All posts by rocco

Advisories

Multiple Agency Announcement on APT Actors Exploiting Zoho ManageEngine ADSelfService Plus (AA21-259A)

Read Time:1 Minute, 49 Second

On September 16th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and United States Coast Guard Cyber Command (CGCYBER) released a new joint advisory titled – Alert (AA21-259A) APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to a REST API authentication bypass, which ultimately allows for remote code execution. The vulnerability has been assigned CVE-2021-40539.What Are the Technical Details of the Vulnerability?An authentication bypass vulnerability exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. Remote code execution is possible via affected REST API URL(s) that could allow for remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells within the victim environment. Once inside the victim environment, an adversary can conduct the following – Lateral movement, compromising administrator credentials, post exploitation, and exfiltrating registry hives and Active Directory files from a domain controller.Is this Being Exploited in the Wild?Yes. According to US-CERT, this is limited to targeted attacks by a sophisticated unnamed APT group.What Verticals are Being Targeted?According to the US-CERT alert, the following list of verticals have been observed to be targeted – academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors including transportation, IT, manufacturing, communications, logistics, and finance. What is the CVSS score?9.8 CRITICALHas the Vendor Issued a Patch?Yes, patches were released on September 6th, 2021 by the vendor. Please refer to the APPENDIX “ADSelfService Plus 6114 Security Fix Release” for details.What is the Status of Coverage? FortiGuard Labs provides the following IPS signature for CVE-2021-40539:Zoho.ManageEngine.ADSelfService.Plus.Authentication.BypassAny Mitigation and or Workarounds?It is strongly recommended to update to ADSelfService Plus build 6114. This update is located on the vendor homepage “ADSelfService Plus 6114 Security Fix Release” within the APPENDIX. It is also highly suggested to keep all affected devices from being publicly accessible or being placed behind a physical security appliance/firewall, such as a FortiGate. For further mitigation and workarounds, please refer to the US-CERT Alert and the Zoho Advisory in the APPENDIX.

Read More

Advisories

A Vulnerability in Polkit’s pkexec Component Could Allow For Local Privilege Escalation

Read Time:20 Second

A vulnerability in Polkit’s pkexec component could allow for local privilege escalation. Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit is installed by default on all major Linux distributions. Successful exploitation of this vulnerability could result in privilege escalation to root privileges.

Read More

Advisories

A Vulnerability in F5Networks BIG-IP Could Allow for Denial of Service

Read Time:19 Second

A vulnerability has been discovered in F5Networks BIG-IP, which could result in a denial-of-service (DoS). BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions. Successful exploitation of this vulnerability could allow an attacker to cause a denial of service to all servers sitting behind the BIG-IP system.

Read More

Advisories

A Backdoor in WordPress AccessPress Plugins and Themes Could Allow an Attacker Access to a Targeted Website

Read Time:18 Second

A backdoor has been discovered in WordPress AccessPress plugins and themes, which could allow an attacker access to a targeted website. AccessPress plugins and themes are used to provide website functionality and design options to website administrators. Successful exploitation of this backdoor could allow an attacker to redirect users to malicious sites as well as access to the vulnerable website.

Read More

Advisories

Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution

Read Time:27 Second

Multiple vulnerabilities have been discovered in Cisco Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute code on the affected systems. Depending on the privileges associated with the targeted user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured to have fewer privileges on the system could be less impacted than those who operate with elevated privileges.

Read More

News

Two-Fifths of Ransomware Victims Still Paying Up

Read Time:1 Minute, 55 Second

Two-Fifths of Ransomware Victims Still Paying Up

Two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of these spending at least $100,000, according to new Anomali research.

The security vendor hired The Harris Poll to complete its Cyber Resiliency Survey  interviewing 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico and Brazil.

Some 87% said their organization had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they’d experienced more attacks since the start of the pandemic.

Over half (52%) were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.

This will have helped increase the total figure for cybercrime losses over the period. In 2019, just 15% of responding organizations reported losses of $500,000 or more, but this figure almost doubled to 28% by the following year. Figures for 2021 weren’t available.

Part of the challenge appears to be the inability of organizations to quickly detect and respond to any suspicious activity on their networks. Less than half (46%) said they strongly agree current solutions can evolve to detect new globally identified threats.

This is born out in response times: organizations take several days to detect known attacks from adversaries, including cybercrime organizations (3.6 days), individual hackers (3.5 days), APTs (3.3 days) and nation-states (2.9 days), the research claimed.

“We’ve known that cyberattacks have been increasing over the course of the pandemic, but we didn’t know to what degree global enterprises as a whole were being impacted,” said Anomali president Hugh Njemanze.

“This research reveals that adversaries have not only stepped up the number of attacks they have started launching since COVID-19 first struck the world, but have also greatly improved their success rates.”

It will remain frustrating for industry watchers that many organizations are still paying their extorters.

Research has revealed that even those who do so find their stolen data is leaked or monetized by their attackers in any case. A separate study claimed that paying might actually double the cost of recovery.

Read More

News

#COVID19 Phishing Emails Surge 500% on Omicron Concerns

Read Time:2 Minute, 4 Second

#COVID19 Phishing Emails Surge 500% on Omicron Concerns

The latest COVID-19 variant has led to a 521% increase in phishing attacks using the virus as a lure to trick users into clicking, according to Barracuda Networks.

Cyber-criminals often use newsworthy events in their social engineering attacks, and COVID-19 provided a bumper opportunity when it emerged in 2020.

The security vendor observed a 667% month-on-month surge in COVID-19 phishing emails from February to March that year. It recorded another significant increase when new vaccines were released at the start of 2021.

Now public concern over the highly transmissible Omicron variant is catching the eye of phishers.

Among the tactics used to trick users into clicking on malicious links and/or entering personal details are offers of counterfeit or unauthorized COVID-19 tests and protective equipment such as masks or gloves.

Some impersonate testing labs and providers, or even employees sharing their results, said Barracuda.

In other phishing emails, the user may receive a fake notification for an unpaid order of tests and is urged to provide their PayPal details to complete delivery of the kit, the vendor claimed.

Barracuda Networks CTO, Fleming Shi, said the answer lies in improving employee phishing awareness training and plugging in advanced email security.

“Capitalizing on the chaos of the pandemic is not a new trend in the world of cybercrime. Yet with constantly evolving tactics, and new trends to latch on to, it’s easy to see why scammers are not giving up on this trick,” he added.

“Just like the threat of COVID-19, pandemic-themed scams are not going to disappear overnight, but fortunately, there are a number of tactics that businesses and consumers can employ to ensure they remain protected.”

In related news, a Comparitech study this week claimed that unscrupulous healthcare workers are enabling a massive black market in COVID-19 digital vaccination certificates and passes.

The researchers found dark web adverts looking for any such workers who empathize with the anti-vaxxers buying these passes.

“When someone buys a fraudulent certificate, they must first sign up for their country’s respective COVID vaccination database. They send their name, PIN number and other necessary info to the vendor,” Comparitech explained.

“A doctor or other healthcare worker marks that person’s record with confirmed vaccination. The buyer’s QR code then becomes valid. It takes just a few hours for the process to complete once a purchase is made.”

Read More

News

Merck Wins $1.4bn NotPetya Payout from Insurer

Read Time:1 Minute, 57 Second

Merck Wins $1.4bn NotPetya Payout from Insurer

Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.

The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.

However, the malware soon spread globally, causing potentially billions of dollars of damage.

Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”

However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.

Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.

However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.

Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”

Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.

“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.

“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”

Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.

