Tags: authentication, MFA, phishing, Problems with Multifactor Authentication, ransomware, social engineering, Two-factor authentication
Oct 20 2021
China-linked LightBasin group accessed calling records from telcos worldwide
A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.
The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.
The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.
“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike. “Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”
The hacking group initially compromised one of the telecommunication companies by leveraging external DNS (eDNS) servers which are part of the General Packet Radio Service (GPRS) network.
The eDNS are used in roaming between different mobile operators, threat actors leveraged it to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously deployed implants.
The group was able to target other telecommunications-specific systems in the GPRS network such as Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).
Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak either third-party-focused passwords (i.e. huawei) for the initial compromise.
Oct 19 2021
FBI, CISA, NSA published a joint advisory on BlackMatter ransomware operations
FBI, CISA, NSA have published a joint advisory about the operation of the BlackMatter ransomware gang and provides defense recommendations.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.
This advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.
The BlackMatter group launched its operations at at the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.
The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.
Oct 19 2021
Using Machine Learning to Guess PINs from Video
#MachineLearning: Hacking Tools for Computer + Hacking With Kali Linux + Python Programming- The ultimate beginners guide to improve your knowledge of programming and data science
Oct 19 2021
WFH is here to stay: Five tactics to improve security for remote teams
Working from home comes with a slew of security concerns. Businesses planning to look at remote work as a long-term strategy should take the time to reassess any “band-aid” security solutions that may have been applied at the beginning of the pandemic and look at ways that security can be prioritized permanently.
Oct 18 2021
Experts hacked a fully patched iOS 15 running on iPhone 13 at China’s Tianfu Cup hacking contest
White hat hackers earned $1.88 million at the Tianfu Cup hacking contest by finding vulnerabilities in popular software.
The Tianfu Cup is the most important hacking contest held in China, this year white hat hackers earned $1.88 Million demonstrating vulnerabilities in popular software.
The edition of this year took place on October 16 and 17 in the city of Chengdu, participants had three attempts of 5 minutes to demonstrate their exploits.
The winner is the security firm Kunlun Lab who earned $654,500, below the tweet of the amazing expert @mj0011 CEO of Cyber-Kunlun & Kunlun Lab and former CTO of Qihoo 360 and founder of team 360Vulcan.
Oct 15 2021
U.S. Treasury Offers Crypto Guidance Amid Ransomware Surge
US Treasury says there was $590M in suspicious ransomware activity in H1 2021, exceeding the entire amount in 2020, when $416M was reported — Suspicious activity reports related to ransomware jumped significantly in 2021, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network.
There was $590 million in suspicious activity related to ransomware in the first six months of 2021, exceeding the entire amount in 2020, when $416 million was reported, according to a report released Friday by the U.S. Treasury Department’s Financial Crimes Enforcement Network.
The average amount of reported ransomware transactions per month in 2021 was $102.3 million, according to the report. If the current trend continues, suspicious activity reports filed in 2021 “are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined,” according to the report. SARs is shorthand for suspicious activity reports.
U.S. based cybersecurity companies filed most of the SARs related to ransomware while banks and cryptocurrency exchanges filed more than a third of the reports. The reports reflect just how quickly ransomware attacks have grown.
The report offers new insight into the scale of ransomware attacks devastating U.S. businesses and impacting critical infrastructure. A Treasury spokesperson said the SARs don’t represent all ransomware payments.
Reporting ransomware payments to the Treasury via a suspicious activity report is often a requirement of cybersecurity insurance policies, according to a person familiar with the matter.
The Treasury Department also identified 68 ransomware variants, noting that the most commonly reported types were REvil, Conti and DarkSide. Ransomware groups often sell their malware, or variant, to affiliates who then use it to plot attacks, in what is known as ransomware-as-a-service. REvil, Conti and DarkSide are suspected by cybersecurity firms of being tied to Russia in some way — because they use the Russian language or are suspected of being based there.
The report was filed as the Treasury Department issued guidance to the virtual currency industry to prevent exploitation by entities sanctioned by the U.S. and ransomware groups. It is part of a broader effort by the Biden administration to attempt to curb ransomware attacks. In ransomware attacks, hackers encrypt a victim’s files and promise to unlock them if they are paid a fee.
Among the more notable attacks were those in May on Colonial Pipeline Co. in May that squeezed fuel supplies on the East Coast and on the meatpacker JBS SA.
