Jan 20 2021

More Ways To Make Passwords

Category: Password Security | DISC @ 11:06 pm


Jan 20 2021

Sophisticated Watering Hole Attack

Category: Cyber Attack | DISC @ 3:11 pm

Google’s Project Zero has exposed a sophisticated watering-hole attack targeting both Windows and Android:

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android.

The use of zero-days and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code — which chained together multiple exploits in an efficient manner — the campaign demonstrates it was carried out by a “highly sophisticated actor.”


Jan 20 2021

List of DNSpooq vulnerability advisories, patches, and updates

Category: DNS Attacks, Information Security | DISC @ 11:37 am

Yesterday, seven Dnsmasq vulnerabilities were disclosed, collectively known as DNSpooq, that attackers can use to launch DNS cache poisoning, denial of service, and possibly remote code execution attacks on affected devices.

Dnsmasq is a widely used open-source Domain Name System (DNS) forwarding application commonly installed on routers, operating systems, access points, and other networking equipment. 

Vendors have started to release information on how customers can protect themselves from DNSpooq. To make it easier to find this information, BleepingComputer will be listing security advisories as they are released.

The related CVEs from JSOF’s DNSpooq advisory are listed below, along with their descriptions.

Name (CVSS score): Description

CVE-2020-25681 (CVSS 8.1): Dnsmasq versions before 2.83 are susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into the target device’s memory that can lead to memory corruption and other unexpected behaviors on the target device.

CVE-2020-25682 (CVSS 8.1): Dnsmasq versions before 2.83 are susceptible to a buffer overflow in the extract_name() function due to a missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device.

CVE-2020-25683 (CVSS 5.9): Dnsmasq versions before 2.83 are susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in dnsmasq, resulting in a Denial of Service.

CVE-2020-25687 (CVSS 5.9): Dnsmasq versions before 2.83 are vulnerable to a heap-based buffer overflow with a large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in heap-allocated memory. This flaw is caused by the lack of length checks in rfc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service.

CVE-2020-25684 (CVSS 4): A lack of proper address/port check implemented in dnsmasq versions

CVE-2020-25685 (CVSS 4): A lack of query resource name (RRNAME) checks implemented in the reply_query function of dnsmasq versions before 2.83 allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning.

CVE-2020-25686 (CVSS 4): Multiple DNS query requests for the same resource name (RRNAME) by dnsmasq versions before 2.83 allow remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning.
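The three spoofing CVEs above (CVE-2020-25684, -25685, -25686) each describe a check a forwarder must apply to a reply before caching it: that the reply comes from the address and port the query went to, that its question section names the same record that was asked for, and that only one query per name is in flight so a birthday attack gains nothing. The following Python is an added illustration of those three checks on a toy forwarder; it is not Dnsmasq's code, and the upstream address (198.51.100.53, from the TEST-NET-2 documentation range) and the sample replies are constructed for the example.

```python
"""Defender-side validation of DNS replies, modelled on the three spoofing checks
named in the DNSpooq advisory. Constructed example, not Dnsmasq's own code."""
import secrets
import struct

QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (lower-cased name, next offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # RFC 1035 compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels).lower(), end


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query with one question (used by the forwarder)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(txid: int, name: str, qtype: int, rdata: bytes) -> bytes:
    """A reply echoing the question plus one answer (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


class Forwarder:
    """Tracks in-flight queries keyed by (name, qtype) and validates replies."""

    def __init__(self, upstream=("198.51.100.53", 53)):   # constructed upstream
        self.upstream = upstream
        self.pending = {}   # (qname, qtype) -> {"txid": int, "sport": int}

    def send_query(self, name: str, qtype: int = QTYPE_A):
        """Return the wire query to send, or None if one is already in flight
        for this name/type (CVE-2020-25686: no parallel queries to race against)."""
        key = (name.lower(), qtype)
        if key in self.pending:
            return None
        txid = secrets.randbelow(0x10000)             # random transaction id
        sport = 1024 + secrets.randbelow(64512)       # random source port
        self.pending[key] = {"txid": txid, "sport": sport}
        return build_query(txid, name, qtype)

    def accept_reply(self, reply: bytes, src_addr: str, src_port: int, dst_port: int):
        """Return ("accept", qname, qtype) or a 'reject: ...' string."""
        if (src_addr, src_port) != self.upstream:     # CVE-2020-25684 check
            return "reject: reply not from the upstream address/port queried"
        if len(reply) < 12:
            return "reject: truncated header"
        txid, flags, qdcount = struct.unpack("!HHH", reply[:6])
        if not flags & 0x8000 or qdcount != 1:
            return "reject: not a single-question response"
        qname, off = decode_name(reply, 12)
        qtype, _qclass = struct.unpack("!HH", reply[off:off + 4])
        entry = self.pending.get((qname, qtype))      # CVE-2020-25685 check
        if entry is None:
            return "reject: no outstanding query for this name/type"
        if entry["txid"] != txid or entry["sport"] != dst_port:
            return "reject: transaction id or destination port mismatch"
        del self.pending[(qname, qtype)]
        return ("accept", qname, qtype)


def demo():
    """Run one legitimate and several spoofed replies through the checks."""
    fwd = Forwarder()
    query = fwd.send_query("example.com")
    txid = struct.unpack("!H", query[:2])[0]
    sport = fwd.pending[("example.com", QTYPE_A)]["sport"]
    good = build_reply(txid, "example.com", QTYPE_A, bytes([93, 184, 216, 34]))
    other = build_reply(txid, "bank.example", QTYPE_A, bytes([203, 0, 113, 5]))
    return {
        "duplicate_query_suppressed": fwd.send_query("example.com") is None,
        "wrong_port": fwd.accept_reply(good, "198.51.100.53", 53, sport ^ 1),
        "wrong_src": fwd.accept_reply(good, "203.0.113.9", 53, sport),
        "wrong_name": fwd.accept_reply(other, "198.51.100.53", 53, sport),
        "good": fwd.accept_reply(good, "198.51.100.53", 53, sport),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the last reply in `demo()` is accepted; the others fail one of the three checks even though they carry the correct transaction id, which is the point of the advisory: a 16-bit id on its own is not enough entropy to resist off-path spoofing.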

BleepingComputer suggests checking this page throughout the coming days to see if new information is available for devices you may be using.

Source: List of DNSpooq vulnerability advisories, patches, and updates


Jan 19 2021

FreakOut botnet targets 3 recent flaws to compromise Linux devices

Category: Botnet | DISC @ 10:26 am

The botnet appeared in the threat landscape in November 2020; in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aimed at compromising the targeted systems to create an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.

The attacks observed by Check Point aimed at devices that run one of the following products:

  • TerraMaster TOS (TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers
  • Zend Framework – a collection of packages used in building web applications and services using PHP, with more than 570 million installations
  • Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites

Once a device is infected, it is later used as an attack platform.


Jan 19 2021

Recovering a hacked account

Category: Information Security | DISC @ 12:45 am

A step-by-step guide to recovering an online account.


Jan 19 2021

CPRA Compliance

Category: Information Security, Security Compliance | DISC @ 12:24 am

This tool enables you to identify your organization’s CPRA (California Privacy Rights Act) compliance gaps, and helps you plan the steps necessary to achieve ongoing compliance.


Jan 18 2021

Crafting the InfoSec PlayBook

Category: Information Security, Security playbook | DISC @ 4:31 pm

Any good attacker will tell you that expensive security monitoring and prevention tools aren’t enough to keep you secure. This practical book demonstrates a data-centric approach to distilling complex security monitoring, incident response, and threat analysis ideas into their most basic elements. You’ll learn how to develop your own threat intelligence and incident detection strategy, rather than depend on security tools alone.

Written by members of Cisco’s Computer Security Incident Response Team, this book shows IT and information security professionals how to create an InfoSec playbook by developing strategy, technique, and architecture.

  • Learn incident response fundamentals—and the importance of getting back to basics
  • Understand threats you face and what you should be protecting
  • Collect, mine, organize, and analyze as many relevant data sources as possible
  • Build your own playbook of repeatable methods for security monitoring and response
  • Learn how to put your plan into action and keep it running smoothly
  • Select the right monitoring and detection tools for your environment
  • Develop queries to help you sort through data and create valuable reports
  • Know what actions to take during the incident response phase


Jan 18 2021

Cell Phone Location Privacy

Category: Information Privacy | DISC @ 3:50 pm


Jan 18 2021

Introduction to Hacking

Category: Hacking | DISC @ 3:34 pm

This book will show you how hacking works. You will have a chance to understand how attackers gain access to your systems and steal information. Also, you will learn what you need to do in order to protect yourself from all kinds of hacking techniques.


Structured in 10 chapters, all about hacking, this is in short what the book covers:

  • The type of hackers
  • How the process of Hacking works and how attackers cover their traces
  • How to install and use Kali Linux
  • The basics of CyberSecurity
  • All the information on malware and cyber attacks
  • How to scan the servers and the network
  • WordPress security & Hacking
  • How to do Google Hacking
  • What’s the role of a firewall and what are your firewall options
  • What you need to know about cryptography and digital signatures
  • What is a VPN and how to use it for your own security

Get this book NOW. Hacking is real, and many people know how to do it. You can protect yourself from cyber attacks by being informed and learning how to secure your computer and other devices.

Tags:  Computer Security, Hacking, CyberSecurity, Cyber Security, Hacker, Malware, Kali Linux, Security, Hack, Hacking with Kali Linux, Cyber Attack, VPN, Cryptography


Jan 18 2021

Apple paid a $50,000 bounty to two bug bounty hunters for hacking its hosts

Category: Bug Bounty, Hacking | DISC @ 3:22 pm


Jan 17 2021

President Biden’s Peloton exercise equipment under scrutiny

Category: Information Security | DISC @ 11:36 pm

President Joe Biden can’t bring his Peloton exercise equipment to the White House due to security reasons.

Peloton devices are connected online and are equipped with a camera and microphone that give users an immersive experience and communications capabilities. On the other hand, these features pose a potential risk to the user in case of a hack, and President Joe Biden is a privileged target.

To secure the exercise equipment, Biden’s Peloton may have to be modified, removing the microphone, camera and networking equipment.

“If you really want that Peloton to be secure, you yank out the camera, you yank out the microphone, and you yank out the networking equipment … and you basically have a boring bike,” Max Kilger, Ph.D., director of the Data Analytics Program and Associate Professor in Practice at the University of Texas at San Antonio, told Popular Mechanics. “You lose the shiny object and the attractiveness.”

Source: President Biden’s Peloton exercise equipment under scrutiny

So long Peloton: Joe Biden may need new exercise equipment when he moves
https://www.youtube.com/watch?v=m7VjoflLL8k&ab_channel=InsideNews

Jan 03 2021

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways

Category: Backdoor, Firewall | DISC @ 11:11 am

The username and password (zyfwp/PrOw!aN_fXp) were visible in one of the Zyxel firmware binaries.

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered about as bad as a vulnerability gets.

Device owners are advised to update systems as soon as time permits.

Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.

Source: Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways | ZDNet



[Tech News] Backdoor Account Discovered in More Than 100,000 Zyxel Firewalls, VPN Gateways (podcast)
https://www.youtube.com/watch?v=tQeBp_oim4A

Dec 30 2020

Ransomware Is Headed Down a Dire Path

Category: Ransomware | DISC @ 4:39 pm

2020 was a great year for ransomware gangs. For hospitals, schools, municipal governments, and everyone else, it’s going to get worse before it gets better.

At the end of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. “It is a life-or-death situation,” the technician said at the time.

The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.

Ransomware has been around for decades, and it’s a fairly straightforward attack: Hackers distribute malware that mass-encrypts data or otherwise blocks access to a target’s systems, and then demand payment to release the digital hostages. It’s a well-known threat, but one that’s difficult to eradicate—something as simple as clicking a link or downloading a malicious attachment could give attackers the foothold they need. And even without that type of human error, large corporations and other institutions like municipal governments still struggle to devote the resources and expertise necessary to lay down basic defenses. After watching these attacks in 2020, though, incident responders say that the problem has escalated and that the ransomware forecast for next year looks pretty dire.

Source: Ransomware Is Headed Down a Dire Path



Dealing with a Ransomware Attack: A full guide
https://www.youtube.com/watch?v=g0yXmQx89x4&ab_channel=ThePCSecurityChannel

Dec 26 2020

Fake Amazon gift card emails deliver the Dridex malware

Category: Malware, Pen Test | DISC @ 1:56 pm

The Dridex malware gang is delivering a nasty gift for the holidays using a spam campaign pretending to be Amazon Gift Cards.

Dridex phishing campaign wants to send a gift

When distributing malware, malware gangs commonly use current events and the holidays as themes for phishing campaigns to lure people into opening malicious attachments.

Such is the case in a recent phishing campaign discovered by cybersecurity firm Cybereason that pretends to be an Amazon gift certificate sent via email.

These emails pretend to be a $100 gift certificate that users must redeem by clicking a button in the phishing email.

Source: Fake Amazon gift card emails deliver the Dridex malware



Fake Amazon Email Scam 2020 | How to Detect & Defend | Alert | Windows 10 | Beginners Guide
https://www.youtube.com/watch?v=LXPehYw-D0E

Tags: AWS security


Dec 21 2020

SUPERNOVA, a backdoor found while investigating SolarWinds hack

Category: Hacking | DISC @ 5:48 pm

While investigating the recent SolarWinds Orion supply-chain attack, security researchers discovered another backdoor, tracked as SUPERNOVA.

The investigation of the SolarWinds Orion supply-chain attack revealed the existence of another backdoor that was likely used by a separate threat actor.

After the initial disclosure of the SolarWinds attack, several teams of researchers mentioned the existence of two second-stage payloads.

Security experts from Symantec, Palo Alto Networks, and Guidepoint reported that threat actors behind the SolarWinds attack were also planting a .NET web shell dubbed Supernova.

Researchers from Palo Alto Networks revealed that the malicious code is a tainted version of the legitimate .NET library “app_web_logoimagehandler.ashx.b6031896.dll” included in the SolarWinds Orion software.

“In the analysis of the trojanized Orion artifacts, the .NET .dll app_web_logoimagehandler.ashx.b6031896.dll was dubbed SUPERNOVA, but little detail of its operation has been publicly explored,” reads the analysis published by Palo Alto Networks.

“SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request. In other words, the SolarStorm attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.”

Source: SUPERNOVA, a backdoor found while investigating SolarWinds hack



Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor
https://www.youtube.com/watch?v=cMauHTV-lJg

Tags: Backdoor, SolarWinds hack, SUPERNOVA


Dec 13 2020

Suspected Russian hackers spied on U.S. Treasury emails

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury Department and an agency that decides internet and telecommunications policy, according to people familiar with the matter.

Three of the people familiar with the investigation said Russia is currently believed to be behind the attack.

Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said National Security Council spokesman John Ullyot.

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.

Source: Suspected Russian hackers spied on U.S. Treasury emails – sources


  • Active Exploitation of SolarWinds Software
  • Emergency directive: Global governments issue alert after FireEye hack is linked to SolarWinds supply chain attack
  • SolarWinds Security Advisory
  • Massive suspected Russian hack is 21st century warfare
  • The government has known about the vulnerabilities that allowed the SolarWinds attack since the birth of the internet—and chose not to fix them.
  • WATCH: Trump refuses to acknowledge that Russia meddled in US elections



Russian government hacking group ‘APT29’ behind cyber hack on US government
https://www.youtube.com/watch?v=FM66FgFk6Ls



U.S. Agencies Hit in Brazen Cyber-Attack by Suspected Russian Hackers
https://www.youtube.com/watch?v=vlVGnu7i0tY



Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (paperback)

Tags: APT29, cyber hacking, FireEye, Greenburg, Russian cyber attack, Russian espionage, Russian hackers, Sandworm, U.S. Treasury


Dec 11 2020

U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists

Category: Hacking | DISC @ 6:33 pm

A Gizmodo investigation has found that schools in the U.S. are purchasing phone surveillance tools from Cellebrite and companies that offer similar products, just four years after the FBI used such a tool to crack a terrorism suspect’s iPhone.

In May 2016, a student enrolled in a high school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child.

The Cellebrite used to gather evidence in that case was owned and operated by the Shelby County Sheriff’s Office. But these invasive phone-cracking tools are not only being purchased by police departments. Public documents reviewed by Gizmodo indicate that school districts have been quietly purchasing these surveillance tools of their own for years.

In March 2020, the North East Independent School District, a largely Hispanic district north of San Antonio, wrote a check to Cellebrite for $6,695 for “General Supplies.” In May, Cypress-Fairbanks ISD near Houston, Texas, paid Oxygen Forensics Inc., another mobile device forensics firm, $2,899. Not far away, majority-white Conroe ISD wrote a check to Susteen Inc., the manufacturer of the similar Secure View system, for $995 in September 2016.

Source: U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists

Dec 11 2020

Brave browser-maker launches privacy-friendly news reader

Category: Information Privacy, Web Security | DISC @ 12:20 am

By design, Brave Today doesn’t let the company or third parties build user profiles.

Brave Software, maker of the Brave Web browser, is introducing a news reader that’s designed to protect user privacy by preventing parties—both internal and third party—from tracking the sites, articles, and story topics people view.

Brave Today, as the service is called, is using technology that the company says sets it apart from news services offered by Google and Facebook. It’s designed to deliver personalized news feeds in a way that leaves no trail for Brave, ISPs, and third parties to track. The new service is part of Brave’s strategy of differentiating its browser as more privacy-friendly than its competitors’.

Key to Brave Today is a new content delivery network the company is unveiling. Typically, news services use a single CDN to cache content and then serve it to users. This allows the CDN or the service using it to see both the IP address and news feed of each user, and over time, that data can help services build detailed profiles of a person’s interests.

The Brave Today CDN takes a different approach. It is designed in a way that separates a user’s IP address from the content they request. One entity operates a load-balancing service that receives the user’s TLS-encrypted traffic. The load balancer then passes that traffic on to the CDN, which processes the request.

The load balancer knows the user’s IP address, but because the request is encrypted end to end, it has no visibility into the content the user is seeking. The CDN, meanwhile, sees only the request and has no way of knowing the IP address that made it. Responses travel back along the same path in reverse. To prevent the two pieces of data from being combined, Brave says it will use one provider for load balancing and a different one for content delivery.

Source: Brave browser-maker launches privacy-friendly news reader



Brave Browser-Maker Launches Privacy-Friendly News Reader (podcast)
https://www.youtube.com/watch?v=LynCc0Hl-i8

Dec 10 2020

Record Levels of Software Bugs Plague Short-Staffed IT Teams in 2020

Category: App Security | DISC @ 12:47 am

As just one symptom, 83 percent of the top 30 U.S. retailers, including Amazon, Costco, Kroger and Walmart, have vulnerabilities that pose an “imminent” cyber-threat.

2020 is shaping up to be a banner year for software vulnerabilities, leaving security professionals drowning in a veritable sea of patching, reporting and looming attacks, many of which they can’t even see.

A trio of recent reports tracking software vulnerabilities over the past year underscore the challenges of patch management and keeping attacks at bay.

“Based on vulnerability data, the state of software security remains pretty dismal,” Brian Martin, vice president of vulnerability intelligence with Risk Based Security (RBS), told Threatpost.

Security researchers looked at CVE details across the top 50 software vendors and found that since 1999, Microsoft is the hands-down leader with 6,700 reported CVEs, followed by Oracle with 5,500 and IBM with 4,600.

“New software is being released at a faster rate than old software is being deprecated or discontinued,” Comparitech’s Paul Bischoff told Threatpost. “Given that, I think more software vulnerabilities are inevitable. Most of those vulnerabilities are identified and patched before they’re ever exploited in the wild, but more zero days are inevitable as well. Zero days are a much bigger concern than vulnerabilities in general.”

Source: Record Levels of Software Bugs Plague Short-Staffed IT Teams in 2020

Tags: Software Bugs


Dec 08 2020

U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers

Category: Hacking, Security Breach | DISC @ 11:07 pm

The cybersecurity company said the attack compromised its software tools used to test the defenses of its thousands of customers.

“I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Kevin Mandia, the chief executive at FireEye and a former Air Force officer, said in a blog post published Tuesday. “The attackers tailored their world-class capabilities specifically to target and attack FireEye.”

The company said the attacker also accessed some internal systems and primarily sought information about government clients. FireEye said it has seen no evidence so far that data belonging to its customers had been compromised from the primary systems used to store it.

FireEye declined to comment on who it believed was behind the breach of its hacking tools, which experts said could potentially be leveraged in future attacks against its customer base, including a diverse array of U.S. and Western national-security agencies and businesses.

Source: U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers



FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State
https://www.youtube.com/watch?v=EcBAuJoj2Ks

FireEye shares plunge after it says it was breached by suspected hackers
https://www.youtube.com/watch?v=xYIK23FYiyM&ab_channel=CNBCTelevision
