IOC Resource for Russia-Ukraine Conflict-Related CyberattacksĀ – byĀ Trend Micro
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
Mar 08 2022
CISA urges to fix actively exploited Firefox zero-days by March 21
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added recently disclosed Firefox zero-days to its Known Exploited Vulnerabilities Catalog.
The Cybersecurity and Infrastructure Security Agency (CISA) added two critical security vulnerabilities in Mozilla firefox, tracked asĀ CVE-2022-26485Ā andĀ CVE-2022-26486, to its Known Exploited Vulnerabilities Catalog. The US agency has ordered federal civilian agencies to address both issues by March 21, 2022.
Yesterday Mozilla hasĀ releasedĀ Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address the two zero-day vulnerabilities that are actively exploited in attacks.
The two vulnerabilities are āUse-after-freeā issues in XSLT parameter processing and in the WebGPU IPC Framework respectively.
Successful exploitation of the flaws can cause a program crash or execute arbitrary commands on the machine.
Below is the description of both flaws included in the advisory published by Mozilla:
- CVE-2022-26485: Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
- CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.
CISA added nine other vulnerabilities to itsĀ Known Exploited Vulnerabilities CatalogĀ that are reported in the following table along with the associated due date.
| CVE ID | Vulnerability Name | Due Date |
| CVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22 |
| CVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 03/21/22 |
| CVE-2021-21973 | VMware vCenter Server, Cloud Foundation Server Side Request Forgery (SSRF) | 03/21/22 |
| CVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 09/07/22 |
| CVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 09/07/22 |
| CVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 09/07/22 |
| CVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 09/07/22 |
| CVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 09/07/22 |
| CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 09/07/22 |
| CVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 09/07/22 |
| CVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 09/07/22 |
Mar 07 2022
CVE-2022-0492 flaw in Linux Kernel cgroups feature allows container escape
A Linux kernel flaw, tracked as CVE-2022-0492, can allow an attacker to escape a container to execute arbitrary commands on the container host.
A now-patched high-severity Linux kernel vulnerability, tracked as CVE-2022-0492 (CVSS score: 7.0), can be exploited by an attacker to escape a container to execute arbitrary commands on the container host.
The issue is a privilege escalation flaw affecting the Linux kernel feature calledĀ control groups (groups), that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
āA vulnerability was found in the Linux kernelās cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.ā reads theĀ advisoryĀ published for this flaw.
Major Linux distros, includingĀ Suse,Ā Ubuntu, andĀ Redhat,Ā also published their own advisories.
The flaw resides in the cgroups v1 release_agent functionality which is executed after the termination of any process in the group.
The root cause of the problem is the cgroups implementation in the Linux kernel that did not properly restrict access to the feature. A local attacker could exploit this vulnerability to gain administrative privileges.
The vulnerability was discovered by the security researchers Yiqi Sun and Kevin Wang.
āOn Feb. 4, Linux announcedĀ CVE-2022-0492, a new privilege escalation vulnerability in the kernel.Ā CVE-2022-0492Ā marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers.ā reads theĀ analysisĀ published by Palo Alto Networks Unit 42 researcher Yuval Avrahami. āThe issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users.ā
According to Palo Alto Networks, CVE-2022-0492 is caused by the lack of check that the process setting the release_agent file has administrative privileges (i.e. the CAP_SYS_ADMIN capability).
Attackers that can write to the release_agent file, can force the kernel into invoking a binary of their choosing with elevated privileges and take over the machine. Only processes with ārootā privileges can write to the file.
āBecause Linux sets the owner of the release_agent file to root, only root can write to it (or processes that can bypass file permission checks via the CAP_DAC_OVERRIDE capability). As such, the vulnerability only allows root processes to escalate privileges.ā continues the analysis. āAt first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem bizarre. Running as root doesnāt necessarily mean full control over the machine: Thereās a gray area between the root user and full privileges that includes capabilities, namespaces, and containers. In these scenarios where a root process doesnāt have full control over the machine, CVE-2022-0492 becomes a serious vulnerability.ā
Users are recommended toĀ applyĀ theĀ security fixes as soon as possible. Containers running AppArmor or SELinux security systems are not impacted.
LinuxĀ® Hardening in Hostile Networks
Mar 06 2022
Firefox patches two in-the-wild exploits ā update now!
Mozilla has publishedĀ Firefox 97.0.2, an āout-of-bandā update that closes two bugs that are officially listed as critical.
Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first:
We have had reports of attacks in the wild abusing [these] flaw[s].
Access to information about the bugs is still restricted to Mozilla insiders, presumably to make it harder for attackers to get at the technical details of how to exploit these security holes.
Assuming that the existing zero-day exploits are not widely known (these days, true zero-days are often jealously guarded by their discoverers because theyāre considered both scarce and valuable), temporarily limiting access to the source code changes does provide some protection against copycat attacks.
As weāve mentioned many times before on Naked Security, finding and exploiting a zero-day hole when you know where to start looking, and what to start looking for, is very much easier than discovering such a bug from scratch.
The bugs are listed as:
- CVE-2022-26485. Use-after-free in XSLT parameter processing. This bug has apparently already been exploited for remote code exection (RCE), implying that attackers with no existing privileges or accounts on your computer could trick you into running malware code of their choice simply by luring you to an innocent-looking but booby-trapped website.
- CVE-2022-26486, Use-after-free in WebGPU IPC Framework. This bug has apparently already been exploited for whatās known as a sandbox escape. This sort of security hole can typically be abused on its own (for example, to give an attacker access to files that are supposed to be off limits), or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse.
Use-after-free bugs occur when one part of a program signals its intention to stop using a chunk of memory that was allocated to itā¦
ā¦but carries on using it anyway, thus potentially trampling on data that other parts of the program are now relying on.
What to do?
Go to the About Firefox dialog to check your current version.
If you are out of date then Firefox will offer to fetch the update and then present a [Restart Firefox] button; click the button, or exit and restart the browser, to deploy the update.
The version numbers you want are: Firefox 97.0.2 (if you are using the regular release), or Firefox 91.6.1 ESR (if you are using the extended support release), or Firefox 97.3.0 for Android.
If youāre on Android, check for updates via the Play Store.
If youāre a Linux user where Firefox is managed by your distro, check your distro creator.
Mar 04 2022
What Security Engineers Hate About SIEM
SIEM Satisfaction is Mediocre
When CISOs, CIOs, CTOs, security engineers, security analysts and security architects were asked to rank the primary capabilities of a traditional SIEM according to how satisfied they were with those capabilities, an interesting picture emerged. The survey results indicated that every primary capability of traditional SIEM solutions, at best, only somewhat met the majority of usersā needs. Some capabilities were irrelevant to many users. This tepid level of satisfaction is what drove many security teams to undertake the effort to build their own security monitoring tools.
Data Coverage and Data Use
Less than 25% of the respondents believed that their SIEM covered more than 75% of their security-relevant data. Nearly 17% responded that their existing platform covered less than a quarter of their data.
Furthermore, when asked if they believed their current SIEM platform were capable of handling the volume of security data their organization will generate in the future, a third of the respondents said they expected their existing platform to keep falling behind.
These results underscore the risks security teams (and their organizations) are forced to tolerate due to the cost and overhead required to bring high volumes of security-relevant data into traditional SIEM platforms. Without full visibility into all necessary data, security teams will undoubtedly have blind spots that impede their ability to protect their organizations.
OK, so what can they do instead? Well, a cloud-native architecture capable of ingesting, normalizing and analyzing terabytes of data per day cost-effectively is necessary to keep up.
Moving From Static to Dynamic
Security professionals are well aware of the static nature of traditional SIEM platforms. Many believe they pay too much for the capabilities provided and are concerned about what the future holds.
SIEMs were designed over ten years ago when the world was a very different place. The technology hasnāt evolved its approach to keep up with the needs of cloud-scale environments. Adequate security today depends on full visibility into security-relevant data, structured, scalable data lakes, cloud-native workflows and fast detection and response times. Security teams need a modern approach to security monitoring built for the cloud-first world.
Security Information and Event Management (SIEM) ImplementationĀ
Mar 04 2022
75% of medical infusion pumps affected by known vulnerabilities
Researchers analyzed more than 200,000 network-connected medical infusion pumps and discovered that over 100,000 of them are vulnerable.
Researchers from Palo Alto Networks have analyzed more than 200,000 medical infusion pumps on the networks of hospitals and other healthcare organizations and discovered that 75% are affected by known vulnerabilities that could be exploited by attackers.
āWe reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations usingĀ IoT Security for HealthcareĀ from Palo Alto Networks.ā reads theĀ reportĀ published by Palo Alto Networks. āAn alarming 75 percent of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers. These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.ā
One of the most interesting findings that emerged from the report is that 52% of all infusion pumps analyzed by the experts were susceptible to two vulnerabilities publicly disclosed in 2019. These data are disconcerting considering that the average infusion pump has a life of eight to 10 years.
The following table reports the 10 most prevalent issues that emerged from the scan of network-connected medical devices.Ā
CVE | Severity (Score) | % of analyzed pumps with CVEs | |
| 1 | CVE-2019-12255 | 9.8 (Critical) | 52.11% |
| 2 | CVE-2019-12264 | 7.1 (High) | 52.11% |
| 3 | CVE-2016-9355 | 5.3 (Medium) | 50.39% |
| 4 | CVE-2016-8375 | 4.9 (Medium) | 50.39% |
| 5 | CVE-2020-25165 | 7.5 (High) | 39.54% |
| 6 | CVE-2020-12040 | 9.8 (Critical) | 17.83% |
| 7 | CVE-2020-12047 | 9.8 (Critical) | 15.23% |
| 8 | CVE-2020-12045 | 9.8 (Critical) | 15.23% |
| 9 | CVE-2020-12043 | 9.8 (Critical) | 15.23% |
| 10 | CVE-2020-12041 | 9.8 (Critical) | 15.23% |
Table 1. The top 10 most prevalent vulnerabilities found in the more than 200,000 inf
Experts grouped the issues is several categories, including leakage of sensitive information, unauthorized access and buffer overflow. Palo Alto Networks reported that some issues are related to third-party cross-platform libraries used by the devices, such as network stacks.Ā CVE-2019-12255Ā andĀ CVE 2019-12264Ā vulnerabilities in the TCP/IP stack IPNet.
Both flaws affect 52% of the analyzed infusion pumps, approximately more than 104,000 devices.
Palo Alto Networks recommends healthcare providers adopt a proactive security strategy to prevent attacks, below are some key capabilities to consider when evaluating IoMT security strategies and technologies for healthcare:
- Accurate discovery and inventory
- Holistic risk assessment
- Apply risk reduction policies
- Prevent Threats
āAmong the 200,000 infusion pumps we studied, 75% were vulnerable to at least one vulnerability or threw up at least one security alert. While some of these vulnerabilities and alerts may be impractical for attackers to take advantage of unless physically present in an organization, all represent a potential risk to the general security of healthcare organizations and the safety of patients ā particularly in situations in which threat actors may be motivated to put extra resources into attacking a target.ā concludes the report.
Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States – Ā cybersecurity expert Matthew WebsterĀ deliversĀ an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT),Ā the evolution of security risks that haveĀ accompanied the growth of those devices, and practical steps we can take to protectĀ ourselves,Ā Ā ourĀ data, and our hospitalsĀ from harm.Ā
Mar 03 2022
Popular open-source PJSIP library is affected by critical flaws
Researchers from JFrogās Security Research team discovered five vulnerabilities in the popularĀ PJSIPĀ open-source multimedia communication library.
PJSIP is a communication library written in C language implementing standard-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines signaling protocol (SIP) with rich multimedia framework and NAT traversal functionality into high level API that is portable and suitable for almost any type of systems ranging from desktops, embedded systems, to mobile handsets.
PJSIP supports audio, video, presence, and instant messaging, the APT supplied by the library can be used by IP telephony applications, including VoIP devices.
Many popular communication applications use the library, including WhatsApp, BlueJeans and Asterisk.
An attacker can exploit the flaws to gain arbitrary code execution on devices running applications using the vulnerable library or to trigger a denial-of-service (DoS) condition.
