Overview

In response to the growing threat of cyber and financial crimes targeting individuals and organizations, INTERPOL has launched a new campaign called “Think Twice.” The campaign aims to raise awareness about the dangers of increasingly complex online threats, urging people to pause and think before making decisions online. The campaign highlights five key cyber threats: ransomware attacks, malware attacks, phishing, generative AI scams, and romance baiting.

With these crimes becoming more advanced and widespread, the campaign serves as a timely reminder of the importance of vigilance and careful decision-making in the digital world.

The Rising Threat of Cybercrime

Cybercrime is on the rise, with criminals using more advanced techniques to exploit vulnerable individuals and organizations. According to INTERPOL’s findings, ransomware attacks have increased by 70 percent, and malware attacks have risen by over 30 percent in just the past year.

Fostering a culture of cyber-awareness in the workforce is the first and last line of defense against cybercrime, as employees form the backbone of any cybersecurity strategy.

Phishing attacks have also evolved, becoming increasingly difficult to detect. Cybercriminals are now using sophisticated methods, including generative AI, to manipulate voices, images, and text, creating ultra-realistic human avatars to deceive victims. These scams are gaining traction, with scammers targeting victims worldwide using tactics that were once unimaginable. Another rising threat is romance baiting, where criminals use fake online profiles to form relationships with victims, only to later ask for money.

The “Think Twice” campaign, which will run from December 3 to December 19, 2024, emphasizes the importance of making informed choices online. By raising awareness of these growing threats, INTERPOL hopes to empower individuals and organizations to take proactive steps in safeguarding themselves against cybercrime.

Key Threats Highlighted by the “Think Twice” Campaign

The campaign focuses on five major threats that have been identified as rapidly growing concerns in the online space:

1. Ransomware Attacks:
   Ransomware continues to be one of the most disruptive forms of cybercrime. It involves criminals encrypting a victim’s data and demanding a ransom to unlock it. The rise of ransomware attacks has been staggering, with a 70 percent increase in the past year alone.
2. Malware Attacks:
   Malware attacks involve malicious software designed to infiltrate and damage computers or networks. Over 30 percent of malware attacks have increased in the past year, often spreading through emails, links, or infected files.
3. Phishing:
   Phishing scams involve tricking individuals into revealing sensitive information, such as passwords or financial data, through deceptive emails or messages. Phishing has become more sophisticated, with cybercriminals using AI-generated content to make their scams harder to detect.
4. Generative AI Scams:
   Generative AI scams involve using AI technology to create fake human avatars, voices, and images to deceive victims. These scams are gaining traction, with cybercriminals using realistic content to manipulate and steal money from victims.
5. Romance Baiting Scams:
   Romance baiting is a growing form of fraud where criminals create fake online profiles to form emotional connections with victims. After gaining their trust, they ask for money, often claiming to be in a financial emergency or need.

The “Think Twice” Campaign: Empowering Individuals and Organizations

The primary objective of the “Think Twice” campaign is to encourage individuals to pause and think before acting on digital content. INTERPOL urges people to verify the authenticity of messages, links, and requests before taking any action. This two-week awareness campaign will primarily run through social media channels, reaching individuals globally and educating them about the risks associated with cybercrime.

INTERPOL emphasizes the importance of adopting a mindset of caution and awareness when interacting with digital content. The campaign encourages individuals to:

• Pause and evaluate: Take a moment to verify the authenticity of any unsolicited emails, links, or messages.
• Check for credibility: Ensure the sources of information are legitimate, especially if you’re asked for personal or financial information.
• Verify identities: Even if a request seems to come from a familiar contact, always verify their identity through multiple channels.
• Stay informed: Learn about the latest cybercrime tactics and how to recognize them.
• Be cautious with online relationships: Especially when money is involved, approach online relationships with skepticism.

Taking Action Against Cybercrime: What Can You Do?

