  • Security

    80 stories in this category


      Splunk Enterprise deployment servers security issue - CVE-2022-32158

      nvd.nist.gov - Splunk Enterprise deployment servers in versions before 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server.

      Australia's cyber laws potentially harmful to security: Critical Infrastructure community

      zdnet.com - A slew of Australia's critical infrastructure service providers and union groups have lambasted the federal government's critical infrastructure cyber laws because they would require organisations to install third-party software on their systems if they are deemed not "technically capable" of managing cyber threats.
      Roger Somerville, Amazon Web Services' (AWS) ANZ public policy head, said the need for new cybersecurity laws was apparent, but he remained critical of the software installation scheme contained within the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.
      The Bill contains outstanding elements of cyber laws passed by the Parliament last year, per recommendations from the parliamentary committee that is currently reviewing the laws. Among these outstanding elements are requirements for entities deemed "most important to the nation" to adhere to enhanced cybersecurity obligations, such as potentially installing third-party software.
      Addressing the parliamentary committee that is reviewing the Bill, Somerville said there is a lack of clarity on how the software installation scheme would operate, and that the federal government saying it would only be used as a "last resort" is not sufficient.
      "We do acknowledge that the Australian government has told us that those sorts of powers would be more relevant for less sophisticated cyber security entities than ourselves. But from our perspective, I think we're very concerned that we still do need to see clear, practical guidance on how this would work," Somerville said.
      Somerville added that if the federal government was adamant in pushing ahead with establishing the software installation scheme, a technical support body that exists as an independent statutory office holder should be created to oversee the scheme's operation.
      "This body would also perhaps create an avenue for contestability of those decisions, particularly on the questions of technical feasibility," he said.
      AWS was not alone in sharing its concerns, as Palo Alto Networks ANZ public policy head Sarah Sloan, who also appeared before the committee, said the software installation scheme introduces unnecessary security risks into critical infrastructure environments.
      This security concern was echoed by Communications Alliance CEO John Stanton, who provided an example of how the scheme could be dangerous.
      "The danger is probably more when information is combined with other information sources, so we don't necessarily hold a list of the people's names behind IP addresses, but other organisations do. So if you combine data [from critical infrastructure entities] with telecommunications service providers data, because they know who the service providers are of those IP addresses then you're able to effectively put together personal information," Stanton said.
      Software Alliance COO Jared Ragland, meanwhile, noted that the security issues with the scheme did not stop there as the installation of the software could lead to more issues across critical infrastructure supply chains.
      "In addition to concerns about what kind of information might have legitimate access to the software, a real concern is that if the software is installed at each stage along this chain and it operates improperly, then there could be accidental problems. Perhaps it could be data leakage, but it could also be operational interruptions of other sorts," Ragland explained.
      For each of these organisations, trust appeared to be a core issue in their opposition to the software installation scheme. To address this lack of trust, not-for-profit advocacy group Internet Association of Australia (IAA) said the federal government should amend the proposed cyber laws to allow critical infrastructure entities to heavily test code.
      "It's highly, highly important that we need to have to trust the type of software that goes on to manage this. And we need the opportunity to be able to read the code, assess the code, test the code against other things," IAA CEO Narelle Clark said.
      The federal government's critical infrastructure reforms sit alongside the ransomware action plan as being its primary regulatory efforts for bolstering Australia's cybersecurity posture.
      The second tranche of cyber laws, labelled last month by Home Affairs Secretary Mike Pezzullo as the government's defence against cyber threats, is intended to create a standardised critical infrastructure framework for Australia's intelligence agencies.

      Australia's big four banks tackling cybersecurity with a team sport mentality

      zdnet.com - The chief security officers of Australia's big four banks have likened combating cybersecurity attacks to playing a team sport.
      "I think I'm not alone in saying that we see cyber as very much a team sport," Commonwealth Bank of Australia CISO Keith Howard said during the virtual Cyber Live event on Wednesday.
      "The competitors, from my perspective, is not [the other banks], it's the attackers … at the end of the day, we're stronger when we work across industry, across education, and also work across government as well."
      This joint security effort between the big four occurs regularly, according to National Australia Bank CSO Sandro Bucchianeri.
      "What we typically do is we would talk about indicators of compromise and share our threat intelligence so that we can better defend ourselves because something I see at NAB, Richard may not have seen it at Westpac, or Lynwen [at ANZ] may have also seen it, so we try to compare notes essentially -- and that helps us protect the wider Australian community as a whole," he said.

      Bucchianeri also emphasised the importance of having diverse skill sets to make up a strong cybersecurity team.
      "Just like soccer, where you have strikers, defenders, midfielders, goalkeepers, doctors, coaches, nutritionists, and the list goes on, we are looking for new diverse talent that will help us better defend the organisation. Something that I'm personally very excited about is training visually impaired students to become cybersecurity professionals," he said.
      From ANZ CISO Lynwen Connick's perspective, diversifying the cybersecurity sector is not only about gender but also about bringing in people from other fields like psychology, media, and fashion.
      "People come from all different walks of life, and that's really important from a diversity point of view as well because you get that diversity of thought," she said.
      "People have had different training, different experiences coming into cybersecurity because cybersecurity is really part of everything we do, so we need all sorts of different people."  
      The need to boost Australia's cybersecurity skills comes at a time when cyber attacks are no longer confined to a specific sector or enterprise; they are hurting all sectors. A prime example was global meatpacker JBS paying $11 million in Bitcoin last year to attackers who encrypted its files with ransomware and disrupted operations in the US and Australia.
      As BT Australasia cybersecurity head Luke Barker puts it, a decade ago there was nowhere near as much targeted activity against organisations that run operational networks, such as manufacturing, mining, energy, and water, as there is today.
      "Ten years ago, I don't think the adversaries were targeting those types of industries as much," he said.
      "Whereas I look now and most of the organisations we work with, we're seeing a significant rise in cybercrime against organisations that run those types of environments because the impact is so big.
      "If you're having to take down an organisation's manufacturing facility, that is the number one source of revenue, so the impact of their business and the likelihood of them potentially paying a ransom is going to be more so than say their website goes down, when their core business is manufacturing.
      "We're seeing that shift towards what's going to create the biggest impact and where are the crown jewels for that organisation." 

      Brakeman – A Code Security Auditing Tool for Ruby

      latesthackingnews.com - What is Brakeman?
      In the 1800s a brakeman was a rail worker responsible for keeping the railroads safe by applying the brakes to each individual car. Here, Brakeman is a security scanner for applications written with the Ruby on Rails framework: it analyses the source code of a Rails application statically and highlights potential vulnerabilities.
      Installation is a breeze with RubyGems; alternatively, you can build the latest version from GitHub. The project is popular and is used by companies such as Groupon, Twitter and GitHub itself.
      gem install brakeman
      git clone https://github.com/presidentbeef/brakeman.git
      cd brakeman
      docker build . -t brakeman
      How is it used?
      The main advantage of Brakeman is that it can run at any point in the development cycle, because all it needs is the source code, and it requires zero setup or configuration once installed. Each warning carries one of three confidence levels (High, Medium, Weak) that indicate how likely the finding is to be a genuine vulnerability rather than a false positive. Brakeman is also much faster than black-box scanners, but it analyses code statically only; it never runs the application.

      Brakeman comes with many scanning options, such as scanning a specified path (-p), running all checks in a single thread (--no-threads) or forcing it to assume Rails 3 or 4 (--rails3, --rails4). To run Brakeman locally, just run the brakeman command from the root of the Rails application; to run it from outside the application directory, pass the path to the application as an argument. Brakeman works with any version of Rails from 2.3 to 6.x and can analyse code written in Ruby 1.8 syntax and later, but needs at least Ruby 2.4.0 to run.

      How much do we like it?
      All in all, this tool and its advantages make me want to give it a 3/5 bunny rating. The fact that you can run this tool at any stage of development is very convenient, as is being able to scan individual paths. This tool seems like it could be every Ruby developer's dream tool.



      Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm

      thehackernews.com - Researchers have detailed what they call the "first successful attempt" at decrypting data infected with Hive ransomware without relying on the private key used to lock access to the content.
      "We were able to recover the master key for generating the file encryption key without the attacker's private key, by using a cryptographic vulnerability identified through analysis," a group of academics from South Korea's Kookmin University said in a new paper analyzing its encryption process.
      Hive, like other cybercriminal groups, operates a ransomware-as-a-service that uses a variety of mechanisms to compromise business networks, exfiltrate and encrypt data on those networks, and then attempt to collect a ransom in exchange for access to the decryption software.
      It was first observed in June 2021, when it struck a company called Altus Group. Hive leverages a variety of initial compromise methods, including vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments.
      The group also practices the increasingly lucrative scheme of double extortion, wherein the actors go beyond just encryption by also exfiltrating sensitive victim data and threatening to leak the information on their Tor site, "HiveLeaks."
      As of October 16, 2021, the Hive RaaS program has victimized at least 355 companies, with the group securing the eighth spot among the top 10 ransomware strains by revenue in 2021, according to blockchain analytics company Chainalysis.
      The malicious activities associated with the group have also prompted the U.S. Federal Bureau of Investigation (FBI) to release a Flash report detailing the attacks' modus operandi, noting how the ransomware terminates processes related to backups, anti-virus, and file copying to facilitate encryption.
      The cryptographic vulnerability the researchers identified lies in how the master key is generated, stored and used to derive per-file keystreams: the ransomware encrypts only selected portions of each file, rather than its entire contents, using two keystreams derived from the master key.
      "For each file encryption process, two keystreams from the master key are needed," the researchers explained. "Two keystreams are created by selecting two random offsets from the master key and extracting 0x100000 bytes (1MiB) and 0x400 bytes (1KiB) from the selected offset, respectively."
      The encryption keystream, created by XORing the two keystreams together, is then XORed with the file data in alternating blocks to produce the encrypted file. Because the keystreams are plain slices of the master key, this construction makes it possible to guess the keystreams and reconstruct the master key, which in turn allows encrypted files to be decrypted without the attacker's private key.
      The researchers said they were able to weaponize the flaw to devise a method that reliably recovers more than 95% of the keys employed during encryption.
      "The master key recovered 92% succeeded in decrypting approximately 72% of the files, the master key restored 96% succeeded in decrypting approximately 82% of the files, and the master key restored 98% succeeded in decrypting approximately 98% of the files," the researchers said.
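      The following is an added example, not Hive's code and not the Kookmin researchers' tool: a toy model of the keystream construction described above, together with the reason known plaintext breaks it. A random master key is sliced at two per-file offsets, the long slice and the repeating short slice are XORed into a keystream, and the file is XORed with that. Every byte of known plaintext then yields a relation of the form key[a] ^ key[b] = c; a union-find that tracks XOR differences links the key indices into components, and inside a component the XOR of any two bytes is known, which is exactly what a keystream byte needs. Assumptions, all simplifications of the real scheme: the key is indexed modulo its length, every byte of a file is encrypted (no alternating blocks), the slices are shrunk from 1 MiB / 1 KiB to 128 / 16 bytes, and the per-file offsets are available to the analyst.

```python
"""Toy model (added example, not Hive's code) of keystream = XOR of two
master-key slices, and of recovering keystreams from known plaintext."""
import random

MASTER = 1024      # toy master key length in bytes (assumption)
S1, S2 = 128, 16   # toy long / short slice lengths (assumption)


def keystream(master, o1, o2, n):
    """Byte i = master[o1+i] ^ master[o2 + i % S2]: the short slice repeats
    every S2 bytes underneath the long one."""
    m = len(master)
    return bytes(master[(o1 + i) % m] ^ master[(o2 + i % S2) % m] for i in range(n))


def encrypt(master, o1, o2, data):
    """Encryption and decryption are the same XOR (toy files are <= S1 bytes)."""
    return bytes(d ^ k for d, k in zip(data, keystream(master, o1, o2, len(data))))


class XorUnionFind:
    """Union-find over key indices storing rel[x] = key[x] ^ key[parent[x]].
    Each known relation key[a] ^ key[b] = v merges two components; the XOR
    difference of any two indices in one component is then determined."""

    def __init__(self, n):
        self.parent = list(range(n))
        self.rel = [0] * n

    def find(self, x):
        """Return (root, key[x] ^ key[root]) and compress the path."""
        path = []
        while self.parent[x] != x:
            path.append(x)
            x = self.parent[x]
        acc = 0
        for y in reversed(path):          # nearest-to-root first
            acc ^= self.rel[y]
            self.rel[y], self.parent[y] = acc, x
        return x, acc

    def union(self, a, b, v):
        """Record key[a] ^ key[b] == v; False if it contradicts earlier data."""
        ra, xa = self.find(a)
        rb, xb = self.find(b)
        if ra == rb:
            return (xa ^ xb) == v
        self.parent[ra] = rb
        self.rel[ra] = xa ^ xb ^ v        # = key[ra] ^ key[rb]
        return True

    def diff(self, a, b):
        """key[a] ^ key[b] if both indices share a component, else None."""
        ra, xa = self.find(a)
        rb, xb = self.find(b)
        return xa ^ xb if ra == rb else None


def learn(uf, o1, o2, ct, known_pt):
    """Known plaintext: ct[i] ^ pt[i] == key[o1+i] ^ key[o2 + i % S2]."""
    for i, (c, p) in enumerate(zip(ct, known_pt)):
        uf.union((o1 + i) % MASTER, (o2 + i % S2) % MASTER, c ^ p)


def recover(uf, o1, o2, ct):
    """Decrypt a file whose content was never seen; None if any keystream
    byte is still undetermined (the paper's 'x% of files' effect)."""
    out = bytearray()
    for i, c in enumerate(ct):
        d = uf.diff((o1 + i) % MASTER, (o2 + i % S2) % MASTER)
        if d is None:
            return None
        out.append(c ^ d)
    return bytes(out)


def demo(seed=1, n_known=300, n_targets=50):
    """Fraction of unknown files decrypted after learning from n_known files
    with known content (constructed random data, random per-file offsets)."""
    rng = random.Random(seed)
    master = bytes(rng.getrandbits(8) for _ in range(MASTER))
    rand_file = lambda: bytes(rng.getrandbits(8) for _ in range(S1))
    uf = XorUnionFind(MASTER)
    for _ in range(n_known):
        pt, o1, o2 = rand_file(), rng.randrange(MASTER), rng.randrange(MASTER)
        learn(uf, o1, o2, encrypt(master, o1, o2, pt), pt)
    hits = 0
    for _ in range(n_targets):
        pt, o1, o2 = rand_file(), rng.randrange(MASTER), rng.randrange(MASTER)
        hits += recover(uf, o1, o2, encrypt(master, o1, o2, pt)) == pt
    return hits / n_targets
```

      Two points the toy makes visible. First, decryption never needs the absolute master key bytes, only XOR differences within a component, so partially recovered key material still decrypts whatever files happen to fall inside the recovered region, which is the pattern behind the percentages the researchers quote. Second, the more known plaintext is available (and file headers, templates and duplicate files are plentiful on a real estate), the larger the connected region grows; with few known files most targets fail because some byte of their keystream touches an index nothing has constrained yet.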


      U.S. Cybersecurity Agency Publishes List of Free Security Tools and Services

      thehackernews.com - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday published a repository of free tools and services to enable organizations to mitigate, detect, and respond effectively to malicious attacks and further improve their security posture.
      The "Free Cybersecurity Services and Tools" resource hub comprises a mix of services provided by CISA, open-source utilities, and other implements offered by private and public sector organizations across the cybersecurity community.
      "Many organizations, both public and private, are target rich and resource poor," CISA Director, Jen Easterly, said in a statement. "The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment."
      The tools catalog is the latest in a string of initiatives launched by CISA to combat cyber threats and help organizations adopt foundational measures to maximize resilience by patching security flaws in software, enforcing multi-factor authentication, and halting bad practices.
      To that end, the agency has launched dedicated portals documenting Known Exploited Vulnerabilities, "exceptionally risky" cybersecurity procedures, guidance for resisting ransomware infections as well as threats associated with nefarious information and influence operations.
      Earlier this week, it also launched a "Shields Up" campaign notifying organizations in the U.S. of potential risks arising from cyber threats that can disrupt access to essential services and potentially result in impacts to public safety.
      The development also comes as the agency released an alert detailing proactive steps that critical infrastructure entities can take to assess and mitigate threats related to information manipulation, while noting that the advancements in communications and networked systems have created new vectors for exploitation.
      "Malicious actors may use tactics — such as misinformation, disinformation, and malinformation — to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors," CISA said.


      Critical Bug Found in WordPress Plugin for Elementor with Over a Million Installations

      thehackernews.com - A WordPress plugin with over one million installs has been found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.
      The plugin in question is Essential Addons for Elementor, which provides WordPress site owners with a library of over 80 elements and extensions to help design and customize pages and posts.
      "This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack," Patchstack said in a report. "This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed."
      That said, the vulnerability only exists if widgets like dynamic gallery and product gallery are used, which utilize the vulnerable function, resulting in local file inclusion – an attack technique in which a web application is tricked into exposing or running arbitrary files on the webserver.
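      The following is an added illustration of the local file inclusion pattern described above and of the usual fix; it is written in Python rather than the plugin's PHP and is not the plugin's own code. The template names, the ".html" suffix and the directory layout are assumptions made for the example.

```python
"""Added example: a template-include routine that trusts a request parameter
(vulnerable) beside one that allowlists names and confines the resolved path."""
import os
import tempfile

# Assumed widget template names; the real plugin's names are not shown here.
ALLOWED_TEMPLATES = {"dynamic-gallery", "product-gallery"}


def vulnerable_include(template_dir, name):
    """Vulnerable: the parameter goes straight into the path, so a value like
    "../../../../etc/passwd" (enough "../" segments) escapes template_dir."""
    path = os.path.join(template_dir, name)
    with open(path, "rb") as f:
        return f.read()


def safe_include(template_dir, name):
    """Fixed: (1) only allowlisted names are looked up at all; (2) as defence in
    depth the resolved real path must stay under the template directory, which
    also catches symlinks and encoded traversal that slip past (1)."""
    if name not in ALLOWED_TEMPLATES:
        raise ValueError("unknown template")
    base = os.path.realpath(template_dir)
    path = os.path.realpath(os.path.join(base, name + ".html"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes template directory")
    with open(path, "rb") as f:
        return f.read()


def build_fixture():
    """Constructed layout: <tmp>/templates/dynamic-gallery.html plus a file one
    level up that an include must never be able to reach."""
    root = tempfile.mkdtemp()
    tdir = os.path.join(root, "templates")
    os.mkdir(tdir)
    with open(os.path.join(tdir, "dynamic-gallery.html"), "wb") as f:
        f.write(b"<div class='gallery'></div>")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/bash\n")   # stand-in for /etc/passwd
    return tdir


def demo():
    """Returns (vulnerable version leaked the file, fixed version refused,
    fixed version still serves a legitimate template)."""
    tdir = build_fixture()
    leaked = vulnerable_include(tdir, "../secret.txt")
    try:
        safe_include(tdir, "../secret.txt")
        blocked = False
    except ValueError:
        blocked = True
    return leaked.startswith(b"root:"), blocked, safe_include(tdir, "dynamic-gallery")
```

      The allowlist is the real fix: once the include target can only be one of a fixed set of names, there is nothing for traversal to work with. The path containment check costs one realpath call and protects against the next refactor that forgets the allowlist.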
      The flaw affects all versions of the add-on up to and including 5.0.4; researcher Wai Yan Myo Thet is credited with discovering it. Following responsible disclosure, the security hole was finally plugged in version 5.0.5, released on January 28, "after several insufficient patches."
      The development comes weeks after it emerged that unidentified actors tampered with dozens of WordPress themes and plugins hosted on a developer's website to inject a backdoor with the goal of infecting further sites.


      Dozens of Security Flaws Discovered in UEFI Firmware Used by Several Vendors

      thehackernews.com - As many as 23 new high severity security vulnerabilities have been disclosed in different implementations of Unified Extensible Firmware Interface (UEFI) firmware used by numerous vendors, including Bull Atos, Fujitsu, HP, Juniper Networks, Lenovo, among others.
      The vulnerabilities reside in Insyde Software's InsydeH2O UEFI firmware, according to enterprise firmware security company Binarly, with a majority of the anomalies diagnosed in the System Management Mode (SMM).
      UEFI is a software specification that provides a standard programming interface connecting a computer's firmware to its operating system during the booting process. In x86 systems, the UEFI firmware is usually stored in the flash memory chip of the motherboard.
      "By exploiting these vulnerabilities, attackers can successfully install malware that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot, and Virtualization-Based Security isolation," the researchers said.
      Successful exploitation of the flaws (CVSS scores: 7.5 - 8.2) could allow a malicious actor to run arbitrary code with SMM privileges. SMM is a special-purpose execution mode of x86 processors that handles power management, hardware configuration, thermal monitoring, and other functions.
      "SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity," Microsoft notes in its documentation, adding the SMM attack vector could be abused by a piece of nefarious code to trick another code with higher privileges into performing unauthorized activities.
      Worse, the weaknesses can also be chained together to bypass security features and install malware in a manner that survives operating system re-installations and achieve long-term persistence on compromised systems — as observed in the case of MoonBounce — while stealthily creating a communications channel to exfiltrate sensitive data.
      Insyde has released firmware patches that address these shortcomings as part of the coordinated disclosure process. But the fact that the software is used in several OEM implementations means it could take a considerable amount of time before the fixes actually trickle down to affected devices.


      Konni remote access Trojan receives 'significant' upgrades

      zdnet.com - The Konni Remote Access Trojan (RAT) has recently received "significant" updates, say researchers who also urge the community to keep a close eye on the malware.

      On Wednesday, cybersecurity firm Malwarebytes published an advisory on the malware's latest developments, noting that the Trojan is under active development resulting in "major" changes. 
      Konni has been detected in the wild for roughly eight years. A report on the malware published by BlackBerry in 2017 said that the malware made use of "basic" anti-analysis techniques and was employed for surveillance purposes, rather than the typical financial attacks often linked to RATs. 
      Past campaigns have hinted strongly at a link with North Korea. Phishing documents used to spread the Trojan tend to have themes connected to the Hermit Kingdom, including content relating to missile capabilities, hydrogen bombs, and articles copied from the Yonhap news agency that talked about the country.
      The attached documents contained the payload, and once executed on a vulnerable Windows machine, Konni would gather data through file grabs, keystroke logs, and screen capturing. 
      Konni is believed to be the work of the Kimsuky threat group, which has attacked South Korean think tanks, political groups in Russia, and entities in both Japan and the United States. 
      According to Malwarebytes, the old Trojan has now evolved into a "stealthier" version of itself. New samples show that the phishing attack vector has primarily stayed the same – with the payload deployed through malicious Office documents – but the Trojan, a .DLL file linked to an .ini file, now contains revised functionality.
      Older versions of the RAT had two execution branches, one for running as a Windows service under svchost.exe and one for rundll32.exe, and both strings were present in the binary. Malwarebytes explained:
      "New samples will not show these strings. In fact, rundll is no longer a valid way to execute the sample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages."
      The malware has also transitioned from base64 encoding to AES encryption to protect its strings and for obfuscation purposes. In addition, Konni now utilizes AES when configuration and support files are dropped – such as the .ini file that contains the command-and-control (C2) server address – as well as when files are sent to the C2.
      A previously-unknown packer was also used by some recent Konni samples, but threat data collected by the cybersecurity firm suggests it may have been left out of real-world scenarios. 
      "As we have seen, Konni is far from being abandoned," Malwarebytes commented. "The authors are constantly making code improvements. In our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted."
      Earlier this month, Cisco Talos documented a recent campaign in which cloud infrastructure provided by vendors including Microsoft Azure and Amazon Web Services (AWS) was being abused to spread commercial RATs. 
      Strains including Nanocore, Netwire, and AsyncRAT were being deployed by the operators, who also abused DuckDNS to facilitate the download of malicious packages. 

      QNAP Warns NAS Users of DeadBolt Ransomware Attacks

      securityweek.com - Network-attached storage (NAS) solutions manufacturer QNAP on Wednesday warned users of a DeadBolt ransomware campaign targeting their devices, encouraging them to correctly secure any Internet-facing NAS and routers.
      The attacks started only recently but have already claimed multiple victims, many of whom have turned to QNAP's forums and Reddit over the past several days to report that DeadBolt has locked them out of their NAS devices.
      After successfully infecting an appliance, the ransomware appends the .deadbolt extension to the encrypted files and hijacks the device’s login page to display a note informing the victim they have been infected and asking for a 0.03 Bitcoin (roughly $1,100) payment in exchange for the decryption key.

      DeadBolt’s operators claim they are exploiting a new zero-day vulnerability in QNAP’s NAS devices, and are asking 5 Bitcoin (worth roughly $180,000) in exchange for information on the security bug.
      They also say they are willing to sell the master decryption key for the ransomware (paired with full details on the exploited zero-day), for 50 Bitcoin (approximately $1.8 million).
      On Wednesday, the Taiwan-based manufacturer issued an alert to remind users to correctly secure their NAS devices that are directly accessible from the Internet.
      “QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP NAS and routers, and immediately update QTS to the latest available version,” the company says.
      First, users should check if their NAS is Internet-facing and also verify which ports on their routers are exposed to the Internet. Next, they should disable port forwarding on the router, as well as the UPnP function on the NAS, the company says.
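      As an added example that is not QNAP's own guidance or tooling, the check in the first step can be made concrete with a small TCP connect probe against the service ports a QTS NAS typically listens on. Run it from outside your network (a phone on mobile data, a cloud shell) against your public IP address: any port that answers from the Internet is one the router is forwarding or UPnP has opened, and should be closed unless you deliberately want it reachable. The port list is an assumption about QTS defaults; compare it with the services enabled on your device.

```python
"""Added example: probe a host for the ports a QTS NAS commonly exposes.
Run from OUTSIDE the LAN against the public IP to see what the router forwards."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed QTS defaults (adjust to the ports configured on your NAS).
QNAP_PORTS = {
    8080: "QTS web admin (HTTP)",
    443: "QTS web admin (HTTPS)",
    22: "SSH",
    21: "FTP",
    445: "SMB",
    873: "rsync",
}


def probe(host, port, timeout=2.0):
    """True if a TCP handshake completes on host:port within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered/timed out, unreachable
        return False


def exposed_ports(host, ports=QNAP_PORTS, timeout=2.0):
    """Sorted list of the given ports that accept a connection."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = pool.map(lambda p: (p, probe(host, p, timeout)), list(ports))
    return sorted(p for p, up in results if up)


def report(host, ports=QNAP_PORTS):
    """Human-readable lines, one per reachable port."""
    return [f"{host}:{p} open ({ports.get(p, 'unknown service')})"
            for p in exposed_ports(host, ports)]


def demo_against_local_listener():
    """Offline self-check (constructed): one listening loopback port and one
    that was bound and released; the scan must report only the listener."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                       # nothing listens here any more
    try:
        return exposed_ports("127.0.0.1", [open_port, closed_port]) == [open_port]
    finally:
        srv.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("\n".join(report(target)) or f"{target}: none of the probed ports answered")
```

      A connect probe only reports ports that complete a handshake; a port that is forwarded but filtered upstream shows as closed, so an empty result from outside is the goal, and a non-empty one is the list to work through in the router's port-forwarding table and the NAS's UPnP setting.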
      QNAP’s products have long been targeted in ransomware and brute-force attacks and the company has issued numerous warnings of compromise attempts, yet many users continue to leave their devices exposed to the Internet.
      Ionut Arghire is an international correspondent for SecurityWeek.