New Fortinet FortiOS bug used to attack government networks

Posted in Commentary with tags on March 14, 2023 by itnerd

Sophisticated attackers are using a recently patched FortiOS vulnerability to target government and large organizations. Fortinet released the patch for CVE-2022-41328 on March 7th for what it called a high-severity security vulnerability that allows attackers to execute unauthorized code or commands.

In a report last week, Fortinet revealed that a hack on one of its customers caused all of their FortiGate devices to begin shutting down at the same time with “System enters error-mode due to FIPS error: Firmware Integrity self-test failed” messages, after which they failed to boot again. FIPS-enabled devices verify the integrity of system components, and if an integrity breach is detected, the device shuts down and refuses to boot to protect the integrity of the network.

The FortiGate firewalls were breached via a FortiManager device on the victim’s network and appeared to have been hacked using the same tactics. The investigation showed that the attackers modified the device firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process began.

“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said.

The attackers have also demonstrated “advanced capabilities,” including reverse-engineering parts of the FortiGate devices’ operating system.

“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.”

Horizon3.ai Exploit Developer James Horseman had this to say:

   “The level of sophistication demonstrated in this attack indicates that the attackers have a deep understanding of FortiOS, which suggests that they have considerable resources and expertise at their disposal. This is likely a targeted attack, as indicated by Fortinet’s statement that there are “hints of preferred governmental or government-related targets.”

   “It is worth noting that the writeup from Fortinet does not provide information on how the attackers gained initial access, which is a crucial part of understanding the full scope of the attack. While CVE-2022-41328 allows for the execution of unauthorized code or commands, it requires privileged access. This suggests that the attackers either obtained credentials for the FortiGate/FortiManager devices or used another exploit to gain remote code execution. It is also possible that the attackers used an undisclosed 0-day to gain initial access.

   “Given the severity of the vulnerability and the potential for the attackers to have gained privileged access to the targeted systems, organizations that use FortiOS should take immediate steps to patch the vulnerability and monitor their systems for any suspicious activity. Additionally, it is important to stay informed about any new developments in this attack to understand its full impact and how the attackers were able to gain initial access.”
 

David Maynor, Senior Director of Threat Intelligence, Cybrary follows up with this comment:

   “Fortinet has turned into the Ground Hog Day of vulnerabilities.”

What he’s referencing is that this isn’t the first go-round with vulnerabilities related to Fortinet products:

In January, Fortinet disclosed a very similar series of incidents where a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and government-related entities.

Thus I suspect that enterprises that own Fortinet gear may be thinking twice about having it on their networks.

This Month’s Patch Tuesday Drop Has A Ton Of Fixes That Should Make You Patch Everything Immediately

Posted in Commentary with tags on March 14, 2023 by itnerd

As I type this I am installing this month’s Patch Tuesday updates on all of my hardware and VMs that run Microsoft software. And according to Bleeping Computer, it’s a good thing that I am:

Today is Microsoft’s March 2023 Patch Tuesday, and security updates fix two actively exploited zero-day vulnerabilities and a total of 83 flaws.

Nine vulnerabilities have been classified as ‘Critical’ for allowing remote code execution, denial of service, or elevation of privileges attacks.

The number of bugs in each vulnerability category is listed below:

  • 21 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 27 Remote Code Execution Vulnerabilities
  • 15 Information Disclosure Vulnerabilities
  • 4 Denial of Service Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 1 Edge – Chromium Vulnerability

This count does not include twenty-one Microsoft Edge vulnerabilities fixed yesterday.

Gal Sadeh, Head of Data and Security Research, Silverfort has this view of some of the vulnerabilities fixed in this dump:


     “A critical RCE vulnerability in Remote Procedure Call Runtime, CVE-2023-21708, should be a priority for security teams as it allows unauthenticated attackers to run remote commands on a target machine. Threat actors could use this to attack Domain Controllers, which are open by default. To mitigate this, we recommend Domain Controllers only allow RPC from authorized networks and RPC traffic to unnecessary endpoints and servers is limited.

Being exploited in the wild, a vulnerability in Windows Defender SmartScreen (CVE-2023-24880) allows attackers to subvert in-built Windows protections blocking untrustworthy files.  The usual checks on reputation and source of files are bypassed, allowing malicious programs to run. This new threat is similar to another actively exploited SmartScreen vulnerability, patched by Microsoft in December 2022.

Another critical vulnerability, CVE-2023-23415, poses a serious risk as it allows attackers to exploit a flaw in Internet Control Message Protocol – which is often not restricted by firewalls – to gain remote code execution on exposed servers using a malicious packet. Requiring the targeting of a raw socket – any organization using such infrastructure should either patch or block ICMP packets at the firewall.”

Clearly it’s time to patch all the things. While the zero days are the most concerning, there are clearly other things here that you need to worry about.

A New #Phishing Email Targets Metamask Users

Posted in Commentary with tags on March 14, 2023 by itnerd

I admit that I had to look this up, but MetaMask is defined by Wikipedia as follows:

MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralized applications. MetaMask is developed by ConsenSys Software Inc., a blockchain software company focusing on Ethereum-based tools and infrastructure.

And it seems that there’s a phishing email that is targeting Metamask users that looks like this:

Now, unlike most phishing emails that I come across, the English is actually decent and may pull you in. But if you look at the email address that this phishing email came from, it should make you think twice:

This clearly didn’t come from Metamask as I would expect their email addresses to be from metamask.io. Speaking of which, there’s a link below from metamask.io. That’s legit right? Actually it’s not. It’s hiding another URL which you can see here:

Now this is a technique that’s used by the more sophisticated email phishing operators to fool you into thinking that this email is legitimate. I am guessing that the operator behind this felt that they had to up their game as people who hold crypto are more likely to be tech savvy. Thus they’re less likely to fall for the sort of phishing emails that grab the average person. So you’re given the option of using a secret recovery phrase or a private key to “keep your wallet secure”. Both provide a vector for accessing your blockchain assets. This article describes the differences between the two, but here’s the thing to remember: Nobody can get access to your crypto without one or the other. That’s what this #phishing email is about which is to steal your crypto. I’m going to stop here because it’s pretty clear what the operator’s game is. But I will be warning Metamask about this so that they can keep users of their crypto wallets safe.
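The two tells described above, a sender address that is not on the brand's domain and a link whose visible text shows metamask.io while the href goes elsewhere, can be checked mechanically. The following is an added example, not code from the post or from MetaMask; the email HTML and the From: header are constructed for the example (the real message is only shown as an image), and the domain check keeps only the last two labels of a hostname, which is a simplification rather than a public-suffix lookup.

```python
"""Flag links whose visible text claims one domain while the href points to
another, and check a From: header against the domain a message claims to be from."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that reads like a URL or a bare hostname.
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'metamask.io/...' text is treated as http://."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_deceptive_links(html):
    """Return [(visible_text, href)] for links whose text looks like a URL on one
    registrable domain while the href actually leads to a different one."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        if not _URLISH.match(text):
            continue  # "click here" style text makes no domain claim
        if registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
            hits.append((text, href))
    return hits


def sender_domain(from_header):
    """Domain part of the address in a From: header; the display name is ignored."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def sender_matches(from_header, expected_domain):
    """True only if the address is on expected_domain or one of its subdomains."""
    dom = sender_domain(from_header)
    return dom == expected_domain or dom.endswith("." + expected_domain)


# Constructed sample message; not the email shown in the post.
SAMPLE_FROM = "MetaMask Support <support@metamask-recovery.example.net>"
SAMPLE_HTML = """
<p>Verify your wallet to keep it secure:</p>
<p><a href="https://metamask-recovery.example.net/verify">https://metamask.io/secure</a></p>
<p>Read more at <a href="https://metamask.io/faq">https://metamask.io/faq</a>
or <a href="https://metamask-recovery.example.net/help">click here</a>.</p>
"""

if __name__ == "__main__":
    print("sender on metamask.io:", sender_matches(SAMPLE_FROM, "metamask.io"))
    for text, href in find_deceptive_links(SAMPLE_HTML):
        print(f"deceptive link: shows {text!r} but goes to {href}")
```

Only links whose visible text itself looks like a URL are compared, because plain "click here" text makes no claim the reader could be misled by; the sender check accepts subdomains of the expected domain, since legitimate mail is often sent from a mail subdomain.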

Has SpaceX Been Indirectly Pwned By Lockbit?

Posted in Commentary with tags on March 14, 2023 by itnerd

Based on this, Elon Musk may have more to worry about than the gong show which is his leadership of Twitter:

Remember, you’re only as secure as the people you work with. And clearly someone within the SpaceX supply chain isn’t secure. Which is bad for Elon. If this is true, SpaceX has been pwned by Lockbit. And the data is about to go up for sale. This is sure to freak out US Government types who rely on SpaceX. And if this turns out to be true, SpaceX is about to have a very, very bad time having to explain this.

I guess we will find out in a few days which way this will go.

Thousands of hijacked websites in East Asia are redirecting to adult-themed sites

Posted in Commentary with tags on March 14, 2023 by itnerd

From the “this is different” file comes this report by Wiz on thousands of hijacked websites in East Asia which are redirecting visitors to adult-themed sites:

The compromised websites include many owned by small companies and several operated by multinational corporations. They are diverse in terms of their tech stacks and hosting services, making it difficult to pinpoint any specific vulnerability, misconfiguration, or source of leaked credentials this threat actor may be abusing. In several cases, including a honeypot we set up to investigate this activity, the threat actor connected to the target web server using legitimate FTP credentials they somehow obtained previously.

While we were not able to determine how this threat actor has been gaining initial access to the affected web servers or where they are sourcing their stolen credentials from, we’ve decided to publish our findings regardless, in order to bring more awareness to this ongoing activity. Given the nature of the destination websites, we believe the threat actor’s motivations are most likely financial, and perhaps they intend to merely increase traffic to these websites from specific countries and nothing more. However, the impact to the compromised websites and their user experience is equivalent to defacement, and whatever weaknesses this actor is exploiting to gain initial access to these websites could be utilized by other actors to inflict greater harm.

Rui Ribeiro, CEO and Cofounder of Jscrambler had this comment:

     “This attack, which has compromised tens of thousands of websites aimed primarily at East Asian audiences and redirecting them to adult-themed content, highlights an often-overlooked security issue: securing the client-side experience at the moment the visitor is interacting with the website. In this case, the hacker injected malicious code into customer-facing web pages, collected information about the visitor, and hijacked their journey. This one incident underscores how important it is to understand the third-party JavaScript running on your browser and what data it is accessing. Not only is the customer experience tainted, but the compromised websites can face issues around data privacy, loss of revenue and reputation. Companies need visibility and control over the JavaScript that’s loaded into their web pages, whatever the source. Whether it’s a hijacking attack, data skimming or a simple configuration error, we must protect the interaction with each visitor.”

Now I just did a check of my corporate website and I have FTP enabled. So I will be turning that off so that I am not a victim of this sort of attack. If you have a website, you might want to do the same thing to avoid being a victim as well.

Google Cloud & Workspace announce new AI apps and features

Posted in Commentary with tags on March 14, 2023 by itnerd

Today Google Cloud announced the next step in their AI journey, bringing generative AI benefits to individuals, businesses, and communities. 

Among the updates come new Google Workspace features, with AI supporting everyday tasks like:

  • draft, reply, summarize, and prioritize your Gmail
  • brainstorm, proofread, write, and rewrite in Docs
  • bring your creative vision to life with auto-generated images, audio, and video in Slides

Other highlights in Google’s new generative AI capabilities include:

  • Empowering all developers through PaLM API, a new developer offering that makes it easy and safe to experiment with Google’s large language models. Alongside the API, Google Cloud is releasing MakerSuite, a tool that lets developers start prototyping quickly and easily. 
  • Generative AI support in Vertex AI to offer a simple way for data science teams to take advantage of foundation models like PaLM. This includes the ability for businesses to address use cases such as content generation and chat summarization all with enterprise-level safety, security, and privacy.
  • Generative AI App Builder which allows organizations to build their own AI-powered chat interfaces and digital assistants.
  • As part of Google’s commitment to openness, they’re unveiling new partnerships, programs, and resources for each segment of the AI ecosystem.

For an overview of the news, check out the blog post from Google Cloud CEO Thomas.

Guest Post: Google, Fedora Project, and Microsoft products had the most vulnerabilities in 2022

Posted in Commentary with tags on March 14, 2023 by itnerd

In today’s world, where technology is embedded in every aspect of our lives, it is essential to understand the risks of using different software and devices.

According to the data presented by the Atlas VPN team, Google, Fedora Project, and Microsoft products had the most vulnerabilities in 2022. If we look into the specific products, security researchers found the most exploits in Fedora, Android, and Windows operating systems.

More vulnerabilities in a product do not necessarily mean it is less secure. Popular and open-source products tend to have more vulnerabilities due to the larger number of users discovering exploits.

Google products had 1372 exploits in 2022, the most of all vendors. The Android operating system had 897 vulnerabilities, which was the most of all Google products. In addition, security researchers found 283 exploits in the Chrome browser, but it did not make our top 10 list of products.

The Fedora Project was the second vendor with 945 discovered vulnerabilities. Its product Fedora Linux had the most, 944 exploits, of all products.

Security researchers discovered 939 vulnerabilities in Microsoft products in 2022. Windows 10 and 11 both had over 500 exploits, while in Windows Server OS, from 2012 to 2022, the number of vulnerabilities ranged from 414 to 553.

Debian products had 887 exploits, and their Linux OS had 884 vulnerabilities, taking 3rd place among all products. Furthermore, Apple had 456 exploits in their products, one of which, macOS, had 379 vulnerabilities in 2022.

Cybersecurity writer at Atlas VPN, Vilius Kardelis, shares his thoughts on vulnerabilities:

“As the reliance on technology continues to increase, so does the threat of cyberattacks. Individuals and organizations must remain vigilant about updating their software and taking proactive steps to protect against cyber threats.”

Severity of vulnerabilities

The Common Vulnerability Scoring System (CVSS) assesses the severity of vulnerabilities in computer systems and networks. It assigns them a numerical score based on a set of criteria such as exploitability, impact, and complexity.

Over a fifth (23%) of vulnerabilities found in Microsoft products are rated 9+. In addition, 20% of exploits are given a score of 7-8.

Apple product exploits with a score of 9+ account for 17% of all vulnerabilities. In addition, 26% of vulnerabilities are rated 6-7.

Google occupies the third spot on the list regarding severe exploits valued at 9+. They constitute 14% of all vulnerabilities.

Only 2% of vulnerabilities are scored as the most severe in the Fedora Project, while those rated 6-7 make up 21% of all exploits.

To read the full article, head over to: https://atlasvpn.com/blog/google-fedora-project-and-microsoft-products-had-the-most-vulnerabilities-in-2022


Guest Post: Tick cyberespionage group compromises data-loss prevention software developer in East Asia

Posted in Commentary with tags on March 14, 2023 by itnerd

ESET researchers have uncovered a compromise of an East Asian data-loss prevention (DLP) company. During the intrusion, the attackers deployed at least three malware families and compromised internal update servers and third-party tools used by the affected company. As a result, two customers of the company were subsequently compromised. ESET attributes the campaign with high confidence to the Tick APT group. Based on Tick’s profile, the objective of the attack was most likely cyberespionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.

“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, which eventually resulted in the execution of malware on the computers of its customers,” says ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we’ve named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz.

The initial attack happened in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry registered the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research hypothesizes that this took place while the DLP company was providing technical support. The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the network of the DLP company.

The previously undocumented downloader ShadowPy was developed in Python and is loaded through a customized version of the open source project py2exe. ShadowPy contacts a remote server from which it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file, downloading and executing programs, performing screen capture, and performing mouse and keyboard events requested by its controller.

Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group thought to have been active since at least 2006 and that mainly targets countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property. Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools.

For more technical information about the latest Tick campaign, check out the blogpost “The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia” on WeLiveSecurity.

Meta/Facebook To Do Another Round Of Layoffs

Posted in Commentary with tags on March 14, 2023 by itnerd

News is filtering out that Facebook’s parent company Meta is planning to lay off thousands of people. Keep in mind that Meta has already laid off thousands of people not too long ago, which means the following:

It’s uncommon for a company to conduct multiple rounds of layoffs, according to data from Crunchbase. Last year, around 9% of the 433 tech companies it tracked laid off workers more than once. 

That might be because it’s generally considered bad practice to do multiple rounds, said Kerry Sulkowicz, the managing principal of the Boswell Group, which advises CEOs and boards on people and culture issues. “Doing layoffs in dribs and drabs creates instability,” he told Insider. 

“When a CEO does this, it’s important to communicate that this is a difficult decision, and to the extent possible, to do it one fell swoop.”

One bout of layoffs can leave a dent in employee morale; a second round can be devastating. Surviving employees often mourn the loss of their colleagues and feel guilty they were spared. 

They’re also likely to feel extra nervous about their job security: Instead of focusing on the work at hand, they’re looking over their shoulders, which is not good for their productivity or sanity, said Sulkowicz.

“They’re constantly wondering, ‘Is there another round coming? Am I next?'”

If I were working for Meta, I’d be mass emailing my CV right now, as one could argue that Meta is not a great place to work right now. The problem is that with the failure of SVB right now, it could be really difficult to find a safe landing spot. But you have to try, I suppose, as anything is better than the stress of wondering what the lifespan of your career at Meta is going to be.

How To Protect Yourself From Having A Scammer Lock Your Computer

Posted in Commentary with tags on March 14, 2023 by itnerd

If you’re unlucky enough to encounter a telephone scammer who manages to take control of your computer, it is likely that the scammer will try to lock it. The way that this scam works is that the scammer will call you claiming to be from Microsoft, Amazon, Google or some other company. They will give you some sort of excuse to get access to your computer via some remote access software, such as claiming that your computer is infected by viruses, or that they want to refund money that was stolen from you. Once they have access to the computer, they will lock it and hold it hostage, as only they know the password. This scam is effective because a surprising number of people don’t do backups of their computer, and as a result are more likely to pay to get access to their computer.

So with that out of the way, let’s go down the rabbit hole of how this is done by the scammers. The first way they do this is by using a little-known Windows utility called syskey. This Windows utility was used to encrypt system data, such as user account password hashes. But it also functions to prohibit you from booting the system directly to the desktop. Instead, the system will ask for a password which is difficult, if not impossible, for the average person to bypass. Which is why scammers love to use this method to lock a computer. Syskey exists in Windows NT 4, Windows XP, Windows 7 and 8, and Windows 10 versions prior to version 1709, which is also known as the Fall Creators Update. After that version, syskey wasn’t included in any version of Windows. But the tool can still be copied to a computer and used by a scammer if they have remote access to said computer.

How to protect yourself: Given that syskey can still be copied and used on any version of Windows that’s currently out there, any sort of proactive protection is impossible to implement. While I have heard of people using the group policy editor on Windows to stop syskey from running, that’s a very rudimentary form of protection, as all the scammer has to do is change the name of syskey.exe to something like “syskeyscam.exe” to get around that. Plus, once a system has had syskey run on it, it’s extremely difficult to recover from that. Often it requires the computer to be reformatted, which means you lose your data if you haven’t backed it up.
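Two passages on this page come down to the same defensive idea: the Fortinet post above describes FortiGate devices refusing to boot because a firmware integrity self-test caught a modified /sbin/init, and the paragraph just above explains why blocking syskey.exe by name fails once the file is renamed. Both are cases for checking file content (a hash) rather than a file name. The block below is an added example, not Fortinet's FIPS self-test code and not a Windows policy tool; all file contents are constructed bytes standing in for the real binaries, the paths are illustrative, and the "known-bad" hash is simply the hash of those constructed bytes.

```python
"""Hash-based checks: (1) detect changes to files that should never change, by
comparing them with a known-good baseline; (2) recognise a known tool by its
content regardless of the filename it was copied under."""
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _basename(path: str) -> str:
    """Final path component, accepting both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map path -> SHA-256 of its known-good content."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_baseline(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Findings for files that changed, disappeared, or appeared since the baseline.
    Any finding is reason to stop trusting the system, which is the decision a
    firmware integrity self-test makes when it refuses to boot."""
    findings = []
    for path, expected in baseline.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif sha256_hex(files[path]) != expected:
            findings.append(f"modified: {path}")
    for path in files:
        if path not in baseline:
            findings.append(f"unexpected: {path}")
    return findings


def blocked_by_name(files: dict[str, bytes], blocked_names: set[str]) -> list[str]:
    """Name-based rule: flags only files whose basename is on the list."""
    return [p for p in files if _basename(p).lower() in blocked_names]


def blocked_by_hash(files: dict[str, bytes], blocked_hashes: set[str]) -> list[str]:
    """Hash-based rule: flags files by content, whatever they are called."""
    return [p for p, content in files.items() if sha256_hex(content) in blocked_hashes]


def snapshot(directory: str) -> dict[str, bytes]:
    """Read every regular file under a directory into the in-memory form used
    above (for a real system; the samples below are constructed bytes)."""
    root = Path(directory)
    return {str(p): p.read_bytes() for p in root.rglob("*") if p.is_file()}


# Constructed sample content; none of these are the real binaries.
GOOD_INIT = b"#!/bin/sh\n# original init\nexec /sbin/real_init\n"
TAMPERED_INIT = b"#!/bin/sh\n/bin/fgfm &\nexec /sbin/real_init\n"  # extra program started before init
TOOL_BYTES = b"constructed-bytes-standing-in-for-syskey.exe"

KNOWN_GOOD = build_baseline({"/sbin/init": GOOD_INIT, "/bin/sh": b"#!shell"})
AFTER_ATTACK = {"/sbin/init": TAMPERED_INIT, "/bin/sh": b"#!shell", "/bin/fgfm": b"payload"}

DOWNLOADS = {
    r"C:\Users\victim\Downloads\syskeyscam.exe": TOOL_BYTES,  # renamed copy
    r"C:\Users\victim\Downloads\notes.txt": b"hello",
}
BLOCKED_NAMES = {"syskey.exe"}
BLOCKED_HASHES = {sha256_hex(TOOL_BYTES)}

if __name__ == "__main__":
    print(check_baseline(AFTER_ATTACK, KNOWN_GOOD))
    print("name rule:", blocked_by_name(DOWNLOADS, BLOCKED_NAMES))    # empty: the rename defeats it
    print("hash rule:", blocked_by_hash(DOWNLOADS, BLOCKED_HASHES))   # the renamed copy is still caught
```

The baseline check reports new files as well as modified ones, since an added payload next to an untouched init would otherwise pass; the name-versus-hash comparison is the caveat from the paragraph above made concrete, and a hash rule has its own limit, in that any change to the tool's bytes produces a new hash.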

Thus, given the fact that this is difficult to remediate after the fact, and that there’s really no way to protect yourself up front, education is the best way to deal with this way of locking your computer. In other words, you understand what a scam looks like so that you don’t fall for it, making this a non-issue. I’ll have some words of wisdom on that front later in this article.

Beyond that, as I mentioned earlier, having a backup of the contents of your computer and doing regular backups, either manually or automatically via a backup application, is another way to deal with this situation. Because if a scammer gets in and locks the computer using syskey, you simply do a Windows reset, reinstall your applications, and restore your files. Or reformat your computer, reinstall Windows and your applications, and restore your files. While there is some work in doing some sort of restore or reinstall of your computer, it’s a far better option than paying a scammer. And having a backup has the bonus of protecting you from other catastrophic events such as hardware failure, for example.

A second option that scammers use is to simply change the password of the account that is currently logged into Windows. Unfortunately, many people don’t put a password in place to protect themselves when they set up a computer. They do that under the mistaken belief that it is more convenient to run a computer with no password, as it’s one less thing to remember. And that, combined with setting up the computer to automatically log in, allows them to get into the computer faster. But that’s the sort of thing that a scammer will leverage to force you to pay them, as they can simply add a password to the account and hold the computer hostage.

How to protect yourself: While I understand that many of you out there want to be able to flip on your computer and bang out that email, you should never, ever compromise your security or it may not end well for you. You should always add a password to the user account that you set up, and you should never set it up to auto login. That way if you come across dirtbags like these, they can’t change your password because they would have to know your password to do it. Which they won’t. You can look at a tutorial like this to walk you through how best to set a password on your computer.

Finally, here are some words of wisdom to stop you from becoming a victim of a scam of any sort:

  • Fact: A legitimate company such as Microsoft, Apple, Amazon, Visa or Google would never call you on the phone saying things like “your computer is infected with viruses” or “you ordered items from Amazon and it looks like fraud”. If you get a call from any company saying things like that, hang up.
  • Fact: No company (again, Amazon, Google, Microsoft, Apple to name a few) would call you and require remote access to your computer for any reason. If you get a call from someone asking if they can connect to your computer, hang up.
  • Fact: Companies don’t use call-out technology with robotic-sounding voices that don’t reference you directly by name or by some other means of identification. If you get a call from any company using technology that fits that description, hang up.
  • Fact: If you get an invoice from Norton, McAfee, Netflix or any other company that doesn’t have your name on it, it’s fake and you should delete it. You should not click on any links or attachments, and you should not phone any number that is on the invoice.
  • Fact: Companies don’t ask to be paid in gift cards. If you get a call asking you to buy gift cards, hang up. The same goes for cryptocurrency.
  • Fact: The police don’t call you saying that you’re going to get arrested. If the police wanted to arrest you, they’d just arrest you. So if anyone says that you will be arrested if you don’t co-operate with them, hang up.

In other words, if you don’t fall for the scam because you spot that it’s a scam up front, you don’t have to worry about getting your computer locked. But if the worst does happen and you do get your computer locked by a scammer, and you don’t have a backup, I would advise that you call a computer professional for assistance. And by computer professional, I mean someone who has experience in dealing with situations related to scams as they are best suited to assist you in this situation. But be advised that there may be nothing that they can do other than erase the computer and set you up from scratch, which is another reason why having a backup is important. But under no circumstances should you pay the scammers to unlock your computer. Scumbags should never be rewarded for doing evil things. Thus paying them should be off the table by default. Not to mention that there is zero guarantee that they will follow through with unlocking your computer even if you do pay them. Plus you’ll still have to get a computer professional to look at your computer as who knows what they did to it.

These days you have to be really careful as scammers are becoming increasingly sophisticated. And the second you let your guard down, it can really come back to bite you. Thus I hope that this article helps you to avoid this specific scam. And if you want other tips on avoiding scams, check out this article which provides advice on how to stop seniors from being scammed.