https://thehackernews.com/2023/03/whats-wrong-with-manufacturing.html
This article looks at data to discover that manufacturing as a segment gets a lot more cyber attacks than other industries. The article poses a few hypotheses, but doesn’t really provide an answer. The answers are not easily found in the data. As someone that works in the manufacturing industry, it is interesting to me that even the experts don’t see a clear correlation between the level of vulnerability and the number of attacks. My personal hypothesis is that the industry is perhaps not technically vulnerable; it is culturally vulnerable. The manufacturing industry does not have a strong security culture and is very susceptible to downtime as a lever for attackers to extract quick ransoms.
IPFS: A New Data Frontier or a New Cybercriminal Hideout?
Interplanetary File System is a notable system that has emerged in recent years. It is a decentralized storage and delivery network based on peer-to-peer (P2P) networking and belonging to the emerging “Web3 technologies.” IPFS allows users to host or share content on the internet at a more affordable price, with availability and resiliency capabilities. Unfortunately, it also provides opportunities for another part of the population: cybercriminals.
The majority of IPFS threats researchers analyzed were phishing threats, reaching 98.78% in September 2022. Cybercriminals often need to share files, cybercrime methods/tutorials, or even just screenshots on the underground forums. There has been an increase in the use of IPFS for storing such content by cybercriminals.
Ecommerce looks to be growing in the IPFS environment and this has definitely been exploited by the cybercriminals. They have set up stores selling illegal goods, and in the event that one node is down, another will take its place, providing resiliency. Other threat actors are also using the system to host malware. It is expected that some threat actors may create their own IPFS gateways and run nodes to keep their content online as much as possible.
It is common for new tools and technology intended for general use to be co-opted by criminals and malicious individuals. In the modern IT environment, anything that allows for distributed resilience is going to be of interest to criminals as well as IT professionals. Another tool that cyber criminals have been abusing is distributed messaging applications. These tools were intended to ensure that messages could get out of places with damaged or disrupted communications networks, like disaster areas, war zones, and wilderness or uninhabited areas. The idea is that no matter what happens to a part of the system, the message will still get out another way, providing a very high level of redundancy and resilience. Cyber criminals find this appealing for a different reason: it means that if part of their network is seized, taken down by authorities, or no longer under their control, key data and messages can still flow.
ChatGPT Browser Extension Hijacks Facebook Business Accounts
With the increasing craze for ChatGPT these days, the attackers are getting active. Between March 3 and March 9, at least 2,000 people a day downloaded the malicious “Quick access to ChatGPT” Chrome extension from the Google Play app store. The malicious “Quick access to Chat GPT” extension promised users a quick way to interact with the hugely popular AI chatbot. In reality, it also surreptitiously harvested a wide range of information from the browser, stole cookies of all authorized active sessions, and installed a backdoor that gave the malware author super-admin permissions to the user’s Facebook account.
https://www.darkreading.com/application-security/chatgpt-browser-extension-hijacks-facebook-business-accounts
US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
The article I have chosen to highlight this week is yet again another ransomware article. This article speaks to LockBit’s newest version, LockBit 3.0, aka LockBit Black. LockBit is ransomware-as-a-service, aka RaaS. The malware is hard to detect as it’s encrypted, and its payload is only activated upon a password being supplied. Once activated, “The malware then attempts to escalate privileges, gathers system information, terminates specific processes and services, launches commands, enables automatic logon for persistence, and deletes logs, recycled files, and system volume information copies.” As it reaches each new host “LockBit 3.0 then encrypts all files on local and remote devices, drops a ransom note, and changes the wallpaper and icons to its branding. After the process is completed, the malware may delete itself from the machine.”
https://www.securityweek.com/us-government-warns-organizations-of-lockbit-3-0-ransomware-attacks/
Critical Microsoft Outlook/365 bug CVE-2023-23397 under attack (thestack.technology)
Urgent: Microsoft 365 Apps being exploited in wild via CVSS 9.8 bug
From
The article is about the new vulnerability in the Microsoft Outlook 365 product, known as the CVSS 9.8 bug. The bug lets a remote and unauthenticated attacker breach a system by sending a specially crafted email that allows them to steal the recipient’s credentials. “The victim doesn’t even need to open the malicious email. The email triggers automatically when it is retrieved and processed by the Outlook client”. This could be before the email is viewed in the preview pane.
In the article, Microsoft offers adding users to the “protected users security group” as a helpful mitigation, specifically for domain admins when possible. Also, it was suggested that admins block TCP 445/SMB outbound from the network by using a perimeter firewall, local firewall and via the VPN settings.
The article also addressed that about 15 European government, military, energy, and transportation organizations were targeted using this exploit between April and December 2022. It also stated that they attribute the attacks to the Russian military intelligence and that more widespread attacks are likely to follow as the patch is reverse engineered.
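An added example, not part of the original post or the cited article: one way to audit whether the outbound TCP 445 block described above is holding, by flagging flow records in which an internal host reaches a non-internal address on port 445. The log layout, the internal ranges, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumption: the organization's internal space is RFC 1918 only.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample flow records (hypothetical format):
#   timestamp src_ip dst_ip dst_port proto action
# External addresses use the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2023-03-20T09:14:02Z 10.1.4.23 10.1.0.5 445 tcp allow
2023-03-20T09:14:07Z 10.1.4.23 203.0.113.50 445 tcp allow
2023-03-20T09:15:11Z 10.1.7.80 198.51.100.9 443 tcp allow
2023-03-20T09:16:40Z 10.1.7.80 203.0.113.50 445 tcp deny
2023-03-20T09:17:03Z 192.168.10.4 172.16.2.9 445 tcp allow
malformed line here
2023-03-20T09:18:55Z 10.1.4.23 203.0.113.77 445 udp allow
"""


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    action: str


def is_internal(addr) -> bool:
    """True when the address falls inside one of the internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(dport), proto.lower(), action.lower())
    except ValueError:
        return None


def audit_outbound_smb(log_text: str) -> dict:
    """Split internal-to-external TCP 445 flows into allowed and blocked."""
    report = {"allowed": [], "blocked": [], "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            # Count unparsed lines so gaps in coverage are visible.
            report["unparsed"] += 1
            continue
        if flow.proto != "tcp" or flow.dport != 445:
            continue
        # Only traffic leaving the network is in scope for this check.
        if not is_internal(flow.src) or is_internal(flow.dst):
            continue
        bucket = "allowed" if flow.action == "allow" else "blocked"
        report[bucket].append(flow)
    return report


def hosts_to_review(report: dict) -> list:
    """Internal hosts whose outbound SMB was not stopped by a firewall."""
    return sorted({str(f.src) for f in report["allowed"]})


if __name__ == "__main__":
    result = audit_outbound_smb(SAMPLE_FLOWS)
    for f in result["allowed"]:
        print(f"{f.ts} outbound SMB allowed: {f.src} -> {f.dst}")
    print("hosts to review:", hosts_to_review(result))
    print("blocked attempts:", len(result["blocked"]),
          "unparsed lines:", result["unparsed"])
```

Allowed records point to a path (perimeter, host firewall, or VPN) where the block is missing; blocked records show which hosts attempted the connection and are still worth a look.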
Telegram, WhatsApp Trojanized to Target Cryptocurrency Wallets
They are all pursuing the bitcoin funds of their victims, with several of them focusing on cryptocurrency wallets. This was the first time we had observed Android clippers concentrating solely on instant messaging, according to a Thursday advisory from ESET malware researchers Lukas Stefanko and Peter Strek.
A malevolent use of screen reading technology was demonstrated by some of the cutters, who employed OCR (optical character recognition) to extract mnemonic phrases from photographs saved on the victims’ smartphones.
https://www.infosecurity-magazine.com/news/telegram-whatsapp-trojanized/
Experts Warn of RambleOn Android Malware Targeting South Korean Journalists
Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign.
The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn.
The malicious functionalities include the “ability to read and leak target’s contact list, SMS, voice call content, location and others from the time of compromise on the target,” Interlab threat researcher Ovi Liber said in a report published this week.
https://thehackernews.com/2023/02/experts-warn-of-rambleon-android.html
https://www.helpnetsecurity.com/2023/03/17/chatgpt-cybersecurity-potential/
ChatGPT has more accurate ways to filter out spam and emails and it is better than other applications that are out there. The language model is used to simplify the search for malicious activity in datasets from security software. The community has focused on the fact that there should be more security since technology is advancing. They have been working on three projects in which ChatGPT can be of assistance to cybersecurity defenders. They use a technique called few-shot learning to train the AI model with just a few samples.
Sportswear chain JD Sports has said stored data relating to 10 million customers might be at risk after it was hit by a cyber-attack.
The company said information that “may have been accessed” by hackers included names, addresses, email accounts, phone numbers, order details and the final four digits of bank cards, although the data related to online orders between November 2018 and October 2020.
https://www.bbc.com/news/business-64452986
Accusations from the Electronic Frontier Foundation (EFF) say the National Telecommunications Agency (Anatel) in Brazil has flagged Flipper Zero as a tool used for criminal purposes, making its clearance complicated and preventing it from reaching its final destination.
Flipper Zero is a portable multi-function cybersecurity tool that allows pen-testers to fiddle with a wide range of hardware by supporting Radio Frequency Identification (RFID) emulation, digital access key cloning, radio communications, Near field communication (NFC), infrared, and Bluetooth.
Reports from users claim Flipper Zero has demonstrated some hacking capabilities on social media in performing illegal activities such as unlocking cars, changing gas pump prices, opening garage doors, and more.
I find the article interesting because “EFF argues that the Brazilian authorities outright banning Flipper Zero in the country will limit the security researchers’ access to powerful portable cybersecurity tools, harming their work and negatively impacting the field”.
Reference
https://www.bleepingcomputer.com/news/security/brazil-seizing-flipper-zero-shipments-to-prevent-use-in-crime/
CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization’s cyber posture.
Actions to take today to harden your local environment:
Establish a security baseline of normal network activity; tune network and host-based appliances to detect anomalous behavior.
Conduct regular assessments to ensure appropriate procedures are created and can be followed by security staff and end users.
Enforce phishing-resistant MFA to the greatest extent possible.
In 2022, CISA conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBS within the assessment period.
Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
Multiple cybercriminal gangs and hacking groups exploited a four-year-old software vulnerability to compromise a U.S. federal government IIS server. A joint alert issued Wednesday by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed information about a .NET deserialization vulnerability (CVE-2019-18935) in the Progress Telerik user interface (UI) for ASP.NET AJAX. The vulnerability also affects Microsoft Internet Information Services (IIS) web servers at Federal Civilian Executive Branch (FCEB) agencies between November 2022 and January 2023. The vulnerability allows malicious attackers to “successfully execute remote code” on the organization’s web server, exposing access to the server’s internal network. The vulnerability was difficult to detect with regular server vulnerability scans as the Telerik UI software was installed on a file path it would not normally scan. In the case of CVE-2019-18935, CISA said entities using Progress Telerik software should implement a patch management solution to ensure compliance with the latest security patches. Server operators should also validate the output of patch management and vulnerability scans against running services to check for any discrepancies and limit service accounts to the minimum privileges necessary.
https://www.infosecurity-magazine.com/news/us-server-breached-via-telerik/
NBA alerts fans of a data breach exposing personal information
https://www.bleepingcomputer.com/news/security/nba-alerts-fans-of-a-data-breach-exposing-personal-information/
The NBA has announced a data breach after a third-party company providing a newsletter service was breached. The NBA launched an investigation into the security breach with the support of external cybersecurity experts to determine the extent of the incident. The NBA pointed out that its systems were not impacted; according to the data breach notification sent to the fans, the incident affected an unknown number of individuals. Bleeping Computer confirmed that some fans’ personal information was stolen; according to the association, an unauthorized third party accessed and created copies of the names and email addresses of some of its fans. The data breach did not compromise usernames, passwords, and other information.
On March 14, OpenAI released its large multimodal model GPT-4 to a frenzy of anticipation among techies. Microsoft even announced it would be built into the office family bucket under the name “Copilot.” OpenAI claims that GPT-4 is on par with, and above, most humans on a variety of professional and academic benchmarks. GPT-4 can not only process and understand the image content, but also increase the accepted length of text to 24,000 words. Word with “copilot” can call all the files of the user’s project to customize the text content; the PPT with a “copilot” can be automatically generated based on the text information entered and the style chosen by the user.
https://www.nytimes.com/2023/03/15/technology/gpt-4-artificial-intelligence-openai.html
Title: Improper trust boundary implementation for SMB in Zoom Clients: https://isc.sans.edu/podcastdetail.html?id=8414
Severity: High
CVE: 2023-28597
This week I picked a podcast from SANS Internet Storm Center (ISC). There were several vulnerabilities discussed, but I chose to pay more attention to the Patches for Zoom discussion, because we use it often. Zoom users are highly recommended to download the latest Zoom software, because it provides all current security updates, from https://zoom.us/download. Improper trust boundary implementation for SMB in Zoom Clients is one of the vulnerabilities. It affects users who happen to save local recordings to an SMB location and then open them through Zoom’s web portal link. According to the article, “if an attacker positioned on an adjacent network to the victim client could set up a malicious SMB server to respond to client requests, causing the client to execute attacker controlled executables”. The attacker will be in a perfect position to gain access to the user’s machine and data, and achieve remote code execution.
Affected Products:
Zoom (for Android, iOS, Linux, macOS, and Windows) clients before version 5.13.5
Zoom Rooms (for Android, iOS, Linux, macOS, and Windows) clients before version 5.13.5
Zoom VDI Windows Meeting clients before version 5.13.10
https://thehackernews.com/2023/03/new-bad-magic-cyber-threat-disrupt.html
During the ongoing war between Russia and Ukraine, government, agriculture, and transportation located in parts of Ukraine have been attacked as a part of an active campaign that drops a previously unseen modular framework dubbed CommonMagic. A Russian cybersecurity company, which detected the attack in October of 2022, is tracking the activity cluster under the name “Bad Magic”. Attack chains entail the use of booby-trapped URLs pointing to a ZIP archive hosted on a malicious web server. The file, when opened, contains a decoy document and a malicious LNK file that culminates in the deployment of a backdoor named PowerMagic. Written in PowerShell, PowerMagic establishes contact with a remote server and executes arbitrary commands. Two of the plugins discovered so far come with capabilities to capture screenshots every three seconds and gather files of interest from connected USB devices. Kaspersky said it found no evidence linking the operation and its tooling to any known threat actor or group.