The list of the flaws discovered in the PJSIP library:
Open Source Security: Your Network More Secure With Open Source ToolsĀ
Mar 02 2022
How to keep your medical device IP safe from cyber attacks
Guarding intellectual property (IP) has always been a priority for medical device manufacturers as competitors and even nation states are constantly trying to compromise or steal IP. For example, in January 2019, a Chinese national who stole secrets while working for medical device companies including Medtronic and Edwards, was sentenced to over two years in federal prison. Over time, Wenfeng Lu had copied numerous documents belonging to both of his employers that contained technical information and trade secrets, took them home, and placed them on his personal laptop computer. He was arrested as he prepared to board a plane to the PRC.
It has never been easier or more profitable to hack devices for their IP. More and more medical devices have transformed from mechanical devices with limited software, to software packed devices. Companies spend billions of dollars on R&D for years upon years, only to leave vulnerabilities in the software and firmware of the devices, opening the door for hackers to waltz in, and steal their IP. Something is horribly wrong with this scenario.
Sometimes the vulnerabilities are created during the development process, and sometimes they come part and parcel from the components received from their supply chain providers. Amplifying the challenge is the shortage of parts and components caused in part by the pandemic. This is driving many manufacturers to seek alternative suppliers who can produce steady supplies.Ā With new suppliers comes the added risk of new, untested componentsĀ and the potential for many new threats and vulnerabilities.
Organizations that wish to secure their IP from theft and misuse need to do a much better job at securing the devices that they produce.
Whatās at stake
Stolen intellectual property enables hackers to re-engineer and sell the same device with a fraction of the investment in R&D. Wenfeng Lu for example had obtained financing and was preparing to open a company in the PRC that would manufacture devices used to treat vascular problems and would use technology he had stolen from his American employers, according to court documents.
The Commission on the Theft of American Intellectual Property estimates that annual costs from IP losses range from $225 billion to $600 billion. IP infringement may significantly affect a companyās revenue and put downward pressure on its prices. If a competitor steals a companyās product trade secrets, it may beat that company to market with a new and innovative product, undercutting the victimās market share.
Medical device companies face a very competitive environment, increasing the incentive for IP theft. Stealing IP using online hacking techniques has become more widespread and harmful due to low costs, difficult attribution and the ability to remotely hack systems.
The device is the target
While it is true that the IP can leak from internal sources and insider threats, IP is being hacked more and more through cyber-attacks on the device itself. For example, a recent case was reported where a Massachusetts medical device engineering company experienced hacking of source code for its medical devices and algorithms, essential to operate the devices. Devices reside at the customerās location and can often be accessed, investigated and reverse engineered at the attackerās leisure.
New Common Vulnerabilities and Exposures (CVEs) frequently appear and risk assessments are often only sporadically executed during the development process, and not done at all after the product is launched. This means that there are significant time periods when devices are wide open to hacks, allowing hackers to steal software and firmware algorithms and disappear, without anyone ever knowing they were there.
Hardening the device
Protecting IP assets is a business-critical task. Protecting the IP on a device requires a holistic approach to device security. Locking down the interfaces, as well as protecting the software code and firmware, is crucial for defending against IP theft. While there is no guarantee of protection, the goal is to increase the level of difficulty to the point where there are many more obstacles, and more time and cost required for hacking the device.
Itās imperative that medical manufacturers defend themselves from IP theft, including targeted cyber-attacks. To protect IP, enterprises need product security systems that automatically and continuously monitor medical device software and firmware, uncovering known and zero day vulnerabilities.
Protecting the code
The software and firmware running the device are a valuable target for attackers. Adding layers of protection to make the code less accessible to attackers, is essential to securing IP. This includes uncovering errors in the code that could allow attackers to enter, encryption of the data and storage, and using obfuscation techniques to make reverse engineering more challenging.
Manufacturers should employ continuous vulnerability assessments of the software deployed on medical devices, using vulnerability databases. They should ensure that the cybersecurity platform they enlist is also able to detect zero-day vulnerabilities. The monitoring should stretch through the entire lifecycle from design to end-of-life of the device. The solution should also be able to output software bill of materials (SBOM) or cyber bill of materials (CBOM) and remediation options for any threats or vulnerabilities discovered.
