further increase your computer’s security by installing a third-party firewall. These firewalls offer additional features and customization options that can help you tailor the protection to your needs. By using a firewall, you can safeguard your computer against potential threats and enhance its overall security.

Tip #4: Use Strong and Unique Passwords

Using strong and unique passwords is crucial in safeguarding your device against potential cyber attacks. Cybercriminals frequently use automated programs to guess passwords and weak passwords are easily guessed, allowing them to gain access to your computer more easily. By using strong and unique passwords, you can significantly enhance your computer’s security.

To create a strong password, use a combination of letters, numbers, and symbols. Avoid using common phrases or words that are easily guessed. Additionally, do not use the same password for multiple accounts, as this can leave you vulnerable if one account is compromised. Consider using a password manager to generate and store strong and unique passwords for all your accounts. By taking these steps, you can ensure that your computer remains protected against potential threats.

Tip #5: Be Wary of Phishing Scams

Phishing scams are a type of social engineering attack that cybercriminals use to trick people into disclosing sensitive information like passwords and credit card numbers. These scams can be sent via email, text messages, or even social media. Falling prey to a phishing scam can lead to significant financial loss and compromise your personal information.

To avoid falling victim to phishing scams, it’s important to be cautious of any suspicious emails or messages. Do not click on any unknown links or download any attachments from suspicious sources. Always check the sender’s email address to ensure that it is from a legitimate source.

If you receive an email that appears to be from your bank or another financial institution, do not provide any sensitive information. Instead, contact the institution directly to confirm the authenticity of the email. By taking these steps, you can protect yourself from phishing scams and keep your personal information secure.

Tip #6: Use Two-Factor Authentication

Two-factor authentication (2FA) is a crucial security measure that adds an extra layer of protection to your online accounts. This security measure requires users to provide two forms of identification before accessing their accounts, making it more difficult for cybercriminals to access your information. Two-factor authentication can prevent unauthorized access to your accounts and protect your sensitive information from being compromised.

Many online services, such as email and social media platforms, offer two-factor authentication as an additional security measure. To enable two-factor authentication, go to your account settings and follow the instructions provided by the service. You can usually choose between receiving a code via text message or using an authentication app. Enabling two-factor authentication can greatly improve the security of your accounts and help keep your personal information safe.

Tip #7: Back Up Your Data Regularly

The best practice to protect your data from cyber attacks is to regularly back it up. If your computer is infected with malware or hacked, you might lose all your data. By backing up your data regularly, you can easily restore your data in the event of a cyber attack.

In conclusion, adhering to the tips and tools mentioned above can not only safeguard your personal or business data but also prevent potential embarrassment and costly fines.
Use anti-virus and anti-malware software.

The Cybersecurity Playbook for Modern Enterprises: An end-to-end guide to preventing data breaches and cyber attacks


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: cyber attacks, data breaches, Malware

Mar 30 2023

New WiFi Flaw Let Attackers Hijack Network Traffic

Category: Cyber Attack,Wi-Fi SecurityDISC @ 8:27 am
New WiFi Flaw Let Attackers Hijack Network Traffic

A fundamental security issue in the design of the IEEE 802.11 WiFi protocol standard, according to a technical study written by Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef of imec-DistriNet, KU Leuven, allows attackers to deceive access points into exposing network frames in plaintext.

When the receiver is in sleep mode, for example, Wi-Fi devices routinely queue frames at different tiers of the network stack before sending.

WiFi frames are data packages comprising a header, data payload, and trailer containing data like the MAC addresses of the source and destination and control and management information.

By keeping track of the busy/idle states of the receiving points, these frames are broadcast in a regulated manner to prevent collisions and maximize data exchange performance.

According to the researchers, queued/buffered frames are not sufficiently protected from attackers, who can control data transmission, client spoofing, frame redirection, and capturing.

Adversary Can Abuse the Power-Save Mechanisms

The initial version of the 802.11 standards already included power-saving features that let clients go into a sleep or doze mode to use less power. All frames intended for a client station are queued when it goes into sleep mode because it sends a frame to the access point with a header that includes the power-saving flag.

Nevertheless, the standard does not specify how to manage the security of these queued frames and does not impose any time restrictions on how long the frames may remain in this state.

The access point dequeues the buffered frames, adds encryption, and transmits them to the target after the client station has awakened.

Attack Diagram

In this case, a hacker might impersonate a network device’s MAC address and transmit power-saving frames to access points, making them queue up frames for the intended target. To obtain the frame stack, the attacker then sends a wake-up frame.

Typically, the WiFi network’s group-addressed encryption key or a pairwise encryption key, specific to each device and used to encrypt frames sent between two devices, are used to encrypt the transmitted frames.

By providing authentication and association frames to the access point, the attacker can force it to transmit the frames in plaintext or encrypt them using a key provided by the attacker, changing the security context of the frames.

“As a result of the attack, anyone within the communication range of the vulnerable access point can intercept the leaked frames in plaintext or encrypted using the group-addressed encryption key, depending on the respective implementation of the stack (i.e., user-space daemon, kernel, driver, firmware).”, explain the researchers.

Network Device Models That Are Known To Be Vulnerable:

“An adversary can use their Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” researchers warn.

“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”

The researchers warn that these attacks may be exploited to inject malicious content, such as JavaScript, into TCP packets.

Cisco is the first firm to recognize the significance of the WiFi protocol weakness, acknowledging that the attacks described in the paper may be effective against Cisco wireless access point products and Cisco Meraki products.

“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.

The company advises implementing mitigating strategies such as employing software like Cisco Identity Services Engine (ISE), which can impose network access restrictions by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.

“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” Cisco.

Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions 

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Hijack Network Traffic

Mar 28 2023

HACKING PHONES REMOTELY WITHOUT TOUCHING VIA NEW INAUDIBLE ULTRASOUND ATTACK

Category: Cyber Attack,Smart PhoneDISC @ 8:25 am
Hacking phones remotely without touching via new inaudible ultrasound attack 

The Near-Ultrasound Invisible Trojan, or NUIT, was developed by a team of researchers from the University of Texas at San Antonio and the University of Colorado Colorado Springs as a technique to secretly convey harmful orders to voice assistants on smartphones and smart speakers.

If you watch videos on YouTube on your smart TV, then that television must have a speaker, right? According to Guinevere Chen, associate professor and co-author of the NUIT article, “the sound of NUIT harmful orders will [be] inaudible, and it may attack your mobile phone as well as connect with your Google Assistant or Alexa devices.” “That may also happen in Zooms during meetings. During the meeting, if someone were to unmute themselves, they would be able to implant the attack signal that would allow them to hack your phone, which was placed next to your computer.

