Multiple Colleges, K-12 Schools Facing Outages After Cyberattacks

Schools like North Carolina Central University and Glendale Community College experienced significant disruptions to their IT systems, leading to the temporary suspension of online courses and the interruption of critical processes.

Cyware News – Latest Cyber News

ChatGPT-Maker OpenAI Fires CEO Sam Altman, the Face of the AI Boom, for Lack of Candor With Company

Open AI pushed out its co-founder and CEO Sam Altman after a review found he was “not consistently candid in his communications” with the board of directors.

The post ChatGPT-Maker OpenAI Fires CEO Sam Altman, the Face of the AI Boom, for Lack of Candor With Company appeared first on SecurityWeek.

SecurityWeek

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks.
The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals.
“Most of the group’s Phobos variants are distributed by SmokeLoader, a backdoor trojan,” security researcher Guilherme Venere said in an

The Hacker News

Inside the Race to Secure the F1 Las Vegas Grand Prix

Beyond the blinding speeds and sharp turns on new terrain, the teams at this weekend’s big F1 race are preparing for another kind of danger.

Security Latest

The Startup That Transformed the Hack-for-Hire Industry

Plus: The FBI’s baffling inaction on a ransomware group, a massive breach of Danish electric utilities, and more.

Security Latest

Content collaboration is key — so is protecting your enterprise from its threats

Every enterprise is using content collaboration tools, but they do pose threats. How to keep information flowing both freely and safely.

Security News | VentureBeat

Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

By Deeba Ahmed

Czech Republic Police Expose ‘Fake Bankers’ Gang in $8.7 Million Vishing Operation.

This is a post from HackRead.com. Read the original post: Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

Hackread – Latest Cybersecurity News, Press Releases & Technology Today

What is a zero-click exploit? | Kaspersky official blog

Some people believe that if you don’t click on dangerous links, open suspicious files, or install programs from untrusted sources, you don’t have to worry about malware infections. Unfortunately, this isn’t entirely true. There are so-called zero-click exploits that don’t require any action from the targeted user.

Creating zero-click exploits requires both serious expertise and significant resources. The vulnerabilities needed for zero-clicks to work are, to say the least, not easily discovered — information about such security issues can cost hundreds of thousands, if not millions of dollars on the black market.

However, this does not mean that attacks using zero-click exploits are rare. Information about vulnerabilities (including those suitable for creating zero-click exploits) is often published by researchers on the Internet, sometimes along with proof-of-concept code. That is, after some time, any cybercriminal who follows infosec news will be able to use this vulnerability in their malware. Yes, software developers try to fix such vulnerabilities ASAP, but as we know, not everyone promptly installs updates.

Also, we should not forget about vulnerabilities in IoT devices, servers, and other connected systems such as network attached storage (NAS). All this equipment operates without constant human control, and therefore exploits designed to attack it do not rely on any user action. Either way, it’s worth at least knowing about zero-click attacks; even better — to take some measures to protect your company against them.

Examples of zero-click attacks

Using real-life examples of zero-click attacks, let’s see how they work in practice, and what methods the creators of these exploits use to achieve their goals.

The Operation Triangulation espionage campaign

Not long ago, employees of our company were attacked by an unknown group using, among other things, a zero-click exploit. After discovering it, we named this espionage campaign Operation Triangulation. Using Apple’s iMessage service, the attackers sent a message to the victim’s iPhone with a special attachment containing an exploit. Thanks to a previously unknown vulnerability in iOS, this exploit, without any user input, triggered the execution of malicious code that connected to a C2 server and gradually loaded additional malicious payloads. It first elevated privileges using additional exploits and then launched a full-blown APT platform.

To get around the iPhone’s internal security mechanisms, the platform operated exclusively in the device’s RAM. It allowed the attackers to collect information about the owner and launch additional plugins downloaded from C2 servers. The infection was only detected thanks to our network event monitoring and analysis system.

Of course, Apple quickly fixed this vulnerability, but it is not the first exploitation of a bug in iMessage that allows attackers to infect an iPhone with invisible malware. Since attackers are actively researching this service, there is no guarantee that they will not find some alternative method and use it (possibly even for mass attacks).

Intellexa Predator spyware and a zero-click vulnerability in Safari

Another fairly recent example: Apple recently released an important update for iOS, macOS, and some other software products, fixing several serious vulnerabilities. A vulnerability in WebKit (the browser engine used by Apple’s Safari browser) was exploited by a zero-click exploit that is part of the Intellexa Predator spyware.

First, the attackers waited for the moment when the victim accessed a website whose connection didn’t use encryption (that is, HTTP rather than HTTPS). After that, they conducted a man-in-the-middle (MITM) attack by redirecting the victim to an infected site. Then, the aforementioned vulnerability in the Safari browser was exploited — it allowed the attackers to execute arbitrary code on the iPhone without any action from the victim. Subsequently, the criminals used additional vulnerabilities to install spyware on the compromised iPhone.

Researchers also discovered a similar exploit chain that the creators of Predator used to infect Android smartphones. In this case, the zero-click attack was executed in the Chrome browser.

Earlier this year, we reported other vulnerabilities of this kind in both Apple Safari and Google Chrome. All of them enable the creation of malicious web pages that, in turn, infect with malware the smartphones or computers of users who visit them — again without any additional actions on the part of the victims.

How to defend against zero-click attacks

Since the primary danger of zero-clicks lies in the fact that their creators don’t require any active action at all by the victim, the usual principles of online hygiene aren’t very helpful here. However, there are still some things you can do to protect devices:

Keep software up to date — especially the operating system and all browsers installed on it.
If you have any reason to be concerned about attacks using high-level commercial spyware (such as NSO Pegasus), see our dedicated post with recommendations on how to defend against them.
For iPhone users, it’s good to use Lockdown Mode. This mode helps partially protect against serious attacks, but should by no means be considered a panacea.
Supply all corporate devices with a reliable protective solution that will take care of security during periods when new vulnerabilities are already being exploited, but the corresponding patches haven’t yet been released.
This also applies to iOS. Yes, due to Apple’s policy, there are no full-fledged antivirus solutions for this operating system. However, Kaspersky Endpoint Security for Business includes an application that does at least block dangerous web pages, thereby reducing the likelihood of vulnerabilities being exploited in the browser.

Kaspersky official blog

Update now! Microsoft patches 3 actively exploited zero-days

Another important update round for this month’s Patch Tuesday. Microsoft has patched a total of 63 vulnerabilities in its operating systems. Five of these vulnerabilities qualify as zero-days, with three listed as being actively exploited. Microsoft considers a vulnerability to be a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in these updates are listed as:

CVE-2023-36025: a Windows SmartScreen security feature bypass vulnerability that would allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. SmartScreen is a built-in Windows component designed to detect and block known malicious websites and files.

It requires user interaction since the user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker. Microsoft listed this vulnerability with the remark “Exploitation Detected.”

CVE-2023-36033: a Windows Desktop Window Manager (DWM) Core Library elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

CVE-2023-36036: a Windows Cloud Files Mini Filter Driver EoP vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

EoP vulnerabilities are typically used in attack chains. Once the attacker has gained entrance, these vulnerabilities allow them to increase their permission level.

CVE-2023-36413: a Microsoft Office security feature bypass vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass Office Protected View and open a file in editing mode rather than protected mode. Full exploitation requires that the attacker send the target a malicious file and convince them to open it. This is a publicly disclosed vulnerability, but there are no known cases of exploitation.

CVE-2023-36038: a vulnerability in ASP.NET Core that could lead to denial of service. This vulnerability could be exploited if HTTP requests to .NET 8 RC 1 running on the IIS InProcess hosting model are cancelled. Thread counts would increase and an OutOfMemoryException is possible. Successful exploitation might result in a total loss of availability. So, basically, an attacker would send requests and then cancel them until the program runs out of memory and crashes. Microsoft notes that this vulnerability was publicly disclosed, but no in-the-wild exploitation has been observed, which is also unlikely to happen if denial of service is the best an attacker can achieve with it.

An extra warning for organizations running Microsoft Exchange Server: Prioritize several new Exchange patches, including CVE-2023-36439, which is a vulnerability that enables attackers to install malicious software on an Exchange server.

Other vendors

Other organizations have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities affecting multiple Adobe products:

APSB23-52: Adobe ColdFusion

APSB23-53: Adobe RoboHelp Server

APSB23-54: Adobe Acrobat and Reader

APSB23-55: Adobe InDesign

APSB23-56: Adobe Photoshop

APSB23-57: Adobe Bridge

APSB23-58: Adobe FrameMaker Publishing Server

APSB23-60: Adobe InCopy

APSB23-61: Adobe Animate

APSB23-62: Adobe Dimension

APSB23-63: Adobe Media Encoder

APSB23-64: Adobe Audition

APSB23-65: Adobe Premiere Pro

APSB23-66: Adobe After Effects

Android’s November updates were released by Google.

SAP released its November 2023 Patch Day updates.

SysAid released security updates for a zero-day vulnerability that is actively being exploited by a ransomware affiliate.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Malwarebytes

Ransomware review: November 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In October, 318 new victims were posted on ransomware leak sites. The top active gangs were LockBit (64), NoEscape (40), and PLAY (36). Major stories for the month included the takedown of several high-profile groups, including alleged Sony Systems attacker RansomedVC, new data shedding light on Cl0p’s education sector bias, and a deep-dive revealing the danger of the group behind September’s infamous casino attacks.

Last month three major ransomware groups—RansomedVC, Ragnar, and Trigona—were shut down, the first two by law enforcement and the third by Ukrainian hacktivists. Let’s dive into RansomedVC, a group which burst onto the scene in August and quickly gained notoriety for allegedly breaching several well-known companies. In late October, the lead hacker behind the group was seen on Telegram trying to sell the operation. Just days later, the account announced that it was “putting an end to” the group after learning that six of its affiliates may have been arrested. The group had posted 42 victims on their leak site at the time of their takedown.

While law enforcement is yet to come forward confirming the RansomedVC arrests, the same is not true for RagnarLocker group, which Europol and Eurojust announced they had taken down last month. RagnarLocker started in 2019 and was responsible for numerous high-profile attacks against municipalities and critical infrastructure across the world. At the time of the takedown action, the group had posted a total of 42 victims on their leak site.

Trigona’s demise, on the other hand, was not at the hands of investigators but activists, highlighting the impact that broader geopolitical struggles can have on the ransomware landscape. In mid-October, the Ukrainian Cyber Alliance (UCA) breached the Trigona Confluence server and completely deleted and defaced their sites. Formed around 2016 to defend Ukraine’s cyberspace against Russian interference, the UCA used a public exploit for CVE-2023-22515 to gain access to Trigona infrastructure. Trigona is responsible for at least 30 attacks across various sectors since first emerging in October 2022.

Known ransomware attacks by ransomware group, October 2023

Known ransomware attacks by country, October 2023

Known ransomware attacks by industry sector, October 2023

In other October news, Resilience, a cyber insurance company, reported that 48% of all MOVEit cyberattack victims in its client base during the first half of 2023 were from the education sector. This suggests a possible targeting preference of the Cl0p campaign towards educational institutions. However, this figure might not fully represent the situation.

For instance, if Resilience has a higher proportion of clients in the education sector, it could bias the data towards that sector. On the other hand, data from Malwarebytes indeed indicates that while the education sector comprises only 3% of all MOVEit hosts, they account for 6% of the victims. However, this trend is likely not due to a deliberate focus by Cl0p, whose attacks were more opportunistic in scope, but rather because educational sectors often have fewer resources to promptly address vulnerabilities like those in MOVEit. Thus, the bias observed is more circumstantial than intentional. At any rate, given that the education sector frequently relies on third-party applications like MOVEit, the impact of Cl0p’s activities serves as a stark reminder for these institutions to adopt robust third-party security best practices.

Microsoft’s deep dive into Scattered Spider last month shed new light on the relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesars Entertainment. For small security teams, one of the most important findings about the group is their use of Living Off The Land (LOTL) techniques to avoid detection: Scattered Spider employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

With the success of groups like Scattered Spider increasingly relying on LOTL attacks, it’s vital for defenders to focus on detecting anomalous activities within legitimate tools and network configurations. Strengthening monitoring and analysis capabilities can help identify and counter the subtle, sophisticated techniques employed by these ransomware gangs.
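A small detection sketch for the point just made, added here and not taken from the Malwarebytes report or Microsoft’s analysis: it scores constructed PowerShell Script Block log lines (Event ID 4104) per host and flags hosts where a network-setting change follows directory or network reconnaissance within a short window, which is the kind of anomalous combination of legitimate tools the paragraph asks defenders to look for. The log format, the cmdlet watchlists and the ten-minute window are illustrative assumptions.

```python
"""Toy LOTL detector over PowerShell Script Block Logging (Event ID 4104).

Flags hosts where a network-configuration change follows reconnaissance
within a short window. Watchlists and log format are assumptions chosen
for illustration, not a list taken from the Scattered Spider report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <user> <script block text>".
SAMPLE_LOG = r"""
2023-10-12T09:01:05 WS-017 jdoe Get-ADUser -Filter * -Properties MemberOf
2023-10-12T09:01:40 WS-017 jdoe Get-ADGroupMember -Identity "Domain Admins"
2023-10-12T09:02:10 WS-017 jdoe Get-NetTCPConnection -State Established
2023-10-12T09:04:30 WS-017 jdoe Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses 10.9.9.9
2023-10-12T09:05:02 WS-017 jdoe Set-NetFirewallProfile -Enabled False
2023-10-12T10:15:00 WS-042 asmith Get-ChildItem C:\Reports | Sort-Object Length
2023-10-12T11:30:00 SRV-DNS1 svc_net Set-DnsClientServerAddress -InterfaceIndex 4 -ServerAddresses 10.0.0.2
"""

# Assumed watchlists: directory/network enumeration vs. network-setting changes.
RECON = re.compile(r"\b(Get-ADUser|Get-ADGroupMember|Get-ADComputer|"
                   r"Get-NetTCPConnection|Get-NetNeighbor)\b")
NETCHANGE = re.compile(r"\b(Set-DnsClientServerAddress|Set-NetFirewallProfile|"
                       r"New-NetFirewallRule|Set-NetIPInterface)\b|\bnetsh\b")
WINDOW = timedelta(minutes=10)


def parse(log):
    """Split each line into (timestamp, host, user, script block)."""
    events = []
    for line in log.strip().splitlines():
        ts, host, user, script = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, user, script))
    return events


def score_hosts(events, window=WINDOW):
    """Return {host: (recon_count, linked_change_count)} for hosts where at
    least one network-setting change occurs within `window` after recon.
    Recon alone (an admin's normal work) and an isolated change on a server
    (SRV-DNS1 in the sample) are deliberately not flagged."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        recon = [t for t, _, _, s in evs if RECON.search(s)]
        changes = [t for t, _, _, s in evs if NETCHANGE.search(s)]
        linked = [c for c in changes
                  if any(timedelta(0) <= c - r <= window for r in recon)]
        if recon and linked:
            findings[host] = (len(recon), len(linked))
    return findings


def run_sample():
    """Apply the detector to the constructed log."""
    return score_hosts(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for host, (n_recon, n_change) in run_sample().items():
        print(f"{host}: {n_recon} recon cmdlets, {n_change} linked network changes")
```

In a real deployment the same logic would read 4104 events from a SIEM rather than a string, and the watchlists would be tuned against the organisation’s own admin baselines to keep false positives down.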

New(?) player: Hunters International

Hunters International is a new ransomware player suspected to be a rebrand of the Hive ransomware, which was shut down in January 2023 by law enforcement. Despite Hunters International’s denial, claiming they are a distinct entity that purchased Hive’s source code, the overlap in their malware’s coding and functionality suggests a direct lineage from Hive.

Their activity, though limited, includes a notable attack on a UK school.

How to avoid ransomware

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.

Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.

Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.

Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.

Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.

Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes