Sep 08 2022

DEADBOLT ransomware rears its head again, attacks QNAP devices

Category: RansomwareDISC @ 8:37 am
DEADBOLT ransomware rears its head again, attacks QNAP devices

Yes, ransomware is still a thing.

No, not all ransomware attacks unfold in the way you might expect.

Most contemporary ransomware attacks involve two groups of criminals: a core gang who create the malware and handle the extortion payments, and “members” of a loose-knit clan of “affiliates” who actively break into networks to carry out the attacks.

Once they’re in, the affiliates then wander around the victim’s network, getting the lie of the land for a while, before abruptly and often devastatingly scrambling as many computers as they can, as quickly as they can, typically at the worst possible time of day.

The affiliates typically pocket 70% of the blackmail money for any attacks they conduct, while the core criminals take an iTunes-ike 30% of every attack done by every affiliate, without ever needing to break into anyone’s computers themselves.

That’s how most malware attacks happen, anyway.

But regular readers of Naked Security will know that some victims, notably home users and small business, end up getting blackmailed via their NAS, or networked attached storage devices.

Plug-and-play network storage

NAS boxes, as they are colloquially known, are miniature, preconfigured servers, usually running Linux, that are typically plugged directly into your router, and then act as simple, fast, file servers for everyone on the network.

No need to buy Windows licences, set up Active Directory, learn how to manage Linux, install Samba, or get to grips with CIFS and other network file system arcana.

NAS boxes are “plug-and-play” network attached storage, and popular precisely because of how easily you can get them running on your LAN.

As you can imagine, however, in today’s cloud-centric era, many NAS users end up opening up their servers to the internet – often by accident, though sometimes on purpose – with potentially dangerous results.

Notably, if a NAS device is reachable from the public internet, and the embedded software, or firmware, on the NAS device contains an exploitable vulnerability, you could be in real trouble.

Crooks could not ony run off with your trophy data, without needing to touch any of the laptops or mobile phones on your network, but also modify all the data on your NAS box…

…including directly rewriting all your original files with encrypted equivalents, with the crooks alone knowing the unscrambling key.

Simply put, ransomware attackers with direct access to the NAS box on your LAN could derail almost all your digital life, and then blackmail you directly, just by accessing your NAS device, and touching nothing else on the network.

The infamous DEADBOLT ransomware

That’s exactly how the infamous DEADBOLT ransomware crooks operate.

They don’t bother attacking Windows computers, Mac laptops, mobile phones or tablets; they just go straight for your main repository of data.

(You probably turn off, “sleep”, or lock most of your devices at night, but your NAS box probably quietly runs 24 hours a day, every day, just like your router.)

By targeting vulnerabilities in the products of well-known NAS vendor QNAP, the DEADBOLT gang aims to lock everyone else on your network out of their digital lives, and then to squeeze you for several thousands dollars to “recover” your data.

After an attack, when you next try to download a file from the NAS box, or to configure it via its web interface, you might see something like this:

In a typical DEADBOLT attack, there’s no negotiation via email or IM – the crooks are blunt and direct, as you see above.

In fact, you generally never get to interact with them using words at all.

If you don’t have any other way to recover your scrambled files, such as a backup copy that’s not stored online, and you’re forced to pay up to get your files back, the crooks expect you simply to send them the money in a cryptocoin transaction.

The arrival of your bitcoins in their wallet serves as your “message” to them.

In return, they “pay” you the princely sum of nothing, with this “refund” being the sum total of their communication with you.

The “refund” is a payment worth $0, submitted simply as a way of including a bitcoin transaction comment.

That comment consists of 16 apparently random data bytes, seen encoded as 32 hexadecimal characters in the screenshot below, which constitute the AES decryption key you will use to recover your data:

Source: DEADBOLT ransomware rears its head again, attacks QNAP devices

Tags: Deadbolt ransomware

Sep 07 2022

PenTesting at the speed of Your SDLC

Category: Information Security,Pen TestDISC @ 2:49 pm
Cobalt’s has announced a new offering, Agile Pentesting! With Agile Pentesting, conduct a pentest that has a targeted scope focused on a specific area of an asset, or a specific vulnerability across an asset. Agile Penesting is flexible in nature, and aligns pentesting to DevSecOps workflows in a way that’s friction-free.

Leverage Agile Pentesting to level up your security program for:

* New Release Testing: pentest a new release before or shortly after it reaches production

* Delta Testing: pentest for incremental improvements based on code differences since date or version

* Single OWASP Category Testing: pentest a single vulnerability or small subset of vulnerabilities across an asset to validate fixes 

* Microservice Testing: pentest Kubernetes within AWS, Azure, or GCP, as well as hosted network devicesReady to ship code securely with Cobalt’s Agile Pentesting?

Ready to ship code securely with Cobalt’s Agile Pentesting?

Learn More

Enter to Win a Free Cobalt Agile Pentest!Sometimes the best things in life actually are free! Click here to enter your information to be one of the three lucky winners to receive a free Agile Pentest from Cobalt, worth $6,600 in value! The drawing will take place on September 22nd.
Enter to Win

Tags: Agile Pentesting

Sep 07 2022

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

Category: ISO 27k,Security ToolsDISC @ 10:26 am

Implement ISO 27001 & ISO 27017 & ISO 27018 yourself, and do it easily and efficiently with our Documentation Toolkit.

a close up of text on a white background

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 47 document templates – unlimited access to all documents required for ISO 27001 & 27017 & ISO 27018 certification, plus commonly used non-mandatory documents 
  • Access to video tutorials 
  • Email support 
  • Expert review of a document 
  • One hour of live one-on-one online consultations
    with an ISO 27001 & ISO 27017 & ISO 27018 expert 
  • Upcoming: free toolkit update for the new ISO 27001 2022 revision 

Fully optimized for small and medium-sized companies

TOOLKIT DOCUMENTS

Look at EVERY template in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit – for free! – before making a purchase.

Tags: iso 27001, iso 27017, ISO 27018, toolkit

Sep 07 2022

Some Employees Aren’t Just Leaving Companies — They’re Defrauding Them

Category: Insider ThreatDISC @ 9:44 am

Here are a few measures your organization can implement to minimize fraudulent behavior and losses.

