Malware Devil

Thursday, June 3, 2021

Network Security News Summary for Thursday June 3rd, 2021

Realtek WPA2 Vuln; Huawei LTE Vuln; NortonLifeLock Crypto; OpenPGP RNP Patch

Realtek RTL8170C Vulnerabilities
https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day

Huawei LTE USB Stick E3372 Vulnerability
https://www.theregister.com/2021/06/02/huawei_lte_usb_stick_vulnerability/

NortonLifeLock Crypto
https://investor.nortonlifelock.com/About/Investors/press-releases/press-release-details/2021/NortonLifeLock-Unveils-Norton-Crypto/default.aspx

OpenPGP RNP Patch
https://www.rnpgp.org/advisories/ri-2021-001/

keywords: openpgp; nortonlifelock; crypt miner; norton; symantec; huawei; realtek

The post Network Security News Summary for Thursday June 3rd, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/06/03/network-security-news-summary-for-thursday-june-3rd-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-thursday-june-3rd-2021

Wednesday, June 2, 2021

ESB-2021.1898 – GitLab Community and Enterprise Editions: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1898
GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5
2 June 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: GitLab Community Edition
GitLab Enterprise Edition
Publisher: GitLab
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Virtualisation
Impact/Access: Cross-site Scripting — Remote with User Interaction
Provide Misleading Information — Remote/Unauthenticated
Denial of Service — Existing Account
Access Confidential Data — Remote/Unauthenticated
Reduced Security — Remote/Unauthenticated
Unauthorised Access — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-22181

Original Bulletin:
https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5

Learn more about GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 for
GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 13.12.2, 13.11.5, and 13.10.5 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that
all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Additional note

In GitLab 13.10 the CI Lint API started requiring authentication for GitLab
instances where registration is disabled. Starting with this release, the CI
Lint API endpoint will also require authentication when registration is limited
(for example where an email domain allowlist is configured).

Table of Fixes

Title                                                                     Severity
Stealing GitLab OAuth access tokens using XSLeaks in Safari               high
Denial of service through recursive triggered pipelines                   high
Unauthenticated CI lint API may lead to information disclosure and SSRF   medium
Server-side DoS through rendering crafted Markdown documents              medium
Issue and merge request length limit is not being enforced                medium
Insufficient Expired Password Validation                                  medium
XSS in blob viewer of notebooks                                           medium
Logging of Sensitive Information                                          medium
On-call rotation information exposed when removing a member               low
Spoofing commit author for signed commits                                 low

Stealing GitLab OAuth access tokens using XSLeaks in Safari

A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/
EE since 7.10 allowed an attacker to leak an OAuth access token by getting the
victim to visit a malicious page with Safari. This is a high severity issue
(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8). We have requested a CVE ID
and will update this blog post when it is assigned.

Thanks hubblebubble for reporting this vulnerability through our HackerOne bug
bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Denial of service through recursive triggered pipelines

A denial of service vulnerability in GitLab CE/EE affecting all versions since
11.8 allows an attacker to create a recursive pipeline relationship and exhaust
resources. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/
I:N/A:H, 7.7). It is now mitigated in the latest release and is assigned
CVE-2021-22181.

This vulnerability has been discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Unauthenticated CI lint API may lead to information disclosure and SSRF

When requests to the internal network for webhooks are enabled, a server-side
request forgery vulnerability in GitLab CE/EE affecting all versions starting
from 10.5 was possible to exploit for an unauthenticated attacker even on a
GitLab instance where registration is limited. This is a medium severity issue
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, 6.8). We have requested a CVE ID
and will update this blog post when it is assigned.

Thanks @myster for reporting this vulnerability through our HackerOne bug
bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Server-side DoS through rendering crafted Markdown documents

A denial of service vulnerability in all versions of GitLab CE/EE before
13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource
consumption with a specially crafted issue or merge request. This is a medium
severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have
requested a CVE ID and will update this blog post when it is assigned.