INTERPOL’s campaign is not just about raising awareness; it also provides a practical checklist for reducing the risks of cybercrime. Here are some simple steps that individuals and organizations can take to protect themselves:

1. Be cautious of unsolicited requests: Always be wary of emails or messages from unfamiliar sources. Avoid clicking on suspicious links or attachments.
2. Implement a cybersecurity culture: Businesses should foster a culture of cybersecurity awareness among employees, providing training and guidelines on handling potential threats.
3. Verify identities: If you receive a request for money or sensitive information from a known person, verify their identity before acting.
4. Use in-person verification: For high-risk situations, like online transactions or relationships, consider verifying details through face-to-face meetings or phone calls.
5. Stay informed: Cybercrime tactics are constantly evolving, so it’s crucial to stay updated on the latest scams and threats.

Conclusion

As cyber and financial crimes continue to grow in scale, INTERPOL’s “Think Twice” campaign serves as an essential reminder for individuals and organizations to remain vigilant. By pausing to consider their digital actions and verifying the authenticity of online content, people can reduce their exposure to threats like phishing, malware, and romance baiting.

As INTERPOL’s Secretary General Valdecy Urquiza said, cybersecurity is a shared responsibility. Through proactive measures and informed decisions, we can help build a safer digital world for everyone.

Source: https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-campaign-warns-against-cyber-and-financial-crimes

The post Think Twice Before You Click: INTERPOL Unveils Alarming Cybercrime Trends appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

The TP-Link Archer C50 V4, a popular dual-band wireless router designed for small office and home office (SOHO) networks, has been found to contain multiple security vulnerabilities that could expose users to a range of cyber threats.

These TP-Link Archer router vulnerabilities, identified under the CVE-2024-54126 and CVE-2024-54127 identifiers, affect all firmware versions prior to Archer C50(EU)_V4_240917. The Indian Computer Emergency Response Team (CERT-In) flagged these vulnerabilities and the security of TP-Link Archer routers.

The vulnerabilities identified in the TP-Link Archer C50 V4 wireless router could allow attackers to exploit critical security holes in the device, leading to unauthorized access and potentially damaging consequences. Two specific issues have been highlighted: a flaw in the firmware upgrade process and the exposure of sensitive Wi-Fi credentials.

Details of the TP-Link Archer Router Vulnerabilities

The TP-Link Archer router vulnerabilities have been classified as medium risk. While the immediate impact may not be critical, the potential for exploitation remains a threat to network security. CVE-2024-54126 and CVE-2024-54127 were reported by Khalid Markar, Amey Chavekar, Sushant Mane, and Dr. Faruk Kazi from CoE-CNDS Lab, VJTI, Mumbai.

Vulnerability Details in TP-Link Archer Router

1. Insufficient Integrity Verification During Firmware Upgrade (CVE-2024-54126)

One of the key vulnerabilities in the TP-Link Archer C50 router arises from an improper signature verification mechanism in the firmware upgrade process. This issue is present in the web interface of the router, which could be exploited by an attacker with administrative privileges. If the attacker is within the Wi-Fi range of the router, they could upload and execute malicious firmware, allowing them to compromise the device completely.

The absence of adequate integrity checks during firmware updates could enable an attacker to introduce backdoors or malicious code into the router. This would allow the attacker to control the device, manipulate network traffic, or even hijack the entire system, posing a serious security risk for users relying on this router for their home or business networks.

• Exposure of Wi-Fi Credentials in Plaintext (CVE-2024-54127)

The second vulnerability is related to the lack of proper access control on the serial interface of the TP-Link Archer C50 router. An attacker with physical access to the device could exploit this weakness by accessing the Universal Asynchronous Receiver-Transmitter (UART) shell. Once inside, the attacker could easily extract Wi-Fi credentials, including the network name (SSID) and password, which would give them unauthorized access to the targeted network.

This vulnerability in TP-Link Archer routers is particularly malicious because obtaining Wi-Fi credentials allows attackers to infiltrate the network, potentially exposing sensitive data, intercepting communications, or launching further attacks on connected devices. The ability to obtain such information without the need for remote access makes this vulnerability especially dangerous in situations where physical access to the device is possible.