Fraud_Charlotte_Allen_Alamy.jpg

Since the Great Resignation in 2021, millions of employees across the nation have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

Understand Contributors to Fraudulent Behavior

According to the Cressey Fraud Triangle, fraudulent behavior often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organization to commit a fraud (poor oversight or internal controls), and rationalization (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organizations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn’t have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

Additionally, there are actions an organization can take that may significantly mitigate the risk that an employee would find themselves in a situation where they could justify stealing from their employer, even if internal controls are limited or the employee is in a position of a high level of trust or authority. These including offering strong employee assistance programs, investing in the employee experience, exploring employee enrichment opportunities, surveying employees, monitoring morale, performing adequate exit interviews, and completing frequent anti-fraud training.

Create a Web of Fraud Detectors

There are typically eight key warning signs which may indicate an employee is more likely to commit fraud in an organization. According to the ACFE Global Fraud Survey, the top three are living beyond one’s means, financial difficulties, and an unusually close association with a vendor/customer. Businesses must stay vigilant and identify potentially fraudulent behavior as soon as possible; monitoring for red flags among employees is often a helpful step.

Educating all employees about how to identify warning signs and report fraudulent activity is a beneficial practice for any business. According to that same ACFE Global Fraud Survey, organizations that implement fraud awareness training and other anti-fraud controls have seen quicker fraud detection and lower fraud losses as a result of their efforts. In fact, 42% of fraud is discovered by a tip, and 55% of all fraud is reported by employees of the company. Utilizing company employees to monitor for fraudulent behavior within the organization and creating a culture in which fraud is unacceptable under all circumstances are helpful in creating a team of full-time fraud detectors.

Create and Maintain Strong Internal Controls

There are many aspects about an employee’s personal life that an employer can’t control. And no matter how hard you try, an employer cannot always keep all employees engaged, satisfied and ultimately happy. But employers can control the opportunity side of the fraud triangle.

Establishing and maintaining strong and effective internal controls can greatly improve the chances that an organization either prevents fraudulent behavior or detects it before it can damage the company. Specifically, adequate fraud prevention controls over bank account activity, cash handling, purchasing and vendor management, credit card use, expense reimbursements, payroll, and inventory are crucial in protecting the company against a rogue employee who uses their position to misappropriate company assets.

When employers create enriching work environments where their employees feel supported and can convey internal or external stressors, they’re boosting employee morale and minimizing the risk of fraudulent behavior. Unfortunately, you can’t control all employee behavior no matter how hard you try, so it is crucial to also invest in adequate anti-fraud controls and trainings to protect your company even further. Very often, the cost of anti-fraud activities is far less than the cost of an actual fraud. Unfortunately, many companies don’t discover this fact until it’s too late.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

Insider Threats (Cornell Studies in Security Affairs)

Tags: Defrauding

Sep 07 2022

Government guide for supply chain security: The good, the bad and the ugly

Category: Information Security,Vendor AssessmentDISC @ 8:11 am
Government guide for supply chain security: The good, the bad and the ugly

ust as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers.

My first reaction was that it’s great to see these agencies adding to the public discourse in these still heady days where we’re all sorting out software supply chain security best practices. This is an important voice in shaking out the still many requirements, frameworks, and best practices, and kudos to them for sharing some of their hard-fought lessons learned.

But I think it’s also important for developers at large to weigh what makes sense in the most extraordinarily sensitive national security environments, versus what makes sense for the average enterprise developer and security team.

Here’s what stuck out to me as the good, bad, and ugly implications of the report.

The good

There are some excellent, prescriptive recommendations in the report where these agencies are advocating specific frameworks like Supply chain Levels for Software Artifacts (SLSA, pronounced “salsa”) and Secure Software Development Framework (SSDF). The report mentions these frameworks 14 and 38 times, respectively, and for developers and security teams that realize they have a software supply chain security problem but don’t know where to start, now they have a clear path to take their first steps.

The upshot of these frameworks is they give developers clear guidance on (1) how to develop secure code, from design issues to organizational structure issues for more secure software; (2) build system integrity (making sure malicious code isn’t being injected in our build systems); and (3) what happens after software is built and how to operate systems security (vulnerability remediation, monitoring, those types of aspects).

I also think the report does an excellent job of emphasizing what software signing buys developers in terms of artifact security, and how by making the investment in signing and verifying at the start of the software development lifecycle, you can save yourself a lot of toil not having to worry about the security of the package managers further down the line.

The bad

The guide suggests that “all development systems must be restricted to development operations only” … and goes on to say “no other activity such as email should be conducted for business nor personal use.”

I can’t see a future where developers are told they can’t do Slack, email and web browsing on their dev machines, and here’s an example where what’s mandatory in air-gapped environments like the NSA don’t really map out to mainstream developer scenarios.

I also find that the SBOM guidance has great points, but also misses concrete threats and mitigation examples. Overall the industry continues to tell everyone to use SBOMs, but doesn’t really explain what to do with them or what the real benefits are. And while I like the guidance to compare SBOMs with software composition analysis (SCA) results, the reality is that today’s vulnerability scanners actually miss a lot of the transitive dependencies that make software supply chains an attractive threat surface in the first place.

The ugly

While open source is mentioned 31 times in the guide, it’s mostly superficial references, with no new recommendations. We all know most source code being used today is open source, and it has unique aspects for security – the report doesn’t pay any care to how to choose which open source projects to use, what to look for when deciding on a new dependency, approaches to scoring systems, or how to tell the security health of an OSS project.

There’s quite a bit of information overload. Half of the document explains what its contents are, and the other half presents a couple of frameworks and the intersections of those frameworks. I think what we’re going to see next is a tidal wave of security vendor product whitewashing, claiming to have the first capabilities conforming to these guidelines – but it’s important to remember that there is no accreditation process, and most of this will simply be marketing bluster.

What’s next

Software supply chain security is pretty unique – you’ve got a whole lot of different types of attacks that can target a lot of different points in the software lifecycle. You can’t just take one piece of security software, turn it on, and get protected from everything.

Guides and recommendations like this that come down from the most sophisticated organizations that have gone through the early paces give a lot of great clues for developers at large, and I hope the NSA/CSA/ODNI will continue to disclose this type of insight … even if it may require some decoding for what applies to more mainstream developer scenarios outside of the Pentagon.

Cyber Security and Supply Chain Management: Risks, Challenges, and Solutions

Tags: supply chain, Vendor Security Assessment

Sep 06 2022

5 Vulnerability Scanner Tools that are Open Source and Free to Download

Category: Security vulnerabilitiesDISC @ 11:38 am

A list of free open source vulnerability scanners which developers and penetration testers can use to scan systems for vulnerabilities and potential malware.

A vulnerability assessment is an in-depth analysis of a network’s hardware, software, and other components to locate and fix potential security holes. Once identified, the software prioritizes security holes by how quickly they must be patched or mitigated. In most cases, the vulnerability scanning tool will also include guidance on how to fix or lessen the impact of any vulnerabilities it finds.

