Archive for Security

Twillio Phishing Attack Hits Cloudflare Employees

Posted in Commentary with tags on August 10, 2022 by itnerd


Cloudflare yesterday disclosed that at least 76 employees and their family members have been targeted by the Twilio phishing attack. The recipients received texts on personal and work phones, originating from four numbers associated with T-Mobile-issued SIM cards and was ultimately unsuccessful. The messages pointed to a seemingly legitimate domain containing keywords including ‘Cloudflare’ and ‘Okta’ in a campaign designed to get employees to hand over their credentials. 

Sidebar: If you need some advice about how to not be a victim of a phishing scam, Microsoft has some good advice.

Mark Bower, VP of Product Management of Anjuna Security had this comment:

     “Turning trusted employees into oblivious insiders is the perfect vector to bypass traditional controls and we can expect many more attacks of this nature. They are cheap, and effective. Once inside with high levels of privilege, coordinated attackers can launch mayhem and theft – manipulating data, stealing even highly sensitive data like keys from running applications. The most effective defense is to force attackers into attempting to break modern CPU-level hardware controls around sensitive data in the cloud, massively delaying impact and keeping blast radius to the absolute minimum, ultimately frustrating attackers who will move on to unprotected lower hanging fruit.”

I will also add that companies really need to step up the training of their employees as well as running phishing simulators to ensure that their employees aren’t unwitting participants in threat actors trying to gain access to a company’s resources.

New Report Finds Hackers Host Phishing Pages By Exploiting Intelligent Diagramming App/Visual Collab Platform

Posted in Commentary with tags on August 4, 2022 by itnerd

Avanan, A Check Point Company, has published an analysis of its latest findings revealing how threat actors are using the site’s legitimacy, of Lucidchart, an intelligent diagramming application for visual communication and cross-platform collaboration, to embed phishing links into shareable documents for users to render personal credentials. 

In this attack, users are presented with an email requesting to verify an invoice that has been submitted for payment. The user is encouraged to follow a series of instructions that will direct them to open a Lucidchart document containing a fake phishing link leading to a credential harvesting website.

You can read the full analysis here.

TSA Releases Revised Cybersecurity Requirements For Oil And Gas Pipelines

Posted in Commentary with tags on July 25, 2022 by itnerd

The Transportation Security Administration on Thursday issued revised cybersecurity directives for oil and gas providers more focused on performance-based measures. This following extensive input from federal regulators and private industry stakeholders in the wake of the May 2021 ransomware attack on Colonial Pipeline.

Chris Clymer, Director & CISO, Inversion6 had this comment:

When a cyberattack took the Colonial Pipeline offline and caused gas shortages all up and down the east coast of the US, an inevitable question was “How can this happen?”  Even more perplexing for cybersecurity professionals was learning that rather than following under the well-established NERC-CIP security framework which covers most of the energy sector, the pipelines had actually been related to the authority of the TSA.  This is far from TSA’s area of expertise, but to their credit they had put some guidelines out before the incident…unfortunately, these were simply guidelines, not required.

It is extremely welcome news to see that the US’s most competent cybersecurity agency, CISA, has dove into the fray and helped TSA to establish new requirements…and that they have been made just that:  requirements.  As we’ve seen over and over unfortunately, cybersecurity investments are neglected in virtually every vertical without outside pressure.  Pipelines should be in better shape because of this attack.  The question now:  what other important infrastructure is sitting out there, falling into the political cracks and being neglected as a result?

Companies beyond the oil and gas sector should look at this guidance as it will provide a roadmap as to how they can protect themselves from attacks of all sorts. Because everyone these days is a target of cybercrime and cyberattacks.