Read More

Education

Footprinting

Read Time:3 Minute, 40 Second

The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:

  • personal data, skills, experience and interests of company’s employees;
  • company headquarters;
  • technologies in use (middleware, operating systems);
  • suppliers and consultants who collaborate periodically with the company;
  • blocks and network topology;
  • DNS records.

We can divide footprinting techniques into two macro areas:

  • active: it involves the collection of information with direct interaction with the target. It is a more risky practice than the passive one, as it could leave traces. The systems of the attacked organization could (should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
  • passive: involves the collection of information without direct interaction with the target. Some examples are the usage of search engines, social networks, job posting sites, analysis of data received from providers that monitor website’s traffic, commercial performance or deliver reports about future commercial operations of the target.

Identifying the technologies adopted by the target drastically simplifies attackers’ jobs. The awareness about the usage of certain technologies, the lack of good security practices, or of a bad security posture increases the attacker’s chances of success.

When we perform a penetration test in which the company aims to identify chances of an attacker completely unrelated to the organization, footprinting activities heavily influence the success of the test.

Footprinting with search engines and social networks

Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines offer information that companies are not even aware to expose to the public.

The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.

Thanks to search engines, an attacker gets to know technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications for internal use only and many other information about the target.

Like search engines, social networks provide an enormous quantity of information to attackers.

An attacker can dig LinkedIn to understand who the key people of the organization are, their experience and knowledge. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, attacker can exploit gathered information to perform a social engineering attack.

Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.

Footprinting through job posting sites

The following image shows the information revealed on a job advertisement post. The job post is real. I found it on the platform indeed.com.

The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have got some LAMP servers, that they probably monitor their infrastructure using Nagios and are using Oracle and DB2 as RDBMS. Their infrastructure may include J2EE Containers like Glassfish and JBoss and servlet containers like Tomcat. Even if they reached the EOL over 5 and 2 years ago, they are still asking for people with experience on Windows XP and 7.

You are getting information not only about the used technologies but you are also outlining the security posture of the company.

Job posts can tell you a lot more. Are they searching for IT security specialists? Besides tools and countermeasures adopted, they may even tell you how big is their security team. Are they even trying to cover important roles like CIO or CISO?

Tools and services:

We suggest looking at the following tools. We wrote a brief description of them: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagofofil, Exitftool, DNSRecon, traceroute.

Contermeasures

Your employees/colleagues’ awareness about attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed inside and outside the office.

The adoption of security policies (hardening of the systems, analysis and reviews of IDS/IPS and other monitoring tools, etc.), the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information or to exploit the knowledge they previously gained through passive footprinting techniques.

News

Cyberbullying: Words do Hurt When it Comes to Social Media

Read Time:5 Minute, 13 Second

Most parents may find it difficult to relate to today’s form of cyberbullying. That’s because, for many of us, bullying might have come in a series of isolated, fleeting moments such as an overheard rumor, a nasty note passed in class, or a few brief hallway confrontations. 

Fast forward a few dozen decades, and the picture is spectacularly different and a world few adults today would eagerly step into.  

Cyberbullying includes targeting that is non-stop. It’s delivered digitally in an environment that is often anonymous. It’s a far-reaching, esteem-shattering, emotional assault. And the most traumatic component? The perpetual nature of the internet adds the ever-present threat of unlimited accessibility—kids know bullying can happen to anyone, at any time, and spread like wildfire.   

The nature of cyberbullying can make a young victim feel hopeless and powerless. Skipping school doesn’t stop it. Summer vacation doesn’t diminish it. That’s because the internet is ever-present.   

According to a 2020 Ditch the Label Cyberbullying Study, youth today reveal that carrying the emotional weight of being “connected all the time” is anything but fun and games. Here’s a snapshot. 