The results from vulnerability scanners can be used as a guide by security teams as they evaluate the safety of their network and take preventative measures.

Devs can use the following open-source vulnerability assessment tools to test their vulnerabilities for free.

Aqua Trivy

For developers to make informed decisions about which components to use in their applications and containers, open-source tools like Aqua Trivy can help them identify vulnerabilities and understand the associated risks. Trivy’s array of vulnerability scanners allows it to detect vulnerabilities in a wide variety of systems.

Static analysis of vulnerabilities in application containers is the focus of the Clair open-source project (currently including OCI and Docker).


Clients can index their container images via the Clair API and compare them to a database of known security flaws.

Tsunami

Tsunami is a flexible, plugin-based network security scanner designed to detect and scan critical vulnerabilities accurately.


Tsunami is scalable, runs quickly, and scans quietly.

Vaf

Vaf is a platform-independent web fuzzer that can quickly thread through requests, fuzz HTTP headers, and even act as a proxy.

Zed Attack Proxy ZAP

Under the OWASP banner, Zed Attack Proxy (ZAP) is developed and maintained as a free, open-source penetration testing tool and can be used as an effective vulnerability scanner.


ZAP is highly adaptable and extensible; it can even be deployed on a Raspberry Pi and is optimized for testing websites and deployed as a vulnerability scanner.

5 Vulnerability Scanner Tools that are Open Source and Free to Download

Tags: Open source, Vulnerability Scanner Tools

Sep 06 2022

Chrome and Edge fix zero-day security hole – update now!

Category: Zero dayDISC @ 9:30 am
Chrome and Edge fix zero-day security hole – update now!

Just three days after Chrome’s previous update, which patched 24 security holes that were not in the wild…

…the Google programmers announced the release of Chrome 105.0.5195.102, where the last of the four numbers in the quadruplet jumps up from 52 on Mac and Linux and 54 on Windows.

The release notes confirm, in the clipped and frustrating “indirect statement made in the passive voice” bug-report style that Google seems to have borrowed from Apple:

  
CVE-2022-3075
: Insufficient data validation in Mojo.

   Reported by Anonymous on 2022-08-30

   [...]

   Google is aware of reportsrts [sic] that an exploit 
   for 
CVE-2022-3075
 exists in the wild.

Microsoft has put out an update, too, taking its browser, which is based on Chromium, to  Edge 105.0.1343.27.

Following Google’s super-brief style, Microsfoft wrote merely that:

  This update [Edge 105.0.1343.27] contains a fix for 
CVE-2022-3075
, 
   which has been reported by the Chromium team as having an exploit 
   in the wild
As always, our translation of security holes written up in this non-committal way is: “Crooks or spyware vendors found this vulnerability before we did, have figured out how to exploit it, and are already doing just that.”

…………..

What to do?

Patch early, patch often!

In Chrome, check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.

The Chrome version you are looking for (or Chromium version , if you’re using the non-proprietary, open source flavour) is: 105.0.5195.102 or later.

In Edge, it’s Three dots > Help and feedback > About Microsoft Edge.

The Edge version you’re after is: 105.0.1343.27 or later.

Google’s release notes also list an update to the Extended Stable Channel, which you might be using if you’re on a computer provided by work – like Mozilla’s Extended Support Release or ESR, it’s an official version that lags behind on features but keeps up with security patches, so you aren’t forced to adopt new features just to get patched.

The Extended Stable version you want is: 104.0.5112.114.

Google has also just announced a Chrome for iOS update, available (as always) via the App Store.

There’s no mention of whether the iOS version was affected by CVE-2022-3075, but the version you’re after, in any case, is 105.0.5195.100.

(We’re guessing that by iOS, Google means both iOS and iPadOS, now shipped as different variants of Apple’s underlying mobile operating system.)

Nothing in the release notes so far [2022-09-05T13:45Z] about Android – check in Google Play to see if you’re up to date.

Tags: Chrome, Edge

Sep 06 2022

Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor

Category: BackdoorDISC @ 8:18 am
Experts discovered TeslaGun Panel used by TA505 to manage its ServHelper Backdoor

Researchers discovered a previously undocumented software control panel, named TeslaGun, used by a cybercrime gang known as TA505.

Researchers from cybersecurity firm PRODAFT have discovered a previously undocumented software control panel, tracked as TeslaGun, used by a cybercrime group known as TA505.

Russian TA505 hacking group, aka Evil Corp, has been active since 2014 focusing on Retail and banking sectors. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.

The TA505 group was involved in campaigns aimed at distributing the Dridex banking Trojan, along with LockyBitPaymerPhiladelphiaGlobeImposter, and Jaff ransomware families.

Now PRODAFT experts state that the group has carried out mass phishing campaigns against at
least 8160 targets. Most of the victims are in the finance sector or individuals. TeslaGun victim data revealed that 3667 targets are in the US.

The financially-motivated group is known to have used multiple malware in its attacks, including FlawedAmmyy, the ServHelper backdoor and FlawedGrace malware.

The ServHelper backdoor is written in Delphi and according to the experts, the development team continues to update it by implementing new features since 2019. Researchers pointed out that almost every new campaign used a new variant of the malware.

Once downloaded the ServHelper backdoor set up reverse SSH tunnels that allow attackers to access to the infected system via Remote Desktop Protocol (RDP) on port 3389. In 2019, Proofpoint experts also discovered another ServHelper variant that does not include the tunneling and hijacking capabilities, in this case, the backdoor was used only as a downloader for the FlawedGrace RAT.

The TeslaGun control panel was used by the threat actors to manage the ServHelper backdoor, it acts as a C2 infrastructure allowing operators to issue commands.

“The actors regularly migrate their proxy servers to new servers in the same datacenter to attain a low detection rate. During our investigation, we observed several TeslaGun management panels predominantly residing in MivoCloud SRL, Moldova” reads the report published by the experts. “The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records.”

TeslaGun panel shows a table containing victims’ data, including SYSID/ID/IP, Country/State/City, First Time Connected/Last Time Connected, Command, Answer Operations/Tun Port/Operations, and Comments.

TeslaGun

TeslaGun also allows operators to send one command to all victim devices at the same time, or to configure a default command that runs when a new victim device is added to the panel.

During this investigation, the PTI researchers also discovered TA505 users executing RDP connections using tunnels.

The tool used by the gang to execute RDP connections allows to launch multiple hidden RDP instances. Once infected a victim, TA505 operators can connect to the victim via RDP to use remote connections simultaneously.

“ServHelper is an example of backdoor malware runs by a financially motivated and highly sophisticated threat group. TA505 appears to be well-embedded in the international cybercrime community, as demonstrated by its ability to collect and sell RDP connections to victim devices. The PTI team was able to gain valuable insight into how TA505 organizes its activities and achieves its goals. This will help cybersecurity policies to protect against backdoor attacks like ServHelper.” concludes the report. “From how TA505 commented their victims on TeslaGun panels perspective, it is obviously seen that TA505 is actively searching for online banking and shopping accounts, particularly from victims in the United States, but also from Russia, Romania, Brazil, and the UK.”

Bypassing the gatekeepers in CyberSecurity

Tags: TA505, TeslaGun Panel

Sep 02 2022

What is ISO 27001 Information Classification?

Category: Information Classification,ISO 27kDISC @ 10:50 am

Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.

Organisations usually classify information in terms of confidentiality – i.e. who is granted access to view it. A typical system contains four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

As you might expect, larger and more complex organisations will need more levels, with each one accounting for specific groups of employees who need access to certain information.

The levels shouldn’t be based on employees’ seniority but on the information that’s necessary to perform certain job functions.

Take the healthcare sector for example. Doctors and nurses need access to patients’ personal data, including their medical histories, which is highly sensitive.

However, they shouldn’t have access to other types of sensitive information, such as financial records.

In these cases, a separate classification should be created to distinguish between sensitive medical information and sensitive administrative information.

Where does ISO 27001 fit in?

Organizations that are serious about data protection should follow ISO 27001.

The Standard describes best practices for creating and maintaining an ISMS (information security management system), and the classification of information plays a crucial role.

Control objective A.8.2 is titled ‘Information Classification’, and instructs that organisations “ensure that information receives an appropriate level of protection”.

ISO 27001 doesn’t explain how you should do that, but the process is straightforward. You just need to follow four simple steps.

1) Enter your assets into an inventory

The first step is to collate all your information into an inventory (or asset register).

You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).

2) Classification

Next, you need to classify the information.

Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organization’s ISO 27001 risk assessment.

Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isn’t always the case.

There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if it’s confidentiality is compromised, but the organisation must make it widely available in order to function.

3) Labelling

Once you’ve classified your information, the asset owner must create a system for labelling it.

You’ll need different processes for information that’s stored digitally and physically, but it should be consistent and clear.

For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.

For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.

4) Handling

Finally, you must establish rules for how to protect each information asset based on its classification and format.

For example, you might say that internal paper documents can be kept in an unlocked cabinet that all employees can access.

By contrast, restricted information should be placed in a locked cabinet, and confidential information stored in a secure location.

Additional rules should be established for data in transit – whether it’s being posted, emailed or employees carry it with them.

You can keep track of all these rules by using a table like this:

Information classification table example

Use a table to simplify the data handling documentation process.

Source: What is ISO 27001 Information Classification

Introduction to Cataloging and Classification

Tags: classification, Introduction to Cataloging and Classification

Sep 02 2022

Researchers analyzed a new JavaScript skimmer used by Magecart threat actors

Category: Cyber Threats,pci dssDISC @ 8:33 am

Researchers from Cyble analyzed a new, highly evasive JavaScript skimmer used by Magecart threat actors.

Cyble Research & Intelligence Labs started its investigation after seeing a post on Twitter a new JavaScript skimmer developed by the Magecart threat group used to target Magento e-commerce websites.

In Magecart attacks against Magento e-stores, attackers attempt to exploit vulnerabilities in the popular CMS to gain access to the source code of the website and inject malicious JavaScript. The malicious code is designed to capture payment data (credit/debit owner’s name, credit/debit card number, CVV number, and expiry date) from payment forms and checkout pages. The malicious code also performs some checks to determine that data are in the correct format, for example analyzing the length of the entered data.

In this specific case, the researchers discovered that when a user visits the compromised website, the skimmer loads the payment overlay and asks the user to enter the payment information.

The skimmer is obfuscated and embedded in the JavaScript file “media/js/js-color.min.js”

Magecart skimmer

nce the victim has entered its payment data in the form, the JavaScript file collects them and then sends the Base64-encoded data to the URL included in the JavaScript using the POST method

Cyble experts noticed that upon executing the JavaScript, it checks if the browser’s dev tool is open to avoid being analyzed.

“Online shopping activity is constantly on the rise due to its ease of use, digital transformation, and the sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are improving their techniques to remain undetected.” concludes the report. “Historically, Magento e-commerce websites have been the most highly targeted victims of skimmer attacks. While using any e-commerce website, ensure that you only use known and legitimate platforms.”

Researchers analyzed a new JavaScript skimmer used by Magecart threat actors

Data Privacy: A runbook for engineers

Tags: data protection, JavaScript skimmer, Magecart threat actors

Sep 01 2022

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

Category: CISO,ISO 27k,vCISODISC @ 12:30 pm
Advisera Conformio presentation

IMPLEMENT-ISO-27001-AND-ISO-22301-EFFORTLESSLY-1Download

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: ISO 22301, iso 27001

Sep 01 2022

List of Data Breaches and Cyber Attacks in August 2022 – 97 Million Records Breached

Category: Cyber Attack,Data Breach,data security,Information Security,Security BreachDISC @ 9:01 am

August 2022 has been a lesson in being careful with whom you provide sensitive information. In a month that saw the former US president accused of misappropriating classified government documents, there were also a spate of malicious insiders compromising their employer’s systems.

Meanwhile, the bastion of password security, LastPass, announced that its systems had been breached – although the organisation is confident that customers’ details remain secure.

In total, we identified 112 publicly disclosed security incidents in August, resulting in 97,456,345 compromised records.

You can find the full list of incidents below, broken into their respective categories.

Contents

Data Breaches

Data Security

Free Basic network and Data Security Awareness

Tags: data breach, data security, infosec breach

Sep 01 2022

URGENT! Apple slips out zero-day update for older iPhones and iPads

Category: Zero dayDISC @ 8:19 am
URGENT! Apple slips out zero-day update for older iPhones and iPads

Our much-loved iPhone 6+, now nearly eight years old but in pristine, as-new condition until a recent UDI (unintended dismount incident, also known as a bicycle prang, which smashed the screen but left the device working fine otherwise), hasn’t received any security updates from Apple for almost a year.

The last update we received was back on 2021-09-23, when we updated to iOS 12.5.5.

