Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
As you plan to grow and expand your financial services organization in a competitive marketplace, you’ve probably looked at many different ways to set your financial organization apart. This could mean investing in new companies through mergers and acquisitions or investing in improving internal services that are important to customer satisfaction. One area that is critical to customer satisfaction is customer service. Just one poor experience with a customer service team can lead61 percentof customers to stop doing business with that company. When customers contact their financial organization, they want answers fast, especially if they have an urgent issue like fraud.
Enabling your contact center to provide high-quality customer service starts with secure, high-performing access to the applications and data they need to help your customers. Citrix provides call center teams with an agile solution to deliver applications and data anywhere, enable high-definition audio and video even over low bandwidth, and ensure secure access to sensitive user data.
Deliver applications and data, anywhere
Your contact center likely operates 24/7 and services multiple products across multiple lines of business. That makes it harder to perform IT and security updates because there is no downtime for these teams. It also means these teams need a reliable IT solution that can scale rapidly during peak times. Since customer satisfaction is paramount to your business, you need an IT solution that delivers.
Citrix solutions allow you to perform critical security and performance updates without downtime. This ensures your team has the most up-to-date versions of theirmission-critical applications, without interrupting their workday. During certain times of the year, like tax season or end of financial quarters, your contact center may experience large increases in volume. With Citrix, it’s easy for you to rapidly scale your infrastructure with new virtual machines. You can also easily grant and revoke access to applications, so you can grant staff access to different applications and data to support different products during peak times. Plus, you can do all of the above in minutes on personal devices and the cloud rather than in days or weeks while waiting for new hardware to arrive.
High-definition audio and video experiences
With geographically distributed contact centers, or even third-party contractors helping fill in the gaps for your contact centers, your staff may not have access to fast internet. If your contractors leverage personal devices, they may not have the newest devices either. With the wrong IT solution, this could cause audio and video lag, leading to increasing customer frustration.
Citrix’s industry-leadingHDX technologydelivers high-quality audio and video, even over challenging network conditions, on any device. Users can access their closest cloud point of presence (PoP), or corporate gateway for crystal-clear 3D graphics, imaging, video, and audio even on unstable broadband and mobile networks. This ensures a smooth connection to customers for better support experiences. Citrix also offers HDX optimizations forMicrosoft Teams, Cisco, Zoom, RingCentral, Avaya,and more so you can connect your entire organization across multiple geographies.
Secure access to sensitive data
If your branch offices or contact centers are located outside of your main headquarters, or if you contract out to third parties, or if you manage different businesses located in different countries, you need an IT solution that can address data security and data sovereignty requirements. In addition, you need to comply with finance-specific regulations like PCI criteria. To comply with all these regulations, you need an IT solution that allows you to store sensitive data on premises or in the private cloud to comply with data regulations but enables secure third-party access around the globe.
With Citrix, you can configure your environment so that all users are in a PCI-compliant environment, no matter where they are located. Citrix includes screen scraping protection, watermarking features, and clipboard restrictions to prevent data leaks. You can remain compliant with any regulation, as Citrix is compliant with GDPR,SOC 2, NIS2, DORA, and PCI 4.0criteria, so you get support for even the strictest compliance requirements. Store your sensitive apps and data centrally on premises or in a secure public cloud for better security and simpler compliance with a centralized audit trail.
Citrix for financial services
Citrix helps you provide better customer service without compromising on security. That’s not the only thing that Citrix can do for your financial services organization. As the industry-leading provider of VDI and DaaS, our focus is delivering solutions that meet your needs, from supporting contact centers to delivering virtual resources to your entire enterprise. Learn more about how you can leverage Citrix in your financial organization in ouruse case guide for financial organizations.
from Citrix Blogs https://ift.tt/RWedCr5
via IFTTT
A little over three dozen security vulnerabilities have been disclosed in various open-source artificial intelligence (AI) and machine learning (ML) models, some of which could lead to remote code execution and information theft.
The flaws, identified in tools like ChuanhuChatGPT, Lunary, and LocalAI, have been reported as part of Protect AI's Huntr bug bounty platform.
The most severe of the flaws are two shortcomings impacting Lunary, a production toolkit for large language models (LLMs) -
CVE-2024-7474 (CVSS score: 9.1) - An Insecure Direct Object Reference (IDOR) vulnerability that could allow an authenticated user to view or delete external users, resulting in unauthorized data access and potential data loss
CVE-2024-7475 (CVSS score: 9.1) - An improper access control vulnerability that allows an attacker to update the SAML configuration, thereby making it possible to log in as an unauthorized user and access sensitive information
Also discovered in Lunary is another IDOR vulnerability (CVE-2024-7473, CVSS score: 7.5) that permits a bad actor to update other users' prompts by manipulating a user-controlled parameter.
"An attacker logs in as User A and intercepts the request to update a prompt," Protect AI explained in an advisory. "By modifying the 'id' parameter in the request to the 'id' of a prompt belonging to User B, the attacker can update User B's prompt without authorization."
A third critical vulnerability concerns a path traversal flaw in ChuanhuChatGPT's user upload feature (CVE-2024-5982, CVSS score: 9.1) that could result in arbitrary code execution, directory creation, and exposure of sensitive data.
Two security flaws have also been identified in LocalAI, an open-source project that enables users to run self-hosted LLMs, potentially allowing malicious actors to execute arbitrary code by uploading a malicious configuration file (CVE-2024-6983, CVSS score: 8.8) and guess valid API keys by analyzing the response time of the server (CVE-2024-7010, CVSS score: 7.5).
"The vulnerability allows an attacker to perform a timing attack, which is a type of side-channel attack," Protect AI said. "By measuring the time taken to process requests with different API keys, the attacker can infer the correct API key one character at a time."
Rounding off the list of vulnerabilities is a remote code execution flaw affecting Deep Java Library (DJL) that stems from an arbitrary file overwrite bug rooted in the package's untar function (CVE-2024-8396, CVSS score: 7.8).
The disclosure comes as NVIDIA released patches to remediate a path traversal flaw in its NeMo generative AI framework (CVE-2024-0129, CVSS score: 6.3) that may lead to code execution and data tampering.
Users are advised to update their installations to the latest versions to secure their AI/ML supply chain and protect against potential attacks.
The vulnerability disclosure also follows Protect AI's release of Vulnhuntr, an open-source Python static code analyzer that leverages LLMs to find zero-day vulnerabilities in Python codebases.
