InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Over time the internet has made the world a much smaller place, allowing millions of users around the globe to interact and share digital information and ushering the rest of the world into the "digital world."
Images are also incredibly helpful in an OSINT investigation, since they can reveal what a target looks like, where the target has been, or which devices were used.
Researchers can use photos to build the intelligence picture, identify the equipment used to capture them, determine where and when they were taken, and determine whether a social media profile relates to a target, all using search engines and free resources.
This article is a list of tools and tips. It shows you how to search for, obtain, extract, and analyze digital photos.
8 Steps to Better Security: A Simple Cyber Resilience Guide for Business
Harden your business against internal and external cybersecurity threats with a single accessible resource.
In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.
A massive social engineering campaign targeting banks has been delivered in the last two years in several countries.
A massive social engineering campaign has been delivered in the last two years in several countries, including Portugal, Spain, Brazil, Mexico, Chile, the UK, and France. According to the Segurança Informática publication, the malicious waves have hit banking organizations with the goal of stealing users' secrets, accessing home-banking portals, and controlling all operations on the fly via command-and-control (C2) servers geolocated in Brazil.
In short, criminal groups are targeting victims in different countries to collect their home-banking secrets and payment-card data. The campaigns are carried out through social engineering schemes, namely smishing and spear-phishing via fake emails.
Criminals obtain lists of valid and tested phone numbers and emails from other malicious groups, and the process is performed on underground forums, Telegram channels or Discord chats.
The spear-phishing campaigns lure victims with fake emails that impersonate the banking institutions. The emails are nearly identical to the originals except for their content, which mainly concerns debts or missed payments.
According to the analysis, the malicious campaign relies on a redirector system that performs an initial screening to verify that users' requests are valid and expected. The system is equipped with a blacklisting mechanism and a logging feature that notifies the criminals of new infections.
When the victim matches all the rules, several pathways are possible, with different landing-pages. Some of them only collect raw data, including the homebanking credentials, SMS tokens and bank codes. On the other hand, a well-structured C2 server can be used to orchestrate all the processes in real-time, simulating a flow extremely similar to the legitimate service.
As phishing and malware campaigns make headlines every day, monitoring these types of behaviors and IoCs is crucial to fighting this emerging segment, which has grown in both volume and sophistication.
The heightened risk of cyberattacks on businesses is being compounded by significant recruitment and retention issues within cybersecurity teams, making businesses more vulnerable to potential attacks, according to research from ThreatConnect.
With the number of data breaches in 2021 soaring past that of 2020, there is added pressure on cybersecurity teams to keep businesses secure. The research has found a concerning level of staff turnover, skills shortages, burnout, and low staff morale, pointing towards depleted reserves trying to manage the growing risk.
Cybersecurity teams' recruitment and retention issues
Senior decision-makers across the US report an average security staff turnover rate of 20%.
64% of senior decision-makers have seen a rise in turnover over the past year.
43% of US respondents attribute a lack of skills as the biggest barrier for recruitment.
1 in 5 US respondents are considering quitting their jobs in the next six months.
57% of US respondents have experienced an increase in stress over the past six months.
The COVID-19 pandemic has created what many are calling the Great Resignation, which has affected all industries for the past two years. Employees, specifically those in the security industry, are now being expected to do more with less.
Cybercrime has increased significantly over the past year, making digital protection for businesses both more important and more difficult to achieve. Companies cannot afford to lose any security team members with cybercrime increasing so rapidly.
"In today's digital ecosystem it is crucial that security employees receive adequate training, support, and resources needed to work efficiently in their jobs," said Adam Vincent, CEO of ThreatConnect. "As employee turnover increases in this sector, it creates a vicious cycle that impacts a company's performance and ability to mitigate cyber risks."
"This makes it even more difficult for security teams to fulfill the company's needs. Organizations must look at these numbers and recognize that there is more that can be done to protect their employees and in turn, the welfare of their company."
The âKnown Exploited Vulnerabilities Catalogâ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.
Below is the list of the new entries in the catalog:
CVE ID | Description | Patch Deadline
CVE-2022-22587 | Apple IOMobileFrameBuffer Memory Corruption Vulnerability | 2/11/2022
CVE-2021-20038 | SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability | 2/11/2022
CVE-2014-7169 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022
CVE-2014-6271 | GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability | 7/28/2022
CVE-2020-0787 | Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability | 7/28/2022
CVE-2014-1776 | Microsoft Internet Explorer Use-After-Free Vulnerability | 7/28/2022
CVE-2020-5722 | Grandstream Networks UCM6200 Series SQL Injection Vulnerability | 7/28/2022
CVE-2017-5689 | Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability | 7/28/2022
"CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below." reads the announcement published by CISA. "These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise."
Among the recent entries, there is the CVE-2022-22587 memory corruption issue that resides in the IOMobileFrameBuffer and affects iOS, iPadOS, and macOS Monterey. The exploitation of this flaw leads to arbitrary code execution with kernel privileges on compromised devices.
A few days ago, Apple released security updates to address two zero-day vulnerabilities, one of them actively exploited in the wild by threat actors to compromise iPhone and Mac devices.
CISA is ordering federal agencies to address the CVE-2022-22587 flaw by February 11, 2022, along with the CVE-2021-20038 vulnerability in SonicWall SMA 100 appliances.
The vulnerability is an unauthenticated stack-based buffer overflow that was reported by Jacob Baines, lead security researcher at Rapid7. The CVE-2021-20038 vulnerability impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled.
A remote attacker can exploit the vulnerability to execute arbitrary code as the "nobody" user on compromised SonicWall appliances.
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation.
Apple last year addressed multiple macOS vulnerabilities discovered by the security researcher Ryan Pickren in the Safari browser that could allow threat actors to access users' online accounts, microphone, and webcam.
Pickren received a total of $100,500 in payouts for these issues as part of Apple's bug bounty program.
The security researcher chained vulnerabilities in iCloud Sharing and Safari 15 to gain unauthorized camera access. The attack requires the victim to click "open" on a popup from the attacker's website; it then hijacks multimedia permissions and gives the attacker full access to every website the victim has ever visited.
The expert pointed out that an attacker could exploit this attack chain to turn on the user's camera and also to hijack their iCloud, PayPal, Facebook, Gmail, and other accounts.
"My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click 'open' on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too." reads the post published by the expert. "This research resulted in 4 0day bugs (CVE-2021-30861, CVE-2021-30975, and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty."
The bugs reside in the iCloud file-sharing mechanism named ShareBear. ShareBear prompts users only the first time they attempt to open a shared document; once the user has accepted to open the file, subsequent opens no longer display the prompt. Pickren exploited this behavior by altering the file's content and file extension after the user agreed to open it.
CVE-2021-30861 is a logic issue in WebKit that could allow a malicious application to bypass Gatekeeper checks. The flaw was reported by Wojciech Reguła (@_r3ggi) and Ryan Pickren (ryanpickren.com). The second bug, tracked as CVE-2021-30975, resides in the Script Editor and could allow a malicious OSAX scripting addition to bypass Gatekeeper checks and circumvent sandbox restrictions.
"Once the user clicks Open, the file is downloaded onto the victim's machine at the location /Users/<user>/Library/Mobile Documents/com~apple~CloudDocs then automatically opened via Launch Services. Then the user will never see this prompt again. From that point forward, ShareBear (and thus any website in Safari) will have the ability to automatically launch this file." continues the post. "The truly problematic part of this agreement is that the file can be changed by anybody with write access to it. For example, the owner of the file could change the entire byte content and file extension after you agree to open it. ShareBear will then download and update the file on the victim's machine without any user interaction or notification."
In June 2019, three Israeli computer engineers arrived at a New Jersey building used by the F.B.I. They unpacked dozens of computer servers, arranging them on tall racks in an isolated room. As they set up the equipment, the engineers made a series of calls to their bosses in Herzliya, a Tel Aviv suburb, at the headquarters for NSO Group, the world's most notorious maker of spyware. Then, with their equipment in place, they began testing.
The F.B.I. had bought a version of Pegasus, NSO's premier spying tool. For nearly a decade, the Israeli firm had been selling its surveillance software on a subscription basis to law-enforcement and intelligence agencies around the world, promising that it could do what no one else – not a private company, not even a state intelligence service – could do: consistently and reliably crack the encrypted communications of any iPhone or Android smartphone.
Since NSO had introduced Pegasus to the global market in 2011, it had helped Mexican authorities capture Joaquín Guzmán Loera, the drug lord known as El Chapo. European investigators have quietly used Pegasus to thwart terrorist plots, fight organized crime and, in one case, take down a global child-abuse ring, identifying dozens of suspects in more than 40 countries. In a broader sense, NSO's products seemed to solve one of the biggest problems facing law-enforcement and intelligence agencies in the 21st century: that criminals and terrorists had better technology for encrypting their communications than investigators had to decrypt them. The criminal world had gone dark even as it was increasingly going global.
But by the time the company's engineers walked through the door of the New Jersey facility in 2019, the many abuses of Pegasus had also been well documented. Mexico deployed the software not just against gangsters but also against journalists and political dissidents. The United Arab Emirates used the software to hack the phone of a civil rights activist whom the government threw in jail. Saudi Arabia used it against women's rights activists and, according to a lawsuit filed by a Saudi dissident, to spy on communications with Jamal Khashoggi, a columnist for The Washington Post, whom Saudi operatives killed and dismembered in Istanbul in 2018.
More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.
Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.
The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.
According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin ($1,100) to receive a decryption key for their files, while in a second note the hackers demand 5 Bitcoin ($1.86 million) from QNAP to reveal details about the supposed zero-day vulnerability they have been using to attack its users, and another 50 Bitcoin ($18.6 million) to release a master decryption key that unlocks all of the victims' files.
Here is some map related to the compromised #QNAPs by the #Deadbolt #ransomware. Most of them are 5.0.0 (77.95%) and 4.5.4 (21.50%) + few 4.5.3 (0.57%) – data from this morning pic.twitter.com/Adgy9KJRK7
For its part, QNAP formally acknowledged the attacks in a blog post on Wednesday, hours after hundreds of users started flocking to its support forum to report finding their files encrypted.
In the first days after the attack, the company told users to disconnect their devices from the internet and, if that is not possible, at least disable features such as port forwarding and UPnP on their routers, to prevent attackers from reaching the NAS systems.
Finland's Ministry for Foreign Affairs revealed that devices of Finnish diplomats have been infected with NSO Group's Pegasus spyware.
Finlandâs Ministry for Foreign Affairs revealed that the devices of some Finnish diplomats have been compromised with the infamous NSO Groupâs Pegasus spyware.
The diplomats were targeted with the popular surveillance software as part of a cyber-espionage campaign.
"Finnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity. The highly sophisticated malware has infected users' Apple or Android telephones without their noticing and without any action from the user's part. Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features." reads a statement published by the Ministry.
According to the statement, threat actors stole data from infected devices belonging to employees working in Finnish missions abroad. The attacks were spotted in an investigation that started in the autumn of 2021; according to the government experts, the campaign is no longer active.
The announcement pointed out that the data transmitted or stored on diplomats' devices are either public or classified at the lowest level of classified information (level 4).
Finland's Ministry for Foreign Affairs warns that even if the information is not directly classified, the information itself and its source may be subject to diplomatic confidentiality.
"The Ministry for Foreign Affairs is continually monitoring events and activities in its operating environment and assessing related risks. The Ministry for Foreign Affairs monitors its services and strives to prevent harmful activities. The preparation of and decisions on foreign and security policy, in particular, are matters that attract much interest, which may also manifest itself as unlawful intelligence." concludes the Ministry. "The Ministry responds to the risk by various means, but complete protection against unlawful intelligence is impossible."
In December, Apple warned that the mobile devices of at least nine US Department of State employees were compromised with NSO Group's Pegasus spyware.
The Senate of Puerto Rico announced this week that it was hit by a major cyberattack that disabled its internet provider, phone system and official online page. Local and federal authorities are investigating the attack.
This isn't the first time that Puerto Rico has been hit by a cyber attack in recent years.
In March 2021, the Puerto Rico Electric Power Authority (PREPA) power utility confirmed that it had been hacked over the preceding weekend.
In June 2021, a large fire at Luma's Monacillo electrical substation in San Juan, belonging to Puerto Rico's new electricity provider Luma Energy, caused major blackouts across Puerto Rico. The same day, the company announced that a major DDoS attack had disrupted its online services.
It is still unclear whether the fire and DDoS attack are connected.
In October 2020, Puerto Rico's firefighting department disclosed a security breach: hackers breached its database and demanded a $600,000 ransom.
Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable if you use the right ones. While these collections are plentiful, some are better than others. Being an actively updated database doesn't guarantee that a feed is highly reliable or detailed either, and some of the best online haven't necessarily been updated in a few months.
We will try to keep our own tally of some of the better open source threat intelligence feeds below, regularly updating it with new feeds and more details about each one. A share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. This list is meant to cover free and open source security feed options.
Developed and offered by Proofpoint in both an open source and a premium version, the Emerging Threats Intelligence feed (ET) is one of the highest rated threat intelligence feeds. ET classifies IP addresses and domains associated with malicious activity online and tracks recent activity by either. The feed maintains 40 different categories for IPs and URLs, as well as a constantly updated confidence score.
Being backed by the Federal Bureau of Investigation definitely gives this feed some clout. It is actually a collaboration between the FBI and the private sector, with its information freely available to private companies and public sector institutions to keep them apprised of threats relevant to the 16 critical infrastructure sectors identified by the Cybersecurity and Infrastructure Security Agency (an agency of the US Department of Homeland Security). Sectors include energy and nuclear power, communications, chemicals, agriculture, healthcare, IT, transportation, emergency services, water and dams, as well as manufacturing and financial.
Dan is a collection of 10 tools that together report on IP and domain information. It includes info on IP subnets, the TOR status of IP addresses, DNS blacklists, IP address checking for autonomous systems, and node lists.
The CINS Score is supported by Sentinel. Like ET's confidence score, the CINS Score rates IP addresses according to their trustworthiness. It adds data about suspected or confirmed attacks from those IPs in the form of frequency, nature and breadth. It also tries to create "personas" around the sorts of attacks those IPs are tied to: scanning, network or remote desktop vulnerabilities, malware bots, or command-and-control servers.
Blocklist.de pays attention to server attacks from SSH, FTP, email and webserver sources. Their site claims to report an average of 70,000 attacks every 12 hours using a combo of the abusix.org database, Ripe-Abuse-Finder, and Whois information.
hpHosts is a searchable database and hosts file that is community managed. While it was last updated in August 2019, it is considered one of the more reliable data stores of malicious IPs online. It can also be sorted by PSH and FSA-only.
AlienVault Open Threat Exchange (OTX) is the company's free, community-based project to monitor and rank IPs by reputation. It generates alert feeds called "pulses," which can be entered into the system manually, to index attacks by various malware sources. While some pulses are generated by the community, AlienVault creates its own as well, to which all OTX users are automatically subscribed. Most pulses are API-generated and submitted via the OTX Python SDK. This example, SSH bruteforce logs 2016-06-09, shows the indicators, the geoip of the attacks, and a full list of the IPs used. It also links to reports in other pulses that include the same IPs.
This abuse.ch offering focuses on botnets and command-and-control (C&C) infrastructure. The blocklist is an amalgamation of several smaller blocklists, with particular attention paid to the Heodo and Dridex malware bots. There were 5,374 entries as of 03-03-2020.
The name itself is a nod to an older trojan called Feodo, which was a successor to the Cridex e-banking trojan (to which both Dridex and Heodo trace their source code). Feodo Tracker also tracks an associated malware bot, TrickBot.
The first of two projects from Swiss website abuse.ch, URLhaus is a repository of malicious domains tied to distributing malware. The database can be accessed via the URLhaus API, allowing you to download CSV collections of flagged URLs, those sites' respective statuses, the type of threat associated with them, and more. Ready-made downloads include recent additions (going back 30 days) or all active URLs.
The full URLhaus dataset, updated every 5 minutes, is automatically and immediately available for CSV download. It also includes a ruleset suited for use in Suricata or Snort. URLhaus also offers a DNS firewall dataset that includes all flagged URLs for blocking.
An attacker can exploit a vulnerability in Polkit's pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but an attacker who can log in as any unprivileged user can use it to gain root privileges.
The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) in the initial commit of pkexec, which means that all versions are affected.
Polkit (formerly PolicyKit) is a component used to control system-wide privileges in Unix-like operating systems. It allows non-privileged processes to communicate with privileged processes. polkit also allows executing commands with elevated privileges by running pkexec followed by the command to execute (with root permissions).
Researchers from the Qualys Research Team discovered a memory corruption vulnerability in pkexec, polkit's SUID-root program.
"The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution." reads the post published by Qualys. "Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable."
"This vulnerability is an attacker's dream come true" explained Qualys:
pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, "Add a pkexec(1) command");
any unprivileged local user can exploit this vulnerability to obtain full root privileges;
although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
and it is exploitable even if the polkit daemon itself is not running.
Experts pointed out that the flaw is very easy to exploit; while Qualys doesn't plan to release a PoC for this issue, other experts are already working on one.
Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer compiled and tested the available exploit, which proved reliable, giving them root privileges on the system on every attempt.
The investigation started in November after Google TAG published a blogpost about watering-hole attacks targeting macOS users in Hong Kong.
Google TAG researchers discovered that threat actors leveraged a zero-day vulnerability in macOS in a watering hole campaign aimed at delivering malware to users in Hong Kong. The attackers exploited an XNU privilege escalation vulnerability (CVE-2021-30869) that was unpatched in macOS Catalina.
The watering hole campaign targeted the websites of a media outlet and of a prominent pro-democracy labor and political group. The researchers discovered that the compromised sites hosted two iframes that were used to serve iOS and macOS exploits to visitors.
The experts believe that the attack was orchestrated by a nation-state actor, but did not attribute the campaign to a specific APT group.
One of the websites used to infect HK dissidents fightforhk[.]com seems to have been created from scratch for that unique purpose. Do not hesitate to check your logs/mails/SMS/private messages etc. against this domain. [1/2] pic.twitter.com/TfTSN5pqbf
Researchers also found that the legitimate website of D100, a Hong Kong pro-democracy radio station, had been compromised to distribute the same exploit before the Google TAG report.
"The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely. It's interesting to note that some code, which suggests the vulnerability could also have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices such as the iPhone XS and newer, has been commented out" reads the analysis published by ESET.
The âKnown Exploited Vulnerabilities Catalogâ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.
, recently addressed by SolarWinds in Serv-U products, that threat actors are actively exploiting in the wild. The company pointed out that all the attack attempts failed.
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation
Google Project Zero researcher Natalie Silvanovich disclosed details of two zero-day vulnerabilities in Zoom clients and Multimedia Router (MMR) servers. An attacker could have exploited the now-fixed issues to crash the service, execute malicious code, and even leak the contents of portions of memory.
The researcher focused her search on bugs in the Zoom client software, looking for zero-day issues that would allow her to take over a victim's system without any user interaction.
The two vulnerabilities were fixed on November 24, 2021: a buffer overflow tracked as CVE-2021-34423 and an information leak tracked as CVE-2021-34424.
CVE-2021-34423 is a buffer overflow issue that received a CVSS score of 9.8. An attacker can trigger it to execute arbitrary code or crash the service or application.
The expert focused her analysis on the RTP (Real-time Transport Protocol) traffic used for audio and video communications. Silvanovich discovered that manipulating the contents of a buffer that supports reading different data types, by sending a malformed chat message, could trigger the flaw and crash both the client and the MMR server.
"Note that the string buffer is allocated based on a length read from the msg_db_t buffer, but then a second length is read from the buffer and used as the length of the string that is read. This means that if an attacker could manipulate the contents of the msg_db_t buffer, they could specify the length of the buffer allocated, and overwrite it with any length of data (up to a limit of 0x1FFF bytes, not shown in the code snippet above)." reads the analysis published by Project Zero. "I tested this bug by hooking SSL_write with Frida, and sending the malformed packet, and it caused the Zoom client to crash on a variety of platforms."
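The length-confusion pattern Project Zero describes, as an added example that is not Zoom's code: a constructed message format (assumption: two little-endian 16-bit lengths, `alloc_len` and `copy_len`, followed by the string bytes; the `msg_db_t` name is reused only as a label for this constructed cursor) is parsed once without the check and once with it, and a small detector flags messages whose copy length exceeds their allocation length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the copy mentioned in the Project Zero write-up. */
#define MAX_STRING_LEN 0x1FFF

/* Constructed cursor over a received message (assumption: not Zoom's real msg_db_t). */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} msg_db_t;

/* Read a little-endian uint16 with bounds checking. Returns 0 on success. */
static int read_u16(msg_db_t *m, uint16_t *out)
{
    if (m->len - m->pos < 2)
        return -1;
    *out = (uint16_t)(m->buf[m->pos] | (m->buf[m->pos + 1] << 8));
    m->pos += 2;
    return 0;
}

/* Vulnerable pattern, shown for contrast: the buffer is sized from the first
 * length field, but the number of bytes copied comes from a second, independent
 * length field. Nothing ties copy_len to alloc_len, so a message with
 * copy_len > alloc_len writes past the end of the heap allocation. */
char *read_string_unchecked(msg_db_t *m)
{
    uint16_t alloc_len, copy_len;
    if (read_u16(m, &alloc_len) || read_u16(m, &copy_len))
        return NULL;
    if (copy_len > m->len - m->pos)          /* only the packet bound is checked */
        return NULL;
    char *s = malloc((size_t)alloc_len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, m->buf + m->pos, copy_len);    /* heap overflow when copy_len > alloc_len */
    s[copy_len] = '\0';
    m->pos += copy_len;
    return s;
}

/* Hardened form: the copy may never exceed the allocation, the documented cap,
 * or the bytes actually present in the message. */
char *read_string_checked(msg_db_t *m)
{
    uint16_t alloc_len, copy_len;
    if (read_u16(m, &alloc_len) || read_u16(m, &copy_len))
        return NULL;
    if (copy_len > alloc_len || copy_len > MAX_STRING_LEN)
        return NULL;                         /* the check the vulnerable code lacks */
    if (copy_len > m->len - m->pos)
        return NULL;                         /* truncated message */
    char *s = malloc((size_t)alloc_len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, m->buf + m->pos, copy_len);
    s[copy_len] = '\0';
    m->pos += copy_len;
    return s;
}

/* Detection helper: flags a message whose copy length exceeds its allocation
 * length without allocating or copying anything (usable as a capture lint).
 * Returns 1 for a mismatch, 0 for a consistent header, -1 if too short. */
int message_has_length_mismatch(const uint8_t *buf, size_t len)
{
    msg_db_t m = { buf, len, 0 };
    uint16_t alloc_len, copy_len;
    if (read_u16(&m, &alloc_len) || read_u16(&m, &copy_len))
        return -1;
    return copy_len > alloc_len ? 1 : 0;
}

/* Constructed sample messages: a consistent one and one whose copy length (16)
 * exceeds its allocation length (4). */
static const uint8_t GOOD_MSG[] = { 0x05, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD_MSG[]  = { 0x04, 0x00, 0x10, 0x00,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

int main(void)
{
    msg_db_t good = { GOOD_MSG, sizeof GOOD_MSG, 0 };
    char *s = read_string_checked(&good);
    printf("good message -> \"%s\"\n", s ? s : "(rejected)");
    free(s);

    printf("bad message mismatch flag: %d\n",
           message_has_length_mismatch(BAD_MSG, sizeof BAD_MSG));
    msg_db_t bad = { BAD_MSG, sizeof BAD_MSG, 0 };
    s = read_string_checked(&bad);
    printf("bad message -> %s\n", s ? s : "(rejected)");
    free(s);
    return 0;
}
```

Running the unchecked reader on the bad message is deliberately left out of main: it would corrupt the heap, which is exactly the behaviour the checked reader rejects.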
The CVE-2021-34424 is a process memory exposure flaw that received a CVSS score of 7.5. An attacker can trigger the flaw to potentially gain insight into arbitrary areas of the productâs memory.
The second flaw is caused by the lack of a NULL check that allows to leak data from the memory by joining a Zoom meeting via a web browser.
âThis bug allows the attacker to provide a string of any size, which then gets copied out of bounds up until a null character is encountered in memory, and then returned. It is possible for CVE-2021-34424 to return a heap pointer, as the MMR maps the heap that gets corrupted at a low address that does not usually contain null bytes, however, I could not find a way to force a specific heap pointer to be allocated next to the string buffer that gets copied out of bounds. C++ objects used by the MMR tend to be virtual objects, so the first 64 bits of most object allocations are a vtable which contains null bytes, ending the copy.â continues the analysis.
The researcher pointed out that lack of ASLR in the Zoom MMR process exposed users to the risk of attacks, the good news it that Zoom has recently enabled it.
Project Zero experts also pointed out that the closed nature of Zoom also heavily impacted the analysis. Unlike most video conferencing systems, Zoom use a proprietary protocol that make it hard to analyze it.
“Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it,” Silvanovich concludes. “While the Zoom Security Team helped me access and configure server software, it is not clear that support is available to other researchers, and licensing the software was still expensive.”
“Definitely worse” The platform has yet to confirm that it has indeed been attacked [but] Crypto.com announced it was pausing withdrawals after “a small number of users experienced unauthorized activity in their accounts.” … A household name in Asian markets, the Singapore-based exchange recently spent $700 million to buy the naming rights to the Staples Center, the Los Angeles home venue of the NBA’s Lakers and Clippers. … Events took a turn for the worse when security research company Peckshield [said] Crypto.com has lost at least 4,600 ETH (around $15 million in current prices) [and] that the true scale of the damage is “definitely worse.” … Peckshield added that half of the stolen funds were sent to Tornado Cash, the Ethereum-centric mixing service. … Remarkably, a few hours later, Crypto.com CEO Kris Marszalek said that no customer funds were lost.
“$16.3 million” Several users had reported on social media that their cryptocurrencies, at times equating to tens of thousands of dollars, had disappeared from their Crypto.com accounts in recent days. … Technical issues on crypto trading platforms have become commonplace as the hype surrounding digital assets grows. … Crypto influencer and podcast host Ben Baller said in a tweet on Monday that around 4.28 Ether, which equates to roughly $14,000, had been “stolen out of nowhere” [despite] two-factor authentication security measures. … Baller later alleged … a wallet belonging to Crypto.com had lost approximately 5,000 Ether, which equates to roughly $16.3 million. … A spokesperson from Crypto.com didn’t respond to a request for comment.
The credentials are contained in files that common info-stealers and keyloggers use to exfiltrate them from infected machines.
These files can end up hosted on VirusTotal due to hackers using VirusTotal to promote selling victims’ data or due to attackers uploading them by mistake, Tomer Bar, Director of Security Research at SafeBreach, told Help Net Security.
They may also be uploaded by third parties (e.g., a security researcher or the company where the C2 server is hosted) who are unaware they contain sensitive information. Finally, some environments are configured to automatically upload files to VirusTotal to verify whether they are “clean”.
Finding the files with stolen credentials
Just like Google Search can be used to search for vulnerable websites/systems, IoT devices, and sensitive data (the method is known as Google hacking or dorking), VirusTotal’s APIs and tools (VT Graph, Retrohunt, etc.) can be used to find files containing stolen data.
To prove it, the researchers compiled a list of those files’ names, acquired a monthly VirusTotal license that allowed them to run searches, explore VirusTotal’s dataset, and perform malware hunts, and started searching for them.
It didn’t take long to find some. Depending on the malware, these files contain credentials for email and social media accounts, e-commerce sites, online payment services, gaming platforms, online government services, streaming platforms, online banking accounts, and private keys of cryptocurrency wallets.
They’ve also connected some of these files to specific sellers of stolen credentials on a variety of hacking forums and Telegram groups, and have shown that in some cases it may be easy for criminals to discover credentials for accessing a malware’s C2 FTP server and use them to “collect” stolen credentials.
“Our goal was to identify the data a criminal could gather with a VirusTotal license,” Bar noted, and said that they have proven this method, dubbed “VirusTotal Hacking”, works at scale.
“A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity. After victims are hacked by the original hacker, most have little visibility into what sensitive information is uploaded and stored in VirusTotal and other forums.”
The researchers urged Google, the owner of VirusTotal via its subsidiary Chronicle, to periodically search for and remove files with sensitive user data, to ban the API keys that upload those files, and to add an algorithm that disallows uploads of files that contain sensitive cleartext data or encrypted files with the decryption password attached (either as text or included in an image).
They also pointed out that malware’s unsecured C2 communication protocols should be exploited by defenders, in concert with hosting companies, to sinkhole or terminate C2 servers.
As a final side note, stolen credentials are not the only sensitive information that can occasionally be found on VirusTotal:
A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed attackers to take over accounts without having access to the victim’s phone, Varonis researchers reported.
Box develops and markets cloud-based content management, collaboration, and file-sharing tools for businesses. The platform supports 2FA based on an authenticator application or SMS.
Varonis Threat Labs researchers disclosed the vulnerability via HackerOne and the company fixed it in November 2021.
When a user attempts to log into a Box account, the platform sets a session cookie and redirects them to a form where they must provide the time-based one-time password (TOTP) generated with an authenticator app (at /mfa/verification) or a code received via SMS (at /2fa/verification).
The researchers pointed out that if the user does not navigate to the SMS verification form, no SMS message is sent, even though the session cookie has already been generated. A threat actor who knows the user’s email and password can therefore obtain a valid session cookie without triggering SMS-based 2FA.
An attacker can easily obtain login credentials for a targeted user from past data breaches or through phishing attacks.
When the user adds an authenticator app, the Box platform assigns a factor ID and, at login, they are required to provide a one-time password generated by the app along with the credentials.
The experts devised a method to bypass MFA for accounts where SMS-based MFA is enabled by abandoning the SMS-based verification process and initiating TOTP-based MFA instead, technically mixing the MFA modes.
The attacker could access the victim’s account using the correct username and password, but providing a factor ID and code from a Box account and authenticator app associated with an account under their control.
“After the cookie is generated, the threat actor can abandon the SMS-based MFA process (which is what the user is enrolled in) and instead initiate the TOTP-based MFA process, thus mixing MFA modes,” reads the analysis published by Varonis.
“The attacker completes the authentication process by posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint using the session cookie they received by providing the victim’s credentials.” “Box did not verify whether the victim was enrolled in TOTP verification and did not validate that the authenticator app used belonged to the user that was logging in. This made it possible to access the victim’s Box account without the victim’s phone and without notifying the user via SMS.”
Below is the attack flow devised by the experts:
Attacker enrolls in multi-factor authentication using an authenticator app and stores the device’s factor ID.
Attacker enters a user’s email address and password on account.box.com/login.
If the password is correct, the attacker’s browser is sent a new authentication cookie and redirected to /2fa/verification.
The attacker, however, does not follow the redirect to the SMS verification form. Instead, they pass their own factor ID and code from the authenticator app to the TOTP verification endpoint: /mfa/verification.
The attacker is now logged in to the victim’s account and the victim does not receive an SMS message.
The platform did not check whether the user logging in was actually enrolled in TOTP-based MFA, or whether the authenticator app belonged to the account attempting to log in.
This trick allowed an attacker to log into the victim’s Box account, bypassing SMS-based 2FA.
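As an added illustration (not Varonis’s analysis code nor Box’s implementation), the simplified TOTP verification handler below reproduces the two missing checks beside a hardened version; the user records, factor IDs, secrets and session objects are constructed sample data.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample data (not real Box records): a victim enrolled in SMS-based
# MFA and a second account, under the attacker's control, enrolled with a TOTP app.
USERS = {
    "victim@example.com": {"mfa_method": "sms", "factors": {}},
    "attacker@example.com": {
        "mfa_method": "totp",
        "factors": {"factor-attacker": b"attacker-authenticator-secret"},
    },
}
# Global factor index: the only lookup the vulnerable handler consults.
FACTOR_OWNER = {fid: email for email, u in USERS.items() for fid in u["factors"]}


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with a 30 s step (shared by both handlers)."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp_vulnerable(session: dict, factor_id: str, code: str, now: Optional[int] = None) -> bool:
    """Mirrors the flaw described above: any registered factor is accepted, with no
    check that it belongs to the session's user or that the user is enrolled in TOTP."""
    owner = FACTOR_OWNER.get(factor_id)  # session["user"] is never consulted
    if owner is None:
        return False
    secret = USERS[owner]["factors"][factor_id]
    return hmac.compare_digest(totp(secret, now), code)


def verify_totp_hardened(session: dict, factor_id: str, code: str, now: Optional[int] = None) -> bool:
    """Binds the factor to the session's user and to the MFA mode that user enrolled in."""
    user = USERS[session["user"]]
    if user["mfa_method"] != "totp":  # user enrolled in SMS: refuse mode mixing
        return False
    secret = user["factors"].get(factor_id)  # factor must belong to this user
    if secret is None:
        return False
    return hmac.compare_digest(totp(secret, now), code)
```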
“We want to underscore that MFA implementations are prone to bugs, just like any other code. MFA can provide a false sense of security. Just because MFA is enabled doesn’t necessarily mean an attacker must gain physical access to a victim’s device to compromise their account,” Varonis concludes.