Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries

Major financial and insurance companies located in French-speaking nations in Africa have been targeted over the past two years as part of a persistent malicious campaign codenamed DangerousSavanna.
Countries targeted include Ivory Coast, Morocco, Cameroon, Senegal, and Togo, with the spear-phishing attacks heavily focusing on Ivory Coast in recent months, Israeli cybersecurity firm Check Point said in a Tuesday report.
Infection chains entail targeting employees of financial institutions with social engineering messages containing malicious attachments as a means of initial access, ultimately leading to the deployment of off-the-shelf malware such as Metasploit, PoshC2, DWservice, and AsyncRAT.
“The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations,” the company said.

The phishing emails are written in French and sent using Gmail and Hotmail services, even as the messages also impersonate other financial institutions in Africa to boost their credibility.
While attacks in 2021 leveraged macro-laced Microsoft Word documents as lures, Microsoft’s decision earlier this year to block macros by default in files downloaded from the internet has led the DangerousSavanna actors to pivot to PDF and ISO files.

Furthermore, the first wave of attacks from the end of 2020 to the beginning of 2021 involved the use of bespoke .NET-based tools, which came disguised as PDF files attached to phishing emails, to retrieve next-stage droppers and loaders from remote servers.
Regardless of the method used, post-exploitation activities carried out after obtaining an initial foothold include establishing persistence, performing reconnaissance, and delivering additional payloads to remotely control the host, kill anti-malware processes, and log keystrokes.
The exact provenance of the threat actor remains unclear, but the frequent shift in its tools and methods demonstrates its knowledge of open-source software and its ability to fine-tune its tactics to maximize financial gain.
“If one infection chain didn’t work out, they changed the attachment and the lure and tried targeting the same company again and again trying to find an entry point,” Check Point said. “With social engineering via spear-phishing, all it takes is one incautious click by an unsuspecting user.”


Chinese Hackers Target Government Officials in Europe, South America, and Middle East

A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX.
Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrating the adversary’s continued focus on espionage against governments around the world.
“PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering,” Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.
Bronze President is a China-based threat actor active since at least July 2018 and is assessed to be a likely state-sponsored group that leverages a mix of proprietary and publicly available tools to compromise and collect data from its targets.
It’s also publicly documented under other names such as HoneyMyte, Mustang Panda, Red Lich, and Temp.Hex. One of its primary tools of choice is PlugX, a remote access trojan that has been widely shared among Chinese adversarial collectives.
Earlier this year, the group was observed targeting Russian government officials with an updated version of the PlugX backdoor called Hodur, alongside entities located in Asia, the European Union, and the U.S.
Secureworks’ attribution of the latest campaign to Bronze President stems from the use of PlugX and politically-themed lure documents that align with regions that are of strategic importance to China.
Attack chains distribute RAR archive files containing a Windows shortcut (.LNK) file that masquerades as a PDF document; opening it executes a legitimate file present in a nested hidden folder embedded within the archive.
This then paves the way for dropping a decoy document, while the PlugX payload sets up persistence on the infected host.
“Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities,” the researchers said. “Organizations in geographic regions of interest to China should closely monitor this group’s activities, especially organizations associated with or operating as government agencies.”


Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group

Microsoft’s threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a “form of moonlighting” for personal gain.
The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it’s operated by a company that functions under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations.
“DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities,” Microsoft said.
“DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.”
The use of BitLocker and DiskCryptor by Iranian actors for opportunistic ransomware attacks came to light earlier this May, when Secureworks disclosed a set of intrusions mounted by a threat group it tracks under the name Cobalt Mirage with ties to Phosphorus (aka Cobalt Illusion) and TunnelVision.
DEV-0270 is known to scan the internet to find servers and devices susceptible to flaws in Microsoft Exchange Server, Fortinet FortiGate SSL-VPN, and Apache Log4j for obtaining initial access, followed by network reconnaissance and credential theft activities.
Persistent access to the compromised network is maintained via a scheduled task. DEV-0270 then escalates privileges to the system level, allowing it to conduct post-exploitation actions such as disabling Microsoft Defender Antivirus to evade detection, lateral movement, and file encryption.
“The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security,” Microsoft said. “They also install and masquerade their custom binaries as legitimate processes to hide their presence.”
In some of the successful infections, the group has been seen dropping a ransom note roughly two days after the initial compromise, and demanding $8,000 for the decryption keys. In one instance where the victim entity refused to pay, the actor opted to post the stolen data for sale.
Users are advised to prioritize patching of internet-facing Exchange servers to mitigate risk, restrict network appliances like Fortinet SSL-VPN devices from making arbitrary connections to the internet, enforce strong passwords, and maintain regular data backups.


Shopify Fails to Prevent Known Breached Passwords

A recent report revealed that ecommerce provider Shopify uses particularly weak password policies on the customer-facing portion of its website. According to the report, Shopify requires its customers to use a password that is at least five characters in length and that does not begin or end with a space.
Specops researchers analyzed a list of a billion passwords known to have been breached and found that 99.7% of those passwords adhere to Shopify’s requirements. While this is not meant to suggest that Shopify customers’ passwords have been breached, the fact that so many known breached passwords satisfy Shopify’s minimum password requirements does underscore the dangers associated with using weak passwords.
The danger of weak passwords in your Active Directory
A recent study by Hive Systems echoes the dangers of using weak passwords. The study examines the amount of time that would be required to brute force crack passwords of various lengths and with varying levels of complexity. According to Hive Systems’ infographic, a five-character password can be cracked instantaneously, regardless of complexity. Given the ease with which shorter passwords can be cracked using brute force, organizations should ideally require complex passwords that are at least 12 characters in length.
Even if you were to put aside the security implications associated with using a five-character password, there is a potentially bigger problem – regulatory compliance.
It’s tempting to think of regulatory compliance as the sort of thing that only large companies have to worry about. As such, many small, independent sellers who open Shopify accounts may be blissfully unaware of the regulatory requirements associated with doing so. However, the payment card industry requires any business that accepts credit card payments to adhere to the Official PCI Security Standards.
Avoiding the PCI requirements with a 3rd party payment system
One of the nice things about using Shopify or a similar ecommerce platform is that retailers do not have to operate their own payment card gateways. Instead, Shopify handles the processing of transactions on their customer’s behalf. This outsourcing of the payment process shields ecommerce business owners from many of the PCI requirements.
For example, PCI standards require merchants to protect stored card holder data. However, when an ecommerce business outsources its payment processing, it will not typically be in possession of customer’s credit card data. As such, the business owner can effectively avoid the requirement to protect cardholder data if they are never in possession of that data in the first place.
One PCI requirement that might be more problematic, however, is the requirement to identify and authenticate access to system components (Requirement 8). Although the PCI security standards do not specify a required password length, the PCI DSS Quick Reference Guide states on page 19 that “Every user should have a strong password for authentication.” Given this statement, it would be difficult for an ecommerce retailer to justify using a five-character password.
Start beefing up IT security internally
This, of course, raises the question of what ecommerce companies can be doing to improve their overall password security. Perhaps the most critical recommendation would be to recognize that the minimum password requirements associated with an ecommerce portal might be inadequate. From a security and compliance standpoint, it is usually advisable to use a password that is longer and more complex than what is minimally required.
Another thing that ecommerce retailers should do is to take a serious look at what can be done to improve password security on their own networks. This is especially true if any customer data is stored or processed on your network. According to a 2019 study, 60% of small companies close within 6 months of being hacked. As such, it is extremely important to do what you can to prevent a security incident and a big part of that involves making sure that your passwords are secure.
The Windows operating system contains account policy settings that can control password length and complexity requirements. While such controls are undeniably important, Specops Password Policy can help organizations to build even stronger password policies than what is possible using only the native tools that are built into Windows.
One of the most compelling capabilities offered by Specops Password Policy is its ability to compare the passwords used within an organization against a database of billions of passwords that are known to have been compromised. That way, if a user is found to be using a compromised password, the password can be changed before it becomes a problem.
Specops Password Policy also allows organizations to create a list of banned words or phrases that should not be included in passwords. For example, an administrator might create a policy to prevent users from using your company name as a part of their password.
Additionally, organizations can use Specops Password Policy to block techniques that users commonly use to skirt password complexity requirements. This might include using consecutive repeating characters (such as 99999) or replacing letters with similarly looking symbols (such as $ instead of s).
The bottom line is that Specops Password Policy can help your organization to create a password policy that is vastly more secure, thereby making it more difficult for cybercriminals to gain access to your user accounts. You can test out Specops Password Policy in your Active Directory for free, anytime.
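As an added illustration (not code from the article or from Specops), the following checker contrasts the five-character rule described above with the stronger controls the article recommends: a 12-character minimum, a banned-word list that still catches leet-speak substitutions, a block on consecutive repeated characters, and a lookup against a breached-password list. The breached list and the banned word are constructed sample data, not the real database.

```python
import hashlib
import re

# Constructed stand-in for a breached-password database (the real one holds
# billions of entries); stored as SHA-1 digests so plaintexts never sit in memory.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("12345", "password", "shopify2022!", "P@ssw0rd")
}

# Symbol-for-letter swaps users apply to dodge complexity rules (article's "$ for s").
# Mapping them back lets the banned-word check see "$hop1fy" as "shopify".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                      "3": "e", "!": "i", "5": "s", "7": "t"})


def meets_shopify_minimum(pw: str) -> bool:
    """The customer-facing rule from the report: >= 5 chars, no leading/trailing space."""
    return len(pw) >= 5 and pw == pw.strip(" ")


def policy_violations(pw: str, banned_words=("shopify",), min_len=12) -> list:
    """Stronger policy. Returns the rules the password fails; empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than 3 character classes")
    if re.search(r"(.)\1\1\1", pw):          # e.g. "99999"
        problems.append("4+ consecutive repeated characters")
    normalized = pw.lower().translate(LEET)   # undo leet-speak before matching
    for word in banned_words:
        if word in normalized:
            problems.append(f"contains banned word '{word}'")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("12345", "$hop1fy2022!!", "Correct-Horse-Battery-9"):
        print(candidate, meets_shopify_minimum(candidate), policy_violations(candidate))
```

Note that "12345" passes the five-character rule while failing three of the stronger checks at once, which is the gap the Specops figure describes.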


6 Top API Security Risks! Favored Targets for Attackers If Left Unmanaged

Security threats are always a concern when it comes to APIs. API security can be compared to driving a car. You must be cautious and review everything closely before releasing it into the world. By failing to do so, you’re putting yourself and others at risk.
API attacks are more dangerous than other breaches. Facebook had 50M user accounts affected by an API breach, and an API data breach at Hostinger exposed 14M customer records.
If a hacker gets into your API endpoints, it could spell disaster for your project. Depending on the industries and geographies you operate in, insecure APIs could get you into hot water. Especially in the EU, if you’re serving the banking sector, you could face massive legal and compliance problems if you’re discovered to be using insecure APIs.
To mitigate these risks, you need to be aware of the potential API vulnerabilities that cybercriminals can exploit.
6 Commonly Overlooked API Security Risks
#1 No API Visibility and Monitoring Means Risk
When you expand your use of cloud-based networks, the number of devices and APIs in use also increases. Unfortunately, this growth also leads to less visibility on what APIs you expose internally or externally.
Shadow, hidden, or deprecated APIs which fall out of your security team’s visibility create more opportunities for successful cyberattacks on unknown APIs, API parameters, and business logic. Traditional tools like API gateway lack the ability to offer a complete inventory of all APIs.
Must-have API visibility includes:

  • Centralized visibility as well as an inventory of all APIs
  • Detailed view of API traffic
  • Visibility of APIs transmitting sensitive information
  • Automatic API risk analysis with predefined criteria

#2 API Incompetence
Pay attention to your API calls to avoid passing duplicate or repeated requests to the API. When two deployed APIs try to use the same URL, their endpoints collide, causing repetitive and redundant API usage. To avoid this, each API should have its own unique, optimized URL.
#3 Service Availability Threats
Targeted DDoS attacks on APIs, with the help of botnets, can overload the CPU cycles and processor power of the API server by sending service calls with invalid requests, making it unavailable for legitimate traffic. DDoS API attacks target not only the servers where the APIs are running but also each API endpoint.
Rate limiting gives you confidence that you can keep your applications healthy, but a good response plan comes with multi-layer security solutions like AppTrana’s API protection. This accurate, fully managed API protection continuously monitors API traffic and instantly blocks malicious requests before they reach your server.
#4 Hesitating over API Utilization
As a B2B company, you often need to expose your internal API utilization numbers to teams outside the organization. This can be a great way to facilitate collaboration and allow others to access your data and services. However, it’s essential to carefully consider to whom you give your API access and what level of access they need. You don’t want to open your API too broadly and create security risks.
API calls need to be monitored closely when they’re shared between partners or customers. This helps ensure that everyone uses the API as intended and does not overload the system.
#5 API Injection
API injection is a term used to describe malicious code being injected through the API request. The injected command, when executed, can even delete the user’s entire site from the server. The primary reason APIs are vulnerable to this risk is that the API developer fails to sanitize the input before it reaches the API code.
This security loophole causes severe problems for users, including identity theft and data breaches, so it’s essential to be aware of the risk. Add input validation on the server side to prevent injection attacks, and make sure special characters in input are never executed as part of a command.
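An added example (not code from the article or from Indusface) of the two sides of the point above: a handler that pastes an API request parameter into its SQL, and the same handler hardened with server-side allowlist validation plus a parameterised query. The `orders` table, its rows and the `customer` parameter name are constructed for the illustration.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory store standing in for the API's backing database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1, "alice", 10.0), (2, "bob", 25.5), (3, "carol", 7.25)])
    return con


def orders_vulnerable(con: sqlite3.Connection, customer: str) -> list:
    """The anti-pattern the article describes: the request parameter becomes
    part of the SQL text, so a caller can rewrite the query's WHERE clause."""
    sql = f"SELECT id FROM orders WHERE customer = '{customer}'"
    return [row[0] for row in con.execute(sql)]


# Allowlist for the parameter: only what a customer identifier may legitimately
# contain. Anything else is rejected before it reaches the database layer.
CUSTOMER_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_customer(customer: str) -> bool:
    return CUSTOMER_RE.fullmatch(customer) is not None


def orders_hardened(con: sqlite3.Connection, customer: str) -> list:
    """Server-side validation plus a bound parameter: the value is passed to
    the driver as data and is never interpreted as SQL, whatever it contains."""
    if not is_valid_customer(customer):
        raise ValueError("invalid customer identifier")
    rows = con.execute("SELECT id FROM orders WHERE customer = ?", (customer,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print(orders_vulnerable(db, "alice"))        # only alice's order
    print(orders_vulnerable(db, "' OR '1'='1"))  # every customer's orders leak
    print(orders_hardened(db, "alice"))          # same legitimate result
```

Run standalone, the second call shows the whole table returned for a single request, while the hardened handler rejects the same input outright.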
#6 Attacks Against IoT Devices through APIs
The effective use of IoT depends on the level of API security management; without it, you will have a tough time keeping your IoT devices secure.
As time goes on and technology advances, hackers will always find new ways to exploit vulnerabilities in IoT products. While APIs enable powerful extensibility, they open new entry points for hackers to access sensitive data on your IoT devices. To avoid the many threats and challenges IoT devices face, APIs must be made more secure.
Therefore, you need to keep your IoT devices updated with the latest security patches to ensure they are protected against the latest threats.
Stop API Risk by Implementing WAAP
In today’s world, organizations are under constant threat of API attacks. With new vulnerabilities appearing every day, it’s essential to inspect all APIs for potential threats regularly. Web application security tools are insufficient to protect your business from such risks. For API protection to work, it needs to be fully dedicated to API security. WAAP (Web Application and API Protection) can be an effective solution in this regard.
Indusface WAAP is a solution to the ever-present problem of API security. It allows you to limit the data flow to what is necessary, preventing you from accidentally leaking or exposing sensitive information. Also, the holistic Web Application & API Protection (WAAP) platform comes with the trinity of behaviour analysis, security-centric monitoring, and API management to keep malicious actions on APIs at bay.
