Jan 26 2021
Ghost hack â criminals use deceased employeeâs account to wreak havoc
Many, if not most, organisations will tell you that they have processes and procedures that they follow when employees leave.
In particular, most companies have a slick and quick procedure for removing ex-staff from the payroll.
Firstly, it doesnât make economic sense to pay someone who is no longer entitled to the money; secondly, many countries require employers to withold payroll taxes automatically, to pay them in promptly, and to account for them accurately.
Why get into trouble with the tax office over former employees when you can have a simple âstaff leavingâ checklist that will help to keep you compliant and solvent at the same time?
Unfortunately, weâre not always quite so switched on (or, to be more precise, not quite so good at switching things off) when it comes to ex-staff and cybersecurity.
History is full of stories of havoc wreaked by ex-employees who maintained both their grudges and their paswords or access tokens after being fired or laid off.
Some of these revenge attacks have acquired legendary status, like the man from the splendidly named town of Maroochydore in Maroochy Shire in Queensland, Australia, who used insider information and a purloined computer to âhackâ the councilâs waste management system.
This crook quite literally, if you will pardon the expression, showered the shire with⊠well, with 1,000,000 litres of raw sewage, by operating all the right pumps in all the wrong ways.
As amusing as this crime sounds with 20 years of hindsight â it happened in the year 2000 â the disgruntled former contractor caused an environmental hazard, including polluting a tidal canal, that took days to clean up.
He was caught, tried and convicted of 27 counts of unauthorised computer access, and one count of wilfully and unlawfully causing serious environmental harm:
âMarine life died, the creek water turned black and the stench was unbearable for residents,â said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.
Then there was the US sysadmin who was fired in 2009 and decided to get his own back by planting keyloggers on his former employeeâs network, harvesting passwords until he had access to the accounts of senior staff, and then remotely hacking into a presentation by the CEO to the board of directors.
Source: Ghost hack
Jan 25 2021
New campaign targeting security researchers
Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.
In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including âguestâ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that proclaimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake. Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was ânot a fake video.â
Source: New campaign targeting security researchers
Jan 25 2021
VisualDoor: SonicWall SSL-VPN Exploit
TL;DR: SonicWall âVirtual Officeâ SSL-VPN Products ship an ancient version of Bash vulnerable to ShellShock, and are therefore vulnerable to unauthenticated remote code execution (as a ânobodyâ user) via the /cgi-bin/jarrewrite.sh URL.
The exploit is incredibly trivial. We simply spaff a shellshock payload containing a bash /dev/tcp backconnect at it, and we get a shell. Now, the environment on these things is incredibly limited â its stripped down Linux. But we have bash, openssl, and FTP. So you could always download your own toolkit for further exploitation.
Anyway, here is the public exploit. It is incredibly trivial and recycles the telnetlib handler for reverse shells from exploits released by Stephen Seeley. https://github.com/darrenmartyn/visualdoor.
Source: VisualDoor: SonicWall SSL-VPN Exploit
Jan 23 2021
Hacker blunder leaves stolen passwords exposed via Google search
Source: Hacker blunder leaves stolen passwords exposed via Google search
Hackers hitting thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot and let Google the stolen passwords for public searches.
The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages. It received constant updates to make the fraudulent Microsoft Office 365 login requests look more realistic.
Creds in plain sight
Despite relying on simple techniques, the campaign has been successful in bypassing email protection filters and collected at least 1,000 login credentials for corporate Office 365 accounts.
Researchers at cybersecurity companies Check Point and Otorio analyzing this campaign discovered that the hackers exposed the stolen credentials to the public internet.
In a report published today, they explain that the attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was that they put the data in a publicly visible file that Google indexed.
As a result, Google could show results for queries of a stolen email address or password, as seen in the screenshot above:
Jan 22 2021
Key 2021 Insights: Proactive Security Needed for Ransomware, Phishing
Healthcare leaders will need to shift into a proactive security approach into 2021, if they hope to defend against the onslaught of ransomware and phishing threats.
The ransomware surge during the last few months has already continued into 2021. And though the malware will remain a key trend into this year, healthcare industry stakeholders will need adopt a proactive security approach and secure key entry points, including phishing threats and vulnerable endpoints.
Listen to the full podcast to learn more about Xtelligent Healthcare Mediaâs predictions for 2021. And donât forget to subscribe on iTunes, Spotify, or Google Podcasts.
Xtelligent Healthcare Media Editors recently compiled predictions for the healthcare sector in the year ahead on a Healthcare Strategies podcast episode. In the healthcare security space, leaders can expect continued email-based attacks and other schemes that prey on COVID-19 fears.
Source: Proactive Security Needed for Ransomware, Phishing
Jan 22 2021
70% of Financial Service Firms Hit by COVID Cyber Attacks
A new report has emerged detailing that 70% of financial service firms have been hit by COVID-related cyber attacks in the past twelve months that were more damaging due to the unusual circumstances of the COVID-19 virus.
The numbers come from Keeper Security, who took responses from more than 370 information technology leaders in the UK while compiling a global report into financial service firms being targeted by cyber attacks.