Keeping products secure
One of the most effective ways to secure the IP on a device is to eliminate the easiest method for hacking the device, known vulnerabilities. Attackers scan targets for known and published vulnerabilities to use as starting points for attacks.Ā Vulnerability managementĀ requires continuous monitoring of threats and vulnerabilities throughout the product lifecycle. Late discovery or lack of proper remediation of discovered vulnerabilities can lead to costly recalls, and damage to brand and bottom line.
Mar 02 2022
NVIDIA discloses data breach after the recent ransomware attack
Chipmaker giant Nvidia confirmed a data breach after the recently disclosed security incident, proprietary information stolen.
The chipmaker giant Nvidia was recentty victim of aĀ ransomware attackĀ that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the incident.
The incident also impacted the companyās developer tools and email systems, but business and commercial activities were not affected.
āOur business and commercial activities continue uninterrupted,āĀ Nvidia said in a statement. āWe are still working to evaluate the nature and scope of the event and donāt have any additional information to share at this time.ā
The Lapsus$ ransomware gang is claiming responsibility for this attack, the group announced to have stolen 1 TB of data from Nvidiaās network. The ransomware gang leaked online around 20GB of data, including credentials for all Nvidia employees.
The company launched an investigation into the incident to determine the extent of the intrusion that confirmed that the attackers have stolen data from the chipmaker.
NVIDIA said employee credentials and proprietary information were stolen during a cyberattack they announced on Friday.
The chipmaker giant discovered the intrusion on February 23, the attack also impacted its IT resources.
āAccess to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,ā the group claimed in a subsequent message.ā the LAPSU$ ransomware gang wrote on its Telegram change. āHowever we have a backup and itās safe from scum! We are not hacked by a competitors groups or any sorts.ā
Below is the statement shared by NVIDIA with some websites andĀ publishedĀ by BleepingComputer.
āOn February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.āĀ reads the statement. āWe have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.ā
Big Breaches: Cybersecurity Lessons for Everyone
Mar 01 2022
CISA and FBI warn of potential data wiping attacks spillover
US CISA and the FBI warned US organizations that data wiping attacks targeting Ukraine entities could spill over to targets worldwide.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint cybersecurity advisory to warn US organizations of data wiping attacks targeting Ukraine that could hit targets worldwide.
The advisory warns of the potential effects of the two destructive malware, tracked asĀ WhisperGateĀ andĀ HermeticWiper, on organizations worldwide.
The US agencies believe that further disruptive data wiping attacks could target organizations in Ukraine and may unintentionally spill over to organizations in other countries.
This joint Cybersecurity Advisory (CSA) provides information on the two wipers as well as indicators of compromise (IOCs) that could be used by defenders to detect and prevent infections. The advisory also provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.
āDestructive malware can present a direct threat to an organizationās daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.ā reads theĀ advisory. āOrganizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.ā
Below is the list of actions recommended to the organizations:
ā¢ Set antivirus and antimalware programs to conduct regular scans.
ā¢ Enable strong spam filters to prevent phishing emails from reaching end users.
ā¢ Filter network traffic.
ā¢ Update software.
ā¢ Require multifactor authentication.
The advisory also includes recommendations for System and Application Hardening and Recovery and Reconstitution Planning along with Incident Response instructions.
Blackout Warfare: Attacking The U.S. Electric Power Grid A Revolution In Military AffairsĀ
Feb 28 2022
Cyber security for construction businesses
Feb 28 2022
Take a dev-centric approach to cloud-native AppSec testing
While some applications are still being built on a monolithic (all-in-one) architecture ā i.e., all components in a single code base, on a single server, connected to the internet ā an increasing number of them is now based on the microservices architecture, with each application microservice a self-contained functionality, āhousedā in a container managed by an orchestrator like Kubernetes, deployed on the cloud (public or private), and communicating with other application microservices over the network in runtime.
But with applications no longer self-contained, security vulnerabilities are no longer present just in the code; vulnerabilities can āstartā on one microservice, go through multiple components, and āfinishā on a different microservice.
āWe are no longer dealing with just vulnerabilities, but also with vulnerable flows between microservices. On top of that, as cloud-native applications are built on multiple infrastructure layers ā the container, the cluster, and the cloud ā they way these layers are configured affects what a hacker can do with these vulnerabilities,ā notes Ron Vider, one of the co-founders and the CTO of Oxeye.