The attack works by playing sounds close to but not exactly at ultrasonic frequencies, so they may still be replayed by off-the-shelf hardware, using a speaker, either the one already built into the target device or anything nearby. If the first malicious instruction is to mute the device’s answers, then subsequent actions, such as opening a door or disabling an alarm system, may be initiated without warning if the first command was to silence the device in the first place.

“This is not only a problem with software or malicious software. It is an attack against hardware that makes use of the internet. According to Chen, the non-linearity of the microphone design is the flaw that has to be fixed by the manufacturer in order to eliminate the vulnerability. “Among the 17 smart gadgets we evaluated, [only] Apple Siri devices need the user’s voice to be hijacked, while other voice assistant devices may be triggered by using any voice or a robot voice,” the study’s authors write.

How to damage hard drives with ultrasonic attack

Using headphones is Chen’s recommendation for anybody worried about the NUIT attack, despite the fact that a genuine defense against NUIT would involve the usage of customized hardware. She indicates that the risk of being attacked by NUIT is reduced if you do not utilize the speaker to emit sound. “When using earphones, there is a limit to the amount of sound that can be sent to the microphone since the volume of the sound coming from the earphones is too low. In the event that the microphone is unable to pick up the subversive inaudible order, the underlying voice assistant won’t be able to be maliciously triggered by NUIT.


InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: HACKING PHONES REMOTELY, ULTRASOUND ATTACK

Mar 24 2023

Top ways attackers are targeting your endpoints

Category: Cyber Attack,Endpoint securityDISC @ 7:19 am
Top ways attackers are targeting your endpoints

Over the last several years, endpoints have played a crucial role in cyberattacks. While there are several steps organizations can take to help mitigate endpoint threats – such as knowing what devices are on a network (both on-premises and off-site), quarantining new or returning devices, scanning for threats and vulnerabilities, immediately applying critical patches, etc. – there is still much to be done to ensure endpoint security.

To achieve that, it’s important to understand some of the primary attack vectors hackers use against endpoints.

Phishing/spear-phishing

Phishing, especially spear-phishing, is an effective way for gaining access to endpoints to harvest user credentials.

It is not itself an exploit, but a method that threat actors use to deliver a payload – whether it’s a link to a fake Microsoft 365 web portal (for credential harvesting), or a macro-enabled word document with a malware payload that executes on opening.

Because of this nuance, it’s critical that security analysts implement not only email filtering (a crude defense, at best) but endpoint tools that would block the deployment of malware payloads delivered by email: antivirus (AV) and antimalware (AM). Implementing AV/AM products creates a safety net, blocking malware execution if a phishing email successfully bypasses corporate email filters.

We recently saw how threat actors deployed phishing to infect user endpoints at a massive scale with the IceXLoader malware. The malware is bundled into an innocent-looking ZIP file delivered as an email attachment. Once opened, the malware extracts itself to a hidden file directory on the C drive of an endpoint, providing a beachhead for the attacker to perform additional attacks to further breach the corporate network.

OS vulnerability exploitation

Vulnerabilities are made possible by bugs, which are errors in source code that cause a program to function unexpectedly, in a way that can be exploited by attackers. By themselves, bugs are not malicious, but they are gateways for threat actors to infiltrate organizations. These allow threat actors to access systems without needing to perform credential harvesting attacks and may open systems to further exploitation. Once they are within a system, they can introduce malware and tools to further access assets and credentials.

For attackers, vulnerability exploitation is a process of escalation, whether through privileges on a device or by pivoting from one endpoint to other assets. Every endpoint hardened against exploitation of vulnerabilities is a stumbling block for a threat actor trying to propagate malware in a corporate IT environment.

There are routine tasks and maintenance tools that allow organizations to prevent these vulnerabilities getting exploited by attackers. Patch management tools can scan devices, install patches (fixes), and provide reports on the success or failure of these actions. In addition, organizations can leverage configuration management tools to maintain OS configuration files in the desired secure state.

Software vulnerability exploitation

Software vulnerabilities exist in products (software) installed within an OS environment. For example, Google Chrome gets frequent patches from Google, primarily because it is a massive target for exploitation.

As with OS vulnerabilities, the best defense against exploits are the frequently released third-party patches/updates, the implementation of which can be facilitated by endpoint management tools.

Additionally, enforcing acceptable use policies can help reduce the opportunities for end users to engage in behaviors that could put their endpoints and company assets at risk.

And beyond security information and event management (SIEM) and antivirus tools, organizations can drastically decrease the impact caused by a successfully executed ransomware attack by:

  • Implementing data loss prevention (DLP) solutions
  • Creating off-site backups
  • Taking advantage of data storage solutions in the cloud

Conclusion

The changing cyberattack landscape requires IT and security departments to be nimble and evolve in tandem with threats. The fixes of yesterday may not work today – while the threats could be the same, their tactics are likely different. When working to mitigate network threats, do not forget the increasingly vital role endpoints play.

hole

Endpoint security Complete Self-Assessment Guide

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: endpoints

Mar 23 2023

Cybersecurity 101: What is Attack Surface Management?

Category: Cyber Attack,cyber securityDISC @ 9:39 am
Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.

ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.

Understanding Attack Surface Management

Here are some key terms in ASM:

  • Attack vectors are vulnerabilities or methods threat actors use to gain unauthorized access to a network. These vulnerabilities include vectors such as malware, viruses, email attachments, pop-ups, text messages and social engineering. 
  • An attack surface is the sum of attack vectors that threat actors can potentially use in a cyberattack. In any organization, all internet-connected hardware, software and cloud assets add to the attack surface. 
  • Shadow IT is any software, hardware or computing resource being used on a company’s network without the consent or knowledge of the IT department. Quite often, shadow IT uses open-source software that is easy to exploit. 
  • Attackers use sophisticated computer programs and programming techniques to target vulnerabilities in your attack surface, like shadow IT and weak passwords. These cyber criminals launch attacks to steal sensitive data, like account login credentials and personally identifiable information (PII)

Read the Threat Index

Why is Attack Surface Management Important?

Security teams can use ASM practices and tools to prevent risks in the following ways:

  • Reduce blind spots to get a holistic view of your IT infrastructure and understand which cloud or on-premise assets are exposed to attackers.
  • Eliminate shadow IT to remove unknown open-source software (OSS) or unpatched legacy programs.
  • Minimize human error by building a security-conscious culture where people are more aware of emerging cyber threats. 
  • Prioritize your risk. You can get familiar with attack patterns and techniques that threat actors use.