Bullying has increased by 25% each year since the survey’s inception in 2006.   
46 % of the respondents reported being bullied more than once, and 20% reported bullying others on social networking sites. 
33% of young people surveyed said that they believe the behavior of politicians influences how people treat each other at school. 
25% of those surveyed say they feel “lonely all of the time.” (Executive commentary added that since the onset of the pandemic onset, those numbers have increased).  
50% of those bullied felt targeted because of attitudes towards their physical appearance.  
14% of respondents said they never like themselves; 24% said they do but rarely. 
42% of youth respondents revealed they have battled with anxiety. 
25% said they deal with depression; 21% with suicidal thoughts. 
Leading mental health stressors include school pressures, exams, body image, feelings of loneliness, and grief.  

Who Is Most Vulnerable? 

While all kids are at risk for cyberbullying, studies reveal that some are more vulnerable than others.  

According to the Pew Research Center, females experience more cyberbullying than their male counterparts; 38% of girls compared to 26% of boys. Those most likely to receive a threatening or aggressive text, IM, or email: Girls ages 15-17.  

More data from the CDC and American University reveals that more than 28.1 % of LGBTQ teens were cyberbullied in 2019, compared to 14.1% of their heterosexual peers. In addition, Black LGTBQ youth are more likely to face mental health issues linked to cyberbullying and other forms of bullying as compared to non-Black LGTBQ and heterosexual youth.  

Another community that can experience high cyberbullying is gamers. If your child spends a lot of time playing online games, consider paying close attention to the tone of conversations, the language used, your child’s demeanor during and after gaming, and, as always, stay aware of the risks. In a competitive gaming environment that often includes a variety of age groups, cyberbullying can quickly get out of control.  

Lastly, the reality no parent wants to confront—but one that is critical to the conversation—is that cyberbullying and suicide may be linked in some ways. According to JAMA Pediatrics, approximately 80% of young people who commit suicide have depressive thoughts, and in today’s online environment, cyberbullying often leads to more suicidal thoughts than traditional bullying.  

5 Things Parents Can Do 

Be a Plugged-In Parent. If you haven’t already, make 2022 the year you double up your attention to your kids’ online activities and how they might be impacting them emotionally. Kids connect with new people online all the time through gaming platforms, group chats, and apps. Engage them. Understand what they like to do online and why. Be aware of shifts in behavior, grades, and sleeping patterns. Know the signs that they may be experiencing online bullying.   
Layer Up Your Power. Kids need help with limits in a world of unlimited content and parents get busy. One remedy for that? Consider allowing technology to be your parenting partner—additional eyes and ears if your will—to help reduce the risk your kids face online. Parental controls on family devices can help you pay closer attention to your child’s social media use and assist you in filtering the content that’s rolling across their screens. Having the insight to connect your child’s mood to the time they spend on specific apps may provide a critical shortcut to improving their overall wellbeing.  
Prioritize Community. Feeling supported and part of a solid offline community can make a significant difference in a child’s life. One survey of teens aged 12-17 found that social connectedness played a substantial role in reducing the impact of cyberbullying. 
Don’t prohibit, limit. If you know your child is having a tough time online, it’s important not to overreact and restrict device use. They need peer connection. It’s their culture. Consider helping them balance their time and content online. Please talk about the pros and cons of specific apps, role play, teach them how to handle conflict, and encourage hobbies and meetups that are not technology dependent.  
Provide Mental Health Support. We are living in unique times. The digital, cultural, social, political, and health concerns encircling our kids remain unmatched. Not all signs of emotional distress will be outward; some will be subtle, and some, even non-existent. That’s why it’s essential to consistently take the time to assess how your child is doing. Talk with your kids daily, and when you notice they may need additional help, be prepared to find resources to help 

Conclusion 

Each new year represents 365 new days and 365 new chances to do things a little bit better than we’ve done them in the past. And while it’s impossible to stop our kids from wandering into the crossfire of hurtful words online, we can do everything possible to reduce their vulnerability and protect their self-esteem.  

The post Cyberbullying: Words do Hurt When it Comes to Social Media appeared first on McAfee Blogs.

Read More