Every subsequent update for iOS and iPadOS 15 has understandably reinforced our assumption that Apple had dropped iOS 12 support for evermore, and so we relegated the old iPhone to background duty, solely as an emergency device for maps or phone calls while on the road.

(We figured that another crash would be unlikely to wreck the screen any further, so it seemed a useful compromise.)

But we’ve just noticed that Apple has decided to update iOS 12 again after all.

This new update applies to the following models: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation. (Before iOS 13.1 and iPadOS 13.1 came out, iPhones and iPads used the same operating system, referred to as iOS for both devices.)

We didn’t receive a Security Advisory email from Apple, but an alert Naked Security reader who knows we still have that old iPhone 6+ let us know about Apple Security Bulletin HT213428. (Thanks!)

Simply put, Apple has published a patch for 

CVE-2022-32893
, which is one of the two mysterious zero-day bugs that received emergency patches on most other Apple platforms earlier in August 2022:

Apple patches double zero-day in browser and kernel – update now!

Malware implantation

As you will see in the article just above, there was a WebKit remote code execution bug, CVE-2022-32893, by means of which a jailbreaker, a spyware peddler, or some devious cybercriminal could lure you to a booby-trapped website and implant malware on your device, even if all you did was glance at an otherwise innocent-looking page or document.

Then there was a second bug in the kernel, CVE-2022-32894, by which said malware could extend its tentacles beyond the app it just compromised (such as a browser or a document viewer), and get control over the innards of the operating system itself, thus allowing the malware to spy on, modify or even install other apps, bypassing Apple’s much vaunted and notoriously strict security controls.

So, here’s the good news: iOS 12 isn’t vulnerable to the kernel-level zero-day CVE-2022-32894, which almost certainly avoids the risk of total compromise of the operating system itself.

But here’s the bad news: iOS 12 is vulnerable to the WebKit bug CVE-2022-32893, so that individual apps on your phone definitely are at risk of compromise.

We’re guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution.

The danger of WebKit

Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple’s own Safari browser isn’t the only app at risk from this vulnerability.

All browsers on iOS, even Firefox, Edge, Chrome and so on, use WebKit (that’s an Apple requirement if you want your app to make it into the App Store).

And any app that displays web content for purposes other than general browsing, such as in its help pages, its About screen, or even in a built-in “minibrowser”, is also at risk because it will be using WebKit under the covers.

In other words, just “avoiding Safari” and sticking to a third-party browser is not a suitable workaround in this case.

What to do?

We now know that the absence of an update for iOS 12 when the latest emergency patches came out for more recent iPhones was not down to the fact that iOS was already safe.

It was simply down to the fact that an update wasn’t available yet.

So, given that we now know that iOS 12 is at risk, and that exploits against CVE-2022-32893 are being used in real life, and that there is a patch available…

…then it’s an urgent matter of Patch Early/Patch Often!

Go to Settings > General > Software Update, and check that you have iOS 12.5.6.

If you haven’t yet received the update automatically, tap Download and Install to begin the process right away:

Go to Settings > General > Software Update.
You’re looking for iOS 12.5.6.
Use Download and Install if needed.

Tags: Apple patches

Aug 31 2022

The Inevitability of Cloud Breaches: Tales of Real-World Cloud Attacks

Category: Cloud computingDISC @ 9:43 am

While cloud breaches are going to happen, that doesn’t mean we can’t do anything about them. By better understanding cloud attacks, organizations can better prepare for them.

Cloud computing
Source: Wavebreakmedia Ltd IW-210409 via Alamy Stock Photo

Cloud breaches are inevitable.

It’s the reality we live in. The last few years have demonstrated that breaches occur, no matter how much security organizations put in place. The increased complexity of organizations — where a single mistake or vulnerability can lead to a compromise — coupled with the increased motivation, sophistication, and dedication of attackers, means breaches are here to stay. At the same time, organizations are transitioning to the cloud, making attackers shift focus to rapidly increase their attacks on cloud environments.

While this means that cloud breaches are inevitable, that doesn’t mean we can’t do anything about them. By better understanding cloud attacks, organizations can better prepare for them. Then, hopefully, they can contain and respond to attacks faster, reducing their impact and averting a crisis.

This two-part series will explore real-world attacks that unravel, investigate, and share insights on practical ways organizations can respond to cloud attacks in today’s threat landscape.

SaaS Marketplace Hack Leads to Major Breach

In the last few years, software-as-a-service (SaaS) platforms have been replacing traditional enterprise applications, making it easier for organizations to adopt and manage them. Part of the value such platforms provide is the ability to integrate and expand rapidly, supporting the ever-growing demands of users for more functionality. Further enhancing their platforms, SaaS vendors are creating a marketplace to allow third-party providers to add functionality and integration for its users. These marketplaces, however, can introduce substantial third-party risk, as can be seen in the following scenario.

After a company was notified by GitHub of a potential risk, GitHub didn’t provide any specific indicators of unauthorized access. Instead, GitHub provided only a generic notice that DeepSource, one of the apps the company had previously been using on the marketplace, was breached, making it hard to understand whether the organization was affected or not. An initial review done by the company of its GitHub logs did not help, as it could not see any access to its code by DeepSource.

The reason for this was rather simple — and it is at the heart of how many SaaS marketplaces operate. A few months before the breach, one of the company’s developers tried out the DeepSource app, wherein the developer granted DeepSource access to the code under his username. When the attackers used DeepSource’s access to download the entire code repository, what appeared in the logs was a pull request under the name of a legitimate user. The only indicator that it was malicious was the identification of an irregular IP address, which eventually was tied to other known attacks.

At this point, it became clear that the entire code repository had been stolen, and a full-blown response was needed to contain and recover from the breach. As with most code leakage cases, the immediate concern was access to secrets (passwords/keys) in the code. While it is generally bad practice to have hardcoded secrets in code, it is still a common practice by many — and this case was no different. By identifying the relevant secrets in the code, the next steps of the attackers — which, as expected, started accessing some of the Amazon Web Services (AWS) infrastructure — was predicted. By quickly identifying them, the company was able to block access to all relevant resources, contain the breach, and recover before more damage could be done.

Cryptominer Injected into a Virtual Machine Template

What if one could mine cryptocurrency at somebody else’s expense? This idea is at the heart of many cryptomining attacks we see today, where attackers take over cloud resources, then run cryptominers on them collecting cryptocurrency while the hacked organization pays the cloud compute bills for it.