Modern architectures require modern AppSec testing solutions
This dramatic change in how applications are structured has made traditional approaches to application security ineffectual and has created security blind spots for AppSec and DevOps teams.
āOld-schoolā software composition analysis (SCA) and static, dynamic, and interactive application security testing (SAST, DAST, IAST) tools are run independently, are not synchronized with one another, and are unable to cross-reference and use enriched data from other code layers in the environment. The incomplete and inaccurate results they provide when testing cloud-native apps have made it obvious that a new approach and new, better tools are needed.
OxeyeĀ is one such tool. It essentially combines all AST methodologies with a new generation of security control assessment capabilities and, as a result, excels in finding and correctly prioritizing vulnerabilities in cloud-native applications that need to be addressed. It helps clear the noise of false positives/negatives delivered by legacy solutions, and allows developers and AppSec teams to focus on high-risk, critical vulnerabilities.
Getting started with Oxeye is fantastically easy: you need to deploy a single component (Oxeye Observer) into your staging or testing environment, and you do it by using a single YAML file containing its definitions.
āThe Oxeye Observer immediately starts running within the cluster and starts it automatic discovery process,ā Vider told Help Net Security.
āFirst it analyzes the infrastructure to understand how the application is configured, and it does that by communicating with the with the Docker API, the containerd API, the Kubernetes API and the cloud provider API, and fetching the relevant configuration. Then, it detects potential vulnerabilities in the code (the applicationās code and the third-party components). Next, it analyzes the communication between the different components and traces their flow. Finally, it validates the found vulnerabilities by sending payloads to the application and analyzing its behavior, to understand whether itās exploitable or not.ā
Feb 27 2022
Help Net Security: Healthcare Cybersecurity Report has been released
Help Net Security newest report takes a closer look at one of the most targeted industries today ā healthcare.
As exhausted healthcare professionals struggle with an extraordinary situation, their IT departments face critical skills and staffing shortages. Routine security measures may fall by the wayside, breaches may go undetected for weeks, and efforts to validate the security measures undertaken by affiliates and third parties may fall short.
The idea behind the Help Net Security: Healthcare Cybersecurity Report is to provide you with an overview of the information security issues healthcare is dealing with, offer expert insight on what is needed to move defense capabilities in the right direction, and provide food for thought for those working to protect healthcare infrastructures worldwide.
Published Q1 2022
Since the start of the COVID-19 pandemic, security incidents at healthcare organizations have become more common. This not only increased costs for an already struggling industry, but inflicted a burden on the individuals whose personal information was exposed.
TheĀ Help Net Security: Healthcare Cybersecurity ReportĀ provides you with an overview of the information security issues healthcare is dealing with, offer expert insight on what is needed to move defense capabilities in the right direction, and provide food for thought for those working to protect healthcare infrastructures worldwide.
Feb 26 2022
Fileless SockDetour backdoor targets U.S.-based defense contractors
Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.
Cybersecurity researchers from Palo Alto Networksā Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.
According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.
Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (akaĀ DEV-0322), threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539)Ā and ServiceDesk Plus vulnerability (CVE-2021-44077). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.
SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by TiltedTemple operators revealed the presence of other miscellaneous tools, including memory dumping tool and several webshells.
āSockDetour is a backdoor that is designed to remain stealthily on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,ā reads the analsysi published by Palo Alto Networks. āIt is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.ā
Once SockDetour is injected into the processās memory, it hijacks legitimate processesā network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.
According to Microsoft DEV-0322 is an APT group based in China, which employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure.
Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.
At least four defense contractors were targeted by the threat actor, and one of them was compromised.
SockDetour was delivered from an external FTP server, a compromised QNAP to a U.S.-based defense contractorās internet-facing Windows server on July 27, 2021. The researchers speculate the QNAP NAS server was previously infected withĀ QLockerĀ ransomware.
āWhile it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time.ā concludes the report.
Feb 25 2022
Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing
The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel.
The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151.
In mid-January, the government of Kyiv attributed the defacement of tens of Ukrainian government websites to Belarusian APT group UNC1151. Defaced websites were displaying the following message in Russian, Ukrainian and Polish languages.
āUkrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.ā reads a translation of the message.
In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites. According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.
Unlike other disinformation campaigns, GhostWriter doesnāt spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
Now Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters, that the Ukrainian government blamed the UNC1151 APT group. Demedyuk explained that the attacks were carried out to cover for more destructive actions behind the scenes.
The nation-state group is using the compromised accounts to target contacts in the victimsā address books. Attackers spear-phishing messages have been sent from email accounts using the domainsĀ
i.ua-passport.space
Ā andĀ id.bigmir.space
.
The phishing messages used a classic social engineering technique in the attempt to trick victims into providing their information to avoid the permanent suspension of their email accounts.
The phishing attacks are also targeting Ukrainian citizens, reported the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).
Phishing and Communication Channels: A Guide to Identifying and Mitigating Phishing Attacks
Feb 24 2022
Iranian Broadcaster IRIB hit by wiper malware
Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.
An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January, revealed the involvement of a disruptive wiper malware along with other custom-made backdoors, and scripts and configuration files used to install and configure the malicious executables.
Researchers from CheckPoint that investigated the attack reported that the attackers used a wiper malware to disrupt the stateās broadcasting networks, damaging both TV and radio networks.
According to the experts, the effects of the attack were more serious than officially reported.
Check Point was not able to find any evidence that demonstrates a previous use of these tools, or attribute them to a specific threat actor.
During the attack, threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi along with the image of Ayatollah Khamenei crossed out with red lines andĀ the declaration āSalute to Rajavi, death to (Supreme Leader) Khamenei!.āĀ
āDuring a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,ā IRIB said.
āOur colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,ā Deputy IRIB chief Ali DadiĀ told state TV channel IRINN.
āSimilar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,ā he added, referring to other state-affiliated broadcast channels.
The experts discovered two identical .NET samples named msdskint.exe that were used to wipe the files, drives, and MBR on the infected devices, making them unusable.
The malware has also the ability to clear Windows Event Logs, delete backups, kill processes, and change usersā passwords.
The report details the use of four backdoors in the attack:
- WinScreeny, used to make screenshots of the victimās computer;
- HttpCallbackService, a Remote Administration Tool (RAT);
- HttpService, another backdoor that listens on a specified port;
- ServerLaunch, a C++ dropper.
Iranian officials attribute the attack to MEK, however, the opposition group itselfĀ deniesĀ any involvement.
The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the nationalĀ railway services, the transportation ministry, and theĀ Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.
āThe use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging toĀ Indra,Ā who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1!Ā for this attack andĀ Aa153![random sequence]Ā in Indraās case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks happened in Iran.ā the researchers conclude.
Ransomware Protection Playbook
Feb 23 2022
A comparison of NDR solutions: Deep packet inspection (DPI) vs. metadata analysis
DPI has become popular since it provides very detailed traffic analysis. However, this approach requires designated hardware sensors and large amounts of processing power, while at the same time being blind to encrypted network traffic and only analysing data flowing over the mirrored infrastructure.
Metadata analysis (MA) overcomes these limitations to provide detailed and insight-enriched visibility into the entire network. In addition, MA is completely unaffected by encryption and ever-increasing network traffic. These advantages make MA-based NDR solutions a superior and future-proof alternative to NDR solution relying on deep packet inspection.
Modern organisations are characterised by complex IT environments and expanding attack surfaces. To protect themselves, they need a robust cyber architecture with a reliable Network Detection and Response (NDR) solution. NDR is crucial to detect suspicious behaviours and malicious actors, and quickly respond to threats. NDR tools continuously analyse traffic to build models of ānormalā behaviour on enterprise networks, detect suspicious traffic, and raise alerts.
Traditional NDR solutions rely on deep packet inspection (DPI). This approach supports detailed analysis and has thus become quite popular. But as data volumes increase and network traffic becomes increasingly encrypted, such solutions are becoming inadequate to protect enterprise networks moving forward. What organisations now need is a more future-proof NDR solution relying on metadata analysis.
In this article, we explore and compare two NDR approaches: deep packet inspection and metadata analysis. We will examine why metadata analysis is a superior detection technology to protect IT/OT networks from advanced cyber threats.