The Treasury report stated that ransomware actors are increasingly requesting payment in cryptocurrencies like Monero, which are designed to enhance anonymity.
More: BleepingComputer, The Record, CNET, The Hill, PYMNTS.com, CyberScoop, and CoinDesk
Oct 15 2021
Human hacking increased as apps and browsers moved completely to the cloud
“Today’s hyper-targeted spear phishing attacks, coming at users from all digital channels, are simply not discernable to the human eye. Add to that the increasing number of attacks coming from legitimate infrastructure, and the reason phishing is the number one thing leading to disruptive ransomware attacks is obvious.”
Human interaction online has largely moved to the cloud
Apps and browsers are used as humans connect with work, family, and friends. Cybercriminals are taking advantage of this by attacking outside of email and taking advantage of less protected channels like SMS text, social media, gaming, collaboration tools, and search apps.
Spear phishing and human hacking from legitimate infrastructure increased in August 2021, 12% (or 79,300) of all malicious URLs identified came from legitimate cloud infrastructure like including AWS, Azure, outlook.com, and sharepoint.com – enabling cybercriminals the opportunity to easily evade current detection technologies.
Oct 15 2021
Three more ransomware attacks hit Water and Wastewater systems in 2021
A joint cybersecurity advisory published by US agencies revealed that three ransomware attacks on wastewater systems this year.
A joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA revealed three more attacks launched by Ransomware gangs against US water and wastewater treatment facilities (WWS) this year.
This is the first time that these attacks are publicly disclosed, they took place in March, July, and August respectively. The three facilities hit by ransomware operators are located in the states of Nevada, Maine, and California. In all the attacks the ransomware encrypting files on the infected systems and in one of the security incidents threat actors compromised a system used to control the SCADA industrial equipment.
The advisory reports common tactics, techniques, and procedures (TTPs) used by threat actors to compromise IT and OT networks of WWS facilities, they include:
- Spearphishing campaign aimed at the personnel to deliver malicious payloads such as ransomware and RAT;
- Exploitation of services and applications exposed online that enable remote access to WWS networks (i.e. RDP accesses);
- Exploitation of vulnerabilities affecting control systems running vulnerable firmware versions.
The three new incidents included in the advisory
What’s the Difference Between OT, ICS, SCADA and DCS?
Oct 14 2021
Ex-DoD Security Chief: China is Winning—it’s ‘A Done Deal’
The former chief software officer for the U.S. Air Force, Nicolas Chaillan, says the U.S. is falling far behind China in cybersecurity. In a no-holds-barred interview, he unloads his frustrations, built up over three years of inept bungling at the Pentagon.
He quit his job last month, in disgust. “We are setting up critical infrastructure to fail,” Chaillan warned. And now Defense Department officials will be bracing themselves for more criticism as he vows to testify to Congress.
Lauren Knausenberger now holds the poisoned chalice. In today’s SB Blogwatch, we plan to fail.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fruit salad word salad.
Beijing Back Better
What’s the craic? Katrina Manson reports—“Chaillan speaks of ‘good reason to be angry’ as Beijing heads for ‘global dominance’”:
Kindergarten level”
In his first interview since leaving the post at the Department of Defense a week ago, Nicolas Chaillan told [me] the failure of the US to respond to Chinese cyber and other threats was putting his children’s future at risk. “We have no competing fighting chance against China in 15 to 20 years. Right now, it’s already a done deal; it is already over in my opinion,” he said.
…
Chaillan, 37, who spent three years on a Pentagon-wide effort to boost cyber security and as first chief software officer for the US Air Force, said Beijing is heading for global dominance because of its advances in artificial intelligence, machine learning and cyber capabilities. He argued these emerging technologies were far more critical to America’s future than hardware such as big-budget fifth-generation fighter jets such as the F-35.
…
Senior defence officials have acknowledged they “must do better” to attract, train and retain young cyber talent. … Chaillan announced his resignation in a blistering letter at the start of September, saying military officials were repeatedly put in charge of cyber initiatives for which they lacked experience, decrying Pentagon “laggards” and absence of funding.
…
Chaillan said he plans to testify to Congress about the Chinese cyber threat to US supremacy, including in classified briefings, over the coming weeks. … He added US cyber defences in some government departments were at “kindergarten level.”