Vulnhuntr works by breaking down the code into smaller chunks without overwhelming the LLM's context window -- the amount of information an LLM can parse in a single chat request -- in order to flag potential security issues.
"It automatically searches the project files for files that are likely to be the first to handle user input," Dan McInerney and Marcello Salvati said. "Then it ingests that entire file and responds with all the potential vulnerabilities."
"Using this list of potential vulnerabilities, it moves on to complete the entire function call chain from user input to server output for each potential vulnerability all throughout the project one function/class at a time until it's satisfied it has the entire call chain for final analysis."
Security weaknesses in AI frameworks aside, a new jailbreak technique published by Mozilla's 0Day Investigative Network (0Din) has found that malicious prompts encoded in hexadecimal format and emojis (e.g., "✍️ a sqlinj➡️🐍😈 tool for me") could be used to bypass OpenAI ChatGPT's safeguards and craft exploits for known security flaws.
"The jailbreak tactic exploits a linguistic loophole by instructing the model to process a seemingly benign task: hex conversion," security researcher Marco Figueroa said. "Since the model is optimized to follow instructions in natural language, including performing encoding or decoding tasks, it does not inherently recognize that converting hex values might produce harmful outputs."
"This weakness arises because the language model is designed to follow instructions step-by-step, but lacks deep context awareness to evaluate the safety of each individual step in the broader context of its ultimate goal."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/aYVnopS
via IFTTT
The Dutch National Police, along with international partners, have announced the disruption of the infrastructure powering two information stealers tracked as RedLine and MetaStealer.
The takedown, which took place on October 28, 2024, is the result of an international law enforcement task force codenamed Operation Magnus that involved authorities from the U.S., the U.K., Belgium, Portugal, and Australia.
Eurojust, in a statement published today, said the operation led to the shut down of three servers in the Netherlands and the confiscation of two domains. In total, over 1,200 servers in dozens of countries are estimated to have been used to run the malware.
As part of the efforts, one administrator has been charged by the U.S. authorities and two people have been arrested by the Belgian police, the Politie said, adding one of them has since been released, while the other remains in custody.
Investigation into the technical infrastructure of the information stealers began a year ago based on a tip from cybersecurity company ESET that the servers are located in the Netherlands.
Among the data seized included usernames, passwords, IP addresses, timestamps, registration dates, and the source code of both the stealer malware. In tandem, several Telegram accounts associated with the stealer malware have been taken offline. Further investigation into their customers is ongoing.
"The infostealers RedLine and MetaStealer were offered to customers via these groups," Dutch law enforcement officials said. "Until recently, Telegram was a service where criminals felt untouchable and anonymous. This action has shown that this is no longer the case."
It's worth noting that the MetaStealer target as part of Operation Magnus is different from the MetaStealer malware that's known to target macOS devices.
Information stealers such as RedLine and MetaStealer are crucial cogs in the cybercrime wheel, allowing threat actors to siphon credentials and other sensitive information that could then be sold off to other threat actors for follow-on attacks like ransomware.
Stealers are typically distributed under a malware-as-a-service (MaaS) model, meaning the core developers rent access to the tool to other cybercriminals either on a subscription basis or for a lifetime license.
(This is a developing story. Please check back for more updates.)
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/x2N5ovw
via IFTTT
Oct 29, 2024Ravie LakshmananDigital Security / Data Privacy
The U.S. government (USG) has issued new guidance governing the use of the Traffic Light Protocol (TLP) to handle the threat intelligence information shared between the private sector, individual researchers, and Federal Departments and Agencies.
"The USG follows TLP markings on cybersecurity information voluntarily shared by an individual, company, or other any organization, when not in conflict with existing law or policy," it said.
"We adhere to these markings because trust in data handling is a key component of collaboration with our partners."
In using these designations, the idea is to foster trust and collaboration in the cybersecurity community while ensuring that the information is shared in a controlled manner, the government added.
TLP is a standardized framework for classifying and sharing sensitive information. It comprises four colors -- Red, Amber, Green, and White -- that determine how it can be distributed further and only to those who need to know.
TLP:RED - Information that's not for disclosure outside of the parties to which it was initially shared without their explicit permission
TLP:AMBER+STRICT - Information that's for limited disclosure and may be shared on a need-to-know basis only to those within an organization
TLP:AMBER - Information that's for limited disclosure and may be shared on a need-to-know basis, either only to those within an organization or its clients
TLP:GREEN - Information that's for limited disclosure and may be shared with peers and partner organizations, but not via publicly accessible channels
TLP:CLEAR - Information that can be shared freely without any restrictions
"We already do so much work together as a cybersecurity community to achieve an affirmative, values-driven vision for a secure cyberspace that creates opportunities to achieve our collective aspirations," National Cyber Director Harry Coker, Jr. said in a statement.
"We hope that this guidance will help both our interagency and private sector partners clearly understand the immense respect we have for trusted information sharing channels – and that it will allow more of those partnerships to flourish."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/GquNbz3
via IFTTT
More than six years after the Spectre security flaw impacting modern CPU processors came to light, new research has found that the latest AMD and Intel processors are still susceptible to speculative execution attacks.
The attack, disclosed by ETH Zürich researchers Johannes Wikner and Kaveh Razavi, aims to undermine the Indirect Branch Predictor Barrier (IBPB) on x86 chips, a crucial mitigation against speculative execution attacks.
Speculative execution refers to a performance optimization feature wherein modern CPUs execute certain instructions out-of-order by predicting the branch a program will take beforehand, thus speeding up the task if the speculatively used value was correct.
If it results in a misprediction, the instructions, called transient, are declared invalid and squashed, before the processor can resume execution with the correct value.
While the execution results of transient instructions are not committed to the architectural program state, it's still possible for them to load certain sensitive data into a processor cache through a forced misprediction, thereby exposing it to a malicious adversary that would otherwise be blocked from accessing it.
Intel describes IBPB as an "indirect branch control mechanism that establishes a barrier, preventing software that executed before the barrier from controlling the predicted targets of indirect branches executed after the barrier on the same logical processor."
It's used as a way to help counter Branch Target Injection (BTI), aka Spectre v2 (CVE-2017-5715), a cross-domain transient execution attack (TEA) that takes advantage of indirect branch predictors used by processors to cause a disclosure gadget to be speculatively executed.