Red-Teaming Tool Abused by Malicious Actors

Posted in Commentary with tags on July 7, 2022 by itnerd

In a new report from Palo Alto’s Unit 42, researchers have spotted threat actors moving away from Cobalt Strike to using Brute Ratel as their post-exploitation toolkit of choice. The post-exploitation toolkit, which evades detection by EDR and antivirus solutions, has been used for red team penetration testing since 2020. This change in tactics is significant as BRc4 is designed to evade detection by EDR and antivirus solutions, with almost all security software not detecting it as malicious when first spotted in the wild.

“While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated,” explains Unit 42’s report.

“Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal.”

Dr. Darren Williams, CEO and Founder of BlackFog:

     “It has been known for several years now that AV software provides limited protection from modern ransomware and malware. New attack variants focus on techniques that are very difficult to detect with basic fingerprinting techniques these older solutions rely upon. State sponsored attacks are increasing at a rapid rate during 2022 and continue to focus on ways of launching custom payloads by traditional software and modified DLL’s.”

This report illustrates the need to have a layered defence to ransomware and malware. Thus if you’re responsible for defending against these sorts of attacks, this report from Unit 42 should be required reading.

External Exposure Was The Root Cause Of 82% Of Incidents

Posted in Commentary with tags on June 30, 2022 by itnerd

According to a new report from Tetra Defense, the Root Point of Compromise (RPOC) for attacks against U.S. companies was external exposure.  Patchable and preventable external vulnerabilities were found to be responsible for the bulk of attacks:

In Q1 2022, the vast majority — 82% — of total incidents happened through external exposure of either a known vulnerability on the victim’s network or a Remote Desktop Protocol (RDP). Taking a deeper look into these external exposures, they are classified in two ways:

1. External Vulnerabilities” which could have been mitigated through publicly available security patches and software updates. In these instances, a threat actor utilized a known vulnerability to gain access to the network before the internal organization was able to patch the system. In Q1 57% of total incidents were caused by the exploitation of external vulnerabilities.

2. “Risky External Exposures” which are IT practices such as leaving a Remote Desktop Protocol (RDP) port open to the public internet. These behaviors are considered “risky” because the mitigation relies on an organization’s continued security vigilance and willingness to enforce consistent standards over long periods of time. In Q1, 25% of total incidents Tetra Defense handled were caused by risky external exposures.

That’s not good at all. Mark Bower, VP of Product Management of Anjuna Security had this comment:

     “The report once again highlights the simple fact that in an ideal world, enterprises would patch and monitor untrusted compute and networks to keep data safe from leakage, but in truth it’s impossible to continuously down tools and close all risk gaps that affect modern business success. Vulnerabilities exist because they are discovered – but until that point, they are also exploitable holes in systems or processes. However, modern computing today is beginning to provide fresh new approaches to address risks like this, and we will start to see that at scale and in short order with compute ecosystems that shrink attack surfaces inherently for data at rest, in motion and in use.”

Hopefully enterprises of all sizes read this report and take action to secure themselves. Otherwise, they are prime targets for threat actors who are out to make them the next headline.

UPDATE: Aimei Wei, CTO and Co-founder of Stellar Cyber adds this:

     “External vulnerabilities and risky external exposures accounted for 82% of the incidents responded by Tetra Defense in Q1 2022. This highlights the critical need for having a threat detection and response system that continuously detect the vulnerabilities and exposed risks (such as RDP port open to the public) and respond automatically. Patching definitely pays off for known vulnerabilities. It greatly reduces the attack surface. However, it is hard to guarantee that the patch is always immediately available for the software version you are using and can be applied in time. Organization’s continued security vigilance and enforcement of standards can dramatically reduce the chances for exploitation from exposed risks. However, the exposed risk, even for a short period of time, may still be exploited. Having a detection and response system that can continuously monitor the environment, detect the exploitation and stops the attack from progression to an incident covers the cases missed by not in-time patch or not consistent enforcement or short period of time for exposed risks.”

Google Says Italian Spyware Vendor Worked With ISPs To Infect iOS And Android Users With Spyware…. WTF??