Thanks phli for reporting this vulnerability through our HackerOne bug bounty
program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Issue and merge request length limit is not being enforced

A denial of service vulnerability in all versions of GitLab CE/EE before
13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource
consumption with a very long issue or merge request description. This is a
medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We
have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Insufficient Expired Password Validation

An issue has been discovered in GitLab affecting all versions starting from
12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all
versions starting from 13.12.0 before 13.12.2. Insufficient expired password
validation in various operations allows users to maintain limited access after
their password expired. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/
PR:N/UI:N/S:U/C:L/I:L/A:N, 6.5). We have requested a CVE ID and will update
this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

XSS in blob viewer of notebooks

An issue has been discovered in GitLab affecting all versions starting with
13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks. This
is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1).
We have requested a CVE ID and will update this blog post when it is assigned.

Thanks @yvvdwf (https://hackerone.com/yvvdwf) for reporting this vulnerability
through our HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Logging of Sensitive Information

GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive
information from log files because the sensitive information was not correctly
registered for log masking. This is a medium severity issue (CVSS:3.0/AV:N/AC:H
/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). We have requested a CVE ID and will update
this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team
(https://gitlab.com/dcouture).

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

On-call rotation information exposed when removing a member

An information disclosure vulnerability in GitLab EE versions 13.11 and later
allowed a project owner to leak information about the members’ on-call
rotations in other projects. This is a low severity issue (CVSS:3.0/AV:N/AC:L/
PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7). We have requested a CVE ID and will update
this blog post when it is assigned.

This vulnerability has been discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Spoofing commit author for signed commits

All versions of GitLab CE/EE starting with 12.8 were affected by an issue in
the handling of x509 certificates that could be used to spoof the author of signed
commits. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L
/A:N, 2.6). We have requested a CVE ID and will update this blog post when it
is assigned.

Thanks subbotin for reporting this vulnerability through our HackerOne bug
bounty program.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Enable qsh verification for Atlassian Connect

qsh verification has been enabled for Atlassian Connect to address a breaking
change in the Atlassian Connect API.

If you are using Jira Connect with a self-managed instance you need to update
to these latest security releases before June 7th. If you are on GitLab.com,
you do not need to do anything. For more details see this GitLab issue.

Versions affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update bindata dependency

The dependency on bindata has been upgraded to 2.4.10 in order to mitigate
security concerns.

Versions affected

Affects versions 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Update grafana dependency

The dependency on Grafana has been upgraded to 7.5.4 in order to mitigate
security concerns.

Versions affected

Affects versions 13.11, 13.10 and 13.9.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================


The post ESB-2021.1898 – GitLab Community and Enterprise Editions: Multiple vulnerabilities appeared first on Malware Devil.



https://malwaredevil.com/2021/06/02/esb-2021-1898-gitlab-community-and-enterprise-editions-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1898-gitlab-community-and-enterprise-editions-multiple-vulnerabilities

“Have I Been Pwned” breach site partners with… the FBI!

If your password gets stolen as part of a data breach, you’ll probably be told. But what if your password gets pwned some other way?

The post “Have I Been Pwned” breach site partners with… the FBI! appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/have-i-been-pwned-breach-site-partners-with-the-fbi/?utm_source=rss&utm_medium=rss&utm_campaign=have-i-been-pwned-breach-site-partners-with-the-fbi

Network Security News Summary for Wednesday June 2nd, 2021

LOLBAS with finger.exe; Bypassing Ransomware Protections; Firefox Patches; Edge https by default coming

Guildma is now using Finger and Signed Binary Proxy Execution to Evade Defenses
https://isc.sans.edu/forums/diary/Guildma+is+now+using+Finger+and+Signed+Binary+Proxy+Execution+to+evade+defenses/27482/

Bypassing Protected Folders Protections
https://dl.acm.org/doi/10.1145/3431286

Firefox 89 Released
https://www.mozilla.org/en-US/security/advisories/mfsa2021-23/

Microsoft Edge Will make https default
https://blogs.windows.com/msedgedev/2021/06/01/available-for-preview-automatic-https-helps-keep-your-browsing-more-secure/

keywords: microsoft edge; firefox; edge; protected folders; ransomware; guildma; finger;

The post Network Security News Summary for Wednesday June 2nd, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/network-security-news-summary-for-wednesday-june-2nd-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-wednesday-june-2nd-2021

2021-06-01 – Hancitor infection with Cobalt Strike and netping tool activity


The post 2021-06-01 – Hancitor infection with Cobalt Strike and netping tool activity appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/2021-06-01-hancitor-infection-with-cobalt-strike-and-netping-tool-activity-2/?utm_source=rss&utm_medium=rss&utm_campaign=2021-06-01-hancitor-infection-with-cobalt-strike-and-netping-tool-activity-2

Tuesday, June 1, 2021

US Seizes Attacker Domains Used in USAID Phishing Campaign

The United States has seized two command-and-control (C2) and malware distribution domains used in a recently disclosed spearphishing campaign that impersonated email communications from the US Agency for International Development (USAID), the Department of Justice reports.

