Serious PwnKit flaw in default Linux installations requires urgent patching

Read Time:34 Second

Security researchers have found a privilege escalation vulnerability in pkexec, a tool that’s present by default on many Linux installations. The flaw, called PwnKit, could allow attackers to easily gain root privileges on systems if they have access to a regular user without administrative privileges.

Researchers from security firm Qualys who discovered and reported the vulnerability were able to confirm it is exploitable in default configurations on some of the most popular Linux distributions including Ubuntu, Debian, Fedora and CentOS. They believe others are likely impacted as well, since the vulnerable code has existed in pkexec since the tool’s first version, over 12 years ago.

To read this article in full, please click here

Read More

SASE in the spotlight as businesses prioritize edge network security

Read Time:37 Second

Edge is the concept that moves computing from a centralized model to a decentralized one, away from datacenter consolidation across cloud and infrastructure, applications, and workloads and closer to where data is generated or consumed. According to a new report from AT&T Business, edge network definitions and usage are in a state of flux across industries as organizations search for effective security strategies that address edge-related risks and allow them to explore its opportunities. Secure access service edge (SASE) is on the radar of some businesses seeking to augment traditional security controls, bring the network and security closer together, and allow for broader, more centralized visibility across an edge network attack surface.

To read this article in full, please click here

Read More

SASE in the spotlight as businesses prioritize edge network security

Read Time:37 Second

Edge is the concept that moves computing from a centralized model to a decentralized one, away from datacenter consolidation across cloud and infrastructure, applications, and workloads and closer to where data is generated or consumed. According to a new report from AT&T Business, edge network definitions and usage are in a state of flux across industries as organizations search for effective security strategies that address edge-related risks and allow them to explore its opportunities. Secure access service edge (SASE) is on the radar of some businesses seeking to augment traditional security controls, bring the network and security closer together, and allow for broader, more centralized visibility across an edge network attack surface.

To read this article in full, please click here

Read More

BotenaGo strikes again – malware source code uploaded to GitHub

Read Time:7 Minute, 53 Second

Executive summary

In November 2021, AT&T Alien Labs™ first published research on our discovery of new malware written in the open-source programming language Golang. The team named this malware “BotenaGo.” (Read previous article here.) In this article, Alien Labs is updating that research with new information.

Recently BotenaGo source code was uploaded to GitHub, potentially leading to a significant rise of new malware variants as malware authors will be able to use the source code and adapt it to their objectives. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally. As of the publishing of this article, antivirus (AV) vendor detection for BotenaGo and its variants remains behind with very low detection coverage from most of AV vendors.

Key takeaways:

BotenaGo malware source code is now available to any malicious hacker or malware developer.
New BotenaGo samples were found with very low AV detection (3/60 engines).
With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code.

Background

In September 2016, source code of one of the most popular botnets named Mirai was leaked and uploaded to one of the hacking community forums, and later uploaded to GitHub with detailed information on the botnet, its infrastructure, configuration and how to build it.

Since the release of that information, the popularity of Mirai has increased dramatically. Multiple malware variants such as Moobot, Satori, Masuta, and others use the source code of Mirai. They then add unique functionality, which has resulted in these multiple variants causing millions of infections. The Mirai botnet targets mostly routers and IoT devices, and it supports different architectures including Linux x64, different ARM versions, MIPS, PowerPC, and more. Since the Mirai botnet can be now modified and compiled by different adversaries, many new variants have become available over time featuring new capabilities and new exploits.

In our November 2021 research article, Alien Labs first described its findings about the new BotenaGo malware along with technical details. We used online tools such as Shodan to show the potential damage the BotenaGo malware could cause, and its potential for putting millions of IoT devices at risk.

Alien Labs recently discovered that the source code of BotenaGo malware was uploaded to GitHub on October 16th 2021, allowing any malicious hacker to use, modify, and upgrade it —  or even simply compile it as is and use the source code as an exploit kit, with the potential to leverage all BotenaGo’s exploits to attack vulnerable devices. The original source of the code is yet unknown. In the same repository, we have found additional hacking tools collected from several different sources.

