Monday, March 18, 2024

Streamlining your workday with new customizable Citrix Cloud landing pages!

Administrators are busy people. Whether it’s solving troubleshooting issues, updating software, or playing around with new features there never seems to be enough time in the day to get it all done. You need a streamlined experience to help you achieve everything even faster.

Most Citrix administrators access the same parts of our Cloud Console every day. Other admins only have access to specific parts of the Citrix Cloud tenant, like Citrix Monitor. To help get you exactly where you need to go in the console, directly from login, we have developed our new Citrix Cloud landing page setting! Reduce the number of clicks it takes you to get to your preferred console, and hit the ground running straight from logon. 

In-console announcement of customized landing page

Use case

Currently when you login to Citrix Cloud, you are automatically brought to our Citrix Cloud dashboard which shows you all the cloud features you have access to:

Default landing page when logging into cloud.citrix.com

This provides a good starting point within your Cloud account, however a lot of admins use the same pages everyday (such as the DaaS page to make changes) or only have access to parts of the tenant (like Monitor). With our new landing page feature, you are able to customize your landing page. 

The following pages are currently available, with more on the way:

  • DaaS
  • DaaS Monitor
  • NetScaler Console (formerly ADM Service)
  • General (platform functions)
  • WEM
  • Citrix Analytics
  • Citrix Analytics for Security
  • Citrix Analytics for Performance

This setting is optional and is set on a per account basis so each administrator can customize their own experience within Citrix Cloud. All admins (whether custom or full) have access to this feature. If you change your mind after configuring a landing page, you can always reset your account to the default home page. 

How to get started

Setting up your custom landing is quick and simple. Just go to Account Settings > Customization > My landing page to configure. The options you have are determined by the permissions your admin account has within the Citrix Cloud tenant.

Setting location in the console

To experience your newly configured landing page, log out of your account, open a new tab, and go to citrix.cloud.com  or use your bookmark and sign in again. Note: if you sign in again on the same page where you just signed out, it will take you back to your last viewed page (Account Settings) instead of your new landing page. 

What’s next

We are working internally to onboard all the Cloud services into the landing page options. Comment below to tell us if there’s any specific pages you’d like to see added to this feature!

To try this feature out yourself, head over to citrix.cloud.com and follow the instructions above.


Disclaimer: This publication may include references to the planned testing, release and/or availability of Cloud Software Group, Inc. products and services. The information provided in this publication is for informational purposes only, its contents are subject to change without notice, and it should not be relied on in making a purchasing decision. The information is not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for products remains at the sole discretion of Cloud Software Group, Inc.



from Citrix Blogs https://ift.tt/UF5PL2y
via IFTTT

Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool

Mar 18, 2024NewsroomVulnerability / Threat Mitigation

Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers.

Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10.

"A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request," the company said in an advisory last week.

"In situations where a file is successfully uploaded to web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells."

The vulnerability, the company said, was first reported on August 9, 2023, and addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.

Security researcher Tom Wedgbury of LRQA Nettitude has been credited with discovering and reporting the flaw. The company has since released a full proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to upload a web shell and execute arbitrary system commands.

Also resolved by Fortra in January 2024 are two other security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.

With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) coming under heavy exploitation last year by threat actors like Cl0p, it's recommended that users have applied the necessary updates to mitigate potential threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/6r5hycA
via IFTTT

Key Components of a Robust Cloud Security Maturity Strategy

A cloud security maturity strategy is dynamic and evolves over time to address new threats, technologies, and business requirements. It involves a holistic and proactive approach to security, emphasizing continuous improvement and adaptability in the ever-changing landscape of cloud computing. The goal is to progress through different stages of maturity, from basic to advanced, ensuring that security practices align with an organization’s evolving needs and the dynamic nature of cloud technology.

If you’re not sure where you are now and where you should be headed, Forrester offers the insights and tools you need to gain this visibility. Forrester’s cloud security readiness assessment evaluates cloud security maturity and provides actionable guidance to improve and expand cloud security coverage to more effectively protect cloud workloads and data. You can find it, and additional information on the topic here.

Understanding Cloud Security Maturity

Cloud security maturity refers to an organization’s evolving ability to effectively manage and protect its data, applications, and infrastructure in cloud environments. It involves the systematic development and implementation of security measures, policies, and practices to adapt to the dynamic nature of cloud technology and emerging cyberthreats.

As businesses in all industries increasingly rely on cloud services, a mature cloud security strategy becomes crucial for safeguarding sensitive information, maintaining compliance, and ensuring resilience against cyberthreats. It enables your organization to align its security practices with its business goals, mitigate risks, and foster a proactive and adaptive security culture.

Maturity Levels and the Journey

Within the realm of cloud security, organizations progress through various maturity levels. These are typically categorized as the following:

Basic Security: At the initial stage, organizations focus on foundational security measures such as user authentication and basic access controls. The team often has a limited awareness of cloud-specific threats at this stage.

Intermediate Security: Organizations can improve their cloud security by implementing more comprehensive measures, including encryption, regular security assessments, and incident response planning. Awareness of cloud-related risks increases at this stage.

Advanced Security: In this stage, organizations adopt advanced technologies like automation, AI-driven threat detection, and robust identity and access management. Continuous monitoring, proactive threat hunting, and agile incident response characterize advanced security maturity.

The journey involves a continuous cycle of assessment, improvement, and adaptation to evolving threats and technologies. By moving from reactive, compliance-driven approaches to proactive, risk-informed strategies, organizations achieve a higher level of maturity in securing their cloud environments.

Assessment and Baseline Establishment

Before you move forward in any way, you must establish where you are now. Conducting a thorough assessment of your current security posture is essential for a robust cloud security maturity strategy. It provides your organization with a clear understanding of your existing strengths, weaknesses, and potential vulnerabilities in the cloud environment.

Establishing a baseline not only serves as a benchmark for measuring progress but also helps you identify specific areas for improvement. This proactive approach empowers your organization to tailor your security measures to address current challenges, adapt to emerging threats, and systematically advance to higher maturity levels. All of this ensures a resilient and effective cloud security framework.