How Attack Surface Management Works

There are four core processes in attack surface management: 

  1. Asset discovery is the process of automatically and continuously scanning for entry points that threat actors could attack. Assets include computers, IoT devices, databases, shadow IT and third-party SaaS apps. During this step, security teams use the following standards:
    • CVE (Common Vulnerabilities and Exposures): A list of known computer security threats that helps teams track, identify and manage potential risks.
    • CWE (Common Weakness Enumeration): A collection of standardized names and descriptions for common software weaknesses.
  2. Classification and prioritization is the process of assigning a risk score based on the probability of attackers targeting each asset. CVEs refer to actual vulnerabilities, while CWEs focus on the underlying weaknesses that may cause those vulnerabilities. After analysis, teams can categorize the risks and establish a plan of action with milestones to fix the issues.
  3. Remediation is the process of resolving vulnerabilities. You could fix issues with operating system patches, debugging application code or stronger data encryption. The team may also set new security standards and eliminate rogue assets from third-party vendors.
  4. Monitoring is the ongoing process of detecting new vulnerabilities and remediating attack vectors in real-time. The attack surface changes continuously, especially when new assets are deployed (or existing assets are deployed in new ways).  

You can learn more about the four core processes and how attack surface management works on the IBM blog. 

How to Get a Job in Attack Surface Management

Anyone who works in attack surface management must ensure the security team has the most complete picture of the organization’s attack vectors — so they can identify and combat threats that present a risk to the organization.

Hiring companies look for people with a background and qualifications in information systems or security support. The minimum expectations typically include the following:

  • Strong technical security skills
  • Strong analytical and problem-solving skills
  • Working knowledge of cyber threats, defenses and techniques
  • Working knowledge of operating systems and networking technologies
  • Proficiency in scripting languages, like Perl, Python or Shell Scripting
  • Experience with attack surface management and offensive security identity technologies.

What’s Next in Attack Surface Management?

Cyber Asset Attack Surface Management (CAASM) is an emerging technology that presents a unified view of cyber assets. This powerful technology helps cybersecurity teams understand all the systems and discover security gaps in their environment.

There is no one-size-fits-all ASM tool — security teams must consider their company’s situation and find a solution that fits their needs. 

Some key criteria include the following:

  • Easy-to-use dashboards
  • Extensive reporting features to offer actionable insights
  • Comprehensive automated discovery of digital assets (including unknown assets, like shadow IT)
  • Options for asset tagging and custom addition of new assets
  • Continuous operation with little to no user interaction
  • Collaboration options for security teams and other departments.

With a good ASM solution, your security team can get a real cyber criminal’s perspective into your attack surface. You can find, prioritize and solve security issues quickly and continuously. Ultimately, a diligent attack surface management strategy helps protect your company, employees and customers. 

Side view of young businessman using laptop in office. Male professional sitting at conference table working on laptop computer.

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Attack Surface, Cyber Threat, Threat Intelligence

Mar 10 2023

US Lawmakers Face Cyberattacks, Potential Physical Harm After DC Health Link Breach

Category: Cyber Attack,Data Breach,Information Security,Security BreachDISC @ 12:24 pm

The threat actor who posted the data for sale has claimed credit for multiple other breaches, including one at grocery platform Weee! that exposed data on more than 1.1 million customers.

Jai VijayanContributing Writer, Dark Reading

US House of Representatives seal
Source: Ron Adar via Shutterstock

Hundreds of US lawmakers and their families are at risk of identity theft, financial scams, and potentially even physical threats after a known info-theft threat actor called IntelBroker made House of Representatives members’ personally identifiable information (PII) available for sale on the “Breached” criminal forum.

The information, confirmed as being obtained via a breach at health insurance marketplace DC Health Link, includes names, Social Security numbers, birth dates, addresses, and other sensitive identifying information. The data on the House members was part of a larger data set of PII belonging to more than 170,000 individuals enrolled with DC Health Link that the threat actor put up for sale this week.

DC Health Link: A Significant Breach

In a March 8 email to members of the House and their staff, US House Chief Administrative Officer Catherine Szpindor said the attack on DC Health Link does not appear to have specifically targeted US lawmakers. But the breach was significant and potentially exposed PII on thousands of people enrolled with DC Health Link.

“The FBI also informed us that they were able to purchase this PII, along with other enrollee information, on the Dark Web,” Speaker of the House Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) said in a joint letter to the executive director at DC Health Link on March 8. The letter sought specifics from the health exchange on the breach, including details on the full scope of the attack and DC Health Link’s plans to notify affected individuals and offer credit monitoring services for them.

Despite the letter, details of the intrusion at DC Health Link are not yet available. The organization, governed by an executive board appointed by the DC mayor, did not immediately respond to a request for comment on the incident.

A report in BleepingComputer this week first identified the threat actor as the appropriately named IntelBroker, after the cybercriminals put the stolen data up for sale on March 6. According to the underground forum ad, the data set is available for “an undisclosed amount in Monero cryptocurrency.” Interested parties are asked to contact the sellers via a middleman for details.

IntelBroker’s Resume of Previous Breaches

This is not the first big heist for the group: A threat actor, using the same moniker in February, had claimed credit for a breach at Weee!, an Asian and Hispanic food delivery service. IntelBroker later leaked some 1.1 million unique email addresses and detailed information on over 11.3 million orders placed via the service. 

Security vendor BitDefender, which covered the incident in its blog at the time, published an ad that IntelBroker placed on BreachedForums that showed the attacker boasting about obtaining full names, email addresses, phone number, and even order notes which included apartment and building access codes.

Meanwhile, Chris Strand, chief risk and compliance officer at Cybersixgill says his company has been tracking IntelBroker since 2022 and is about to release a report on the actor. “IntelBroker is a highly active Breached member with an 9/10 reputation score, who claimed in the past to be the developer of Endurance ransomware,” Strand says.

IntelBroker’s use of Breached to sell the health exchange PII, instead of a dedicated leak site or a Telegram channel, is consistent with the threat actor’s previous tactics. It suggests either a lack of resources or inexperience on the individual’s part, Strand says. 

“In addition to IntelBroker’s presence on Breached, the threat actor has maintained a public GitHub repository titled Endurance-Wiper,” he tells Dark Reading.

In November, IntelBroker claimed that it used Endurance to steal data from high level US government agencies, Strand notes. The threat actor has in total made some 13 claims about breaching top US government agencies, likely to attract customers to a ransomware-as-a-service (RaaS) program. Other organizations that IntelBroker claims to have broken into include Volvo, cult footwear maker Dr. Martens, and an Indonesian subsidiary of The Body Shop.

