27 DDoS Attack Services Taken Down by Law Enforcement

Law enforcement agencies in 15 countries cooperated in taking down 27 websites selling DDoS-for-hire services.

The post 27 DDoS Attack Services Taken Down by Law Enforcement appeared first on SecurityWeek.

SecurityWeek – Read More

Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS

Details have emerged about a now-patched security vulnerability in Apple’s iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control (TCC) framework and result in unauthorized access to sensitive information.
The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved

The Hacker News – Read More

Access and Use ANY.RUN’s TI Feeds via MISP

As cybersecurity threats grow more sophisticated, collaboration becomes a cornerstone of effective defense strategies. This is where MISP, an open-source threat intelligence sharing platform, comes into play.  

Recognizing its value, we are excited to announce the launch of our own MISP instance, enabling users to access and use indicators of compromise (IOCs) from ANY.RUN’s Threat Intelligence Feeds.

What is MISP? 

MISP, which stands for Malware Information Sharing Platform, is a free, open-source platform designed to facilitate the exchange, storage, and correlation of threat intelligence data. MISP lets organizations and researchers: 

  • Exchange critical data points to identify cyber threats. 
  • Share signals or attributes indicating the compromise of information systems. 
  • Automate the process of data sharing and find correlations between threat data. 

Benefits of ANY.RUN’s MISP Instance 

With ANY.RUN’s MISP instance, you can: 

1. Access ANY.RUN’s TI Feeds 

Receive a direct stream of the latest malicious IPs, URLs, domains, ports, file names, and hashes. These are extracted from public malware and phishing samples, including ones not found elsewhere, submitted and analyzed in ANY.RUN’s Interactive Sandbox by security professionals worldwide. IOCs are pulled from different sources, including network activities and malware configurations. 

2. Integrate It with Your Security Tools via API 

MISP attributes dashboard in Elastic Search

Connect your own monitoring and triage tools and systems, such as SIEM/XDR solutions, to ANY.RUN’s MISP instance via API. 

3. Improve Threat Detection  

Correlate and enrich your IOCs with ANY.RUN’s to develop a more comprehensive understanding of the threat landscape. 

4. Generate IDS Rules 

Export indicators (attributes) from ANY.RUN’s MISP instance in NIDS-compatible formats and import them in your detection tools like IDS/IPS or NGFW to improve network security of your organization and ensure proactive defense against current threats. 
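To show what a NIDS-compatible export of MISP attributes actually contains, the following is an added example (not ANY.RUN's or MISP's own code) that reads a constructed event in MISP's JSON format and emits Suricata rules for the network indicators flagged to_ids; in practice you would use MISP's built-in export, but the mapping is the same. The event, the indicator values and the starting SID are assumptions; the dns.query and http.host keywords require Suricata 5 or later.

```python
import json
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in MISP's JSON event format (not an ANY.RUN feed).
# Indicator values use RFC 5737 documentation addresses and .example names.
SAMPLE_EVENT = json.dumps({
    "Event": {
        "info": "Constructed phishing kit sample",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.45", "to_ids": True},
            {"type": "ip-dst|port", "category": "Network activity",
             "value": "198.51.100.7|8443", "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "login-verify.example", "to_ids": True},
            {"type": "url", "category": "Network activity",
             "value": "http://login-verify.example/panel/gate.php", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery",
             "value": "0" * 64, "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "benign-cdn.example", "to_ids": False},
        ],
    }
})


def _escape(value: str) -> str:
    """Escape characters that are special inside a Suricata content:/msg: string."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def attribute_to_rule(attr: dict, sid: int) -> Optional[str]:
    """Map one MISP attribute to a Suricata rule, or None if it is not IDS-usable.

    Only attributes the analyst flagged with to_ids=True are exported, which is
    the same filter MISP's own NIDS export applies. Host artifacts such as
    hashes have no network signature and are skipped.
    """
    if not attr.get("to_ids"):
        return None
    atype, value = attr["type"], attr["value"]
    msg = _escape(f"MISP {atype} {value}")
    if atype == "ip-dst":
        return (f'alert ip $HOME_NET any -> {value} any '
                f'(msg:"{msg}"; sid:{sid}; rev:1;)')
    if atype == "ip-dst|port":
        ip, port = value.split("|", 1)
        return (f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"{msg}"; sid:{sid}; rev:1;)')
    if atype == "domain":
        # dns.query sticky buffer: Suricata 5 and later.
        return (f'alert dns $HOME_NET any -> any any (msg:"{msg}"; '
                f'dns.query; content:"{_escape(value)}"; nocase; '
                f'sid:{sid}; rev:1;)')
    if atype == "url":
        parts = urlsplit(value)
        if not parts.hostname:
            return None
        path = parts.path or "/"
        return (f'alert http $HOME_NET any -> any any (msg:"{msg}"; '
                f'http.host; content:"{_escape(parts.hostname)}"; '
                f'http.uri; content:"{_escape(path)}"; '
                f'sid:{sid}; rev:1;)')
    return None


def misp_to_suricata(event_json: str, base_sid: int = 9000000) -> List[str]:
    """Convert every IDS-usable attribute of a MISP event into Suricata rules.

    SIDs are allocated sequentially from base_sid (an assumed local range) so
    the output can go into a local rules file without colliding with vendor sets.
    """
    event = json.loads(event_json)["Event"]
    rules, sid = [], base_sid
    for attr in event.get("Attribute", []):
        rule = attribute_to_rule(attr, sid)
        if rule is not None:
            rules.append(rule)
            sid += 1
    return rules


if __name__ == "__main__":
    for rule in misp_to_suricata(SAMPLE_EVENT):
        print(rule)
```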

5. Create Custom Workflows 

Leverage ANY.RUN’s indicators in your automated threat analysis workflows. 

6. Synchronize MISP Instances 

Synchronize your MISP instance with ANY.RUN’s to get relevant threat data. 

7. Visualize Threat Intelligence Data

Visual representation of IOC data

Ensure a more convenient view of relevant threats by visualizing ANY.RUN’s TI Feeds data. 

8. Enrich with Your Threat Data 

Add your IOCs to the ones provided by ANY.RUN to gain a better picture of the threats at hand.

How to Integrate with ANY.RUN’s MISP Instance 

ANY.RUN offers demo feed samples in STIX and MISP formats

To get started with ANY.RUN’s MISP instance, simply contact our team via this page.

You can test MISP feeds by getting a free demo sample here.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post Access and Use ANY.RUN’s TI Feeds via MISP appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Researchers find security flaws in Skoda cars that may let hackers remotely track them

Security researchers have discovered multiple vulnerabilities in the infotainment units used in some Skoda cars that could allow malicious actors to remotely trigger certain controls and track the cars’ location in real time. PCAutomotive, a cybersecurity firm specializing in the automotive sector, unveiled 12 new security vulnerabilities impacting the latest model of the Skoda Superb […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – Read More

Hacktivist Alliances Target France Amidst Political Crisis

Executive Summary

On December 6, 2024, Cyble Research & Intelligence Labs (CRIL) observed that the hacktivist alliance known as the “Holy League” on their Telegram channel declared cyberattacks against France. According to the alliance, these operations were executed in retaliation to France’s continued support of Ukraine and Israel. Prominent members of the alliance, including the pro-Russian group NoName057(16), the pro-Islamic threat actor Mr. Hamza, and the pro-Palestinian collective Anonymous Guys, amplified the announcement across their platforms. Shortly after, these groups actively participated in coordinated attacks, demonstrating a unified effort among ideologically diverse threat actors to target French assets.

The timing of the attacks coincides with a political crisis in France and the visit of U.S. President-elect Donald Trump. On December 5, the French Parliament passed a no-confidence vote against Prime Minister Michel Barnier. President Emmanuel Macron now faces mounting pressure to appoint a successor, with some calling for his resignation.

This political turmoil has created a vulnerable environment, giving hacktivist groups an opportunity to sow chaos, disrupt public order and critical infrastructure, and amplify uncertainty within the nation.

Another startling development observed during the campaign is the collaboration between pro-Islamic and pro-Russian hacktivist collectives, even as pro-Islamic groups support the revolutionary movements in Syria that led to the ousting of former President Bashar al-Assad, whom Russia had staunchly backed. This alliance highlights a pragmatic convergence of interests, where shared objectives in destabilizing common adversaries outweigh ideological differences.

“Holy League” members initiated sustained attacks on France from December 7, 2024. CRIL examined these cyberattacks in two distinct categories: coordinated attacks by the alliance members, and individual attacks carried out by each group according to its own modus operandi. Moreover, the “Holy League” has threatened to launch similar attacks against other countries, such as Germany.

Observations and Analysis

In a post on its Telegram channel on December 6, 2024, “Holy League” announced the campaign against France immediately after December 4, 2024, when Prime Minister Michel Barnier was ousted through a no-confidence vote. The agenda seems evident: to seize this opportunity to stir public unrest.

Figure 1 – Holy League Announces Attack on France

Between December 7 and December 10, 2024, hacktivists executed DDoS attacks, compromised Industrial Control Systems (ICS), conducted website defacements, and claimed data breaches of several French entities. This analysis will dissect each attack vector and attribute activities to specific threat groups where possible.

DDoS Attacks

Several hacktivists launched a wave of DDoS attacks on French entities from December 7 to December 10, 2024, prominent ones being NoName057(16), People’s Cyber Army, and Mr. Hamza.

Figure 2 – DDoS claims by different hacktivist groups

NoName057(16) and the People’s Cyber Army primarily focused on the official websites of French cities and other private entities, including the major French financial corporation AXA.

Mr. Hamza concentrated on high-value governmental targets, including the Ministry of Foreign Affairs, the French Directorate-General for External Security (DGSE), the French National Nuclear Energy Commission (CEA), and the French National Cybersecurity Agency (ANSSI).

Anonymous Guys directed their efforts towards several key ministries and government departments, such as the Ministry of Armed Forces, the Ministry of Agriculture and Food, and the Ministry of Solidarity and Health, among others.

According to CRIL, more than 50 separate DDoS attacks were identified against French websites over these four days, affecting multiple sectors of the economy and government. 

Defacement

The pro-Russian group Z-Pentest’s defacement attacks were primarily focused on small-to-medium enterprises (SMEs) from diverse industries in France, including energy and utilities, agriculture and livestock, automotive, and hospitality. Notably, energy and utility firms such as Atlantic Energies Pose and Electricité Générale Lespiau, along with 10 other websites, were defaced with pro-Russian statements.

Figure 3 – Defaced webpage of egp-peinture-decoration.fr

Unauthorized Access to CCTV and SCADA

Four Holy League members—Hunt3rKill3rs, Shadow Unit, EvilNet, and KozSec—have claimed unauthorized access to several systems in France.

Figure 4 – CCTV Access

Shadow Unit, a pro-Islamic hacktivist collective, claimed the breach of the SCADA systems of Corus Nuclear Power Plant and the French Marne Aval station.

Figure 5 – Shadow Unit Hacktivist Group Claims Access to French SCADA Systems

KozSec, a pro-Russian collective, claimed to target an undisclosed French industrial facility. The hacktivist group shared screenshots and videos of the intrusion, emphasizing their successful access to sensitive industrial systems.

Figure 6 – ICS of Unknown French Facility Targeted by KozSec

Data Breaches

Two groups associated with the Holy League, Shadow Unit and UserSec, made separate claims: Shadow Unit claimed to have compromised the website plubioclimatique.paris.fr and exfiltrated over 50 PDF documents, while UserSec claimed to have exfiltrated over 100 GB of data from French government websites.

Figure 7 – UserSec & Shadow Unit Claims about Data Breaches

Conclusion

The recent cyberattacks by the “Holy League” underscore a new, broader geopolitical landscape where hacktivist alliances can sow and exploit discord for their objectives. The collaboration between ideologically diverse groups, such as pro-Islamic and pro-Russian hacktivists, signals a shift in how adversaries may align their interests against common targets. The implications extend beyond France, as similar threats loom over other nations, signaling a new era of cyber conflict where common adversaries may overshadow ideological differences.

The post Hacktivist Alliances Target France Amidst Political Crisis appeared first on Cyble.

Blog – Cyble – Read More

Hunk Companion, WP Query Console Vulnerabilities Chained to Hack WordPress Sites

Two vulnerabilities in the Hunk Companion and WP Query Console WordPress plugins allow attackers to backdoor websites.

The post Hunk Companion, WP Query Console Vulnerabilities Chained to Hack WordPress Sites appeared first on SecurityWeek.

SecurityWeek – Read More

Cleo Patches Exploited Flaw as Security Firms Detail Malware Pushed in Attacks

Cleo has released patches for the exploited vulnerability and security firms have detailed the malware delivered in attacks.

The post Cleo Patches Exploited Flaw as Security Firms Detail Malware Pushed in Attacks appeared first on SecurityWeek.

SecurityWeek – Read More

The evolution and abuse of proxy networks

As long as we’ve had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region.

This is why technologies like VPNs and The Onion Router (TOR) became popular: They allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.

Proxy Chain Services

It is important to distinguish the different proxy chain services, as there are legitimate reasons for some of them to exist. From a privacy/defender point-of-view, they can be split into the following groups:

  • VPN and TOR: These services provide the user anonymity, but the defender can, for the most part, determine that it’s receiving requests from these networks. As such, there is no expectation that the origin of the connection is the exact same as the user’s physical location. The user has no control of the path or exit node location. 
  • Commercial residential services: These provide anonymity to users, while at the same time allowing them to choose the exit point. These services do not provide any clues to the defender about the nature of the connection. 
  • Malicious proxy services: Threat actors use these networks to hide their location and choose their exit node. These are set up to be used by malicious operators from multiple sources. They can take two shapes: The nodes are installed on leased servers from different providers in different regions, or their nodes can be compromised edge devices that bounce connections in chains.

The first group has a clear legitimate use case, and the second has been advertised as a means to measure marketing engagement. However, threat actors can also use them without the bandwidth owner understanding what is at risk. The third case is clear: The networks are built to be rented for distributed denial-of-service (DDoS) attacks or access to be sold so other actors can anonymize their activities.

History

Leveraging proxy networks for malicious purposes was something we first stumbled on with our research into Honeygain. This was one of the first times we saw technologies like proxyware being abused maliciously. 

Proxyware is a type of technology that uses agents installed by users to act as proxies for other users. The users installing these agents are typically compensated for adding their node to the proxy network. Criminals stumbled upon this quickly and began to weaponize and monetize it, allowing them to benefit from the anonymity these technologies provide since it traces back to a random computer in a random location. At the time, the focus was purely criminal in nature, but state-sponsored groups have been leveraging TOR and VPNs for decades to launch their attacks, typically dropping out of a VPN near the target.

State-sponsored groups also realize that TOR and VPNs have limitations and could potentially expose their operations, so they needed something more opaque and less traceable. Enter VPNFilter.

VPNFilter was the first large-scale proxy network leveraged by state-sponsored actors, in this case Russia. This completely changed how proxy networks were operated and would set the tradecraft for state-sponsored proxy networks for the next several years. The most unique aspect of VPNFilter was the targeting: small office and home office (SOHO) routers. 

The network was made up of SOHO routers that were being compromised with malicious firmware providing a variety of capabilities, including interception and proxy capabilities. 

This was also a fairly significant botnet, consisting of some 500,000 devices that created a massive network from which to launch attacks without repercussions. Fortunately, we worked with affected vendors, and they resolved many of the issues that were being exploited, both vulnerability and otherwise. 

This wasn’t the last time we saw Russian-aligned actors leveraging these types of botnets. A few years later, Cyclops Blink was uncovered. Another Russian actor controlled a proxy network that again primarily consisted of consumer devices. 

The targeting of consumer devices for this type of activity has become the focus of state-sponsored groups’ foray into this space. They also make excellent targets, since many users leave default configurations in place and rarely think to update their devices. Fortunately, post-VPNFilter, many vendors have switched to automatic updates, allowing for more frequent patching. This has resulted in state-sponsored groups widening their targeting. 

Today, we see not just SOHO routers, but also NAS and a variety of IoT devices being targeted and added to these networks. This problem has just gotten worse in the past several years.

State of the Art

As recently as September, the FBI took down a botnet associated with Chinese hacking activities. This was just the latest in a spate of attacks originating from proxy networks. This activity has been largely associated with Volt Typhoon by the U.S. Government, with a broader attribution of China-linked activities in the recent FBI takedown.

Currently, there are several proxy-based networks, with a focus on SOHO devices (e.g., routers, NAS, etc.) and a variety of IoT components (e.g., security cameras) being compromised and added to a botnet that, in some ways, mirrors Mirai botnet activities. 

The basic operating model for these botnets is that they are peer-to-peer, meaning there is no discernible routing. This model provides a sophisticated network of devices to obfuscate the true origin of an attack, and in many circumstances, allows the attacker to appear in close proximity to the victim, including coming from geographically adjacent residential networks. 

The attacks originating from these networks have been tied to espionage and the targeting of critical infrastructure in the U.S. and globally. Most countries are concerned with this escalation, and it has the attention of the majority of vendors in this space. 

These networks have also grown with staggering efficiency, with new nodes being added constantly as other nodes fall off and need to be compromised again. Based on reporting, the majority of these infections are using N-Day vulnerabilities or weak credentials to gain access, something we’ve seen repeatedly out of botnets like Mirai for the last decade. The major difference is that Mirai is used to conduct DDoS attacks, and the new iterations are being used to launch state-sponsored attacks with anonymity.

Network Resiliency Coalition

The repeated use of N-Day vulnerabilities and weak credentials ties into the work that Cisco has been doing for some time related to old and outdated networking equipment and the risks it introduces. The Network Resiliency Coalition is one of the projects aimed at resolving this difficult problem. Anonymization networks’ reliance on networking equipment, specifically exploiting known vulnerabilities, adds more weight to the importance of this effort. By working with industry peers and vendors, Cisco is trying to help remove many of the systems being abused in these attacks, ensuring that proper patching is provided in a timely manner to mitigate these known vulnerabilities.

More projects like this that encompass the IoT industry and non-edge SOHO appliances like NAS devices would also contribute to the fight against anonymization networks. Combined with better credential management, most notably ensuring that default credentials are complex and unique, this could make a huge impact on how successfully these networks continue to grow. Vendors are working to resolve some of these weaknesses, but it is also paramount for defenders to take note.

Impact on Defenders

This continued focus by state-sponsored groups to leverage these networks presents problems for defenders. Attacks from these groups are likely to be coming from residential networks, potentially even from residential networks in the same cities and countries as your organization operates, making identification and attribution increasingly difficult. 

Organizations need to realize that attacks can come from anywhere, even from the same IP space from which your employees connect to their VPNs, so plan accordingly. 

This is further complicated by the increased focus by state-sponsored groups on the use of legitimate credentials. If a connection comes from the same IP space as your employees and uses legitimate credentials, organizations have little hope of stopping it. This is where the increased focus on identity comes into play — organizations need to start taking additional steps to distinguish between illegitimate and legitimate use of credentials, and that ties back to behavior. 

Increasingly, organizations should be looking at users’ behavior when it comes to connections.

  • Are they using their typical device type? (e.g., Windows desktop/MacOS laptop)
  • Are they logging on during their typical hours? (e.g., 9-5 M-F)
  • Are there other managed devices in proximity?
  • Are they using their managed device?

This last point is a critical one. For organizations particularly concerned with credential abuse, managed device access restriction may be the best option. 

This ensures that only managed devices can connect to corporate VPNs through technologies like certificates. 

The downside to this approach is that it’s expensive, and for many organizations not practical, but for those with the budgets and the concern, it’s a needed escalation beyond just multi-factor authentication (MFA). 
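The four behavioral questions above (device type, typical hours, nearby managed devices, managed device), turned into a scoring pass over VPN logon records, as an added example that is not Talos code. The baselines, the MDM check-ins and the logon records are constructed, and "in proximity" is approximated as coming from the same /24 as a recent check-in of one of the user's enrolled devices; the second record shows why the proximity check alone is not enough, since a logon from the same residential IP space still fails the other three.

```python
import json
from datetime import datetime
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed per-user baselines, assumed to be derived from your own IdP and
# MDM data (hypothetical names; nothing here is Talos data or tooling).
BASELINES: Dict[str, dict] = {
    "alice": {
        "device_types": {"windows-desktop"},   # typical device type
        "hours": (9, 17),                       # typical logon window, local time
        "workdays": {0, 1, 2, 3, 4},            # Monday..Friday
        "managed_devices": {"LT-ALICE-01"},     # enrolled device IDs
    },
}

# Constructed recent MDM check-ins; a logon is "near" a managed device when it
# comes from the same /24 as a check-in of one of the user's enrolled devices.
MANAGED_CHECKINS = [
    {"device_id": "LT-ALICE-01", "src_ip": "198.51.100.23"},
]

# Constructed VPN logon records, one JSON object per line (RFC 5737 addresses).
SAMPLE_LOGINS = """
{"user": "alice", "ts": "2024-12-10T10:15:00", "src_ip": "198.51.100.40", "device_type": "windows-desktop", "device_id": "LT-ALICE-01"}
{"user": "alice", "ts": "2024-12-10T03:05:00", "src_ip": "198.51.100.77", "device_type": "android-phone", "device_id": "unknown"}
{"user": "alice", "ts": "2024-12-08T11:00:00", "src_ip": "203.0.113.9", "device_type": "macos-laptop", "device_id": "unknown"}
"""

# Baseline applied to users with no profile: every check fails until one exists.
NO_BASELINE = {"device_types": set(), "hours": (0, 0), "workdays": set(),
               "managed_devices": set()}


def same_slash24(a: str, b: str) -> bool:
    """True when both IPv4 addresses fall in the same /24."""
    return ip_network(f"{a}/24", strict=False) == ip_network(f"{b}/24", strict=False)


def score_login(login: dict, baseline: dict, checkins: List[dict]) -> List[str]:
    """Return the behavioral signals a logon fails, one per question above."""
    reasons = []
    ts = datetime.fromisoformat(login["ts"])
    if login["device_type"] not in baseline["device_types"]:
        reasons.append("unusual device type")
    start, end = baseline["hours"]
    if ts.weekday() not in baseline["workdays"] or not (start <= ts.hour < end):
        reasons.append("outside typical hours")
    near = any(c["device_id"] in baseline["managed_devices"]
               and same_slash24(c["src_ip"], login["src_ip"]) for c in checkins)
    if not near:
        reasons.append("no managed device nearby")
    if login["device_id"] not in baseline["managed_devices"]:
        reasons.append("unmanaged device")
    return reasons


def triage(lines: str, baselines: Dict[str, dict] = BASELINES,
           checkins: List[dict] = MANAGED_CHECKINS) -> List[Tuple[str, str, List[str]]]:
    """Score each JSON-lines logon record and return (user, timestamp, reasons)."""
    results = []
    for line in lines.strip().splitlines():
        login = json.loads(line)
        baseline = baselines.get(login["user"], NO_BASELINE)
        results.append((login["user"], login["ts"],
                        score_login(login, baseline, checkins)))
    return results


if __name__ == "__main__":
    for user, ts, reasons in triage(SAMPLE_LOGINS):
        print(user, ts, "ok" if not reasons else ", ".join(reasons))
```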

You may have noticed we haven’t mentioned MFA until now. But that’s because in 2024, it’s assumed you’ve already rolled out MFA for medium to large enterprises. It is no longer an optional security feature. 

Defenders need to adjust for the state-sponsored threats they will be facing in 2024 and beyond. This means adding more identity capabilities in the near term and looking at additional security protections like managed device-only access in the future.

Cisco Talos Blog – Read More

Bitcoin ATM giant Byte Federal says 58,000 users’ personal data compromised in breach

Byte Federal, one of the largest Bitcoin ATM operators in the U.S., said the personal data of thousands of customers may have been compromised during a recent breach. In a filing with Maine’s attorney general, Florida-based Byte Federal said hackers tried to access the data of 58,000 customers, including names, addresses, phone numbers, government-issued IDs, […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – Read More

Which encrypted file storage to choose? | Kaspersky official blog

No one can deny the convenience of cloud file-storage services like Dropbox or OneDrive. The one drawback is that cybercriminals, intelligence agencies, or the hosting provider itself can view your cloud-based files without authorization. But there’s a more secure alternative: encrypted cloud file-storage. Some call it end-to-end encryption (E2EE) — similar to Signal and WhatsApp. According to the marketing blurb, files are encrypted on your device and sent to the cloud already in secure form — the encryption key remaining in your possession and no one else’s. Not even the provider can sniff this information. But is that really the case?

Swiss-cheese encryption

The Applied Cryptography Group at ETH Zurich took apart the algorithms of five popular encrypted storage services: Sync.com, pCloud, Icedrive, Seafile, and Tresorit. In each of them, the researchers found errors in the implementation of encryption allowing, to varying degrees, file manipulation, and even access to fragments of unencrypted data. Earlier, they’d discovered flaws in two other popular hosting services — MEGA and Nextcloud.

In all cases, attacks are carried out from a malicious server. The scenario is as follows: the intruders either hack the encrypted hosting servers, or, by manipulating routers along the client-to-server path, force the victim’s computer to connect to another server mimicking the genuine encrypted hosting server. If this tricky maneuver succeeds, the attackers can theoretically:

  • In the case of Sync.com, plant folders and files with incriminating information, and change the file names and metadata of stored information. Also, the hacked server can send new encryption keys to the client, then decrypt any files downloaded afterwards. Plus, the built-in share function allows the malicious server to decrypt any file shared by the victim, since the decryption key is contained in the link that’s sent when the server is accessed.
  • In the case of pCloud, plant files and folders, arbitrarily move files and swap file names, delete file fragments, and decrypt files downloaded post-hack.
  • In the case of Seafile, force the client to use an older version of the protocol, making it easier to bruteforce passwords, swap or delete file fragments, plant files and folders, and modify file metadata.
  • In the case of Icedrive, plant files consisting of fragments of other files already uploaded to the cloud, change the name and location of stored files, and reorder file fragments.
  • In the case of Tresorit, manipulate the metadata of stored files — including authorship.
  • In the case of Nextcloud, manipulate encryption keys — allowing decryption of downloaded files.
  • In the case of MEGA, restore encryption keys and thus decrypt all files. It’s also possible to plant incriminating files.

The malicious server in each case is a hard-to-implement but not blue-sky component of the attack. In light of the cyberattacks on Microsoft and Twilio, the possibility of compromising a major player is real. And of course, E2EE by definition needs to be resistant to malicious server-side actions.

Without going into technical details, we note that the developers of all the services seem to have implemented bona fide E2EE and used recognized, strong algorithms like AES and RSA. But file encryption creates a lot of technical difficulties when it comes to document collaboration and co-authoring. The tasks required to overcome these difficulties and factor in all possible attacks involving modified encryption keys remain unsolved, but Tresorit has done a far better job than anyone else.

The researchers point out that the developers of the various services made very similar errors independently of each other. This means that the implementation of encrypted cloud storage is fraught with non-trivial cryptographic nuances. What’s needed is a well-developed protocol thoroughly tested by the cryptographic community — such as TLS for websites or the Signal Protocol for instant messengers.

Costly fixes

The biggest problem with fixing the identified bugs is that not only do the applications and server software need updating, but also, in many cases, user-saved files need re-encrypting. Not every hosting provider can afford these huge computational outlays. What’s more, re-encryption is only possible in cooperation with each user — not unilaterally. Which is probably why fixes are slow in coming:

  • Sync.com responded to the researchers after six months, and only after the appearance of press reports. Having finally woken up, they announced a fix for the problem of key leakage when sharing links, and said they’d patch the other flaws as well — but without giving a time frame.
  • Tresorit promised to fix the issue in 2025 (but the problem is less acute for them).
  • Seafile fixed the issue of protocol version downgrade without commenting on the other flaws.
  • Icedrive decided not to address the identified issues.
  • pCloud didn’t respond to the researchers until the appearance of press reports, then announced that the attacks are theoretical and don’t require immediate action.
  • Nextcloud fixed the issue and majorly reworked the overall approach to E2EE in version 3.12. The updated encryption scheme has yet to be researched.
  • MEGA significantly lowered the likelihood of an attack by introducing client-side checks.

What users need to do

Although the issues identified by the Applied Cryptography Group cannot be called purely theoretical, they do not represent a mass threat readily exploitable by cybercriminals. Therefore, hasty action isn’t required; rather — a sober assessment of your situation is needed:

  • How sensitive is the data in your storage, and how tempting is it to outsiders?
  • How much data do you store in the encrypted service, and is it easy to move to another?
  • How important are the collaboration and file-sharing features?

If collaboration isn’t important, while the data stored is critical, the best option is to switch to local file encryption. You can do this in a variety of ways — for example, by storing data in an encrypted container file or an archive with a strong password. If you need to transfer data to another device, you can upload an already encrypted archive to the cloud hosting service.

If you want to combine collaboration and convenience with proper security guarantees, and the amount of stored data isn’t that great, it’s worth moving the data to one of the services that better withstood ETH Zurich’s testing. That means Tresorit first and foremost, but don’t discount MEGA and Nextcloud.

If none of these solutions fits the bill, you can opt for other encrypted hosting services, but with additional precautions: avoid storing highly sensitive data, promptly update client applications, regularly check your cloud drives, and delete outdated or extraneous information.

In any case, remember that the most likely attack on your data will take the shape of an infostealer simply compromising your computer or smartphone. Therefore, encrypted hosting must go hand in hand with full anti-malware protection for all smartphones and computers.

Kaspersky official blog – Read More