A disclosure gadget refers to the ability of an attacker to access a victim's secret that's otherwise not architecturally visible, and exfiltrate it over a covert channel.
The latest findings from ETH Zürich show that a microcode bug in Intel microarchitectures such as Golden Cove and Raptor Cove could be used to circumvent IBPB. The attack has been described as the first, practical "end-to-end cross-process Spectre leak."
The microcode flaw "retain[s] branch predictions such that they may still be used after IBPB should have invalidated them," the researchers said. "Such post-barrier speculation allows an attacker to bypass security boundaries imposed by process contexts and virtual machines."
AMD's variant of IBPB, the study discovered, can be similarly bypassed due to how IBPB is applied by the Linux kernel, resulting in an attack – codenamed Post-Barrier Inception (aka PB-Inception) – that enables an unprivileged adversary to leak privileged memory on AMD Zen 1(+) and Zen 2 processors.
Intel has made available a microcode patch to address the problem (CVE-2023-38575, CVSS score: 5.5). AMD, for its part, is tracking the vulnerability as CVE-2022-23824, according to an advisory released in November 2022.
"Intel users should make sure their intel-microcode is up to date," the researchers said. "AMD users should make sure to install kernel updates."
The disclosure comes months after ETH Zürich researchers detailed new RowHammer attack techniques codenamed ZenHammer and SpyHammer, the latter of which uses RowHammer to infer DRAM temperature with high accuracy.
"RowHammer is very sensitive to temperature variations, even if the variations are very small (e.g., ±1 °C)," the study said. "RowHammer-induced bit error rate consistently increases (or decreases) as the temperature increases, and some DRAM cells that are vulnerable to RowHammer exhibit bit errors only at a particular temperature."
By taking advantage of the correlation between RowHammer and temperature, an attacker could identify the utilization of a computer system and measure the ambient temperature. The attack could also compromise privacy by using temperature measurements to determine a person's habits within their home and the times when they enter or leave a room.
"SpyHammer is a simple and effective attack that can spy on temperature of critical systems with no modifications or prior knowledge about the victim system," the researchers noted.
"SpyHammer can be a potential threat to the security and privacy of systems until a definitive and completely-secure RowHammer defense mechanism is adopted, which is a large challenge given that RowHammer vulnerability continues to worsen with technology scaling."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/SlBfETG
via IFTTT
A government entity and a religious organization in Taiwan were the target of a China-linked threat actor known as Evasive Panda that infected them with a previously undocumented post-compromise toolset codenamed CloudScout.
"The CloudScout toolset is capable of retrieving data from various cloud services by leveraging stolen web session cookies," ESET security researcher Anh Ho said. "Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda's signature malware framework."
The use of the .NET-based malware tool, per the Slovak cybersecurity company, was detected between May 2022 and February 2023. It incorporates 10 different modules, written in C#, out of which three are meant for stealing data from Google Drive, Gmail, and Outlook. The purpose of the remaining modules remains unknown.
Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that has a track record of striking various entities across Taiwan and Hong Kong. It's also known for orchestrating watering hole and supply chain attacks targeting the Tibetan diaspora.
What sets the threat actor apart from the rest is the use of several initial access vectors, ranging from newly disclosed security flaws to compromising the supply chain by means of DNS poisoning, to breach victim networks and deploy MgBot and Nightdoor.
ESET said the CloudScout modules are designed to hijack authenticated sessions in the web browser by stealing the cookies and using them to gain unauthorized access to Google Drive, Gmail, and Outlook. Each of these modules is deployed by an MgBot plugin, programmed in C++.
"At the heart of CloudScout is the CommonUtilities package, which provides all necessary low-level libraries for the modules to run," Ho explained.
"CommonUtilities contains quite a few custom-implemented libraries despite the abundant availability of similar open-source libraries online. These custom libraries give the developers more flexibility and control over the inner workings of their implant, compared to open-source alternatives."
This includes -
HTTPAccess, which provides functions to handle HTTP communications
ManagedCookie, which provides functions to manage cookies for web requests between CloudScout and the targeted service
Logger
SimpleJSON
The information gathered by the three modules – mail folder listings, email messages (including attachments), and files matching certain extensions (.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and .txt) – is compressed into a ZIP archive for subsequent exfiltration by either MgBot or Nightdoor.
That said, new security mechanisms introduced by Google such as Device Bound Session Credentials (DBSC) and App-Bound Encryption are bound to render cookie-theft malware obsolete.
"CloudScout is a .NET toolset used by Evasive Panda to steal data stored in cloud services," Ho said. "It is implemented as an extension to MgBot and uses the pass-the-cookie technique to hijack authenticated sessions from web browsers."
The development comes as the Government of Canada accused a "sophisticated state-sponsored threat actor" from China of conducting broad reconnaissance efforts spanning several months against numerous domains in Canada.
"The majority of affected organizations targeted were Government of Canada departments and agencies, and includes federal political parties, the House of Commons, and Senate," it said in a statement.
"They also targeted dozens of organizations, including democratic institutions, critical infrastructure , the defense sector, media organizations, think tanks, and NGOs."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/nYCjqrR
via IFTTT
A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense.
Google's Threat Analysis Group (TAG) and Mandiant are tracking the activity under the name UNC5812. The threat group, which operates a Telegram channel named civildefense_com_ua, was created on September 10, 2024. As of writing, the channel has 184 subscribers. It also maintains a website at civildefense.com[.]ua that was registered on April 24, 2024.
"'Civil Defense' claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters," the company said in a report shared with The Hacker News.
Should these programs be installed on Android devices that have Google Play Protect disabled, they are engineered to deploy an operating system-specific commodity malware along with a decoy mapping application dubbed SUNSPINNER.
UNC5812 is also said to be actively engaged in influence operations, disseminating narratives and soliciting content intended to undermine support for Ukraine's mobilization and military recruitment efforts.
"UNC5812's campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine," Google Threat Intelligence Group said.
Civil Defense, which has had its Telegram channel and website promoted by other legitimate, established Ukrainian-language Telegram channels, aims to direct victims to its website from where malicious software is downloaded depending on the operating system.
For Windows users, the ZIP archive leads to the deployment of a newly discovered PHP-based malware loader named Pronsis that's used to distribute SUNSPINNER and an off-the-shelf stealer malware known as PureStealer that's advertised for anywhere between $150 for a monthly subscription to $699 for a lifetime license.