“Our intelligence analysts have been tracking IntelBroker since 2022, and we have been collecting intel attributed to that threat actor since then, as well as associated threats that have been related or attributed to IntelBroker,” Strand says.

Is House Members’ PII a National Security Threat?

Justin Fier, senior vice president of red team operations at Darktrace, says the threat actor’s reason for putting the data up for sale appears to be purely financially motivated rather than political. And given the high profile of the victims, IntelBroker may find that the attention the breach is garnering will increase the value of the stolen data (or bring more heat than it would like).

The buyers might be another story. Given the availability of physical addresses and electronic contact information, the kinds of potential follow-on attacks are myriad, ranging from social engineering for identity theft or espionage, to physical targeting, meaning that interested parties could run the gamut in terms of motivation.

“The amount tells you a great deal about who they may be thinking of in terms of buyers,” he says. If all that the threat actor ends up asking is a couple of thousand dollars, they are likely to be a smaller criminal enterprise. But “you start talking millions, they are clearly then catering to nation-state buyers,” he says.

Fier assesses that the data that the threat actor stole on US House members as potentially posing a national security issue. “We shouldn’t only think external nation-states that might want to purchase this,” Fier says. “Who is to say that other political parties and/or activists couldn’t weaponize it?”

https://www.darkreading.com/application-security/us-lawmakers-cyberattacks-physical-harm-dc-health-link-breach

Previous posts on Cyber Attacks

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Cyberattacks, US Lawmakers

Dec 30 2022

EarSpy – A New Attack on Android Devices Use Motion Sensors to Steal Sensitive Data

Category: Cyber Attack,Smart PhoneDISC @ 10:17 am
EarSpy – A New Attack on Android Devices Use Motion Sensors to Steal Sensitive Data

There has been a new eavesdropping attack developed by a team of security experts for Android devices which has been dubbed “EarSpy.” With the help of this attack, attackers can detect the following things:-

  • Caller’s gender
  • Caller’s identity to various degrees
  • Speech content

As part of its exploratory purpose, EarSpy aims to capture motion sensor data readings generated by the reverberations from the ear speaker in mobile devices in order to create new methods of eavesdropping.

Universities Involved in this Project

Cybersecurity researchers from five American universities have undertaken this academic project called EarSpy. These are all the names of the universities that are affiliated with this project:-

  • Texas A&M University 
  • New Jersey Institute of Technology
  • Temple University
  • University of Dayton
  • Rutgers University

Evolution of Smartphone Tech

Smartphone loudspeakers have been explored as a potential target for such attacks. As a result of this, the ear speakers are incapable of generating enough vibration to allow eavesdropping to be executed properly for the side-channel attack.

While the audio quality and vibrations of modern smartphones have improved greatly as a result of more powerful stereo speakers.

Even the tiniest resonance from a speaker can be measured by a modern device because it has more sensitive motion sensors and gyroscopes.

It is remarkable how little data is recorded on the spectrogram from the earphones of a 2016 OnePlus 3T, while a stereo ear speaker on the 2019 OnePlus 7T produces a significant amount of information.

As part of their experiments, the researchers used a OnePlus 7T device as well as a OnePlus 9 device. Both of these devices were used by the researchers to play pre-recorded audio through their ear speakers only using a variety of pre-recorded audio sets.

Although the results of the tests varied according to the dataset and device, they indicated that eavesdropping via ear speakers can be accomplished successfully.

To Check more on Detection Performance & Recommendation:

Based on the features in the time/frequency domain of the ML algorithm, the detection performance for the OnePlus 7T device has been tested, and here below we have mentioned the output chart:- 

EarSpy Android


Infosec books | InfoSec tools | InfoSec services

Tags: Android, Steal Sensitive Data

Dec 21 2022

Windows Code-Execution Vulnerability Let Attackers Run Malicious Code Without Authentication

Category: Cyber Attack,Remote code,Security vulnerabilities,Windows SecurityDISC @ 3:13 pm
Windows Code-Execution Vulnerability Let Attackers Run Malicious Code Without Authentication

It has recently been discovered by researchers that Windows has a vulnerability that allows code execution that rivals EternalBlue in terms of potential. It is possible for an attacker to execute malicious code without authentication by exploiting this newly-tracked vulnerability CVE-2022-37958

It is possible to exploit this vulnerability in a wormable way, which can lead to a chain reaction that can impact other systems that are vulnerable, and a new attack can be launched.

A greater range of network protocols is affected by this vulnerability as opposed to the earlier version, which gave attackers more flexibility.

Successful exploitation of this vulnerability allows any Windows application protocol that accesses the NEGOEX protocol may enable an attacker to remotely execute arbitrary code.

Despite the list of protocols that have been identified, there could be other protocols and standards that are affected as well.

On a target system, there is no user input or authentication required by a victim in order for this vulnerability to succeed. This vulnerability has been classified by Microsoft as “Critical,” with a maximum severity for all categories.

As a result, CVSS 3.1 now has an overall score of 8.1 out of 10. It is important to note that systems with unpatched default configurations are vulnerable to this flaw.

The reclassification was performed by X-Force Red in accordance with its responsible disclosure policy with Microsoft.

Recommendations

For the time being, IBM won’t release the full technical details regarding the vulnerabilities and patches until Q2 2023, in order to give defenders a chance and enough time to apply them.

Security Intelligence recommends that users and administrators apply the patch as soon as possible due to the widespread use of SPNEGO, which ensures that they are protected.

All systems running Windows 7 and newer are compatible with this fix, which is part of the security updates for September 2022.

Moreover, X-Force Red recommends the following additional recommendations:-

  • Identify which services are exposed to the internet, such as SMB and RDP.
  • You should continuously monitor your attack surface, including Windows Authentication-enabled servers.
  • In the event that the patch cannot be applied, set Kerberos or Net-NTLM as the default authentication providers on Windows and remove Negotiate as the default authentication provider.

Windows Code-Execution Flaw

Infosec books | InfoSec tools | InfoSec services

Tags: Windows Code-Execution Vulnerability

Dec 09 2022

ATTACKING ACTIVE DIRECTORY WITH LINUX

Category: Cyber Attack,Windows SecurityDISC @ 11:33 am

ATTACKING-ACTIVE-DIRECTORY-with-Linux-compressed-1Download

Mastering Active Directory: Design, deploy, and protect Active Directory Domain Services for Windows Server 2022

Tags: ATTACKING ACTIVE DIRECTORY, Mastering Active Directory

Nov 03 2022

Samsung Galaxy Store Flaw Allows Remote Attacker to Run Code on Affected Phones

Category: Cyber Attack,Mobile Security,Remote codeDISC @ 10:26 pm
Samsung Galaxy Store Flaw Allows Remote Attacker to Run Code on Affected Phones

A security flaw in the Galaxy Store allows attackers to trigger remote code execution on affected smartphones.