In a recent incident, a company had identified unknown files on 18 AWS EC2 machines they were running in the cloud. Looking at the files, it became clear they had fallen victim to the ongoing TeamTNT Watchdog cryptomining campaign. It was initially unclear how the attackers managed to infect so many EC2 instances, but as the investigation unfolded, it became apparent that instead of targeting individual machines, the attackers targeted the Amazon Machine Image (AMI) template used to create each machine. During the creation of the original image, there was a short time where a service was misconfigured, allowing remote access. TeamTNT used automatic tools to scan the network, identify it, and immediately place the miners there, which then got duplicated to every new machine created.

This highlights another common attack pattern: implanting cryptominers in publicly available AMIs through the Amazon marketplace.

As demonstrated by these cases, cloud attacks are here to stay. They’re different from what we’re used to observing, so it’s time to better prepare for their arrival. Stay tuned for part two, where we will dive into cloud ransomware and how to avoid it.

Cloud computing

https://

www.darkreading.com
/cloud/the-inevitability-of-cloud-breaches-tales-of-real-world-cloud-attacks-

Practical Cloud Security

Tags: cloud security, Practical Cloud Security

Aug 31 2022

Chrome patches 24 security holes, enables “Sanitizer” safety system

Category: Web SecurityDISC @ 8:20 am
Chrome patches 24 security holes, enables “Sanitizer” safety system

Google’s latest Chrome browser, version 105, is out, though the full version number is annoyingly different depending on whether you are on Windows, Mac or Linux.

On Unix-like systems (Mac and Linux), you want 105.0.5195.52, but on Windows, you’re looking for 105.0.5195.54.

According to Google, this new version includes 24 security fixes, though none of them are reported as “in-the-wild”, which means that there weren’t any zero-days patched this time.

Nevertheless, there’s one vulnerability dubbed Critical, and a further eight rated High.

Of the flaws that were fixed, just over half of them are down to memory mismanagement, with nine listed as use-after-free bugs, and four as heap buffer overflows.

Memory bug types explained

use-after-free is exactly what it says: you hand back memory to free it up for another part of the program, but carry on using it anyway, thus potentially interfering with the correct operation of your app.

Imagine, for instance, that the part of the program that thinks it has now sole access to the offending block of memory receives some untrusted input, and carefully verifies that the new data is safe to use…

…but then, in the instant before it starts using that validated input, your buggy “use-after-free” code interferes, and injects stale, unsafe data into the very same part of memory.

Suddenly, bug-free code elsewhere in the program behaves as if it were buggy itself, thanks to the flaw in your code that just invalidated what was in memory.

Attackers who can figure out a way to manipulate the timing of your code’s unexpected intervention may be able not only to crash the program at will, but also to wrest control from it, thus causing what’s known as remote code execution.

And a heap buffer overflow refers to a bug where you write more data to memory than will fit in the space that was originally allocated to you. (Heap is the jargon term for the collection of memory

blocks that are currently being managed by the system.)

If some other part of the program has a memory block just happens to be near to or next to yours in the heap, then the superfluous data that you just wrote out won’t overflow harmlessly into unused space.

Instead, it will corrupt data that’s in active use somewhere else, which similar consequences to what we just described for a use-after-free bug.

The “Sanitizer” system

Happily, as well as fixing misfeatures that weren’t supposed to be there at all, Google has announced the arrival of a new feature that adds protection against a class of browser flaws known as cross-site scripting (XSS).

XSS bugs are caused by the browser inserting untrusted data, say from a web form submitted by a remote user, directly into the current web page, without checking for (and removing) risky content first.

Imagine, for instance, that you have a web page that offers to show me what a text string of my choice looks like in your funky new font.

If I type in the sample text Cwm fjord bank glyphs vext quiz (a contrived but vaguely meaningful mashup of English and Welsh that contains all 26 letters of the alphabet in just 26 letters, in case you were wondering), then it’s safe for you to put that exact text into the web page you create.

In JavaScript, for example, you could rewrite the body of the web page like this, inserting the text that I supplied without any modification:

In JavaScript, for example, you could rewrite the body of the web page like this, inserting the text that I supplied without any modification:

document.body.innerHTML = "<p style='font-family:funky;'>Cwm fjord bank glyphs vext quiz"

But if I cheated, and asked you to “display” the text string Cwm fjord<script>alert(42)</script> instead, then it would be reckless for you to do this…

document.body.innerHTML = "<p style='font-family:funky;'>Cwm fjord<script>alert(42)</script>"

…because you would be allowing me to inject untrusted JavaScript code of my choosing directly into your web page, where my code could read your cookies and access data that would otherwise be off-limits.

So, to make what’s known as sanitising thine inputs easier, Chrome has now officially enabled support for a new browser function called setHTML().

This can be used to push new HTML content through a feature called the Sanitizer first, so that if you use this code instead…

document.body.setHTML("<p style='font-family:funky;'>Cwm fjord<script>alert(42)</script>")

…then Chrome will scan the proposed new HTML string for security problems first, and automatically remove any text that could pose a risk.

You can see this in action via the Developer tools by running the above setHTML() code at the Console prompt, and then retrieving the actual HTML that was injected into the document.body variable, as we did here:

Even though we explicitly put a <script> tag in the input that we passed to the setHTML() function, the script code was automatically purged from the output that was created.

If you genuinely need to add potentially dangerous text into an HTML element, you can add a second argument to the setHTML() function that specifies various types of risky content to block or allow.

By default, if this second argument is omitted as above, then the Sanitizer operates at its maximum security level and automatically purges all dangerous content that it knows about.

What to do?

  • If you’re a Chrome user. Check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.
  • If you’re a web programmer. Learn about the new Sanitizer and setHTML() functionality by reading advice from Google and the MDN Web Docs.

The Browser Hacker’s Handbook

Tags: Chrome patches

Aug 30 2022

Don’t Let ‘Perfect’ Be the Enemy of a Good AppSec Program

Category: App SecurityDISC @ 2:43 pm

These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.

go for good enough reminder note with a cup of coffee and a silver pen
Source: Marek Uliasz via Alamy Stock Photo

Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of this would be managing evidence for top secret counterterrorism activities, invaluable intellectual property such as the first COVID-19 vaccine, or systems that require uptimes of five 9s (99.999%) or higher, for which downtime of a single minute can cost millions of dollars.

That said, for most companies, a “good” application security (AppSec) program will suffice. A good program is one where your applications are safe against the most common types of attacks but could still fall to a determined, well-funded, and advanced attacker. Let’s discuss the differences, and how to create something that meets your company’s needs.

