Archive for March 14, 2023

Investment Fraud is Now Top Cybercrime Earner: Internet Crime Report

Posted in Commentary with tags on March 14, 2023 by itnerd

According to the 2022 Internet Crime Report compiled by the IC3, at $3.3 billion, Investment Fraud is now the top-earning cybercrime category, surpassing business email compromises in 2022, according to the FBI. Furthermore, the Bureau said the increase was mainly a result of criminals spoofing legitimate business phone numbers to confirm fraudulent banking details with their victims.

Global consumers and businesses filed throughout 2022:

•    $10.3bn total cybercrime losses (up 49% yoy)
•    801,000 complaints (down 46,000 yoy)
•    $3.31bn total Investment fraud (up 127% yoy)
•    $806.6m total Tech support fraud (up 132% yoy)
•    $2.7bn total BEC fraud (up 14% yoy)
•    300,000 phishing complaints (down 7% yoy but still the most popular form)

The report also noted that while 2,385 complaints about ransomware were reported last year, estimating losses at $34.4m, the loss figures do not represent the full scale of the financial burden placed on organizations. Also, many ransomware breaches go unreported and loss estimates do not include lost business, time, wages, files, equipment or third-party remediation services used by victims.

Monti Knode, Director of Customer Success, Horizon3.ai had this to say:  

   “The SVB collapse is a perfect storm for both Investment fraud and BEC — the top two losses categories from the IC3.

   “Right now, thousands of tech companies are moving their money, but even more fragile is the fact that they are messaging with their customers and reestablishing invoicing and payments. This is creating confusion and opens up opportunity for attackers to pose and prey on unwitting customers.

   “Tech companies caught up in the SVB collapse will need to be extremely diligent and get personal with their customer base to maintain trust during this tough time, or a customer may quickly attribute the moniker of “threat” to their vendor, and that’s nowhere anyone wants to be.”

This dovetails into a story that I put up yesterday saying that I expect attacks that are leveraging the failure of SVB. Given the numbers in this report, we could start seeing those attacks at any time. Never mind all the usual cybercrime that we see now. And that’s going to cost us all a lot of money.

New Fortinet FortiOS bug used to attack government networks

Posted in Commentary with tags on March 14, 2023 by itnerd

Sophisticated attackers are using a recent CVE vulnerability patched by FortiOS earlier this month to target government and large organizations. The patch for CVE-2022-41328 was released by Fortinet on March 7th for what FortiOS called a high-severity security vulnerability (CVE-2022-41328) that allows attackers to execute unauthorized code or commands.

In a report last week Fortinet revealed that a hack on one of its customers caused all of their FortiGate devices to begin shutting down at the same time, with “System enters error-mode due to FIPS error: Firmware Integrity self-test failed” messages and they failed to boot again. The FIPS-enabled devices verify the integrity of system components and if an integrity breach is detected, the device will shut down and refuse to boot to protect the integrity of the network.

The FortiGate firewalls were breached via a FortiManager device on the victim’s network and appeared to have been hacked using the same tactics. The investigation showed that the attackers modified the device firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process began.

“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said.

The attackers have also demonstrated “advanced capabilities,” including reverse-engineering parts of the FortiGate devices’ operating system.

“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.”

Horizon3.ai Exploit Developer James Horseman had this to say:

   “The level of sophistication demonstrated in this attack indicates that the attackers have a deep understanding of FortiOS, which suggests that they have considerable resources and expertise at their disposal. This is likely a targeted attack, as indicated by Fortinet’s statement that there are “hints of preferred governmental or government-related targets.”

   “It is worth noting that the writeup from Fortinet does not provide information on how the attackers gained initial access, which is a crucial part of understanding the full scope of the attack. While CVE-2022-41328 allows for the execution of unauthorized code or commands, it requires privileged access. This suggests that the attackers either obtained credentials for the FortiGate/FortiManager devices or used another exploit to gain remote code execution. It is also possible that the attackers used an undisclosed 0-day to gain initial access.

   “Given the severity of the vulnerability and the potential for the attackers to have gained privileged access to the targeted systems, organizations that use FortiOS should take immediate steps to patch the vulnerability and monitor their systems for any suspicious activity. Additionally, it is important to stay informed about any new developments in this attack to understand its full impact and how the attackers were able to again initial access.”
 

David Maynor, Senior Director of Threat Intelligence, Cybrary follows up with this comment:

   “Fortinet has turned into the Ground Hog Day of vulnerabilities.”