 The now patched vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.

Vulnerability Details

The now-patched vulnerability is related to a cross-site scripting (XSS) flaw that occurs when handling specific deep links and it affects Galaxy Store version 4.5.32.4. The problem was first reported by an independent security researcher.

Particularly, deeplink can be called from another application or from a browser. The store receives appropriate deeplinks, it will process and show them in a webview.

In this case, by failing to secure the deeplink, the attacker is able to run JS code in the Galaxy Store application’s webview context whenever a user hits a link from a website that contains the deeplink.

The expert focuses on deep links configured for Samsung’s Marketing & Content Service (MCS).

Although the Samsung MCS Direct Page website was extracting the argument from the url and displaying it on the website, it did not encrypt, which resulted in an XSS problem.

“We can see the website is processing the abc, def parameters and displaying as above without encoding, the url is passed directly to href this is very dangerous and will cause XSS.” reads the advisory published by SSD Secure Disclosure.

Experts observed two functions ‘downloadApp’ and ‘openApp’ here these two functions will get the app id and download them from the store or open them.

This indicates that these two functions can be called using JS code. In this case, an attacker has the ability to execute arbitrary code by injecting it into the MCS website.

“To be able to successfully exploit the victim’s server, it is necessary to have HTTPS and CORS bypass of Chrome,” advisory published by SSD Secure Disclosure

Affected Products and Patch Available

The vulnerability impacts Galaxy Store version 4.5.32.4.

Therefore, Samsung has issued patches that are now in wide circulation for all Samsung devices.

Samsung Galaxy Store Flaw

Tags: Samsung Galaxy Store Flaw

Sep 09 2022

Why Ports Are at Risk of Cyberattacks

Category: Cyber AttackDISC @ 7:44 am

More docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

Docked ships
Source: Hans-Joachim Aubert via Alamy Stock Photo

Evidence indicates that the world’s ports are returning to pre-pandemic levels. During the first 11 months of 2021, the value of US international freight increased by more than 22% (PDF) compared with the same 11 months in 2020. More freight means more ships docking at port. And not only are more ships docking, but their dwell times are increasing as well. The average container vessel dwell time at the top 25 US container ports was estimated at 28.1 hours in 2020. In the first half of 2021, average container vessel dwell times increased to 31.5 hours.

While this increase in activity is undoubtedly welcome, more docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

The Cyber-Risk to Ships

The maritime industry is especially vulnerable to cyber incidents. There are multiple stakeholders involved in the operation and chartering of a ship, which often results in a lack of accountability for the IT and OT system infrastructure and the ship’s networks. The systems may rely on outdated operating systems that are no longer supported and cannot be patched or run antivirus checks.

Going forward, this threat is expected to increase. Critical ship infrastructure related to navigation, power, and cargo management has become increasingly digitized and reliant on the Internet to perform a broad range of legitimate activities. The growing use of the Industrial Internet of Things (IIoT) will increase the ships’ attack surface.

Common ship-based cyber vulnerabilities include the following:

  • Obsolete and unsupported operating systems
  • Unpatched system software
  • Outdated or missing antivirus software and protection from malware
  • Unsecured shipboard computer networks
  • Critical infrastructure continuously connected with the shore side
  • Inadequate access controls for third parties including contractors and service providers
  • Inadequately trained and/or skilled staff on cyber-risks

Troubled Waters?

Maritime cybersecurity has become a significant issue affecting ports around the world. According to the firm Naval Dome, cyberattacks on maritime transport increased by 400% in 2020. Cybersecurity risks are especially problematic to ports around the globe since docked ships regularly interact digitally with shore-based operations and service providers. This digital interaction includes the regular sending of shipping documents via email or uploading documents via online portals or other communications with marine terminals, stevedores, and port authorities.

For example, many port authorities require a Port State Control (PSC) survey to be completed by foreign ships docking in their ports. Among other activities, this survey verifies several ship certificates and approximately 40 different documents required by international maritime authorities.

Some past examples of port-based cyber breaches:

Port of Rotterdam: In June 2017, the port of Rotterdam was hit with a ransomware attack that paralyzed the activities of two container terminals operated by APMT, a subsidiary of the MĂžller-Maersk group. Note that the port of Rotterdam had completely automated its operations as part of a Smart Port strategy.

Port of Shahid Rajaee: In May 2020, the port of Shahid Rajaee, Iran, suffered a cyberattack that almost totally shut down its operations. The Washington Post reported that the “computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility.” This cyberattack was presumed to be Israel’s response to an attack on its water network.

Port of Kennewick: In November 2020, the port of Kennewick, Wash., was hit with ransomware that completely locked access to its servers. Even with the small size of this port, it took nearly a week for port authorities to access their data. Malware injected via a phishing email is thought to be the cause of this attack.

Knowing that they are vulnerable to cyber breaches does not help alleviate the challenge to ports that have no choice but to accept documents originating from these ships. If ports block these documents, the ships cannot dock, and this ultimately causes delays in global logistics and the supply chain.

The Danger

Ports have no choice but to accept the ships’ documents. Refusal to accept these documents means loss of port revenue and blockages in the smooth flow of the supply chain. Document sending must proceed. But file-borne threats pose a significant challenge for ports. Malware is designed to access or damage a computer without the owner’s knowledge. Hackers embed malicious code into seemingly innocent files. When those files are opened, the malware automatically executes and allows the hackers to gain access to valuable data or cause damage to the maritime industry.

Many of these threats first enter the ship through email phishing schemes — attempts to fool employees and individuals into opening and clicking on malicious links or attachments in emails or uploading malicious documents to website portals. These “hacks” often exploit vulnerabilities in the ships’ networks, using the vessel to gain access to the ship’s partners, including the port.

https://www.darkreading.com/attacks-breaches/why-ports-are-at-risk-of-cyberattacks

Maritime Cybersecurity: A Guide for Leaders and Managers

Tags: Maritime Cybersecurity, maritime industry, ports attacks, shipping attacks

Sep 01 2022

List of Data Breaches and Cyber Attacks in August 2022 – 97 Million Records Breached

Category: Cyber Attack,Data Breach,data security,Information Security,Security BreachDISC @ 9:01 am

August 2022 has been a lesson in being careful with whom you provide sensitive information. In a month that saw the former US president accused of misappropriating classified government documents, there were also a spate of malicious insiders compromising their employer’s systems.

