Jan 26 2021

Dance like nobody’s watching, browse the web like everyone is

Category: Information Security | DISC @ 12:58 am


Jan 26 2021

Cyber Security Spend To Jump 10% to $60 Billion in 2021

Category: Information Security | DISC @ 12:48 am


Jan 25 2021

New campaign targeting security researchers

Category: Information Security, Information Warfare | DISC @ 6:10 pm

Over the past several months, the Threat Analysis Group has identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have employed a number of means to target researchers which we will outline below. We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.

In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.

Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.

[Screenshot from the actors' blog: an analysis by the actor of a publicly disclosed vulnerability.]

While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit. On Jan 14, 2021, the actors shared via Twitter a YouTube video they uploaded that proclaimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake. Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was “not a fake video.”

Source: New campaign targeting security researchers


Jan 25 2021

Insider Attack on Home Surveillance Systems

Category: Cyber surveillance, Insider Threat | DISC @ 11:23 am


Jan 25 2021

VisualDoor: SonicWall SSL-VPN Exploit

Category: Information Security, VPN | DISC @ 12:28 am

TL;DR: SonicWall “Virtual Office” SSL-VPN Products ship an ancient version of Bash vulnerable to ShellShock, and are therefore vulnerable to unauthenticated remote code execution (as a “nobody” user) via the /cgi-bin/jarrewrite.sh URL.

The exploit is incredibly trivial. We simply spaff a shellshock payload containing a bash /dev/tcp backconnect at it, and we get a shell. Now, the environment on these things is incredibly limited – it's stripped-down Linux. But we have bash, openssl, and FTP. So you could always download your own toolkit for further exploitation.

Anyway, here is the public exploit. It is incredibly trivial and recycles the telnetlib handler for reverse shells from exploits released by Stephen Seeley. https://github.com/darrenmartyn/visualdoor.

Source: VisualDoor: SonicWall SSL-VPN Exploit
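For defenders, the TL;DR above reduces to one detection question: are requests carrying the ShellShock function-definition prefix (`() {`) in an HTTP header reaching `/cgi-bin/jarrewrite.sh`? The following Python is an added example, not code from the linked write-up or the exploit repository; the combined-log-format regex, the sample log lines, the IP addresses and the severity labels are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2021:10:01:02 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
198.51.100.7 - - [24/Jan/2021:10:01:05 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jan/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { x; }; id" "curl/7.68.0"
"""

# Combined log format: client, ident, user, timestamp, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A vulnerable bash treats an exported variable that begins with "() {" as a function
# definition and runs what follows; CGI copies request headers into such variables.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# The CGI endpoint named in the VisualDoor TL;DR.
VULN_CGI = "/cgi-bin/jarrewrite.sh"


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if the line is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("ua", "referer"):  # header fields CGI exports into the environment
        if SHELLSHOCK_RE.search(m.group(field)):
            # Any ShellShock prefix is suspicious; hitting the known CGI path is critical.
            severity = "critical" if m.group("path") == VULN_CGI else "high"
            return {
                "ip": m.group("ip"),
                "path": m.group("path"),
                "field": field,
                "severity": severity,
            }
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return the list of findings in file order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```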


Jan 24 2021

The Prescription Coffee Mug

Category: cyber security, Information Security | DISC @ 3:13 pm


Jan 24 2021

Hacker leaks data of 2.28M users of dating site MeetMindful

Category: Data Breach, Hacking | DISC @ 12:13 pm


Jan 23 2021

New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys via The Hacker News

Category: 2FA, Hacking | DISC @ 11:13 pm

Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.

But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.

The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim’s account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections.

“The adversary can sign in to the victim’s application account without the U2F device, and without the victim noticing,” NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis.

“In other words, the adversary created a clone of the U2F device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials.”

Source: New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys


Jan 23 2021

Hacker blunder leaves stolen passwords exposed via Google search

Category: Information Security, Password Security | DISC @ 2:18 pm

Source: Hacker blunder leaves stolen passwords exposed via Google search

Hackers hitting thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot and let Google index the stolen passwords for public searches.

The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages. It received constant updates to make the fraudulent Microsoft Office 365 login requests look more realistic.

Creds in plain sight

Despite relying on simple techniques, the campaign has been successful in bypassing email protection filters and collected at least 1,000 login credentials for corporate Office 365 accounts.

Researchers at cybersecurity companies Check Point and Otorio analyzing this campaign discovered that the hackers exposed the stolen credentials to the public internet.

In a report published today, they explain that the attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was that they put the data in a publicly visible file that Google indexed.

As a result, Google could show results for queries of a stolen email address or password, as seen in the screenshot above:


Jan 23 2021

SANS Virtual Summits Will Be FREE for the Community in 2021


Jan 22 2021

US administration adds “subliminal” ad to White House website

Category: InfoSec jobs | DISC @ 11:44 pm

Well, it turns out that the new 2021 White House website added a job ad, too, presumably hoping to get some publicity and to attract job applicants to the US Digital Service (USDS).

The USDS describes itself as a part of the public service that aims to use “design and technology to deliver better services to the American people”, and its goal is to attract at least some of those technophiles that might otherwise be lured to join the fast-paced, dollar-sign world of commercial cloud-based products and services.

After all, today’s technology business juggernauts are in a position to offer eye-watering starting salaries and the promise of fast-paced, ever-changing coding challenges based on the very latest hardware platforms and programming languages.


Jan 22 2021

Key 2021 Insights: Proactive Security Needed for Ransomware, Phishing

Category: Information Security, Phishing, Ransomware | DISC @ 12:03 pm

Healthcare leaders will need to shift to a proactive security approach in 2021 if they hope to defend against the onslaught of ransomware and phishing threats.

The ransomware surge of the last few months has already continued into 2021. And though the malware will remain a key trend this year, healthcare industry stakeholders will need to adopt a proactive security approach and secure key entry points, including phishing threats and vulnerable endpoints.

Listen to the full podcast to learn more about Xtelligent Healthcare Media’s predictions for 2021. And don’t forget to subscribe on iTunes, Spotify, or Google Podcasts.

Xtelligent Healthcare Media Editors recently compiled predictions for the healthcare sector in the year ahead on a Healthcare Strategies podcast episode. In the healthcare security space, leaders can expect continued email-based attacks and other schemes that prey on COVID-19 fears.

Source: Proactive Security Needed for Ransomware, Phishing


Jan 22 2021

SVR Attacks on Microsoft 365

Category: Cyber Attack | DISC @ 12:27 am


Jan 22 2021

70% of Financial Service Firms Hit by COVID Cyber Attacks

Category: Information Security | DISC @ 12:23 am

A new report has emerged detailing that 70% of financial service firms have been hit by COVID-related cyber attacks in the past twelve months that were more damaging due to the unusual circumstances of the COVID-19 virus.

The numbers come from Keeper Security, who took responses from more than 370 information technology leaders in the UK while compiling a global report into financial service firms being targeted by cyber attacks.

Authors of the report state that 70% of financial service firms were hit by cyber attacks, with the majority of IT leaders saying that COVID-19 working conditions made the attacks more severe.


Jan 21 2021

WordPress Security: The Ultimate Guide

Category: Information Security, Web Security | DISC @ 2:49 pm

WordPress security can be intimidating, but it doesn’t have to be. In this comprehensive guide to WordPress security, we’ve simplified the basics of securing your WordPress website so that any non-technical person can understand and protect their website from hacker attacks.

This guide to WordPress security is broken down into 10 easily digestible sections. Each section will guide you through a specific aspect of WordPress security. By the end of the guide, you will learn the different types of vulnerabilities, the motives of hackers, and how to secure everything from your server to the individual users of your WordPress website.

Source: WordPress Security: The Ultimate Guide (https://ithemes.com/wordpress-security-the-ultimate-guide/)


Jan 21 2021

DEF CON 28 Safe Mode IoT Village

Category: Hacking | DISC @ 11:51 am


Jan 20 2021

Health Insurer Fined $5.1M For 17-Month-Long Data Breach

Category: hipaa | DISC @ 11:54 pm

An American health insurer has been fined $5.1M for a potential HIPAA violation after a data breach saw more than 9.3 million customers impacted and their personal health information potentially accessed.

The health insurer was fined after news of a 17-month data breach came to light, which forced the Excellus Health Plan, Inc. to pay the Office for Civil Rights (OCR) a $5.1 million settlement.

The settlement came after the Department of Health and Human Services identified a series of violations of the Health Insurance Portability and Accountability Act (HIPAA), which aims to protect the confidentiality and integrity of protected health information (PHI).


Jan 20 2021

Web application firewalls bypasses collection and testing tools


Jan 20 2021

More Ways To Make Passwords

Category: Password Security | DISC @ 11:06 pm


Jan 20 2021

Sophisticated Watering Hole Attack

Category: Cyber Attack | DISC @ 3:11 pm

Google’s Project Zero has exposed a sophisticated watering-hole attack targeting both Windows and Android:

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android.

The use of zero-days and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code — which chained together multiple exploits in an efficient manner — the campaign demonstrates it was carried out by a “highly sophisticated actor.”