What he’s referencing is that this isn’t the first go round with vulnerabilities related to Fortinet products:

In January, Fortinet disclosed a very similar series of incidents where a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and government-related entities.

Thus I suspect that enterprises that own Fortinet gear may be thinking twice about having it on their networks.

This Month’s Patch Tuesday Drop Has A Ton Of Fixes That Should Make You Patch Everything Immediately

Posted in Commentary with tags on March 14, 2023 by itnerd

As I type this I am installing this month’s Patch Tuesday updates on all of my hardware and VMs that run Microsoft software. And according to Bleeping Computer, it’s a good thing that I am:

Today is Microsoft’s March 2023 Patch Tuesday, and security updates fix two actively exploited zero-day vulnerabilities and a total of 83 flaws.

Nine vulnerabilities have been classified as ‘Critical’ for allowing remote code execution, denial of service, or elevation of privileges attacks.

The number of bugs in each vulnerability category is listed below:

  • 21 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 27 Remote Code Execution Vulnerabilities
  • 15 Information Disclosure Vulnerabilities
  • 4 Denial of Service Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 1 Edge – Chromium Vulnerability

This count does not include twenty-one Microsoft Edge vulnerabilities fixed yesterday.

Gal Sadeh, Head of Data and Security Research, Silverfort has this view of some of the vulnerabilities fixed in this dump:


     “A critical RCE vulnerability in Remote Procedure Call Runtime, CVE-2023-21708, should be a priority for security teams as it allows unauthenticated attackers to run remote commands on a target machine. Threat actors could use this to attack Domain Controllers, which are open by default. To mitigate this, we recommend Domain Controllers only allow RPC from authorized networks and RPC traffic to unnecessary endpoints and servers is limited.

Being exploited in the wild, a vulnerability in Windows Defender SmartScreen (CVE-2023-24880) allows attackers to subvert in-built Windows protections blocking untrustworthy files.  The usual checks on reputation and source of files are bypassed, allowing malicious programs to run. This new threat is similar to another actively exploited SmartScreen vulnerability, patched by Microsoft in December 2022.

Another critical vulnerability, CVE-2023-23415, poses a serious risk as it allows attackers to exploit a flaw in Internet Control Message Protocol – which is often not restricted by firewalls – to gain remote code execution on exposed servers using a malicious packet. Requiring the targeting of a raw socket – any organization using such infrastructure should either patch or block ICMP packets at the firewall.”

Clearly it’s time to patch all the things. While the zero days are the most concerning, there are clearly other things here that you need to worry about.

A New #Phishing Email Targets Metamask Users

Posted in Commentary with tags on March 14, 2023 by itnerd

I admit that I had to look this up, but Metmask as defined by Wikipedia as follows:

MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralized applications. MetaMask is developed by ConsenSys Software Inc., a blockchain software company focusing on Ethereum-based tools and infrastructure.

And it seems that there’s a phishing email that is targeting Metamask users that looks like this:

Now unlike most phishing emails that I come across, the English is actually decent and may pull you in. But if you look at the email address that this phishing email, it should make you think twice:

This clearly didn’t come from Metamask as I would expect their email addresses to be from metamask.io. Speaking of which, there’s a link below from metamask.io. That’s legit right? Actually it’s not. It’s hiding another URL which you can see here:

Now this is a technique that’s used by the more sophisticated email phishing operators to fool you into thinking that this email is legitimate. I am guessing that the operator behind this felt that they had to up their game as people who hold crypto are more likely to be tech savvy. Thus they’re less likely to fall for the sort of phishing emails that grab the average person. So you’re given the option of using a secret recovery phrase or a private key to “keep your wallet secure”. Both provide a vector for accessing your blockchain assets. This article describes the differences between the two, but here’s the thing to remember: Nobody can get access to your crypto without one or the other. That’s what this #phishing email is about which is to steal your crypto. I’m going to stop here because it’s pretty clear what the operator’s game is. But I will be warning Metamask about this so that they can keep users of their crypto wallets safe.

Has SpaceX Been Indirectly Pwned By Lockbit?

Posted in Commentary with tags on March 14, 2023 by itnerd

Based on this, Elon Musk may have more to worry about than the gong show which is his leadership of Twitter:

Remember, you’re only as secure as the people you work with. And clearly someone within the SpaceX supply chain isn’t secure. Which is bad for Elon. If this is true, SpaceX has been pwned by Lockbit. And the data is about to go up for sale. This is sure to freak out US Government types who rely on SpaceX. And if this turns out to be true, SpaceX is about to have a very, very bad time having to explain this.