Meanwhile, the bastion of password security, LastPass, announced that its systems had been breached – although the organisation is confident that customers’ details remain secure.

In total, we identified 112 publicly disclosed security incidents in August, resulting in 97,456,345 compromised records.

You can find the full list of incidents below, broken into their respective categories.

Contents

Data Breaches

Data Security

Free Basic network and Data Security Awareness

Tags: data breach, data security, infosec breach

Aug 26 2022

How to Protect Your Small Business From Personalized Cyberattacks

Category: Cyber AttackDISC @ 10:50 am
How to Protect Your Small Business From Personalized Cyberattacks

Small businesses (SMBs) are increasingly targets of cyberattacks and are often financially devastated by a single successful attack. Even with a significant network of security tools in place, SMBs can be caught off guard by the increasing number of attack methods threat actors choose to employ. However, with the following information, SMBs can safeguard their business and their employees from two common attack types: Executive impersonation and business email compromise (BEC).

One of the most crucial things to watch out for is executive impersonation, which can start with a spear phishing attack on a key member of the executive team. A successful initial attack will lead to the compromise of the individual’s phone number or email account, providing a threat actor with both a window into internal events, but also a means to request funds transfers or other financial theft. Interestingly, once successful, the threat actor may also monitor the same executive’s social media accounts and wait until they are on vacation or out of the office before making first contact.

This is not directly part of the attack vector; however, it is an effective surveillance tool.

Identify Attacks

These types of phishing attacks are on the rise because they rely on human error rather than software or operating system vulnerabilities. Mistakes by well-intentioned employees are less preventable and predictable, but they can be identified and thwarted if recognized quickly. WMC Global recommends companies employ a service that monitors for active phishing attacks and for client interaction or compromise. Thus, when an employee in a business makes a mistake and visits a malicious site or provides credentials to a thief, the event can be identified quickly, and the company warned in real-time.

Securing Small Businesses Against BEC Attacks

When looking to secure small companies, the importance of employing BEC alerting also cannot be overlooked. According to the FBI, in 2021 small businesses lost upwards of $2.4 billion in email scams, including BEC attacks. Why are BEC attacks so successful? The threat actors do their research and are very selective about who they target. They complete full background profiles and potentially dox their targets as well. When employees fall for and submit credentials in these types of attacks, urgent action is needed to prevent damage and protect critical business systems.

So, how can small businesses protect their employees from these in both the short and long term?

1. Train Your Employees. Make sure to train employees about the signs of social engineering attacks at least quarterly. Emphasize identifying and avoiding phishing attacks sent not only to the business email but also via SMS phishing messages.
2. Develop Procedures for Critical Process. Ensure that your company has documented policies for making changes to key financial procedures, and especially external payments to suppliers and partners.
3. Test Your Employees. Run simulations to ensure that your employees can identify and report both phishing and social engineering attacks.
4. Keep Travel Plans Private. Key executives should avoid exposing personal travel plans on social media, especially on overseas trips. Threat actors will take advantage of difficult and limited communications in these situations to impersonate key business executives and make requests that are hard for the company to validate effectively – back to the need for the development of procedures for critical processes.
5. Continue Defense Measures. Leverage special intelligence that can identify if a business employee clicks on a malicious link or that urgently notifies the company when an employee’s email or credentials are recovered from an active phishing attack.

Guarding SMBs

It’s critical for small businesses to understand that they will always be vulnerable to cyberattacks, but the above measures can provide defense for companies from threats that lead to executive impersonation and business email compromise. Following these five tips, SMBs will be well guarded against any attacks launched against their organization. Staying vigilant can be a decision that ultimately liberates a small business from threat actors and marketplace attack trends.

business smb risk

Protecting small businesses against emerging and complex cyber-attacks

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: Cybersecurity for SMBs

Aug 25 2022

Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack

Category: Access Control,Attack Matrix,Cyber Attack,Vendor AssessmentDISC @ 2:02 pm

The “0ktapus” cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp.

Okta logo on a mobile phone screen

The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.

That’s according to an investigation from Group-IB, which found that several well-known organizations were among those targeted in a massive phishing campaign that it calls 0ktapus. The lures were simple, such as fake notifications that users needed to reset their passwords. They were sent via texts with links to static phishing sites mirroring the Okta authentication page of each specific organization.

“Despite using low-skill methods, [the group] was able to compromise a large number of well-known organizations,” researchers said in a blog post today. “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

Such was the case with the Twilio breach that occurred Aug. 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for single sign-on across the organization, allowing them to gain access to internal systems, applications, and customer data. The breach affected about 25 downstream organizations that use Twilio’s phone verification and other services — including Signal, which issued a statement confirming that about 1,900 users could have had their phone numbers hijacked in the incident.

The majority of the 130 companies targeted were SaaS and software companies in the US — unsurprising, given the supply chain nature of the attack.

For instance, additional victims in the campaign include email marketing firms Klaviyo and Mailchimp. In both cases, the crooks made off with names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including for Mailchimp customer DigitalOcean (which subsequently dropped the provider).

In Cloudflare’s case, some employees fell for the ruse, but the attack was thwarted thanks to the physical security keys issued to every employee that are required to access all internal applications.

Lior Yaari, CEO and co-founder of Grip Security, notes that the extent and cause of the breach beyond Group IB’s findings are still unknown, so additional victims could come to light.

“Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords,” he warns. “Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for shadow SaaS.”

Time to Rethink IAM?

On the whole, the success of the campaign illustrates the trouble with relying on humans to detect social engineering, and the gaps in existing identity and access management (IAM) approaches.

“The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attack,” Yaari says. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta.”

The incident also points out that enterprises increasingly rely on their employees’ access to mobile endpoints to be productive in the modern distributed workforce, creating a rich, new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.

“From phishing to network threats, malicious applications to compromised devices, it’s critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access,” he wrote in an emailed statement.

https://www.darkreading.com/remote-workforce/twilio-hackers-okta-credentials-sprawling-supply-chain-attack

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: authentication, authorization, Identity and Access Management

Aug 11 2022

AWS and Splunk partner for faster cyberattack response

Category: Cyber Attack,Information SecurityDISC @ 2:44 pm

OCSF initiative will give enterprise security teams an open standard for moving and analyzing threat data

BLACK HAT AWS and Splunk are leading an initiative aimed at creating an open standard for ingesting and analyzing data, enabling enterprise security teams to more quickly respond to cyberthreats.

