Posts

Showing posts from September, 2022

Rapid 7 - Metasploit Weekly Wrap-Up

Veritas Backup Exec Agent RCE This module kindly provided by c0rs targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user. The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive. While you're patching, why not take the time to test your backups too. Hikvision IP Camera user impersonation This vulnerability has been present in Hikvision products since 2014 and comes to us courtesy of h00die-gr3y. The main culprit here is in Hikvision's authentication mechanism, which allows you to log in as any valid user using only their username; from that point this module allows you to set a new password for your chosen username, so now you can log in "legitimately". New module content (6) Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic by Monte Crypto and h00die-gr3y, which exploits CVE-2017-7921 - A new module has bee...

Krebs - Microsoft: Two New 0-Day Flaws in Exchange Server

Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks. In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability — CVE-2022-41082 — which allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange server...

Schneier - Security Vulnerabilities in Covert CIA Websites

Back in 2018, we learned that the covert system of websites that the CIA used for communications was compromised by —at least— China and Iran, and that the blunder caused a bunch of arrests, imprisonments, and executions. We’re now learning that the CIA is still “using an irresponsibly secured system for asset communication.” Citizen Lab did the research: Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive’s Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication. The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have fac...

The Hacker News - Cyber Attacks Against Middle East Governments Hide Malware in Windows logo

An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments. Broadcom's Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410 from The Hacker News https://thehackernews.com/2022/09/cyber-attacks-against-middle-east.html

KnowBe4 - Response-Based Phishing Scams Targeting Corporate Inboxes Hit New Records

Setting a record for both highest count and share in volume with other types of phishing scams, response-based attacks are at their highest since 2020 and are continuing to grow. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/response-based-phishing-scams-targeting-corporate-inboxes-hit-new-records

KnowBe4 - Your KnowBe4 Fresh Content Updates from September 2022

Check out the 35 new pieces of training content added in September, alongside the always fresh content update highlights and new features. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-september-2022

The Hacker News - North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022. Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to Zinc, which is from The Hacker News https://thehackernews.com/2022/09/north-korean-hackers-weaponizing-open.html

The Hacker News - Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild

Microsoft officially disclosed it is investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is from The Hacker News https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html

The Hacker News - WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation

Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems. That's according to Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022. The from The Hacker News https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html

Krebs - Fake CISO Profiles on LinkedIn Target Fortune 500s

Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources. If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University. The LinkedIn profile for Victor Sites, who is most certainly NOT the CISO of Chevron. Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. Whe...

KnowBe4 - Social Engineering and Bogus Job Offers

Researchers at SentinelOne have warned that North Korea’s Lazarus Group is using phony Crypto.com job offers to distribute macOS malware. The researchers aren’t sure how the lures are being distributed, but they suspect the attackers are sending spear phishing messages on LinkedIn. SentinelOne notes that this campaign “appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.” from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/social-engineering-and-bogus-job-offers

The Hacker News - Researchers Uncover Covert Attack Campaign Targeting Military Contractors

A new covert attack campaign singled out multiple military and weapons contractor companies with spear-phishing emails to trigger a multi-stage infection process designed to deploy an unknown payload on compromised machines. The highly-targeted intrusions, dubbed STEEP#MAVERICK by Securonix, also targeted a strategic supplier to the F-35 Lightning II fighter aircraft. "The attack was carried out from The Hacker News https://thehackernews.com/2022/09/researchers-uncover-covert-attack.html

The Hacker News - Five Steps to Mitigate the Risk of Credential Exposure

Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft.  While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the from The Hacker News https://thehackernews.com/2022/09/five-steps-to-mitigate-risk-of.html

TrustedSec - Hardening Backups Against Ransomware

Human-operated ransomware represents a unique challenge to backup infrastructures. Unlike in other scenarios, ransomware attackers specifically target and attempt to destroy backup systems to increase the likelihood that a victimized organization will pay the ransom. This threat requires a different approach to securing backup infrastructure. The Old Ways Are Not Enough Traditionally, enterprise backup infrastructures were designed to address one or more of the following scenarios: Small-scale restorations of a single endpoint, server, database, or application in response to an isolated incident (e.g., database corruption, hardware failure, limited security compromise of endpoint, user error, etc.) Recovery from physical disaster affecting a single datacenter or cluster of proximate datacenters (e.g., due to fire, natural disaster, etc.) Long-term data retention based on legal or regulatory requirements Protection approaches for these scenarios can be summarized by the ubiquito...

Schneier - Differences in App Security/Privacy Based on Country

Depending on where you are when you download your Android apps, it might collect more or less data about you. The apps we downloaded from Google Play also showed differences based on country in their security and privacy capabilities. One hundred twenty-seven apps varied in what the apps were allowed to access on users’ mobile phones, 49 of which had additional permissions deemed “dangerous” by Google. Apps in Bahrain, Tunisia and Canada requested the most additional dangerous permissions. Three VPN apps enable clear text communication in some countries, which allows unauthorized access to users’ communications. One hundred and eighteen apps varied in the number of ad trackers included in an app in some countries, with the categories Games, Entertainment and Social, with Iran and Ukraine having the most increases in the number of ad trackers compared to the baseline number common to all countries. One hundred and three apps have differences based on country in their privacy polici...