Microsoft and Volexity disclosed the attack late last week. This operation has been attributed to a group Microsoft calls Nobelium, the Russian group behind the SolarWinds supply chain attack. It has been operating and evolving this emailed campaign since early 2021, Microsoft reports. The ongoing attack has targeted approximately 350 organizations across industries, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) confirmed in a May 28 statement.

Attackers gained access to USAID’s account for Constant Contact, a legitimate platform used for email marketing. Their access allowed them to send seemingly authentic emails from USAID containing a “special alert” to thousands of target accounts and hide malicious links behind the mailing service’s URL.

Victims who clicked this link were prompted to download malware from a subdomain of theyardservice[.]com, the DoJ reports. With this foothold, attackers downloaded a Cobalt Strike tool to remain persistent and possibly deploy additional tools or malware to a target network.

Officials note the attackers’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com and the domain worldhomeoutlet[.]com. These two domains were seized following the court-ordered seizure.

The court-authorized seizure of these two domains was intended to disrupt attackers’ follow-on exploitation of victims and identify compromised machines, officials write in a release. They note attackers may have deployed “additional backdoor accesses” between the time of initial compromise and last week’s seizure.

Security researchers have been taking a closer look at the tools used in this campaign to learn more about how these attackers operate. Each of these tools is designed for flexibility, letting attackers adapt to operational challenges they might face, the Microsoft Threat Intelligence Center (MSTIC) explains in a blog post. Its researchers identify four of these tools in Nobelium’s infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage.

“While its technical specifics are not unprecedented, Nobelium’s operational security priorities have likely influenced the design of this toolset, which demonstrate preferable features for an actor operating in potentially high-risk and high-visibility environments,” researchers wrote.

For Nobelium, these priorities include the use of trusted channels. For example, attackers rely on BoomBox, a downloader used to obtain a later-stage payload from a Dropbox account they control. All initial communications use the Dropbox API via HTTPS, researchers noted.

They also value the opportunity for restraint. Like other tools used by this group, BoomBox, VaporRage, and some variants of NativeZone do some profiling on a target’s environment. It’s plausible, researchers said, that this design allows Nobelium to choose its targets and learn whether they could be discovered if the implant is deployed in environments unfamiliar to the attackers.

And finally, the attackers value ambiguity. VaporRage is a “unique shellcode loader” seen as the third-stage payload, MSTIC reported, and it can download, decode, and execute an arbitrary payload fully in-memory.

“Such design and deployment patterns, which also include staging of payloads on a compromised website, hamper traditional artifacts and forensic investigations, allowing for unique payloads to remain undiscovered,” researchers wrote.

Of course, these aren’t the only tools Nobelium relies on. Since December, security researchers across the industry have identified a growing pool of payloads the group uses. These include Teardrop, Sunspot, Raindrop, FlipFlop, GoldMax, GoldFinder, and Sibot malware.

Research into the attackers’ tools is still ongoing. The team with SentinelLabs, which refers to the group as NobleBaron, has found one of the NativeZone downloaders is being used as part of a “clever poisoned installer” targeting Ukrainian government security applications. As Juan Andres Guerrero-Saade wrote in a blog post, a malicious DLL was designed to impersonate a legitimate component of the Ukrainian Institute Technology’s cryptographic keys.

The post US Seizes Attacker Domains Used in USAID Phishing Campaign appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/us-seizes-attacker-domains-used-in-usaid-phishing-campaign-2/?utm_source=rss&utm_medium=rss&utm_campaign=us-seizes-attacker-domains-used-in-usaid-phishing-campaign-2

US Seizes Attacker Domains Used in USAID Phishing Campaign

The move follows last week’s disclosure of an ongoing attack designed to mimic emails from the US Agency for International Development.