Source code analysis

The malware source code, containing a total of only 2,891 lines of code (including empty lines and comments), is simple yet efficient. It includes everything needed for a malware attack, including but not limited to:

Reverse shell and telnet loader, which are used to create a backdoor to receive commands from its operator
Automatic set up of the malware’s 33 exploits, giving the hacker a “ready state” to attack a vulnerable target and infect it with an appropriate payload based on target type or operating system

The top of the source code on GitHub shows a comment with the list of current exploits for “supported” vendors and software, as shown in Figure 1.

  

Figure 1 shows BotenaGo’s available exploits for multiple vendors.

As described in our previous blog, the malware initiates a total of 33 exploit functions targeting different routers and IoT devices by calling the function “scannerInitExploits” (see figure 2).

Figure 2 shows the initialization of 33 exploits.

Each exploit function contains the exploit configuration (such as a specific “GET” request) and specific payload for the targeted system (see figure 3). Some exploits are a chain of commands, such as multiple “GET” requests (see figures 4 and 5).

Figure 3 shows the specific payload for different targets.

Figure 4 shows the implementation of CVE-2020-10987.

Figure 5 shows the implementation of CVE-2020-10173

The code contains additional configuration for a remote server, including available payloads and a path to folders that contains additional script files to execute on infected devices (see figure 6).

Figure 6 shows an example of additional configuration.

On top of all that, the main function calls together all of the necessary pieces: setting up a backdoor, loading additional payload scripts, initializing exploit functions, and waiting for commands (see figure 7). It is simple and clean malware creation in just 2,891 lines of code.

Figure 7 shows BotenaGo’s main function.

Additional updates

Since our first article on BotenaGo, the samples have continued to be used to exploit routers and IoT devices, spreading Mirai botnet malware. Even more worrisome, the samples continue to have a very low AV detection rate, as shown below in VirusTotal (figure 8).

 

Figure 8 shows the low level of antivirus detections for BotenaGo’s new variants.

One of the variants is configured to use a new Command and Control (C&C) server (see figure 9).

It’s worth noting that the IP address for one of BotenaGo’s payload storage servers is included in the list of indicators of compromise (IOC) for detecting exploitation of the Apache Log4j security vulnerabilities. Read the Alien Labs Report on Log4Shell.

Figure 9 shows a command to configure a C&C server for a BotenaGo variant.

Recommended actions

Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Install security and firmware upgrades from vendors, as soon as possible.
Check your system for unnecessary open ports and suspicious processes.

Conclusion

Today, BotenaGo variants serve as a standalone exploit kit and as a spreading tool for other malware. Now with its source code available to any malicious hacker, new malicious activity can be added easily to the malware.  Alien Labs sees the potential for a significant increase in these malware variants, giving rise to potentially new malware families that could put millions of routers and IoT devices at risk of attack.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)

4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555)

4000898: AV EXPLOIT Netgear DGN2200 ping.cgi – Possible Command Injection ( CVE-2017-6077 )

2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)

2027881: ET EXPLOIT NETGEAR R7000/R6400 – Command Injection Inbound (CVE-2019-6277)

2027882: ET EXPLOIT NETGEAR R7000/R6400 – Command Injection Outbound (CVE-2019-6277)

2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)

2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)

2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)

2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)

2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088)

4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515)

2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1

2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1

2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2

2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2

4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173)

2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound – Comtrend VR-3033 (CVE-2020-10173)

4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824)

2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1

2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2

4001142: AV EXPLOIT ManagedITSync – Kaseya exploitation (CVE-2017-18362) v1

4001143: AV EXPLOIT ManagedITSync – Kaseya exploitation (CVE-2017-18362) v2

2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)

4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup – Possible Command Injection (CVE-2017-6334)

2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in an Alien Labs Open Threat Exchange™ (OTX™) pulse. You can access the OTX pulse here. If you are not an OTX member, it is free to join our global, open-source threat intelligence community of more than 200,000.