The Hacker News - Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks

Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody. "Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in from The Hacker News https://thehackernews.com/2022/09/hackers-aid-protests-against-iranian.html

Black Hills InfoSec - Why You Really Need to Stop Disabling UAC

Noah Heckman // Windows Vista didn’t have many fans in the Windows community (to put it lightly). It beaconed in a new user interface, file structure, and a bunch of […] The post Why You Really Need to Stop Disabling UAC appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/why-you-really-need-to-stop-disabling-uac/

KnowBe4 - A Master Class on Cybersecurity: Roger Grimes Teaches Password Best Practices

What really makes a “strong” password? And why are you and your end-users continually tortured by them? How do hackers crack your passwords with ease? And what can/should you do to improve your organization’s authentication methods? from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/roger-grimes-password-best-practices-master-class

Rapid 7 - [Security Nation] Taki Uchiyama of Panasonic on Product Security and Incident Response

In this episode of Security Nation, Jen and Tod chat with Taki Uchiyama about his work on Panasonic’s Product Security Incident Response Team (PSIRT). They chat about educating folks on vulnerabilities associated with smart devices, the challenges of running PSIRT’s training sessions during the pandemic, and the importance of building security into internet-connected products. Stick around for our Rapid Rundown, where Tod and Jen talk about a new white paper that shows how parking and toll apps that read license plates could inadvertently be used as a surveillance system. Taki Uchiyama Taki Uchiyama is a member of Panasonic PSIRT and is in charge of global product security activities. His main roles include the coordination of vulnerabilities, creating and conducting product security training to product developers, and providing assistance to product development teams on product security matters as necessary. Aside from his role in Panasonic, Taki has been a CVE Board Member since...

Schneier - Cold War Bugging of Soviet Facilities

Found documents in Poland detail US spying operations against the former Soviet Union. The file details a number of bugs found at Soviet diplomatic facilities in Washington, D.C., New York, and San Francisco, as well as in a Russian government-owned vacation compound, apartments used by Russia personnel, and even Russian diplomats’ cars. And the bugs were everywhere: encased in plaster in an apartment closet; behind electrical and television outlets; bored into concrete bricks and threaded into window frames; inside wooden beams and baseboards and stashed within a building’s foundation itself; surreptitiously attached to security cameras; wired into ceiling panels and walls; and secretly implanted into the backseat of cars and in their window panels, instrument panels, and dashboards. It’s an impressive—and impressively thorough—effort by U.S. counterspies. We have long read about sophisticated Russian spying operations—bugging the Moscow embassy, bugging Selectric typewrite...

The Hacker News - Facebook Shuts Down Covert Political 'Influence Operations' from Russia and China

Meta Platforms on Tuesday disclosed it took steps to dismantle two covert influence operations originating from China and Russia for engaging in coordinated inauthentic behavior (CIB) so as to manipulate public debate. While the Chinese operation sets its sights on the U.S. and the Czech Republic, the Russian network primarily targeted Germany, France, Italy, Ukraine and the U.K. with themes from The Hacker News https://thehackernews.com/2022/09/facebook-shuts-down-covert-political.html

The Hacker News - Critical WhatsApp Bugs Could Have Let Attackers Hack Devices Remotely

WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices. One of them concerns CVE-2022-36934 (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call. The issue impacts the WhatsApp and from The Hacker News https://thehackernews.com/2022/09/critical-whatsapp-bugs-could-have-let.html

Black Hills InfoSec - Constrained Language Mode Bypass When __PSLockDownPolicy Is Used

Carrie Roberts // PowerShell’s Constrained Language (CLM) mode limits the functionality available to users to reduce the attack surface. It is meant to be used in conjunction with application control […] The post Constrained Language Mode Bypass When __PSLockDownPolicy Is Used appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/constrained-language-mode-bypass-when-__pslockdownpolicy-is-used/

Rapid 7 - How to Deploy a SIEM That Actually Works

I deployed my SIEM in days, not months – here’s how you can too As an IT administrator at a highly digitized manufacturing company, I spent many sleepless nights with no visibility into the activity and security of our environment before deploying a security information and event management (SIEM) solution. At the company I work for, Schlotterer Sonnenschutz Systeme GmbH , we have a lot of manufacturing machines that rely on internet access and external companies that remotely connect to our company’s environment – and I couldn’t see any of it happening. One of my biggest priorities was to source and implement state-of-the-art security solutions – beginning with a SIEM tool. I asked colleagues and partners in the IT sector about their experience with deploying and leveraging SIEM technology. The majority of the feedback I received was that deploying a SIEM was a lengthy and difficult process. Then, once stood up, SIEMs were often missing information or difficult to pull actionable ...

TrustedSec - Working with data in JSON format

What is JSON? JSON is an acronym for JavaScript Object Notation. For years it has been in use as a common serialization format for APIs across the web. It also has gained favor as a format for logging (particularly for use in structured logging). Now, it has become even more common for command line applications to use JSON to serialize general output. JSON can be used to serialize data into common object and value types. These include key-value pairs, arrays, strings, numbers, Boolean values, and null. However, it is not without its limitations. The first limitation has drawbacks in the form of parsing. Because of how JSON is structured, an entire JSON object must be loaded completely in order to parse it. In most cases, this means the entire output of a command line or web API must be obtained before processing. The second limitation of JSON is the restriction to the types above (key value, list, true, false, null, number, and string). This l...