InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.
According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower, at 8,459,060,239 unique entries.
The compilation has been dubbed “RockYou2021” by the forum user (the file is named rockyou2021.txt), presumably in reference to the infamous RockYou data breach of 2009, when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text.
With a collection that exceeds its 12-year-old namesake by more than 262 times, this leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever. Its 3.2 billion leaked passwords, along with passwords from multiple other leaked databases, are included in the RockYou2021 compilation that has been amassed by the person behind this collection over several years.
Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak.
How to check if your password was leaked?
Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker or our leaked password checker.
Note: We take our readers’ privacy extremely seriously. To protect your privacy and security, the data that you enter in the search field is hashed, and we use only this hash to perform a search in our database. We do not collect entered emails or passwords, nothing is logged when you perform a leak check.
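The note above says the checker hashes what you type and searches on the hash. The following is an added example, not CyberNews' code, of the stronger variant a practitioner would want, a k-anonymity range query of the kind Have I Been Pwned's Pwned Passwords API uses: the client hashes locally, sends only the first five hex characters of the SHA-1, and matches the suffix itself, so neither the password nor its full hash reaches the server. The leak list is a constructed six-entry stand-in, not RockYou2021 data.

```python
import hashlib

# Constructed stand-in for a leaked password list (not real leak data).
SAMPLE_LEAK = ["123456", "password", "qwerty", "iloveyou", "abc123", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash form range-query APIs index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_leak_index(passwords):
    """Server side: bucket leaked hashes by their first 5 hex characters,
    storing only the remaining 35-character suffix in each bucket."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


LEAK_INDEX = build_leak_index(SAMPLE_LEAK)


def range_query(prefix: str) -> list:
    """Server side: answer a k-anonymity range query. The server sees only a
    5-hex-char prefix (20 bits of a 160-bit hash), so it cannot tell which of
    the 2^140 possible hashes in that bucket the client actually holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return LEAK_INDEX.get(prefix, [])


def is_leaked(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Neither the password nor its full hash ever leaves the client."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


if __name__ == "__main__":
    for candidate in ["123456", "correct horse battery staple"]:
        verdict = "LEAKED" if is_leaked(candidate) else "not in sample list"
        print(f"{candidate!r} -> {verdict}")
```

The one thing a range query still reveals is the 5-character prefix, which narrows the hash space by a factor of about a million but leaves roughly 2^140 candidates per bucket, which is why the design is considered safe to use with real passwords.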
Microsoft is monitoring a wave of cyber attacks that use SEO poisoning to deliver a remote access trojan (RAT), which the threat actors use to steal sensitive data from infected systems.
Microsoft 365 Defender data shows that the SEO poisoning technique is effective, given that Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments.
— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2021
The IT giant notes that the technique is effective: Microsoft Defender Antivirus has detected and blocked thousands of the PDF documents delivered as part of the ongoing campaign.
Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of their desired info. Once the links are clicked, users are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. The final sites are clones of Google Drive web pages that serve the SolarMarker malware.
As intended, these PDF files or pages referencing them turn up in search results. When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga.
— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2021
Microsoft experts noticed that the PDF files are primarily hosted on Amazon Web Services and Strikingly.
The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”.
— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2021
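The redirect behaviour described above (5 to 7 hops through .site, .tk and .ga domains before a Google Drive lookalike) is something a proxy or sandbox analyst can score mechanically. The following is an added example, not Microsoft's code or tooling: it walks a constructed redirect map standing in for the Location headers a crawler would record (the hostnames are hypothetical) and flags chains that are both long and mostly routed through those throwaway TLDs.

```python
from urllib.parse import urlparse

# Constructed redirect map standing in for the Location headers observed when
# following the link inside a poisoned PDF. Hostnames are hypothetical.
REDIRECTS = {
    "https://pdf-host.example/insurance-form.pdf": "http://hop1.example.site/go",
    "http://hop1.example.site/go": "http://hop2.example.tk/a",
    "http://hop2.example.tk/a": "http://hop3.example.ga/b",
    "http://hop3.example.ga/b": "http://hop4.example.site/c",
    "http://hop4.example.site/c": "http://hop5.example.tk/d",
    "http://hop5.example.tk/d": "https://drive-lookalike.example.ga/download",
}

# TLDs the Microsoft report called out for the intermediate hops.
SUSPICIOUS_TLDS = {"site", "tk", "ga"}


def follow_chain(start: str, redirects: dict, max_hops: int = 10) -> list:
    """Walk the redirect map from `start`, capping the walk so a redirect loop
    cannot run forever. Returns every URL visited, first to last."""
    chain = [start]
    url = start
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain


def tld_of(url: str) -> str:
    """Last DNS label of the URL's host, lower-cased ('' if there is no host)."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def assess_chain(chain: list, min_hops: int = 5, min_suspicious: int = 3) -> dict:
    """Score a chain: many hops, most of them through throwaway TLDs. The
    thresholds are tunable assumptions, not values from the report."""
    hops = len(chain) - 1
    suspicious = [u for u in chain[1:] if tld_of(u) in SUSPICIOUS_TLDS]
    return {
        "hops": hops,
        "suspicious_hops": len(suspicious),
        "final_url": chain[-1],
        "flag": hops >= min_hops and len(suspicious) >= min_suspicious,
    }


if __name__ == "__main__":
    chain = follow_chain("https://pdf-host.example/insurance-form.pdf", REDIRECTS)
    print(assess_chain(chain))
```

Fed real proxy logs, the same scoring works on the sequence of 3xx responses recorded for one client session; the loop cap matters because redirect loops are a common way for an abuse site to stall an automated crawler.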
If there is any moral to this, it’s one that all of my blog readers should already know: trust is essential to security. And the number of people you need to trust is larger than you might originally think. For an app to be secure, you need to trust the hardware, the operating system, the software, the update mechanism, the login mechanism, and on and on and on. If one of those is untrustworthy, the whole system is insecure.
It’s the same reason blockchain-based currencies are so insecure, even if the cryptography is sound.
If you’re building a career in information security the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.
This course will prepare you with the knowledge and skills to complete the CISSP exam, which will get you Certified Information Systems Security Professional status. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.
Duration: 5 days
“I would highly recommend the course to a friend, and in fact I already have! I’d also recommend it to a security team within an organization, even if they’re not specifically targeting a CISSP certification as it teaches a broad range of best practices and will help instill a culture of security and best practice in any organization.”
Who should attend?
This training course is intended for professionals who have at least 5 years of recent full-time professional work experience in 2 or more of the 8 domains of the CISSP common body of knowledge (CBK), such as:
Security consultants
Security managers
IT directors/managers
Security auditors
Security architects
Security analysts
Security systems engineers
Chief information security officers
Security directors
Network architects
Please note: A one year experience waiver is available with a 4-year college degree, or regional equivalent, or additional credentials from the (ISC)² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK.
Don’t have 5 years of experience? – Become an Associate of (ISC)²
Cybercriminals and black hat hackers exploit system vulnerabilities and human weaknesses as well. This hacking tutorial discusses how a malicious actor can access any mobile or computer camera, microphone, physical location, and device information by just sending a URL along with some basic social engineering techniques.
Throughout this tutorial, we will look at How Hackers Access Target WebCam Remotely and see what is happening on the other end. To break into the victim’s webcam, we will use the tool Storm-Breaker and Kali Linux.
A group of hackers breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc. gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons, and schools.
Storm-Breaker is going to assist us with a hack. With Storm-Breaker, you have.
In their minds, this security approach can only be applied to fresh, or “greenfield,” environments, and even there organizations are hesitant as they may believe security will hinder business agility.
The true reason why businesses are hesitant when it comes to zero trust is a lack of understanding of the process and the unfortunate influence of the myths stated above. Forrester’s zero trust framework gives a clear overview of the seven pillars that provide a comprehensive zero trust strategy: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Even after seeing the different elements set out, businesses may feel overwhelmed by the number of areas that can be linked with zero trust: it’s the classic “boiling the ocean” problem.
But what if companies instead took a more incremental and agile approach where benefits are realized at each stage along the way? This approach not only results in a regular and measurable improvement in security posture, but it also facilitates the integration of further capabilities throughout the process.
In a world of deepfakes, it will soon be impossible to tell what is real and what isn’t. As advances in artificial intelligence, video creation, and online trolling continue, deepfakes pose not only a real threat to democracy — they threaten to take voter manipulation to unprecedented new heights. This crisis of misinformation which we now face has since been dubbed the “Infocalypse.”
In DEEPFAKES, investigative journalist Nina Schick uses her expertise from working in the field to reveal shocking examples of deepfakery and explain the dangerous political consequences of the Infocalypse, both in terms of national security and what it means for public trust in politics. This all-too-timely book also unveils what this all means for us as individuals, how deepfakes will be used to intimidate and to silence, for revenge and fraud, and just how truly unprepared governments and tech companies are for what’s coming.
Group-IB, a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale.
Overall, fraud accounts for 73% of all online attacks: 56% are scams (fraud that results in the victim voluntarily disclosing sensitive data) and 17% are phishing attacks (theft of bank card details). Using patented Digital Risk Protection (DRP) technologies, Group-IB experts discovered over 70 fraud groups that run just one of the fraudulent schemes, Classiscam, 36 of which target Europe. Classiscam threat actors alone were found to have defrauded users of $7.75 million in one year.
On June 10th, during the Digital Risk Summit 2021 online conference (Amsterdam), Group-IB presented its research on various fraudulent schemes, obtained using neural networks and ML-based scoring in the Group-IB Digital Risk Protection System. Group-IB also unveiled Scam Intelligence, a fraud-tracking technology that paved the way for DRP, the company’s proprietary solution. In one year, the system has helped companies in Asia Pacific, Europe and the Middle East avoid €363 million in potential damage.
The number of scam and phishing violations detected by Group-IB in Europe in 2020 increased by 39% compared to the previous year. DRPās research into threat actorsā fraud activity around the world helped categorize fraud schemes, uncovering over 100 basic schemes and their modifications. For example, a scheme of fake branded social media accounts (typical of the financial sector) affected over 500 fake accounts per bank on average in 2020 . Insurance companies around the world are now suffering from phishing. Over the past year, an average of over 100 phishing websites were created per insurer.
In 2020, a multi-stage scam called Rabbit Hole targeted companiesā brands, primarily retail and online services. Users received a link from friends, via social media or in messengers with the request to take part in a competition, a promotional offer or a survey. On average, users visited 40,000 fraudulent websites every day. Rabbit Hole has attacked the customers of at least 100 brands worldwide. The threat actors target the theft of personal and bank card details.
Classiscam has been the most widespread fraud in the world during the pandemic. The scheme is aimed at people using marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail stores, ridesharing and deliveries. The scheme aims to extort money as payment for non-existent goods. At least 44 countries, including Austria, France, Italy, the Netherlands and Great Britain, are affected by Classiscam. According to Group-IB, a total of 93 brands were misused as part of Classiscam. As of early 2021, more than 12,500 threat actors were making money with fake delivery services. The total number of websites involved in the scheme reached 10,000. A single Classiscam threat group makes up to €97,000 per month.
“Last year the world was hit by the ‘scamdemic’, an influx of online scams on an unprecedented scale: if your business is successful and well-known, it’s only a matter of time before scammers set their sights on it,” explains Dmitry Tiunkin, Group-IB DRP Head, Europe. “Digital risks to brands such as online fraud, the illegal sale of products and services, and intellectual property infringement are the most widespread crimes on the Internet. Group-IB’s DRP system gives analysts a tool to uncover the entire infrastructure of fraudsters and learn about different categories of fraud attempts that could target their organizations. Group-IB DRP helps our clients identify the person behind the wrongdoing, gather as much information about them as possible, and bring them to justice.”
Penetration testing has been one of the industries that are relatively slow adopters of automation. As security firms started automating many parts of the cybersecurity process including scanning and threat intelligence updates, security testing for some time was still mostly about traditional methods.
“In the past few years, the use of automation in many spheres of cybersecurity has increased dramatically, but penetration testing has remained stubbornly immune to it,” as noted CISO Alex Haynes explains in an article exploring the potential of AI replacing humans in this field.
This is perfectly understandable, considering that penetration testing needs to be thorough and supervised by experts. Many of its parts are repetitive, but they require the scrutiny of human cybersecurity professionals to be carried out effectively. AI and machine learning technology has yet to reach a level advanced enough to competently handle the complexities of security testing.
However, the past years have produced excellent examples of solutions that take advantage of automation. These pen-testing platforms employ automation in specific areas that make excellent sense. These existing solutions provide convincing evidence of the benefits of automation in this field of cybersecurity.
Many thought leaders have approached the skills shortage from a cumulative perspective. They ask “How on Earth can companies afford to keep re-training their teams for the latest cyber-threats?” The challenge, to them, emanates from the impracticalities of entry level training becoming obsolete as new challenges emerge.
Of course, the question of ongoing training is very important, but I believe it has misled us in our evaluation of the growing disparity between the supply and demand of cyber-professionals. What we should be asking is “How can we create a generation of cyber-professionals with improved digital skills and resilience to tackle an enemy that continually mutates?”
Defining the relationship between people and tech is of the utmost importance here. Cybersecurity is not merely a technical problem, it’s a human problem. This is a critical intersection. People are not the weakest link in an effective cybersecurity defense strategy, but the most crucial. However, technology is the apparatus that can properly arm us with the skills to defend against attacks.
The silver bullet
The only thing we can be certain of is that cyberattacks are taking place right now and will continue to take place for the foreseeable future. As a result, cybersecurity will remain one of the most critical elements for maintaining operations in any organization.
In addition, COVID-19 has been a significant catalyst in increasing uptake and emphasis on cyber skills since the steep rise in the use of digital platforms in both our work and personal lives has expanded the surface area for attacks and created more vulnerability.
Overall, though, young people remain our best hope for tackling the global cyber skills gap, and only by presentingĀ cybersecurity to them as a viable career optionĀ can we start to address it. This is the critical starting point. Once we do this, the next important step is to give universities and schools the facilities to offer sophisticated cyber training.
The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members from all over the world for more than three years.
Named Operation Ironside, on Monday, law enforcement agencies from Australia, Europe, and the US conducted house searches and arrested hundreds of suspects across a wide spectrum of criminal groups, from biker gangs in Australia to drug cartels across Asia and South America, and weapons and human traffickers in Europe.
Knowing that the criminal underworld would move to a new platform, US and Australian officials decided to create their own service, which they called Anøm (also stylized as AN0M).
Just like Phantom Secure, the new service consisted of secure smartphones that were configured to run only the An0m app and nothing else.
The app, advertised through word of mouth and via the anom.io website, allowed phone owners to send encrypted text and voice messages between devices and prevented them from installing any other apps.
No phone number was required to use the app, which relayed all its messages via An0mās central platform.
But according to investigators, this app design allowed officials to intercept the messages and decrypt texts sent by gang members to each other, many of which included details of drug movements or murder plots.
According to Australian police officials, the FBI ran the platform while the AFP technical staff built a system to decrypt messages that passed through the platform in real-time.
Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, other gangs found refuge on the network, which eventually amassed more than 11,000 users.
Investigators described Operation Ironside as one of the largest sting operations in law enforcement history.
Investigators appear to have decided to shut down the sting operation after criminal groups started catching on that the An0m app was leaking their conversations.
On 21st March 2021, a (now deleted) blog post correctly identified that Anøm @anomsecure was in fact sending all the user messages to US-based LE. Criminals had caught onto the game as the arrests began. It can be viewed here in Google's cache. https://t.co/ck7bxun7la
— Hacker Fantastic (@hackerfantastic) June 7, 2021
Siloscape is a new strain of malware that targets Windows Server containers to execute code on the underlying node and spread in the Kubernetes cluster.
Researchers from Palo Alto Networks have spotted a piece of malware that targets Windows Server containers to execute code on the underlying node and then drop a backdoor into Kubernetes clusters.
Siloscape is a heavily obfuscated malware that was designed to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers and carry out malicious activities.
Compromising an entire cluster could allow an attacker to steal sensitive information, including credentials, confidential files, or even entire databases hosted in the cluster.
“Siloscape uses the Tor proxy and an .onion domain to anonymously connect to its command and control (C2) server. I managed to gain access to this server. We identified 23 active Siloscape victims and discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign. I also discovered that this campaign has been taking place for more than a year.” reads the analysis published by Palo Alto Network researcher Daniel Prizmant.
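The report above describes malware that escapes a Windows container to its node and then turns on a "poorly configured" cluster. Which settings make that second step easy is not spelled out on this page, so the following is an added, generic least-privilege audit, not Palo Alto's tooling or a description of Siloscape's technique: it inspects pod specs (constructed here, in the shape `kubectl get pod -o json` returns) for the fields that hand code inside a container a path to the node or to the cluster API, such as privileged mode, host namespaces, hostPath mounts, an auto-mounted service account token and Windows HostProcess containers.

```python
# Constructed pod specs in the dict shape `kubectl get pod -o json` returns.
# Image names are hypothetical.
RISKY_POD = {
    "metadata": {"name": "win-worker"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host", "hostPath": {"path": "C:\\"}}],
        "containers": [{
            "name": "app",
            "image": "example/windows-app",
            "securityContext": {
                "privileged": True,
                "windowsOptions": {"hostProcess": True},
            },
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "win-worker"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "app",
            "image": "example/windows-app",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
        }],
    },
}


def audit_pod(pod: dict) -> list:
    """Return human-readable findings for settings that would let code running
    inside a compromised container reach the node or the cluster API."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    if spec.get("hostPID"):
        findings.append(f"{name}: hostPID shares the node's process namespace")
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork shares the node's network stack")
    # Kubernetes mounts the service account token unless this is set to False.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token auto-mounted (reachable by code in the container)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath volume exposes node path {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{c['name']}: allowPrivilegeEscalation not disabled")
        if sc.get("windowsOptions", {}).get("hostProcess"):
            findings.append(f"{name}/{c['name']}: Windows HostProcess container runs directly on the node")
    return findings


if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["no findings"])
```

Run over every pod in a namespace, a list like this is a quick way to see how much a single container compromise would buy an attacker; the same checks are what a Pod Security admission policy would enforce up front.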
The US Department of Justice (DOJ) just announced that it has charged a 55-year-old Latvian woman, who went by the moniker of Max, with malware-writing crimes.
Max, whose real name is apparently Alla Witte, is the sixth of seven defendants listed in the DOJ’s indictment, along with ten other unknown individuals identified only as CC8 to CC17. (CC is short for co-conspirator.)
A decade ago, security officers would have been able to identify the repercussions of an attack almost immediately, as most took place in the top-level layers of a system, typically through a malware attack. Now however, threat actors work over greater lengths of time, with much broader, long-term horizons in mind.
Leaders can no longer assume that their business systems are safe. The only certainty is that nothing is certain. The past year has been evidence of that, as large, well-trusted companies have faced catastrophic breaches, such as the SolarWinds and Microsoft attacks. These organizations were believed to have some of the best systems installed to protect their data, yet they were still successfully infiltrated.
Threat actors are also pervading underlying networks, moving from router to router and accessing data stored far below the top level of a system. The refinement of their attacks means that businesses can go unaware of a breach for longer periods of time, increasing the amount of damage that can be done.
Businesses should take all precautions necessary when it comes to security, assume that anything is possible and devise their security plans around the worst-case scenario. This means adopting the attitude that any one employee could be a hacker’s key to company systems. Anyone could fall for one of the increasingly sophisticated attacks and click on a phishing email, resulting in a rabbit hole of malicious elements.
Visibility and analytics
Moving forwards, visibility and analytics will be instrumental in strengthening a business’ security approach. These elements deliver invaluable insights into a company’s security standpoint and can help identify any vulnerabilities that have gone unnoticed. Where security and connectivity within an organization have been the two main focus points of leaders, visibility and analytics have now become the third and fourth fundamental elements.
The value of this information cannot be overstated. For a company who has identified a breach attempt and shut all systems down, the first challenge is understanding how far the criminals managed to get before being detected, and what data had been accessed.
In the scenario when businesses are faced with threats from ransomware attackers and take part in negotiations, it helps to have an overview of all business systems. For example, if an attack took place over one week and a company is able to see all incoming and outgoing traffic, then they can deduce roughly how far the criminals could have got.
This could be vital in seeing through any deceptions from the hackers, who may claim to have accessed ten terabytes of data, when realistically they may only have secured a couple of files before being shut out. Only with complete visibility will businesses be able to counter a criminal’s threat.
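The bounding argument above (you cannot have lost more than left the network) is simple to put into practice if flow records exist for the incident window. The following is an added example, not from the original article: it sums bytes sent from internal hosts to external destinations during a window, using a constructed flow log (not real traffic) and RFC 5737 documentation addresses, and tests a claimed exfiltration size against that ceiling. Internal-to-internal traffic and records outside the window are excluded.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records: "<utc timestamp> <src> <dst> <bytes>"; not real traffic.
FLOW_LOG = """\
2021-06-01T02:10:00Z 10.0.5.12 203.0.113.7 524288000
2021-06-01T03:40:00Z 10.0.5.12 203.0.113.7 734003200
2021-06-02T01:05:00Z 10.0.5.12 198.51.100.9 104857600
2021-06-03T12:00:00Z 10.0.5.12 10.0.9.1 5368709120
2021-05-20T12:00:00Z 10.0.5.12 203.0.113.7 2147483648
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_destination(log_text: str, start: str, end: str) -> dict:
    """Sum bytes sent from internal hosts to external destinations within
    [start, end). Internal-to-internal flows and records outside the window
    are ignored. Returns {external_dst: bytes}."""
    t0, t1 = parse_ts(start), parse_ts(end)
    totals = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        if not (t0 <= parse_ts(ts) < t1):
            continue
        if is_internal(src) and not is_internal(dst):
            totals[dst] = totals.get(dst, 0) + int(nbytes)
    return totals


def claim_is_plausible(totals: dict, claimed_bytes: int) -> bool:
    """An attacker cannot have exfiltrated more than the window's total egress.
    This is an upper bound only: legitimate traffic is included, so the true
    figure is lower still."""
    return claimed_bytes <= sum(totals.values())


if __name__ == "__main__":
    totals = egress_by_destination(FLOW_LOG, "2021-06-01T00:00:00Z", "2021-06-04T00:00:00Z")
    seen = sum(totals.values())
    print(f"egress in window: {seen / 2**30:.2f} GiB across {len(totals)} destinations")
    print("10 TB claim plausible?", claim_is_plausible(totals, 10 * 10**12))
```

The per-destination breakdown is as useful as the total: a single external host receiving most of the volume over a few hours is the pattern to pull full packet capture or proxy logs for, and a window with only routine egress is strong evidence against a multi-terabyte claim.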
Strengthening the architecture
There are a number of pathways that organizations can take to strengthen their network architecture against threats. Zero-trust approaches are highly recommended for businesses, especially in the age of remote working, as a way of limiting privileged accounts and the general amount of data left easily accessible. Requiring authentication before access not only protects the business’ external perimeter, but also addresses the risks that exist within.
A lot of businesses will find themselves needing to re-address the very foundations of their infrastructure before any additional approaches can be taken. Integration is a massive part of strengthening a company’s network architecture, as most will have existing technologies that need to be combined into one fully functioning capability.
Not only will this allow for greater accessibility and flexibility, but it will also simplify the systems so that they are easier to manage. Achieving this integration will provide businesses with greater visibility into their platforms, making it significantly easier to identify and defend against incoming cyber threats.
Ensuring a secure future
Solutions such as Secure Access Service Edge (SASE) can assist in the strengthening of network architecture. SASE is the integration of networking and security solutions, such as zero trust and firewall-as-a-service (FWaaS), into a single service that can be delivered entirely through the cloud. This ability to deploy through the cloud allows for greater flexibility, making it easy to apply security services wherever they are needed. As many of the applications in use are cloud-based, including collaborative communications, a seamless and secure transition to and from the cloud is crucial.
Cybersecurity will likely become more of a process model that is part of every new project. It will become embedded in every business area, regardless of what their main function is. In such an extreme and sophisticated threat landscape, simply educating employees and home workers about security risks cannot be relied upon to protect companies from malicious attacks.
In an era where cybersecurity attacks are inevitable, strong network architecture and end-to-end visibility are the fundamentals of a resilient security posture. Providing a single point of control using solutions such as SASE will enable businesses to create a more streamlined network architecture, whether from remote locations or within the office. Regardless of their current standpoint, all businesses should be working towards one goal, implementing a business approach that combines the three crucial elements: security, network and visibility.
We all ought to know by now that passwords that are easy to guess will get guessed.
We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.
We tried the 10 all-digit sequences 1, 12, 123 and so on up to 1234567890, and eight of them were in the top 20.
Then we tried other obvious digit combos such as 000000, 111111 and 123123 (we started with six digits because that’s Apple’s current minimum length, and because we noted that 123456 came out well ahead of 12345 and 1234).
The others were equally easy: qwerty, password, abc123, password1, iloveyou and qwertyuiop, the last being a useful reminder that length alone counts for very little.
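Every password guessed above falls into one of a handful of shapes: a digit or alphabet run, a repeated block, a keyboard walk, or a dictionary word with trailing digits. The following is an added example, not Sophos' code, of a pre-screen that names which of those shapes a candidate matches, the kind of check a sign-up form can run before anything reaches a leak database; the common-word list is a constructed seven-entry stand-in for a real leaked-password list.

```python
DIGIT_RUN = "1234567890"
ALPHA_RUN = "abcdefghijklmnopqrstuvwxyz"
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed short sample; a real deployment would load a leaked-password list.
COMMON_WORDS = {"password", "iloveyou", "letmein", "admin", "welcome", "monkey", "dragon"}
TRAILING_NOISE = "0123456789!@#$%^&*.-_"


def _is_run(s: str, alphabets) -> bool:
    """True if s (3+ chars) is a forward or backward walk along one alphabet."""
    return len(s) >= 3 and any(s in a or s in a[::-1] for a in alphabets)


def _is_repeated_block(s: str) -> bool:
    """True for 000000, 111111, 123123, abab, ... (a short block repeated)."""
    n = len(s)
    return any(n % k == 0 and s == s[:k] * (n // k) for k in range(1, n // 2 + 1))


def weak_pattern(password: str):
    """Return the name of the first weak pattern the password matches, or None.
    Matching is case-insensitive and tolerates trailing digits/symbols, so
    'Password1' and 'abc123' are caught as well as 'password' and 'abc'."""
    p = password.lower()
    core = p.rstrip(TRAILING_NOISE)
    if _is_run(p, [DIGIT_RUN, ALPHA_RUN]) or _is_run(core, [ALPHA_RUN]):
        return "sequence"
    if _is_repeated_block(p):
        return "repeated block"
    if _is_run(p, KEYBOARD_ROWS) or _is_run(core, KEYBOARD_ROWS):
        return "keyboard walk"
    if p in COMMON_WORDS or core in COMMON_WORDS:
        return "common word"
    return None


if __name__ == "__main__":
    samples = ["123456", "111111", "123123", "qwertyuiop", "password1", "abc123", "Tr0ub4dor&3-xK9"]
    for pw in samples:
        print(f"{pw!r:20} -> {weak_pattern(pw)}")
```

Note what the check does not do: a password that matches none of these shapes is not thereby strong, so the screen belongs in front of a leak lookup and a length rule, not in place of them. The qwertyuiop case illustrates the article's point that length alone counts for little.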
Don’t re-use passwords. And don’t try to invent a technique for modifying each password slightly from an original template to make them seem different, because the crooks are on the lookout for that.
Consider a password manager. Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the passwords gets compromised. Remember that you don’t have to put all your passwords into the manager app if you don’t want to: it’s OK to have a special way of dealing with your most important accounts, especially if you don’t use them often.
Turn on 2FA if you can. Two-factor authentication doesn’t guarantee to keep the crooks out, but it stops attacks like this one from being carried out so easily and on such a broad scale, because the passwords alone would not have been enough.
Report payment anomalies. Obviously, you need to look for outgoing payments that shouldn’t have happened, and for incoming payments that never arrived. But also look out for outgoing payments that somehow failed when they should have gone through, or for incoming funds you didn’t expect, no matter how small the amount. The sooner you report any errors, even if you didn’t lose any money, the sooner you help both yourself and everyone else.
Our community ā that is, technologists, mathematicians and information assurance professionals ā has generally adapted well to changes in the technology landscape.
At the start of the Cold War, the western security apparatus sought to understand the actions of their adversaries by intercepting radio signals bouncing off the ionosphere and analyzing the messages they carried. Later, when the Soviets moved to microwave transmissions, that same security apparatus deployed cutting-edge line-of-sight interception techniques.
Then, in 1977, after the Soviets began to successfully encrypt their communications, the NSA launched the Bauded Signals Upgrade program, delivering a supercomputer designed to compare encrypted messages with elements of plain text transmitted by mistake, allowing the agency to break many of the Soviets’ high-level codes. Time and time again, our innovation has kept us safe, but only when we have prepared to meet the threat.
Quantum information theory, built on the quantum mechanics developed since the beginning of the 20th century, has led to an exciting yet dangerous new prospect: new quantum algorithms to solve computational problems which have thus far proven intractable, or at least unachievable within a useful period, on classical computers. One such problem is factoring the large integers on which RSA, a key pillar of modern public-key cryptography, depends.
A joint research team of engineers from Google and the Swedish Royal Institute of Technology published a study that theorized the breaking of a 2048-bit RSA key in just 8 hours, something that would take today’s classical computers over 300 trillion years. The catch? This estimate requires a 20 million-qubit computer, and the largest quantum computer that exists today has only 65.
Their study, alongside many like it, tells us that quantum technology will present the greatest threat to the security of our critical systems in the history of computing. It may even be useful to us in future conflicts. However, quantum computers will need considerably more processing power than is available today and will require a significantly lower error rate if they are to be utilized for cyberspace operations.
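A note on what the estimate above does and does not cover, added here and not part of the original article: Shor's algorithm attacks the factoring problem behind RSA with a circuit whose size grows only polynomially in the bit length $n$ of the modulus, which is why a large enough machine beats the best classical method, the general number field sieve (GNFS), by an exponential margin. Symmetric ciphers such as AES face only Grover's quadratic speedup, so doubling the key length restores the margin. Using $N \approx 2^{n}$ and the textbook Shor cost:

$$
T_{\text{Shor}}(n) = O\!\left(n^{3}\right)
\qquad\text{vs.}\qquad
T_{\text{GNFS}}(n) = \exp\!\left(\left(\tfrac{64}{9}\right)^{1/3}\,(n \ln 2)^{1/3}\,\big(\ln(n \ln 2)\big)^{2/3}\right)
$$

$$
\text{Grover on a } k\text{-bit key: } 2^{k} \;\longrightarrow\; 2^{k/2},
\qquad \text{AES-128} \to 2^{64}, \quad \text{AES-256} \to 2^{128}
$$

The practical consequence is the one NIST's process below reflects: public-key algorithms (RSA, Diffie-Hellman, elliptic curves) must be replaced, while AES-256 and SHA-2/SHA-3 at adequate output sizes are retained.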
To meet this challenge, institutions across the world are rushing to develop quantum computers that are capable of delivering on the promising theory.
The U.S. National Institute of Standards and Technology is currently evaluating over 60 candidate algorithms for post-quantum cryptography, that is, key exchange and signature schemes designed to resist attack by quantum computers. Early indications are that quantum technology will also provide an ability to detect, defend, and even retaliate against all manner of future threats.
Away from security, most people understand that quantum computing has immense potential for good ā with applications in the scientific and medical research fields easy to imagine. However, this vast computing power could also be used to undermine the classical computer systems that our nation relies upon so heavily.
Just a few years ago, you may never have heard of ransomware. Nowadays, it's a £10 billion-a-year industry and considered one of the biggest threats facing organizations, schools and essential services.
Dozens of ransomware cases are reported each month, with companies locked out of their files and facing extortionate demands. The current going rate for decryption keys is in the region of 0.3 bitcoin (about £100,000, or $140,000), but sometimes attackers set their sights much higher.
In this blog, we look at some of the times attackers have done that, as we review the five biggest reported ransomware payments.
Researchers from the Wordfence team at WordPress security company Defiant warn that a critical zero-day vulnerability, tracked as CVE-2021-24370, in the Fancy Product Designer WordPress plugin is actively exploited in the wild.
Fancy Product Designer is a premium plugin that allows customers to design and customize any kind of product in online stores; it is currently installed on more than 17,000 websites.
Experts pointed out that the vulnerability can be exploited only in certain configurations, but in some of those configurations it can be exploited even if the plugin is not active.
Attackers are exploiting the flaw to extract order information from site databases; however, this vulnerability is likely not being attacked on a large scale.
Users can modify their products by uploading images and PDF files, but experts noticed that the checks in place to prevent malicious files from being uploaded are not sufficient and could easily be bypassed.
"Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed." reads the post published by the experts. "This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover."
The flaw has been rated with a CVSS score of 9.8 out of 10. An attacker could exploit the issue to upload executable PHP files to online stores that have the plugin installed.
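As an added illustration (Python, not the plugin's own PHP code), the kind of upload check the researchers describe as insufficient, next to a stricter check that admits only the image and PDF types the feature needs and ignores what the client declares:

```python
# Added example: a check that trusts the client-declared Content-Type versus one
# that allowlists the extension, verifies the file's magic bytes and renames it.
import os
import secrets

# Allowlist: final extension -> leading magic bytes the content must carry.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

def weak_check(filename: str, client_mime: str, data: bytes) -> bool:
    """Insufficient: decides on the Content-Type the uploader declared and never
    looks at the name or the bytes, so a PHP script declared as image/png passes."""
    return client_mime in {"image/png", "image/jpeg", "application/pdf"}

def strict_check(filename: str, client_mime: str, data: bytes):
    """Return a server-chosen storage name if the upload is acceptable, else None.
    client_mime is deliberately ignored: it is attacker-controlled."""
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED:                      # allowlist, not a blocklist of .php etc.
        return None
    if not data.startswith(ALLOWED[ext]):       # content must match the claimed type
        return None
    if b"<?php" in data or b"<?=" in data:      # polyglot: valid image header plus PHP
        return None
    # Never reuse the client's name; store the file outside the web root and serve
    # it through a handler that forces a safe Content-Type.
    return f"{secrets.token_hex(16)}.{ext}"
```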
If your password gets stolen as part of a data breach, you'll probably be told. But what if your password gets pwned some other way?
In case you've never heard of it, Have I Been Pwned, or HIBP as it is widely known, is an online service run out of Queensland in Australia by a data breach researcher called Troy Hunt.
The idea behind HIBP is straightforward: to give you a quick way of checking your own online accounts against data breaches that are already known to be public.
Of course, you'd hope that a company that suffered a data breach would let you know itself, so you wouldn't need a third party website like HIBP to find out.
But there are numerous problems with relying on the combined goodwill and ability of a company that's just suffered a breach, not least that the scale of the breach might not be obvious at first, if the company even realises at all.
And even if the company does do its best to identify the victims of the breach, it may not have up-to-date contact data for you; its warning emails might get lost in transit; or it might not be sure which users were affected.
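As an added example (not HIBP's own code), checking a password against HIBP's Pwned Passwords corpus through its k-anonymity range API: only the first five hex characters of the password's SHA-1 hash are sent, the rest of the matching is done locally. The sample response body is constructed; the real endpoint and the `Add-Padding` header exist.

```python
# Added example: k-anonymity lookup against the Pwned Passwords range API. The
# password itself is never sent; the server only ever sees a 5-character hash prefix.
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix to keep)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line; padded entries have count 0)
    and return the count for our suffix, 0 if it is absent."""
    for line in body.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def pwned_count(password: str, fetch=None) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    fetch(prefix) -> body lets callers or tests supply a response offline;
    by default the real HIBP endpoint is queried over HTTPS."""
    prefix, suffix = split_hash(password)
    if fetch is None:
        req = Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
        with urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8")
    else:
        body = fetch(prefix)
    return count_in_range(suffix, body)

# Constructed sample response for prefix 5BAA6 (a real one has several hundred
# lines); the middle suffix is the real SHA-1 tail of "password", the count is made up.
SAMPLE_BODY = """\
1E2AAA439C4D92DB8F6C8E3CCC6A2A6F4B6:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E5CDE0F7F6D8D9C2A1B3E4F5A6B7C8D9E0:0
"""

if __name__ == "__main__":
    hits = pwned_count("password", fetch=lambda prefix: SAMPLE_BODY)
    print("pwned" if hits else "not found", hits)
```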
Researchers from Ruhr-University Bochum have disclosed two new attack techniques, dubbed Evil Annotation and Sneaky Signature attacks, on certified PDF documents that could potentially allow attackers to modify visible content without invalidating their digital signature. The attacks are documented in
The experts presented the results of the study at the 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021).
The attacks leverage the flexibility of PDF certification that allows signing or adding annotations to certified documents under different permission levels. The experts demonstrated that the EAA technique could be effective against 15 of 26 viewer applications while the SSA could work against 8 viewers.
"The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications using SSA by using PDF specification compliant exploits." reads the post published by the researchers.
The experts explained that the certification of signed content also allows users with specific permissions set by the certifier to apply certain modifications to the PDF document. This means that the user could write text to specific form fields, provide annotations, or add their own signature if permitted by the certifier.
The idea behind the Evil Annotation Attack (EAA) is to modify a certified document by inserting annotations that include malicious code.
"The idea of the Evil Annotation Attack (EAA) is to show arbitrary content in a certified document by abusing annotations for this purpose. Since P3 certified documents allow adding annotations, EAA breaks the integrity of the certification." continues the post.
The idea behind the Sneaky Signature Attack (SSA) is to manipulate the appearance of arbitrary content within the PDF by adding overlaying signature elements to a PDF document that is certified at level P2, which permits filling in forms.
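As an added example (not the Bochum researchers' code), a heuristic Python triage of a certified PDF: it reads the DocMDP permission level of the certification and lists annotations or signatures appended in later incremental updates, the two kinds of change EAA and SSA rely on. The sample PDF bytes are constructed for illustration and omit the xref tables a viewer would need.

```python
# Added example: flag objects appended after certification for manual review. It
# scans uncompressed objects only; compressed object streams are not unpacked.
import re

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)

def certification_level(pdf: bytes):
    """DocMDP level P (1-3) from the first revision, or None if not certified."""
    first = pdf.split(b"%%EOF", 1)[0]
    m = re.search(rb"/TransformMethod\s*/DocMDP.*?/P\s*([123])", first, re.S)
    return int(m.group(1)) if m else None

def appended_changes(pdf: bytes):
    """(revision_no, kind) for annotations/signatures added after certification."""
    findings = []
    for rev_no, rev in enumerate(pdf.split(b"%%EOF")[1:], start=1):
        for obj in OBJ_RE.findall(rev):
            if re.search(rb"/Type\s*/Sig\b", obj):
                findings.append((rev_no, "signature"))
            elif re.search(rb"/Type\s*/Annot\b", obj):
                sub = re.search(rb"/Subtype\s*/(\w+)", obj)
                kind = sub.group(1).decode() if sub else "unknown"
                if kind != "Widget":   # plain form-field widgets are what P2 allows
                    findings.append((rev_no, "annotation:" + kind))
    return findings

def triage(pdf: bytes) -> str:
    """One-line verdict; at P2/P3 the viewer may still show the file as certified."""
    level = certification_level(pdf)
    if level is None:
        return "not certified"
    changes = appended_changes(pdf)
    if not changes:
        return f"P{level}: no appended changes"
    return f"P{level}: review " + ", ".join(f"rev{i} {k}" for i, k in changes)

# Constructed sample: P3-certified document plus one incremental update that appends
# a FreeText annotation (xref tables omitted, so a viewer would not load it as-is).
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Perms << /DocMDP 2 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Sig /Reference [ << /Type /SigRef /TransformMethod /DocMDP"
    b" /TransformParams << /Type /TransformParams /P 3 /V /1.2 >> >> ] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"3 0 obj << /Type /Annot /Subtype /FreeText /Rect [ 72 700 300 720 ]"
    b" /Contents (text appended after certification) >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)
```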