Authors of the report state that 70% of financial service firms were hit by cyber attacks, with the majority of IT leaders saying that COVID-19 working conditions made the attacks more severe.
Jan 21 2021
WordPress Security: The Ultimate Guide
WordPress Security: The Ultimate Guide
WordPress security can be intimidating, but it doesnât hhttps://ithemes.com/wordpress-security-the-ultimate-guide/?ave to be. In this comprehensive guide to WordPress security, weâve simplified the basics of securing your WordPress website so that any non-technical person can understand and protect their website from hacker attacks.
This guide to WordPress security is broken down into 10 easily digestible sections. Each section will guide you through a specific aspect of WordPress security. By the end of the guide, you will learn the different types of vulnerabilities, the motives of hackers, and how to secure everything from your server to the individual users of your WordPress website.
Source: WordPress Security: The Ultimate Guide
Jan 20 2021
List of DNSpooq vulnerability advisories, patches, and updates
Yesterday, seven Dnsmasq vulnerabilities were disclosed, collectively known as DNSPooq, that attackers can use to launch DNS Cache Poisoning, denial of service, and possibly remote code execution attacks, on affected devices.
Dnsmasq is a widely used open-source Domain Name System (DNS) forwarding application commonly installed on routers, operating systems, access points, and other networking equipment.
Vendors have started to release information on how customers can protect themselves from DNSPooq. To make it easier to find this information, BleepingComputer will be listing security advisories as they are released.
The related CVEs from JSOF’s DNSpooq advisory are listed below, along with their descriptions.
| Name | CVSS | Description |
|---|---|---|
| CVE-2020-25681 | 8.1 | Dnsmasq versions before 2.83are susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target deviceâs memory that can lead to memory corruption and other unexpected behaviors on the target device. |
| CVE-2020-25682 | 8.1 | Dnsmasq versions before 2.83 are susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. |
| CVE-2020-25683 | 5.9 | Dnsmasq versions before 2.83 are susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a Denial of Service. |
| CVE-2020-25687 | 5.9 | Dnsmasq versions before 2.83are vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. |
| CVE-2020-25684 | 4 | A lack of proper address/port check implemented in dnsmasq versions |
| CVE-2020-25685 | 4 | A lack of query resource name (RRNAME) checks implemented in dnsmasqâs versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. |
| CVE-2020-25686 | 4 | Multiple DNS query requests for the same resource name (RRNAME) by dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. |
BleepingComputer suggests checking this page throughout the coming days to see if new information is available for devices you may be using.
Source: List of DNSpooq vulnerability advisories, patches, and updates
Jan 19 2021
CPRA Compliance
This tool enables you to identify your organizationâs CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.
Jan 18 2021
Crafting the InfoSec PlayBook
Any good attacker will tell you that expensive security monitoring and prevention tools arenât enough to keep you secure. This practical book demonstrates a data-centric approach to distilling complex security monitoring, incident response, and threat analysis ideas into their most basic elements. Youâll learn how to develop your own threat intelligence and incident detection strategy, rather than depend on security tools alone.
Written by members of Ciscoâs Computer Security Incident Response Team, this book shows IT and information security professionals how to create an InfoSec playbook by developing strategy, technique, and architecture.
- Learn incident response fundamentalsâand the importance of getting back to basics
- Understand threats you face and what you should be protecting
- Collect, mine, organize, and analyze as many relevant data sources as possible
- Build your own playbook of repeatable methods for security monitoring and response
- Learn how to put your plan into action and keep it running smoothly
- Select the right monitoring and detection tools for your environment
- Develop queries to help you sort through data and create valuable reports
- Know what actions to take during the incident response phase
Jan 17 2021
President Biden’s Peloton exercise equipment under scrutiny
President Joe Biden can’t bring his Peloton exercise equipment to the White House due to security reasons.
Peloton devices are connected online and are equipped with a camera and microphone that give the users an immersive experience and communications capabilities. On the other side, these features pose a potential risk to the user in case of a hack, and President Joe Biden is a privileged target.
To secure the exercise equipment, Bidenâs Peloton may have to be modified, removing the microphone, camera and networking equipment.
âIf you really want that Peloton to be secure, you yank out the camera, you yank out the microphone, and you yank out the networking equipment ⊠and you basically have a boring bike,â Max Kilger, Ph.D., director of the Data Analytics Program and Associate Professor in Practice at the University of Texas at San Antonio, told Popular Mechanics. âYou lose the shiny object and the attractiveness.â
Source: President Biden’s Peloton exercise equipment under scrutiny
So long Peloton Joe Biden may need new exercise equipment when he moves
httpv://www.youtube.com/watch?v=m7VjoflLL8k&ab_channel=InsideNews
Nov 29 2020
10 Best InfoSec Hacking Books
10 Best InfoSec Hacking Books
To download 10 Best InfoSec Hacking Books pdf
[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2020/11/10-best-InfoSec-hacking-books.pdf” title=”10 best InfoSec hacking books”]
To download 10 Best InfoSec Hacking Books pdf
[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2020/11/Metsploit-cheatsheet.pdf” title=”Metsploit cheatsheet”]
« Previous Page — Next Page »
