Kernel Level Rat “Daxin” Discovered

FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather information and perform various command and control actions and data exfiltration on victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that they would be ready for today’s announcement.

What separates this backdoor from many others is that Daxin is a Windows kernel level driver, a class of malware also referred to as a rootkit. Kernel level rootkits operate at ring 0, which allows them to run with the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion from network administrators or endpoint security software. Daxin does not contain capabilities that are unique among backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate across multiple nodes on highly secured networks.

This backdoor has been attributed to state sponsored threat actors of China, where targets are organizations that are of interest to the Chinese government.

What Operating Systems Were Targeted?

Windows operating systems.

What is the Likelihood of Exploitation?

Low. This is because the attacks observed were focused on the specific interests of the threat actors behind Daxin, and were not part of a widespread attack.

Is this Limited to Targeted Attacks?

Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, as well as the telecommunications, transportation, and manufacturing sectors.

What is the Status of Coverage?

Customers running the latest AV definitions are protected by the following signatures:

W32/Agent.FF56!tr.bdr
W32/Backdoor.DAXIN!tr
W32/PossibleThreat
W64/Agent.FF56!tr.bdr
W64/Backdoor.DAXIN!tr
W64/Agent.QWHWSZ!tr
Malicious_Behavior.SB
W32/Exforel.B!tr.bdr
Dx.BG3D!tr
W64/Agent.WT!tr

USN-5310-1: GNU C Library vulnerabilities

Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library
iconv feature incorrectly handled certain input sequences. An attacker
could possibly use this issue to cause the GNU C Library to hang or crash,
resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS
and Ubuntu 20.04 LTS. (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618,
CVE-2020-29562, CVE-2021-3326)

Jason Royes and Samuel Dytrych discovered that the GNU C Library
incorrectly handled signed comparisons on ARMv7 targets. A remote attacker
could use this issue to cause the GNU C Library to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-6096)

It was discovered that the GNU C Library nscd daemon incorrectly handled
certain netgroup lookups. An attacker could possibly use this issue to
cause the GNU C Library to crash, resulting in a denial of service. This
issue only affected Ubuntu 20.04 LTS. (CVE-2021-27645)

It was discovered that the GNU C Library wordexp function incorrectly
handled certain patterns. An attacker could use this issue to cause the
GNU C Library to crash, resulting in a denial of service, or possibly
obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-35942)

It was discovered that the GNU C Library realpath function incorrectly
handled return values. An attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 21.10.
(CVE-2021-3998)

It was discovered that the GNU C Library getcwd function incorrectly
handled buffers. An attacker could use this issue to cause the GNU C
Library to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2021-3999)

It was discovered that the GNU C Library sunrpc module incorrectly handled
buffer lengths. An attacker could possibly use this issue to cause the GNU
C Library to crash, resulting in a denial of service. (CVE-2022-23218,
CVE-2022-23219)

Rash of hacktivism incidents accompany Russia’s invasion of Ukraine

In keeping with the hybrid nature of Russia’s invasion of Ukraine, several hacktivist groups and hackers have joined the fight in the embattled nation, including some hacktivists encouraged by the government of Ukraine itself. Although the hacktivists have been waging their version of cyber warfare mostly against Russian organizations, hacktivists sympathetic to Russia are also turning their weapons against Ukraine.

The following are notable hacktivist events that have occurred so far related to the Russian invasion of Ukraine.

IT Army of Ukraine emerges: Developers in Ukraine are joining an “IT army,” the IT Army of Ukraine, which has assigned them specific challenges. Announced on February 26, the group already has nearly 200,000 users on its main Telegram channel that it uses to hand out assignments and coordinate operations. The group was ostensibly responsible for shutting down the API for Sberbank, one of Russia’s major banks and Kremlin-aligned Belarus’s official information policy site. It’s not clear if the Ukraine government is behind the IT Army of Ukraine, even though Ukrainian officials have endorsed the effort.
Anonymous claims credit for website take-downs. Late last week, a Twitter account purporting to represent Anonymous wrote that “The #Anonymous collective has taken down the website of the #Russian propaganda station RT News.” The Russian state-run TV channel RT website said it was a victim of a hacker attack, which it attributed to Anonymous.
Cyber Partisans of Belarus claim train hacks. Activist hackers in Belarus called the Cyber Partisans allegedly breached computers that control that country’s trains and brought some to a halt in the cities of Minsk and Orsha and the town of Osipovichi. The hackers purportedly compromised the railway system’s routing and switching devices and rendered them inoperable by encrypting data stored on them.
AgainstTheWest targeted Russian interests. Another hacktivist group known as AgainstTheWest claims to have hacked a steady stream of Russian websites and corporations, including Russian Government contractor promen48.ru, Russian Railways, the State University Dubna, and the Joint Institute for Nuclear Research.
The Anon Leaks says it messed with Putin’s yacht information. The Anon Leaks, a group purportedly an offshoot of Anonymous, said it changed the callsign of Russian President Vladimir Putin’s superyacht Graceful on MarineTraffic.com to FCKPTN. The hackers also found a way to alter the yacht’s tracking data, making it look as if it had crashed into Ukraine’s Snake Island and changing its destination to “hell.”
Presumed hacktivists hacked Russian EV charging stations. Hackers, presumably activists, hacked electric vehicle charging stations along Russia’s M11 motorway to display anti-Russian messages. The hackers likely gained access through a Ukrainian parts supplier called AutoEnterprise.
“Patriotic Russian hackers” helped hit Ukraine websites with DDoS attacks: Last week, some independent Russian hackers, so-called “patriotic Russian hackers,” or vigilantes who operate in a hacktivist-like mode, claimed they had helped bring down Ukrainian websites during the second round of DDoS attacks that hit the country.
Russian media outlets hacked to display anti-Russian messages. The websites of several Russian media outlets were hacked to display anti-Russian messages, with some of the sites going offline. The sites affected were TASS, rbc.ru, kommersant.ru, fontanka.ru, and iz.ru of the Izvestia outlet. Some Russian media sources say Anonymous was the source of these hacks.
Researcher leaked Conti gang’s messages: A Ukrainian security researcher leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang publicly sided with Russia over the invasion of Ukraine. (Conti backpedaled from its robust support of Russia after its Ukrainian affiliates objected.) The leaked messages were taken by a Ukrainian security researcher who reportedly had access to Conti’s backend XMPP server from a log server for the Jabber communication system used by the ransomware gang.

Hacktivism isn’t necessarily a good idea

The main question surrounding the hacktivism accompanying Russia’s invasion of Ukraine is whether this kind of hacking is a healthy development in defense of Ukraine. “It’s worth noting that the situation is really quite unprecedented,” Brett Callow, threat analyst at Emsisoft, tells CSO. “I don’t recall anything like this having happened before. We obviously have multiple activist groups operating on behalf of both sides, as well as certain cybercrime groups taking sides, as well as intelligence services invariably doing the things they normally do.”

Decrypting Hive Ransomware Data

Nice piece of research:

Abstract: Among the many types of malicious codes, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. As data recovery is impossible if the encryption key is not obtained, some companies suffer from considerable damage, such as the payment of huge amounts of money or the loss of important data. In this paper, we analyzed Hive ransomware, which appeared in June 2021. Hive ransomware has caused immense harm, leading the FBI to issue an alert about it. To minimize the damage caused by Hive Ransomware and to help victims recover their files, we analyzed Hive Ransomware and studied recovery methods. By analyzing the encryption process of Hive ransomware, we confirmed that vulnerabilities exist by using their own encryption algorithm. We have recovered the master key for generating the file encryption key partially, to enable the decryption of data encrypted by Hive ransomware. We recovered 95% of the master key without the attacker’s RSA private key and decrypted the actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting Hive ransomware. It is expected that our method can be used to reduce the damage caused by Hive ransomware.

Here’s the flaw:

The cryptographic vulnerability identified by the researchers concerns the mechanism by which the master keys are generated and stored, with the ransomware strain only encrypting select portions of the file as opposed to the entire contents using two keystreams derived from the master key.

The encryption keystream, which is created from an XOR operation of the two keystreams, is then XORed with the data in alternate blocks to generate the encrypted file. But this technique also makes it possible to guess the keystreams and restore the master key, in turn enabling decryption of the encrypted files without the attacker’s private key.

The researchers said that they were able to weaponize the flaw to devise a method to reliably recover more than 95% of the keys employed during encryption.
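As an added illustration (not code from the paper or from this post), the following toy Python model shows why the scheme described above is recoverable: two keystream slices of a master key are XORed together and applied over alternate blocks, so a known file header yields the combined keystream, which decrypts the rest of the file, and each keystream byte ties two master-key bytes together. The key and block sizes, the per-file offsets, the PDF header sample and the cyclic reuse of the keystream are assumptions of the model, not Hive’s real parameters.

```python
import os
# Toy model of the Hive-style scheme discussed above (constructed for illustration;
# key sizes, block size, offsets and keystream cycling are assumptions, not Hive's real values).
MASTER_KEY_LEN = 4096   # the real master key is far larger
KS_LEN = 32             # length of each keystream slice taken from the master key
BLOCK = 16              # every other block of this size is encrypted, the rest stays in clear
SAMPLE_HEADER = (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"          # constructed sample of a
                 b"<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")   # predictable file header

def combined_keystream(master_key, off1, off2):
    """Keystream = slice1 XOR slice2, the two keystreams derived from the master key."""
    ks1 = master_key[off1:off1 + KS_LEN]
    ks2 = master_key[off2:off2 + KS_LEN]
    return bytes(a ^ b for a, b in zip(ks1, ks2))

def encrypted_positions(length):
    """Byte offsets that fall inside the encrypted (even-numbered) blocks."""
    return [i for i in range(length) if (i // BLOCK) % 2 == 0]

def xor_blocks(data, ks):
    """XOR the combined keystream over alternate blocks, cycling through ks; an involution."""
    out = bytearray(data)
    for k, i in enumerate(encrypted_positions(len(data))):
        out[i] ^= ks[k % KS_LEN]
    return bytes(out)

def recover_keystream(ciphertext, known_prefix):
    """Known plaintext at the file start gives ciphertext XOR plaintext = keystream byte.
    Returns the keystream with None where the known prefix did not reach."""
    ks = [None] * KS_LEN
    for k, i in enumerate(encrypted_positions(len(ciphertext))):
        if i >= len(known_prefix):
            break
        ks[k % KS_LEN] = ciphertext[i] ^ known_prefix[i]
    return ks

def decrypt_without_master_key(ciphertext, known_prefix):
    """Decrypt a whole file from its recovered keystream; no master key or RSA key needed."""
    ks = recover_keystream(ciphertext, known_prefix)
    if None in ks:
        raise ValueError("known plaintext too short to recover the full keystream")
    return xor_blocks(ciphertext, bytes(ks))

def solve_master_key_slice(ks, known_slice):
    """ks[i] = mk[off1+i] ^ mk[off2+i], so once one slice is known the other follows."""
    return bytes(k ^ m for k, m in zip(ks, known_slice))

if __name__ == "__main__":
    mk, (off1, off2) = os.urandom(MASTER_KEY_LEN), (100, 2000)  # assumed per-file offsets
    plaintext = SAMPLE_HEADER + os.urandom(600)                  # constructed victim file
    ct = xor_blocks(plaintext, combined_keystream(mk, off1, off2))
    print("decrypted from header only:", decrypt_without_master_key(ct, SAMPLE_HEADER) == plaintext)
```

Every decrypted file also yields the XOR relation between two master-key slices, which is how many files together pin down most of the master key itself.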

Why client-side web application security is critical to protecting from Magecart and other similar attacks

What can’t you buy on the internet? Last-minute birthday gifts. Check. A new refrigerator. Check. An engagement ring. Check. Groceries. Check. Travel to foreign lands. Check.

Internet-driven consumerism is a critical component of our economy. But it has its dark side filled with demons. And the demons—more commonly known as cybercriminals—who live in the murky, cesspit-ridden areas of the internet—more commonly known as the dark web—love to take advantage of the vulnerabilities and bugs that exist in the web application programming used to drive websites.

With their demon-torture tools in hand (called Magecart or e-skimming attacks), these demons target vulnerabilities in web application code, injecting malicious scripts designed to steal personally identifiable information (PII), which they then resell to their legions of devil-spawned minions.

Data breaches cost more than just money

Data breaches like these are expensive for companies. Recent 2020 research suggests that the global average price of a data breach is around $3.85 million. Not surprisingly, the cost more than doubles if the attack happens in the United States, with the total average around $8.64 million. And those numbers only reflect the costs associated with things like investigation, legal fees, and customer services, such as credit monitoring. What it doesn’t include is the cost to a business’s reputation because, when a business is breached, you can pretty much guarantee that the customer-victims are going to first say: “What the @#?!!. Didn’t those bleepity-bleep-bleep-bleeps running the company have any cybersecurity in place?” And the next thing the customer-victim will do is research a better, safer, competitor solution.

Traditional security just doesn’t protect the client side

In all fairness to the business, they probably did have cybersecurity in place, just not the right cybersecurity. Traditional, but only partially effective, tools that are sometimes used to prevent script attacks include things like web application firewalls (WAFs), policy controls, and threat intelligence. These cybersecurity solutions are absolutely critical and necessary to protect the ‘server-side’ of the business, but they don’t protect against malicious attacks targeting the client side.

The reasons why it is so easy for the wretched ghouls of the dark web to attack businesses via the client side, include:

Vulnerable website tools written in JavaScript.
Lack of attention to web application vulnerabilities.
Multiple, layered (but likely vulnerable) web applications and scripts designed to add website functionality.
Increasing number of third- and fourth-party sources creating and distributing vulnerable applications and scripts.
Misconfigurations and malicious code in open-source tools.

What can businesses do?

There are a few things that businesses can do to protect themselves from the demon spawn of the dark web, including:

Engage in ongoing monitoring & protection—Be vigilant in your ongoing and automated inspection and monitoring of your web assets and JavaScript code. Use a purpose-built solution, like AT&T’s Managed Vulnerability Program’s Client-side Security powered by Feroot, to make you aware of any unauthorized script activity.
Know your assets—Understand what web assets you own and the type of data they hold. In addition, conduct some deep-dive scans to reveal intrusions, behavioral anomalies, and unknown threats.
Practice good patch and update management—Ensure patches and updates are applied regularly.
Compartmentalize web applications—To limit exposure across the application, split your front-end applications up into smaller components, such as public, authenticated, and admin, and deploy each part on a separate origin (e.g., https://admin.websitename.com).
Use an SSL certificate for all websites—Certificates enable website authentication and make SSL/TLS encryption possible. They also enable the website to have an HTTPS web address. Many browsers have started tagging websites without an SSL certificate as “not secure.” While an SSL certificate and HTTPS address do not guarantee a website is secure (since SSL certificates are easy to obtain), having that HTTPS web address and encrypting any customer data does make customers more trusting of your site.

What kind of purpose-built solutions are available?

There are purpose-built solutions that safeguard internet users and consumers from the demon spawn of the dark web. Two tools powered by Feroot that are a part of AT&T MVP are:

Feroot Security PageGuard—Based on the Zero Trust model, PageGuard runs continuously in the background to automatically detect unauthorized scripts and anomalous code behavior. If threats are detected, PageGuard blocks all unauthorized and unwanted behavior in real-time across the organization. PageGuard also automatically applies security configurations and permissions for continuous monitoring of and protection from malicious client-side activities and third-party scripts.
Feroot Security Inspector—In just seconds, Inspector automatically discovers all web assets a company utilizes and reports on their data access. Inspector finds all security vulnerabilities on the client-side and provides specific client-side threat remediation advice to application developers and security teams in real-time.

Next steps

Modern web applications are useful, but they can carry potentially dangerous vulnerabilities and bugs. Protect your customers and your websites and applications from client-side security threats, like Magecart and script attacks, with security tools like Feroot’s Inspector and PageGuard. These services, offered by AT&T’s Managed Vulnerability Program (MVP), allow the MVP team to inspect and monitor customer web applications for malicious JavaScript code that could jeopardize customer and organization security.

AT&T is helping customers strengthen their cybersecurity posture and increase their cyber resiliency by enabling organizations to align cyber risks to business goals, meet compliance and regulatory demands, achieve business outcomes, and be prepared to protect an ever-evolving IT ecosystem.

You can also contact AT&T Cybersecurity Consulting to get your 30-day free trial of MVP including Client-side Application Security powered by Feroot.

7 mistakes CISOs make when presenting to the board

Corporate boards are asking their CISOs to inform them more often about cybersecurity risks. This gives security leaders an opportunity to help senior business stakeholders better understand security’s value and makes them more likely to support and strengthen security strategies.

However, talking to the board about cybersecurity in a way that is productive can be a significant challenge, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organization. Here are some common mistakes that CISOs make when speaking to the board, along with advice for avoiding them.
