Cyber Security news
An ambitious hacking campaign was detected last weekend. Specialists from a malware analysis course report an attack that compromised around 2,000 websites around the world running Magento, the popular open source software for e-commerce sites.
Preliminary reports indicate that the incident has all the characteristics of a Magecart attack, in which threat actors inject malicious code into a website to extract financial information from unsuspecting users; this campaign has been named “CardBleed Attack”. It should be noted that the affected websites ran Magento 1, a version that stopped receiving updates a few months ago.
A Sansec report mentions that at least 1904 different e-commerce sites were infected with a sophisticated keylogger in their payment sections; the attack began on Friday with the infection of 10 websites and spread throughout the weekend, infecting 1058 more websites on Saturday and 839 more between Sunday and Wednesday, according to specialists from the malware analysis course.
The security firm had detected a similar campaign in 2005, although on that occasion the hackers only managed to attack 960 online stores, which indicates that the operators of this attack have developed more sophisticated skimming methods. This incident could have compromised the financial information of tens of thousands of people.
Another notable fact about this incident is that many of the affected websites had not been attacked before, suggesting that a new attack method was used to access the servers of the affected sites. Although the incident is still under investigation, experts from the malware analysis course mention that the campaign could be related to a zero-day exploit that was put up for sale a couple of weeks ago on a hacking forum.
A dark web seller calling himself z3r0day announced the sale of a working remote code execution exploit for Magento 1 for $5,000 USD, a price that includes a manual for carrying out the attack. In a video posted by the allegedly Russian hacker, it can be seen that a Magento administrator account is not even required to complete the attack.
Finally, Adobe disclosed that it does not plan to release fixes for these vulnerabilities since Magento 1 is at the end of its life, although this seems an unreasonable decision given the large number of e-commerce sites that still run this version of the software.
Since the advent of instant messaging apps, a few taps on a phone screen are enough to get in touch with family, friends and acquaintances. While these platforms have made many things easier, they have their own security issues, and the potential attack vectors are not always in plain sight, as network penetration testing experts point out.
One of the attack vectors that has attracted the most attention from researchers recently is Mobile Contact Discovery (MCD), the messaging app feature that lets users find other users from their contact list with no information beyond a phone number.
The most popular messaging apps, including WhatsApp, implement MCD by constantly accessing the user’s contact list to find other users registered on the same platform. Services with a greater focus on privacy, such as Signal, instead rely on a short hash of the user’s phone number, although network penetration testing experts point out that this is not a much more secure method than the one used by other services.
The most recent research on this feature, conducted by the University of Würzburg, shows that MCD services can pose a serious security threat to users of messaging apps.
The main risk of implementing MCD is the potential leak of a user’s contacts in a security incident; such an incident would present the ideal opportunity for threat actors to deploy phishing attacks or identity fraud for all kinds of malicious purposes. Another risk comes from governments around the world, which could begin to pressure messaging platforms to hand over information on a user under investigation or suspected of a crime.
FINDING A USER THROUGH METADATA
Metadata is not safe from malicious hackers either, and the worst thing is that millions of users have not even consented to the existence of these pieces of information. Profile picture, status, last connection time and username are some of the data that can be very useful to criminals, even if they do not seem like important information.
It is remarkably easy for a malicious user to collect metadata from messaging apps and find a person’s social media profiles, which can be used to profile users for criminal purposes.
Another risk users are exposed to is enumeration attacks, which are impossible to prevent on these platforms given the minimal requirements to register for these services.
CASE STUDIES: WHATSAPP, TELEGRAM AND SIGNAL
Network penetration testing experts analyzed these messaging apps and found that in all three cases it is entirely possible to carry out attacks such as those described above, at an unusual scale. Another interesting finding concerns user practices: users rarely change the default privacy settings of the service they use, exposing themselves to much greater security risks than those related to MCD alone.
Finally, hash-based contact discovery protocols (such as the one used by Signal) can be easily breached, as the researchers showed by comparing three methods for hashing phone numbers, which makes this a very unsafe mechanism.
This research has shown that it is possible to compromise the security of billions of users who rely on these platforms for their day-to-day communications; the researchers’ findings were shared with WhatsApp, Signal and Telegram so that the companies can find the mechanisms needed to improve how MCD is used.
In addition to analyzing the security risks of MCD, the researchers propose some measures to mitigate the risks involved in this practice, focusing on highly secure cryptographic protocols that can prevent any information leakage.
Private set intersection protocols are probably the most promising approach to improving security in future MCD deployments. These protocols would allow users and providers to find contacts without exposing any information beyond the phone number itself, although their actual effectiveness remains to be seen.
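To show what a private set intersection (PSI) buys over plain hashing, here is a minimal Diffie-Hellman-style PSI for contact discovery, added as an illustration; it is not the researchers' code nor any messenger's implementation. The client learns only which of its contacts are registered, while the server sees nothing but blinded values; the 128-bit safe prime and the phone numbers are toy assumptions.

```python
"""Toy Diffie-Hellman private set intersection (PSI) for contact discovery."""
import hashlib
import secrets

# Assumption: a 128-bit safe prime generated at runtime keeps the demo fast.
# Real deployments would use a standardized group or an elliptic curve.


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, error < 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int = 128) -> int:
    """Return p = 2q + 1 with both p and q prime, so the QR subgroup has prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1


def hash_to_group(phone: str, p: int) -> int:
    """Map a phone number (digits only) to a quadratic residue mod p."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    h = int.from_bytes(hashlib.sha256(digits.encode()).digest(), "big") % p
    return pow(max(h, 2), 2, p)


class Party:
    """One side of the protocol: a set of phone numbers plus a secret exponent."""

    def __init__(self, phones, p: int):
        self.p = p
        self.items = list(dict.fromkeys(phones))  # de-duplicate, keep order
        self.secret = secrets.randbelow((p - 1) // 2 - 1) + 1

    def blind_own(self):
        """H(x)^secret for each own item: unlinkable to x without the secret."""
        return [pow(hash_to_group(x, self.p), self.secret, self.p) for x in self.items]

    def blind_other(self, elements):
        """Raise the other party's blinded values to our own secret."""
        return [pow(e, self.secret, self.p) for e in elements]


def contact_discovery(client_contacts, registered_users, p=None):
    """Return the client's contacts that are registered, revealing nothing else.

    Round 1: client -> server  A_i = H(x_i)^a
    Round 2: server -> client  A_i^b (same order) and B_j = H(y_j)^b (shuffled)
    Client computes B_j^a; because (H(x)^a)^b == (H(x)^b)^a, matches collide.
    """
    p = p or generate_safe_prime()
    client, server = Party(client_contacts, p), Party(registered_users, p)
    a_blinded = client.blind_own()             # the server only ever sees these
    ab = server.blind_other(a_blinded)
    b_blinded = server.blind_own()
    secrets.SystemRandom().shuffle(b_blinded)  # hide which server entry matched
    ba = set(client.blind_other(b_blinded))
    return [x for x, v in zip(client.items, ab) if v in ba]


# Constructed sample data: a user's address book and the provider's registered users.
SAMPLE_CONTACTS = ["+1 555 123 0001", "+1 555 123 0002", "+1 555 123 0003"]
SAMPLE_REGISTERED = ["+15551230002", "+15551230003", "+15551239999"]

if __name__ == "__main__":
    print("registered contacts:", contact_discovery(SAMPLE_CONTACTS, SAMPLE_REGISTERED))
```

The scalability caveat the article raises applies here too: the server would have to send a blinded value for every registered user, which is why real deployments need further engineering.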
Proofpoint security firm specialists have revealed multiple critical vulnerabilities in the multi-factor authentication of cloud environments where WS-Trust is enabled. According to network security course experts, the flaws could allow threat actors to bypass multi-factor authentication and access applications like Microsoft 365, compromising all kinds of sensitive information.
As if that weren’t enough, the flaws could also be exploited to access other Microsoft cloud services, including Azure and Visual Studio, among others.
In their presentation, the researchers mentioned that the flaws have likely existed for some time, although this has not been fully proven. They also mention that these flaws exist due to a combination of multiple errors in the implementation of the WS-Trust protocol. In some of the scenarios described, malicious hackers could spoof the IP address of a target user to bypass multi-factor authentication by manipulating request headers.
Although finding these flaws is difficult, exploiting them can be very simple and can even be automated. Investigating a potential attack is also difficult, since the malicious activity does not appear in the logs or leave traces, as mentioned by network security course specialists.
As for the deployment of attacks, threat actors can use widely employed methods such as phishing or channel hijacking, as described below.
Real-time phishing attacks
Real-time phishing is a much more aggressive variant, since threat actors can capture users’ login credentials with automated tools. A popular variant of real-time phishing is known as Challenge Mirroring, in which users are asked to enter their login credentials on a malicious website, enabling an attack in real time.
This scenario requires a malware variant that is injected into the victim’s system via a Man-in-the-Browser attack or web injection to obtain the target user’s information.
The malware variants used in these attacks can extract login credentials from the phone, as well as intercept text messages and hack an answering machine.
These are not the only methods used by threat actors. A cheaper and less complex variant abuses legacy protocols present in disused devices or accounts. According to network security course experts, legacy email protocols (POP, IMAP) do not support multi-factor authentication in non-interactive applications, so it is not applied correctly. While many organizations have blocked legacy protocols as a security measure, this remains a widespread problem.
Applicable security mechanisms
The threat is real, so Proofpoint experts recommend implementing the following measures to improve the security of your cloud infrastructure:
- Automatically block access from locations and risky networks
- Implement people-centered policies
- Apply more aggressive controls: multi-factor authentication, access through browser isolation, use of virtual private network (VPN), among others
Implementing these measures will positively impact your organization’s security.
Although when buying a new smartphone most users focus on build quality, number of cameras or design, experts from a cyber security audit firm insist that device security should be their main concern.
Mobile security is a real problem, so some manufacturers have options available to users concerned about protecting sensitive information stored on their devices.
Many of the most popular smartphone models are highly vulnerable to hacking, which should be reason enough for users to at least consider purchasing a safer device rather than stopping to think about whether the design is good enough. Below are some high-security device options that deliver great performance to users. These devices were tested by experts from the cyber security audit firm.
Bittium Tough Mobile 2
This is an ultra-secure device designed and built for professionals with the highest security requirements, as it is virtually impossible to hack. Its high standards have made it one of the most widely used tools by security agencies in more than 30 countries.
Bittium Tough Mobile
Although it is a version prior to Bittium Tough Mobile 2, this device has the most advanced security features, ensuring that sensitive user data will always be out of reach of threat actors.
Finney U1
Developed by Swiss-based Sirin Labs, this smartphone runs military-grade blockchain technology at both the hardware and software level. In addition, experts from the cyber security audit firm mention that the phone has an internet-free Bitcoin wallet, ideal for cryptocurrency investors.
Silent Circle Blackphone 2
This is a smartphone designed to isolate user conversations, ensuring that no intruder will be able to intercept their communications. The device is fully encrypted, so no unauthorized party will be able to see anything, including text messages, calls, location data, files and more.
This device will help users protect their privacy comprehensively at an affordable price, in what marks BlackBerry’s return to the mobile market.
While most of these devices are intended for law enforcement agencies, politicians, entrepreneurs and activists, this does not mean that other users cannot purchase one, although they should keep in mind that some features are limited in favor of privacy.
Information security managers at the Vatican are working overtime. Specialists in data destruction report that a group of hackers allegedly backed by the Chinese Communist Party has launched a new hacking campaign intended to compromise the Vatican’s email servers for espionage purposes. This campaign comes at a delicate moment in relations between China and the Catholic Church.
The hacking group, identified as RedDelta, carried out its first attacks on the Vatican last May, although it paused its activities after being mentioned in intelligence reports published by the American firm Recorded Future. More recent reports indicate that further attacks have been detected, although this time the hackers are also targeting the Catholic Diocese of Hong Kong.
RedDelta uses advanced techniques in support of the Chinese government’s priorities, including strict surveillance of Catholic groups within China, which involves espionage, phishing and hacking campaigns, as mentioned by experts in data destruction. It should be remembered that the Vatican and China are in the process of renewing an agreement under which the Catholic authorities can appoint bishops in the Asian giant.
After the breakdown of diplomatic relations between China and the Vatican in 1951, the Communist Party was reluctant to reach agreements with the Church. The agreement is therefore a sign of diplomatic capacity, considering that Xi Jinping’s government has undertaken fierce policies of repression against minority groups in China, including believers; the demolition of temples and the arrest of priests are clear evidence of the Communist Party’s stance on Catholicism.
A Vatican spokesman expressed both sides’ intention to extend the agreement, which expires in October, although there are serious impediments. Thanks to recent leaks, data destruction experts learned that one of China’s conditions is for the Vatican to cut off any relationship with Taiwan.
In this regard, China’s Ministry of Foreign Affairs has repeatedly denied any connection to this alleged hacking campaign, calling these reports “simple speculation”. For their part, the researchers stand by their version and claim that RedDelta will continue the attacks, albeit more discreetly, since its recent actions have attracted unwanted attention.
The Nintendo Switch handheld console has become very popular, rivaling the sales of consoles like the PlayStation 4. However, there is a problem with this device: video game crackers have worked out methods of hacking the console, affecting Nintendo’s profits, according to information security awareness experts.
The Team-Xecuter hackers, who jailbroke the first-generation Switch in 2018, have just announced SX Core and SX Lite, tools to crack all versions of the Switch.
According to information security awareness researchers, a cracked Switch can run content downloaded from the network, so players do not need to purchase authentic games, either physical or digital. After Nintendo announced fixes for the exploited vulnerabilities, the Team-Xecuter hackers continued their research into the console’s code, putting various cracking tools up for sale through their website.
What has Nintendo done about it? There is currently a legal proceeding to prevent Team-Xecuter from continuing to sell these cracking tools. However, given the nature of the cracks developed by this group, Nintendo cannot do much to stop users from running pirated software, so its only remaining option is to release new versions of the console: “Team-Xecuter illegally designs and manufactures an unauthorized operating system, in addition to the hacking tools that complement it,” Nintendo’s lawsuit states.
The company has also managed to shut down some hacking websites, although the video game crackers have not stopped. If things do not change, information security awareness specialists anticipate that Nintendo will start reporting ever-increasing economic losses, making it difficult to develop quality video games without the fear of losses.
A team of cybersecurity awareness specialists published research describing a theoretical attack on the Transport Layer Security (TLS) encryption protocol that could lead to the decryption of HTTPS connections between users and servers, exposing potentially sensitive communications.
This scenario, dubbed the Raccoon Attack, was described by the experts as “a security risk that is highly difficult to exploit”, due to its “abnormal” conditions.
Broadly speaking, cybersecurity awareness specialists describe the Raccoon attack as a timing-dependent scenario in which a threat actor must measure the time required to perform cryptographic operations in order to determine some parts of the algorithm.
The main target of the Raccoon attack is the Diffie-Hellman key exchange, from which hackers try to obtain a few bytes of information: “This helps threat actors define a set of equations and employ a solver for the hidden number problem (HNP), in order to compute the original premaster secret established between the client and the server”, as one of the researchers mentioned.
The report specifies that all servers that use Diffie-Hellman key exchange to set up TLS connections are vulnerable to such attacks, and that it is a server-side attack that cannot be performed against a client, such as a browser. The attack must also be run separately for each client-server connection and cannot be used to retrieve the server’s private key and decrypt all connections at once. Any version of TLS earlier than 1.2 could be considered vulnerable, cybersecurity awareness experts mention.
While this is a significant risk scenario, the researchers emphasize how difficult it would be to execute: “This attack requires that certain very rare conditions be met, in addition to requiring a specific server configuration, so we consider the vulnerability to be highly difficult to exploit,” one of the researchers says.
In additional comments, the experts point out that an attacker would need to be located close to the target server to obtain very accurate measurements, which is highly impractical.
Since their arrival on the market, dating apps have become a highly popular tool for people looking for a partner, open relationships or simply socializing, according to information security awareness experts. Among the different options available, Tinder is probably the most popular app, with millions of active users per month, and it is precisely this popularity that has made the platform a center of operations for multiple malicious users, who create fake profiles for malicious purposes.
In addition to fake profiles, there are Tinder bots, simple software that replies to messages much like legitimate users and can go completely unnoticed.
For frequent users of these platforms, information security experts have developed a set of recommendations to help them identify potential malicious users or bot accounts on Tinder.
The timeline is probably the most important element of a Tinder profile, even more than the user’s photos, so an account that provides no details in this section is suspicious. For many information security researchers this is the main warning sign.
Response time is always the same
When interacting with another account on Tinder, the response time may vary. However, users should bear in mind that a bot is an automated program that does not account for such variables, so its response time will be invariably fast; be realistic, no user immediately responds to all their messages.
Meaningless and out-of-context responses
Bots do not understand concepts like the context of a conversation, so users will often receive answers that make no clear sense, an indication that they are interacting with a software tool.
No one is perfect, even though bots appear to be perfect
On Tinder we can find all kinds of profiles showing their photos as they are. As for fake profiles, it is very common for bot operators to steal photos of models or influencers with great physical appeal to engage unsuspecting users. Remember, a profile with overly elaborate or perfect photos is surely a fake profile.
Malicious users can ask for things in return
Users should be wary if a Tinder profile asks them for money, gifts or anything else in exchange for the interaction, as it could be a scam. Under no circumstances should they give financial details to strangers on these platforms.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the International Institute of Cyber Security (IICS) website, as well as the official platforms of technology companies.
Information security is no longer an issue where only experts need to stay updated. The New York State Bar Association (NYSBA) House of Delegates approved a proposal for attorneys in this region to complete cybersecurity training courses as part of the Continuing Legal Education (CLE) requirements they must meet.
This proposal originates after the Technology and Legal Profession Committee submitted a report on the cybersecurity risks that legal firms currently face.
Approval of this proposal could take place before October, which would be a good sign of New York lawyers’ commitment to the safety of legal service users. It should be remembered that legal firms that store confidential information of their clients and employees electronically must ensure adequate protection of this data, which involves constant training of their IT staff, in order to comply with the New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act.
Experts say cybersecurity threats to legal firms have increased considerably. In an investigation published in the New York Law Journal, the Committee notes that the number of computer security incidents affecting law firms has increased by 100% compared to 2018.
Security incidents could rise further due to the pandemic, as many firms have switched to working from home, depending heavily on remote communication platforms and leaving their employees more vulnerable to cyberattacks.
In addition to applying to legal firms and law firms, the SHIELD Act also applies to any individual or company that owns or licenses computerized data of New York residents. To comply with the Act, companies and individuals must develop, implement and maintain reasonable security mechanisms to protect their users’ data.
Legal professionals continuously work with sensitive and even confidential information, which is why the profession has begun to consider cybersecurity training as a way to protect private information from any incident that could compromise its integrity. In addition, under the New York Professional Conduct Rule, attorneys must make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to, the information they work with, so in practice this proposal is a new way of enforcing state law.
Ironically, cybersecurity companies are among the organizations most exposed to hacking incidents. Such is the case of Cygilant, a firm dedicated to detecting cybersecurity threats that has fallen victim to a ransomware infection. In a statement, Chief Financial Director Christina Lattuca acknowledged that the firm was aware of a recent encryption malware infection affecting some of the company’s systems.
In the document, the company mentions: “Our Cyber Response and Defense Center has already taken appropriate steps to stop the infection. We are working in conjunction with external specialists and relevant authorities to determine the impact of that attack.”
Nothing is yet known about those responsible for the attack or the ransomware variant used, although some members of the cybersecurity community attribute the incident to NetWalker, a ransomware-as-a-service group that makes its tools and capabilities available to anyone willing to pay the price.
It has become customary for threat actors not to limit themselves to encrypting compromised information: they now also steal data and publish it on hacking forums, which the company’s executives feared would be the case here. Cygilant’s fears were confirmed soon after, when screenshots of files and directories of the company’s internal network were posted on a dark web site. At the time of publication the data had been removed from that forum, although it is unknown whether the company paid the ransom.
Brett Callow, of security firm Emsisoft, says that these hacking groups usually delete the exposed information after companies pay the ransom, although there are other scenarios: “Sometimes criminals delete this information temporarily in order to negotiate a ransom, so it is not yet possible to confirm whether Cygilant has already made any payment.”
Information security specialists consider the most dangerous security threats to be those that receive constant updates. An example is the Qbot banking Trojan (also known as Qakbot and Pinkslipbot), which has wreaked havoc for more than ten years thanks to its developers continually updating it. Qbot has multiple malicious features, including:
- Theft of information from infected systems (email addresses, passwords, bank details, etc.)
- Installing other malware variants
- Allowing the malware’s controllers to carry out bank transactions from the victim’s IP address
- Hijacking legitimate email conversations to spread the infection to other users
Last March, Check Point Research specialists detected an attack campaign using Qbot that ran until June; as the experts anticipated, the operators of this campaign paused their activities (allegedly to prepare subsequent attacks), but these hackers reappeared unexpectedly less than a month after the hiatus.
At the end of July, experts detected the return of Emotet, one of today’s most dangerous Trojans, which managed to infect about 5% of companies worldwide. In some of these infections experts also detected an updated version of Qbot with new command and control infrastructure and updated techniques for spreading the malware. Most of these infections were detected in the United States and Europe, mainly affecting government, military and manufacturing organizations, among others, Check Point Research experts mentioned.
Despite the multiple updates this Trojan has received, specialists consider that the most important stage of the infection process remains the use of malicious emails. The following diagram describes the infection process observed in the new Qbot update:
Although at first glance the use of malicious emails does not seem innovative, experts found that the operators of this campaign were able to hijack email conversations (as mentioned above). Apparently, conversations are hijacked using “Email Collector”, a module recently added to Qbot. The following images show examples of the malicious emails:
As can be seen, these messages contain a URL that redirects users to a ZIP file containing a malicious Visual Basic Script (VBS) file. Experts detected hundreds of different URLs used in this campaign, most of them pointing to compromised WordPress sites or sites created specifically for this purpose.
Although it does not look like a sophisticated hacking campaign, the new version of Qbot has dangerous capabilities that could put any organization’s IT infrastructure at risk, so companies will have to remain alert to any attempted attack.
A new finding on the dark web has put the security teams of hundreds of companies on alert. Specialists report that an unidentified user is selling access to more than 900 Citrix Systems deployments. Affected organizations include a U.S.-based cooperative bank, as well as government organizations, telecommunications and IT services companies around the world.
Citrix Systems is an American company that develops software solutions for virtualization, computer networking and cloud computing services, including the open source Xen project. Today, more than 230,000 organizations around the world use some of Citrix’s solutions, according to the company’s latest reports. The following are some screenshots shared by the seller:
The company has yet to comment, although it is highly likely that this information will be confirmed in the coming days, as has happened in similar incidents. Nor is any detail known about the seller or the method used to compromise access to the affected organizations.
A few weeks ago, another user of darknet hacking forums announced the sale of a database allegedly belonging to Citrix that contained about 2 million records of the company’s customers. The database, identified as citrix_leads_vivo, was on sale for 2.15 Bitcoin (about $20,000 USD at the current exchange rate).
Technological implementations can have security flaws that no one would expect, as mentioned by specialists from an ethical hacking course. An example is recent research showing that it is possible to copy a key simply by listening to the sound it produces when it is inserted into the lock.
According to the specialists, this only requires a smart doorbell (or, failing that, a smartphone) and a 3D printer.
Although this sounds like a sci-fi story, hackers claim that it is possible to use signal processing software to capture the sounds produced by the key and determine its exact shape. Subsequently, using the 3D printer, an identical key can be created, as mentioned by the specialists of the ethical hacking course.
After conducting their research, Soundarya Ramesh, a computer scientist at the National University of Singapore, and her team found a way to make this a reality. The first thing required is to record the sound a key produces when it enters the lock. For obvious reasons, this requires being close to the target.
Once this sound is recorded, the SpiKey inference software is used, which filters the signal to pick out each sharp metallic click as the key’s ridges hit the lock mechanism. According to the experts of the ethical hacking course, these clicks are essential to determine the shape of the key, since the time elapsed between each of them allows the software to calculate the distances between the edges of the key, something known to locksmiths as “bit depth”.
Using this information, SpiKey produces the three most likely key designs. It is worth mentioning that the initial combinations yield more than 300 thousand possible results, so this is highly efficient software. In a recently released video, Ramesh details this procedure.
This is another finding in a field that has seen little research, although such techniques represent a significant risk vector. For example, high-speed video of objects such as potted plants or chip bags can be used to extract vibrations and reconstruct the sound around those objects.
The most dangerous malware variants are those that receive constant updates, improving their ability to compromise attacked systems, as mentioned by experts from a computer security course. Mimikatz is an open source post-exploitation tool used in credential-based attacks on Windows. A couple of years ago its developers added DCShadow, a feature of the lsadump module that allows threat actors to gain persistent privileged access in Windows Server Active Directory (AD) and cover the traces of the attack.
AD attacks are very common, as AD controls security on most systems where it is deployed. When malicious hackers gain privileged access to AD, they can also compromise servers and devices joined to the AD domain.
In a DCShadow attack, a Windows device joined to the AD domain is registered as a domain controller (DC) by creating two new objects in the domain’s configuration partition. The attack can be performed from Windows 10 and, although Windows 10 cannot be a DC, DCShadow tricks the AD implementation into thinking that the Windows 10 machine is actually a DC, the experts of the computer security course mention.
While these attacks are a growing trend in the cybercrime world, it is possible to implement some measures to prevent them. Security firm Petri researchers mention that the best way to prevent these attacks is to prevent malicious hackers from gaining privileged access to the target system, which is possible through the methods described below.
Workstations with privileged access
It is highly recommended that domain administrator credentials (and other highly privileged accounts) be used only on workstations with the necessary security measures. These Privileged Access Workstations (PAWs) are isolated from the public Internet.
Delegation of privileges for minor tasks
User and group management can easily be delegated to users other than the administrator; the advantage is that this does not require granting privileged access to the domain, according to experts in the IT security course.
Protecting accounts with Windows tools
Credential Guard, a Windows Defender feature, provides additional protection for domain accounts by isolating credentials in an area that even the system kernel cannot access. Tools such as Credential Guard require a device that supports virtualization-based security (VBS).
A privileged identity management (PIM) solution can help organizations monitor and control privileged access to AD. Windows Server 2016 shadow principals and time-limited AD group memberships help enterprises regain control of Active Directory when used with a specially hardened AD forest dedicated to administration.
These mechanisms, together with activity logging and appropriate security monitoring, should allow domain administrators to mitigate the risk of attack.
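As an added illustration of the "activity logging and security monitoring" point (example code, not from the article or from Petri): a DCShadow registration leaves traces that a defender can look for, namely DC-only SPNs (GC/... and the DRS replication SPN class E3514235-4B06-11D1-AB04-00C04FC2DCD2/...) appearing on a computer account (Security event 4742) and server/nTDSDSA objects being created under CN=Sites in the Configuration partition (event 5137). The events below are constructed, simplified records, and the host names, domain and known-DC list are assumptions.

```python
"""Flag hosts that look like domain controllers but are not on the known-DC list."""
import re

# DRS replication SPN class that only real DCs should carry (documented DCShadow artefact)
DRS_SPN_PREFIX = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
# nTDSDSA objects live under CN=NTDS Settings,CN=<host>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration
NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=[^,]+,CN=Sites,CN=Configuration,", re.I)
SERVER_RE = re.compile(r"^CN=([^,]+),CN=Servers,CN=[^,]+,CN=Sites,CN=Configuration,", re.I)

# Constructed sample events (not real logs): 4742 = computer account changed, 5137 = DS object created
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "WS-FINANCE01$",
     "ServicePrincipalNames": "HOST/WS-FINANCE01; GC/ws-finance01.corp.example/corp.example; "
                              + DRS_SPN_PREFIX + "1f2e3d4c-0000-0000-0000-000000000001/corp.example"},
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": "HOST/DC01; GC/dc01.corp.example/corp.example"},
    {"EventID": 5137, "ObjectClass": "server",
     "ObjectDN": "CN=WS-FINANCE01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS-FINANCE01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"EventID": 5137, "ObjectClass": "user", "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=example"},
]
KNOWN_DCS = {"DC01"}  # assumed inventory of legitimate domain controllers

def dc_like_spns(spn_field):
    """Return the SPNs in a ';'-separated field that only a real DC should carry."""
    spns = [s.strip() for s in spn_field.split(";") if s.strip()]
    return [s for s in spns if s.upper().startswith("GC/") or s.upper().startswith(DRS_SPN_PREFIX)]

def registered_host(event):
    """Host named by a 5137 creation of a server/nTDSDSA object under CN=Sites, else None."""
    if event.get("ObjectClass", "").lower() not in ("server", "ntdsdsa"):
        return None
    for rx in (NTDS_RE, SERVER_RE):
        m = rx.match(event["ObjectDN"])
        if m:
            return m.group(1).upper()
    return None

def find_rogue_dcs(events, known_dcs):
    """Return {host: [reasons]} for hosts showing DC artefacts without being known DCs."""
    known = {d.upper().rstrip("$") for d in known_dcs}
    findings = {}
    for ev in events:
        if ev["EventID"] == 4742:
            host = ev["TargetUserName"].upper().rstrip("$")
            spns = dc_like_spns(ev.get("ServicePrincipalNames", ""))
            if spns and host not in known:
                findings.setdefault(host, []).append("4742: DC SPNs added: " + ", ".join(spns))
        elif ev["EventID"] == 5137:
            host = registered_host(ev)
            if host and host not in known:
                findings.setdefault(host, []).append(f"5137: {ev['ObjectClass']} object created under CN=Sites")
    return findings

if __name__ == "__main__":
    for host, reasons in find_rogue_dcs(SAMPLE_EVENTS, KNOWN_DCS).items():
        print(host, reasons)
```

On a real domain, 5137 events only appear when the Directory Service Changes audit subcategory is enabled and the Configuration partition carries an auditing SACL; the 4742 field layout in production logs differs from the simplified records above.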
IN 2020 HARD-CODED USERNAMES & PASSWORDS FOUND IN CISCO VIRTUAL WIDE AREA APPLICATION SERVICES (VWAAS). PATCH NOW
Cloud security course specialists revealed the finding of a critical vulnerability in Cisco Virtual Wide Area Application Services (vWAAS), a virtual deployment for both enterprises and service providers that accelerates business applications delivered from virtual and private cloud infrastructure. According to the report, successful exploitation of this flaw would allow threat actors to gain full control of the target system.
Below is a brief overview of the reported flaw, together with its identifier and its score under the Common Vulnerability Scoring System (CVSS).
CVE-2020-3446: Hard-coded credentials in Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS) would allow unauthenticated remote malicious hackers to access the affected system.
According to cloud security course experts, successful exploitation of this flaw could compromise the vulnerable system altogether.
Vulnerable Cisco Wide Area Application Services versions are: 6.0(1), 6.1(1), 6.2(1), 6.2(3), 6.2(3a), 6.2(3b), 6.2(3c), 6.2(3e) 31, 6.2(3e) 40, 6.3(1), 6.4(1), 6.4(3d). The vulnerability also affects Cisco ENCS 5400-W and CSP 5000-W series devices running Cisco vWAAS with NFVIS-bundled image versions 6.4.5, 6.4.3d, or earlier.
This is considered a critical vulnerability and received a CVSS score of 8.5/10.
While cloud security course specialists note that the flaw can be exploited by remote threat actors over the Internet, no active exploitation attempts or related malware have been detected so far. Patches are available, so administrators of affected deployments are encouraged to update as soon as possible.
The absence of authentication mechanisms on some online platforms can cause serious problems for their users. Experts from an ethical hacking course detail how an entrepreneur from Volusia County, Florida, fell victim to a variant of fraud due to the scant security measures on a government website.
Blair Burk, owner of Medical Facilities Construction Group, a company that builds and maintains medical practices, claims that a hacker accessed his company's state records, modifying the information and removing his name from them. "This man came in and said he was the president of my company. I can't even understand what happened," the victim says.
However, the company's profile in the Florida Division of Corporations, in charge of the official registration of local companies, lists the owner as an individual named Nicolas Carioti, from South Florida. Apparently, someone altered the official records stored on Sunbiz.org: "I never thought anyone could just get into the system and change this information," Burk adds.
This is serious in itself, although experts from the ethical hacking course mention that the worst was yet to come. After consulting the platform's managers, Burk discovered that his information was not protected by a password or any other authentication requirement, so any user could change his official corporate records: "It's something that's allowed, there's nothing that can prevent it. If you ask those responsible, they say they're sorry, but that only lawmakers can change the situation."
Burk only received a government alert by email informing him of the change to the corporate records. The business owner fears that the individual who modified this information will try to profit at the expense of his company, for example by applying for a bank loan, drafting a contract, or committing some other variant of bank fraud.
Tommy Orndorf, expert in an ethical hacking course, analyzed what happened to Burk, noting that it is possible to change these profiles without a password or any other form of verification: "These platforms must have some verification mechanism, not just an email," the specialist says.
Upon inquiry, the Florida Division of Corporations said that Burk's complaint had already been addressed and the flaws on its website corrected. However, the affected user still fears that someone might tamper with these records again: "It took me three days to fix this and I don't want to go through a similar situation again," Burk concludes.
The Common Weakness Enumeration (CWE) vulnerability categorization system has released its TOP 25, which gathers the most common and dangerous security flaws of the past two years. According to information security training specialists, CWE considers the listed flaws highly dangerous because of how easy they are to exploit, the impact they can have, and how frequently related attacks occur.
For the creation of this list, CWE considered the information available on systems such as Common Vulnerabilities and Exposures (CVE), the Common Vulnerability Scoring System (CVSS), as well as the information available in the National Vulnerability Database (NVD).
Below is a brief description of the reported flaws, as mentioned by the information security training specialists:
Experts mention that the main difference between this TOP 25 and the previous one is the shift toward specific flaws rather than class-level flaws. Although class-level flaws still appear in the list, their rankings dropped considerably. Specialists believe this trend will continue in the near future.
In the list, the class-level flaws CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation), and CWE-200 (Exposure of Sensitive Information) lost some points. On the other hand, specific flaws such as CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting) showed a noticeable increase, as mentioned by the specialists of the information security training.
The flaws whose scores rose the most in the most recent list are:
- CWE-522 (Insufficiently Protected Credentials): from #27 to #18
- CWE-306 (Missing Authentication for Critical Function): from #36 to #24
- CWE-862 (Missing Authorization): from #34 to #25
- CWE-863 (Incorrect Authorization): from #33 to #29
As you can see, these flaws reside in some of the hardest areas of a system to analyze. On the other hand, specialists believe that the user community has improved its analysis and protection capabilities, significantly reducing the incidence of several security flaws.
The flaws whose scores fell the most are:
- CWE-426 (Untrusted Search Path): from #22 to #26
- CWE-295 (Improper Certificate Validation): from #25 to #28
- CWE-835 (Loop with Unreachable Exit Condition, i.e. infinite loop): from #26 to #36
- CWE-704 (Incorrect Type Conversion or Cast): from #28 to #37
This TOP 25 can be very useful for developers, researchers and users, as it is a reliable report of the most consistently encountered flaws; in other words, it is a snapshot of cybercriminal trends.
The Southeastern Philadelphia Transportation Authority (SEPTA) has confirmed the detection of a malware attack on its servers. According to pentesting course specialists, the incident has prevented SEPTA from sharing up-to-date trip information since Monday. The report was published by The Philadelphia Inquirer.
Local authorities began an investigation after SEPTA reported technical problems over the weekend, although they eventually had to turn to the Federal Bureau of Investigation (FBI) and outside cybersecurity experts. As part of its incident handling, SEPTA shut down multiple real-time systems, in addition to its payroll and remote timekeeping systems.
SEPTA announced that SEPTA Key, the card users tap to enter the transit system, was not compromised during the incident: "We are doing our best to address this situation, we hope we will not have to close our systems again," the authority says. Specialists from the pentesting course assert that SEPTA is not the only organization affected, although additional details have not been revealed.
How long the SEPTA systems will be affected is still unknown, as the malware variant used by the threat actors has not been disclosed, although specialists think it may be a ransomware attack. Users of the public transport system began to notice failures on Monday morning, reporting the incidents on social networks, a situation that lasted until Tuesday.
The recommendation for customers is to consult the printed schedules or request reports from the personnel at the affected stations until the information systems can be restored. This incident occurred at an inconvenient time, as people are returning to their daily activities after the period of isolation due to the pandemic, and any damage to public transport systems ends up affecting users.
According to pentesting course experts, last year cybercriminals forced SEPTA to shut down an online store that sold tickets and merchandise. Hundreds of customers are likely to have been victims.
Phone fraud keeps acquiring new variants and more sophisticated resources, specialists from a cyber security consulting company report. A few days ago a reporter recounted how he contacted a seller of special SIM cards, allegedly of Russian origin, that are used to impersonate any phone number without the target being able to detect the fraud.
In the report, published by Motherboard, the reporter says he managed to contact an individual who claims to run a website specializing in the sale of these SIM cards from Russia. The individual phoned the reporter using one of these cards; as mentioned above, the chip allowed him to forge any phone number: "It's very easy to trick a user into pretending to call from a bank or simply to prevent the caller ID from recording the actual phone number," the seller states.
These tools go by various names in the cybercriminal community, among them "Russian SIM cards", "encrypted chips" and "blank SIM cards", mention specialists of the cyber security consulting company. While the operation is the same, the reporter states that in some variants of the attack criminals also employ real-time voice manipulation or add background noise (street ambience, offices, and so on). In addition, these SIM cards can be combined with data exposed in data breach incidents to deploy targeted attacks.
While these blank SIM cards are not illegal on their own, their use is clearly a crime, as the operators of these campaigns impersonate individuals and organizations, and they use information exposed in security incidents for malicious purposes. The National Crime Agency (NCA) recently reported the confiscation of multiple of these Russian SIM cards as evidence in an investigation.
According to specialists from the cyber security consulting company, encrypted phone vendors (whether legitimate firms or black market sellers) also offer these Russian SIM cards, so users of encrypted devices are likewise able to impersonate the phone numbers of any person or organization they want. According to the Motherboard reporter, these SIM cards work seamlessly in countries such as Colombia, the United Kingdom, Morocco, Mexico, and the United States.
In a video recently posted on YouTube, a seller showed how to forge phone numbers with these SIM cards. The seller wrote a series of digits on a phone, followed by an asterisk and the number to be impersonated. Soon after, a second phone showed the number impersonated.
The world’s most popular SIM card for cybercrime
Although many vendors mistakenly claim that these kinds of tools provide complete protection against government investigations, they are a widely used resource among cybercriminals in multiple parts of the world. On the other hand, Matt Horne, deputy director of investigations at the NCA, mentions: "Multiple organized crime groups try to evade justice through this kind of tools, which has become an extended and certainly useful practice."
Everyone agrees that spam is one of the things tech users hate most. No matter how many times we empty the junk mail folder, it will be full again a couple of hours later, the hard drive destruction service specialists mentioned.
There is really no way to avoid spam entirely, although there are ways to deal with it effectively. Here's how to create a disposable email address, which will significantly reduce the amount of spam reaching your actual inbox. The best part is that no unconventional tools are needed; you only need to know about one Gmail feature.
Google doesn’t have its own disposable email service, although Gmail users have the option to create a custom email address that can be discarded when it’s no longer needed. According to the specialists in hard drive destruction service, here are the steps to take to use this tool:
- When prompted to enter your email address on a service with which you would prefer not to share information, write it as usual but add a specific tag. The following example uses the tag "+unwantedemail", so that yourname@gmail.com becomes yourname+unwantedemail@gmail.com (the '+' sign is useful, but is not required). Emails sent to that address will still appear in your inbox along with everyone else's, but with that specific tag at the end of the address, which helps get rid of spam more efficiently.
- After adding this tag, users can set up a Gmail filter so that any message that includes the tag is automatically deleted. To do so, type the tag in the search box at the top of the inbox and click the arrow on its right side. Then enter the tag in the "From" field of the search form and click "Create filter".
- On the next page, select the "Delete it" check box and click "Create filter". From then on, tagged mail will no longer appear in your inbox, mentioned specialists in hard drive destruction service.
It should be mentioned that disposable email services external to Google also exist; however, Gmail filters are the most recommended option for users who simply want to get rid of unwanted or useless advertising.
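As an added example (not from the article): the tag trick works because Gmail delivers every "+tag" variant of an address to the same mailbox, which is also why services that deduplicate accounts by email address should canonicalize Gmail addresses before comparing them. The code below goes slightly beyond the article's single "+tag" case by also ignoring dots in the local part and treating googlemail.com as gmail.com, both of which Gmail routes to the same inbox; the sample messages are constructed.

```python
"""Split a Gmail address into its canonical mailbox and '+tag', and apply a tag filter."""

GMAIL_DOMAINS = ("gmail.com", "googlemail.com")

def split_gmail_address(addr):
    """Return (canonical_mailbox, tag). For non-Gmail domains the address is only
    lower-cased and the tag is None. For Gmail, the '+tag' suffix is removed and
    reported separately, dots in the local part are dropped, and googlemail.com is
    folded into gmail.com, since all of these variants reach the same inbox."""
    addr = addr.strip().lower()
    local, _, domain = addr.rpartition("@")
    if domain not in GMAIL_DOMAINS:
        return addr, None
    base, _, tag = local.partition("+")
    return base.replace(".", "") + "@gmail.com", (tag or None)

def apply_tag_filter(messages, tag):
    """Split messages into (kept, deleted), deleting those whose recipient carries the tag.
    Mirrors what the Gmail filter described in the article does with 'Delete it'."""
    kept, deleted = [], []
    for msg in messages:
        _, msg_tag = split_gmail_address(msg["to"])
        (deleted if msg_tag == tag else kept).append(msg)
    return kept, deleted

# Constructed sample messages (not real mail)
SAMPLE_MESSAGES = [
    {"to": "jane.doe+unwantedemail@gmail.com", "subject": "50% off everything!!!"},
    {"to": "Jane.Doe@gmail.com", "subject": "Invoice for March"},
    {"to": "janedoe+unwantedemail@googlemail.com", "subject": "You have been selected"},
    {"to": "janedoe+newsletter@gmail.com", "subject": "Weekly digest"},
]

if __name__ == "__main__":
    kept, deleted = apply_tag_filter(SAMPLE_MESSAGES, "unwantedemail")
    print("kept:", [m["subject"] for m in kept])
    print("deleted:", [m["subject"] for m in deleted])
```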