Posted in Commentary with tags , on June 25, 2022 by itnerd

I truly hope that someone within the European Union is aware of this, because this is just a mind blowing story. Google’s Threat Analysis Group (TAG) revealed that RCS Labs which an Italian spyware vendor similar to notorious Israeli spyware vendor The NSO Group , has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools:

All campaigns TAG observed originated with a unique link sent to the target. Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS. In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.

Google has notified Android victims that their devices were hacked and infected with spyware, dubbed Hermit by security researchers at Lookout in a detailed analysis of this implant published last week.

According to Lookout, Hermit is “modular surveillanceware” that “can record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.”

Google has also disabled the Firebase projects used by the threat actors to set up a command-and-control infrastructure for this campaign.

What’s even more scary is this: While a lot of attention has been placed on the activities of The NSO Group, spyware as a business is clearly thriving. This needs to change and these companies need to face some sort of consequences for their actions as this can’t be seen as acceptable in a civilized world. And the ISPs who helped this company carry this attack out needs to face some sort of punishment as well as that is also not acceptable in a civilized world.

New APT Group Targets Exchange Servers in Asia & Europe

Posted in Commentary with tags on June 21, 2022 by itnerd

An APT group has been actively targeting Microsoft Exchange servers since at least December 2020, according the researchers at Kaspersky’s Global Research & Analysis Team (GReAT). Security researchers have also found a previously unknown passive backdoor they named Samurai and a new trojan malware dubbed Ninja Trojan. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims’ network. Which of course means that these malware strains are very dangerous.

Christopher Prewitt, CTO of Inversion6 had this commentary:

In March of 2020, Microsoft released patches to fix the Exchange exploit. It was thought that Chinese nation state actors were the ones who uncovered this vulnerability and were exploiting prior to discovery and disclosure. ToddyCat, likely linked to Chinese espionage activities, has been focused on Europe and Asia using the familiar China Chopper web shell.

The Samurai backdoor, in some cases has been used to deploy a post-exploitation toolkit dubbed Ninja. Ninja allows for full control of a system including shell access, and appears to have been developed by ToddyCat.

My thoughts go something like this. While these attacks are presently targeted towards high-profile entities in Europe and Asia, I can see this branching out to North America. Assuming that it hasn’t already. Thus I would make sure that your Exchange servers have all the patches needed to defend against this exploit.

UPDATE: Aimei Wei, CTO and Founder, Stellar Cyber added this commentary:

“When a vulnerability is discovered, it takes time for the patch to be available for all the impacted software releases. Usually, the newer releases get patched faster than older ones. It could take more than a year for patches to be available to earlier releases. The New ToddyCat APT group that has been actively targeting Microsoft Exchange servers since at least Dec. 2020 are still exploiting the vulnerability to attack even more entities from more countries. While actively patching the systems is critical to be protected from the attacks, it can’t always be achieved within short period of time, having a threat detection and response system that can effectively detect lateral movement and help to stop the attacks at the early stage is an important catch all mechanism.”

And Jake Williams, Executive Director of Cyber Threat Intelligence for SCYTHE had this to say:

The Samurai backdoor is a textbook example of a tool used to expand a beachhead access to an internal network. After the backdoor is deployed on an Internet facing Exchange server, network redirection modules are deployed that facilitate access by the threat actors to the internal network. Network redirection isn’t new, is especially useful when deployed on a server that is expected to communicate with many external and internal destinations. While zero-trust networking principles could limit some communication, threat actors will always execute actions on objectives on endpoints inside the network. A combination of network and endpoint controls, configured in alignment with the organization’s specific operational model, will be required to detect stealthy actors like ToddyCat after they gain access to a network.

 730K WordPress Sites Force-Updated To Patch Critical Plugin Bug

Posted in Commentary with tags , on June 17, 2022 by itnerd

WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild. The vulnerability is a code injection vulnerability affecting multiple Ninja Forms releases, starting with version 3.0 and up.