Elections Require Perfection

For a “perfect” AppSec program, every single potential vulnerability reported by any test must be investigated by a security expert. This means running static application security testing (SAST), dynamic application security testing (DAST), and other automated tools with the confidence level for findings set to report “any and all” possibilities. That requires hiring one or more security experts who are trained to run down each item and given weeks to check each application. It also means hiring several security professionals to do manual security testing and code review, for multiple viewpoints, and to re-test that the bugs are truly fixed and have not created new bugs in the process. It is both time-consuming and quite expensive.

A few years ago, I worked on an application that had to run on a 32-kilobit modem in the Arctic. It makes our elections in Canada happen, which meant it had to be absolutely perfect. We hired several different security professionals, who used a multitude of tools and manual techniques to find both security and non-security issues within our application. We did stress testing, performance testing, integration testing, and so much more. We set up a functional returning office (the place that you vote), with every system fully functional, and ran an entire 36-day mock election, with fake security incidents thrown into the mix, 6 months before the big day. We spent the following 6 months finalizing every detail. It’s unlikely you would have noticed, as when the 52nd General Election happened on Oct. 19, 2015, it went off without a hitch.

They don’t write news articles when everything goes right. We also put in quite a bit more work than what I shared above, which I am not at liberty to share. The point is that being perfect is not cheap, and it is not quick.

5 Ways to Make Good ‘Good Enough’

With that story in mind, does your organization need to be truly perfect? Or is “good” good enough? Let’s look at some ways your organization could create a scalable and affordable application security program that is good.

1. Automate. First off, leverage automation whenever possible. There are many free and paid security tools that can provide good results. When I say good, I mean most of the results they report are true positives, and the false negatives (missed bugs) are at a level your organization can be comfortable with. Some automated tools will allow you to set a confidence level for your results; starting with a confidence level of “high” in the first year of your program, and then shifting to “medium” in the second year, is a good way to get software developers to have faith in what you are reporting while not overwhelming them.

2. Use anti-pattern matching SAST. For SAST tools, when you’re aiming for “good” results, select a next-generation SAST that performs anti-pattern matching (regex looking for known-bad patterns) rather than an original SAST type that performs symbolic execution (running down every possible code outcome, searching for potential flaws and bugs). While the original types of SAST are ideal for creating a perfect application, next-generation SASTs are faster, provide more true positives, and are sometimes quite a bit cheaper as well.

3. Spell out technical requirements. When starting new projects, give your project team a list of expectations, both for technical security requirements and for activities you expect them to participate in as part of the project life cycle. You could create a list once for each type of technology (Web apps, APIs, serverless, infrastructure as code, containers, etc.), then reuse that list for every new project it applies to. This also allows a project manager to schedule time for the security activities to happen so that project teams don’t face unexpected overtime.

4. Run a threat model. During the design phase, reserve one hour with the product owner, the technical leader of the project, and a member of the AppSec team. Perform a simple threat model on your application and implement some of the recommendations from that session.

5. Train people on secure coding. Give your software developers secure coding training. There’s several free or almost-free courses on the Internet for this now, and every bug they help your people avoid creating saves you more time and money than you may realize.

Although this is just a short list of ways to build a scalable and affordable program for creating secure apps, these five suggestions provide a great place to start from or to add to an already existing program to make “good” software.

https://www.darkreading.com/edge-articles/don-t-let-perfect-be-the-enemy-of-a-good-appsec-program

Secure Application Development

Tags: App security by design

Aug 30 2022

US-based CISOs get nearly $1 million per year

Category: CISO,Information Security,vCISODISC @ 9:12 am
US-based CISOs get nearly $1 million per year

The role of the Chief Information Security Officer (CISO) is a relatively new senior-level executive position within most organizations, and is still evolving.

To find out how current CISOs landed in that role, their aspirations, the compensation they receive, and which risks they face and responsibilities they shoulder, analysts with international executive search firm Heidrick & Struggles have asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.

The results of the survey revealed these main takeaways:

Who reports to CISOs and to whom do the CISOs report?

The main organizational functions that report to CISOs are SecOps (88%); governance, risk, and compliance (87%); penetration testing (87%); security architecture (86%); product and application security (79%); and business continuity planning or disaster recovery (79%).

OPIS

CISOs mostly report to the CIO (38%); the CTO or senior engineering executive (15%); the COO or CAO (9%); the global CISO (8%); and the CEO (8%). But 88% of them also report to the company board and/or advisory committee.

CISO roles are often terminal

Most CISOs move laterally into their current role and the career path forward for CISOs is most often to another CISO role, the analysts found.

If they were not CISOs before – and 53% of them were! – they were mostly a deputy CISO, a regional or business unit CISO, and the senior information security executive in their organization.

Many CISOs aspire to be a board member next, but that ambition is unlikely to be realized. Even though cybersecurity experience is sorely needed on boards, many boards still frequently prefer board members with prior board experience, the analysts pointed out.

The Chief Security Officer (CSO) or the Chief Information Officer (CIO) roles are also coveted by many of the respondents.

Threats CISOs are facing and personal risks they are worried about

CISOs say ransomware attacks are the most significant cyber risk to their organization (67%), followed by insider threats (32%) and nation/state attacks (31%).

On a more personal note, CISOs are most worried about stress related to the role (59%) and burnout (48%), and much less about job loss as a result of a breach (25%) or being faced with personal financial accountability for a breach (11%).

“Our survey responses here tell a few different stories,” the analysts noted.

“One is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits. The second story is that CISOs feel relatively secure in their jobs—job loss as a result of a breach wasn’t the highest risk. That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk.”

CISO compensation keeps rising

“In the United States, reported median cash CISO compensation has risen to $584,000 this year, up from $509,000 last year and $473,000 in 2020. Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $971,000 from $936,000,” the company found.

New CISOs, in particular, saw the highest rises in overall compensation – probably because talent to fill out the role is hard to find and organizations are competing fiercely to take hold of it.

In the UK, the median cash CISO compensation has risen to £318,000 this year, but there was a 14% drop in annual equity.

For those interested, Heidrick & Struggles’s report offers more granular insight on the various factors that impact CISO compensation in different geographical locations.

ciso compensation

More on:

Chief Information Security Officer

Tags: CISO, vCISO as a service

Aug 30 2022

Three campaigns delivering multiple malware, including ModernLoader and XMRig miner

Category: MalwareDISC @ 8:27 am

Researchers spotted three campaigns delivering multiple malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners

Three campaigns delivering multiple malware, including ModernLoader and XMRig miner

Cisco Talos researchers observed three separate, but related, campaigns between March and June 2022 that were delivering multiple malware, including the ModernLoader bot (aka Avatar bot), RedLine info-stealer and cryptocurrency miners to victims.