TYPE

INDICATOR

DESCRIPTION

IP ADDRESS

[86].110.32.167:80

BotenaGo C&C

IP ADDRESS

[179].43.187.197

Malware payload server

IP ADDRESS

[2].56.56.78

Malware payload server

IP ADDRESS

[209].141.59.56

Malware payload server

SHA1

cca00b32d610becf3c5ae9e99ce86a320d5dac87

 

BotenaGo malware hash

SHA1

eb6bbfe8d2860f1ee1b269157d00bfa0c0808932

BotenaGo malware hash

SHA1

01dc59199691ce32fd9ae77e90dad70647337c25

BotenaGo malware hash

SHA1

97d5d30a4591df308fd62fa7ffd30ff4e7e4fab9 

BotenaGo Payload

SHA1

e9aa2ce4923dd9e68b796b914a12ef298bff7fe9

BotenaGo Payload

SHA1

251b02ea2a61b3e167253546f01f37b837ad8cda

BotenaGo Payload

SHA1

fa10e8b6047fa309a73d99ec139627fd6e1debe1

BotenaGo Payload

SHA1

154fc9ea3b0156fbcdcb6e7f5ba849c544a4adfd

BotenaGo Payload

SHA1

0c9ddad09cf02c72435a76066de1b85a2f5cf479

BotenaGo Payload

SHA1

b4af080ad590470eefaadc41f777a2d196c5b0ba

BotenaGo Payload

SHA1

87ef2fd66fdce6f6dcf3f96a7146f44836c7215d

BotenaGo Payload

SHA1

3c2f4fcd66ca59568f89eb9300bb3aa528015e1c

BotenaGo Payload

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0008: Lateral Movement

T1210: Exploitation of Remote Services
T1570: Lateral Tool Transfer

TA0011: Command and Control

T1571: Non-Standard port

*Current as of the publishing of this article.

Read More

BotenaGo strikes again – malware source code uploaded to GitHub

Read Time:7 Minute, 53 Second

Executive summary

In November 2021, AT&T Alien Labs™ first published research on our discovery of new malware written in the open-source programming language Golang. The team named this malware “BotenaGo.” (Read previous article here.) In this article, Alien Labs is updating that research with new information.

Recently BotenaGo source code was uploaded to GitHub, potentially leading to a significant rise of new malware variants as malware authors will be able to use the source code and adapt it to their objectives. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally. As of the publishing of this article, antivirus (AV) vendor detection for BotenaGo and its variants remains behind with very low detection coverage from most of AV vendors.

Key takeaways:

BotenaGo malware source code is now available to any malicious hacker or malware developer.
New BotenaGo samples were found with very low AV detection (3/60 engines).
With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code.

Background

In September 2016, source code of one of the most popular botnets named Mirai was leaked and uploaded to one of the hacking community forums, and later uploaded to GitHub with detailed information on the botnet, its infrastructure, configuration and how to build it.

Since the release of that information, the popularity of Mirai has increased dramatically. Multiple malware variants such as Moobot, Satori, Masuta, and others use the source code of Mirai. They then add unique functionality, which has resulted in these multiple variants causing millions of infections. The Mirai botnet targets mostly routers and IoT devices, and it supports different architectures including Linux x64, different ARM versions, MIPS, PowerPC, and more. Since the Mirai botnet can be now modified and compiled by different adversaries, many new variants have become available over time featuring new capabilities and new exploits.

In our November 2021 research article, Alien Labs first described its findings about the new BotenaGo malware along with technical details. We used online tools such as Shodan to show the potential damage the BotenaGo malware could cause, and its potential for putting millions of IoT devices at risk.

Alien Labs recently discovered that the source code of BotenaGo malware was uploaded to GitHub on October 16th 2021, allowing any malicious hacker to use, modify, and upgrade it —  or even simply compile it as is and use the source code as an exploit kit, with the potential to leverage all BotenaGo’s exploits to attack vulnerable devices. The original source of the code is yet unknown. In the same repository, we have found additional hacking tools collected from several different sources.

Source code analysis

The malware source code, containing a total of only 2,891 lines of code (including empty lines and comments), is simple yet efficient. It includes everything needed for a malware attack, including but not limited to:

Reverse shell and telnet loader, which are used to create a backdoor to receive commands from its operator
Automatic set up of the malware’s 33 exploits, giving the hacker a “ready state” to attack a vulnerable target and infect it with an appropriate payload based on target type or operating system

The top of the source code on GitHub shows a comment with the list of current exploits for “supported” vendors and software, as shown in Figure 1.

