IoT cyberattacks have been on the rise, and recently attacks have increased on a massive scale. According to Kaspersky, more than 1.5 billion attacks on smart devices were recorded in the first six months of this year alone. The main motives for targeting IoT devices are to steal data, mine cryptocurrencies, and/or build botnets.
What has happened?
Kaspersky telemetry revealed that the first six months of this year showed 100% growth in cyberattacks targeting IoT devices compared to previous trends.
• Attackers are still monetizing the work-from-home situation. They attack corporate resources by targeting the home networks and smart home devices connected to those resources.
• Infected devices are used to steal personal or corporate information and to mine cryptocurrencies. They are also added to botnets to carry out DDoS attacks.
• Attackers exploit weak passwords to infect IoT targets. In addition, vulnerabilities are being discovered more frequently in smart devices.
According to the report, incident preparedness is still lacking as personal devices are used to access resources on corporate networks. This reduces endpoint visibility and expands the attack surface.
Recent threats on IoT devices
• A set of vulnerabilities called BrakTooth has been revealed, affecting the Bluetooth stacks of billions of commonly used devices, including chipsets from at least 11 vendors.
• Just a week ago, a vulnerability was detected in the Linphone SIP protocol stack from Belledonne Communications. Linphone is one of the first open source applications to use SIP on Linux. The vulnerability affected Linphone and other SIP-based products, including popular VoIP mobile apps and IoT firmware.
• In May, the Lemon Duck botnet was targeting IoT devices to exploit their computing resources for cryptocurrency mining. It also resulted in more systems being added to the botnet.
Conclusion
IoT devices are used now more than ever and have become an essential part of daily operations. At the same time, the increasing exploitation of smart devices has become a major concern, as it could lead to access to corporate networks. Therefore, IoT users are advised to avoid using default passwords and to always update devices with the latest firmware.
An APT group recently targeted the Active Directory server of a victim’s Office365 environment, extorting secret SAML tokens. These tokens pass information about users, logins, and attributes between the identity provider and the service providers.
What has happened?
Researchers found that the threat group targeted an Office 365 environment that is believed to have a hybrid authentication model configured or to be fully operating in a cloud network. The threat actor hijacked the AD FS server, probably using stolen credentials, and gained access to the server exploiting the SAML token. The attackers specifically targeted the token-signing certificates and private keys used to sign SAML tokens within the servers. This certificate has a default validity of one year. It allows cybercriminals to log into Azure or Office365 as any existing user within AD, regardless of any password reset or MFA requirement.
A hot target for a reason.
By abusing the Golden SAML token, attackers can access Azure / Azure AD, Office365, Azure Applications, and Defender Security Center. Attackers can exfiltrate database files using proxy logs, NetFlow, EDR, and command-line parsing. They can perform ADFS lateral movement through a pass-the-hash (PTH) attack. They can use credential-dumping tools through the command-line registry in the Sysmon or EDR tools. Furthermore, they can perform DKM access using PowerShell and also spoof SAML requests.
Conclusion
The recent attack is tricky and is carried out with the aim of obtaining the token-signing certificate to gain access to a specific target network. Therefore, experts suggest implementing additional layers of protection for SAML certificates and, in case of compromise, reissuing certificates in ADFS twice and forcing re-authentication for all users.
Barlow Respiratory Hospital in California escaped the worst of a recent ransomware attack, but still had patient data posted on a leak site.
Ransomware groups have shown no signs of slowing down their assault on hospitals, apparently increasing attacks on healthcare institutions as dozens of countries face a new wave of COVID-19 infections thanks to the powerful Delta variant.
One of the newer ransomware groups, Vice Society, debuted in June and made a name for itself by attacking various hospitals and leaking patient information. Cybersecurity researchers at Cisco Talos said Vice Society has been known to “be quick to exploit new security vulnerabilities to aid ransomware attacks” and frequently exploits the Windows PrintNightmare vulnerabilities during attacks.
“As with other threat actors operating in the big game space, the Vice Society operates a data breach site, which they use to publish data extracted from victims who do not choose to pay their extortion lawsuits,” explained Cisco Talos last month. Cybersecurity firm Dark Owl added that Vice Society “is considered a possible derivative of the Hello Kitty ransomware variant based on similarities in techniques used for Linux system encryption.” According to Black Fog, the group was implicated in a ransomware attack on the Swiss town of Rolle in August.
Several hospitals, including Eskenazi Health, Waikato DHB, and Centre Hospitalier D’Arles, have appeared on the criminal group’s leak site. The group caused a sensation this week by publishing data from the Barlow Respiratory Hospital in California.
The hospital was attacked on August 27 but managed to avoid the worst, noting in a statement that “no patient was at risk of harm” and that “hospital operations continued without interruption.”
Barlow Respiratory Hospital told ZDNet that the police were immediately notified once the hospital noticed that the ransomware affected some of its IT systems.
“Although we have gone to great lengths to protect the privacy of our information, we learned that some data was removed from certain backup systems without authorization and posted on a website where criminals post stolen data, also known as the ‘dark web.’ Our investigation into the incident and the data involved is ongoing,” the hospital said in a statement.
“We will continue to work with law enforcement agencies to assist in their investigation, and we are working diligently, with the help of a cybersecurity firm, to assess what information may have been involved in the incident. If necessary, we will notify the individuals whose information may have been involved, in accordance with applicable laws and regulations, in due course.”
The attack on Barlow caused considerable outrage online considering the importance of the hospital during the COVID-19 pandemic. But dozens of hospitals continue to come forward to say they have been targeted by ransomware attacks. Vice Society is far from the only ransomware group targeting hospitals and healthcare institutions.
The FBI issued an alert about Hive ransomware two weeks ago after the group brought down a hospital system in Ohio and West Virginia last month, noting that it typically corrupts backups as well.
So far, Hive has targeted at least 28 organizations, including Memorial Health System, which was targeted with ransomware on August 15. Ransomware groups are also increasingly targeting hospitals because of the confidential information they carry, including social security numbers and other personal data. In recent months, several hospitals have had to send letters to patients admitting that sensitive data was accessed during the attacks.
Simon Jelley, CEO of Veritas Technologies, said that targeting healthcare organizations is “particularly despicable.” “These criminals are literally putting people’s lives in danger for profit. The elderly, children and anyone else who requires medical attention will probably not be able to get it as quickly and effectively as they need. At the same time, the hackers hold hospital systems and data prisoner,” Jelley said.
“Not to mention, healthcare facilities are already struggling to keep up as COVID-19 cases rise once again in many parts of the country. Preventing ransomware attacks is a noble endeavor, but as the attack on Memorial Health System and as many others in recent months illustrate, preparation to deal with the aftermath of a successful attack is more important than ever.”
Hackers have stolen information from the sportswear manufacturer Puma and are currently trying to extort the German company into paying a ransom demand, threatening to release the stolen files on a dark web portal specializing in the leakage and sale of stolen information.
The entry announcing the Puma data was added to the site more than two weeks ago, in late August, The Record learned. “It was a PUMA source code for an internal application, which was leaked,” Robert-Jan Bartunek, Puma’s head of corporate communications, told The Record last week.
“No consumer or employee data was affected,” added Bartunek.
Hackers claim to be in possession of more than 1GB of Puma data. To prove their claims, the threat actors leaked some sample files that, based on their structure, suggest that the attackers might have obtained Puma’s data from a Git source code repository.
The data is currently listed on a dark web portal called Marketo. Launched in April of this year, the site works in a simplistic way.
At first, the site administrators list upcoming victims and then add some kind of proof (usually a small downloadable file) that they breached the victim’s network.
If the victim company does not cooperate with the hackers, its data is leaked on the site, either as a free download or exclusively for VIP members.
The site claims to list the data provided by multiple hacking groups and that it does not work with ransomware gangs. “At this point, I can say that Puma has not yet contacted us,” the administrator of the dark web leak portal told The Record in a conversation last week.
“The rest of the data will be released if Puma declines the negotiations,” they added.
Other companies currently listed on the site include Siemens Gamesa, Kawasaki, Fujitsu, and more than 20 others. In a statement to ZDNet’s Jonathan Greig, Fujitsu said last week that the data listed on Marketo was not connected to a cyberattack on its network, suggesting that it may have been obtained from a third party.
Aamir Lakhani, a researcher at FortiGuard Labs, explains why organizations should extend cyber awareness training across the enterprise, from Luddites to executives.
These days, ransomware is seemingly ubiquitous. It’s no longer just a topic of discussion for cybersecurity professionals and researchers; rarely a week goes by without it being in the mainstream media.
It has quickly become a common word, and in some respects this increased visibility is a welcome development. While it’s not good that everyone is talking about it because of the recent attacks, the good thing is that awareness is (hopefully) increasing as well. Because in today’s world, basically everyone is a potential target for ransomware, and that means security professionals have a lot of work ahead of them.
Greater vulnerability in general.
Even the most well-known Luddites among us probably have at least a small digital footprint, whether they know it or not. If you buy food with a debit card, visit a doctor, or pay taxes, there is personal information about you in a digital format somewhere. And that’s just to name a few examples.
That means the “Oh, I don’t have anything cybercriminals care about” mentality should be put aside for good. Yes, you do, and even if you don’t think you do directly, you’re probably connected to someone else with more valuable digital assets, and bad actors will try to use you as a path. And as security professionals, we must make everyone understand this.
The explosion of attacks is the result of threat actors harvesting the lowest-hanging fruit with incredibly powerful digital “gatherers” and scalable resources, including automated approaches and machine learning. For example, consider how they are using spear-phishing through weaponized machine learning to target executives. It also means that low-security IoT devices, unpatched systems, and more can now be detected more easily and efficiently than ever.
Lowest hanging fruit is not always the best target.
While not all hackers are out for money, those who are become particularly adept at plying their trade. What malicious actors are often looking for are the most lucrative and critically important “keys to the realm”: information, passwords, contacts, or accounts, usually found within the C-suite. And top management targets not only have the most valuable organizational data, but they are also the ones making the decisions about whether to pay a ransom.
This creates two situations that put executives under even greater threat. First, it makes a ransomware attack on a decision maker incredibly efficient, achieving the maximum return on investment for threat actors. Second, it makes a senior executive’s personal communications incredibly valuable and particularly vulnerable. The tighter the cybercriminals’ hold on embarrassing business and private communications that they threaten to release, the greater their ability to get paid, and often the more they can demand.
The sad reality is that most executives, and particularly their direct reports, are incredibly soft targets. Today’s cybercriminals have increasingly sophisticated technology. When they use tools like AI-generated deepfake technology, the simplicity of ransomware is deceptive in more ways than one. When threat actors gain access to personal communications, it’s ridiculously easy to use AI to mirror the tone and style of people you’d never suspect: not just another C-suite member or business leader, but a close friend, a spouse or a family member.
More cybersecurity training is needed.
Social engineering schemes, such as phishing attacks, continue to be one of the most common vectors for ransomware and other cybersecurity attacks. And while many organizations are supposedly training employees, those workers apparently do not retain what they have been taught.
A recent report by Cloudian found that phishing attacks were successful even though 54 percent of all respondents, and 65 percent of those who reported it as the entry point of a ransomware attack, had conducted anti-phishing training for employees. Increased awareness is the fundamental principle on which a strong cybersecurity strategy is based. Although many organizations focus on daily cyber awareness cybernetics ethics, they should also consider the value of training their network and security professionals.
To maximize investments and improve cybersecurity, cyber awareness training should ensure that technical security professionals gain the knowledge necessary to optimize solution implementations for enhanced security. By taking steps to prioritize cybersecurity awareness training, organizations and their employees can stay ahead of threats before they can have an impact. At the same time, cybersecurity training must take place across the board, including executives, who cannot be overlooked given the access they have and the huge targets on their backs.
Don’t discriminate – Educate.
Ransomware does not discriminate. Today, everyone is a potential target. If you have even the smallest digital footprint, you face the risk of ransomware and other types of attacks. That’s even truer for executives, who have access to more sensitive data. Given this reality, organizations must expand cyber awareness training across the enterprise. No employee is too big or too small for this type of education. In a world where everyone is at risk, it makes sense to equip each employee with the information they need to help defeat cybercrime.
Threatpost interviews Wiz CTO about a recently patched vulnerability for Amazon Route53 DNS service and Google Cloud DNS.
LAS VEGAS – Amazon and Google patched a domain name service (DNS) bug that allowed attackers to snoop into companies’ confidential network settings, revealing employee and computer names along with office locations and exposed web resources.
The vulnerability, described in a Black Hat USA 2021 talk last week, is a new class of vulnerabilities affecting major DNS-as-a-service (DNSaaS) providers, according to researchers at cloud security firm Wiz.
Ami Luttwak, co-founder and CTO of Wiz, said the bug allows an adversary to perform unprecedented reconnaissance on a target – that is, any vulnerable corporate network that inadvertently allows such eavesdropping on the network.
Going down the DNS loophole.
“We found a simple loophole that allowed us to intercept some of the world’s dynamic DNS traffic that passes through managed DNS providers like Amazon and Google. We basically ‘wiretapped’ the internal network traffic of 15,000 organizations (including Fortune 500 companies and government agencies) and millions of devices,” Wiz wrote in a technical breakdown of the bug.
Luttwak calls what he found a “loophole” within the process used to handle the now obsolete dynamic DNS within modern DNS server configurations.
“We registered a new domain on the Route 53 platform with the same name as its official DNS server. (Technically, we created a new ‘hosted zone’ within the AWS nameserver ns-1611.awsdns-09.co.uk and named it ‘ns-852.awsdns-42.net’),” the researchers explained.
The researchers then gained control of the hosted zone by registering thousands of domain name servers with the same name as the official DNSaaS server. “Whenever a DNS client queries this nameserver about itself (which thousands of devices do automatically to update their IP address within their managed network, more on that in a minute), that traffic goes directly to our IP address,” Wiz wrote.
What the researchers observed next was a flood of dynamic DNS traffic from Windows machines querying the “hijacked name server” for itself. In total, the researchers profiled 15,000 organizations (some Fortune 500 companies), 45 US government agencies, and 85 international government agencies.
Bad configuration or vulnerability?
The DNSaaS providers Route53 and Google Cloud DNS fixed the problem by no longer allowing the kind of spoofed record that mirrored their own DNS server.
As for Microsoft, the researchers said that the company considered it to be a misconfiguration problem. “Microsoft could provide a global solution by updating its dynamic DNS algorithm. However, when we reported our discovery to Microsoft, they told us that they did not consider it a vulnerability, but rather a known misconfiguration that occurs when an organization works with external DNS resolvers,” the researchers said.
Luttwak said that companies can prevent this type of DNS exploitation by properly configuring their DNS resolvers so that dynamic DNS updates do not leave the internal network.
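To make Luttwak's advice checkable, the following added example (not code from Wiz, Amazon, Google or Microsoft) parses DNS message headers and flags dynamic update messages (opcode 5, RFC 2136) that travel from an internal host to an address outside the organization. The packet tuples, the `INTERNAL_NETS` ranges and the sample traffic are constructed assumptions; in practice the payloads would come from a capture at the network egress.

```python
import ipaddress
import struct

OPCODE_QUERY = 0
OPCODE_UPDATE = 5  # RFC 2136 dynamic update

# Assumption: these ranges count as "inside"; replace with the site's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_dns_message(opcode, name, rtype):
    """Build a header plus one question/zone entry (used only for the sample data)."""
    flags = (opcode & 0xF) << 11  # opcode occupies bits 14..11 of the flags word
    header = struct.pack("!HHHHHH", 0x1A2B, flags, 1, 0, 0, 0)
    wire_name = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + wire_name + struct.pack("!HH", rtype, 1)


def parse_opcode_and_name(payload):
    """Return (opcode, first name of the question/zone section) of a DNS message."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _ident, flags, count, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    labels, pos = [], 12
    while count:
        if pos >= len(payload):
            raise ValueError("name runs past the end of the message")
        length = payload[pos]
        pos += 1
        if length == 0:  # root label terminates the name
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return opcode, ".".join(labels)


def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def find_leaking_updates(packets):
    """packets: iterable of (src_ip, dst_ip, dns_payload) tuples.

    Returns (src, dst, zone) for every dynamic update that leaves the internal network.
    """
    findings = []
    for src, dst, payload in packets:
        try:
            opcode, zone = parse_opcode_and_name(payload)
        except ValueError:
            continue  # not a parseable DNS message; ignore it here
        if opcode == OPCODE_UPDATE and is_internal(src) and not is_internal(dst):
            findings.append((src, dst, zone))
    return findings


# Constructed sample traffic: documentation addresses and example domains only.
SAMPLE_PACKETS = [
    ("10.0.5.23", "10.0.0.53", build_dns_message(OPCODE_UPDATE, "corp.example", 6)),
    ("10.0.5.23", "203.0.113.10", build_dns_message(OPCODE_UPDATE, "corp.example", 6)),
    ("10.0.5.24", "203.0.113.10", build_dns_message(OPCODE_QUERY, "www.example.com", 1)),
    ("10.0.5.25", "203.0.113.10", b"\x00\x01"),  # truncated payload
]

if __name__ == "__main__":
    for src, dst, zone in find_leaking_updates(SAMPLE_PACKETS):
        print(f"dynamic update for zone {zone!r} left the network: {src} -> {dst}")
```
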
New vulnerabilities have been discovered in the Fortress S03 Wi-Fi home security system that could be abused by a malicious party to gain unauthorized access with the aim of altering system behavior, including disarming devices without the victim’s knowledge.
The two unpatched issues, tracked as CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021 with a 60-day deadline to fix the weaknesses.
The Fortress S03 Wi-Fi Home Security System is a DIY alarm system that allows users to protect their homes and small businesses from burglars, fires, gas leaks, and water leaks by taking advantage of Wi-Fi and RFID technology for keyless entry. The company’s security and surveillance systems are used by “thousands of customers and ongoing customers,” according to its website.
Calling the vulnerabilities “trivially easy to exploit,” Rapid7 researchers noted that CVE-2021-39276 refers to unauthenticated API access that allows an attacker in possession of a victim’s email address to query the API to leak the device’s International Mobile Equipment Identity (IMEI) number, which also doubles as the serial number. Armed with the device’s IMEI number and email address, the adversary can proceed to make a number of unauthorized changes, such as disabling the alarm system through an unauthenticated POST request.
CVE-2021-39277, on the other hand, relates to an RF signal replay attack, in which the lack of proper encryption gives a bad actor the ability to capture the radio frequency command-and-control communications over the air using a software-defined radio (SDR) and replay the transmission to perform specific functions, such as “arm” and “disarm” operations, on the target device.
“For CVE-2021-39276, an attacker with knowledge of a Fortress S03 user’s email address can easily disarm the installed home alarm without that user’s knowledge,” the researchers said in a report shared with The Hacker News.
“CVE-2021-39277 presents similar issues, but requires less prior knowledge of the victim, as the attacker can simply monitor the property and wait for the victim to use the RF-controlled devices within radio range. The attacker can then reproduce the ‘disarm’ command later, without the victim’s knowledge.”
Rapid7 said it notified Fortress Security of the issues on May 13, 2021, only for the company to close the report 11 days later, on May 24. We reached out to Fortress Security for comment and will update the story if we receive a response. Given that the problems persist, it is recommended that users configure their alarm systems with a unique, one-time email address to avoid IMEI number exposure.
“For CVE-2021-39277, there appears to be very little a user can do to mitigate the effects of RF replay issues without a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using key fobs and other RF devices linked to their home security systems,” the researchers said.
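The "cryptographic controls on RF signals" that the researchers call for can be illustrated with a generic counter-plus-MAC frame, shown here as an added example beside a fixed-code receiver; it is not Fortress or Rapid7 code and not the S03's actual radio protocol. The frame layout, command values, acceptance window and shared key provisioned at pairing are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

CMD_ARM, CMD_DISARM = 1, 2   # hypothetical command values
TAG_LEN = 8                  # truncated HMAC-SHA256 tag, in bytes
WINDOW = 16                  # tolerated gap for button presses the receiver missed


class FixedCodeReceiver:
    """The weakness: 'disarm' is a static byte string, so a recording never expires."""

    def __init__(self, disarm_code):
        self._disarm_code = disarm_code
        self.armed = True

    def receive(self, frame):
        if hmac.compare_digest(frame, self._disarm_code):
            self.armed = False
            return True
        return False


class CounterMacFob:
    """Key fob that sends command + monotonic counter, authenticated with a MAC."""

    def __init__(self, key):
        self._key = key
        self._counter = 0

    def frame(self, command):
        self._counter += 1
        body = struct.pack("!BI", command, self._counter)  # 1 + 4 bytes
        return body + hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]


class CounterMacReceiver:
    """Accepts a frame only if the MAC verifies and the counter is fresh."""

    def __init__(self, key):
        self._key = key
        self._last_counter = 0
        self.armed = True

    def receive(self, frame):
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified frame
        command, counter = struct.unpack("!BI", body)
        if command not in (CMD_ARM, CMD_DISARM):
            return False
        if not self._last_counter < counter <= self._last_counter + WINDOW:
            return False  # already-used counter (replay) or implausibly far ahead
        self._last_counter = counter
        self.armed = command == CMD_ARM
        return True


def replay_demo():
    """Run both receivers against a recorded 'disarm' frame and report the outcome."""
    results = {}

    captured = b"\xa5\x5a\x02"           # constructed fixed-code frame
    fixed = FixedCodeReceiver(captured)
    fixed.receive(captured)              # legitimate press, recorded by a listener
    fixed.armed = True                   # owner re-arms the system
    results["fixed_replay_accepted"] = fixed.receive(captured)

    key = bytes(range(32))               # constructed demo key, shared at pairing
    fob, receiver = CounterMacFob(key), CounterMacReceiver(key)
    disarm = fob.frame(CMD_DISARM)       # counter 1, recorded by a listener
    results["mac_first_accepted"] = receiver.receive(disarm)
    receiver.receive(fob.frame(CMD_ARM)) # counter 2, owner re-arms
    results["mac_replay_accepted"] = receiver.receive(disarm)
    tampered = bytearray(fob.frame(CMD_ARM))
    tampered[0] = CMD_DISARM             # command byte changed, tag no longer matches
    results["mac_tampered_accepted"] = receiver.receive(bytes(tampered))
    results["still_armed"] = receiver.armed
    return results


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```
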
Exploitation and abuse related to COVID-19 are increasing as vaccine data opens new frontiers for threat actors.
This week, the Indiana Department of Health issued an advisory that the state’s COVID-19 contact tracing system had been exposed through misconfiguration in the cloud, revealing names, emails, gender, ethnicity, race and birth dates of more than 750,000 people.
The incident shows that COVID-19 data, now being collected on millions of people around the world, could be primed for abuse and misuse, according to experts. The question is whether it is being adequately protected from threat actors. And it turns out there might be some work to be done on the security front.
Meanwhile, COVID-19 vaccine fraud is also on the rise, showing that the pandemic still offers a rich vein for cybercriminals of all stripes.
When it comes to the contact tracing incident, “We believe the risk to Hoosiers residents whose information was accessed is low,” State Health Commissioner Kris Box, MD, said in a statement. “We did not collect Social Security information as part of our contact tracing program and we did not obtain medical information. We will provide adequate protections for anyone affected.”
Turns out the Indiana Department of Health was half right; the threat was low. The company that accessed the information was a cybersecurity company called UpGuard, which found an API that was misconfigured, insecure, and visible to anyone on the Internet. When UpGuard alerted Indiana officials, they did not seem to understand that UpGuard was trying to help, not abuse their data.
Unprotected Indiana contact tracing data
In response to a report by UpGuard’s security researchers that the data was not protected, the Indiana Department of Health said the company gained “unauthorized access” to its contact tracing database, according to an AP report. The state also claimed that UpGuard “improperly accessed” the data, apparently without understanding that UpGuard was trying to help them improve their cybersecurity posture.
“For one thing, our company did not ‘improperly access’ the data. The data was made accessible to the public on the Internet,” said Kelly Rethmeyer, a spokesperson for the UpGuard company. “This is known as a data leak. It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user.”
The Indiana Office of Technology later said that the software configuration problem was fixed and asked UpGuard to return the accessed records, which it did.
Although the issue has been fixed and the API is now secured, the apparent confusion surrounding a disclosure from a cybersecurity company shows that local governments may not be fully aware of the risks or the tools available to help shore up cybersecurity, or of how to work with the research community effectively to mitigate reported vulnerabilities. Nonetheless, municipalities around the world are collecting vast amounts of data through COVID-19 contact tracing programs, like the one in Indiana, and vaccine record keeping.
“We are in a data breach pandemic,” UpGuard’s Rethmeyer told Threatpost.
Counterfeit COVID-19 cards
Meanwhile, Flashpoint has also released a report detailing an increase in cybercriminals selling counterfeit COVID-19 vaccine certificates and other public health documentation related to COVID-19 in reaction to an increase in US businesses requiring proof of vaccination before congregating in public spaces.
The Flashpoint report added that these fake credentials are available on various underground closed channels such as underground forums, chat rooms, and more.
Flashpoint observed a cybercriminal named “Freedom” posting bogus vaccine documentation provided with the help of doctors.
“Flashpoint analysts believe this ad was placed on an anti-COVID blackout channel to target customers who are skeptical about vaccines and blockages in the US,” the report says.
Another person named “BigDOCS” was offering letters stating that someone tested negative for COVID-19, for $40. Another counterfeit certificate vendor was offering a fake vaccine card for $100, and for $125 the recipient can receive it overnight.
Another scammer on Telegram claimed that he could produce a vaccine card for a Pfizer or Johnson & Johnson vaccine.
Similar fraudulent documents can be purchased for use throughout the European Union, Flashpoint added. On the underground Nulled forum, investigators found an EU vaccine certificate for sale for $450.
“The threat actor announcing the certificate mentioned that he too is a vaccine skeptic who does not trust the government and does not want to be forced to get vaccinated,” Flashpoint reported.
Flashpoint even found a blank CDC COVID-19 vaccine template available for free on 4chan.
“Flashpoint analysts have observed threat actors on the 4chan image board sharing CDC COVID-19 vaccine templates, which can be accessed for free through open web sources,” the report says.
With criminals determined to circumvent public health requirements for vaccines, testing, and contact tracing, governments will have to keep up.
A modified version of the WhatsApp messaging app for Android has been trojanized to intercept text messages, serve malicious payloads, display full-screen ads, and register device owners for unwanted premium subscriptions without their knowledge.
“The Triada Trojan snuck into one of these modified versions of the messenger called FMWhatsApp 16.80.0 along with the adware development kit (SDK),” researchers at Russian cybersecurity firm Kaspersky said in a whitepaper published Tuesday. “This is similar to what happened with APKPure, where the only malicious code that was embedded in the application was a payload downloader.”
Modified versions of legitimate Android apps, a practice called modding, are designed to perform functions that app developers didn’t originally envision or intend. FMWhatsApp, billed as a custom version of WhatsApp, allows users to reshape the app with different themes, customize icons, hide features like last seen views, and even disable video calling features. The application is only available through third-party websites.
The manipulated variant of the application detected by Kaspersky comes equipped with capabilities to collect unique device identifiers, which are sent to a remote server that responds with a link to a payload that is subsequently downloaded, decrypted, and launched by the Triada Trojan.
The payload, meanwhile, can be used to carry out a wide range of malicious activities, ranging from downloading add-on modules and displaying full-screen ads to stealthily subscribing victims to premium services and logging into WhatsApp accounts on the device. Worse still, attackers can hijack and take control of WhatsApp accounts to carry out social engineering attacks or distribute spam messages, thus spreading the malware to other devices.
“It is worth noting that FMWhatsapp users grant the application permission to read their SMS messages, which means that the Trojan and all the additional malicious modules it loads also gain access to them,” the researchers said. “This allows attackers to automatically enroll the victim in premium subscriptions, even if a confirmation code is required to complete the process.”
A Nigerian threat actor has been observed attempting to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on company networks as part of an insider threat scheme.
“The sender tells the employee that if they are able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom,” Abnormal Security said in a report released Thursday. “The employee is told that he can initiate the ransomware physically or remotely. The sender provided two methods to contact him if the employee is interested: an Outlook email account and a Telegram username.”
Black Kingdom, also known as DemonWare and DEMON, attracted attention in early March when it was discovered that threat actors were exploiting ProxyLogon flaws affecting Microsoft Exchange servers to infect unpatched systems with the ransomware strain.
Abnormal Security, which detected and blocked the phishing emails on August 12, responded to the solicitation by creating a fictitious persona and approaching the actor on Telegram Messenger, only for the individual to inadvertently spill the modus operandi of the attack, which included two links for an executable ransomware payload that the “employee” could download from WeTransfer or Mega.nz.
“The actor also instructed us to delete the .EXE file and remove it from the recycle bin. Based on the actor’s responses, it seems clear that 1) he expects an employee to have physical access to a server and 2) he is not very familiar with digital forensics or incident response investigations,” said Crane Hassold, director of threat intelligence for Abnormal Security.