Defining Security Objectives and Policies

The next critical step on your journey is to define your security objectives and policies. Clear security objectives aligned with business goals provide a strategic framework for implementing effective security measures tailored to your organization’s specific needs. These objectives serve as a roadmap, ensuring that your team’s security efforts are not only robust but also contributing directly to overall business success.

Equally important is the development and communication of robust security policies governing cloud environments. These policies establish the rules and guidelines for securing data, applications, and infrastructure in the cloud. They help standardize security practices, ensure compliance with regulations, and create a shared understanding of expectations among employees and stakeholders.

Communication is key. It promotes awareness and adherence to security policies throughout your organization. By fostering a culture of security, your organization empowers its employees to become active participants in safeguarding sensitive information, reducing the risk of human error, and contributing to the overall effectiveness of your cloud security strategy.

Develop a Comprehensive Risk Management Framework

Developing a comprehensive risk management framework is crucial for a robust cloud security maturity strategy as it enables your organization to systematically identify, assess, and prioritize potential risks in its cloud environment.

Regularly updating risk assessments is equally vital, because it allows you to adapt to the dynamic landscape of evolving cyberthreats and business requirements. This ensures that your security measures remain effective and aligned with your organization’s overall risk tolerance and objectives. You need to be proactive, as this will empower your organization to make informed decisions, allocate resources efficiently, and maintain a resilient security posture in the face of emerging challenges.

Incident Response and Recovery

Developing and testing an incident response plan for cloud environments is essential to a robust cloud security maturity strategy. Doing so ensures that your organization is well-prepared to effectively manage and mitigate security incidents.

Implementing mechanisms for quick detection, response, and recovery further strengthens your organization’s resilience by minimizing potential damage, reducing downtime, and swiftly restoring normal operations — ultimately safeguarding against the potential impact of security breaches in cloud environments.

If you’re developing a process for this, check out this free incident response template that can help guide your planing.

The Importance of Continuous Monitoring and Improvement

Continuous monitoring of your cloud infrastructure and applications is vital for maintaining a proactive cloud security maturity strategy. It enables your organization to detect and respond promptly to any irregularities, potential threats, or vulnerabilities in real time, ensuring a resilient security posture.

Create a feedback loop, based on monitoring insights, to facilitate regular reviews and updates to your organization’s security policies and controls. This will ensure that your security strategy remains adaptive and effective. Establishing an iterative process of monitoring, reviewing, and updating enhances your organization’s overall security resilience and readiness.

Make Use of Automation

Integrating automation into your organization’s cloud security maturity strategy is instrumental for efficiency and effectiveness. By leveraging automation and orchestration tools, it’s much easier to streamline security processes — reducing manual effort and response times.

Automation enhances the consistency and speed of security tasks, allowing for swift and standardized responses to potential threats in cloud environments. It’s also worth noting that automated security measures contribute to faster threat detection and remediation, ensuring that your organization can proactively identify and address security incidents in real time. This not only strengthens your security posture but also allows for a more agile and adaptive approach to handling emerging threats.

The Adoption of Emerging Technologies

Making use of automation is simple when you stay abreast of emerging technologies, such as artificial intelligence (AI) and machine learning (ML), for advanced threat detection. By incorporating AI and ML into your cloud security strategy, your organization can enhance its capabilities to automatically analyze vast amounts of data, identify patterns, and detect anomalies that might signify potential security threats.

This proactive use of cutting-edge technologies not only simplifies the integration of automation but also empowers organizations to stay ahead of evolving cyberthreats, making their cloud security posture more adaptive, intelligent, and resilient. We highly encourage you to incorporate these innovative solutions into your security strategy.

Regular Audits and Assessments

Conducting regular internal and external audits is crucial for evaluating the effectiveness of your cloud security maturity program. These audits provide a systematic review of security measures, identifying strengths and weaknesses in your organization’s defense against potential threats.

The process helps pinpoint areas for improvement, enabling a proactive approach to strengthening security controls and strategies. Additionally, regular audits play a pivotal role in ensuring ongoing compliance with industry regulations and standards. By regularly assessing and validating its security program through audits, your organization not only enhances your resilience against emerging threats but also maintains a robust and compliant posture in the ever-evolving landscape of cloud security.

Here are useful tips from the LogRhythm Labs research and compliance team on conducting security risks assessments successfully.

Assess Your Cloud Security Readiness

A cloud security maturity strategy is a systematic and phased approach adopted in order to enhance your level of security readiness and resilience in the context of cloud computing. It involves the development and implementation of measures, processes, and technologies to effectively address security challenges associated with cloud environments. The importance of continuous improvement and adaptability in cloud security cannot be overstated.

In Forrester’s report, you’ll learn more about the fact that although the cloud creates numerous benefits, it also creates numerous security headaches when it comes to planning migrations from on-premises to the cloud and protecting data and resources in the new cloud workloads. One thing the report makes clear is that technology tools deliver automation to free you up for strategy decisions. Cloud security is easier and less expensive to automate using tools.

Wondering about your organization’s cloud security readiness? Looking to improve a low security maturity model score? We encourage you to read Forrester’s report on how to assess your cloud security maturity across six major technology competencies.

How SIEM Can Improve Your Cloud Security Maturity

If you’re ready to learn more about security tools that enable your team to reduce risk to the business, a security information and event management system helps you monitor data and protect your environment in a central console.

LogRhythm Axon is a cloud-native SIEM platform that enables small security teams who are early in their cloud security maturity to manage, enforce, and audit:

  • Administrative access to cloud service provider consoles
  • Data encryption and decryption in cloud workloads
  • All network egress and ingress points
  • Sensitive cloud data governance
  • Analytics to detect threats and misconfiguration
  • The integration of third-party threat analytics to provide a 360-degree view of their threat model
  • Cloud workload security solutions that continually track and manage security posture of cloud workloads
  • Cloud security gateways to intercept and block sensitive or malicious data moving between workloads

For more tips on protecting cloud environments, read this third-party analyst report to “Learn Why Insights Matter for Cloud Application Security.”