  

Figure 1 shows BotenaGo’s available exploits for multiple vendors.

As described in our previous blog, the malware initiates a total of 33 exploit functions targeting different routers and IoT devices by calling the function “scannerInitExploits” (see figure 2).

Figure 2 shows the initialization of 33 exploits.

Each exploit function contains the exploit configuration (such as a specific “GET” request) and specific payload for the targeted system (see figure 3). Some exploits are a chain of commands, such as multiple “GET” requests (see figures 4 and 5).

Figure 3 shows the specific payload for different targets.

Figure 4 shows the implementation of CVE-2020-10987.

Figure 5 shows the implementation of CVE-2020-10173

The code contains additional configuration for a remote server, including available payloads and a path to folders that contains additional script files to execute on infected devices (see figure 6).

Figure 6 shows an example of additional configuration.

On top of all that, the main function calls together all of the necessary pieces: setting up a backdoor, loading additional payload scripts, initializing exploit functions, and waiting for commands (see figure 7). It is simple and clean malware creation in just 2,891 lines of code.

Figure 7 shows BotenaGo’s main function.

Additional updates

Since our first article on BotenaGo, the samples have continued to be used to exploit routers and IoT devices, spreading Mirai botnet malware. Even more worrisome, the samples continue to have a very low AV detection rate, as shown below in VirusTotal (figure 8).

 

Figure 8 shows the low level of antivirus detections for BotenaGo’s new variants.

One of the variants is configured to use a new Command and Control (C&C) server (see figure 9).

It’s worth noting that the IP address for one of BotenaGo’s payload storage servers is included in the list of indicators of compromise (IOC) for detecting exploitation of the Apache Log4j security vulnerabilities. Read the Alien Labs Report on Log4Shell.

Figure 9 shows a command to configure a C&C server for a BotenaGo variant.

Recommended actions

Maintain minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
Install security and firmware upgrades from vendors, as soon as possible.
Check your system for unnecessary open ports and suspicious processes.

Conclusion

Today, BotenaGo variants serve as a standalone exploit kit and as a spreading tool for other malware. Now with its source code available to any malicious hacker, new malicious activity can be added easily to the malware.  Alien Labs sees the potential for a significant increase in these malware variants, giving rise to potentially new malware families that could put millions of routers and IoT devices at risk of attack.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

4001488: AV TROJAN Mirai Outbound Exploit Scan, D-Link HNAP RCE (CVE-2015-2051)

4000456: AV EXPLOIT Netgear Device RCE (CVE-2016-1555)

4000898: AV EXPLOIT Netgear DGN2200 ping.cgi – Possible Command Injection ( CVE-2017-6077 )

2027093: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)

2027881: ET EXPLOIT NETGEAR R7000/R6400 – Command Injection Inbound (CVE-2019-6277)

2027882: ET EXPLOIT NETGEAR R7000/R6400 – Command Injection Outbound (CVE-2019-6277)

2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)

2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)

2830690: ETPRO EXPLOIT GPON Authentication Bypass Attempt (CVE-2018-10561)

2027063: ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)

2831296: ETPRO EXPLOIT XiongMai uc-httpd RCE (CVE-2018-10088)

4001914: AV EXPLOIT DrayTek Unauthenticated root RCE (CVE-2020-8515)

2029804: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1

2029805: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1

2029806: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2

2029807: ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2

4002119: AV EXPLOIT Comtrend Router ping.cgi RCE (CVE-2020-10173)

2030502: ET EXPLOIT Possible Authenticated Command Injection Inbound – Comtrend VR-3033 (CVE-2020-10173)

4001814: AV EXPLOIT TOTOLINK Router PostAuth RCE (CVE-2019-19824)

2029616: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1

2029617: ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2

4001142: AV EXPLOIT ManagedITSync – Kaseya exploitation (CVE-2017-18362) v1

4001143: AV EXPLOIT ManagedITSync – Kaseya exploitation (CVE-2017-18362) v2

2032077: ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)

4000897: AV EXPLOIT Netgear DGN2200 dnslookup.cgi Lookup – Possible Command Injection (CVE-2017-6334)

2027094: ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in an Alien Labs Open Threat Exchange™ (OTX™) pulse. You can access the OTX pulse here. If you are not an OTX member, it is free to join our global, open-source threat intelligence community of more than 200,000.