Impact of the TP-Link Archer Vulnerability

The presence of these vulnerabilities in the TP-Link Archer C50 V4 router could lead to significant security risks, including:

• Compromise of the router: Malicious firmware uploads could enable attackers to control the device, potentially disrupting network operations or using it as a platform for launching further attacks.
• Exposure of sensitive information: The vulnerability related to the exposure of Wi-Fi credentials allows attackers to access the network and all connected devices. This could lead to data breaches, unauthorized surveillance, and even identity theft.
• Potential system compromise: Once the attacker gains access to the router or the Wi-Fi network, they may leverage this foothold to exploit other vulnerabilities in the network infrastructure, leading to a larger-scale attack.

Given that many home and small office networks rely on TP-Link Archer routers for wireless connectivity, these vulnerabilities have the potential to affect a large number of users. The impact could be particularly severe for businesses or individuals who store sensitive information or rely on secure communications.

Mitigating the Vulnerability in TP-Link Archer Router

To mitigate the risks associated with these vulnerabilities, TP-Link has released a firmware update designed to address the issues. The solution is available for download through the official TP-Link website and should be applied as soon as possible to protect the router from potential attacks. Some of the recommended actions include:

• Update Firmware: Users of the TP-Link Archer C50 V4 router are advised to upgrade to the latest firmware version, Archer C50(EU)_V4_240917. This update fixes the vulnerabilities by enhancing the integrity checks during the firmware upgrade process and securing access to the serial interface to prevent unauthorized access to Wi-Fi credentials.
• Firmware Upgrade Instructions: To ensure a smooth upgrade, users should follow the specific instructions provided by TP-Link, which include verifying the hardware version of the router, downloading the correct firmware, and ensuring the router is not powered off during the upgrade process. It is also recommended to use a wired connection during the upgrade to avoid any issues with wireless disconnections.

Conclusion

The discovery of vulnerabilities in the TP-Link Archer router highlights the critical need for users to stay updated with the latest firmware releases and security patches. The vulnerabilities in the TP-Link Archer C50 V4, including the insufficient integrity verification during firmware upgrades and the exposure of Wi-Fi credentials, present an ongoing security risks that could lead to unauthorized access and system compromise.

By upgrading to the latest firmware version, users can mitigate the risks associated with these vulnerabilities and protect their networks from potential exploitation. TP-Link Archer router users should take immediate action to secure their devices and ensure their networks remain safe from attackers seeking to exploit these flaws.

References

• https://www.cert-in.org.in/
• https://www.tp-link.com/en/support/download/archer-c50/v4/#Firmware
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54127
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54126

The post Security Risks in TP-Link Archer Router Could Lead to Unauthorized Access appeared first on Cyble.

Blog – Cyble – ​Read More

Cisco Talos’ Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 

These vulnerabilities have not been patched at time of this posting. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

MC Technologies OS command injection vulnerabilities 

Discovered by Matt Wiseman of Cisco Talos. 

The MC-LR Router from MC Technologies supports IPsec and OpenVPN implementations, firewall capabilities, remote management via HTTP and SNMP, and configurable alerting via SMS and email, with two-port and four-port variants, includes models that support transparent serial-to-TCP translations and 1-in/1-out digital I/O. 

Talos recently published two advisories detailing OS command injection vulnerabilities discovered in the MC-LR Router from MC Technologies. TALOS-2024-1953 covers three vulnerabilities (CVE-2024-28025 through CVE-2024-28027), which are reachable through the I/O configuration functionality of the web interface. TALOS-2024-1954 covers one vulnerability (CVE-2024-21786) in the importation of uploaded configuration files. All vulnerabilities may be triggered with an authenticated HTTP request. 

GoCast authentication and OS command injection vulnerabilities 

Discovered by Edwin Molenaar and Matt Street of Cisco Meraki. 

The GoCast tool provides BGP routing for advertisements from a host; it is commonly used for anycast-based load balancing for infrastructure service instances available in geographically diverse regions.  