The post Key Components of a Robust Cloud Security Maturity Strategy appeared first on LogRhythm.



from LogRhythm https://ift.tt/nGVf7Mg
via IFTTT

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.

"It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.

The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with an intent to collect sensitive data for selling them in underground forums.

AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It's typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.

Once installed, it's capable of gathering credentials, cookies, and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.

The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that subsequently utilize HTML smuggling to deliver the payload.

HTML smuggling is the name given to a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware by "smuggling" an encoded malicious script.

Thus, when a visitor is tricked into opening the rogue page from a phishing email, the browser decodes the script and extracts the payload on the host device, effectively bypassing typical security controls such as email gateways that are known to only inspect for suspicious attachments.

The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, an approach that not only gives a veneer of legitimacy but also serves as an additional layer of protection against URL scanners.

The downloaded file is a shortcut file (.LNK) that masquerades as a PDF bank statement, launching which kicks off a series of actions to execute a series of intermediate batch and PowerShell scripts from an already compromised domain.

One of the PowerShell scripts ("agent3.ps1") is designed to fetch the AZORult loader ("service.exe"), which, in turn, downloads and executes another PowerShell script ("sd2.ps1") containing the stealer malware.

"It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts," Michael Alcantara said. "It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender."

"Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate."

The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.

AutoSmuggle "takes a file such as an exe or an archive and 'smuggles' it into the SVG or HTML file so that when the SVG or HTML file is opened, the 'smuggled' file is delivered," the company explained.

Phishing campaigns have also been observed employing shortcut files packed within archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.

"The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns," SonicWall disclosed last week.

In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.

That's not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of flouting traffic rules.

Present within the PDF file is a link that, upon click, results in the download of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script responsible for fetching one of the remote access trojans like AsyncRAT, njRAT, and Remcos.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/lpknzO3
via IFTTT

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

Mar 18, 2024NewsroomWebsite Security / Vulnerability

WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.

The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. It impacts the following versions of the two plugins -

It's worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.

"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence reported last week.

The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unauthenticated attacker to arbitrarily update any user's password and escalate their privileges to that of an administrator, potentially leading to a complete compromise of the site.

"Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would," Wordfence said.

"This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content."

The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including and prior to 5.3.0.0.

The issue, addressed on March 11, 2024, with the release of version 5.3.1.0, permits an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.

"This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise," István Márton said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/HraWes2
via IFTTT

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

Mar 18, 2024NewsroomCyber Warfare / Malware

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

"The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production," IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 leverage the "search-ms:" URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

"In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations," security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

The climax of APT28's elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

"ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities," the researchers concluded.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/qLEdG6x
via IFTTT

Sunday, March 17, 2024

What if the CNCF was private equity?

For years, the CNCF has been the central governance body for cloud-native projects. But are there too many projects now? What if the CNCF was less governance and more like private equity?

SHOW: 804

CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw

CHECK OUT OUR NEW PODCAST - "CLOUDCAST BASICS"

SHOW SPONSORS:

SHOW NOTES:

WHY DOESN’T THE CNCF RECOMMEND A CLOUD-NATIVE STACK? 

  • Originally the CNCF was just trying to get projects to use them for governance. 
  • Many people wanted them to “define” a cloud-native stack. 
  • Defining a stack would have held back their business model - accepting projects and adding sponsors

HOW MANY PROJECTS WOULD GET “CNCF APPROVED” IF THEY TOOK A PRIVATE EQUITY APPROACH?

  • CNCF currently has 184 projects, up 4x over the last 4 years. 
  • 14% graduates, 20% incubating, 62% sandbox 
  • Does the CNCF suffer from the “Big Tent” problem that caused so many issues with OpenStack? 
  • KubeCon keynotes are just a list of projects giving status updates - they could be an email. 
  • How many projects should the CNCF sponsor? How many categories should remain?
  • How would a private equity group apply metrics to CNCF projects? 

FEEDBACK?



from The Cloudcast (.NET) https://ift.tt/Wzpx3Me
via IFTTT

Saturday, March 16, 2024

Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer

Mar 16, 2024NewsroomMalware / Cybercrime

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro.

The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.

"The repositories look similar, featuring a README.md file with the promise of free cracked software," the German cybersecurity company said.

"Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency."

The list of repositories is as follows, with each of them pointing to a download link ("digitalxnetwork[.]com") containing a RAR archive file -

  • andreastanaj/AVAST
  • andreastanaj/Sound-Booster
  • aymenkort1990/fabfilter
  • BenWebsite/-IObit-Smart-Defrag-Crack
  • Faharnaqvi/VueScan-Crack
  • javisolis123/Voicemod
  • lolusuary/AOMEI-Backupper
  • lolusuary/Daemon-Tools
  • lolusuary/EaseUS-Partition-Master
  • lolusuary/SOOTHE-2
  • mostofakamaljoy/ccleaner
  • rik0v/ManyCam
  • Roccinhu/Tenorshare-Reiboot
  • Roccinhu/Tenorshare-iCareFone
  • True-Oblivion/AOMEI-Partition-Assistant
  • vaibhavshiledar/droidkit
  • vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive, which requires the victims to supply a password mentioned in the repository's README.md file, contains an installer file, which unpacks the next-stage payload, an executable file that's inflated to 699 MB in an effort to crash analysis tools like IDA Pro.

The actual contents of the file – amounting to a mere 3.43 MB – act as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.

RisePro burst into the spotlight in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.

Written in C++, it's designed to gather sensitive information from infected hosts and exfiltrate it to two Telegram channels, which are often used by threat actors to extract victims' data. Interestingly, recent research from Checkmarx showed that it's possible to infiltrate and forward messages from an attacker's bot to another Telegram account.