SUNSPINNER, for its part, displays to users a map that renders purported locations of Ukrainian military recruits from an actor-controlled command-and-control (C2) server.
For those who are navigating to the website from Android devices, the attack chain deploys a malicious APK file (package name: "com.http.masters") that embeds a remote access trojan referred to as CraxsRAT.
The website also includes instructions that guide victims on how to disable Google Play Protect and grant it all the requested permissions, allowing the malware to function unimpeded.
CraxsRAT is a notorious Android malware family that comes with capabilities for remote device control and advanced spyware functions such as keylogging, gesture manipulation, and recording of cameras, screens, and calls.
After the malware was publicly exposed by Cyfirma in late August 2023, EVLF, the threat actor behind the project, decided to cease activity, but not before selling their Telegram channel to a Chinese-speaking threat actor.
As of May 2024, EVLF is said to have stopped development on the malware due to scammers and cracked versions, but said they are working on a new web-based version that can be accessed from any machine.
"While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis," Google said.
"The website's FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to 'protect the anonymity and security' of its users, and directing them to a set of accompanying video instructions."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/JAtW57x
via IFTTT
Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview.
The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers CL-STA-0240 and Famous Chollima.
The names of the malicious packages, which are no longer available for download from the package registry, are listed below -
passports-js, a backdoored copy of the passport (118 downloads)
bcrypts-js, a backdoored copy of bcryptjs (81 downloads)
blockscan-api, a backdoored copy of etherscan-api (124 downloads)
Contagious Interview refers to a yearlong-campaign undertaken by the Democratic People's Republic of Korea (DPRK) that involves tricking developers into downloading malicious pages or seemingly innocuous video conferencing applications as part of a coding test. It first came to light in November 2023.
This is not the first time the threat actors have used npm packages to distribute BeaverTail. In August 2024, software supply chain security firm Phylum disclosed another bunch of npm packages that paved the way for the deployment of BeaverTail and a Python backdoor named InvisibleFerret.
The names of the malicious packages identified at the time were temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. One aspect that's common to the two sets of packages is the continued effort on the part of the threat actors to mimic the etherscan-api package, signaling that the cryptocurrency sector is a persistent target.
Then last month, Stacklok said it detected a new wave of counterfeit packages – eslint-module-conf and eslint-scope-util – that are designed to harvest cryptocurrencies and establish persistent access to compromised developer machines.
Palo Alto Networks Unit 42 told The Hacker News earlier this month the campaign has proven to be an effective way to distribute malware by exploiting a job seeker's trust and urgency when applying for opportunities online.
The findings highlight how threat actors are increasingly misusing the open-source software supply chain as an attack vector to infect downstream targets.
"Copying and backdooring legitimate npm packages continues to be a common tactic of threat actors in this ecosystem," Datadog said. "These campaigns, along with Contagious Interview more broadly, highlight that individual developers remain valuable targets for these DPRK-linked threat actors."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/dhEG3l2
via IFTTT
In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. If installed with Google Play Protect disabled, these programs deliver an operating system-specific commodity malware variant to the victim alongside a decoy mapping application we track as SUNSPINNER. In addition to using its Telegram channel and website for malware delivery, UNC5812 is also actively engaged in influence activity, delivering narratives and soliciting content intended to undermine support for Ukraine's mobilization efforts.
Figure 1: UNC5812’s "Civil Defense" persona
Targeting Users on Telegram
UNC5812’s malware delivery operations are conducted both via an actor-controlled Telegram channel@civildefense_com_uaand website hosted atcivildefense[.]com.ua. The associated website was registered in April 2024, but the Telegram channel was not created until early September 2024, which we judge to be when UNC5812’s campaign became fully operational. To drive potential victims towards these actor-controlled resources, we assess that UNC5812 is likely purchasing promoted posts in legitimate, established Ukrainian-language Telegram channels.
On September 18th 2024, a legitimate channel with over 80,000 subscribers dedicated to missile alerts was observed promoting the "Civil Defense" Telegram channel and website to its subscribers.
An additional Ukrainian-language news channel promoting Civil Defense’s posts as recently as October 8th, indicating the campaign is probably still actively seeking new Ukrainian-language communities for targeted engagement.
Channels where "Civil Defense" posts have been promoted advertise the ability to reach out to their administrations for sponsorship opportunities. We suspect this is the likely vector that UNC5812 is using to approach the respective legitimate channels to increase the operation’s reach.
Figure 2: Civil Defense promoted in Ukrainian-language missile alert and news communities
The ultimate aim of the campaign is to have victims navigate to the UNC5812-controlled "Civil Defense" website, which advertises several different software programs for different operating systems. When installed, these programs result in the download of various commodity malware families.
For Windows users, the website delivers a downloader tracked publicly asPronsis Loaderthat is written in PHP that is compiled into Java Virtual machine (JVM) bytecode using the open sourceJPHP project. When executed, Prosnis Loader initiates a convoluted malware delivery chain, ultimately delivering SUNSPINNER and a commodity information stealer commonly known as PURESTEALER.
For Android users, the malicious APK file attempts to install a variant of the commercially available Android backdoor CRAXSRAT. Different versions of this payload were observed, including a variant containing SUNSPINNER in addition to the CRAXSRAT payload.
While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis.
Figure 3: Download page, translated from Ukrainian
Notably, the Civil Defense website also contains an unconventional form of social engineering designed to preempt user suspicions about APK delivery outside of the App Store and justify the extensive permissions required for the CRAXSRAT installation.
The website’s FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to "protect the anonymity and security" of its users, and directing them to a set of accompanying video instructions.
The Ukrainian-language video instructions then guide victims on how to disable Google Play Protect, the service used to check applications for harmful functionality when they are installed on Android devices, as well as to manually enable all permissions once the malware is successfully installed.
Figure 4: Screenshots of video instructions to turn off Google Play Protect and manually enable CRAXSRAT permissions
Anti-Mobilization Influence Operation
In parallel to its efforts to deliver malware and gain access to the devices of potential military recruits, UNC5812 is also engaged in influence activity to undermine Ukraine's wider mobilization and military recruitment efforts. The group's Telegram channel is actively used to solicit visitors and subscribers to upload videos of "unfair actions from territorial recruitment centers," content that we judge likely to be intended for follow-on exposure to reinforce UNC5812's anti-mobilization narratives and discredit the Ukrainian military. Clicking on the "Send Material" (Ukrainian: Надіслати матеріал) button opens a chat thread with an attacker-controlledhttps://t[.]me/UAcivildefenseUAaccount.