Ex-DoD Security Chief: China is Winning—it’s ‘A Done Deal’
The New Art of War: China’s Deep Strategy Inside the United States
Oct 13 2021
How Coinbase Phishers Steal One-Time Passwords
A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.
Coinbase is the world’s second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue — coinbase.com.password-reset[.]com — was targeting Italian Coinbase users (the site’s default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.
More details on: How Coinbase Phishers Steal One-Time Passwords
Oct 13 2021
Cybersecurity awareness month: Fight the phish!
It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!
Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.
Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)
Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)…
…and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.
And if phishing is a “solved game”, surely it’s not worth worrying about any more?
How hard can it be?
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails
Don’t Get Caught
Oct 12 2021
GitKraken flaw lead to the generation of weak SSH keys
The development team behind the Git GUI client GitKraken has fixed a vulnerability that was leading to the generation of weak SSH keys. The developers addressed the flaw with the release of version 8.0.1.
The issue resides in the open-source library used by the Git GUI client to generate SSH keys, all the keys generated using versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken are potentially affected.
The latest version of the Git GUI client (version 8.0.1) uses a new SSH key generation library.
“This issue only affects GitKraken users who generated SSH keys through the GitKraken interface using versions 7.6.x, 7.7.x, 8.0.0. If you are not sure what version you used to generate your SSH key, we encourage you to renew your key through the following process.” reads the advisory.
“Affected users need to:
1. Remove all old generated SSH keys stored locally.
2. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.“
The development team already notified the Git hosting service providers GitHub, Bitbucket, GitLab, and Azure DevOps, they also revoked the weak public keys used.
The development team is not aware of any accounts being compromised due to this weakness.
Oct 11 2021
An Adoption Guide for FAIR
Jack draws on years of experience introducing quantified risk analysis to organizations like yours, to write An Adoption Guide For FAIR. In this free eBook, he’ll show you how to:
Lay the foundation for a change in thinking about risk
Plan an adoption program that suits your organization’s style.
Identify stakeholders and key allies for socialization of FAIR
Select and achieve an initial objective, then integrate business-aligned, risk-based practices across your organization.
Oct 08 2021
Apache patch proves patchy – now you need to patch the patch
Software patches are sometimes a bit like buses.
You don’t get one for a while, and then three come at once.
For buses on busy urban routes, at least, the explanation of the phenomenon goes something like this.
If three buses start out travelling the same route together in a nicely spaced sequence, then the first one is most likely to be the slowest, because it will be stopping to scoop up most of the waiting passengers, while the ones behind will tend to travel faster because they need to stop less often or for shorter periods.
So buses naturally tend to scrunch up and arrive in bursts.
Burst-mode software patches
When it comes to software patches, however, the problem often works the other way around.
If the first patch arrives too quickly, then it may not have been reviewed or tested quite as much as you might like.
So it’s not so much that the next patch in the queue catches up because the first one is too slow, but that the next one has to be completed in a rush to keep up…
…and, if you aren’t careful, then that second patch might itself beget a third patch, needed to patch the patch that patched the first patch.
Three Apache buses
And thus with Apache: just two days ago, we reported a path validation bug dubbed CVE-2021-41773 that was introduced in Apache 2.4.49:
Oct 07 2021
PoC exploit for 2 flaws in Dahua cameras leaked online
A proof of concept exploit for two authentication bypass vulnerabilities in Dahua cameras is available online, users are recommended to immediately apply updates.
Experts warn of the availability of proof of concept (PoC) exploit code for a couple of authentication bypass vulnerabilities in Dahua cameras, tracked as CVE-2021-33044 and CVE-2021-33045.
A remote attacker can exploit both vulnerabilities by sending specially crafted data packets to the vulnerable cameras.
“The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.” reads the advisory published by the vendor in early September.
The flaw received a CVSS v3 score of 8.1, the vendor recommended its customers to install security updates.
The list of affected models is very long, it includes IPC-X3XXX,HX5XXX, HUM7XX, VTO75X95X, VTO65XXX, VTH542XH, PTZ Dome Camera SD1A1, SD22, SD49, SD50, SD52C, SD6AL, Thermal TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5XXX, TPC-SD8X21, TPC-PT8X21B, NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX.
It could be quite easy for threat actors in the wild to find exposed Dahua devices using a search engine like Shodan and attempt to hack them using the available PoC code. In order to protect Dahua devices, users have to install the latest firmware version.