The development comes as Splunk detailed the tactics and techniques adopted by Snake Keylogger, describing it as a stealer malware that "employs a multifaceted approach to data exfiltration."

"The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information," Splunk said. "Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data."

Stealer malware have become increasingly popular, often becoming the primary vector for ransomware and other high impact data breaches. According to a report from Specops published this week, RedLine, Vidar, and Raccoon have emerged as the most widely-used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the last six months.

"The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats," Flashpoint noted in January 2024. "While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/g1vibLx
via IFTTT

Friday, March 15, 2024

Talos launching new machine learning-based exploit detection engine








By Brandon Stultz.

Every day, new vulnerabilities are discovered in the software critical to the function of the modern world. Security analysts take apart these new vulnerabilities, isolate what is necessary to trigger them and write signatures to block any exploits targeting them. For Snort, these signatures are called Snort rules — and they’re extremely versatile. They can access specific network service fields, locate a vulnerable parameter and scan that parameter for the presence of an exploit. They can also leverage numerous rule options to traverse protocols and file formats. Written well, these rules can have high efficacy and performance with few or no false positives. This approach to defense is very good at protecting networks from known threats, but what if the threat is unknown? What if a vulnerability is discovered, an exploit for it is written, and the security community has no knowledge of it? We need another approach to defense that doesn’t require prior knowledge of the attack to function. Over the past year at Cisco, we have been prototyping and building this new approach into a new detection engine for Snort. Today, I am proud to announce we are open-sourcing this engine to the community in the latest Snort 3 release (version 3.1.82.0). This new detection engine is called “SnortML.” SnortML is a machine learning-based detection engine for the Snort intrusion prevention system. At a high level, there are two components to this new detection engine. The first component is the snort_ml_engine itself, which loads pre-trained machine learning models, instantiates classifiers based on these models and then makes the classifiers available for detection. The second is the snort_ml inspector, which subscribes to data provided by Snort service inspectors, passes the data to classifiers, and then acts on the output of the classifiers. Currently, the snort_ml_engine module only has one model type, namely the http_param_model, but we plan on building other models in the future. This http_param_model is used for classifying HTTP parameters as malicious or normal. Once the snort_ml_engine loads the http_param_model, it can be used in the snort_ml inspector to detect exploits. The inspector subscribes to the HTTP request data provided by the HTTP inspector through the publish/subscribe interface. It then passes this data (HTTP URI query and optionally HTTP POST body) to a binary classifier based on the http_param_model. This classifier then returns the probability that it saw an exploit. Based on this probability, SnortML can generate an alert, similar to a Snort rule alert, which can be configured to block malicious traffic. Now that you know how the machine learning engine works, let’s get into how the models work. SnortML models are designed to be extremely flexible, much like their Snort rule counterparts. To that end, we based our models and our inference engine on TensorFlow. The TensorFlow project is a free and open-source library for machine learning and artificial intelligence. Any TensorFlow model can be a SnortML binary classifier model so long as it satisfies three conditions, namely, the model must have a single input tensor and a single output tensor, the input and output tensor types must be 32-bit floating point, and finally, the output tensor must have only a single element. We plan on adding other model types in the future (including multiclass classifiers), but right now, this is the only model type currently supported. The SnortML engine uses TensorFlow through a support library we call LibML. The LibML library handles loading, configuring and running machine learning models for Snort. It also includes the XNNPACK accelerator needed to run CPU-bound models at line rate. The easiest way to build a SnortML model is to use the TensorFlow Keras API. If you are new to machine learning, don’t worry, Keras is a simple but powerful deep-learning framework that allows you to build neural networks and train them in a few lines of Python. To get started, import the following:

import os

import numpy as np

import tensorflow as tf

from tensorflow.keras import layers

from urllib.parse import unquote_to_bytes

We are going to train our example model on just two samples, but a real production model would use far more:

# Example data

data = [

{ 'str':'foo=1', 'attack':0 },

{ 'str':'foo=1%27%20OR%201=1%2D%2D', 'attack':1 }

]

The next thing we need to do is prepare our data. SnortML models expect input data to be zero-padded which is what we are going to do here:

# Prepare Data

maxlen = 1024

X = []

Y = []

def decode_query(str):

return unquote_to_bytes(str.replace('+',' '))

for item in data:

arr = decode_query(item['str'])[:maxlen]

arrlen = len(arr)

seq = [0] * maxlen

for i in range(arrlen):

seq[maxlen - arrlen + i] = arr[i]

X.append(seq)

Y.append(item['attack'])

Now, we need to construct a neural network that can classify our data. This example uses a simple LSTM (Long Short-Term Memory) network, but other combinations of layers available in Keras work here as well. LSTM is a type of neural network that is keenly suited to identify patterns in sequences of data, such as the sequences of bytes in HTTP parameters. To translate the bytes on the wire to tensors that the LSTM can accept, we can place an embedding layer in front of it. Embedding layers are a kind of association layer, they can learn relationships between input data (bytes in our case) and output those relationships as tensors that the LSTM neurons can accept. Finally, we will converge the output of our LSTM neurons to a single output neuron with a Dense layer. This will serve as the output of the neural network.