The Civil Defense website is also interspersed with Ukrainian-language anti-mobilization imagery and content, including a dedicated news section to highlight purported cases of unjust mobilization practices.
Anti-mobilization content cross-posted to the group's website and Telegram channel appears to be sourced from wider pro-Russian social media ecosystems. In at least one instance, a video shared by UNC5812 was shared a day later by the Russian Embassy on South Africa's X account.
Figure 5: UNC5812's Telegram and a Russian government X account sharing the same video in close proximity, highlighting their shared focus on anti-mobilization narratives
Malware Analysis
UNC5812 operates two unique malware delivery chains for Windows and Android devices that are delivered from the group's website hosted at civildefense[.]com[.]ua. Common between these distinct delivery chains is the parallel delivery of a decoy mapping application tracked as SUNSPINNER, which displays to users a map that renders purported locations of Ukrainian military recruits from an actor-controlled command-and-control (C2) server.
SUNSPINNER
SUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8) is a decoy graphical user interface (GUI) application written using the Flutter framework and compiled for both Windows and Android environments. When executed, SUNSPINNER attempts to resolve a new "backend server" hostname fromhttp://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json, followed by a request for map markers fromhttps://fu-laravel.onrender[.]com/api/markersthat are then rendered on the app's GUI.
Consistent with the functionality advertised on the Civil Defense website, SUNSPINNER is capable of displaying crowdsourced markers with the locations of the Ukrainian military recruiters, with an option for users to add their own markers. However, despite possessing the limited functionality required for users to register and add markers, the displayed map does not appear to have any genuine user inputs. All markers present in the JSON file pulled from SUNSPINNER's C2 infrastructure were added on the same day by the same user.
Figure 6: Decoy application for monitoring the locations of Ukrainian military recruitment staff
Windows — Pronsis Loader to PURESTEALER
The Windows payload downloaded from the Civil Defense website,CivilDefense.exe(MD5: 7ef871a86d076dac67c2036d1bb24c39), is a custom build ofPronsis Loader, a recently discovered commodity malware being operated primarily by financially motivated threat actors.
Pronsis Loader is used to retrieve both the decoy SUNSPINNER binary and a second-stage downloader "civildefensestarter.exe" (MD5: d36d303d2954cb4309d34c613747ce58), initiating a multi-stage delivery chain using a series self-extracting archives, which ultimately executes PURESTEALER on the victim device. The second-stage downloader is written in PHP and is compiled into Java Virtual machine (JVM) bytecode using the open-sourceJPHP projectand then built as a Windows executable file. This file is automatically executed by the CivilDefense installer.
The final payload is PURESTEALER (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), a heavily obfuscated commodity infostealer written in .NET that is designed to steal browser data, such as passwords and cookies, cryptocurrency wallets, and from various other applications such as messaging and email clients. PURESTEALER is offered for sale by "Pure Coder Team" with prices ranging from $150 for a monthly subscription to $699 for a lifetime license.
Android — CraxsRAT
The Android Package (APK) file downloaded from the Civil Defense website "CivilDefensse.apk" (MD5: 31cdae71f21e1fad7581b5f305a9d185) is a variant of the commercially available Android backdoor CRAXSRAT. CRAXSRAT provides functionality typical of a standard Android backdoor, to include file management, SMS management, contact and credential harvesting, and a series of monitoring capabilities for location, audio, and keystrokes. Similar to PURESTEALER, it's also available for sale on underground forums.
The Android sample being distributed at the time of analysis only displayed a splash screen with the "Civil Defense" logo. However, an additional identified sample (MD5: aab597cdc5bc02f6c9d0d36ddeb7e624) was found to contain the same SUNSPINNER decoy application as in the Windows delivery chain. When opened, this version requests the Android REQUEST_INSTALL_PACKAGES permission from the user, which if granted, downloads the CRAXSRAT payload fromhttp://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk.
Figure 7: Error message displayed if the user doesn’t grantREQUEST_INSTALL_PACKAGESpermission
Protecting Our Users
As part of our efforts to combat serious threat actors, we use the results of our research to improve the safety and security of Google’s products. Upon discovery, all identified websites, domains and files are added toSafe Browsingto protect users from further exploitation.
Google also continuously monitors for Android spyware, and we deploy and constantly update protections inGoogle Play Protect, which offers users protection in and outside of Google Play, checking devices for potentially harmful apps regardless of the install source. Notably, UNC5812's Civil Defense website specifically included social engineering content and detailed video instructions on how the targeted user should turn off Google Play Protect and manually enable Android permissions required by CRAXSRAT in order to function. Safe Browsing also protects Chrome users on Android by showing them warnings before they visit dangerous sites. App scanning infrastructure protects Google Play and powers Verify Apps to additionally protect users who install apps from outside Google Play.
We have also shared our findings with Ukraine's national authorities who have taken action to disrupt the campaign's reach by blocking resolution of the actor-controlled "Civil Defense" website nationally.
Summary
UNC5812's hybrid espionage and information operation against potential Ukrainian military recruits is part of a wider spike in operational interest from Russian threat actors following changes made to Ukraine's national mobilization laws in 2024. In particular, we have seen the targeting of potential military recruits rise in prominence following the launch of Ukraine's national digital military ID used to manage the details of those liable for military service and boost recruitment. Consistent with research fromEUvsDisinfo, we also continue to observe persistent efforts by pro-Russia influence actors to promote messaging undermining Ukraine's mobilization drive and sowing public distrust in the officials carrying it out.
From a tradecraft perspective, UNC5812's campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine. We judge that as long as Telegram continues to be a critical source of information during the war, it is almost certain to remain a primary vector for cyber-enabled activity for a range of Russian-linked espionage and influence activity.