TYPE

INDICATOR

DESCRIPTION

IP ADDRESS

[86].110.32.167:80

BotenaGo C&C

IP ADDRESS

[179].43.187.197

Malware payload server

IP ADDRESS

[2].56.56.78

Malware payload server

IP ADDRESS

[209].141.59.56

Malware payload server

SHA1

cca00b32d610becf3c5ae9e99ce86a320d5dac87

 

BotenaGo malware hash

SHA1

eb6bbfe8d2860f1ee1b269157d00bfa0c0808932

BotenaGo malware hash

SHA1

01dc59199691ce32fd9ae77e90dad70647337c25

BotenaGo malware hash

SHA1

97d5d30a4591df308fd62fa7ffd30ff4e7e4fab9 

BotenaGo Payload

SHA1

e9aa2ce4923dd9e68b796b914a12ef298bff7fe9

BotenaGo Payload

SHA1

251b02ea2a61b3e167253546f01f37b837ad8cda

BotenaGo Payload

SHA1

fa10e8b6047fa309a73d99ec139627fd6e1debe1

BotenaGo Payload

SHA1

154fc9ea3b0156fbcdcb6e7f5ba849c544a4adfd

BotenaGo Payload

SHA1

0c9ddad09cf02c72435a76066de1b85a2f5cf479

BotenaGo Payload

SHA1

b4af080ad590470eefaadc41f777a2d196c5b0ba

BotenaGo Payload

SHA1

87ef2fd66fdce6f6dcf3f96a7146f44836c7215d

BotenaGo Payload

SHA1

3c2f4fcd66ca59568f89eb9300bb3aa528015e1c

BotenaGo Payload

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0008: Lateral Movement

T1210: Exploitation of Remote Services
T1570: Lateral Tool Transfer

TA0011: Command and Control

T1571: Non-Standard port

*Current as of the publishing of this article.

Read More

Experts Reveals 29% Surge in Bugs Used by Ransomware Actors

Read Time:2 Minute, 7 Second

Experts Reveals 29% Surge in Bugs Used by Ransomware Actors

There’s been a 29% increase in the number of vulnerabilities exploited by ransomware groups to compromise their targets over the past year, according to a new industry report.

The Ransomware Spotlight Year End Report was written by security vendors Ivanti and Cyware alongside CVE numbering authority Cyber Security Works. It’s compiled from multiple data sources, including Ivanti and CSW, publicly available threat databases and threat researchers and pen-testing teams.

The analysis revealed 65 new bugs associated with ransomware in 2021, totaling 288. Over a third (37%) of the newly added vulnerabilities were found trending on dark websites and subject to repeated exploitation as a result. Plus, over half (56%) of the older CVEs are still being regularly exploited, it said.

The report also highlighted that many zero-day vulnerabilities are being exploited before they’ve even had time to be published in the US National Vulnerability Database (NVD). These include ones used to compromise Kaseya (CVE-2021-30116) and the infamous Log4Shell bug (CVE-2021-44228).

The ransomware-as-a-service (RaaS) model is helping to democratize this kind of activity across the cybercrime underground. Particularly dangerous are exploit-as-a-service offerings, which allow threat actors to rent zero-day exploits from developers, the report said.

Despite recent arrests in Russia, many of these cybercrime gangs continue to be sheltered by hostile states.

Illustrating just how thriving the industry still is, the report identified 32 new ransomware variants in 2021, a 26% year-on-year increase, which brings the total to 157.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks. They are also expanding their targets and waging more attacks on critical sectors, disrupting daily lives and causing unprecedented damage,” argued Ivanti SVP of security products, Srinivas Mukkamala.

“Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”

However, vulnerabilities are still not the number one threat vector for ransomware, according to Coveware.

