Kelly Sharadin says
Firewall vendor Juniper Networks is introducing a cloud firewall FWaaS (firewall-as-a-service) to its product line. The product is attempting to address security gaps created by the remote workforce, shadow IT and overall adoption/migration to cloud apps. Juniper’s Security Director Cloud platform automatically pushes policies to devices exhibiting anomalies, allowing for dynamic response and visibility where blind spots may have previously existed within a distributed/hybrid network.
https://www.zdnet.com/article/juniper-networks-adds-cloud-firewall-to-its-sase-stack/
Andrew Nguyen says
I came across this article that describes a form of social engineering attack that I found particularly interesting: SIM Swapping.
In this situation, a criminal may socially engineer a mobile carrier operative to switch the victim’s mobile number to a SIM card in their possession. This allows them to receive the victim’s calls, texts, and other data. Criminals can then send ‘Forgot Password’ or ‘Account Recovery’ requests and have the authentication mechanism diverted to their phone instead of the victim’s.
The article also mentions an incident where a Canadian teenager was able to steal $36.5 million dollars worth of cryptocurrency from an unnamed victim in the U.S.
https://www.infosecurity-magazine.com/news/fbi-sim-swapping-attacks-surged/
Antonio Cozza says
To no surprise, ransomware attacks are continuing to evolve and become more sophisticated. They have grown so much in 2021 alone that the FBI, CISA, and NSA in the US, as well as other joint global cybersecurity officials, have issued an advisory warning of the increase in ransomware attacks, which are targeting more sectors than ever, including “defense, emergency services, agriculture, government facilities, IT, healthcare, financial services, education, energy, charities, legal institutions, and public services.” With the prevalence of nations actively taking down threat actors lately, they have overall shifted from attacking major companies, like Colonial Pipeline, JBS, and Kaseya in 2021, and they are now choosing to target mid-level companies instead. In the last three years, over 150 terabytes of data have been stolen, with 44 TB being from just one threat actor, REvil, according to SyHunt.
https://thehackernews.com/2022/02/cisa-fbi-nsa-issue-advisory-on-severe.html
Vraj Patel says
Security researchers have found five vulnerabilities within Microsoft Teams that could allow an attacker to spoof link previews, leak IP addresses, and even access the internal services of companies. Four of the vulnerabilities were discovered within the video conferencing app and the fifth vulnerability was in the Android OS. The four vulnerabilities identified were vulnerable to a server-side request forgery attack. The Android vulnerability allowed the attacker to get the IP address details of users. Microsoft has patched the Android vulnerability so far and is still working on remediating the other four vulnerabilities.
https://portswigger.net/daily-swig/multiple-vulnerabilities-in-microsoft-teams-could-spoof-urls-leak-ip-addresses
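The server-side request forgery the post describes arises when a link-preview fetcher follows any URL a user pastes, including ones that resolve to internal hosts. The following is an added example, not Microsoft's or PortSwigger's code, of the kind of allow-list check a preview service should apply before fetching: it restricts scheme and port, resolves the hostname, unwraps IPv4-mapped IPv6 addresses, and rejects any address that is loopback, private, link-local, multicast, reserved or unspecified. All hostnames and addresses in the table are constructed so the example runs offline; a deployment would pass the DNS-backed resolver instead.

```python
"""Allow-list validation for a link-preview fetcher (hypothetical service, example code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table so the example runs offline. The "public" addresses are
# well-known public DNS resolvers used only as sample public IPs; the rest are
# RFC 1918 / loopback / link-local values that an internal fetcher must never reach.
FAKE_DNS = {
    "news.example": ["8.8.8.8"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["8.8.4.4", "127.0.0.1"],      # one public, one loopback answer
    "metadata.example": ["169.254.169.254"],          # link-local (cloud metadata range)
    "mapped.example": ["::ffff:10.1.2.3"],            # IPv4-mapped IPv6 hiding a private IP
}


def resolve_with_table(host):
    """Offline resolver backed by the constructed table above."""
    return FAKE_DNS.get(host.lower(), [])


def resolve_with_dns(host):
    """Real resolver: every A/AAAA answer must pass the check, not just the first."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_str):
    """True only for globally routable addresses; unwraps ::ffff:a.b.c.d first."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_preview_url(url, resolver=resolve_with_table):
    """Return (allowed, reason, addresses) for a URL submitted for link preview."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parsed.username or parsed.password:
        return False, "credentials in URL", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", []
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addresses = resolver(host)                      # hostname: resolve it
    if not addresses:
        return False, "host did not resolve", []
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address {bad[0]}", addresses
    return True, "ok", addresses


if __name__ == "__main__":
    for candidate in ("https://news.example/story", "http://intranet.example/",
                      "https://rebind.example/", "http://169.254.169.254/",
                      "file:///etc/hosts", "https://mapped.example/"):
        print(candidate, "->", check_preview_url(candidate)[:2])
```

To defeat DNS rebinding the fetcher should connect to one of the addresses returned here (sending the original hostname in the Host header or SNI) rather than resolving the name a second time, and it should apply the same check again on every redirect it follows.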
zijian ou says
“50% of malicious office documents were downloaded via Google Drive in 2021.”
Cybercriminals use legitimate companies’ applications to carry out attacks. The widely used Google and Microsoft products often serve as attacker tools for spreading malware because they have a large user base and trusted services, making it easier to fall for hackers’ tricks. 50% of all malware downloaded by users from Google Drive in 2021 were malicious office documents. In addition, 37 percent of malware downloads are malicious office documents.
https://atlasvpn.com/blog/50-of-malicious-office-documents-were-downloaded-via-google-drive-in-2021?&web_view=true
Dhaval Patel says
A plug-in that allows for the use of PHP code on a site contains a vulnerability that allows for full site control on thousands of WordPress sites. One of the bugs makes it possible for any user of any authorization level, including subscribers and customers, to run code that will completely take over the website that has the plug-in installed. Luckily, the vulnerability was fixed once the researchers at Wordfence notified the developers.
https://threatpost.com/php-everywhere-bugs-wordpress-rce/178338/
Dan Xu says
From this week’s news, I read an article about Spanish police arresting SIM card exchangers for stealing money from victims’ bank accounts. The suspects in the crime ring masquerade as trusted representatives of banks and other organizations and use traditional phishing to obtain victims’ personal information and bank data and then withdraw funds from their accounts. The Federal Bureau of Investigation (FBI) said that from January 2021 through December 2021, it received 1,611 SIM card exchange complaints with adjusted losses of more than $68 million.
https://thehackernews.com/2022/02/spanish-police-arrest-sim-swappers-who.html
Victoria Zak says
“More companies are using multi-factor authentication. Hackers are looking for a way to beat it.”
Multi-factor authentication is an extra layer of security to prevent hackers from successfully getting into our device. Now, cybercriminals are trying to find a way to surpass multi-factor identification. According to the article, cybersecurity researchers at Proofpoint have detailed how there’s been a rise in phishing kits designed to bypass MFA.
Phishing kits only cost several dollars and help push attacks to be successful. However, phishing kits are advancing and allow attackers to steal multi-factor authentication tokens.
Reference:
https://www.zdnet.com/article/more-companies-are-using-multi-factor-authentication-hackers-are-looking-for-a-way-to-beat-it/
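The post above says phishing kits now steal MFA tokens. The reason this works against one-time codes but not against origin-bound authenticators is worth seeing in code, so here is an added simulation, not code from the article or from Proofpoint, that goes a step beyond the post by contrasting the two factor types. It implements RFC 6238 TOTP and a simplified stand-in for a WebAuthn assertion in which the signed client data carries the origin the browser is actually on. The origins, secrets and user name are constructed, and an HMAC over the client data stands in for the authenticator's public-key signature.

```python
"""Why a relayed one-time code passes MFA but an origin-bound assertion does not (simulation)."""
import hashlib
import hmac
import json
import secrets
import struct
import time

SERVER_ORIGIN = "https://login.example.test"        # constructed: the real site
PHISH_ORIGIN = "https://login.example-phish.test"   # constructed: adversary-in-the-middle page
TOTP_SECRET = b"constructed-totp-seed-for-demo"     # shared between app and server
AUTHENTICATOR_KEY = b"constructed-device-key"       # stand-in for the device's private key


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 HOTP with a time-based counter)."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign_client_data(challenge, origin):
    """Browser-side step: the authenticator signs the challenge *and* the page origin."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


class Server:
    """Relying party that accepts either a TOTP code or an origin-bound assertion."""

    def __init__(self):
        self.pending = {}

    def begin_login(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify_totp(self, user, code, now=None):
        # A code is a bearer secret: whoever presents it within the window is accepted.
        return hmac.compare_digest(code, totp(TOTP_SECRET, now))

    def verify_assertion(self, user, assertion):
        data = json.loads(assertion["client_data"])
        if data.get("origin") != SERVER_ORIGIN:        # origin check is the key defence
            return False
        if data.get("challenge") != self.pending.pop(user, None):
            return False
        expected = hmac.new(AUTHENTICATOR_KEY, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


def relayed_totp_login(server, user, now):
    """Kit shows a fake login page; the victim types the current code; the kit relays it."""
    code_typed_by_victim = totp(TOTP_SECRET, now)
    return server.verify_totp(user, code_typed_by_victim, now)


def relayed_webauthn_login(server, user):
    """Kit forwards the real challenge, but the victim's browser signs the phishing origin."""
    challenge = server.begin_login(user)
    assertion = sign_client_data(challenge, PHISH_ORIGIN)
    return server.verify_assertion(user, assertion)


def legitimate_webauthn_login(server, user):
    challenge = server.begin_login(user)
    assertion = sign_client_data(challenge, SERVER_ORIGIN)
    return server.verify_assertion(user, assertion)


if __name__ == "__main__":
    srv, user, now = Server(), "alice", 1_650_000_000
    print("TOTP relayed through phishing page accepted:", relayed_totp_login(srv, user, now))
    print("Origin-bound assertion via phishing page accepted:", relayed_webauthn_login(srv, user))
    print("Origin-bound assertion from real site accepted:", legitimate_webauthn_login(srv, user))
```

The takeaway for defenders is that any factor the user can read and retype (SMS, TOTP, push approval) is relayable in real time, so the mitigation is a factor whose proof is bound to the origin (FIDO2/WebAuthn, including passkeys) plus monitoring for logins whose session was established from an unexpected IP right after MFA.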
Madalyn Stiverson says
https://www.csoonline.com/article/3650011/russia-s-offensive-cyber-actions-should-be-a-cause-for-concern-for-cisos.html
Gamaredon, led by Russian Federal Security Service officers, has been targeting critical infrastructure, acquiring data to include theft and collection of intelligence, gaining informational and psychological influence, and blocking information systems. Gamaredon has been targeting EU countries using spear-phishing techniques.
The US is collaborating with the EU and NATO to enhance national and alliance resilience in cyberspace. The goal is to foster collaboration and support to implement cyber contingency plans in the event that Gamaredon launches an attack on Ukraine or other member countries.
kofi bonsu says
The article talks about the growing complications of networks, and how the need to make them more open, due to the increasing demand on and attractiveness of the Internet as a means for business transactions, means that networks are becoming more and more exposed to attacks, both from without and from within. The article went on to say that the increased complexity and openness of the network thus caused makes the question of security appear more difficult than hitherto, and brings the development of modern security technologies at the interface between networks of different security domains, such as between an Intranet and the Internet or an Extranet, and that the best way of ensuring interface security is the use of a firewall.
https://www.researchgate.net/publication/2371491_An_Overview_of_Firewall_Technologies
Patrick Jurgelewicz says
“Russian APT Hackers Used COVID-19 Lures to Target European Diplomats”
This article discusses the Russia-linked threat actor known as “APT29” which targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing attacks in October and November 2021. The emails impersonated the Iranian Ministry of Foreign Affairs and contained an attachment that prompted the recipients to open or save what appears to be an ISO disk image file (“Covid.iso”). When the victim downloads the file, code within the file would run a piece of PowerShell code that ultimately loads a Cobalt Strike Beacon onto the infected system.
https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html
Michael Jordan says
The article I am summarizing for this week’s in-the-news submission is about a zero-day vulnerability within WebKit. WebKit is the web browser engine used by Safari, Mail, the App Store, and many other apps on macOS, iOS, and Linux. On Thursday, February 10th, Apple released security updates for iOS, iPadOS, macOS, and the Safari app. Apple also acknowledged that they were aware that the flaw may have been actively exploited in the wild, and it is also known that this vulnerability was exploited by a piece of specially crafted web content that gained arbitrary code execution privileges. This vulnerability was discovered and reported by an anonymous researcher, and Apple remediated it by improving memory management.
Lakshmanan, R. (2022, February 10). Apple Releases iOS, iPadOS, macOS Updates to Patch Actively Exploited Zero-Day Flaw. thehackernews.com. Retrieved from https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html
Kyuande Johnson says
On February 13th, 2022, the San Francisco 49ers were hit with a ransomware attack that compromised the team’s financial information. The financial information was stolen and posted to the dark web. At this time there are no public details about the specifics of the ransom, including how much data was stolen. The 49ers said they’d notified law enforcement and hired cybersecurity firms to assist. The threat actor behind this attack is BlackByte. BlackByte is a ransomware-as-a-service (RaaS) gang that leases its ransomware to affiliates who cut it in on a share of ransom profits. BlackByte’s malware, like many ransomware variants, is hardcoded to not encrypt systems that use Russian or languages used by certain Russian allies. Whoever is behind the attack on the 49ers is in Russia or is one of its neighbors.
https://www.espn.com/nfl/story/_/id/33283115/san-francisco-49ers-network-hit-gang-ransomware-attack-team-notifies-law-enforcement
Olayinka Lucas says
In line with the ongoing hostilities between Russia and the West, I came across this article, dated February 16, 2022, and believe it would be a good read for the class. The Ministry of Defense and the Armed Forces of Ukraine and two of the country’s state-owned banks, PrivatBank (Ukraine’s largest bank) and Oschadbank (the State Savings Bank), are being hammered by Distributed Denial-of-Service (DDoS) attacks.
Ukraine’s Cyberpolice also reported that bank customers received text messages claiming that bank ATMs were down, adding that they were “part of an information attack and did not correspond to reality.”
The Kremlin on Wednesday denied responsibility for a cyberattack on Ukraine a day earlier that hit websites at the country’s defense ministry and armed forces and two state banks.
Kyiv had suggested that the attack came from Russia as fears persist that Moscow plans to invade its Western-backed neighbor Ukraine.
Source:
https://gadgets.ndtv.com/internet/news/russia-denies-ukraine-cyberattack-defence-ministry-state-bank-websites-ddos-hack-2772017