The post US Seizes Attacker Domains Used in USAID Phishing Campaign appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/us-seizes-attacker-domains-used-in-usaid-phishing-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=us-seizes-attacker-domains-used-in-usaid-phishing-campaign

New Barebones Ransomware Strain Surfaces

The authors of Epsilon Red have offloaded many tasks that are usually integrated into the ransomware — such as Volume Shadow Copy deletion — to PowerShell scripts.

Researchers at Sophos Labs have spotted a new ransomware strain that they say is notable for its pared-down functionality and its heavy reliance on PowerShell scripts to carry out many of its malicious functions.

In a new report, Sophos describes recently observing the ransomware — called Epsilon Red — being delivered as a final executable in a hands-on attack against a US-based organization in the hospitality sector. Available data suggests that at least one Epsilon Red victim paid a ransom of around $210,000 in Bitcoin in mid-May.

According to Sophos, Epsilon Red is notable for the fact that most of its early-stage components are PowerShell scripts. The ransomware component itself is a bare-bones 64-bit executable written in the Go programming language. Its only function is to encrypt files on the target system. The ransomware component makes no network connections and neither does it execute functions that are often integrated into other ransomware strains. For example, functions such as deleting Volume Shadow Copies and killing processes have been offloaded to PowerShell scripts.

Andrew Brandt, principal researcher at Sophos, says the attacker’s goal is to make Epsilon Red and its activities harder to detect. “If you break the ransomware activity down into a bunch of regular benign tasks, it becomes harder for defenders to identify them as being connected to each other and to malicious activity,” he says. “When they offload the context of things like ‘delete Volume Shadow Copies’ into bits and pieces, it becomes less suspicious to behavior-based endpoint security tools.” For example, a malware detection tool might simply treat the Volume Shadow Copy activity as benign because it isn’t specifically tied to other malicious behaviors.

The attack on the US-based organization that Sophos observed appears to have begun with a vulnerable Microsoft Exchange Server. It’s unclear whether the attackers exploited the recently disclosed ProxyLogon vulnerabilities in Exchange Server to gain unauthenticated access or if they took advantage of other flaws, Sophos says.

From their initial entry point, the attackers used Windows Management Instrumentation (WMI) to install additional software for downloading the ransomware on all other systems they could access from the Exchange Server. During the attack, the threat actors used over a dozen PowerShell scripts — including those for deleting Volume Shadow Copies and for copying the Windows Security Account Management (SAM) so they could retrieve passwords stored on the computer.

Sophos’ analysis of Epsilon Red showed the ransomware binary itself doesn’t include a list of targeted files and extensions. Instead, it appears designed to encrypt everything on a target system, including crucial dynamic link libraries (DLLs) and extensions required to keep the system functional. That’s very different from most mature ransomware families where the ransomware binary explicitly contains logic for excluding DLLs and executable files from encryption.

“Ransomware threat actors know they aren’t likely to get paid if nobody can see their ransom note — because the computer is unbootable,” he says. “There’s been a general consensus that encrypting executables and DLLs is bad for business.” Since Epsilon Red doesn’t appear to make that distinction, there’s a possibility the malware could render an infected system unbootable. In these situations, even if the attacker were to deliver a decryption tool, it’s likely the victim would not be able to run it on that computer, Brandt says.

An Evolving Trend
The Epsilon Red ransomware campaign is typical of many others recently in which attackers have heavily relied on script and command interpreters such as Windows Command Shell and PowerShell to execute scripts, commands, and binaries. A recent analysis of threat data from customer networks that Red Canary conducted showed that 48.7% of customers experienced an attack where PowerShell was used and 38.4% an attack that involved Windows Command Shell. Red Canary found that attackers typically used PowerShell for tasks such as malware obfuscation, malicious command execution, and downloading additional payloads.

“We’ve certainly seen PowerShell being used with WMIC [WMI command-line] and potentially unwanted apps, like penetration testing tools,” Brandt says, “or remote access software to stitch together an attack and pivot strategy with multiple attackers over the past year.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio


The post New Barebones Ransomware Strain Surfaces appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/new-barebones-ransomware-strain-surfaces-2/?utm_source=rss&utm_medium=rss&utm_campaign=new-barebones-ransomware-strain-surfaces-2

New Barebones Ransomware Strain Surfaces

The authors of Epsilon Red have offloaded many tasks that are usually integrated into the ransomware — such as Volume Shadow Copy deletion — to PowerShell scripts.