I guess we will find out in a few days which way this will go.

Thousands of hijacked websites in East Asia are redirecting to adult-themed sites

Posted in Commentary with tags on March 14, 2023 by itnerd

From the “this is different” file comes this report by Wiz on thousands of hijacked websites in East Asia which are redirecting visitors to adult-themed sites:

The compromised websites include many owned by small companies and several operated by multinational corporations. They are diverse in terms of their tech stacks and hosting services, making it difficult to pinpoint any specific vulnerability, misconfiguration, or source of leaked credentials this threat actor may be abusing. In several cases, including a honeypot we set up to investigate this activity, the threat actor connected to the target web server using legitimate FTP credentials they somehow obtained previously.

While we were not able to determine how this threat actor has been gaining initial access to the affected web servers or where they are sourcing their stolen credentials from, we’ve decided to publish our findings regardless, in order to bring more awareness to this ongoing activity. Given the nature of the destination websites, we believe the threat actor’s motivations are most likely financial, and perhaps they intend to merely increase traffic to these websites from specific countries and nothing more. However, the impact to the compromised websites and their user experience is equivalent to defacement, and whatever weaknesses this actor is exploiting to gain initial access to these websites could be utilized by other actors to inflict greater harm.

Rui Ribeiro, CEO and Cofounder of Jscrambler had this comment:

     “This attack, which has compromised tens of thousands of websites aimed primarily at East Asian audiences and redirecting them to adult-themed content, highlights an often-overlooked security issue: securing the client-side experience at the moment the visitor is interacting with the website. In this case, the hacker injected malicious code into customer-facing web pages, collected information about the visitor, and hijacked their journey. This one incident underscores how important it is to understand the third-party JavaScript running on your browser and what data it is accessing. Not only is the customer experience tainted, but the compromised websites can face issues around data privacy, loss of revenue and reputation. Companies need visibility and control over the JavaScript that’s loaded into their web pages, whatever the source. Whether it’s a hijacking attack, data skimming or a simple configuration error, we must protect the interaction with each visitor.”

Now I just did a check my corporate website and I have FTP enabled. So I will be turning that off so that I am not a victim of this sort of attack. If you have a website, you might want to do the same thing to avoid being a victim as well.

Google Cloud & Workspace announce new AI apps and features

Posted in Commentary with tags on March 14, 2023 by itnerd

Today Google Cloud announced the next step in their AI journey, bringing generative AI benefits to individuals, businesses, and communities. 

Among the updates comes new Google Workspace features, with AI supporting everyday tasks like: 

  • draft, reply, summarize, and prioritize your Gmail
  • brainstorm, proofread, write, and rewrite in Docs
  • bring your creative vision to life with auto-generated images, audio, and video in Slides

Other highlights in Google’s new generative AI capabilities include:

  • Empowering all developers through PaLM API, a new developer offering that makes it easy and safe to experiment with Google’s large language models. Alongside the API, Google Cloud is releasing MakerSuite, a tool that lets developers start prototyping quickly and easily. 
  • Generative AI support in Vertex AI to offer a simple way for data science teams to take advantage of foundation models like PaLM. This includes the ability for businesses to address use cases such as content generation and chat summarization all with enterprise-level safety, security, and privacy.
  • Generative AI App Builder which allows organizations to build their own AI-powered chat interfaces and digital assistants.
  • As part of Google’s commitment to openness, they’re unveiling new partnerships, programs, and resources for each segment of theAI Ecosystem. 

For an overview of the news, check out the blog post from Google Cloud CEO Thomas.

Guest Post: Google, Fedora Project, and Microsoft products had the most vulnerabilities in 2022

Posted in Commentary with tags on March 14, 2023 by itnerd

In today’s world, where technology is embedded in every aspect of our lives, it is essential to understand the risks of using different software and devices.

According to the data presented by the Atlas VPN team, Google, Fedora Project, and Microsoft products had the most vulnerabilities in 2022. If we look into the specific products, security researchers found the most exploits in Fedora, Android, and Windows operating systems.

More vulnerabilities in a product do not necessarily mean it is less secure. Popular and open-source products tend to have more vulnerabilities due to the larger number of users discovering exploits.

Google products had 1372 exploits in 2022, the most of all vendors. The Android operating system had 897 vulnerabilities, which was the most of all Google products. In addition, security researchers found 283 exploits in the Chrome browser, but it did not make our top 10 list of products.