#

# Build Model (Simple LSTM)

#

model = tf.keras.Sequential([

layers.Embedding(256, 32, input_length=maxlen, batch_size=1),

layers.LSTM(16),

layers.Dense(1, activation='sigmoid')])

model.compile(loss='binary_crossentropy', optimizer='adam', metrics=['accuracy'])

model.summary()

Now for the fun part — let’s train this neural network: # # Train Model # model.fit(np.asarray(X).astype(np.float32), np.asarray(Y).astype(np.float32), epochs=100, batch_size=1) Training output: Model: "sequential" ----------------------------------------------------------------- Layer (type) Output Shape Param # ================================================================= embedding (Embedding) (1, 1024, 32) 8192 lstm (LSTM) (1, 16) 3136 dense (Dense) (1, 1) 17 ================================================================= Total params: 11,345 Trainable params: 11,345 Non-trainable params: 0 ----------------------------------------------------------------- Epoch 1/100 2/2 [==============================] - 1s 129ms/step - loss: 0.6910 - accuracy: 0.5000 ... Epoch 100/100 2/2 [==============================] - 0s 134ms/step - loss: 0.0208 - accuracy: 1.0000

As you can see above, the accuracy of our network increased, and the loss dropped. These metrics show that the neural network learned to differentiate attack from normal in our example dataset. Now, let’s save this model to a file so we can load it in Snort:

#

# Save Model

#

converter = tf.lite.TFLiteConverter.from_keras_model(model)

snort_model = converter.convert()

with open('snort.model', 'wb') as f:

f.write(snort_model)

Now that we have a model file, we can run it against PCAPs with Snort 3:

$ snort -q --talos \

--lua 'snort_ml_engine = { http_param_model = "snort.model" };' \

--lua 'snort_ml = {};' \

-r test.pcap

##### test.pcap #####

[411:1:0] (snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection (alerts: 1)

#####

If you have Snort 3 built with debug messages enabled, you can even trace the ML engine input and output.

$ snort -q --talos \

--lua 'trace = { modules = { snort_ml = { all = 1 } } };' \

--lua 'snort_ml_engine = { http_param_model = "snort.model" };' \

--lua 'snort_ml = {};' \

-r test.pcap

P0:snort_ml:classifier:1: input (query): foo=1' OR 2=2-- P0:snort_ml:classifier:1: output: 0.971977 P0:snort_ml:classifier:1: <ALERT> ##### test.pcap ##### [411:1:0] (snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection (alerts: 1) #####

P0:snort_ml:classifier:1: input (query): foo=1' OR 2=2--

P0:snort_ml:classifier:1: output: 0.971977

P0:snort_ml:classifier:1: <ALERT>

##### test.pcap ##### [411:1:0] (snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection (alerts: 1) #####

##### test.pcap #####

[411:1:0] (snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection (alerts: 1)

#####

Notice that even with variations in the SQL injection attack above, we still detected it. For years, we had dreamed about tackling the zero-day problem, providing coverage for attacks that were like those we had seen before, but targeting different applications or parameters. Now, with SnortML, this dream is becoming a reality. You can find the SnortML and LibML code here. Feel free to join the conversation on our Discord or on the Snort users mailing list if you have any questions or feedback. 



from Snort Blog https://ift.tt/gW60LlU
via IFTTT

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

In ancient Greek mythos, the mighty Hercules faced a seemingly insurmountable challenge when he encountered the Lernaean Hydra. This fearsome serpent had a terrifying ability: For every head that Hercules severed, two more would spring forth, creating a never-ending cycle of regrowth and renewal. 

Much like the Hydra, modern ransomware gangs present society with a daunting task. When law enforcement manages to take one adversary or low-level member off the streets, the victory is often short-lived. In the hidden depths of these criminal organizations, the heads — or leaders — remain shrouded in shadow, orchestrating their operations often with impunity. 

And so, as one member falls, two more may rise to take their place, perpetuating an enduring saga of illicit activity that are the challenges of our time: the ransomware ecosystem. A landscape where affiliates tend to move from ransomware group to ransomware group, following the money, bringing their skills and tools with them to conduct new attacks.

In this blog, we’ll explore the recent law enforcement takedown of LockBit, a group who previously held the title of the number one most deployed ransomware variant for two years running. Just seven days after the takedown, LockBit claimed to resume their operations.

The History of LockBit

LockBit emerged around 2019. Since then, it has continually evolved and innovated to update their ransomware and build their RaaS program.

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

 

For the past two years, LockBit ransomware operations accounted for over 25 percent of the total number of posts made to data leak sites. CISA’s assessment is also that LockBit has been the most deployed ransomware variant in recent years.

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

As we wrote in the 2023 Talos Year in Review report, posts made to the group’s data leak site ebbed and flowed from September 2022 to August 2023. Detections of LockBit activity appear to spike in March, partially coinciding with LockBit’s deployment against vulnerable instances of the printer management software PaperCut, where it has remained consistently high.

💡
In 2020, Talos researchers made contact with a self-described LockBit operator. Over several weeks, we conducted multiple interviews that gave us a rare, first-hand account of a ransomware operator’s cybercriminal activities. Confirmed theories included LockBit having a profit-sharing requirement that the affiliate has to meet for the first four or five ransoms. This also used to be the case for Maze. Also, keeping your word to the victim is an important part of LockBit’s business model. Read the interview in full here.

The Collaboration Trend

For the past two years, Talos researchers have written about a growing ransomware trend, wherein actors are increasingly collaborating with each other and sharing tools and infrastructure (aka the affiliate model).

For example, Talos recently reported on how the GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. The two groups have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.

We are seeing more diversified groups employing multiple encryption programs, as well as less sophisticated actors “standing on the shoulders” of giants by using leaked ransomware code. Some players are exiting the game altogether, but not before selling their source code to the highest bidder. This is posing significant challenges to the security community, especially when it comes to attributing attacks.

In the case of LockBit, this was also a group that operated as a RaaS model. They recruited affiliates by offering them shares of profits and encouraging them to conduct ransomware attacks using LockBit’s tools and infrastructure. These affiliates were often unconnected, and as a result, there were many variations in the attacks that used LockBit ransomware.

Notably, the LockBit ransomware group posted on a Russian-speaking dark web forum in December 2023 offering to recruit ALPHV (BlackCat) and NoEscape ransomware affiliates and any of the ALPHV developers, after the Federal Bureau of Investigation (FBI)’s announcement of a disruption campaign against the ALPHV ransomware operation.

Operation Cronos

The NCA, working closely with the FBI and supported by international partners from nine other countries, covertly investigated LockBit as part of a dedicated taskforce called Operation Cronos

On Feb. 20, 2024, after infiltrating the group’s network, the NCA took control of LockBit’s primary administration environment. This environment enabled affiliates to build and carry out ransomware attacks, as well as host the group’s public-facing leak site on the dark web, which was used to threaten the publication of data stolen from victims. 

