U.S. Government Spending Billions on Cybersecurity

In recent months, the House of Representatives has been hard at work drafting various spending bills for the 2023 fiscal year. While these bills provide funding for a vast array of government programs and agencies, one thing really stands out: collectively, the bills making their way through the House allocate a staggering $15.6 billion to cybersecurity spending.
As you could probably guess, the lion’s share of this spending ($11.2 billion) is allocated to the Department of Defense. It is worth noting, however, that nearly $3 billion is going to the Cybersecurity and Infrastructure Security Agency (CISA).
Although it may be tempting to think of these cybersecurity budget allocations as just another example of excessive government spending, it’s worth considering what a $15.6 billion cash infusion will mean for the IT security industry. It’s equally important to consider why the US government finds it necessary to ramp up its cybersecurity spending to such a degree.
What Does Increased Government Cybersecurity Spending Mean for the Future?
So, what does all of this cybersecurity spending mean for the future? For starters, it means that 2023 is going to be a good year for cybersecurity companies that are authorized to sell their products to the government. Such companies will likely see record profits and may end up hiring additional staff in order to meet the sudden demand for their products and services.
More importantly, all this spending will almost certainly drive innovation. In the past (pre-cloud), security companies would generally release a new version of their products each year to keep up with an ever-changing security landscape. These new versions almost always contained new features that were designed to entice customers and to get a leg up on competitors (who would inevitably add a comparable feature to the next version of their own product).
Although the cloud era has forced security companies to change the way that they do things, the basic concepts from years past still apply. The main difference is that the cloud has given these companies the ability to release new features and capabilities much more rapidly than might have been possible in the past.
Investing in Cybersecurity Innovation
All of this is to say that innovation has always been an important part of the cybersecurity industry. Security companies have always invested resources into developing new tools and capabilities that will help them to stay ahead of cybercriminals and competitors alike.
With billions of dollars in government spending being poured into the security industry, we will almost certainly see security products and cloud services eventually take an exponential leap forward as a direct result of being able to invest more heavily in product development and security research.
This innovation will not be limited solely to security product vendors and cloud providers. Remember that CISA is going to be receiving $2.9 billion. CISA has historically provided cybersecurity guidance and recommendations to government agencies and to the private sector.
These recommendations are not pulled from thin air but are the product of research. The increased funding will allow CISA to engage in even more cybersecurity research, ultimately positioning it to produce better recommendations.
Why Is the Government Spending More on Cybersecurity?
The increased budget allocations for cybersecurity are most likely tied to a White House directive from March 21, 2022, stressing the need for increased cyber defenses. This directive follows a long line of high-profile security incidents, such as last year’s attack on the Colonial Pipeline, which caused fuel shortages along the East Coast.
It is worth noting that this statement was not directed exclusively at government agencies. The statement also encouraged private sector businesses to shore up their cybersecurity defenses in accordance with CISA guidelines.
Beef up your own cybersecurity initiatives, without the price tag
CISA offers numerous recommendations for how organizations can improve their overall cybersecurity, but many of these guidelines pertain to passwords.
If your organization isn’t quite ready to make such a hefty investment in cybersecurity, it’s a good idea to start with quantifiable metrics to see where your Active Directory is (or isn’t!) at risk. Gather your own organization-specific cybersecurity measurements with a free, read-only Password Audit from Specops.
This scan will generate reports demonstrating the effectiveness of your organization’s password policy and existing password security vulnerabilities. This free tool can also help you to identify other vulnerabilities, such as accounts that are using passwords that are known to have been leaked or passwords that do not adhere to compliance standards or industry best practices. Download the Specops Password Auditor for free today.


Researchers Warn of Large-Scale AiTM Attacks Targeting Enterprise Users

A new, large-scale phishing campaign has been observed using adversary-in-the-middle (AitM) techniques to get around security protections and compromise enterprise email accounts.
“It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication,” Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report. “The campaign is specifically designed to reach end users in enterprises that use Microsoft’s email services.”
Prominent targets include fintech, lending, insurance, energy, manufacturing, and federal credit union verticals located in the U.S., U.K., New Zealand, and Australia.
This is not the first time such a phishing attack has come to light. Last month, Microsoft disclosed that over 10,000 organizations had been targeted since September 2021 by means of AitM techniques to breach accounts secured with multi-factor authentication (MFA).
The ongoing campaign, under way since June 2022, commences with an invoice-themed email sent to targets containing an HTML attachment that has a phishing URL embedded within it.
Opening the attachment in a web browser redirects the recipient to a phishing page that masquerades as a Microsoft Office login page, but not before fingerprinting the recipient’s machine to determine whether the victim is actually the intended target.
What stands out here is the use of different methods, including open redirect pages hosted by Google Ads and Snapchat, to load the phishing page URL rather than embedding the rogue URL directly in the email.
AitM phishing attacks go beyond the traditional phishing approaches designed to plunder credentials from unwitting users, particularly in scenarios where MFA is enabled – a security barrier that prevents the attacker from logging into the account with only the stolen credentials.
To circumvent this, the rogue landing page, built with a phishing kit, functions as a proxy that captures and relays all communication between the client (i.e., the victim) and the email server.
“The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works,” the researchers said.
This also entails replacing all the links to the Microsoft domains with equivalent links to the phishing domain so as to ensure that the back-and-forth remains intact with the fraudulent website throughout the session.
Zscaler said it observed the attacker manually logging into the account eight minutes after the credential theft, following it up by reading emails and checking the user’s profile information.
What’s more, in some instances, the hacked email inboxes are subsequently used to send additional phishing emails as part of the same campaign to conduct business email compromise (BEC) scams.
“Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks,” the researchers noted.
“With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions.”
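The lure mechanics described above (a phishing URL hidden behind open redirectors inside an HTML attachment) can be triaged at the mail gateway before a user ever opens the file. The following is an added example, not code from the Zscaler report: it extracts every URL from an HTML attachment, flags URLs that carry a second URL in their query string, unwraps them to the real destination, and checks whether a Microsoft sign-in lure actually lands on a Microsoft host. The attachment, its domains and the trusted-host list are constructed assumptions for this example.

```python
"""Mail-gateway triage of an HTML attachment for the redirector-based lure above."""
import re
from html import unescape
from typing import Optional
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Hosts a genuine Microsoft 365 sign-in is expected to stay on (assumption;
# adapt to your tenant).
TRUSTED_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "microsoft.com")

# Constructed sample attachment: the phishing page sits behind two different
# redirectors instead of being linked directly. All domains are invented.
SAMPLE_ATTACHMENT = """<html><body>
<p>Your invoice is ready:
<a href="https://ads.example/aclk?adurl=https%3A%2F%2Flogin-0ffice.example%2Fauth">View invoice</a></p>
<script>window.location = "https://redir.example/go?u=https%3A%2F%2Flogin-0ffice.example%2Fauth&x=1";</script>
</body></html>"""

def extract_urls(html: str) -> list:
    """Absolute URLs in markup and scripts, with HTML entities decoded."""
    return [unescape(u).rstrip(").;,") for u in URL_RE.findall(html)]

def nested_url(url: str) -> Optional[str]:
    """First absolute URL carried in the query string (parse_qs percent-decodes it)."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None

def final_destination(url: str) -> str:
    """Unwrap nested redirect parameters until no inner URL remains."""
    seen = set()
    while url not in seen:  # guard against self-referencing redirectors
        seen.add(url)
        inner = nested_url(url)
        if inner is None:
            break
        url = inner
    return url

def is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)

def triage(html: str) -> list:
    """One finding per URL: is it a redirector, and where does it really land?"""
    findings = []
    for url in extract_urls(html):
        dest = final_destination(url)
        host = urlparse(dest).hostname or ""
        findings.append({"url": url, "open_redirect": nested_url(url) is not None,
                         "destination_host": host, "trusted_destination": is_trusted_host(host)})
    return findings
```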


Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out their “complex multi-step attack flow” and an improved mechanism for evading security analysis.
Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent.
Toll fraud malware also differs from other fleeceware threats in that its malicious functions are only carried out when a compromised device is connected to one of its target network operators.
“It also, by default, uses cellular connection for its activities and forces devices to connect to the mobile network even if a Wi-Fi connection is available,” Dimitrios Valsamaras and Sang Shin Jung of the Microsoft 365 Defender Research Team said in an exhaustive analysis.
“Once the connection to a target network is confirmed, it stealthily initiates a fraudulent subscription and confirms it without the user’s consent, in some cases even intercepting the one-time password (OTP) to do so.”
Such apps are also known to suppress SMS notifications related to the subscription to prevent the victims from becoming aware of the fraudulent transaction and unsubscribing from the service.
At its core, toll fraud takes advantage of the payment method which enables consumers to subscribe to paid services from websites that support the Wireless Application Protocol (WAP). This subscription fee gets charged directly to the users’ mobile phone bills, thus obviating the need for setting up a credit or debit card or entering a username and password.
“If the user connects to the internet through mobile data, the mobile network operator can identify him/her by IP address,” Kaspersky noted in a 2017 report about WAP billing trojan clickers. “Mobile network operators charge users only if they are successfully identified.”
Optionally, some providers can also require OTPs as a second layer of confirmation of the subscription prior to activating the service.
“In the case of toll fraud, the malware performs the subscription on behalf of the user in a way that the overall process isn’t perceivable,” the researchers said. “The malware will communicate with a [command-and-control] server to retrieve a list of offered services.”
It achieves this by first turning off Wi-Fi and turning on mobile data, followed by making use of JavaScript to stealthily subscribe to the service, and intercepting and sending the OTP code (if applicable) to complete the process.
The JavaScript code, for its part, is designed to click on HTML elements that contain keywords such as “confirm,” “click,” and “continue” to programmatically initiate the subscription.
Upon a successful fraudulent subscription, the malware either conceals the subscription notification messages or abuses its SMS permissions to delete incoming text messages containing information about the subscribed service from the mobile network operator.
Toll fraud malware is also known to cloak its malicious behavior by means of dynamic code loading, a feature in Android that allows apps to pull additional modules from a remote server during runtime, making it ripe for abuse by malicious actors.
From a security standpoint, this also means that a malware author can fashion an app such that the rogue functionality is only loaded when certain prerequisites are met, effectively defeating static code analysis checks.
“If an app allows dynamic code loading and the dynamically loaded code is extracting text messages, it will be classified as a backdoor malware,” Google lays out in its developer documentation about potentially harmful applications (PHAs).
With an install rate of 0.022%, toll fraud apps accounted for 34.8% of all PHAs installed from the Android app marketplace in the first quarter of 2022, ranking second behind spyware. Most of the installations originated from India, Russia, Mexico, Indonesia, and Turkey.
To mitigate the threat of toll fraud malware, it’s recommended that users install applications only from the Google Play Store or other trusted sources, avoid granting excessive permissions to apps, and consider upgrading to a new device should it stop receiving software updates.
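The capabilities the article walks through (forcing the device onto mobile data, reading or suppressing SMS for OTP capture, and loading code at runtime) each map to permissions and code markers that an analyst can check statically before an app ever reaches a target network. The following is an added example, not Microsoft's tooling: it reads a decoded AndroidManifest.xml plus strings extracted from the app's code and reports which of those building blocks are present. The manifest, the string list and the marker lists are constructed for this example and are heuristics, not a verdict.

```python
"""Static triage for the toll-fraud building blocks described above (heuristic)."""
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Android permissions that grant each capability the article describes.
PERMISSION_SETS = {
    "force_cellular": {"android.permission.CHANGE_WIFI_STATE",
                       "android.permission.CHANGE_NETWORK_STATE"},
    "sms_access": {"android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS"},
}
# Class names / API strings in the app's code for the remaining behaviours
# (marker lists are this example's assumption, not an exhaustive signature).
CODE_MARKERS = {
    "dynamic_code_loading": ("dalvik/system/DexClassLoader",
                             "dalvik/system/InMemoryDexClassLoader"),
    "sms_suppression": ("abortBroadcast", "content://sms"),
}

# Constructed sample: a "wallpaper" app asking for SMS and network-switch rights.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
</manifest>"""

# Constructed strings as a DEX string-table dump would show them.
SAMPLE_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "content://sms",
    "abortBroadcast",
    "https://c2.constructed.example/services",  # placeholder, not a real server
]

def permissions(manifest_xml: str) -> set:
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}

def assess(manifest_xml: str, code_strings) -> dict:
    """Per-capability booleans plus the combined pattern from the article."""
    perms = permissions(manifest_xml)
    caps = {name: bool(perms & needed) for name, needed in PERMISSION_SETS.items()}
    for name, markers in CODE_MARKERS.items():
        caps[name] = any(m in s for s in code_strings for m in markers)
    # Any single item is common in benign apps; the combination is the signal.
    caps["toll_fraud_pattern"] = (caps["force_cellular"] and caps["sms_access"]
                                  and (caps["dynamic_code_loading"] or caps["sms_suppression"]))
    return caps
```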


SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities

The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that’s being used in phishing attacks against Pakistani public and private sector entities.
“Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang,” Singapore-headquartered cybersecurity company Group-IB said in a Wednesday report.
SideWinder, also tracked under the monikers Hardcore Nationalist, Rattlesnake, Razor Tiger, and T-APT-04, has been active since at least 2012 with a primary focus on Pakistan and other Central Asian countries like Afghanistan, Bangladesh, Nepal, Singapore, and Sri Lanka.
Last month, Kaspersky attributed to this group over 1,000 cyber attacks that took place in the past two years, while calling out its persistence and sophisticated obfuscation techniques.
The threat actor’s modus operandi involves the use of spear-phishing emails to distribute malicious ZIP archives containing RTF or LNK files, which download an HTML Application (HTA) payload from a remote server.
This is achieved by embedding fraudulent links that are designed to mimic legitimate notifications and services of government agencies and organizations in Pakistan, with the group also setting up lookalike websites posing as government portals to harvest user credentials.
The custom tool identified by Group-IB, dubbed SideWinder.AntiBot.Script, acts as a traffic direction system diverting Pakistani users clicking on the phishing links to rogue domains.
Should a user whose client IP address is outside Pakistan click on the link, the AntiBot script redirects them to an authentic document hosted on a legitimate server, indicating an attempt to geofence its targets.
“The script checks the client browser environment and, based on several parameters, decides whether to issue a malicious file or redirect to a legitimate resource,” the researchers said.
Of special mention is a phishing link that downloads a VPN application called Secure VPN (“com.securedata.vpn”) from the official Google Play store in an attempt to impersonate the legitimate Secure VPN app (“com.securevpn.securevpn”).
While the exact purpose of the fake VPN app remains unclear, this is not the first time SideWinder has sneaked past Google Play Store protections to publish rogue apps under the pretext of utility software.
In January 2020, Trend Micro detailed three malicious apps that were disguised as photography and file manager tools that leveraged a security flaw in Android (CVE-2019-2215) to gain root privileges as well as abuse accessibility service permissions to harvest sensitive information.


Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices

Network security solutions provider Fortinet confirmed that a malicious actor had disclosed, without authorization, VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.
“These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,” the company said in a statement on Wednesday.
The disclosure comes after the threat actor leaked a list of Fortinet credentials for free on RAMP, a new Russian-speaking forum that launched in July 2021, as well as on Groove ransomware’s data leak site. Advanced Intel noted that the “breach list contains raw access to the top companies” across 74 countries, including India, Taiwan, Italy, France, and Israel. “2,959 out of 22,500 victims are U.S. entities,” the researchers said.

CVE-2018-13379 relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.
Although the bug was rectified in May 2019, the security weakness has been repeatedly exploited by multiple adversaries to deploy an array of malicious payloads on unpatched devices, prompting Fortinet to issue a series of advisories in August 2019, July 2020, April 2021, and again in June 2021, urging customers to upgrade affected appliances.

CVE-2018-13379 also emerged as one of the top most exploited flaws in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.
In light of the leak, Fortinet recommends that companies immediately disable all VPNs, upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, and then initiate an organization-wide password reset, warning that “you may remain vulnerable post-upgrade if your users’ credentials were previously compromised.”
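Because the fix for CVE-2018-13379 exists on four separate release branches, a flat "newer than 6.2.8" comparison gets the answer wrong in both directions (6.0.12 is fixed, 6.2.7 is not), and a patched device still needs a password reset if credentials were captured before the upgrade. The following is an added example, not Fortinet's tooling: it checks a reported FortiOS version against the per-branch fixed releases the advisory lists and returns the required action for each device. The inventory is constructed sample data, and branches outside the four listed are reported as unknown rather than assumed safe.

```python
"""Branch-aware FortiOS version check against the fixed releases listed above."""
from typing import Optional, Tuple

# First fixed release on each affected branch, as given in Fortinet's advisory.
FIXED_PER_BRANCH = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 14),
    (6, 0): (6, 0, 11),
    (6, 2): (6, 2, 8),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Accepts '6.0.11' or a 'v6.0.11,build0000' form; the build suffix is ignored."""
    core = text.strip().split(",")[0].lstrip("v")
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]

def is_patched(version: str) -> Optional[bool]:
    """True/False on the four affected branches; None for any other branch."""
    v = parse_version(version)
    fixed = FIXED_PER_BRANCH.get(v[:2])
    return None if fixed is None else v >= fixed

def required_action(version: str, passwords_reset_after_patch: bool) -> str:
    """Upgrade state alone is not enough: credentials may predate the patch."""
    patched = is_patched(version)
    if patched is None:
        return "verify branch against the advisory manually"
    if not patched:
        return "disable the VPN, upgrade, then reset all VPN user passwords"
    if not passwords_reset_after_patch:
        return "reset all VPN user passwords (credentials may predate the patch)"
    return "no action"

# Constructed inventory: (hostname, reported version, passwords reset after patch?)
SAMPLE_INVENTORY = [
    ("fw-branch-01", "v6.0.12,build0000", False),
    ("fw-branch-02", "6.2.7", False),
    ("fw-hq-01", "6.2.8", True),
    ("fw-lab-01", "7.0.1", False),
]

def triage(inventory) -> list:
    """(hostname, version, action) for every device in the inventory."""
    return [(host, ver, required_action(ver, reset)) for host, ver, reset in inventory]
```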