Seventeen security and tech companies at the Black Hat USA 2022 show this week unveiled the Open Cybersecurity Schema Framework (OCSF) project, which will use the ICD Schema developed by Symantec as the foundation for the vendor-agnostic standard.

The creation of the OCSF, licensed under the Apache License 2.0, comes as organizations are seeing their attack surfaces rapidly expand as their IT environments become increasingly decentralized, stretching from core datacenters out to the cloud and the edge. Parallel with this, the number and complexity of the cyberthreats they face is growing quickly.

“Today’s security leaders face an agile, determined and diverse set of threat actors,” officials with cybersecurity vendor Trend Micro, one of the initial members of OCSF, wrote in a blog post. “From emboldened nation state hackers to ransomware-as-a-service (RaaS) affiliates, adversaries are sharing tactics, techniques and procedures (TTPs) on an unprecedented scale – and it shows.”

Trend Micro blocked more than 94 billion threats in 2021, a 42 percent year-on-year increase, and 43 percent of organizations responding to a survey from the vendor said their digital attack surface is getting out of control.

Cybersecurity vendors have responded by creating platforms that combine attack surface management, threat prevention, and detection and response to make it easier and faster for enterprises to counter attacks. They streamline processes, close security gaps, and reduce costs, but they’re still based on vendor-specific products and point offerings.

Vendors may use different data formats in their products, which means moving datasets from one vendor’s product to that of another often requires the time-consuming task of changing the format of the data.

“Unfortunately, normalizing and unifying data from across these disparate tools takes time and money,” Trend Micro said. “It slows down threat response and ties up analysts who should be working on higher value tasks. Yet up until now it has simply become an accepted cost of cybersecurity. Imagine how much extra value could be created if we found an industry-wide way to release teams from this operational burden?”

Dan Schofield, program manager for technology partnerships at IBM Security, another OCSF member, wrote that the lack of open industry standards for logging and event purposes creates challenges when it comes to detection engineering, threat hunting, and analytics, and until now, there has been no critical mass of vendors willing to address the issue.

Source: AWS and Splunk partner for faster cyberattack response

Tags: AWS, Splunk

Jul 20 2022

Million of vehicles can be attacked via MiCODUS MV720 GPS Trackers

Category: Cyber Attack,Hardware Security,Threat detectionDISC @ 8:28 am
Million of vehicles can be attacked via MiCODUS MV720 GPS Trackers

Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers shipped with over 1.5 million vehicles can allow hackers to remotely hack them.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of multiple security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers which are used by over 1.5 million vehicles.

MiCODUS flaws

An attacker can exploit the flaws to remote disruption of critical functions of the impacted vehicles.

“CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker.” reads the advisory published by CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”

The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.

The flaws were discovered by BitSight researchers, they have been tracked as CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944.

Researchers from BitSight who discovered the issues reported that threat actors could hack into the tracker to potentially cut off fuel, physically stop vehicles, or track the movement of vehicles using the device.

MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.

The list of the vulnerabilities discovered by the researchers in September 2021 is reported below:

  • CVE-2022-2107 (CVSS score: 9.8) – The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
  • CVE-2022-2141 (CVSS score: 9.8) – Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
  • CVE-2022-2199 (CVSS score: 7.5) – A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
  • CVE-2022-34150 (CVSS score: 7.1) – The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification.
  • CVE-2022-33944 (CVSS score: 6.5) – The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs.
  • Experts found a sixth issued that has yet to receive a CVE (CVSS score: 8.1) – all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password nor is there any claiming process. The setup itself does not require a password change to use the device. We observed that many users have never changed their passwords.

The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.

BitSight recommends users immediately cease using or disable any MiCODUS MV720 GPS trackers due to the severity of the flaw, at least until the vendor will address the issues.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”

Researchers highlighted the risks that a nation-state actor could potentially exploit the above vulnerabilities to gather intelligence on entities operating in the military or one of its supplies. Data such as supply routes, troop movements, and recurring patrols could be revealed by exploiting these flaws-

“Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem.” concludes the report. “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”

Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles

Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles

These days security of car is very essential. Thieves are finding more ways of stealing cars and other four wheeler vehicles. In this book we have given details about the anti-theft system which will help to car owners to secure their cars. This system is efficient and affordable. This system gives more advantages than other anti-theft system. Main feature of this system is that owner will gate information if the car is being stolen and the location of car (longitude and altitude).

Anti-theft Locking and Tracking system using GSM and GPS Technology

Tags: Car Security, GPS Trackers

Jun 06 2022

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

Category: App Security,Backdoor,Cyber Attack,Cyber Threats,CyberweaponDISC @ 8:33 am
Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During the bug hunting activity, Red Team Research (RTR) detected 2 zero-day bugs on GEMINI-NET, a RESI Informatica solution.

It’s been detected an OS Command Injection, which has been identified from NIST as a Critical one, its score is 9,8.  This vulnerability comes from a failure to check the parameters sent as inputs into the system before they are processed by the server. 

Due to the lack of user input validation, an attacker can ignore the syntax provided by the software and inject arbitrary system commands with the user privileges of the application.

RESI S.p.A. has been for over thirty years a technological partner of the largest Italian organizations such as the Ministry of Defence, the Presidency of the Council of Ministers, the Italian Post Office, Leonardo, Ferrovie dello Stato, TIM, Italtel. Plus RESI S.p.A. Is one of the few Italian companies, that creates national technology.

Please note that patches for these specific vulnerabilities have been released by Resi.

Resi

What GEMINI-NET from Resi is

GEMINI-NET™ is a Resi product that allows active and passive monitoring of networks and communication services, used in many networks, both old and new generation. This platform is an OSS system that can be integrated, modular and scalable.

It monitors in real time all the needs related to typical network services and infrastructure issues and is able to optimize resources and data traffic on the network.

Resi

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 â€“ RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NIST
    https://nvd.nist.gov/vuln/detail/CVE-2022-29539

    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

According to the institutional website https:///www.gruppotim.it/redteam, once these vulnerabilities were identified, researchers Alessandro Bosco, Fabio Romano and Stefano Scipioni immediately started the process of Coordinated Vulnerability Disclosure (CVD) with Massimiliano Brolli, leading the project, by publishing only after the availability of the fixes made by the Vendor.

Below are the details that have been published on the institutional website and NIST ratings.