The GoCast HTTP API allows the registration and deregistration of apps without requiring authentication, shown in TALOS-2024-1962 (CVE-2024-21855). The lack of authentication can be used to exploit TALOS-2024-1960 (CVE-2024-28892) and TALOS-2024-1961 (CVE-2024-29224), leading to OS command injection and arbitrary command execution. 

Cisco Talos Blog – ​Read More

Why do even large companies that have invested heavily in their cyberdefense still fall victim to cyberattacks? Most often, it’s a matter of an outdated approach to security. Security teams may deploy dozens of tools, but lack visibility within their own networks, which nowadays include not only usual physical segments, but cloud environments as well. Hackers often exploit stolen credentials, operate through compromised contractors, and try to use malware as rarely as possible — preferring to exploit legitimate software and dual-purpose applications. That’s why security tools that are usually used to protect company’s endpoints may not be effective enough against well-disguised cyberattacks.

In a recent survey, 44% of CISOs reported missing a data breach, with 84% attributing the issue to an inability to analyze traffic, particularly encrypted traffic. This is where network detection and response (NDR) systems come into play. They offer comprehensive traffic analysis, including internal traffic — significantly enhancing security capabilities. In the Kaspersky product range, NDR functionality is implemented as part of its Kaspersky Anti Targeted Attack Platform (KATA).

Outdated security tools aren’t enough

If there was one word to describe the priorities of today’s attackers, it would be “stealth”. Whether it’s espionage-focused APTs, ransomware groups, or any other attacks targeting a specific organization, adversaries go to great lengths to avoid detection, and complicate post-incident analysis. Our incident response report illustrates this vividly. Attackers exploit legitimate employee or contractor credentials, leverage admin tools already in use within the system (a tactic known as “living off the land”), and exploit vulnerabilities to perform actions from privileged user accounts, processes, or devices. Moreover, edge devices, such as proxy servers and firewalls, are increasingly being used as attack footholds.

How do cybersecurity teams respond to this? If a company’s threat detection approach was designed several years ago, its defenders might simply lack the tools to detect such activity in a timely manner:

• In their traditional form, they only protect the organization’s perimeter, and don’t assist in detecting suspicious network activity inside it (such as attackers taking over additional computers).
• Intrusion detection and prevention systems (IDS/IPS). The capabilities of classic IDS’s for detecting activity over encrypted channels are very limited, and their typical location between network segments impedes detection of lateral movement.
• Antivirus and endpoint protection systems. These tools are difficult to use for detecting activity conducted entirely with legitimate tools in manual mode. Moreover, organizations always have routers, IoT devices, or network peripherals where it’s not possible to deploy such protection systems.

What is network detection and response?

NDR systems provide detailed monitoring of an organization’s traffic and apply various rules and algorithms to detect anomalous activity. They also include tools for rapid incident response.

The key difference to firewalls is the monitoring of all types of traffic flowing in various directions. Thus, not only communications between a network and the internet (north-south) are being analyzed, but data exchange between hosts within a corporate network (east-west) as well. Communications between systems in external networks and corporate cloud resources, as well as between cloud resources themselves, are not left unattended either. This makes NDR effective in various infrastructures: on-premises, cloud, and hybrid.

The key difference to classic IDS/IPS is the use of behavioral analysis mechanisms alongside signature analysis.

Besides connections analysis, an NDR solution keeps traffic in its “raw” form, and provides a whole range of technologies for analysis of such “snapshots” of data exchange; NDR can analyze many parameters of traffic (including metadata), going beyond simple “address-host-protocol” dependencies. For example, using JAx fingerprints, NDR can identify the nature even of encrypted SSL/TLS connections, and detect malicious traffic without needing to decrypt it.

