Hacking news

Microsoft down: Netizens react to global outage with hilarious memes

Microsoft has confirmed that its cloud services are suffering a global outage across the US, Australia, India, and more. As per Down Detector, 59 per cent of users are currently facing problems with login, 22 per cent with the app, and 19 per cent with OneDrive. This outage has impacted Microsoft’s Azure and Office 365 services worldwide, along with US airlines. Low-cost carriers Frontier Airlines, a unit of Frontier Group Holdings (ULCC.O), Allegiant and Sun Country had reported outages that affected operations. Frontier said that it was in the process of resuming normal operations and that the ground stop had been lifted. Microsoft stated that its outage started at about 6 pm ET on Thursday, with a subset of its customers experiencing issues with multiple Azure services in the Central U.S. region. Microsoft Windows users globally are also reporting a blue screen error that makes the system suddenly shut down or restart. Microsoft has revealed in a message that the error is due to a recent CrowdStrike update. Here are a few hilarious memes that you shouldn’t miss. Post Credit: Business Today

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target for gaining unauthorized access or spreading malware. Besides this, its open-source nature allows threat actors to study the code closely and identify new vulnerabilities in it. Cybersecurity researchers at Symantec recently identified a new Linux backdoor actively attacking Linux users via installation packages.

New Linux Backdoor

Symantec unveiled a new Linux backdoor named Linux.Gomir, developed by the Springtail hacking group from North Korea, which has reportedly been connected with recent malware attacks on South Korean targets. Gomir is similar to the GoBear backdoor, which was found in previous Springtail campaigns where Trojanized software was used. Springtail, believed to be a tight-knit organization within North Korean military intelligence, has carried out cyber espionage missions before, including the 2014 disk wiper attack on Korea Hydro and Nuclear Power. It recently misused DMARC policies for social engineering purposes, impersonating experts on issues concerning North Korea. The Springtail group launched a campaign delivering the new Troll Stealer malware, a Go-based information stealer whose code overlaps with previous Springtail malware like the GoBear and BetaSeed backdoors. Troll Stealer was distributed via Trojanized software installers, including those for TrustPKI, NX_PRNMAN from SGA Solutions, and Wizvera VeraPort, which was previously compromised in 2020. Targeting government agencies by copying GPKI data, the campaign exploited legitimate websites requiring a login. GoBear was also spread, masquerading as a Korean transport organization’s app installer signed with a stolen certificate. Symantec noticed Linux.Gomir, a Linux version of Springtail’s GoBear Windows backdoor, which shares much code similarity with it.
If run with the “install” argument, Gomir checks its privileges: it copies itself to /var/log/syslogd and creates a persistent systemd service if it is running as root, or otherwise configures a crontab entry. Once installed, it communicates with its C&C server over HTTP POST, sending an infection ID derived by hashing the hostname and the username and receiving Base64-encoded commands. Gomir’s structure and installation routines, which are remarkably similar to those of GoBear, also highlight the group’s cross-platform targeting capabilities. Gomir uses custom encryption to decode received commands and supports 17 operations similar to GoBear’s. This campaign reveals North Korean groups’ inclination toward software supply chain vectors such as Trojanized installers, fake apps, and compromised update channels. Springtail carefully chooses software that is popular with the South Korean audiences it targets and Trojanizes it on the third-party websites from which it must be installed. The group’s developing tactics exhibit a sophisticated and targeted approach to cyber espionage operations. Post Credit: GB Hackers
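The two persistence traits described above (a copy of the backdoor at /var/log/syslogd, kept alive by either a systemd service or a crontab entry) can be checked for from the defender’s side. The following is an added example, not Symantec’s code or anything from Gomir itself: it parses constructed crontab lines and systemd unit text and flags any entry whose executable lives under /var/log, a directory that should hold logs, not binaries. The sample inputs and the Finding record are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Gomir drops its copy at /var/log/syslogd; nothing launched at boot or by cron
# should normally live under /var/log, so that prefix is the indicator here.
SUSPICIOUS_PREFIX = "/var/log/"

@dataclass
class Finding:
    source: str       # "crontab" or "systemd"
    line: str         # the offending line as seen
    executable: str   # the path that triggered the finding

def _exec_from_command(command: str) -> str | None:
    """Return the first token that looks like an absolute path, if any."""
    for token in command.split():
        if token.startswith("/"):
            return token
    return None

def scan_crontab(text: str) -> list[Finding]:
    """Flag crontab entries whose command runs a binary under /var/log.
    Handles both five-field schedules and @reboot-style specials."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                  # e.g. "@reboot /path"
            command = line.split(None, 1)[1] if " " in line else ""
        else:                                     # "m h dom mon dow command"
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            command = parts[5]
        exe = _exec_from_command(command)
        if exe and exe.startswith(SUSPICIOUS_PREFIX):
            findings.append(Finding("crontab", line, exe))
    return findings

def scan_systemd_unit(text: str) -> list[Finding]:
    """Flag Exec* lines in a unit file that point under /var/log,
    ignoring systemd's optional prefix characters (-, @, :, +, !)."""
    findings = []
    for raw in text.splitlines():
        m = re.match(r"^Exec(?:Start|StartPre|StartPost|Stop)\s*=\s*(.+)$", raw.strip())
        if not m:
            continue
        exe = _exec_from_command(m.group(1).lstrip("-@:+!"))
        if exe and exe.startswith(SUSPICIOUS_PREFIX):
            findings.append(Finding("systemd", raw.strip(), exe))
    return findings

# Constructed samples (not real captures): benign entries beside ones that
# mimic the persistence described in the article.
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n@reboot /var/log/syslogd\n"
SAMPLE_UNIT = "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n"
SAMPLE_BAD_UNIT = "[Service]\nExecStart=-/var/log/syslogd\nRestart=always\n"
```

On a real host the same two functions would be fed the output of `crontab -l` for each user and the contents of unit files under /etc/systemd/system.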

How Attackers Can Own a Business Without Touching the Endpoint

Attackers are increasingly making use of “networkless” attack techniques targeting cloud apps and identities. Here’s how attackers can (and do) compromise organizations without ever needing to touch the endpoint or conventional networked systems and services. Before getting into the details of the attack techniques being used, let’s discuss why these attacks are becoming more prevalent.

SaaS adoption is changing the make-up of company IT

The SaaS revolution and product-led growth have had a huge impact on the structure of company networks, and on where core business systems and data reside. Most organizations today are using tens to hundreds of SaaS applications across business functions. Some are entirely SaaS-native, with no traditional network to speak of, but most have adopted a hybrid model with a mixture of on-premise, cloud, and SaaS services forming the backbone of the business applications in use. The bulk of SaaS adoption is user-driven, as opposed to centrally managed by IT, since bottom-up adoption is inherent to product-led growth. The latest data from Push Security indicates that only 1 in 5 SaaS apps have been sanctioned by the business. The majority are simply unknown and, therefore, have not been reviewed at all. Cloud and SaaS apps are designed to be interconnected, functioning like the closed networks of internal business applications you might have used in the past. The vehicle for this interconnectedness is identity.

Digital identities are increasingly complicated and hard to secure

The most basic form of identity is a user account created for services you sign up to with a username/email and password. To reduce the risk of account takeover and the complexity of managing an ever-increasing number of accounts, organizations use identity providers (IdPs) to centralize access to apps within a single platform and identity, using protocols like single sign-on (SSO) and OAuth to manage authentication and authorization respectively.
The particular make-up of an identity can vary a lot. Depending on the app, it’s possible to have multiple authentication mechanisms for the same account, for example via SAML, social logins (OIDC), and username and password. Whilst SAML requires that admins set it up in advance for a given app tenant, users can sign up for an app using OIDC simply by using the “sign in with Google” feature. In effect this creates multiple identities tied to a single account, which can introduce a lot of confusion and complexity: for example, just because an IdP admin deletes that account doesn’t mean the app account can’t still be accessed using one of the other login methods that has been created. This can make it hard to know what apps are in use and what identities exist in the organization. So, in practice, it’s possible to end up with a combination of the following:

It can get pretty complicated, with most organizations having 100+ apps in their inventory, resulting in thousands of sprawled identities. Then, depending on the OAuth scopes approved for a given app, permissions and workflows in one app can impact other apps where approval is granted for them to talk to one another. Identity is the glue that holds this ecosystem together. However, the controls that exist to secure identity have serious limitations. Companies often think that all their apps and identities have MFA rolled out, or that all apps are behind SSO. But the reality is that only 1/3 of apps actually support SSO (and many of these only at the premium tier, with a hefty price increase). Further, around 60% of unique identities (i.e., those not using SSO) do not have MFA registered. So in reality, there are significant gaps in the security controls protecting cloud identities, even as identities and cloud apps become more prevalent.
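One way to make the account/identity distinction above concrete, as an added example rather than anything from Push Security: a hypothetical inventory audit in which each app account lists the login methods that exist for it, and the audit reports the accounts the IdP cannot revoke (a leaver whose OIDC or password login still works) and the identities outside SSO that have no MFA. The data model, field names and sample records are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Methods a user can create on their own, outside IdP control (the article's
# "sign in with Google" OIDC login and plain username/password). Anything
# else here is treated as the admin-configured SAML path.
LOCAL_METHODS = {"oidc", "password"}

@dataclass
class AppAccount:
    app: str
    user: str                  # email / username the account is tied to
    methods: set[str]          # login methods that exist for this account
    mfa_registered: bool = False

@dataclass
class Report:
    identities: int = 0                                          # total login identities
    orphaned: list[AppAccount] = field(default_factory=list)     # reachable after IdP removal
    unprotected: list[AppAccount] = field(default_factory=list)  # non-SSO path with no MFA

def audit(accounts: list[AppAccount], deprovisioned_users: set[str]) -> Report:
    """Count sprawled identities and find the access paths an IdP cannot close."""
    report = Report()
    for acct in accounts:
        local = acct.methods & LOCAL_METHODS
        report.identities += len(acct.methods)
        # Deleting the IdP user only removes the SAML path; any OIDC or password
        # login left behind still opens the app account.
        if acct.user in deprovisioned_users and local:
            report.orphaned.append(acct)
        # Identities not going through SSO rely on the app's own MFA.
        if local and not acct.mfa_registered:
            report.unprotected.append(acct)
    return report

# Constructed inventory (not real data) showing the patterns described above.
INVENTORY = [
    AppAccount("crm", "alice@example.com", {"saml"}),
    AppAccount("crm", "bob@example.com", {"saml", "oidc"}),     # also used "sign in with Google"
    AppAccount("notes", "bob@example.com", {"password"}),
    AppAccount("design", "carol@example.com", {"oidc"}, mfa_registered=True),
]
LEAVERS = {"bob@example.com"}  # constructed: removed from the IdP, so SAML no longer works

if __name__ == "__main__":
    r = audit(INVENTORY, LEAVERS)
    print(f"{r.identities} identities across {len(INVENTORY)} accounts")
    for a in r.orphaned:
        print(f"orphaned: {a.app}/{a.user} via {sorted(a.methods & LOCAL_METHODS)}")
    for a in r.unprotected:
        print(f"no MFA: {a.app}/{a.user}")
```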
Attackers are targeting cloud identity vulnerabilities

Attackers are taking note of this. According to Verizon’s 2024 DBIR, 74% of all breaches involved the human element, targeting compromised user accounts via human error, privilege misuse, use of compromised credentials, or social engineering. While this is nothing new (some form of identity/phishing attack has been the top attack vector since at least 2013), CrowdStrike’s latest global threat report goes further, noting that 75% of attacks to gain access were malware-free, and that “cloud-conscious” attacks (deliberate rather than opportunistic targeting of cloud services to compromise specific functionality) increased 110%. Microsoft also notes around 4,000 password attacks per second specifically targeting cloud identities, while there are suggestions from Google employees that attacks looking to steal session cookies (and therefore bypass MFA) happen at roughly the same order of magnitude as password-based attacks. Looking beyond the numbers, evidence from breaches in the public eye tells the same story. Threat groups like APT29/Cozy Bear/The Dukes and Scattered Spider/0ktapus show how attackers are actively targeting IdP services, SaaS apps, and SSO/OAuth to carry out high-profile attacks against companies like Microsoft and Okta. Cloud apps and identities are the new land of opportunity for attackers. Because of the shift to cloud services, they offer the same value as a traditional attack designed to breach a network perimeter via the endpoint. In many ways, identity itself is the new attack surface. Contrary to other security boundaries like the network or endpoint, it also presents much less of an obstacle in terms of the controls that currently exist to defend this new perimeter. Identity-based attacks used to be localized to the endpoint or adjacent “identity systems” like Active Directory. The goal for the attacker was to breach this perimeter and move within the organization.
Now, identity is much more dispersed: the gateway to an ecosystem of interconnected cloud apps and services, all accessed over the internet. This has significantly shifted the magnitude of the challenge facing security teams. After all, it’s much harder to stop credential-stuffing attacks against 100 SaaS apps than against the single centralized external VPN/webmail endpoint of yesteryear.

Cloud identities are the new perimeter

It seems pretty clear that cloud identities are the new digital perimeter. This isn’t the future, it’s now. The only piece that is still to be determined is what offensive techniques and tradecraft will emerge, and what the industry response will be in order to stop them.

Security era | Techniques of the day | Industry response
2000s: Traditional perimeter hacking | Port scanners, vuln scanners, buffer overflows, web app attacks, WiFi hacking, client/server backdoors | Firewalls, DMZs, patch management, secure coding, WPA, penetration testing
2010s: Endpoint is the new perimeter | Phishing, office macros, file format bugs, browser exploits, memory-resident implants, C2 frameworks | Endpoint hardening, EDR, SIEMs, red teaming, threat hunting
2020s: Cloud identities are the new perimeter | ??? | ???

Last year, Push Security released a matrix of SaaS attack techniques on GitHub (inspired by the more endpoint-focused MITRE ATT&CK Framework) that demonstrates how attackers can target a business without touching traditional

Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks. It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off “individually targeted attacks of such exceptional cost and complexity.” “Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global,” Apple said. “The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today.” The update marks a change in wording that previously said these “threat notifications” are designed to inform and assist users who may have been targeted by state-sponsored attackers. According to TechCrunch, Apple is said to have sent threat notifications to iPhone users in 92 countries at 12:00 p.m. PST on Wednesday, coinciding with the revision to the support page. It’s worth noting that Apple began sending threat notifications to warn users it believes have been targeted by state-sponsored attackers starting November 2021. However, the company also makes it a point to emphasize that it does not “attribute the attacks or resulting threat notifications” to any particular threat actor or geographical region. The development comes amid continued efforts by governments around the world to counter the misuse and proliferation of commercial spyware. Last month, the U.S. government said Finland, Germany, Ireland, Japan, Poland, and South Korea had joined an inaugural group of 11 countries working to develop safeguards against the abuse of invasive surveillance technology.
“Commercial spyware has been misused across the world by authoritarian regimes and in democracies […] without proper legal authorization, safeguards, or oversight,” the governments said in a joint statement. “The misuse of these tools presents significant and growing risks to our national security, including to the safety and security of our government personnel, information, and information systems.” According to a recent report published by Google’s Threat Analysis Group (TAG) and Mandiant, commercial surveillance vendors were behind the in-the-wild exploitation of a chunk of the 97 zero-day vulnerabilities discovered in 2023. All the vulnerabilities attributed to spyware companies targeted web browsers (particularly flaws in third-party libraries that affect more than one browser and substantially increase the attack surface) and mobile devices running Android and iOS. “Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” the tech giant said. “Threat actors are increasingly leveraging zero-days, often for the purposes of evasion and persistence, and we don’t expect this activity to decrease anytime soon.” Google also said that increased security investments in exploit mitigations are affecting the types of vulnerabilities threat actors can weaponize in their attacks, forcing them to bypass several security guardrails (e.g., Lockdown Mode and MiraclePtr) to infiltrate target devices. Content Credit: The Hacker News

Hacking Update 09/04/2024

End-of-Life (EOL) crisis hits again! D-Link advised retiring tens of thousands of internet-facing NAS devices, as they will no longer receive security updates or vendor support. A security bug in these devices allows attackers to execute arbitrary commands and trigger denial of service. In another bug-related headline, Cisco fixed a critical vulnerability in its Catalyst 6000 Series Switches, triggered by improper handling of process-switched traffic and potentially leading to denial of service. AI-themed fraud campaigns continue to proliferate as digital adversaries leverage ongoing technology trends. Most recently, victims were manipulated into joining fraudulent Facebook communities to download and run malicious executables posing as upcoming AI features and services.

Top Malware Reported in the Last 24 Hours

Malicious Facebook ads spread malware
A cybercrime group was spotted promoting fake AI services like Midjourney, OpenAI’s Sora, and ChatGPT-5, tricking users into downloading password-stealing malware. They do it through Facebook ads and hijacked profiles impersonating popular AI services that promise previews of new features. Information-stealing malware like Rilide, Vidar, IceRAT, and Nova targeted victims’ browsers to steal credentials, cryptocurrency wallets, and other sensitive data.

APT group launches malware campaign
The Vedalia APT group deployed a new malware campaign leveraging oversized LNK files to bypass traditional security measures and compromise targeted systems. Broadcom recently highlighted this evolution in the group’s tactics, revealing how the use of large LNK files with double extensions and excessive whitespace obscures malicious command lines, making detection challenging. The script embedded in these files executes PowerShell commands to evade detection and deliver payloads like CL.Downloader!gen20 and trojans.
Top Vulnerabilities Reported in the Last 24 Hours

EOL D-Link NAS models pose threats
A researcher known as Netsecfish disclosed a sensitive flaw, CVE-2024-3273, affecting multiple EOL D-Link NAS models, including DNS-340L, DNS-320L, DNS-327L, and DNS-325. The flaw enables arbitrary command injection and involves a hardcoded backdoor accessible via the nas_sharing.cgi URI. Exploitation could lead to unauthorized access, system configuration changes, or denial of service. Over 92,000 internet-facing devices were found at risk.

Cisco fixes high-severity issue in switches
Cisco resolved a high-severity vulnerability, tracked as CVE-2024-20276, in Cisco IOS Software for Catalyst 6000 Series Switches. The flaw, triggered by improper handling of process-switched traffic, could allow an unauthenticated, local attacker to force a device to reload, leading to a DoS condition. Affected products include Catalyst 6500 and 6800 Series Switches with specific supervisor engines.

Top Scams Reported in the Last 24 Hours

Social media platforms exploited for phishing
Threat actors were found abusing work-associated social media accounts in a new attack combining compromised accounts with a two-step phishing scheme. Attackers used deceptive messages from compromised accounts to lure victims into clicking malicious links disguised as legitimate OneDrive documents, leading to account takeovers and credential theft. Threat groups such as 3rr0r Hun73r used this tactic to steal both personal and corporate data.

Healthcare IT helpdesks targeted by social engineering hacks
The HHS alerted the HPH sector about adversaries attempting to enroll their own devices in MFA through IT helpdesk assistance, impersonating financial department employees. By using stolen ID verification details and feigning smartphone issues, they can gain access to corporate resources.
According to experts, this modus operandi shares similarities with that of the Scattered Spider threat group, known for ransomware attacks on prominent organizations. Content Credit: BleepingComputer, GB Hackers, Security Affairs, Cyware