The post New Barebones Ransomware Strain Surfaces appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/new-barebones-ransomware-strain-surfaces/?utm_source=rss&utm_medium=rss&utm_campaign=new-barebones-ransomware-strain-surfaces

GRAVITAS: Graphical Reticulated Attack Vectors for Internet-of-Things Aggregate Security


The post GRAVITAS: Graphical Reticulated Attack Vectors for Internet-of-Things Aggregate Security appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/gravitas-graphical-reticulated-attack-vectors-for-internet-of-things-aggregate-security/?utm_source=rss&utm_medium=rss&utm_campaign=gravitas-graphical-reticulated-attack-vectors-for-internet-of-things-aggregate-security

Cyber-Insurance Fuels Ransomware Payment Surge

Companies relying on their cyber-insurance policies to pay off ransomware criminals are being blamed for a recent uptick in ransomware attacks.

The post Cyber-Insurance Fuels Ransomware Payment Surge appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/cyber-insurance-fuels-ransomware-payment-surge/?utm_source=rss&utm_medium=rss&utm_campaign=cyber-insurance-fuels-ransomware-payment-surge

Veracode Named a Leader in 2021 Gartner Magic Quadrant for Application Security Testing

Veracode has been named a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing (AST) for the eighth consecutive year. Gartner evaluates vendors based on their completeness of vision and ability to execute in the application security testing (AST) market. This recognition comes just months after we were named Gartner Peer Insights Customers’ Choice for AST, proving, in our opinion, the strength of our AST offerings according to both experts and users.

In addition, we received the highest score for the Enterprise and Public-Facing Web Applications Use Cases in the 2021 Gartner Critical Capabilities for Application Security Testing report.

We’re thrilled to be recognized as a Leader in the Magic Quadrant once again. Committed to helping organizations in every industry code with confidence in our increasingly digital world, we spent the last year striving to enable developers to code securely, and security teams to easily measure and report on the security posture of their organizations.

Veracode has increased its focus and investment in DevSecOps and developer enablement and education, with expanded integrations into developer ecosystems, including AWS CodeStar, secure coding best practices, and expert consultations. The platform offers support for GitHub Actions and GitHub Security Console and issues and pipelines, as well as a pipeline approach that optimizes scan times throughout the software development process. Through the introduction of Veracode Security Labs in early 2020, the company also offers hands-on, interactive security training to developers that aims to enable developers to code securely. As the director of engineering at OneLogin recently remarked, “Veracode [Security Labs] has significantly reduced the number of defects introduced during the development process and has ingrained security best practices as a primary pillar of creating production-quality code.”

A true enterprise offering includes a comprehensive approach to application security. Veracode credits its high scores for Enterprise and Public-Facing Web Applications in the Critical Capabilities report to a single platform that scans for vulnerabilities in both first-party and open source code with multiple testing types, quick time to deployment without absorbing infrastructure costs, constant updates, and machine learning that facilitates remediation. Unique in the market, Veracode SCA doesn’t rely solely on the National Vulnerability Database (NVD) but also uses machine learning, data mining, and natural language processing to identify potential vulnerabilities in open source libraries from commit messages and bug reports.

Software security will be increasingly critical as the world becomes even more connected and digital, and as high-profile cyberattacks prompt more stringent regulations. In fact, nearly a quarter of the Biden administration's newly launched executive order on cybersecurity is focused on securing the software supply chain, and the 2021 Gartner Magic Quadrant authors highlight that "Gartner estimates end-user spending in the AST market reached $2.2 billion worldwide in 2020. We have also increased our growth rate projections, to 18% for 2021, resulting in a forecast spend of $2.6 billion for 2021."

Whether you're looking for guidance on launching or maturing your AppSec program, the 2021 Gartner Magic Quadrant for Application Security Testing report can serve as a helpful resource to understand what good looks like when it comes to securing your own software. Download the report to explore the current market landscape alongside emerging threats and trends and see how Veracode's AppSec solutions are evaluated against key application security vendors.