What is deep packet inspection and how does it work?
Deep packet inspection is the traditional approach to NDR. DPI monitors enterprise traffic by inspecting the data packets flowing across a specific connection point or core switch. It evaluates the packetās entire payload, i.e., its header and data part to look for intrusions, viruses, spam, and other issues. If it finds such issues, it blocks the packet from going through the connection point.
DPI relies on traffic mirroring. In effect, the core switch provides a copy (āmirrorā) of the network traffic to the sensor that then uses DPI to analyse the packetās payload. Thus, DPI provides rich information and supports detailed analysis of each packet on the monitored connection points. This is one of its biggest benefits.
However, its drawbacks outnumber this benefit. As network traffic continues to increase and IT environments become increasingly complex and distributed, DPI is reaching its limits.
Why DPI canāt detect or prevent advanced cyberattacks
Feb 22 2022
Why DDoS is still a major attack vector and how to protect against it
What is a DDoS attack?
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks arenāt new cyberattack vectors; They go all the way back to the early 1970s when modern commercial and enterprise networks emerged.
DDoS is a cyberattack in which the adversary seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. It doesnāt peruse any private data or get control over the targetās infrastructure; it just aims to bring the service down.
In todayās world, specifically with COVID, which accelerated organizationsā digital transformation, web presence is a must for just about any business. In this environment, DDoS attacks can be very destructive.
Main ingredients of DDoS attacks
Ingredient # 1 ā Botnet
A botnet is a group of infected, compromised machines with malware controlled by malicious software without the knowledge of the machine owner. It ranges from ordinary home or office PCs to IoT devices. Compromised machines called bots or āzombiesā are used to launch DDoS attacks, spread SPAM, or perform other malicious activities orchestrated by the attacker.
One of the most infamous Botnets is āMirai,ā which used hundreds of thousands of hijacked IoT devices. The creators of the Mirai botnet, Josiah White, Paras Jha, and Dalton Norman, who were all between 18 and 20 years old when they built Mirai, managed to hijack IoT devices by scanning the Internet for vulnerable IoT devices with factory-set usernames and passwords, log into them, and infect them with the Mirai malware.
The Mirai botnet was used in multiple DDoS attacks between 2014 and 2016 and, when the creators felt the heat coming from the authorities, they published the Mirai source code in a Hackersā forum in an attempt to cover their tracks. All three were eventually indicted, plead guilty, and are now fighting crime with the FBI. Amazing how life turns out.
Just like we have COVID variants and mutations, Mirai also evolved and its source code mutations have been used in the wild by hackers. Okiru, Satori/Fbot, Masuta, Moobot, and more than 60 other Mirai variants are out there.
Ingredient # 2 ā Command and Control
Feb 22 2022
Microsoft Safety Scanner
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
Ā Note
Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, seeĀ 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
Important information
- The security intelligence update version of the Microsoft Safety Scanner matches the version describedĀ in this web page.
- Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
- Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
- This tool does not replace your antimalware product. For real-time protection with automatic updates, useĀ Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8Ā orĀ Microsoft Security Essentials on Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help onĀ removing difficult threats.
System requirements
Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to theĀ Microsoft Lifecycle Policy.
How to run a scan
- Download this tool and open it.
- Select the type of scan that you want to run and start the scan.
- Review the scan results displayed on screen. For detailed detection results, view the log at %SYSTEMROOT%\debug\msert.log.
To remove this tool, delete the executable file (msert.exe by default).
For more information about the Safety Scanner, see the support article onĀ how to troubleshoot problems using Safety Scanner.
Related resources
- Troubleshooting Safety Scanner
- Microsoft Defender Antivirus
- Microsoft Security Essentials
- Removing difficult threats
- Submit file for malware analysis
- Microsoft antimalware and threat protection solutions
Recommended content
- Microsoft Security Advisory 3033929
- Trojan malware – Windows security Trojans are a type of threat that can infect your device. This page tells you what they are and how to remove them.
- Prevent malware infection – Windows security Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer.
- use the System Configuration utility – Windows Client Describes how to use the System Configuration utility to troubleshoot errors that may prevent from starting correctly.
« Previous Page — Next Page »