As of Q3 2021, RDP compromise stemming from misconfiguration, and email phishing, remained the main ways to penetrate victim networks, the vendor claimed.

However, it added that vulnerability exploits were gaining popularity as an initial threat vector “as common peripheral applications get targeted, and patching cadence by enterprises lags.”

Read More

Experts Reveals 29% Surge in Bugs Used by Ransomware Actors

Read Time:2 Minute, 7 Second

Experts Reveals 29% Surge in Bugs Used by Ransomware Actors

There’s been a 29% increase in the number of vulnerabilities exploited by ransomware groups to compromise their targets over the past year, according to a new industry report.

The Ransomware Spotlight Year End Report was written by security vendors Ivanti and Cyware alongside CVE numbering authority Cyber Security Works. It’s compiled from multiple data sources, including Ivanti and CSW, publicly available threat databases and threat researchers and pen-testing teams.

The analysis revealed 65 new bugs associated with ransomware in 2021, totaling 288. Over a third (37%) of the newly added vulnerabilities were found trending on dark websites and subject to repeated exploitation as a result. Plus, over half (56%) of the older CVEs are still being regularly exploited, it said.

The report also highlighted that many zero-day vulnerabilities are being exploited before they’ve even had time to be published in the US National Vulnerability Database (NVD). These include ones used to compromise Kaseya (CVE-2021-30116) and the infamous Log4Shell bug (CVE-2021-44228).

The ransomware-as-a-service (RaaS) model is helping to democratize this kind of activity across the cybercrime underground. Particularly dangerous are exploit-as-a-service offerings, which allow threat actors to rent zero-day exploits from developers, the report said.

Despite recent arrests in Russia, many of these cybercrime gangs continue to be sheltered by hostile states.

Illustrating just how thriving the industry still is, the report identified 32 new ransomware variants in 2021, a 26% year-on-year increase, which brings the total to 157.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks. They are also expanding their targets and waging more attacks on critical sectors, disrupting daily lives and causing unprecedented damage,” argued Ivanti SVP of security products, Srinivas Mukkamala.

“Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”

However, vulnerabilities are still not the number one threat vector for ransomware, according to Coveware.

As of Q3 2021, RDP compromise stemming from misconfiguration, and email phishing, remained the main ways to penetrate victim networks, the vendor claimed.

However, it added that vulnerability exploits were gaining popularity as an initial threat vector “as common peripheral applications get targeted, and patching cadence by enterprises lags.”

Read More

Government Trials Effort to Make Bug Scanning Easier

Read Time:2 Minute, 1 Second

Government Trials Effort to Make Bug Scanning Easier

The UK’s leading cybersecurity agency has revealed details of a new initiative designed to make it easier for system administrators to root out vulnerabilities across their IT environment.

Scanning Made Easy (SME) is the work of GCHQ spin-off the National Cyber Security Centre (NCSC) and its industry collaboration initiative known as i100.

“When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network. To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results,” wrote the NCSC’s vulnerability management lead, “Ollie N.”

“Scanning Made Easy (SME) was born out of our frustration with this problem and our desire to help network defenders find vulnerable systems, so they can protect them.”

It’s designed to be as reliable and straightforward as possible, minimizing the false positives, which can be a significant inconvenience for time-poor IT teams.

To do so, SME is based on a collection of scripts written using the NMAP Scripting Engine (NSE), which is based on the industry-standard NMAP network mapping tool.

“The scripts are authored by our i100 partners and conform to the NCSC Scanning Made Easy Script Developer Guidelines. These set out how the scripts should be developed, as well as what they should and should not do. A summary is included with each script that describes how it will verify the vulnerability,” the NCSC continued.

“It is important that anyone running the scripts knows what they do. Thankfully, NSE makes this transparent as the script syntax is easy to read and understand.”

The tool offers far from comprehensive coverage, but the idea is that industry collaborators will write new scripts for critical and frequently exploited vulnerabilities.

The first SME script to be released scans for several Exim message transfer agent (MTA) remote code execution vulnerabilities known as “21Nails” (CVE-2020-28017 to CVE-2020-28026).

The NCSC encouraged organizations to try SME out and develop and share their own scripts with the community.

