InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The investigation started in November after Google TAG published a blog post about watering-hole attacks targeting macOS users in Hong Kong.
Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering-hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was unpatched in macOS Catalina.
The watering-hole campaign targeted the websites of a media outlet and of an important pro-democracy labor and political group. The researchers discovered that the compromised sites hosted two iframes that were used to serve iOS and macOS exploits to visitors.
The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.
One of the websites used to infect HK dissidents fightforhk[.]com seems to have been created from scratch for that unique purpose. Do not hesitate to check your logs/mails/SMS/private messages etc. against this domain. [1/2] pic.twitter.com/TfTSN5pqbf
Researchers also found that the legitimate website of the Hong Kong pro-democracy radio station D100 had been compromised to distribute the same exploit before the Google TAG report.
“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It’s interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out,” reads the analysis published by ESET.
The “Known Exploited Vulnerabilities Catalog” is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.
, recently addressed by SolarWinds in Serv-U products, that threat actors are actively exploiting in the wild. The company pointed out that all the attack attempts failed.
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation
Google Project Zero researcher Natalie Silvanovich disclosed details of two zero-day vulnerabilities in Zoom clients and Multimedia Router (MMR) servers. An attacker could have exploited the now-fixed issues to crash the service, execute malicious code, and even leak the contents of portions of memory.
The researcher focused her search for bugs on the Zoom client software, including zero-day issues that allowed her to take over the victim’s system without requiring any user interaction.
The two vulnerabilities were fixed on November 24, 2021; they are a buffer overflow and an information leakage issue, tracked as CVE-2021-34423 and CVE-2021-34424 respectively.
CVE-2021-34423 is a buffer overflow issue that received a CVSS score of 9.8. An attacker can trigger the vulnerability to execute arbitrary code or crash the service or application.
The experts focused their analysis on the RTP (Real-time Transport Protocol) traffic used for audio and video communications. Silvanovich discovered that manipulating the contents of a buffer that supports reading different data types, by sending a malformed chat message, could trigger the flaw and crash the client and the MMR server.
“Note that the string buffer is allocated based on a length read from the msg_db_t buffer, but then a second length is read from the buffer and used as the length of the string that is read. This means that if an attacker could manipulate the contents of the msg_db_t buffer, they could specify the length of the buffer allocated, and overwrite it with any length of data (up to a limit of 0x1FFF bytes, not shown in the code snippet above),” reads the analysis published by Project Zero. “I tested this bug by hooking SSL_write with Frida, and sending the malformed packet, and it caused the Zoom client to crash on a variety of platforms.”
CVE-2021-34424 is a process memory exposure flaw that received a CVSS score of 7.5. An attacker can trigger the flaw to potentially gain insight into arbitrary areas of the product’s memory.
The second flaw is caused by a missing NULL check that allows an attacker to leak data from memory by joining a Zoom meeting via a web browser.
“This bug allows the attacker to provide a string of any size, which then gets copied out of bounds up until a null character is encountered in memory, and then returned. It is possible for CVE-2021-34424 to return a heap pointer, as the MMR maps the heap that gets corrupted at a low address that does not usually contain null bytes, however, I could not find a way to force a specific heap pointer to be allocated next to the string buffer that gets copied out of bounds. C++ objects used by the MMR tend to be virtual objects, so the first 64 bits of most object allocations are a vtable which contains null bytes, ending the copy,” continues the analysis.
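Both Zoom bugs come from a reader that trusts lengths it finds in the message: CVE-2021-34423 allocates from one length field and then copies using a second, unchecked one, and CVE-2021-34424 copies "until a NUL byte" instead of for a known length. The example below is added here for illustration and is not Project Zero's or Zoom's code; the real parser is C++, but the validation logic is the same in any language, so it is written in Python so that the checks can be exercised directly. The record layout (u16 alloc_len | u16 copy_len | data) is a constructed stand-in, since the page does not describe the real msg_db_t format.

```python
import struct

MAX_STRING_LEN = 0x1FFF  # upper bound on the copy quoted in the Project Zero write-up


class MalformedMessage(ValueError):
    """Raised when a record's declared lengths disagree with each other or with the data."""


def parse_string_record(buf: bytes, offset: int = 0) -> tuple:
    """Parse one record laid out as: u16 alloc_len | u16 copy_len | copy_len bytes.

    The layout is a constructed stand-in (assumption) for illustration. The two
    checks below are the ones a reader that allocates from one length and copies
    from another must have; the vulnerable reader had neither.
    """
    if len(buf) - offset < 4:
        raise MalformedMessage("header truncated")
    alloc_len, copy_len = struct.unpack_from("<HH", buf, offset)
    if alloc_len > MAX_STRING_LEN:
        raise MalformedMessage("declared allocation exceeds protocol maximum")
    # Check 1: the length used for the copy may not exceed the length used for the allocation.
    if copy_len > alloc_len:
        raise MalformedMessage(f"copy length {copy_len} exceeds allocation {alloc_len}")
    start = offset + 4
    # Check 2: the copy may not run past the end of the data actually received.
    if start + copy_len > len(buf):
        raise MalformedMessage("string extends past end of message")
    raw = buf[start:start + copy_len]
    return raw.decode("utf-8", errors="replace"), start + copy_len


def build_record(alloc_len: int, data: bytes) -> bytes:
    """Constructed encoder for test input; lets a caller declare inconsistent lengths."""
    return struct.pack("<HH", alloc_len, len(data)) + data


# --- The second bug: copying "until a NUL byte" instead of for a validated length ---

def copy_until_nul(memory: bytes, start: int) -> bytes:
    """Bug pattern behind the leak: with no length bound, the copy keeps going past the
    end of the intended string until some NUL byte happens to appear in memory."""
    end = memory.find(b"\x00", start)
    return memory[start:] if end == -1 else memory[start:end]


def copy_bounded(memory: bytes, start: int, length: int) -> bytes:
    """Fixed pattern: the copy length comes from the validated record, not from memory contents."""
    if start + length > len(memory):
        raise MalformedMessage("bounded copy would exceed buffer")
    return memory[start:start + length]


if __name__ == "__main__":
    print(parse_string_record(build_record(5, b"hello")))
    # Constructed memory image: a 5-byte string with no terminator, followed by another object.
    heap = b"hello" + b"SECRET\x00"
    print("unbounded copy leaks:", copy_until_nul(heap, 0))
    print("bounded copy:", copy_bounded(heap, 0, 5))
```

The `heap` value in the demo is a constructed memory image, not data from the write-up; it shows why a copy that stops only at a NUL byte returns the neighbouring allocation, which is exactly the leak described above, and why the fix is to carry the validated length through to the copy.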
The researcher pointed out that the lack of ASLR in the Zoom MMR process exposed users to the risk of attacks; the good news is that Zoom has recently enabled it.
Project Zero experts also pointed out that the closed nature of Zoom heavily impacted the analysis. Unlike most video conferencing systems, Zoom uses a proprietary protocol, which makes it hard to analyze.
“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich concludes. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”
“Definitely worse” The platform has yet to confirm that it has indeed been attacked [but] Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts.” … A household name in Asian markets, the Singapore-based exchange recently spent $700 million to buy the naming rights to the Staples Center, the Los Angeles home venue of the NBA’s Lakers and Clippers. … Events took a turn for the worse when security research company Peckshield [said] Crypto.com has lost at least 4,600 ETH (around $15 million in current prices) [and] that the true scale of the damage is “definitely worse.” … Peckshield added that half of the stolen funds were sent to Tornado Cash, the Ethereum-centric mixing service. … Remarkably, a few hours later, Crypto.com CEO Kris Marszalek said that no customer funds were lost.
“$16.3 million” Several users had reported on social media that their cryptocurrencies, at times equating to tens of thousands of dollars, had disappeared from their Crypto.com accounts in recent days. … Technical issues on crypto trading platforms have become commonplace as the hype surrounding digital assets grows. … Crypto influencer and podcast host Ben Baller said in a tweet on Monday that around 4.28 Ether, which equates to roughly $14,000, had been “stolen out of nowhere” [despite] two-factor authentication security measures. … Baller later alleged … a wallet belonging to Crypto.com had lost approximately 5,000 Ether, which equates to roughly $16.3 million. … A spokesperson from Crypto.com didn’t respond to a request for comment.
The credentials are contained in files that common info-stealers and keyloggers use to exfiltrate them from infected machines.
These files can end up hosted on VirusTotal because hackers use VirusTotal to promote the sale of victims’ data, or because attackers upload them by mistake, Tomer Bar, Director of Security Research at SafeBreach, told Help Net Security.
They may also be uploaded by third parties (e.g., a security researcher or the company where the C2 server is hosted) who are unaware that they contain sensitive information. Finally, some environments are configured to automatically upload files to VirusTotal to verify whether they are “clean”.
Finding the files with stolen credentials
Just like Google Search can be used to search for vulnerable websites/systems, IoT devices, and sensitive data (the method is known as Google hacking or dorking), VirusTotal’s APIs and tools (VT Graph, Retrohunt, etc.) can be used to find files containing stolen data.
To prove it, the researchers compiled a list of those files’ names, acquired a monthly VirusTotal license that allowed them to run searches, explore VirusTotal’s dataset, and perform malware hunts, and started searching for them.
It didn’t take long to find some. Depending on the malware, these files contain credentials for email and social media accounts, e-commerce sites, online payment services, gaming platforms, online government services, streaming platforms, online banking accounts, and the private keys of cryptocurrency wallets.
They’ve also connected some of these files to specific sellers of stolen credentials on a variety of hacking forums and Telegram groups, and have shown that in some cases it may be easy for criminals to discover credentials for accessing a malware’s C2 FTP server and use them to “collect” stolen credentials.
“Our goal was to identify the data a criminal could gather with a VirusTotal license,” Bar noted, and said that they have proven this method, dubbed “VirusTotal Hacking”, works at scale.
“A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity. After victims are hacked by the original hacker, most have little visibility into what sensitive information is uploaded and stored in VirusTotal and other forums.”
The researchers urged Google, the owner of VirusTotal via its subsidiary Chronicle, to periodically search for and remove files with sensitive user data and ban the API keys that upload those files, and to add an algorithm that disallows uploads of files that contain sensitive cleartext data or encrypted files with the decryption password attached (either as text or included in an image).
They also pointed out that malware’s unsecured C2 communication protocols should be exploited by defenders, in concert with hosting companies, to sinkhole or terminate C2 servers.
As a final side note, stolen credentials are not the only sensitive information that can occasionally be found on VirusTotal:
A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported.
Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses. The platform supports 2FA based on an authenticator application or SMSs.
Varonis Threat Labs researchers disclosed the vulnerability via HackerOne and the company fixed it in November 2021.
Upon attempting to log into a Box account, the platform sets a session cookie and redirects the user to a form where they need to provide the time-based one-time password (TOTP) generated with an authenticator app (at /mfa/verification) or a code received via SMS (at /2fa/verification).
The researchers pointed out that if the user does not navigate to the SMS verification form, no SMS message is sent, even though the session cookie has already been generated. A threat actor can therefore provide the user’s email and password to obtain a valid session cookie, bypassing SMS-based 2FA.
An attacker can easily obtain login credentials for a targeted user from past data breaches or through phishing attacks.
When the user adds an authenticator app, the Box platform assigns a factor ID and, at login, they are required to provide a one-time password generated by the app along with the credentials.
The experts devised a method to bypass MFA for accounts where SMS-based MFA is enabled by abandoning the SMS-based verification process and initiating TOTP-based MFA instead, technically mixing the MFA modes.
The attacker could access the victim’s account using the correct username and password, but providing a factor ID and code from a Box account and authenticator app associated with an account under their own control.
“After the cookie is generated, the threat actor can abandon the SMS-based MFA process (which is what the user is enrolled in) and instead initiate the TOTP-based MFA process, thus mixing MFA modes,” reads the analysis published by Varonis.
“The attacker completes the authentication process by posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint using the session cookie they received by providing the victim’s credentials. Box did not verify whether the victim was enrolled in TOTP verification and did not validate that the authenticator app used belonged to the user that was logging in. This made it possible to access the victim’s Box account without the victim’s phone and without notifying the user via SMS.”
Below is the attack flow devised by the experts:
Attacker enrolls in multi-factor authentication using an authenticator app and stores the device’s factor ID.
Attacker enters a user’s email address and password on account.box.com/login.
If the password is correct, the attacker’s browser is sent a new authentication cookie and redirected to /2fa/verification.
The attacker, however, does not follow the redirect to the SMS verification form. Instead, they pass their own factor ID and code from the authenticator app to the TOTP verification endpoint, /mfa/verification.
The attacker is now logged in to the victim’s account and the victim does not receive an SMS message.
The platform did not check whether the user logging in was actually the one enrolled in TOTP-based MFA, or whether the authenticator app belonged to the account that was attempting to log in.
This trick allowed an attacker to log into the victim’s Box account, bypassing SMS-based 2FA.
“We want to underscore that MFA implementations are prone to bugs, just like any other code. MFA can provide a false sense of security. Just because MFA is enabled doesn’t necessarily mean an attacker must gain physical access to a victim’s device to compromise their account,” Varonis concludes.
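The fix for a mixed-mode bypass like this lives on the server: the factor submitted to the TOTP endpoint has to be bound to the account named in the session cookie, and the endpoint has to refuse accounts that are not enrolled in that mode at all. The sketch below is an added example, not Box's or Varonis's code, and models that binding in Python; the `Factor`, `Session` and `users` structures and the `check_code` callback (a stand-in for real TOTP validation) are assumptions made for the example. `demo_mixed_mode_rejected` replays the attack flow listed above against the hardened check.

```python
from dataclasses import dataclass


@dataclass
class Factor:
    factor_id: str
    kind: str      # "sms" or "totp"
    owner: str     # email of the account that enrolled this factor


@dataclass
class Session:
    user: str                       # identity bound to the cookie at the password step
    password_verified: bool = False
    mfa_complete: bool = False


class VerificationError(Exception):
    pass


def verify_totp_step(session: Session, users: dict, factor_id: str, code: str, check_code) -> Session:
    """Hardened handler for the TOTP verification endpoint (/mfa/verification in the write-up).

    `users` maps email -> list[Factor]; `check_code(factor, code)` stands in for real
    TOTP validation (assumption). The three checks the vulnerable flow lacked:
      1. the account in the session must actually be enrolled in TOTP;
      2. the submitted factor ID must belong to that same account;
      3. only then is the one-time code checked against that factor.
    """
    if not session.password_verified:
        raise VerificationError("password step not completed")
    own_totp = [f for f in users.get(session.user, []) if f.kind == "totp"]
    if not own_totp:
        # Enrolled in SMS only: this endpoint must not be reachable for the account at all.
        raise VerificationError("account is not enrolled in TOTP")
    factor = next((f for f in own_totp if f.factor_id == factor_id), None)
    if factor is None or factor.owner != session.user:
        # A factor ID from some other account (the attacker's) is rejected here.
        raise VerificationError("factor does not belong to the authenticating account")
    if not check_code(factor, code):
        raise VerificationError("bad code")
    session.mfa_complete = True
    return session


def demo_mixed_mode_rejected() -> bool:
    """Replay the mixed-mode flow with constructed accounts; True if it is blocked."""
    users = {
        "victim@example.com": [Factor("F-VICTIM-SMS", "sms", "victim@example.com")],
        "attacker@example.com": [Factor("F-ATTACKER-TOTP", "totp", "attacker@example.com")],
    }
    # Cookie obtained with the victim's credentials; the SMS form was never visited.
    session = Session(user="victim@example.com", password_verified=True)
    # The attacker's code is valid for the attacker's own app, so assume the code check passes;
    # the binding checks must stop the request before the code is ever consulted.
    def attacker_code_is_valid(factor, code):
        return True
    try:
        verify_totp_step(session, users, "F-ATTACKER-TOTP", "123456", attacker_code_is_valid)
    except VerificationError:
        return not session.mfa_complete
    return False


if __name__ == "__main__":
    print("mixed-mode attempt rejected:", demo_mixed_mode_rejected())
```

The ordering matters: enrollment and ownership are checked before the code, so a valid code for someone else's factor never reaches the code check, and the SMS-only account never gets a TOTP path at all.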
Microsoft has released emergency out-of-band (OOB) updates for Windows to address multiple issues caused by security updates issued as part of the January 2021 Patch Tuesday.
The January updates for Windows Server were causing a series of issues for administrators: multiple administrators reported anomalous reboots of Windows domain controllers, and Hyper-V no longer starting on Windows servers.
Reports also claim that Windows Resilient File System (ReFS) volumes were no longer accessible after the installation of the January 2021 updates.
Some administrators and users reported problems with L2TP VPN connections on Windows 10 after installing the recent Windows 10 and Windows 11 cumulative updates.
“Microsoft is releasing out-of-band (OOB) updates for some versions of Windows today, January 18, 2022,” the company said. “This update fixes issues related to VPN connectivity, Windows Server domain controller restarts, virtual machine startup failures, and ReFS-formatted removable media that fails to mount.”
The OOB updates can be downloaded from the Microsoft Update Catalog if they are not installed directly from Windows Update as optional updates.
Emergency out-of-band (OOB) updates delivered through Windows Update are optional updates and have to be installed manually.
Below are the updates that can only be downloaded through the Microsoft Update Catalog:
Microsoft said today that it has observed a destructive attack taking place in Ukraine where a malware strain has wiped infected computers and then tried to pass as a ransomware attack, but without providing a ransomware payment and recovery mechanism.
“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” the Microsoft Threat Intelligence Center said in a blog post late Saturday night.
The OS maker said the affected systems belong to multiple government agencies, non-profits, and information technology organizations, all based in Ukraine.
Microsoft said it has not yet identified the distribution vector or if the attack spread beyond the original Ukrainian targets.
The attack does not appear to be at the same scale and virality as the NotPetya and BadRabbit wiper events that targeted Ukrainian organizations in June and November 2017, respectively, and then spread all across the world.
Just like the NotPetya and BadRabbit wipers, Microsoft said, this recent one also comes with a component that overwrites a computer’s Master Boot Record (MBR) and prevents it from booting.
The malware corrupts files, rewrites MBR, hides as ransomware
The malware, which Microsoft calls WhisperGate, then replaces the boot-up screen with a ransom note, which, according to Microsoft, includes a ransom fee, a Bitcoin address to receive payments, and a Tox ID to get in contact with the attackers.
In case victims manage to restore their MBR and their boot-up sequence, Microsoft says the malware also corrupts files with certain extensions by overwriting their contents with a fixed number of 0xCC bytes, up to a total file size of 1 MB.
“After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft said.
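The file-corruption behaviour described above is mechanical and therefore easy to triage for: a destroyed file is solid 0xCC for its first 1 MB (or for its whole length if it is smaller), while anything past 1 MB is untouched. The scanner below is an added example, not Microsoft's tooling, for checking a recovered disk image or file share for that pattern during incident response; the file names and the four-character extensions in `demo()` are constructed placeholders, not indicators from the report.

```python
import os
import tempfile
from pathlib import Path

FILL_BYTE = 0xCC
OVERWRITE_LIMIT = 1024 * 1024   # 1 MB, the size Microsoft reports the destructor overwrites


def looks_overwritten(data: bytes, limit: int = OVERWRITE_LIMIT) -> bool:
    """True when every byte of the region the destructor would have written is 0xCC.

    Only the first `limit` bytes are examined: a file larger than 1 MB keeps its
    original tail, so the tail must not count against the verdict. An empty file
    is never a hit, since there is nothing to have been overwritten.
    """
    region = data[:limit]
    return len(region) > 0 and region == bytes([FILL_BYTE]) * len(region)


def scan_tree(root: str, limit: int = OVERWRITE_LIMIT) -> list:
    """Walk `root` and return paths whose leading content matches the overwrite pattern.

    Reads at most `limit` bytes per file, so the scan stays cheap on large trees.
    Unreadable files are skipped rather than silently marked clean; a real triage
    run should report them separately.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(limit)
            except OSError:
                continue
            if looks_overwritten(head, limit):
                hits.append(path)
    return hits


def demo() -> set:
    """Build a constructed sample tree in a temp dir and return the file names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 200)        # intact document
        (root / "report.docx.a1b2").write_bytes(bytes([FILL_BYTE]) * 4096)      # small file, fully wiped
        (root / "big.bak.c3d4").write_bytes(                                    # >1 MB: wiped head, intact tail
            bytes([FILL_BYTE]) * OVERWRITE_LIMIT + b"original tail")
        (root / "empty.txt").write_bytes(b"")                                   # empty, not a hit
        return {p.name for p in scan_tree(str(root))}


if __name__ == "__main__":
    print("flagged:", sorted(demo()))
```

The content check, not the extension, is the signal: the renamed extension is random per file, so matching on it would miss files, whereas a solid 0xCC head is distinctive enough to be a reliable first-pass indicator before deeper forensic review.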
Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8.
A threat actor could exploit the vulnerability to take over vulnerable websites.
The flaw impacts three plugins maintained by Xootix:
“On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in ‘Login/Signup Popup’, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: ‘Side Cart Woocommerce (Ajax)’, installed on over 60,000 sites, and ‘Waitlist Woocommerce ( Back in stock notifier )’, installed on over 4,000 sites,” reads the advisory published by Wordfence. “This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.”
The threats are constantly shifting, subject to trends in cryptocurrency use, geopolitics, the pandemic, and many other things; for this reason, a clear sense of the landscape is essential. Below, you’ll find a quick guide to some of the most pressing threats of the coming year.
Linux and cloud infrastructure will continue to be a target
For threat actors, there is a simple calculus at play, namely, which method of attack is a) easiest and b) most likely to yield the biggest return? And the answer, at this moment, is Linux-based cloud infrastructure, which makes up 80%+ of the total cloud infrastructure. With cloud adoption increasing because of the pandemic, this has the potential to be a massive problem.
In just the last few months, ransomware gangs like BlackMatter, HelloKitty, and REvil have been observed targeting Linux via ESXi servers with ELF encryptors. And we have recently seen the PYSA ransomware gang adding Linux support. Meanwhile, experts are identifying new and increasingly complex Linux malware families, which adds to the already-mounting list of concerns. Working pre-emptively against these threats is more essential than ever.
A weakness in the Microsoft Defender antivirus can allow attackers to retrieve information they can use to avoid detection.
Threat actors can leverage a weakness in Microsoft Defender antivirus to determine in which folders to plant malware so that it is not scanned by the AV.
Microsoft Defender allows users to specify locations on their machines that should be excluded from scanning by the security solution.
Knowledge of the list of scanning exclusions lets attackers know where to store their malicious code to avoid detection. This means that once inside a compromised network, threat actors can decide where to store their malicious tools and malware without being detected.
The issue appears to have affected Windows 10 21H1 and Windows 10 21H2 for at least eight years, but it does not affect Windows 11.
Noticed that almost 8 years ago when I started in Tech Support. Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension…
SentinelOne threat researcher Antonio Cocomazzi pointed out that the list of scanning exclusions can be accessed by any local user, regardless of their permissions.
Running the “reg query” command, it is possible to access the list.
The smartphones of dozens of journalists and activists from El Salvador have been hacked with a version of the Pegasus spyware.
The malware was found on 37 mobile devices belonging to 35 individuals.
“Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundación DTJ, Cristosal, and another NGO,” Citizen Lab said in a report published last night.
The hardest hit was news site El Faro, where Pegasus was found on the devices of 22 reporters.
Attacks likely carried out by the local government
Citizen Lab said the hacked devices were compromised between July 2020 and November 2021 by a threat actor they were calling Torogoz, with some devices being hacked multiple times.
The investigators, who have a long history of analyzing the Pegasus spyware, said they had “no conclusive technical evidence” about the identity of the attackers, but the focus on El Salvador individuals suggests that Torogoz is most likely an entity associated with the Salvadoran government.
Additional circumstances to sustain this attribution also include the fact that many victims had their devices compromised around the same time they were investigating or reporting on sensitive issues involving the local government, such as a scandal involving alleged negotiations between the administration of President Bukele and the MS-13 criminal cartel.
The Citizen Lab report suggests that the El Salvador administration or someone close to it might have rented access to Pegasus, a hacker-for-hire platform developed by Israeli company NSO Group, and then used it to go after their critics.
The proposed theory is not a far-fetched scenario as NSO Group has done this before, providing its Pegasus spyware to many oppressive regimes across the world, which then used it to track and silence their critics and political rivals.
While NSO Group has always publicly stated that it sells its software only to legitimate law enforcement agencies and that it can’t control how its customers use its tools, the rampant abuse of its software by oppressive regimes for human rights abuses forced the US government to put NSO Group on its sanctions list in November last year.
A few weeks later, Apple, whose iPhones are the main target of Pegasus attacks, also sued the Israeli company in a US court, hoping to get an injunction against NSO Group developers and block them from using its platform to develop the iPhone hacks needed to keep the Pegasus malware up-to-date.
Hacks discovered using open-source tool
Citizen Lab said it learned of the hacks in September 2021 after some El Salvador journalists used a free security tool developed by Amnesty International, named Mobile Verification Toolkit (MVT), to self-scan their devices for traces of the Pegasus spyware.
The reporters who found signs of a compromise contacted Access Now’s Digital Security Helpline, which called on Citizen Lab to investigate the hacks further.
After Apple sued NSO Group, some of the victims of these attacks received confirmation about the hacks from Apple itself when the company notified past victims of Pegasus attacks using a new set of notifications the company rolled out. At the time, similar notifications were also sent to many Apple users in Thailand and Uganda.
The names of most of the El Salvador reporters and activists hacked in this latest campaign are available in the Citizen Lab report.
“NSO Group’s tentacles continue to spread across the globe, crushing the privacy and rights of journalists and activists into oblivion,” said Angela Alarcón, Latin America & the Caribbean Campaigner at Access Now. “Revelations that Pegasus software has been used to unjustly spy in El Salvador may not come as a complete surprise, but there is no match to our outrage.”
Recent reports indicate that NSO Group is on the brink of bankruptcy and shutting down after the Apple lawsuit. Nevertheless, there is a booming market of many other spyware vendors ready to fill the void left by a potential NSO closure.
ISO 27001 certification requires organizations to prove their compliance with the Standard with appropriate documentation, which can run to thousands of pages for more complex businesses. But with the ISO 27001 Cybersecurity Toolkit, you have all the direction and tools at hand to streamline your project.
ISO 27001 Cybersecurity Toolkit: accelerate your ISO 27001 cybersecurity project and benefit from ready-to-use policies and procedures. The toolkit includes a complete set of mandatory and supporting documentation templates, helpful project tools to ensure complete coverage of the Standard, and guidance documents and direction from expert ISO 27001 practitioners.
On the last point, one high-profile case illustrated the potential consequences of this behavior: two General Electric employees started a competing company based on trade secrets that they downloaded at work. These two former GE employees ended up with a prison sentence and a $1.4 million fine, a searing reminder that employees do not have the right to take company data to another company.
While most insider data breaches aren’t quite as malicious or blatant, it’s important to prepare for the worst-case scenario.
What drives insider threat?
An insider threat typically refers to potential attacks from users with internal or remote access inside the system’s firewall or other network perimeter defenses. These “threat actors” can include employees, contractors, third-party vendors and even business partners; in other words, anyone with network access. Potential results include fraud, theft of intellectual property (IP), sabotage of security measures, or misconfigurations that allow data leaks.
Of course, not all insider threats come from actual insiders. It’s not hard to imagine instances where, for example, an external party gains access to the physical premises and connects to the network directly, deploying a router in a discreet location for future remote access. This example raises the importance of on-premises security and of early detection whenever unapproved devices are added to the network.
A few common examples, like memory sticks or Bluetooth transmitters, can also often pass under the radar. Does your system detect these on insertion? Probably not. This is important because it emphasizes a few key points:
There is no single security solution to cover every possible threat.
Insider threats are difficult to pin down without knowing the motivations or patterns of potential attackers.
Threat actors are actively exploiting public cloud services from Amazon and Microsoft to spread RATs such as Nanocore, Netwire, and AsyncRAT used to steal sensitive information from compromised systems.
The malware campaign was spotted by Cisco Talos in October 2021, most of the victims were located in the United States, Italy and Singapore.
Threat actors leverage cloud services like Azure and AWS because they can be set up easily with minimal effort, making it more difficult for defenders to detect and mitigate the campaigns.
The attackers used complex obfuscation techniques in the downloader script.
The attack chain starts with a phishing email carrying a malicious ZIP attachment that contains an ISO image with a loader in the form of JavaScript, a Windows batch file, or a Visual Basic script. Upon execution of the initial script, the victim’s machine downloads the next stage from the C2 server, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.
“To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans,” reads the analysis published by Talos. “Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate increasing usage of popular cloud platforms for hosting malicious infrastructure.”
Once the malware is installed on the target system, it can be used to steal confidential data or to deliver additional payloads such as ransomware. Threat actors can also sell the access to other cybercrime gangs, including ransomware affiliates.
“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible,” concludes the report, which also includes Indicators of Compromise (IoCs).
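Talos's advice to inspect outgoing connections to cloud services translates into a concrete hunt: a script interpreter (the JavaScript, batch or VBScript loader stage) opening a connection to a dynamic-DNS name or a generic cloud compute hostname is the shape of the first download in the chain described above. The detector below is an added example, not Talos's code or rules; the egress log format, the process list, and every hostname in `SAMPLE_LOG` are constructed for the example, and the Azure/AWS hostname patterns are simplified provider-wide shapes rather than indicators from the report.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts process host port")
Alert = namedtuple("Alert", "ts process host reason")

# Interpreters for the loader types Talos describes (JavaScript, batch, VBScript) plus
# the shells they commonly hand off to. This process list is an assumption for the example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}

# The DuckDNS zone named in the report, and simplified public-hostname shapes for Azure
# cloud services and EC2 instances (generic provider patterns, no specific infrastructure).
DYNDNS_RE = re.compile(r"(^|\.)duckdns\.org$", re.I)
CLOUD_COMPUTE_RE = re.compile(
    r"(\.cloudapp\.azure\.com$)"
    r"|(^ec2-[\d-]+\.([a-z0-9-]+\.)?compute(-\d+)?\.amazonaws\.com$)", re.I)


def parse_line(line: str) -> Event:
    """Constructed egress log format for the example: '<ts> <process> <dst_host> <dst_port>'."""
    ts, process, host, port = line.split()
    return Event(ts, process.lower(), host.lower().rstrip("."), int(port))


def classify(ev: Event):
    """Return a reason string if the event matches the campaign's shape, else None."""
    dyndns = bool(DYNDNS_RE.search(ev.host))
    cloud = bool(CLOUD_COMPUTE_RE.search(ev.host))
    if ev.process in SCRIPT_HOSTS and (dyndns or cloud):
        # High confidence: a script engine fetching from the kinds of hosts the chain uses.
        return "script host fetching from " + ("dynamic DNS" if dyndns else "cloud compute host")
    if dyndns:
        # Lower confidence: any process talking to a dynamic-DNS name is worth a look.
        return "dynamic DNS destination"
    return None


def detect(lines) -> list:
    """Run classify() over log lines, skipping blanks and '#' comments; return the alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        reason = classify(ev)
        if reason:
            alerts.append(Alert(ev.ts, ev.process, ev.host, reason))
    return alerts


SAMPLE_LOG = """\
# constructed egress log; hostnames are placeholders, not indicators from the report
2021-10-12T09:01:02Z wscript.exe example-loader.duckdns.org 443
2021-10-12T09:01:05Z wscript.exe ec2-203-0-113-10.eu-west-1.compute.amazonaws.com 8443
2021-10-12T09:03:11Z chrome.exe www.example.com 443
2021-10-12T09:04:40Z outlook.exe mail.example.com 443
2021-10-12T09:05:00Z powershell.exe example-vm.westeurope.cloudapp.azure.com 80
2021-10-12T09:06:00Z svchost.exe updates-example.duckdns.org 80
""".splitlines()


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.ts} {alert.process:<16} {alert.host:<55} {alert.reason}")
```

Cloud compute hostnames alone are far too common in legitimate traffic to alert on, which is why the rule only treats them as suspicious when the source process is a script engine; the dynamic-DNS match is kept as a separate, lower-confidence signal so that a loader running under a different process name still surfaces for review.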