Oct 07 2021
Divide Between Security, Developers Deepens
Security professionals work hard to plan secure IT environments for organizations, but the developers who are tasked with implementing and carrying these plans and procedures are often left out of security planning processes, creating a fractured relationship between development and security.
This was the conclusion from a VMware and Forrester study of 1,475 IT and security managers, including CIOs and CISOs and managers with responsibility for security strategy and decision-making.
The report found security is still perceived as a barrier in organizations, with 52% of developer respondents saying they believed that security policies are stifling their ability to drive innovation.
Only one in five (22%) developers surveyed said they strongly agree that they understand which security policies they are expected to comply with and more than a quarter (27%) of the developers surveyed are not involved at all in security policy decisions, despite many of these decisions greatly impacting their roles.
The research indicated that security needs a perception shift and should be more deeply embedded across people, processes and technologies.
This means involving developers in security planning earlier and more often; learning to speak the language of the development team rather than asking development to speak security, sharing KPIs and increasing communication to improve relationships and automating security to improve scalability, the report recommended.
Set a Clear Scope for Security Requirements
“Regardless of whether if it’s customer-facing functionality or a business logic concern, every line of code developed should prioritize security as a design feature,” he said. “Once security is taken as seriously as other drivers for DevOps adoption, then a fully holistic integration can be achieved.”
#DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement
Oct 06 2021
Arizona governor announces the launch of Command Center to protect state computer systems
The governor of Arizona, Doug Ducey, has announced the launch of a Cyber Command Center to address the thousands of attacks that daily target government computers.
The governor of Arizona, Doug Ducey, has launched a Cyber Command Center to repel the huge amount of attacks that every day hit the computer systems of the state.
The move is the response of the Arizona administration to hundreds of thousands of cyberattacks that hit the state.
At a ceremony Monday at the Department of Public Safety’s Arizona Counter Terrorism Information Center in Phoenix, Ducey explained that Cyber Command Center has been established to protect the IT infrastructure of the state.
“The Cyber Command Center brings four state public safety agencies together in one room with one mission: Guard the state’s computers against attacks and by extension, help protect the over 7 million residents of the Grand Canyon State.” reads a post published by AZCentral.
“When we protect your data, we protect you at home as well,” Arizona Department of Homeland Security Director Tim Roemer said in an interview. “We help you not fall victim to identity theft, for example. Because once your data is compromised, they use that to open up accounts.”
In the case of a severe cyber attack, experts at the center will coordinate the incident response activities.
Oct 05 2021
Cheating on Tests
Interesting story of test-takers in India using Bluetooth-connected flip-flops to communicate with accomplices while taking a test.
What’s interesting is how this cheating was discovered. It’s not that someone noticed the communication devices. It’s that the proctors noticed that cheating test takers were acting hinky.
Cheating on Tests: How To Do It, Detect It, and Prevent It
Oct 04 2021
Facebook, WhatsApp, and Instagram are down worldwide, it’s panic online
Users worldwide are not able to access Facebook, Instagram, and WhatsApp services due to a BGP problems. Users attempting to visit the above services are displaying “DNS_PROBE_FINISHED_NXDOMAIN.”
The mobile applications of the social network giant and its Tor hidden services are also not working.
At the time of this writing, it is unclear if the outage is the result of a technical issue or it is the result of a cyber attack against the infrastructure of the social network giant.
Source outage.report
FB Apps down report from NYT: Facebook and some of its apps go down simultaneously.
WhatsApp, Instagram, Facebook Down Globally, Report Users
Facebook is at it again…
In 2018, Facebook was caught selling our personal data to Cambridge Analytica, a data analysis firm.
It’s hard to say who is more evil and manipulative, Facebook or Cambridge Analytica.
If you’re not familiar with the scandal, Facebook collects massive amounts of data about us every day.
Cambridge Analytica used our personal data against ourselves (Facebook clearly does too).
When you’re on Facebook, you see content in your newsfeed.
That content is not there by accident or coincidence.
The Facebook ALGORITHM puts content in your newsfeed that triggers your emotions.
Facebook algorithm supports hateful and polarizing contents
Whistleblower: ☝️ Facebook will lose money if they fix algorithm. And they know it
The more polarizing the content, the more you will read.
The longer you stay on Facebook, the more ads you see and the more money Facebook makes…
Facebook and the Power of Big Data and Greedy Algorithms
Facebook AI Algorithm
« Previous Page — Next Page »