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

The technical infiltration and disruption were only the beginning of a series of actions against LockBit and their affiliates. In wider actions coordinated by Europol, at least three LockBit affiliates were arrested in Poland and Ukraine, and more than 200 cryptocurrency accounts linked to the group have been frozen.

The Return

Seven days after the operation, messages and leak information was published on a new LockBit page. Here are screenshots of their leak site taken daily from Feb. 27 – March 4, with a huge increase of cards on March 3.

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

The site lists both pre- and post-takedown victims, suggesting LockBit may not have lost access to their entire dataset or infrastructure. 

Of particular interest is the fbi.gov card in the lower right corner that links to a lengthy writeup (in English and Russian), stating what LockBit thinks happened during the operation. They talk about lessons learned, speculations and discredit the law enforcement agencies. Talos believes the operation was carried out by the NCA, not the FBI, as LockBit stated.

A recurring theme

While LockBit is currently dominating the headlines, we’ve seen similar stories before following takedown attempts. For example, the commodity trojan Trickbot had its infrastructure dismantled in February 2022.

However, Talos telemetry picked up Trickbot activity throughout 2023, as covered in our Year in Review.

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

Still open for business

Talos has intelligence that Lockbit is still accepting affiliates into their program. 

Does this mean that law enforcement operations are pointless? Far from it. Takedown attempts such as Operation Cronos severely disrupt their operations, and forces ransomware operators to change their attacks. The operation against LockBit doesn’t appear to have inflicted the final blow against the ransomware group, but it has wounded them. 

We also know that law enforcement was able to obtain troves of intelligence through their operation. That intelligence will only serve to be useful in further disruptions, undermining Lockbit's growth. Therefore, if you put Lockbit into a market perspective, they appear to be quite exposed. 

Crucially, as with the case of LockBit, decryption tools can be released so that victims of ransomware can gain access to their systems again. In January Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.

Therefore, it’s important not to view this operation as a “one and done” effort. Sustained, targeted approaches from law enforcement and the defender community can and do have a significant impact. For example, following the FBI’s actions against BlackCat/ALPHV, the group reportedly denied an affiliate a $22 million ransomware payment before subsequently going out of business in early March, as Brian Krebs wrote about on his website a few days ago.

Azim Khodjibaev from Talos’ threat interdiction and intelligence organization team discusses the ebs and flows of ransomware groups after a takedown in the episode of Talos Takes below. This episode was recorded in 2022 after a separate law enforcement operation to disrupt LockBit.

The lucrative affiliate model

One of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS outfits at a time. In underground forums, we are seeing increased advertisements by RaaS groups showcasing their affiliate programs and offering profit shares. They can offer large profits, as threat actors can conduct multiple campaigns using the encryption programs that are offered or distributed. 

In the case of the GhostSec group, they have a business model that offers affilates three different options: a paid version, a free version and a version that allows actors who don’t want to become a member ransomware gang but would like to publish victim data on their leak site.

We are also seeing multiple groups working together, sharing their malicious tooling with each other, then falling out, and then building trust back up with each other, adding to the difficulty in attributing attacks. Here are Talos’ Nick Biasini and Matt Olney talking about the impact of leaked ransomware code, where Matt describes the situation as “The Real Housewives of Eastern Europe:”

Fundamentally, ransomware continues to be hugely profitable and widespread. In the last quarter, the Talos Incident Response team responded to ransomware incidents involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time, and there was a 17% rise in ransomware incidents in this quarter.

In the end, Operation Cronos may have disrupted LockBit’s operations temporarily with valuable assets gained, a weaker market position for the group, and a few affiliates are now sitting in jail. However, the Hyrdra’s roots run deeper, and this is why we may continue to see LockBit activity throughout the course of the year.

Where to go from here

Like Hercules who outwitted the Hydra with a blend of strength and strategy, our law enforcement’s relentless efforts are essential and commendable. It’s going to take persistent, strategic efforts to significantly damage RaaS operations and weaken the regenerative power of these gangs. Arrests at the top will be a key part of this. In the case of LockBit, it appears as though the leaders of the group have evaded arrest on this occasion.  

At the very same time the people of Lerna (or us, the private defenders), need to pay attention to the entire threat landscape. We can’t rely on just Hercules to take them down. Just like we can’t be sure there is just a single Hydra.

Read more about the recent ransomware operations Talos Incident Responders engaged in.



from Cisco Talos Blog https://ift.tt/dG7MeIK
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity – Week 11

The Good | Top LockBit Ransomware Admin Charged & Ordered to Pay Restitutions

Russian-Canadian cybercriminal Mikhail Vasiliev has been sentenced to nearly four years in prison for his involvement in the LockBit ransomware operation. Initially arrested in November 2022, Vasiliev has pled guilty to eight charges, including cyber extortion, mischief, and weapons-related allegations.

Court sketch of Mikhail Vasiliev by John Mantha

Within LockBit, Vasiliev held a significant administrative role, participating in numerous high-profile attacks totalling over $100 million in ransom demands, which primarily affected businesses across Canada. Alongside a four-year sentence, he must pay $860,000 in restitution to his Canadian victims and faces extradition to the United States for further charges. American prosecutors have Vasiliev lined up to receive up to five years in a US prison for conspiring to intentionally damage protected computers and transmitting ransom demands.

LockBit, a notorious ransomware-as-a-service (RaaS) operation, has extorted at least $120 million in ransom payments from over 2000 victims in the last 3 years alone. The gang experienced major setbacks just last month, though, when a joint law enforcement operation seized its main infrastructure and arrested key affiliates. While the group quickly resumed operations on new leak sites to maintain activity, analysis suggests that most data leaked post-operation belonged to victims from before the takedown, indicating the threat groups’ struggle to regain momentum.