Wordfence threat analyst Ramuel Gall discovered when reverse-engineering the patch that unauthenticated attackers can exploit this bug remotely to call various Ninja forms classes using a flaw in the Merge Tags feature:

There is evidence to suggest that this vulnerability is being actively exploited in the wild, and as such we are alerting our users immediately to the presence of this vulnerability.

This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched version. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible since automatic updates are not always successful.

Christopher Prewitt, CTO MRK Technologies had this to say:

WordPress and WordPress plugins are always under attack. WordPress is the most popular CMS, powering over 43% of websites. Attackers are always looking to leverage their efforts, getting the most results as possible. 

While WordPress appears to have performed a forced automatic update for this plugin, it is always important to validate and ensure your site and plugins are configured to automatically update.

This is good advice for anyone who runs a WordPress site. Which would include yours truly. I run very few plugins for security reasons. But if you run a WordPress site that might not be your use case. Thus Mr. Prewitt’s advice is something that you should keep in mind.

Panchan Peer-To-Peer Botnet Discovered By Researchers

Posted in Commentary with tags , on June 16, 2022 by itnerd

Akamai security researchers have released discovery on Panchan, a new peer-to-peer botnet and SSH worm that emerged in March and has been actively breaching Linux servers since. Panchan, written in Golang, utilizes its built-in concurrency features to maximize spreadability and execute malware modules. The malware also harvests SSH keys to perform lateral movement. That feature is pretty novel. You can read the full report on this botnet here. But Rob Shaughnessy, VP, Federal for GRIMM had this to say:

“Technologically, the recently disclosed Panchan botnet one has one potentially novel feature: harvesting SSH keys locally to facilitate lateral movement in the victim network. This method can increase lateral movement speed and help the botnet spread across connected organizations. The innovative use of harvested credentials helps explain why current victims of Panchan are mainly education institutions and show fairly significant geographic clustering. Research and educational institutions have traditionally favored collaboration and openness over strict security more than industry. Although botnets such as Panchan can be used for many functions, including highly malicious ones, Panchan is currently used for cryptocurrency mining. Using botnets is a way to effectively reduce or remove the most costly part of any cryptomining organization, providing an essentially free cloud computing infrastructure. With the recent collapse of cryptocurrency value globally, we will likely see increased utilization of botnets and similar malware for this purpose. For cyber defenders, this will substantially increase the network noise level and provide additional opportunities for more malicious code to insert itself using lower risk events, like Panchan, as cover.”

Clearly this botnet has a bunch of tricks up its sleeve. Which means that sysadmins and security professionals need to be on the look out for it as it is likely to pop up in a lot of places.

Microsoft Discovers Security Flaws In Android Apps Provided By Canadian Telcos Among Other Telcos

Posted in Commentary with tags , , , , , on May 30, 2022 by itnerd

This isn’t a good look for Rogers, Bell, Freedom Mobile, TELUS and a few other telcos. According to BleepingComputer, Microsoft has found some serious vulnerabilities in Android apps that they distribute:

The researchers found these vulnerabilities (tracked as CVE-2021-42598CVE-2021-42599CVE-2021-42600, and CVE-2021-42601) in a mobile framework owned by mce Systems exposing users to command injection and privilege escalation attacks.

The vulnerable apps have millions of downloads on Google’s Play Store and come pre-installed as system applications on devices bought from affected telecommunications operators, including AT&T, TELUSRogers CommunicationsBell Canada, and Freedom Mobile.

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers,” according to security researchers Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar of the Microsoft 365 Defender Research Team.

“All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.

“As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

Well, that’s not good. But these apps have been fixed. Sort of. Microsoft reached out to the relevant parties and these vulnerabilities were fixed. But the at-risk framework is likely used by numerous other service providers who may still have apps out there that aren’t fixed. Which means that threat actors can still launch attacks.

To protect yourself, search for the package name com.mce.mceiotraceagent on you Android device. If you find it, delete it ASAP if you can. I say that because you might need root access to delete it.