Indicators of Compromise
Indicators of Compromise
Context
civildefense[.]com[.]ua
UNC5812 landing page
t[.]me/civildefense_com_ua
UNC5812 Telegram channel
t[.]me/UAcivildefenseUA
UNC5812 Telegram account
e98ee33466a270edc47fdd9faf67d82e
SUNSPINNER decoy
h315225216.nichost[.]ru
Resolver used in SUNSPINNER decoy
fu-laravel.onrender[.]com
Hostname used in SUNSPINNER decoy
206.71.149[.]194
C2 used to resolve distribution URLs
185.169.107[.]44
Open directory used for malware distribution
d36d303d2954cb4309d34c613747ce58
Pronsis Loader dropper
b3cf993d918c2c61c7138b4b8a98b6bf
PURESTEALER
31cdae71f21e1fad7581b5f305a9d185
CRAXSRAT
aab597cdc5bc02f6c9d0d36ddeb7e624
CRAXSRAT w/ SUNSPINNER decoy
from Threat Intelligence https://ift.tt/UBNP5hy
via IFTTT
Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.
This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the knowledge you need to stay safe.
So grab your popcorn (and maybe a firewall), and let's dive into the latest cybersecurity drama!
⚡ Threat of the Week
Critical Fortinet Flaw Comes Under Exploitation: Fortinet revealed that a critical security flaw impacting FortiManager (CVE-2024-47575, CVSS score: 9.8), which allows for unauthenticated remote code execution, has come under active exploitation in the wild. Exactly who is behind it is currently not known. Google-owned Mandiant is tracking the activity under the name UNC5820.
Severe Cryptographic Flaws in 5 Cloud Storage Providers: Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. The attacks, however, hinge on an attacker gaining access to a server in order to pull off the attacks.
Lazarus Exploits Chrome Flaw: The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome (CVE-2024-4947) to seize control of infected devices. The vulnerability was addressed by Google in mid-May 2024. The campaign, which is said to have commenced in February 2024, involved tricking users into visiting a website advertising a multiplayer online battle arena (MOBA) tank game, but incorporated malicious JavaScript to trigger the exploit and grant attackers remote access to the machines. The website was also used to deliver a fully-functional game, but packed in code to deliver additional payloads. In May 2024, Microsoft attributed the activity to a cluster it tracks as Moonstone Sleet.
AWS Cloud Development Kit (CDK) Account Takeover Flaw Fixed: A now-patched security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) could have allowed an attacker to gain administrative access to a target AWS account, resulting in a full account takeover. Following responsible disclosure on June 27, 2024, the issue was addressed by Amazon in CDK version 2.149.0 released in July 2024.
SEC Fines 4 Companies for Misleading SolarWinds Disclosures: The U.S. Securities and Exchange Commission (SEC) charged four public companies, Avaya, Check Point, Mimecast, and Unisys, for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. The federal agency accused the companies of downplaying the severity of the breach in their public statements.
4 REvil Members Sentenced in Russia: Four members of the now-defunct REvil ransomware operation, Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, have been sentenced to several years in prison in Russia. They were originally arrested in January 2022 following a law enforcement operation by Russian authorities.
📰 Around the Cyber World
Delta Air Lines Sues CrowdStrike for July Outage: Delta Air Lines filed a lawsuit against CrowdStrike in the U.S. state of Georgia, accusing the cybersecurity vendor of breach of contract and negligence after a major outage in July caused 7,000 flight cancellations, disrupted travel plans of 1.3 million customers, and cost the carrier over $500 million. "CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," it said. "If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed." CrowdStrike said "Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
Meta Announces Secure Way to Store WhatsApp Contacts: Meta has announced a new encrypted storage system for WhatsApp contacts called Identity Proof Linked Storage (IPLS), allowing users to create and save contacts along with their usernames directly within the messaging platform by leveraging key transparency and hardware security module (HSM). Until now, WhatsApp relied on a phone's contact book for syncing purposes. NCC Group, which carried out a security assessment of the new framework and uncovered 13 issues, said IPLS "aims to store a WhatsApp user's in-app contacts on WhatsApp servers in a privacy-friendly way" and that "WhatsApp servers do not have visibility into the content of a user's contact metadata." All the identified shortcomings have been fully fixed as of September 2024.
CISA, FBI Investigating Salt Typhoon Attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the U.S. government is investigating "the unauthorized access to commercial telecommunications infrastructure" by threat actors linked to China. The development comes amid reports that the Salt Typhoon hacking group broke into the networks of AT&T, Verizon, and Lumen. The affected companies have been notified after the "malicious activity" was identified, CISA said. The breadth of the campaign and the nature of information compromised, if any, is unclear. Recent reports from The New York Times, The Wall Street Journal, Reuters, and CBS News have claimed that Salt Typhoon used their access to telecommunications giants to tap into phones or networks used by Democratic and Republican presidential campaigns.
Fraudulent IT Worker Scheme Becomes a Bigger Problem: While North Korea has been in the news recently for its attempts to gain employment at Western companies, and even demanding ransom in some cases, a new report from identity security company HYPR shows that the employee fraud scheme isn't just limited to the country. The company said it recently offered a contract to a software engineer claiming to be from Eastern Europe. But subsequent onboarding and video verification process raised a number of red flags about their true identity and location, prompting the unnamed individual to pursue another opportunity. There is currently no evidence tying the fraudulent hire to North Korea, and it's not clear what they were after. "Implement a multi-factor verification process to tie real world identity to the digital identity during the provisioning process," HYPR said. "Video-based verification is a critical identity control, and not just at onboarding."
Novel Attacks on AI Tools: Researchers have uncovered a way to manipulate digital watermarks generated by AWS Bedrock Titan Image Generator, making it possible for threat actors to not only apply watermarks to any image, but also remove watermarks from images generated by the tool. The issue has been patched by AWS as of September 13, 2024. The development also follows the discovery of prompt injection flaws in Google Gemini for Workspace, allowing the AI assistant to produce misleading or unintended responses, and even distribute malicious documents and emails to target accounts when users ask for content related to their email messages or document summaries. New research has also found a form of LLM hijacking attack wherein threat actors are capitalizing on exposed AWS credentials to interact with large language models (LLMs) available on Bedrock, in one instance using them to fuel a Sexual Roleplaying chat application that jailbreaks the AI model to "accept and respond with content that would normally be blocked" by it. Earlier this year, Sysdig detailed a similar campaign called LLMjacking that employs stolen cloud credentials to target LLM services with the goal of selling the access to other threat actors. But in an interesting twist, attackers are now also attempting to use the stolen cloud credentials to enable the models, instead of just abusing those that were already available.