The Fedora Project was the second vendor with 945 discovered vulnerabilities. Its product Fedora Linux had the most, 944 exploits, of all products.

Security researchers discovered 939 vulnerabilities in Microsoft products in 2022. Windows 10 and 11 both had over 500 exploits, while in Windows Server OS, from 2012 to 2022, the number of vulnerabilities ranged from 414 to 553.

Debian products had 887 exploits, and their Linux OS had 884 vulnerabilities, taking 3rd place among all products. Furthermore, Apple had 456 exploits in their products, one of which, macOS, had 379 vulnerabilities in 2022.

​​Cybersecurity writer at Atlas VPN, Vilius Kardelis, shares his thoughts on vulnerabilities: 

“As the reliance on technology continues to increase, so does the threat of cyberattacks. Individuals and organizations must remain vigilant about updating their software and taking proactive steps to protect against cyber threats.”

Severity of vulnerabilities

The Common Vulnerability Scoring System (CVSS) assesses the severity of vulnerabilities in computer systems and networks. It assigns them a numerical score based on a set of criteria such as exploitability, impact, and complexity.

Over a fifth (23%) of vulnerabilities found in Microsoft products are rated 9+. In addition, 20% of exploits are given a score of 7-8.

Apple product exploits with a score of 9+ account for 17% of all vulnerabilities. In addition, 26% of vulnerabilities are rated 6-7.

Google occupies the third spot on the list regarding severe exploits valued at 9+. They constitute 14% of all vulnerabilities.

Only 2% of vulnerabilities are scored as the most severe in the Fedora Project, while those rated 6-7 make up 21% of all exploits.

To read the full article, head over to:https://atlasvpn.com/blog/google-fedora-project-and-microsoft-products-had-the-most-vulnerabilities-in-2022

google-fedora-project-and-microsoft-products-had-the-most-vulnerabilities-in-2022

Guest Post: Tick cyberespionage group compromises data-loss prevention software developer in East Asia

Posted in Commentary with tags on March 14, 2023 by itnerd

ESET researchers have uncovered a compromise of an East Asian data-loss prevention (DLP) company. During the intrusion, the attackers deployed at least three malware families and compromised internal update servers and third-party tools used by the affected company. As a result, two customers of the company were subsequently compromised. ESET attributes the campaign with high confidence to the Tick APT group. Based on Tick’s profile, the objective of the attack was most likely cyberespionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.

“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, which eventually resulted in the execution of malware on the computers of its customers,” says ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we’ve named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz.

The initial attack happened in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry registered the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research hypothesizes that this took place while the DLP company was providing technical support. The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the network of the DLP company.

The previously undocumented downloader ShadowPy was developed in Python and  is loaded through a customized version of the open source project py2exe. ShadowPy contacts a remote server from where it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file downloading and executing programs, performing screen capture, and performing mouse and keyboard events requested by its controller.

Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group thought to have been active since at least 2006 and that mainly targets countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property. Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools.

For more technical information about the latest Tick campaign, check out the blogpost “The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia” on WeLiveSecurity.

Meta/Facebook To Do Another Round Of Layoffs

Posted in Commentary with tags on March 14, 2023 by itnerd

News is filtering out that Facebook’s parent company Meta is planning to lay off thousands people. Keep in mind that Meta has already laid off thousands of people not too long ago, which means the following:

It’s uncommon for a company to conduct multiple rounds of layoffs, according to data from Crunchbase. Last year, around 9% of the 433 tech companies it tracked laid off workers more than once. 

That might be because it’s generally considered bad practice to do multiple rounds, said Kerry Sulkowicz, the managing principal of the Boswell Group, which advises CEOs and boards on people and culture issues. “Doing layoffs in dribs and drabs creates instability,” he told Insider. 

“When a CEO does this, it’s important to communicate that this is a difficult decision, and to the extent possible, to do it one fell swoop.”

One bout of layoffs can leave a dent in employee morale; a second round can be devastating. Surviving employees often mourn the loss of their colleagues and feel guilty they were spared. 

They’re also likely to feel extra nervous about their job security: Instead of focusing on the work at hand, they’re looking over their shoulders, which is not good for their productivity or sanity, said Sulkowicz.

“They’re constantly wondering, ‘Is there another round coming? Am I next?'”

If I were working for Meta, I’d be mass emailing my CV right now as one could argue that Meta is not a great place to work right now. The problem is what with the failure of SVB right now, it could be really difficult to find a safe landing spot. But you have to try I suppose as anything is better than the stress of wondering what the lifespan of your career at Meta is going to be.