Horizon3.ai Revisits Fortinet FortiClient EMS to Exploit 7.2.X (CVE-2023-48788)

Posted in Commentary with tags on June 5, 2024 by itnerd

The Horizon3.ai Attack Research team has just published “CVE-2023-48788: Revisiting Fortinet FortiClient EMS to Exploit 7.2.X”, which discusses the differences in exploitation between FortiClient EMS’s two mainline versions, 7.0.x and 7.2.x. Today’s post updates Horizon3.ai’s earlier SQL injection exploit analysis for Fortinet FortiClient EMS.

Horizon3.ai Senior N-Day Vulnerability Researcher Luke Harding details the exploitation obstacles and payload crafting for the two mainline versions of the software. It is an update to Horizon3.ai’s March 21, 2024 post “CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive” and its accompanying POC, which, as it turns out, only worked on 7.0.x versions.

Harding notes “When writing exploits for different versions of vulnerable software, the differences in the exploit are usually small, such as different offsets, renamed parameters, or changed endpoints. Exploitation of the 7.2.x attack path for CVE-2023-48788 was an interesting challenge, because the core vulnerability and endpoint being attacked were the same, but the code path traversed was largely different.”

Harding walks through the updated exploit in the post, which is online now.

New Appdome SDK Protection and Threat Streaming Service to End Third-Party Mobile Supply Chain Risk

Posted in Commentary with tags on June 4, 2024 by itnerd

Appdome, the mobile app economy’s one-stop shop for mobile app defense, today released a new mobile SDK protection and mobile threat streaming service, called Appdome SDKProtect™. Appdome SDKProtect is designed to end third-party, mobile supply chain risk and democratize mobile threat intelligence and telemetry data among mobile SDK developers. The new service enables mobile SDK developers to quickly and easily create protected and threat-aware versions of their mobile SDKs, reducing fraud and ensuring compliance.

Mobile SDKs play a critical role in the mobile app economy, enabling Android & iOS developers to integrate essential functions into their applications, such as payment and banking services, digital identity verification, analytics, advertising, and more. The widespread use of mobile SDKs also makes them a prime target for malicious actors seeking to exploit SDKs to create supply chain risks inside mobile apps or compromise mobile app security to perform identity fraud, account takeovers, SDK spoofing, data breaches or other attacks.

The new Appdome SDKProtect service provides mobile SDK vendors and developers with multiple options for mobile SDK protection. Appdome SDKProtect strengthens the security posture of third-party software development kits (SDKs) used in mobile app development against static and dynamic attacks, reverse engineering, IP loss and exploits. The service also makes the Appdome platform’s rich mobile attack and intelligence data framework available to SDK providers to enhance the value of their SDK-based mobile services.

Appdome SDKProtect™ offers several levels of mobile SDK protection:

  • Threat-Shielding: Used to protect mobile SDK against reverse engineering and tampering by obfuscating and encrypting SDK data, strings, resources and preferences.
  • Mobile Risk Evaluation: Comprehensive coverage of SDK attacks, such as facial recognition bypass, root and Jailbreak detection, emulator detection, hooking frameworks, debuggers, Android debug bridge and more.
  • Threat Intelligence: Takes the power of Threat-Shielding and Mobile Risk Evaluation and combines it with two visibility and control options.
    • Threat-Streaming, which takes Threat Intelligence to the next level by providing real-time telemetry data that can be streamed to the SDK maker’s back-end to create specific outcomes when attacks happen.
    • Threat-Monitoring, which combines the protections with real-time attack monitoring and enterprise-grade intelligence via Appdome ThreatScope™ Mobile XDR.

The mobile Threat Intelligence packages leverage the Appdome Threat-Events™ in-app attack intelligence framework, which gives mobile developers real-time event data and control for mobile SDKs.

Using the Appdome SDKProtect service is easy. Mobile SDK developers present the Appdome platform with a version of the mobile SDK (Android .aar or .jar files, or iOS framework files), choose the level of protection to apply to the SDK, and initiate the build command. The Appdome platform then builds the chosen protections into the mobile SDK. In just minutes, the protected mobile SDK is available for download and distribution by the mobile SDK developer to its customers.

Appdome SDKProtect is fully compatible with all mobile platforms, frameworks, and development languages. It seamlessly integrates with existing app development workflows and tools, requiring no changes to the SDK source code or development environment.

To learn more about Appdome SDKProtect, please visit https://www.appdome.com/sdkprotect/.

Ransomware Resurged In 2023 With 50 New Variants: Mandiant

Posted in Commentary with tags on June 4, 2024 by itnerd

In a report published on Monday, Mandiant found that ransomware activity increased in 2023 compared to 2022, despite law enforcement operations against prolific ransomware groups such as ALPHV/BlackCat. Researchers observed 50 new ransomware variants, a third of which branched off existing malware.

Researchers also saw a 75% increase in posts on ransomware groups’ data leak sites. This is consistent with a Chainalysis report stating that a record-breaking $1bn was paid to ransomware attackers in 2023.

Code reuse, actor overlaps and rebrands have become common in the modern ransomware threat landscape. According to Mandiant, the increase in extortion activities is likely driven by factors including:

  • New entrants
  • New partnerships between groups
  • Ransomware services by actors previously associated with disrupted, prolific groups

Finally, Mandiant found that threat actors increased their reliance on remote management tools in ransomware operations: such tools were used in 41% of intrusions in 2023, compared to 23% in 2022.

Emily Phelps, Director, Cyware had this to say:

   “The proliferation of new ransomware variants and the surge in extortion activities reinforce the urgent need for a collective defense strategy. To get ahead of these threats, organizations must be enabled to share threat intelligence and defensive strategies. By adopting integrated solutions that facilitate seamless information sharing and collaboration, organizations can better defend against these sophisticated attacks and minimize the impact of ransomware on their operations.”

Given that I reported on an apparent ransomware attack as recently as this morning, this is something that requires a lot of focus. Because we’re on the edge of having ransomware get out of control. If it hasn’t already.

UPDATE: BullWall Executive, Carol Volk had this to say:

   “In promptly shutting down affected systems and reporting the incident to the SEC, Frontier demonstrated a solid response strategy. This approach, focused on containment and transparency, likely minimized the impact of the attack despite the sensitive data involved.

   “If the containment they had in place was in fact a ransomware containment system, it would account for their quick turnaround in dealing with the breach.

   “This incident underscores the need for all organizations to have well-defined ransomware containment strategies. Frontier’s handling of the situation serves as a reminder of the critical importance of preparation and quick action in the face of cyber threats.”

Dave Ratner, CEO, HYAS adds this:

   “Preparation for this rise in ransomware requires more than confirming backups and checking configurations — without the implementation of cyber resiliency solutions, as suggested by everyone from CISA to the White House — organizations will remain vulnerable and susceptible. The deployment of solutions like PDNS and others can be accomplished in short order, rapidly shift the tide, and should be done immediately.”

NIST Hires Outside Firm To Clear The Backlog In The NVD

Posted in Commentary with tags on June 4, 2024 by itnerd

Facing a growing backlog of reported flaws, NIST has announced a commercial contract with an outside firm to clear the backlog in its National Vulnerability Database (NVD). This was reported in a status update that was posted on May 29th:

NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that this backlog will be cleared by the end of the fiscal year.

Mike Walters, President and Co-Founder of Action1 has provided some insight on what resources the NVD would need to keep up with the number of vulnerabilities being reported:

“The National Vulnerability Database (NVD) plays a critical role in the cybersecurity landscape by cataloging and enriching vulnerability information. To keep up with the backlog, which now exceeds 10,000 vulnerabilities, NVD needs to address several issues and improve its operations.

First, the NVD must form a consortium to improve the program and, more importantly now, secure additional funding from federal agencies, the private sector, or public grants to cover the costs associated with scaling infrastructure, hiring additional staff, and purchasing necessary software tools. It is also important for them to obtain grants for AI and machine learning research to develop cutting-edge tools that can be integrated into the NVD workflow. Implementing advanced machine learning models and AI can help automate the initial triage and enrichment process of vulnerability reports. 

Second, NVD will need to hire a highly skilled team of security analysts, data scientists, and threat intelligence experts to operate and enhance the new AI tools that will help handle the growing backlog of vulnerabilities. These professionals can oversee automated processes, validate AI-generated insights, and handle more complex cases that require human intervention. 

Third, to collect and analyze data, the NVD will need to build stronger relationships with cybersecurity communities, including CVE Numbering Authorities (CNAs), private cybersecurity firms, academic institutions, and other threat intelligence platforms that can lead to more holistic and timely data sharing. 

Implementing a crowdsourcing model where verified contributors can submit and enrich vulnerability data could also help spread the workload and speed up the process. 

These are the key resources that NVD needs to manage the crisis.”

Hopefully NIST can get on top of this quickly. But with the number of flaws that have been and continue to be reported, that won’t be easy. But it is something that needs to be done.

UPDATE: Emily Phelps, Director, Cyware adds this comment:

   “It’s encouraging to see NIST taking proactive steps to address the backlog in the National Vulnerability Database. The current backlog highlights the increasing complexity and volume of vulnerabilities that organizations face today. Effective and timely vulnerability management is crucial for maintaining robust cybersecurity defenses.”

TELUS Launches Fifth And Largest #StandWithOwners Contest

Posted in Commentary with tags on June 4, 2024 by itnerd

TELUS is announcing the return of its #StandWithOwners contest for its fifth consecutive year with over $1 million in prizing, the largest prize pool in the program’s history. With small businesses accounting for 98% of all employers in Canada, TELUS is continuing its commitment to support and recognize the outsized impact business owners have on our communities and our economy.

Starting today through September 4, 2024, businesses are invited to apply at telus.com/StandWithOwners for their chance to win one of five grand prize packages. Each package is valued at over $200,000, including $50,000 in cash, $115,000 in advertising and national recognition, $25,000 in TELUS technology and a $10,000 TELUS Health well-being package. Additionally, 15 finalists will each receive $20,000 in funding and technology.

TELUS is seeking applicants that will demonstrate what makes their business unique, their use of technology to drive innovation, and a proven track record of growth. Additionally, applicants will be asked to show how the success of their business has made a meaningful impact on their local economies and communities.

The 2024 #StandWithOwners contest highlights TELUS’ continued dedication to championing Canadian businesses. Since 2020, TELUS has committed $5 million to #StandWithOwners, providing funding, advertising and technology to help businesses thrive in a digital world. As part of TELUS’ greater commitment to the growth of Canadian business, over $300 million has been invested to support owners, start-ups and leaders of tomorrow through the TELUS Pollinator Fund for Good and TELUS Ventures.

For more information and to apply for this year’s contest, visit telus.com/StandWithOwners.

BREAKING: London Hospitals Pwned In Cyberattack

Posted in Commentary with tags on June 4, 2024 by itnerd

This isn’t good.

In another example of health care being an easy target for threat actors, a number of London hospitals have apparently been pwned in a cyberattack. Sky News has the details:

King’s College Hospital, Guy’s and St Thomas’, including the Royal Brompton and the Evelina London Children’s Hospital, and primary care services were hit by the “major IT incident” involving pathology partner Synnovis, letters sent to NHS staff said.

Trusts reported the incident was having a “major impact” on the delivery of services, with blood transfusions particularly affected.

Some procedures and operations have been cancelled or have been redirected to other NHS providers as hospital bosses continue to establish what work can be carried out safely.

And:

The cyber incident is thought to have occurred on Monday, meaning some departments could not connect to their main server.

Several senior sources have told the Health Service Journal (HSJ) the system has been the victim of a ransomware attack.

This is why I keep saying that the health care sector needs to do better to protect itself. But on top of that, they need better funding to do so. The UK is in the middle of a general election so I am sure that this incident will come up on the campaign trail. But in the meantime, this is a devastating cyberattack that will have far reaching implications for weeks.

Twitter Is Now Officially Home To Porn

Posted in Commentary with tags on June 4, 2024 by itnerd

TechCrunch has spotted that Twitter has updated its terms of service to now allow porn on the platform:

Over the weekend, X added clauses to its rules, formally allowing users to post adult and graphic content on the platform — with a few caveats. Users can now post consensually produced NSFW content as long as it is prominently labeled as such. The new rules also cover AI-generated videos and images.

The tweak to the rules is not a complete surprise, since X, under Elon Musk, has already experimented with formally hosting adult content with NSFW communities.

“We believe that users should be able to create, distribute, and consume material related to sexual themes as long as it is consensually produced and distributed. Sexual expression, visual or written, can be a legitimate form of artistic expression,” X’s page on “adult content” policies reads.

“We believe in the autonomy of adults to engage with and create content that reflects their own beliefs, desires, and experiences, including those related to sexuality. We balance this freedom by restricting exposure to Adult Content for children or adult users who choose not to see it,” the page reads.

My guess in terms of Twitter making this move is that Elon Musk is now going to use porn as a revenue source. Seeing as Twitter is now a private company, we don’t know how much Elon is hurting for cash. But seeing as he’s let racists, insurrectionists, and other low life scumbags back onto Twitter in a seemingly desperate attempt to make a few bucks, it’s not a shock that he’s letting porn officially onto Twitter. At least not to me.

Good luck with that Elon.

New Survey from Abnormal Security Highlights Account Takeover Attacks as the Leading Threat for Today’s Organizations

Posted in Commentary with tags on June 4, 2024 by itnerd

Abnormal Security, the leader in AI-native human behavior security, today announced the launch of a new research report—the 2024 State of Cloud Account Takeover Attacks. The report reveals how security stakeholders view the growing threat of account takeovers, how they are currently approaching prevention, and what they are looking for in next-generation defenses against these attacks. 

Based on a survey of over 300 security professionals across a variety of global industries and organization sizes, Abnormal’s research found that 77% of security leaders cited account takeover attacks as one of their top four most concerning cyber threats. Combined, this makes account takeovers the leading worry for security leaders—even ahead of news-headlining attacks like ransomware and spear phishing. 

These worries are justified, given that 83% of survey participants reported that their organization had been impacted by an account takeover attack at least once over the past year. Worse still, nearly half of organizations (45.5%) were impacted by account takeover attacks more than five times over the past year, while nearly one in five had experienced more than 10 significant account takeover attacks.

The cloud applications that security stakeholders are most concerned about being compromised include file storage and sharing services, such as Dropbox and Box, and cloud infrastructure services, including Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Also near the top of the list are business email accounts, such as Microsoft Outlook and Gmail, and document and contract management software like Docusign. Each of these applications has the potential to expose troves of sensitive company data, while a compromised cloud infrastructure application can also enable lateral movement across the corporate network.

Despite their concerns, the majority of security stakeholders appear unprepared to protect against account takeovers. Commonly used strategies to protect against this threat include implementing fraud detection mechanisms such as multi-factor authentication (MFA) and strong password use. Yet the majority of survey participants are skeptical of both MFA (63%) and single sign-on (65%) as effective tools to prevent account takeover attacks.

Other frequently mentioned solutions included identity and access management (IAM), cloud access security brokers (CASB), and web application firewalls (WAF), which were all cited by more than 50% of respondents, but none of which are explicitly designed to counter the account takeover threat. Similarly, many survey participants (87%) expect their individual cloud services to supply native protections against account takeovers. But most application providers aren’t security companies, and while they may offer some security features, these tend to be safeguards against misconfiguration or elevated privileges rather than real-time protection against account takeover.

Security stakeholders are eager for alternative solutions, and 99% believe implementing a solution for detecting and automatically remediating compromised accounts in cloud services would greatly improve their defenses. Reiser continued, “It’s clear that there is a need for a new approach to not only detect account takeovers but also remediate them automatically before attackers have a chance to exfiltrate sensitive data or infiltrate connected applications. Cross-platform visibility and automated remediation capabilities, with uniform coverage for all the applications that enterprises use, will be critical as organizations seek to protect their entire attack surface.”

Security Researcher Finds That Microsoft Recall Is A Bigger Disaster Than We All Thought

Posted in Commentary with tags on June 3, 2024 by itnerd

Along with the release of Windows laptops using the Snapdragon X Elite processor, Microsoft released a bunch of new AI features for Windows 11, including something called Microsoft Recall, which literally takes snapshots of everything that you do on the PC. At the time, I said this:

Here’s where things get sketchy. While Recall apparently encrypts everything that it is taking a picture of, Recall with the default settings is taking pictures of everything. So if you do online banking, enter your SIN number online, or do anything else that is sensitive, Recall will likely know about it. Think of the fun a threat actor could have if they somehow managed to pwn the PC and got access to that data. And don’t think that threat actors aren’t thinking about giving that a shot as they know that it’s a potential gold mine of information that they can sell on the dark web. Never mind use against you. Now at this point a threat actor would likely have to have physical access to the device as this info is stored locally. But the one thing that I have learned over the years is that threat actors are creative and crafty individuals. So if there’s another attack vector out there that will allow them to grab this data, they will find it. And exploit it. 

Well, it now seems that this might be worse than previously thought. The Verge has surfaced just how vulnerable Recall actually is:

Despite Microsoft’s promises of a secure and encrypted Recall experience, cybersecurity expert Kevin Beaumont has found that the AI-powered feature has some potential security flaws. Beaumont, who briefly worked at Microsoft in 2020, has been testing out Recall over the past week and discovered that the feature stores data in a database in plain text. That could make it trivial for an attacker to use malware to extract the database and its contents.

“Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder,” explains Beaumont in a detailed blog post. “This database file has a record of everything you’ve ever viewed on your PC in plain text.”

Beaumont shared an example of the plain text database on X, scolding Microsoft for telling media outlets that a hacker cannot exfiltrate Recall activity remotely. The database is stored locally on a PC, but it’s accessible from the AppData folder if you’re an admin on a PC. Two Microsoft engineers demonstrated this at Build recently, and Beaumont claims the database is accessible even if you’re not an admin.

Well that’s just incredibly horrible. Because now that we know that pwnage is possible, threat actors around the globe will be figuring out how to pwn anyone who is running this feature. Even if technical details are being withheld.

But I am not done yet. It actually gets worse:

Beaumont has exfiltrated his own Recall database and created a website where you can upload a database and instantly search it. “I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something,” he says.

You would think a company the size of Microsoft would have had a few security researchers try to find vulnerabilities in this feature before even announcing it? But I guess not. It truly sounds to me like Microsoft needs to do a recall of Recall, because it’s simply not something that users can trust to be secure. Thus it’s not ready for primetime.

HYAS Experts Warn Of Active Remcos RAT Campaign

Posted in Commentary with tags on June 3, 2024 by itnerd

Examining the trove of data exposed through Autonomous System Numbers (ASNs) can identify and mitigate complex malware campaigns in novel ways. Using this technique, HYAS has just published Tracking An Active Remcos Malware Campaign.

Remcos is a commercially available application used for remotely controlling Windows computers. When used covertly, it operates as a fully functional remote access trojan, able to monitor keystrokes, exfiltrate data, passwords, or screenshots, and monitor cameras.

The campaign HYAS is tracking began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have indicated Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to Lithuania, and are hosted on the ISP “Silent Connection Ltd”.

The report details the threat actor’s use of dynamic DNS services (DDNS and DuckDNS) for Command and Control (C2) communications which — combined with hosting on a Lithuanian ISP — obfuscates the true origin of the attack and also leverages international resources to evade localized law enforcement. The use of DDNS allows for rapid changes in IP addresses, complicating traditional IP-based blocking and tracking methods.

HYAS’ report provides real-time tracking and attribution, the impacts and risks of Remcos, and detection and removal recommendations.

About HYAS’ Novel Research Process: ASNs are unique identifiers of networks participating in the global routing system, and can offer insight into the infrastructure threat actors are using. HYAS collects IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign and uses specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This enumeration helps identify the ownership and affiliations of networks involved in the campaign. HYAS then:

  • identifies the origins of malicious traffic,
  • pinpoints hosting providers associated with malware distribution,
  • surfaces and traces connections between threats and entities that otherwise seem unaffiliated, and
  • attributes malware campaigns to specific threat actors or groups, defends against active campaigns and thwarts future ones.
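As an added illustration of the two pieces of the process described above (the dynamic-DNS C2 indicators and the IP-to-ASN mapping), the following Python is example code written for this post, not HYAS’ tooling or data. It refangs indicators written in the report’s “host[.]tld (port N)” form, flags names under the dynamic DNS providers named on the page, and maps resolved IPs to ASNs by longest-prefix match over a routing table. The routing table, the ASNs (documentation range) and the resolved IPs are all constructed for the example and describe no real network.

```python
"""Added example: pivoting DDNS C2 indicators onto ASNs (constructed data only)."""
import ipaddress
import re
from collections import defaultdict

# Dynamic DNS provider zones named in the report text.
DDNS_SUFFIXES = ("ddns.net", "duckdns.org")

# Constructed routing table: prefix -> (ASN, owner). Documentation ranges and
# reserved example ASNs only; nothing here describes a real hosting provider.
ROUTE_TABLE = [
    ("198.51.100.0/24", ("AS64496", "EXAMPLE-HOSTER (constructed)")),
    ("198.51.100.128/25", ("AS64497", "EXAMPLE-RESELLER (constructed)")),
    ("203.0.113.0/24", ("AS64498", "EXAMPLE-CDN (constructed)")),
]
_ROUTES = [(ipaddress.ip_network(p), info) for p, info in ROUTE_TABLE]

# The two C2 indicators quoted in the post, in their defanged form.
INDICATORS = [
    "taker202.ddns[.]net (port 3017)",
    "taker202.duckdns[.]org (port 5033)",
]


def refang(indicator):
    """Turn 'host[.]tld (port N)' into ('host.tld', N); port is None if absent."""
    m = re.match(r"^\s*([\w.\[\]-]+?)\s*(?:\(port\s+(\d+)\))?\s*$", indicator)
    if not m:
        raise ValueError(f"unrecognised indicator: {indicator!r}")
    host = m.group(1).replace("[.]", ".").lower()
    port = int(m.group(2)) if m.group(2) else None
    return host, port


def is_dynamic_dns(host):
    """True when the host sits under a known dynamic-DNS provider zone."""
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def lookup_asn(ip):
    """Longest-prefix match of ip against the routing table; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in _ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


def pivot(resolutions):
    """Group (indicator, resolved_ip) pairs by ASN so shared hosting stands out.

    Only dynamic-DNS indicators are followed. Returns
    {asn: {"owner": str | None, "hosts": sorted list of 'host:port'}}.
    """
    groups = defaultdict(lambda: {"owner": None, "hosts": []})
    for indicator, ip in resolutions:
        host, port = refang(indicator)
        if not is_dynamic_dns(host):
            continue
        hit = lookup_asn(ip)
        asn, owner = hit if hit else ("UNROUTED", None)
        groups[asn]["owner"] = owner
        groups[asn]["hosts"].append(f"{host}:{port}" if port else host)
    for g in groups.values():
        g["hosts"].sort()
    return dict(groups)


if __name__ == "__main__":
    # Constructed resolutions: both DDNS names currently land in the same /25.
    sample = [(INDICATORS[0], "198.51.100.200"), (INDICATORS[1], "198.51.100.201")]
    for asn, g in pivot(sample).items():
        print(asn, g["owner"], ", ".join(g["hosts"]))
```

In practice the routing table would come from a BGP dump or an ASN lookup service, and the DDNS suffix list would be much longer; the longest-prefix rule is what keeps a more specific resale prefix from being mis-attributed to its parent block.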