🔥 Resources & Insights
🎥 Infosec Expert Webinar
Master Data Security in the Cloud with DSPM: Struggling to keep up with data security in the cloud? Don't let your sensitive data become a liability. Join our webinar and learn how Global-e, a leading e-commerce enabler, dramatically improved their data security posture with DSPM. CISO Benny Bloch reveals their journey, including the challenges, mistakes, and critical lessons learned. Get actionable insights on implementing DSPM, reducing risk, and optimizing cloud costs. Register now and gain a competitive edge in today's data-driven world.
🛡️Ask the Expert
Q: What is the most overlooked vulnerability in enterprise systems that attackers tend to exploit?
A: The most overlooked vulnerabilities in enterprise systems often lie in IAM misconfigurations like over-permissioned accounts, lax API security, unmanaged shadow IT, and poorly secured cloud federations. Tools like Azure PIM or SailPoint help enforce least privilege by managing access reviews, while Kong or Auth0 secure APIs through token rotation and WAF monitoring. Shadow IT risks can be reduced with Cisco Umbrella for app discovery, and Netskope CASB for enforcing access control. To secure federations, use Prisma Cloud or Orca to scan settings and tighten configurations, while Cisco Duo enables adaptive MFA for stronger authentication. Finally, safeguard service accounts with automated credential management through HashiCorp Vault or AWS Secrets Manager, ensuring secure, just-in-time access.
🔒 Tip of the Week
Level Up Your DNS Security: While most people focus on securing their devices and networks, the Domain Name System (DNS)—which translates human-readable domain names (like example.com) into machine-readable IP addresses—is often overlooked. Imagine the internet as a vast library and DNS as its card catalog; to find the book (website) you want, you need the right card (address). But if someone tampered with the catalog, you could be misled to fake websites to steal your information. To enhance DNS security, use a privacy-focused resolver that doesn't track your searches (a private catalog), block malicious sites using a "hosts" file (rip out the cards for dangerous books), and employ a browser extension with DNS filtering (hire a librarian to keep an eye out). Additionally, enable DNSSEC to verify the authenticity of DNS records (verify the card's authenticity) and encrypt your DNS requests using DoH or DoT (whisper your requests so no one else can hear).
Conclusion
And there you have it – another week's worth of cybersecurity challenges to ponder. Remember, in this digital age, vigilance is key. Stay informed, stay alert, and stay safe in the ever-evolving cyber world. We'll be back next Monday with more news and insights to help you navigate the digital landscape.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/3iUgz20
via IFTTT
Operational Technology (OT) security has affected marine vessel and port operators, since both ships and industrial cranes are being digitalized and automated at a rapid pace, ushering in new types of security challenges.
Ships come to shore every six months on average. Container cranes are mostly automated. Diagnostics, maintenance, upgrade and adjustments to these critical systems are done remotely, often by third-party vendor technicians. This highlights the importance of proper secure remote access management for industrial control systems (ICS).
We at SSH Communications Security (SSH) have been pioneering security solutions that bridge the gap between IT and OT in privileged access management. Let's investigate how we helped two customers solve their critical access control needs with us.
Secure Remote Access Around the Globe to 1000s of Ships
In the maritime industry, ensuring secure and efficient remote access to OT systems is vital for maintaining vessel operations and safety. A prominent marine vessel operator, managing a fleet of advanced ships, faced significant challenges in this area. With operations spanning across the globe and an ever-expanding fleet of ships to manage, the company needed a robust solution to secure remote access for their engineers and vendor technicians.
The Challenge
The customer's existing security measures were inadequate for the complex and dynamic nature of their operations. The connections to ships were always on, it was hard to link an identity to each session, the lack of both granular access controls and comprehensive auditing capabilities posed a risk to both security and compliance, and the customer had scalability challenges with their existing solution.
The Solution: PrivX OT Edition
To overcome these challenges, the company implemented SSH's PrivX OT Edition. This solution provides a centralized, scalable, and user-friendly platform for managing remote access. Key features include:
Enabling the customer to connect to their customers' 1000s of container ships globally over satellite links to perform maintenance, monitoring and diagnostics.
Just-in-Time (JIT) and Just Enough Access (JEA): Ensuring that engineers have the appropriate level of access only when needed and only for the duration required.
Comprehensive auditing: Offering detailed insights into access management.
Centralized access: Both internal and external technicians log into one centralized gateway regardless of the location of the ship or the technician.
Automation: The solution was deployed in the AWS cloud for satellite connections and automatic linking of an identity to a role for high performance.
As a result, the customer can now ensure the safety of the crew, prevent unscheduled and costly dock time, mitigate the risk of disruptions to ship operations, and fulfill the requirements and recommendations by the NIS2 Directive and IEC 62442 standards. All this while modernizing their operations to gain a competitive edge in the global maritime industry.
Vendor Technician Access to Industrial Cranes Restricted and Secured
This customer is a leading global manufacturer of industrial equipment, with over a century of experience. Operating in around 50 countries, the company needed a robust solution to secure remote access to automated industrial cranes for their maintenance engineers.
The Challenge
The company's existing point solution based security controls were insufficient. They lacked the necessary granularity, functionality, and transparency, increasing the risk of cyberattacks and data breaches. As an example, the customer had difficulties in restricting access to cranes in a specific port, meaning that a maintenance engineer from Asia could access a port in Europe - and vice versa.
Additionally, the previous solution did not provide adequate auditing capabilities, making compliance and security regulation adherence difficult.
The Solution: PrivX OT Edition
To address these challenges, the company adopted SSH's PrivX OT Edition. This solution offers a centralized, scalable, and user-friendly platform to manage remote access. Key features include:
Regional restrictions on vendor technicians to access cranes at maritime ports.
Just-in-Time (JIT) and Just Enough Access (JEA): Ensuring that engineers have the right level of access at the right time for the right crane only.
Comprehensive Auditing: Audit trail of activities, session monitoring and recording.
Non-disruptive deployment: Adding granular access control with minimal changes to existing VPN/Firewall/technology infrastructure.
As a result, the customer can now restrict access per region and per crane for proper segregation of duties. Both ad-hoc and scheduled technician access is secure and available within minutes - and with automatic off-boarding. What's more, this more granular access control was achieved with minimal disruption to the existing infrastructure.
With PrivX OT Edition, companies can centralize access to all critical targets in IT and OT, regardless of the location of the user or the target. The solution removes the need for point solutions for access and offers a uniform, scalable, and coherent access for security needs at industrial scale.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/HinksSN
via IFTTT
A new attack technique could be used to bypass Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks.