Gartner, Magic Quadrant for Application Security Testing, Dale Gardner, Mark Horvath, Dionisio Zumerle, 27 May 2021

Critical Capabilities for Application Security Testing, Mark Horvath, Dale Gardner, Dionisio Zumerle, 26 May 2021

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Veracode Named a Leader in 2021 Gartner Magic Quadrant for Application Security Testing appeared first on Security Boulevard.


The post Veracode Named a Leader in 2021 Gartner Magic Quadrant for Application Security Testing appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/veracode-named-a-leader-in-2021-gartner-magic-quadrant-for-application-security-testing/?utm_source=rss&utm_medium=rss&utm_campaign=veracode-named-a-leader-in-2021-gartner-magic-quadrant-for-application-security-testing

Streamline project management with advanced analytics for Jira software

Project management is no easy task, especially if you are managing parallel projects with dependencies between teams. Because of a lack of visibility and the difficulty of obtaining the right metrics in a timely manner, it …

The post Streamline project management with advanced analytics for Jira software appeared first on ManageEngine Blog.

The post Streamline project management with advanced analytics for Jira software appeared first on Security Boulevard.


The post Streamline project management with advanced analytics for Jira software appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/rationalisez-la-gestion-de-projet-grace-a-des-analyses-avancees-pour-le-logiciel-jira/?utm_source=rss&utm_medium=rss&utm_campaign=rationalisez-la-gestion-de-projet-grace-a-des-analyses-avancees-pour-le-logiciel-jira

Meat Producer JBS USA Hit By Ransomware Attack

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2021-32656
PUBLISHED: 2021-06-01

Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a…

CVE-2021-32657
PUBLISHED: 2021-06-01

Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud instance. The vulner…

CVE-2020-22044
PUBLISHED: 2021-06-01

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c.

CVE-2021-32654
PUBLISHED: 2021-06-01

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public li…

CVE-2021-32655
PUBLISHED: 2021-06-01

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and trie…

The post Meat Producer JBS USA Hit By Ransomware Attack appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/meat-producer-jbs-usa-hit-by-ransomware-attack-2/?utm_source=rss&utm_medium=rss&utm_campaign=meat-producer-jbs-usa-hit-by-ransomware-attack-2

Meat Producer JBS USA Hit By Ransomware Attack

The company says recovery from the attack may delay transactions with customers and suppliers.

The post Meat Producer JBS USA Hit By Ransomware Attack appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/meat-producer-jbs-usa-hit-by-ransomware-attack/?utm_source=rss&utm_medium=rss&utm_campaign=meat-producer-jbs-usa-hit-by-ransomware-attack

Benefits of SOAR From ESW #229

Asset management is key to your SOAR implementation. The way Paul used to do it was, well, one approach… Featuring Nathan Hunstad, Principal Security Engineer & Researcher at Code42.

The post Benefits of SOAR From ESW #229 appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/benefits-of-soar-from-esw-229/?utm_source=rss&utm_medium=rss&utm_campaign=benefits-of-soar-from-esw-229

WhatsApp reverses course, will not limit app functionality

WhatsApp, the end-to-end encrypted messaging service that has lost users, its founders, and a large amount of public goodwill, issued a reversal on its recent privacy policy enforcement measures, clarifying that it will no longer punish users who refuse to share some of their data with the company’s owner, Facebook.

Previously, the company said it would restrict some users from accessing chat logs and even turn off the ability for users to receive calls and messages through the app. But in a statement to the news outlet The Next Web last week, WhatsApp said:

“Given recent discussions with various authorities and privacy experts, we want to make clear that we currently have no plans to limit the functionality of how WhatsApp works for those who have not yet accepted the update. Instead, we will continue to remind users from time to time about the update as well as when people choose to use relevant optional features, like communicating with a business that is receiving support from Facebook.”

The reversal comes after a confusing and difficult five months for WhatsApp, which, in January, began notifying users about a new privacy policy that would include additional data sharing with Facebook. Users immediately balked at the policy request, though they misconstrued old data sharing practices that WhatsApp rolled out in 2016 with new practices from WhatsApp that would go into effect in 2021.