Benefits of NDR for IT and security teams

Early threat detection. Even the initial steps of attackers — whether it’s brute-forcing passwords or exploiting vulnerabilities in publicly accessible applications — leave traces that NDR tools can detect. NDR, having “presence” not only on the edges of a network, but at its endpoints as well, is also well-suited to detecting lateral movement within the network, manipulation with authentication tokens, tunneling, reverse shells, and other common attack techniques, including network interactions.

Accelerated incident investigation. NDR tools allow for both broad and deep analysis of suspicious activity. Network interaction diagrams show where attackers moved and where their activity originated from, while access to raw traffic allows for the reconstruction of the attacker’s actions and the creation of detection rules for future searches.

A systematic approach to the big picture of an attack. NDR works with the tactics, techniques, and procedures of the attack — systematized according to such a popular framework as MITRE ATT&CK. Solutions of this class usually allow a security team to easily classify the detected indicators and, as a result, better understand the big picture of the attack, figure out the stage it’s at, and how the attack can be stopped as effectively as possible.

Detection of internal threats, misconfigurations, and shadow IT. The “behavioral” approach to traffic allows NDR to address preventive tasks as well. Various security policy violations, such as using unauthorized applications on personal devices, connecting additional devices to the company infrastructure, sharing passwords, accessing information not required for work tasks, using outdated software versions, and running server software without properly configured encryption and authentication, can be identified early and stopped.

Supply chain threat detection. Monitoring the traffic of legitimate applications may reveal undeclared functionality, such as unauthorized telemetry transmission to the manufacturer or attempts to deliver trojanized updates.

Automated response. The “R” in NDR stands for response actions such as isolating hosts with suspicious activity, tightening network zone interaction policies, and blocking high-risk protocols or malicious external hosts. Depending on the circumstances, the response can be either manual or automatic, triggered by the “if-then” presets.

NDR, EDR, XDR, and NTA

IT management and executives often ask tricky questions about how various *DR solutions differ from each other and why they’re all needed at the same time.

NTA (network traffic analysis) systems are the foundation from which NDR evolved. They were designed to collect and analyze all the traffic of a company (hence the name). However, practical implementation revealed the broader potential of this technology — that is, it could be used for rapid incident response. Response capabilities, including automation, are NDR’s primary distinction.

EDR (Endpoint Detection & Response) systems analyze cyberthreats on specific devices within the network (endpoints). While NDR provides a deep analysis of devices’ interactions and communication within the organization, EDR offers an equally detailed picture of the activity on individual devices. These systems complement each other, and only together do they provide a complete view of what’s happening in the organization and the tools needed for detection and response.

XDR (eXtended Detection & Response) systems take a holistic approach to threat detection and response by aggregating and correlating data from various sources, including endpoints, physical and cloud infrastructures, network devices, and more. This enables defenders to see a comprehensive overview of network activity, combine events from different sources into single alerts, apply advanced analytics to them, and simplify response actions. Different vendors put different spins on XDR: some offer XDR as a product that includes both EDR and NDR functionalities, while for others it may only support integration with these external tools.

Kaspersky’s approach: integrating NDR into the security ecosystem

Implementing NDR implies that an organization has already achieved a high level of cybersecurity maturity, with established monitoring and response practices, as well as tools for information exchange between systems, ensuring correlation and enrichment of data from various sources. This is why in Kaspersky’s product range and the NDR module enhances the capabilities of the Kaspersky Anti Targeted Attack Platform (KATA). The basic version of KATA includes mechanisms such as SSL/TLS connection fingerprint analysis, north-south traffic attack detection, selective traffic capture for suspicious connections, and basic response functions.

The KATA NDR Enhanced version includes all the NDR capabilities described above, including deep analysis and full storage of traffic, intra-network connection monitoring, and automated advanced response functions.

The top-tier version, KATA Ultra, combines expert EDR capabilities with full NDR functions, offering a comprehensive, single-vendor XDR solution.

Kaspersky official blog – ​Read More

The ransomware attack that hit supply chain management platform Blue Yonder and its customers last month was the work of a new ransomware group called “Termite.”