Currently, the Department of State is offering rewards up to $15 million for information that could lead to the arrest of other LockBit key leaders and affiliates. Two suspected members of LockBit, Ruslan Astamirov and Mikhail Matveev, were also apprehended in 2023 though only Astamirov has been officially charged for deploying LockBit ransomware. Matveev remains at large facing cyber sanctions and a 20-year prison term in the event of arrest and conviction.

The Bad | Almost 13 Million Authentication Secrets Exposed on GitHub

Threat actors are increasingly exploiting GitHub and repositories as a conduit for malicious activities. In a recent report detailing the issue of secrets sprawl, the findings show that in 2023 alone, GitHub users inadvertently exposed a 12.8 million authentication and sensitive secrets across over 3 million public repositories, with only 1.8% of users rectifying the issue upon receiving alerts.

These exposed secrets include critical data such as passwords, API keys, TLS/SSL certificates, OAuth tokens, and encryption credentials – all of which, if obtained by a threat actor, lead to unauthorized access and costly data breaches. This data corroborates another report from summer of 2023 pointing to compromised credentials as the root cause of 50% of recorded attacks in the first half of last year.

Just this week, security researchers observed a new phishing campaign that delivered remote access trojans (RATs) like VCURMS and STRRAT via a malicious Java-based downloader. The attackers behind these RATs are employing sophisticated tactics, leveraging public services such as GitHub and Amazon Web Services (AWS) to store malware and evade detection.

Millions of organizations rely on source code management platforms like GitHub for software development, version control, and continuous integration and deployment (CI/CD). The abuse of such platforms speaks to a concerning trend where threat actors leverage public infrastructure for malicious purposes.

Securing DevOps platforms and open-source code repositories involves implementing access controls, updating dependencies, and enforcing strong authentication. Threat intelligence and security monitoring tools help detect and respond to suspicious activities, while solutions like XDR offer comprehensive protection against cyber threats and infrastructure abuse.

The Ugly | One-Day Flaws Exploited by Money-Hungry ‘Magnet Goblin’ Threat Actor

A financially motivated threat actor dubbed ‘Magnet Goblin’ has been exploiting one-day vulnerabilities in public-facing servers to distribute custom Linux malware. Magnet Goblin’s adoption of the flaws has been quick: Security researchers confirmed cases where the one-days were already being leveraged to gain initial entry.

In one instance, Magnet Goblin integrated an exploit for the Ivanti Connect Secure RCE bug (CVE-2024-21887) just a day after a proof-of-concept (PoC) was published online. This exploit facilitated arbitrary code execution, enabling the group to compromise systems that had not yet patched to the latest updates. Magnet Goblin’s exploits extend beyond Ivanti, targeting platforms like Magento (CVE-2022-24086), Qlik Sense (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365), and potentially Apache ActiveMQ.

The group is currently deploying custom remote access trojans (RATs) and backdoors, including variants of the Nerbian family such as NerbianRAT and MiniNerbian. Upon execution, NerbianRAT establishes communication with a command-and-control (C2) server, allowing malicious activities like executing commands, modifying connection intervals, and updating configurations.

Source: Check Point

Over the years, the Linux OS has attracted threat actors for its ubiquity, powering a significant portion of servers, cloud infrastructure, and IoT devices which, in turn, provides a large attack surface. Its open-source nature also allows actors to study its codebase, identifying vulnerabilities and developing tailored exploits. With emerging threat actors like Magnet Goblin adding to the threat landscape who take advantage of the chaos that follows released PoCs, having a strict patch management process in place becomes a critical factor in staying ahead of one-day flaws.



from SentinelOne https://ift.tt/FYVLPk5
via IFTTT

How Wi-Fi WPA2 is hacked using PMKID interception | Kaspersky official blog

Being concerned about the security of your wireless network is not as paranoid as some may think it is. Many routers have a setting enabled by default that makes your WPA/WPA2-protected Wi-Fi network rather vulnerable. In this post, we’ll discuss one of the most effective methods of hacking wireless networks that exploits this setting, and how to protect against it.

The simplest and most effective attack on WPA/WPA2-PSK: PMKID interception

PMKID interception is the most effective, easy-to-execute, and completely undetectable method of attacking wireless networks protected by the WPA/WPA2 standards. In essence, this attack involves intercepting the encrypted Wi-Fi passwords that wireless routers broadcast constantly — even when no devices are connected to them. Having obtained the encrypted password, the attacker can use the brute-force method to decrypt it — and thereby connect to the Wi-Fi network.

This attack can also be carried out on a large scale using a technique called wardriving. Here, the attacker drives around a city scanning all available wireless networks and intercepting encrypted passwords that are broadcast by routers. Not much equipment is required for this — just a laptop, a long-range Wi-Fi adapter, and a powerful antenna.

The intercepted encrypted passwords can be cracked on the go. But an attacker may prefer to wait until they’re home and enter all the garnered passwords into a password-cracking tool on a high-performance computer (or rent computing power in the cloud). The effectiveness of this attack was recently demonstrated in Hanoi: a Vietnamese hacker scanned around 10,000 wireless networks and managed to decrypt the passwords for half of them.

Equipment required for mass Wi-Fi hacking using PMKID interception

This is all you need to hack 5000 wireless networks using PMKID interception. Source

How is it even possible to hack Wi-Fi using PMKID interception?

So why do wireless routers broadcast their Wi-Fi password all the time, albeit in encrypted form? Well, this is a basic function of the 802.11r standard, which is implemented on most routers and usually enabled by default. This standard enables fast roaming in Wi-Fi networks using multiple access points. To speed up the reconnection of the client device to new access points, they constantly broadcast their identifier — the very same PMKID.

This identifier is a derivative of the Pairwise Master Key (PMK). More precisely, it contains the result of an SHA-1 hash function calculation, whose source data includes the PMK key and some additional data. The PMK key itself, in turn, is the result of an SHA-1 hash function calculation of the Wi-Fi password.

In other words, the PMKID contains the wireless network password, hashed twice. In theory, the hashing process is irreversible, meaning it’s impossible to recover the original data from the resulting hashed value. Presumably, the creators of the 802.11r standard relied on this when devising the PMKID-based fast roaming mechanism.

However, hashed data can be brute-forced. This is made especially straightforward by the fact that people rarely use particularly strong passwords for wireless networks, often relying on fairly predictable combinations of characters instead. The creators of 802.11r obviously didn’t take this into account.

This problem was discovered a few years ago by the team behind one of the most popular password recovery utilities — in other words, a password-cracking tool — Hashcat. Since then, specialized tools have been developed specifically for cracking intercepted PMKIDs.

Hacking a Wi-Fi password from an intercepted PMKID

Successful extraction of the password “hashcat!” from the intercepted PMKID of a wireless network. Source

Thus, in practice, the attacker usually intercepts the PMKID containing the encrypted password, and then uses a dictionary attack — that is, they brute-force the most common passwords, which are collected in a database.

How to protect your wireless network from a PMKID attack

What can you do to prevent a PMKID interception attack on your wireless network? Fortunately, there are several protective measures that aren’t too difficult to implement:

  • Create a password for your wireless network that is as long and complex as possible. If a PMKID attacker intercepts the hashed password from your Wi-Fi, they still need to decrypt it afterward, but the more complex the password — the less likely the attackers are to succeed. Therefore, to protect against this attack, create the longest and most unguessable password possible for your wireless network.
  • Disable PMKID transmission in the router settings. Unfortunately, not all routers allow this, but it’s worth checking if yours has this setting. You can find it by searching for PMKID or 802.11r.
  • Switch to WPA3. If all your devices support this newer Wi-Fi security standard, it’s worth considering switching to it: WPA3 is generally much more secure than WPA2 and, importantly, isn’t susceptible to PMKID interception.
  • Set up a guest network. It can be tedious to have to frequently enter a strong password for the main network on new devices, so set up a guest network with a simpler password. By the way, it’s also a good idea to transfer potentially insecure things like IoT devices to the guest network.
  • Use the “Devices on My Network feature, which is available in our Kaspersky Plus and Kaspersky Premium This feature shows a list of devices on your network and alerts you if a new device connects to it.

For additional protection of transmitted data in case someone still manages to hack your Wi-Fi, use a VPN on all your devices to secure the internet connection — for example, our Kaspersky Secure Connection, which is also included in the Kaspersky Plus and Kaspersky Premium subscriptions.



from Kaspersky official blog https://ift.tt/pixSyhK
via IFTTT

Third-Party ChatGPT Plugins Could Lead to Account Takeovers

Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data.

According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub.

ChatGPT plugins, as the name implies, are tools designed to run on top of the large language model (LLM) with the aim of accessing up-to-date information, running computations, or accessing third-party services.

OpenAI has since also introduced GPTs, which are bespoke versions of ChatGPT tailored for specific use cases, while reducing third-party service dependencies. As of March 19, 2024, ChatGPT users will no longer be able to install new plugins or create new conversations with existing plugins.

One of the flaws unearthed by Salt Labs involves exploiting the OAuth workflow to trick a user into installing an arbitrary plugin by taking advantage of the fact that ChatGPT doesn't validate that the user indeed started the plugin installation.

This effectively could allow threat actors to intercept and exfiltrate all data shared by the victim, which may contain proprietary information.

The cybersecurity firm also unearthed issues with PluginLab that could be weaponized by threat actors to conduct zero-click account takeover attacks, allowing them to gain control of an organization's account on third-party websites like GitHub and access their source code repositories.

"'auth.pluginlab[.]ai/oauth/authorized' does not authenticate the request, which means that the attacker can insert another memberId (aka the victim) and get a code that represents the victim," security researcher Aviad Carmel explained. "With that code, he can use ChatGPT and access the GitHub of the victim."

The memberId of the victim can be obtained by querying the endpoint "auth.pluginlab[.]ai/members/requestMagicEmailCode." There is no evidence that any user data has been compromised using the flaw.

Also discovered in several plugins, including Kesem AI, is an OAuth redirection manipulation bug that could permit an attacker to steal the account credentials associated with the plugin itself by sending a specially crafted link to the victim.

The development comes weeks after Imperva detailed two cross-site scripting (XSS) vulnerabilities in ChatGPT that could be chained to seize control of any account.

In December 2023, security researcher Johann Rehberger demonstrated how malicious actors could create custom GPTs that can phish for user credentials and transmit the stolen data to an external server.

New Remote Keylogging Attack on AI Assistants

The findings also follow new research published this week about an LLM side-channel attack that employs token-length as a covert means to extract encrypted responses from AI Assistants over the web.

"LLMs generate and send responses as a series of tokens (akin to words), with each token transmitted from the server to the user as it is generated," a group of academics from the Ben-Gurion University and Offensive AI Research Lab said.

"While this process is encrypted, the sequential token transmission exposes a new side-channel: the token-length side-channel. Despite encryption, the size of the packets can reveal the length of the tokens, potentially allowing attackers on the network to infer sensitive and confidential information shared in private AI assistant conversations."

This is accomplished by means of a token inference attack that's designed to decipher responses in encrypted traffic by training an LLM model capable of translating token-length sequences into their natural language sentential counterparts (i.e., plaintext).

In other words, the core idea is to intercept the real-time chat responses with an LLM provider, use the network packet headers to infer the length of each token, extract and parse text segments, and leverage the custom LLM to infer the response.

Two key prerequisites to pulling off the attack are an AI chat client running in streaming mode and an adversary who is capable of capturing network traffic between the client and the AI chatbot.

To counteract the effectiveness of the side-channel attack, it's recommended that companies that develop AI assistants apply random padding to obscure the actual length of tokens, transmit tokens in larger groups rather than individually, and send complete responses at once, instead of in a token-by-token fashion.

"Balancing security with usability and performance presents a complex challenge that requires careful consideration," the researchers concluded.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/3hO9QCS
via IFTTT