Never included in WhatsApp’s data sharing practices was the content of users’ messages, and it remains that way today. WhatsApp has held firm on the end-to-end encryption enabled by default for all users, and it has never hinted at breaking that encryption to allow its parent company to increase targeted advertising efforts. Instead, WhatsApp’s current privacy policy will allow the company to share certain data with Facebook about business interactions–like when a user contacts a business over WhatsApp.

Still, the confusion led to a reported exodus of users, to which WhatsApp responded by extending the initial deadline for users to agree to its privacy policy to May 15. But for users who chose not to agree to the new privacy policy, the eventual, planned consequences appeared rather extreme.

For users who refused the privacy policy, WhatsApp previously said that “after a period of several weeks,” those users would see a notification to accept the new privacy policy become persistent. Users with the persistent notification would then see limitations.

The company previously said:

“At that time, you’ll encounter limited functionality on WhatsApp until you accept the updates. This will not happen to all users at the same time.

You won’t be able to access your chat list, but you can still answer incoming phone and video calls. If you have notifications enabled, you can tap on them to read or respond to a message or call back a missed phone or video call.

After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone.”

That language is no longer present on WhatsApp’s FAQ, but when it was first revealed, it presented a stark image to users who had perhaps chosen WhatsApp entirely because of its earlier, pro-privacy slant.

Instead, those users who chose to protect one small aspect of their online privacy were being punished. As we wrote previously:

“A private messaging app that cannot receive messages is useless, and it is ludicrous that the reason it is useless is because the company has chosen to make it that way.

This is an anti-privacy choice. It is also an anti-user choice, as users are being punished for their refusal to share data.”

Thankfully, this scenario has been avoided, but it is still frustrating that it took this level of public outrage for WhatsApp to correct course. Protecting users and protecting their choices should not be this hard.

The post WhatsApp reverses course, will not limit app functionality appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/whatsapp-reverses-course-will-not-limit-app-functionality-2/?utm_source=rss&utm_medium=rss&utm_campaign=whatsapp-reverses-course-will-not-limit-app-functionality-2

The post WhatsApp reverses course, will not limit app functionality appeared first on Malwarebytes Labs.

The post WhatsApp reverses course, will not limit app functionality appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/whatsapp-reverses-course-will-not-limit-app-functionality/?utm_source=rss&utm_medium=rss&utm_campaign=whatsapp-reverses-course-will-not-limit-app-functionality

The Security Digest: #63

Chaos unfolded for a meat producer over the weekend, likely from what else but ransomware. Suspected SolarWinds hackers are back, VPN breaches from state …

The post The Security Digest: #63 appeared first on Cyral.

The post The Security Digest: #63 appeared first on Security Boulevard.


The post The Security Digest: #63 appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/the-security-digest-63/?utm_source=rss&utm_medium=rss&utm_campaign=the-security-digest-63

Cobalt Strike, a penetration testing tool abused by criminals

If you were to compose a list of tools and software developed by security and privacy defenders that ended up being abused by the bad guys, then Cobalt Strike would unfortunately be near the top of the list. Maybe only Metasploit could give it a run for the first place ranking.

Metasploit–probably the best known project for penetration testing–is an exploit framework, designed to make it easy for someone to launch an exploit against a particular vulnerable target. Metasploit is notorious for being abused, yet modules are still being developed for it so that it continues to evolve. Cobalt Strike is in the same basket. Cobalt Strike offers a post-exploitation agent and covert channels, intended to emulate a quiet long-term embedded actor in the target’s network.

What is Cobalt Strike?

Cobalt Strike is a collection of threat emulation tools provided by HelpSystems to work in conjunction with the Metasploit Framework. Cobalt Strike, and other penetration testing tools, were originally created for network defenders to train them to understand vulnerabilities and possible avenues of infection by cyber criminals. These tools are meant to simulate intrusions by motivated actors, and they have proven to be very good at this. So, while “white hat” hackers were developing tools to more easily emulate “black hat” activities, few considered how these tools might be turned against someone. (The terms “white hat” and “black hat” are also falling out of favor, as cybersecurity professionals adopt “red team” and “blue team” descriptors to describe offensive and defensive security teams.)