Cyble Research and Intelligence Labs (CRIL) researchers have examined a Termite ransomware binary and determined that Termite is essentially a rebranding of the notorious Babuk ransomware. The Termite leak site claims seven victims so far (geographic distribution below).

We’ll cover the technical details of the new Termite ransomware strain, which was first identified by PCrisk, along with MITRE ATT&CK techniques, indicators of compromise (IoCs) and recommendations.

Technical Details of Termite Ransomware

Upon execution, the ransomware invokes the SetProcessShutdownParameters(0, 0) API to ensure that its process is one of the last to be terminated during system shutdown. This tactic is used to maximize the time available for the ransomware to complete its encryption process.

The ransomware then attempts to terminate services on the victim’s machine to prevent interruptions during the encryption process. It uses the OpenSCManagerA() API to establish a connection with the Service Control Manager, granting access to the service control manager database (image below).

After gaining access, the ransomware enumerates the services on the victim’s machine to retrieve their names. It specifically looks for services such as veeam, vmms, memtas and others, and terminating them if they are found to be actively running.

The ransomware enumerates running processes using the CreateToolhelp32Snapshot(), Process32FirstW(), and Process32NextW() APIs. It checks process names such as sql.exe, oracle.exe, firefox.exe and others and terminates them if they are actively running.

After that, the ransomware launches the vssadmin.exe process to delete all Shadow Copies, as shown in the below figure. This action is performed to prevent system recovery after the files have been encrypted.

The ransomware also uses the SHEmptyRecycleBinA() API to delete all items from the Recycle Bin, ensuring that no deleted files can be restored after encryption. After execution, Termite Ransomware attempts to retrieve system information using the GetSystemInfo() API, which collects details like the number of processors, as shown in the below figure.

The ransomware then creates a separate thread for each detected CPU, generates ransom notes named “How To Restore Your Files.txt”, and encrypts files on the victim’s machine.

It avoids encrypting certain system folders such as AppData, Boot, Windows, Windows.old etc. Additionally, it specifically excludes system files such as autorun.inf, boot.ini, bootfont.bin etc., as well as file extensions like .exe, .dll, and .termite from the encryption process to ensure that essential system functions remain intact.

Similar to Babuk ransomware, Termite appends the signature “choung dong looks like hot dog” at the end of the encrypted file.

The figure below shows the ransom note dropped by the ransomware, titled ” How To Restore Your Files.txt,” which instructs victims to visit the onion site for additional information.

After dropping the ransom notes, the malware encrypts the files on the victim’s machine and appends the “.termite” extension, as shown in the figure below.

The Termite ransomware can also spread through network shares and paths of the infected machine, as shown below.

If the command-line argument is “shares,” the ransomware uses the NetShareEnum() API to locate network shares and retrieve information about each shared resource on the server. It then checks for the $ADMIN share and begins encrypting the files. If the command-line argument is “paths,” the ransomware calls the GetDriveTypeW() API to identify network drives connected to the infected machine, and once located, it starts encrypting the files. If neither “-paths” nor “-shares” are provided, and the mutex named “DoYouWantToHaveSexWithCuongDong” is not found on the infected machine, the ransomware recursively traverses all local drives and encrypts the files.

Conclusion

Termite ransomware represents a new and growing threat in the cyber landscape, leveraging advanced tactics such as double extortion to maximize its impact on victims. By targeting businesses and demanding substantial ransoms, it not only disrupts operations but also exposes organizations to significant financial, legal, and reputational risks. The emergence of Termite underscores the critical need for robust cybersecurity measures, proactive threat intelligence, and incident response strategies to counter the evolving tactics of ransomware groups.

Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices below:

Safety Measures to Prevent Ransomware Attacks

• Do not open untrusted links and email attachments without first verifying their authenticity.
• Conduct regular backup practices and keep those backups offline or in a separate network.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
• Use a reputable antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

MITRE ATT&CK® Techniques

IOC

The post A Technical Look at the New ‘Termite’ Ransomware that Hit Blue Yonder appeared first on Cyble.

Blog – Cyble – ​Read More