ModernLoader is a .NET remote access trojan that supports multiple features, including the capability of gathering system information, executing arbitrary commands, or downloading and running a file from the C2 server.

ModernLoader

Threat actors use PowerShell, .NET assemblies, and HTA and VBS files to perform lateral movements across a targeted network and eventually drop other pieces of malware, such as the SystemBC trojan and DCRAT. The attackers’ use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.

The attack chain starts with an HTML Application (HTA) file that runs a PowerShell script hosted on the C2 server which executes the next stage of the loading process.

“The next stage is the PowerShell loader. The loader contains embedded code of three modules, which are loaded using reflection as additional .NET assemblies into the PowerShell process space. The downloaded PowerShell code also downloads and runs auxiliary modules and payloads.” reads the analysis published by Cisco Talos. “There are usually three modules in this loader format. The first disables AMSI scanning functionality, the second is the final payload, and the last injects the payload into the process space of a newly created process, usually RegSvcs.exe.”

The final payload appears to be a ModernLoader remote access trojan (RAT) and the XMRig miner. Talos reported that the March campaigns targeted users in Eastern Europe, including Bulgaria, Poland, Hungary, and Russia.

The threat actors behind the campaigns are likely Russian-speaking actors, that are experimenting with different technologies. Experts speculate that the usage of ready-made tools demonstrates that despite the actors understanding the TTPs required for a successful malware campaign, they haven’t the technical skills to develop their own arsenal.

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

The attackers also compromised vulnerable web applications to change their configuration to use malicious PHP scripts to deliver malware to their users.

The attackers attempted to compromise WordPress and CPanel installs to distribute the malware using files masquerades as fake Amazon gift cards.

“The actor is frequently using open-source components and code generators to achieve its goals. A number of remote access tools, stealers and cryptominers are used in the campaigns to eventually reap financial benefits for the actor. The actor has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” concludes the report. “Despite all the techniques and tactics used we estimate that the success of these campaigns is limited.”

Malware Analysis

Tags: ModernLoader, XMRig miner

Aug 29 2022

NATO Investigates Dark Web Leak of Data Stolen from Missile Vendor

Category: Cyber Threats,Cyber War,Dark Web,Digital cold warDISC @ 1:23 pm

Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.

blue hacker hands over keyboard
Source: Andrey Khokhlov via Alamy Stock Photo

NATO is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web, according to a published report.

The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.

Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.

Contradicting the cyberattackers’ claims in their ads, nothing up for grabs is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company’s internal networks.

NATO, meanwhile, is “assessing claims relating to data allegedly stolen from MBDA,” a NATO official told Dark Reading on Monday.

“We have no indication that any NATO network has been compromised,” the official said.

Double Extortion

MBDA acknowledged in early August that it was “the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company’s information networks,” in a post on its website.

The company refused to pay the ransom and thus the data was leaked for sale online, according to the post.

Specifically, threat actors are selling 80GB of stolen data on both Russian- and English-language forums with a price tag of 15 bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation Friday. In fact, cybercriminals claim to already have sold data to at least one buyer.

NATO is investigating one of the firm’s suppliers as the possible source of the breach, according to the report. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States.

The company is working with authorities in Italy, where the breach occurred.

MBDA reported $3.5 billion in revenue last year and counts NATO, the US military, and the UK Ministry of Defense among its customers.

Classified Info & Ukraine

Hackers claimed in their ad for the leaked data to have “classified information about employees of companies that took part in the development of closed military projects,” as well as “design documentation, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies,” according to the BBC.

Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. One of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational, according to the report.

This might provide a clue about the motive of threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before the Russian official invasion on Feb. 24.

After the conflict on the ground began, threat actors continued to throttle Ukraine with a cyberwar to support the Russian military efforts.

The sample data viewed by the BBC also included documents labelled “NATO CONFIDENTIAL,” “NATO RESTRICTED,” and “Unclassified Controlled Information,” according to the report. At least one stolen folder contains detailed drawings of MBDA equipment.

The criminals also sent by email documents to the BBC including two marked “NATO SECRET,” according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.

Nonetheless, MBDA insists that the verification processes that the company has executed so far “indicate that the data made available online are neither classified data nor sensitive.”

https://

www.darkreading.com
/vulnerabilities-threats/nato-investigates-leak-of-data-stolen-from-missile-vendor

Cyber War

Tags: cyber threats, cyberwarfare, dark web

Aug 29 2022

Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers

Category: Security vulnerabilitiesDISC @ 11:55 am

Grab and deploy this backend update if you offer even repo read access

A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.

Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild. 

But considering the vulnerability, tracked as CVE-2022-36804, received a 9.9 out of 10 CVSS score in terms of severity, we’d suggest you stop what you’re doing and update as soon as possible as it’s safe to assume miscreants are already scanning for vulnerable instances. 

As Atlassian explains in its security advisory, published mid-last week: “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”

Additionally, the Center for Internet Security has labeled the flaw a “high” security risk for all sizes of business and government entities. These outfits typically use Bitbucket for managing source code in Git repositories.

Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too. There’s a compatibility matrix to help users find the Mesh version that’s compatible with the Bitbucket Data Center version.

And if you need to postpone a Bitbucket update, Atlassian advises turning off public repositories globally as a temporary mitigation. This will change the attack vector from an unauthorized to an authorized attack. However, “this can not be considered a complete mitigation as an attacker with a user account could still succeed,” according to the advisory.

Security researcher @TheGrandPew discovered and reported the vulnerability via Atlassian’s bug bounty program.

This latest bug follows a series of hits for the popular enterprise collaboration software maker. 

Last month, Atlassian warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of years-old, critical flaws threaten their security. It detailed the so-called Servlet Filter dispatcher vulnerabilities in its July security updates, and said the flaw allowed remote, unauthenticated attackers to bypass authentication used by third-party apps.

In June, Atlassian copped to another critical flaw in Confluence that was under active attack.

Plus, there was also the two-week-long embarrassing cloud outage that affected almost 800 customers this spring. This is less than half a percent of the company’s total customers, but still, as co-founder and co-CEO Mike Cannon-Brookes admitted on the firm’s most recent earnings call, it’s “one customer is too many.” And definitely not a good look for a cloud collaboration business. ®

https://www.theregister.com/2022/08/29/atlassian_bitbucket_critical_bug/

Guide for Atlassian Confluence and its marketplace

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: Atlassian, Critical hole

« Previous PageNext Page »