CVE-2022-29539 â€“ RESI S.p.A

  • Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection – CWE-78)
    Software Version: 4.2
    NISThttps://nvd.nist.gov/vuln/detail/CVE-2022-29539
    CVSv3: 9.8
    Severity: CriticalRESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.

In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.

In two years, more than 70 CVEs have been published, 4 of them with a Critical severity (9.8 of CVSSv3 scores), 23 of them with a High severity and 36 of them with a Medium severity.

Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”.

It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, and contributing to the security of the products used by many organizations and several individuals.

Secure Application Development


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: command injection, Secure Application Development

Jun 01 2022

List of data breaches and cyber attacks in May 2022 – 49.8 million records breached

Category: Cyber Attack,Data Breach,Information SecurityDISC @ 3:41 pm

Welcome to our May 2022 review of data breaches and cyber attacks. We identified 77 security incidents during the month, resulting in 49,782,129 compromised records.

You can find the full list below, with incidents affecting UK organisations listed in bold.

Contents

cyber attacks in May 2022

source: List of data breaches and cyber attacks in May 2022

Tags: data breaches

Apr 15 2022

How vx-underground is building a hacker’s dream library

Category: Cyber Attack,Cyber crime,Dark Web,Information SecurityDISC @ 12:59 pm
How vx-underground is building a hacker’s dream library

Editor’s Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. “I had no success really,” said its founder, who goes by the online moniker smelly_vx.

But over the last couple of years, the site’s popularity has soared thanks in part to its robust Twitter presence that mixes breaking cybersecurity news with memes. The site now bills itself as “the largest collection of malware source code, samples, and papers on the internet,” with about 35 million samples overall.

vx-undergound operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the site’s goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.

Dmitry Smilyanets: I would like to start from the very beginning — please introduce yourself.

smelly_vx: Hi. I am “smelly__vx“. I am the creator of vx-underground and the guy who runs/maintains a good portion of vx-underground’s website and the vx-underground Twitter account.

I am in my early 30s. I have a wife. I have a dog. I don’t think I can say anything else which is interesting or important.

DSTell me about the site’s background — how did it start, how did you build it into what it is today?

VX: About vx-underground — it was created to act as the successor to the legendary vxHeaven (created by the Ukrainian dude herm1t). When I was a teenager I discovered vxHeaven and learned tons from it. It was an invaluable asset. Around 2017 or so, when I was a software engineer, I got tired of writing malware (as a hobbyist) by myself.

I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, “Well, if you miss it so much, why don’t you make your own?” I thought this was a good idea — why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development, I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts, I had been a “lone wolf” for nearly a decade at this point — I was a “nobody.” However, I decided this shouldn’t be a restraining factor so I bought some random bullshit hosting, purchased the domain name ‘vx-underground’ and got to work.

I officially made vx-underground in May 2019. I had no success really, I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.

Unsurprisingly, in October 2019, vx-underground was banned from a lot of web hosts. I had places which housed neo-Nazis, pornography, and gambling, deny my hosting.

Nobody wanted to house malware samples, the only way I was going to get the ability to house malware samples was if I had become a company, and did paperwork and all sorts of bullshit. I did not like this idea. Luckily, and to my surprise, the people over at ThugCrowd introduced me to a group of people behind TCP.DIRECT. They also liked the idea of a new vxHeaven, as the main group of people behind it also had been on the vxHeaven forums ages ago. They assisted me with hosting, handling the web security, etc. This was very beneficial for me because, as TCP.DIRECT will confirm, I am a complete idiot with anything system administrative/web security related.

Following this introduction to TCP.DIRECT, vx-underground had essentially zero restraint. I was able to upload malware samples, malware papers, malware source code, etc. as much as I liked. The only thing I had to do then was add content and be consistent. Along the way I met a guy from the [Commonwealth of Independent States], Neogram, who assisted me with Russian translations and giving me a (metaphorical) tour of the CIS malware scene. This expanded my horizon and gave vx-underground better insight into current malware trends.

All of this happened very quickly, this ‘story’ encapsulates what happened between August 2019 and December 2019.

DSWhat are your mission and goals?

VX: I don’t know. vx-underground is a library, our goal is basically to
 collect malware samples, papers, and code? It exists and that is it. The closest thing to a ‘goal’ we have is simple: “more papers, more samples, more code.” It is as simple as that.

DS: Are you financially motivated? How do you monetize your work? Is it lucrative?

VX: No, we are not financially motivated. vx-underground is fueled by passion and love for the ‘game.’ In 2021 vx-underground made $13,000 all from donations. Every time I tell people vx-underground does not make money I am always greeted with shock and surprise. It appears people are unable to comprehend someone would do something for passion rather than financial gain. This is disappointing.

More on this article “vx-underground” – building a hacker’s dream library

DS: One may say you are a threat actor group. Are you?

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Hacker library

Apr 07 2022

A cyber attack forced the wind turbine manufacturer Nordex Group to shut down some of IT systems

Category: Cyber AttackDISC @ 8:45 am

Nordex Group, one of the largest manufacturers of wind turbines, was hit by a cyberattack that forced the company to shut down part of its infrastructure. 

https://securityaffairs.co/wordpress/129875/security/a-cyber-attack-forced-the-wind-turbine-manufacturer-nordex-group-to-shut-down-some-of-it-systems.html

Nordex Group, one of the world’s largest manufacturers of wind turbines, was the victim of a cyberattack that forced the company to take down multiple systems.

The attack was uncovered on March 31 and the company immediately started its incident response procedure to contain the attack.

Nordex Group shut down “IT systems across multiple locations and business units” as a precautionary measure to prevent the threat from spreading across its networks.

“On 31 March 2022 Nordex Group IT security detected that the company is subject to a cyber security incident. The intrusion was noted in an early stage and response measures initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units.” reads the announcement published by the company. “The incident response team of internal and external security experts has been set up immediately in order to contain the issue and prevent further propagation and to assess the extent of potential exposure.”

Nordex did not disclose technical details of the cyberattack, but the fact that it was forced to shut down part of its IT infrastructure suggests that it fell victim to a ransomware attack.

According to the press release, customers, employees, and other stakeholders may be affected by the shutdown of the company’s systems.

Nordex did not disclose technical details of the cyberattack, but the fact that it was forced to shut down part of its IT infrastructure suggests that it felt victim to a ransomware attack.

In November another manufacturer of wind turbines was hit by a cyber attack, it was the Danish wind turbine giant Vestas Wind Systems. The company was hit by the Lockbit 2.0 ransomware gang than published stolen data in December after the negotiation for the ransomware payment failed.

Nordex Group

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

Tags: Nordex Group, The Hacker and the State

Next Page »