The recent travails associated with the Log4j logging utility highlighted the problem many administrators have in finding vulnerable instances of software across their environment, especially those featuring complex open source dependencies.

Read More

Government Trials Effort to Make Bug Scanning Easier

Read Time:2 Minute, 1 Second

Government Trials Effort to Make Bug Scanning Easier

The UK’s leading cybersecurity agency has revealed details of a new initiative designed to make it easier for system administrators to root out vulnerabilities across their IT environment.

Scanning Made Easy (SME) is the work of GCHQ spin-off the National Cyber Security Centre (NCSC) and its industry collaboration initiative known as i100.

“When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network. To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results,” wrote the NCSC’s vulnerability management lead, “Ollie N.”

“Scanning Made Easy (SME) was born out of our frustration with this problem and our desire to help network defenders find vulnerable systems, so they can protect them.”

It’s designed to be as reliable and straightforward as possible, minimizing the false positives, which can be a significant inconvenience for time-poor IT teams.

To do so, SME is based on a collection of scripts written using the NMAP Scripting Engine (NSE), which is based on the industry-standard NMAP network mapping tool.

“The scripts are authored by our i100 partners and conform to the NCSC Scanning Made Easy Script Developer Guidelines. These set out how the scripts should be developed, as well as what they should and should not do. A summary is included with each script that describes how it will verify the vulnerability,” the NCSC continued.

“It is important that anyone running the scripts knows what they do. Thankfully, NSE makes this transparent as the script syntax is easy to read and understand.”

The tool offers far from comprehensive coverage, but the idea is that industry collaborators will write new scripts for critical and frequently exploited vulnerabilities.

The first SME script to be released scans for several Exim message transfer agent (MTA) remote code execution vulnerabilities known as “21Nails” (CVE-2020-28017 to CVE-2020-28026).

The NCSC encouraged organizations to try SME out and develop and share their own scripts with the community.

The recent travails associated with the Log4j logging utility highlighted the problem many administrators have in finding vulnerable instances of software across their environment, especially those featuring complex open source dependencies.

Read More

Home Working Drives 44% Surge in Insider Threats

Read Time:1 Minute, 55 Second

Home Working Drives 44% Surge in Insider Threats

Insider threats cost organizations an average of over $15m annually to remediate last year, with stolen credentials a growing risk, according to Proofpoint.

The security vendor’s 2022 Cost of Insider Threats Global Report was compiled from interviews with over 1000 IT professionals and analysis of more than 6800 incidents across the globe.

It revealed that the cost and frequency of insider incidents are on the rise. Associated costs jumped 34%, from $11.5m in 2020 to $15.4m in 2021, while the overall volume surged by 44% over the period.

The frequency of incidents per company also increased, with 67% of companies experiencing between 21 and more than 40 incidents per year, up from 60% in 2020.

Negligence continues to account for the majority (56%) of insider threats, at the cost of nearly $485,000 per incident.

Failure to ensure devices are properly secured or patched and not following corporate security policy are typical issues that have exposed organizations over the past year. They’re especially prevalent as many employees now work from home, where it’s often harder for IT teams to enforce policy effectively.

That’s resulted in a near-doubling of credential theft incidents since 2020, at a cost to organizations of $804,997 per incident.

However, malicious intent is also a major cause of insider threats, accounting for a quarter (26%) of incidents at an average cost of $648,000 to remediate. Once again, the work-from-home (WFH) mandate has driven this trend, allowing employees more remote access to sensitive data, according to Proofpoint.

Ryan Kalember, EVP of cybersecurity strategy at Proofpoint, described people as the “new perimeter” in the fight against spiraling cyber-risk.

“Months of sustained remote and hybrid working leading up to ‘The Great Resignation’ has resulted in an increased risk around insider threat incidents, as people leave organizations and take data with them,” he argued.

“In addition, organizational insiders, including employees, contractors and third-party vendors, are an attractive attack vector for cyber-criminals due to their far-reaching access to critical systems, data and infrastructure.”

Unfortunately, current efforts to detect insider risk appear to be failing: it now takes an average of 85 days to contain an insider incident, up from 77 days in 2020.

Read More