Matthew Bryan says
Article: Google WAF bypassed via oversized POST requests
Author: John Leyden
Published: 08 March 2022
Link: https://portswigger.net/daily-swig/google-waf-bypassed-via-oversized-post-requests
A vulnerability in Google’s web application firewall (WAF) makes it possible to bypass the company’s defenses. Kloudle, a security consultancy, identified that they were able to bypass Google Cloud Platform (GCP) and Amazon Web Services (AWS) web application firewalls by making a POST request more than 8KB in size. This allowed researchers to bypass the WAF and reach the underlying application. Users can block this attack by configuring a custom rule to block HTTP requests where the request body is larger than 8192 bytes.
Web application firewalls (WAF) help protect against various attacks such as SQL injection and cross-site scripting. Bypassing a WAF allows attackers increased access to the application allowing them to send targeted requests that could exploit a vulnerability. Kloudle noted that Google should be highlighting this issue more and promoting additional user education around the issue. It’s likely the default settings allow them to process other WAF rules which is why they were enabled by default.
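An added example, not from the Daily Swig article or Kloudle's write-up, of the mitigation the comment describes: a request filter that rejects POST bodies larger than 8192 bytes. The request structure, function names and sample requests are constructed assumptions; the practical caveat it shows is that the size has to be measured on the body actually received, because a Content-Length header is client-controlled and absent for chunked transfers.

```python
"""Constructed request filter for the "inspect only the first 8KB" failure mode.

The WAF in the article stopped inspecting request bodies beyond 8KB, so the
defensive rule is: refuse any body larger than that limit. A filter that only
reads Content-Length can be fooled, so the real check measures the body itself.
Request model, helper names and sample data are all constructed for this example.
"""
from dataclasses import dataclass, field

INSPECTION_LIMIT = 8192  # bytes of body the WAF actually inspected (from the article)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names normalised to lowercase
    body: bytes = b""


def declared_length(req):
    """Client-declared Content-Length, or None if absent or unparseable."""
    value = req.headers.get("content-length")
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def naive_check(req):
    """Flags oversized requests by trusting Content-Length alone.

    Misses chunked transfers (no Content-Length) and under-declared lengths.
    """
    length = declared_length(req)
    return length is not None and length > INSPECTION_LIMIT


def body_exceeds_limit(req):
    """The check the mitigation needs: measure the body that actually arrived."""
    return len(req.body) > INSPECTION_LIMIT


def filter_request(req):
    """Return (allowed, reason) for one request.

    Blocks bodies over the inspection limit, and bodies whose declared length
    disagrees with what was received, since that mismatch is itself a signal
    that the client is trying to confuse size-based handling.
    """
    if req.method.upper() not in ("POST", "PUT", "PATCH"):
        return True, "no body inspection needed"
    if body_exceeds_limit(req):
        return False, f"body {len(req.body)} bytes exceeds {INSPECTION_LIMIT}"
    declared = declared_length(req)
    if declared is not None and declared != len(req.body):
        return False, "Content-Length does not match body size"
    return True, "ok"


# Constructed sample traffic; none of these are captured requests.
SAMPLES = {
    "get": Request("GET", "/"),
    "small": Request("POST", "/login", {"content-length": "11"}, b"hello=world"),
    "oversized": Request("POST", "/login", {"content-length": "9000"}, b"A" * 9000),
    # Chunked transfer: no Content-Length at all, so a header-only check sees nothing.
    "chunked_oversized": Request("POST", "/login",
                                 {"transfer-encoding": "chunked"}, b"A" * 9000),
    # Header claims a small body while the real body is large.
    "under_declared": Request("POST", "/login", {"content-length": "100"}, b"A" * 9000),
}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        allowed, reason = filter_request(req)
        print(f"{name:18} naive={naive_check(req)!s:5} allowed={allowed!s:5} {reason}")
```

Running it shows that the header-only check passes both the chunked and the under-declared 9000-byte bodies, while the body-measuring filter rejects all three oversized requests.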
Oluwaseun Soyomokun says
CISA and FBI warning: Hackers used these tricks to dodge multi-factor authentication and steal email from NGO
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory regarding Russian state-sponsored hackers. The organizations say the hackers have found a way to disable multi-factor authentication (MFA) and exploit a Windows 10 printer spooler flaw to compromise networks and high-value domain accounts. According to the advisory, the actors “exploited a critical Windows Print Spooler vulnerability, ‘PrintNightmare’ (CVE-2021-34527) to run arbitrary code with system privileges.”
Israel was impacted on Monday by a Distributed Denial of Service (DDoS) attack that took some government sites offline temporarily. A statement issued by Israel’s National Cyber Directorate said that services were back online within a few hours, though observers such as NetBlocks reported that some government websites were inaccessible outside of the country. Unconfirmed reports allege that Iran’s Islamic Revolutionary Guard Corp was behind the attack.
https://securityboulevard.com/2022/03/cybersecurity-news-round-up-week-of-march-14-2022/
Mohammed Syed says
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
The National Security Agency (NSA) and Cybersecurity and Infrastructure Agency (CISA) released Kubernetes hardening guidance. In today’s environment, the cloud has become the most usable platform for easy and safe management of information. After the introduction of containerization, it has become one of the best solutions for managing heavy loads. The biggest advantage of containerization is running applications platform-independently; containers already contain all dependencies required to run applications. To manage containers, various tools have been launched, like Docker, Podman, Docker Swarm, Kubernetes, etc., which provide flexible ways to handle containers, such as vertical and horizontal scaling options.
Kubernetes clusters provide a cloud environment with increased flexibility compared to traditional software platforms. However, based on the research, it has been discovered that Kubernetes is targeted by attackers for data theft, computational power theft, and denial of service. Recently an incident occurred where it was found that the attacker used computational power for the purpose of cryptocurrency mining.
Containers are very useful in this computing era, but they require proper security mechanisms and management of advanced challenges and threats for application security.
Ornella Rhyne says
This article is about luxury hotels in Macau, China, that have been targeted and hacked. They were targeted by a malicious spear-phishing campaign from the second half of November 2021 through mid-January 2022. “The attack chains involved distributing email messages directed to individuals in executive roles in the hotel, such as the vice president of human resources, assistant manager, and front office manager, indicating that the intrusions were aimed at staff who were in possession of access to the hotel’s network.”
https://thehackernews.com/2022/03/south-korean-darkhotel-hackers-targeted.html?&web_view=true
Hang Nu Song Nguyen says
https://www.imperva.com/learn/application-security/buffer-overflow/
“Buffer Overflow Attack” explained what a buffer overflow attack is, how many types of buffer overflow attacks there are, what programming languages are more vulnerable to buffer overflow attacks, and how to prevent them. In this reading, there are three common protections against buffer overflows. First, address space layout randomization (ASLR): this protection randomly moves the address space locations of data regions, which prevents buffer overflow attacks because they need to know the location of executable code. Second, data execution prevention: this protection flags certain areas of memory as executable or non-executable, which stops an attack from running code in a non-executable region. Last, structured exception handler overwrite protection (SEHOP): this protection helps stop malicious code from attacking SEH, the built-in system for managing hardware and software exceptions.
Jason Burwell says
“New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems”
Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software’s InsydeH2O and HP Unified Extensible Firmware Interface (UEFI).
Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the high-severity vulnerabilities are rated 8.2 out of 10 on the CVSS scoring system.
https://thehackernews.com/2022/03/new-dell-bios-bugs-affect-millions-of.html
Bryan Garrahan says
https://www.forbes.com/sites/gordonkelly/2022/03/16/google-issues-warning-for-millions-of-chrome-users/?sh=843f5466668e
On Tuesday, March 15th, Google released an official blog post where they identified 11 new threats which could impact Windows, macOS and Linux Chrome users. Google is urging users to upgrade/patch their systems in order to keep their systems safe. ‘Use-After-Free’ (UAF) exploits were identified as the most commonly exploited vulnerability within the Chrome browser. However, a heap buffer overflow exploit was also heavily exploited. The attack was described as, “Also referred to as ‘Heap Smashing’, memory on the heap is dynamically allocated and typically contains program data. With an overflow, critical data structures can be overwritten which makes it an ideal target for hackers”.
Ryan Trapp says
Biden says Russia exploring revenge cyberattacks
The US has received intelligence that Russia is exploring options for some retaliatory cyber attacks against US companies. The threat is significant enough that several hundred US companies have been given classified briefings, specifically ones in critical infrastructure. President Joe Biden is urging companies in the private sector to get their cyber security defenses in order as the threat of attacks grows increasingly likely. Biden has also stated that if attacked, the US does plan to respond.
https://www.theregister.com/2022/03/22/biden_cybersecurity_statement_warning/
Corey Arana says
This article talks about a phishing technique called browser in the browser (BitB). This attack can be used to simulate a browser window within the browser to spoof a legitimate domain. It then makes it possible to create a convincing phishing attack. This type of attack takes advantage of third-party single sign-on (SSO). Normally, a pop-up window is created to complete the sign-on process, and BitB creates a fabricated browser window to replicate the process. By doing this, it becomes undetectable.
https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html
Yangyuan Lin says
Facestealer Trojan Hidden in Google Play Plunders Facebook Accounts
A popular mobile app in the official Google Play store called “Craftsart Cartoon Photo Tools” contains the Facestealer Android malware. The app pretends to be a legitimate photo editor, but it hides a malicious piece of code. When the app first launches, it directs the user to the legitimate Facebook main login page and requires the user to log in before using the app. The “injected malicious JavaScript then steals the login credentials and sends them to the command and control server.” The malicious code can extract information from the victim’s Facebook account, including email and IP addresses, phone numbers, conversations and message history records, credit card details, friend lists, and more.
Link: https://threatpost.com/facestealer-trojan-google-play-facebook/179015/?web_view=true
Amelia Safirstein says
USAHERDS is a web application that U.S. state governments use to track and trace diseases in livestock. The USAHERDS application’s servers were all using the same hardcoded static key for encryption. The hacking group APT41 got ahold of the key when doing reconnaissance for a different network and used this as their first step into the USAHERDS hack. This is still being investigated, but it appears that the hacking group may have used this vulnerability to access the government networks of multiple U.S. states.
https://www.wired.com/story/china-apt41-hacking-usaherds-log4j/
Elizabeth Gutierrez says
Title: This browser-in-browser attack is perfect for phishing
Link: https://www.theregister.com/2022/03/18/browser_in_browser_phishing/
Recently, browser-in-browser (BitB) attacks have raised concern among researchers as a way to exploit the insecurity of the ad ecosystem. Said novel phishing techniques are used to harvest login credentials by simulating browsers in order to spoof a legitimate domain. This method takes advantage of third-party single sign-on (SSO) options embedded on websites such as Google and Facebook. Once victims are redirected to the malicious popup window to complete the authentication process, it makes it possible to stage convincing phishing attacks. It is not uncommon for people to fall for these attacks since malicious individuals combine the window design with an iframe and use a mix of HTML and CSS code to fabricate the browser window, while the URL appears to be trustworthy. Researchers suggest that BitB attacks operate in similar ways in which attackers have tried to obtain access to cryptocurrency wallets. Ultimately, it is an understatement to say that ad ecosystem security is lacking.
Michael Galdo says
Russia Lays Groundwork for Cyberattacks on US Infrastructure – White House
Russia is considering “options for potential cyberattacks” on important infrastructure in the United States. It seems that Russia is doing this in retaliation for sanctions and other punishments imposed on them due to their invasion of Ukraine. Cyber-related “preparatory activity” from President Putin’s government has been found by U.S. intelligence, but the White House Deputy National Security Adviser for Cyber and Emerging Technology, Anne Neuberger, stated that no real threat has been identified. There is no evidence of any specific cyberattack that is being anticipated, but the activity was shared in a classified context with companies who intelligence thought may be affected by this attack.
https://threatpost.com/russia-cyberattacks-us-infrastructure/179037/
Joshua Moses says
For this week’s ‘in the news’ I found a very interesting article about cloud based security risks. The title of this article is “97% of security findings are related to cloud, study finds”. The study that is being referenced is fairly new and was conducted by JupiterOne (a cybersecurity management automation startup). Today, many organizations’ cloud asset inventory has grown exponentially, to the point that “nearly 90% of all assets are cloud-based”. Moreover, security practitioners now realize that this exponential growth has impacted their workload and security posture.
In the past, information security personnel were used to physical devices being the main concern. This conditioning and way of thinking has hindered cloud-specific security policies, and it is still the traditional approach to IT asset inventory, policy, and best practices. This isn’t to suggest that physical devices and human behaviors no longer pose a grave threat to organizations; however, times have changed, and in turn it is imperative to change the way we traditionally approach these topics.
https://venturebeat.com/2022/03/22/97-of-security-findings-are-related-to-cloud-study-finds/
Alexander William Knoll says
“Cybercriminals made $7bn in pure profit in 2021, says FBI”
Author – Brandon Vigliarolo
3/23/22
The article I read this week is as the title describes: cyber criminals have again reached a record-breaking number of pure profit in 2021. This data is based on the FBI’s IC3 (Internet Crime Complaint Center) annual report, which is compiled from 847,376 complaints it received in 2021, with businesses recording over $6.9 billion in losses. These complaints were a 7% increase from 2020, where 791,700 complaints were filed, and the year prior, where 467,361 complaints were filed. The report also attributes this huge increase to COVID-19 factors such as remote work & schooling, which have introduced a whole new realm of attack vectors. The IC3 report goes on to break down the most popular scams of 2021 into five areas sorted by total estimated loss.
1. Business email compromise – BEC resulted in 19,954 complaints totaling $2.4 billion in losses. Fortunately, the IC3 RAT group is designed to freeze funds as soon as compromise is reported, and they have to date recovered $328.32 million and have success in 74% of cases.
2. Cryptocurrency scams – Cryptocurrency use has been on the decline when compared to its legitimate user base, but still accounts for $1.6 billion of illicit funds being moved in 2021, which is an increase over 2020 despite fewer claims being reported.
3. Confidence & romance scams – These types of scams, which are usually achieved by feigning romantic intentions towards the victim in order to commit fraud, earned $956 million in 2021 as a result of extortion. Confidence/romance tricksters appear to have utilized cryptocurrency scams more frequently in 2021.
4. Tech support scams – With 29,903 reports in 2021, these types of scams are designed to target older people who are not tech savvy, and cyber criminals earned $347 million off these activities in 2021, which was a 136% increase from 2020. The victim in these cases is over the age of 60, 60% of the time.
5. Ransomware only accounted for 3,279 complaints in 2021, which totaled just $49.2 million in losses. Critical infrastructure sectors, mainly healthcare, were the hardest-hit sector in 2021, followed by financial services, IT, critical manufacturing, & government.
https://www.theregister.com/2022/03/23/cybercriminals_made_7bn_2021/