Establishing a foothold

Lately, we have seen targeted attacks by both state-sponsored threat actors and ransomware peddlers. What we mainly see in the ransomware field is an increasing number of manual infections, for example by using brute force methods and exploiting vulnerabilities to break into networks. We have seen a significant uptick in these methods in 2020 and beyond. As a follow-up to these more manual types of attack, as opposed to spray-and-pray phishing campaigns, we are seeing threat actors who have compromised a server load tools like Cobalt Strike Beacon onto the system. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands. Those commands can include instructions to download malware. After doing this, they can use Cobalt Strike to map out the network and identify any vulnerabilities, as well as deploy implants, backdoors, and other tools to accomplish lateral movement, eventually leading to complete network infection.

Building out grip on the compromised network

This usually goes as follows: an infection occurs, be it via phishing, a manual breach by brute forcing a port, or even an exploit. Once an endpoint has been compromised, the actor looks to compromise a server on the network. There are numerous ways to accomplish this; in fact, last year we saw the ZeroLogon vulnerability used against domain admin servers, which essentially gave full admin rights to a criminal within seconds! Once the server is infected, Cobalt Strike is installed, and it is at this point that more advanced network monitoring, vulnerability identification, and a bunch of other advanced features become available to the criminal. Now armed with more capabilities, the attacker can more quickly and completely compromise endpoints across the network, eventually launching ransomware, sometimes after all the juicy data saved on the network has been collected and exfiltrated.

Cobalt Strike is pricey

New Cobalt Strike licenses cost $3,500 per user for a one year license. License renewals cost $2,585 per user, per year. But why would a cybercriminal worry about such costs? Criminals who are using these tools do not just buy them from the vendors anyway. In many cases, leaked and older versions of Cobalt Strike are being used and in some cases, sophisticated threat actors, e.g. the group behind Trickbot, are building their own versions of Cobalt Strike, modified for their special needs and purposes.

The dilemma

This whole situation creates a strange moral grey area when you consider that tools developed by the good guys as a method of defense against the bad guys are now being used by the bad guys to infect the customers of the good guys. There is a fair amount of discussion among security professionals about whether it is a good idea to continue the free and unregulated development and release of these penetration testing tools, especially when some of them are almost indistinguishable from actual black hat tools, as well as a lot of finger pointing about whose responsibility it is to make sure these tools aren't used for crime. But how could we do that, and is it already too late?

The need for pen-testing

While we can see why major corporations deploy red teams to perform penetration testing, we also wonder whether it is right to develop the malware for the threat actors. One could argue that using the latest and newest actual forms of malware should be adequate to test whether your defenses are up to par.

As it stands now, we have ended up with a situation where paid, dedicated researchers spend all day working on new tools for penetration testing and intrusion, which may very well end up being used by the criminals themselves. There are likely far fewer, if any, full-time malware tool developers who have the resources, time, and experience to create something of the same magnitude. So at the end of the day, the weapons created by the white and grey hats may be causing more harm than good in the long run because of a lack of control.

The problem it causes

Pen-testing is limited to the companies that can afford it and feel the need to do it. By using it they are not only adding to their own protection, which is their prerogative, but as a side-effect they are enabling the development of more advanced penetration software.

Combine that with an industry where some penetration testers prefer a situation in which organizations are unable to defend themselves against these tools, because it creates more business for penetration testing companies. If you pass the test every time with flying colors, you will start to doubt the effectiveness of said test.

This is the problem we currently have with penetration tools being hijacked by criminals. The organizations that employ penetration testers are involuntary enablers, who are protected from this threat while also being the main drivers of development and providers of resources. On the other side of the spectrum there are those who aren’t aware of the threat, and will be the biggest victims once these tools fall into the hands of criminals.

As long as the consultants build new, more powerful tools, and don't pay attention to where the outdated and discarded tools end up, your neighbor can end up under attack by the tools you paid to develop. You are probably safe from the attack, but dozens of others, many in industries that can't afford a consultant to test their security, are not safe, and in fact are at a greater risk than before you brought in your consultant.

The post Cobalt Strike, a penetration testing tool abused by criminals appeared first on Malware Devil.



https://malwaredevil.com/2021/06/01/cobalt-strike-a-penetration-testing-tool-abused-by-criminals-2/?utm_source=rss&utm_medium=rss&utm_campaign=cobalt-strike-a-penetration-testing-tool-abused-by-criminals-2

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...