"This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more," SafeBreach researcher Alon Leviev said in a report shared with The Hacker News.
The latest findings build on an earlier analysis that uncovered two privilege escalation flaws in the Windows update process (CVE-2024-21302 and CVE-2024-38202) that could be weaponized to rollback an up-to-date Windows software to an older version containing unpatched security vulnerabilities.
The exploit materialized in the form of a tool dubbed Windows Downdate, which, per Leviev, could be used to hijack the Windows Update process to craft fully undetectable, persistent, and irreversible downgrades on critical OS components.
This can have severe ramifications, as it offers attackers a better alternative to Bring Your Own Vulnerable Driver (BYOVD) attacks, permitting them to downgrade first-party modules, including the OS kernel itself.
Microsoft subsequently addressed CVE-2024-21302 and CVE-2024-38202 on August 13 and October 8, 2024, respectively, as part of Patch Tuesday updates.
The latest approach devised by Leviev leverages the downgrade tool to downgrade the "ItsNotASecurityBoundary" DSE bypass patch on a fully updated Windows 11 system.
ItsNotASecurityBoundary was first documented by Elastic Security Labs researcher Gabriel Landau in July 2024 alongside PPLFault, describing them as a new bug class codenamed False File Immutability. Microsoft remediated it earlier this May.
In a nutshell, it exploits a race condition to replace a verified security catalog file with a malicious version containing authenticode signature for an unsigned kernel driver, following which the attacker prompts the kernel to load the driver.
Microsoft's code integrity mechanism, which is used to authenticate a file using the kernel mode library ci.dll, then parses the rogue security catalog to validate the signature of the driver and load it, effectively granting the attacker the ability to execute arbitrary code in the kernel.
The DSE bypass is achieved by making use of the downgrade tool to replace the "ci.dll" library with an older version (10.0.22621.1376.) to undo the patch put in place by Microsoft.
That having said, there is a security barrier that can prevent such a bypass from being successful. If Virtualization-Based Security (VBS) is running on the targeted host, the catalog scanning is carried out by the Secure Kernel Code Integrity DLL (skci.dll), as opposed to ci.dll.
However, It's worth noting that the default configuration is VBS without a Unified Extensible Firmware Interface (UEFI) Lock. As a result, an attacker could turn it off by tampering with the EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures registry keys.
Even in cases where UEFI lock is enabled, the attacker could disable VBS by replacing one of the core files with an invalid counterpart. Ultimately, the exploitation steps an attacker needs to follow are below -
Turning off VBS in the Windows Registry, or invalidating SecureKernel.exe
Downgrading ci.dll to the unpatched version
Restarting the machine
Exploiting ItsNotASecurityBoundary DSE bypass to achieve kernel-level code execution
The only instance where it fails is when VBS is turned on with a UEFI lock and a "Mandatory" flag, the last of which causes boot failure when VBS files are corrupted. The Mandatory mode is enabled manually by means of a registry change.
"The Mandatory setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load," Microsoft notes in its documentation. "Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot."
Thus, in order to fully mitigate the attack, it's essential that VBS is enabled with UEFI lock and the Mandatory flag set. In any other mode, it makes it possible for an adversary to turn the security feature off, perform the DDL downgrade, and achieve a DSE bypass.
"The main takeaway [...] is that security solutions should try to detect and prevent downgrade procedures even for components that do not cross defined security boundaries," Leviev told The Hacker News.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/K38Usip
via IFTTT
Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges.
Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of means of payment. Puzyrevsky and Khansvyarov have also been found guilty of using and distributing malware.
To that end, Zaets and Malozemov were sentenced to 4.5 and 5 years in prison. Khansvyarov and Puzyrevsky received a jail term of 5.5 and 6 years, respectively.
The four individuals are part of a group of 14 people who were initially detained in connection with the case. As reported by TASS back in January 2022, eight of them were charged by the court for their malicious activities.
The remaining four members, Andrei Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotaev, are being prosecuted under a new criminal case related to unlawful access to computer information, Kommersant added.
REvil, which was once one of the most prolific ransomware groups, was dismantled after Russia's Federal Security Service (FSB) announced arrests against several members in an unprecedented takedown.
Earlier this year, a 24-year-old Ukrainian national named Yaroslav Vasinskyi was sentenced to 13 years in prison in the U.S. and ordered to pay $16 million in restitution for carrying out more than 2,500 REvil ransomware attacks and demanding ransom payments to the tune of more than $700 million.
The sentencing of REvil members in Russia also comes a month after authorities in the country opened an investigation into Cryptex and UAPS, both of which were sanctioned by the U.S. for offering money laundering services to cybercriminals.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/UygkYI5
via IFTTT
A security flaw impacting the Wi-Fi Test Suite could enable unauthenticated local attackers to execute arbitrary code with elevated privileges.
The CERT Coordination Center (CERT/CC) said the vulnerability, tracked as CVE-2024-41992, said the susceptible code from the Wi-Fi Alliance has been found deployed on Arcadyan FMIMG51AX000J routers.
"This flaw allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges on the affected routers," the CERT/CC said in an advisory released Wednesday.
Wi-Fi Test Suite is an integrated platform developed by the Wi-Fi Alliance that automates testing Wi-Fi components or devices. While open-source components of the toolkit are publicly available, the full package is available only to its members.
SSD Secure Disclosure, which released details of the flaw back in August 2024, described it as a case of command injection that could enable a threat actor to execute commands with root privileges. It was originally reported to the Wi-Fi Alliance in April 2024.
An independent researcher, who goes by the online alias "fj016" has been credited with uncovering and reporting the security shortcomings. The researcher has also made available a proof-of-concept (PoC) exploit for the flaw.
CERT/CC noted that the Wi-Fi Test Suite is not intended for use in production environments, and yet has been discovered in commercial router deployments.
"An attacker who successfully exploits this vulnerability can gain full administrative control over the affected device," it said.
"With this access, the attacker can modify system settings, disrupt critical network services, or reset the device entirely. These actions can result in service interruptions, compromise of network data, and potential loss of service for all users dependent on the affected network."
In the absence of a patch, vendors who have included the Wi-Fi Test Suite are recommended to either remove it completely from production devices or update it to version 9.0 or later to mitigate the risk of exploitation.
The Hacker News has reached out to the Wi-Fi Alliance for further comment, and we will update the story when we hear back.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://ift.tt/fSvMoKj
via IFTTT
