is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.


GoDaddy admits to password breach: check your Managed WordPress site!

Sophos Naked Security - 23 November, 2021 - 20:35
GoDaddy found crooks in its network, and kicked them out - but not before they'd been in there for six weeks.

A TikTok user accidentally swallowed an Apple AirPods earbud. It did not lose signal while passing through - security - 23 November, 2021 - 18:45
Apple AirPods wireless earbuds are ever more widespread, smaller and last longer on a battery charge. People can thus be seen wearing them for ever longer periods, which brings new dangers. Two years ago we reported on a young man who swallowed one AirPods earbud in his sleep, and now ...
Category: Hacking & Security

How to Defend Against Mobile App Impersonation

Threatpost - 23 November, 2021 - 15:00
Despite tight security measures by Google/Apple, cybercriminals still find ways to bypass fake app checks to plant malware on mobile devices. Dave Stewart, CEO of Approov, discusses technical approaches to defense against this.
Category: Hacking & Security

Anatomy of a scam. What happens when you fall for a fraudulent e-mail and click the "Czech Post" link - security - 23 November, 2021 - 14:45
An interesting message arrived in the junk mail folder. Czech Post supposedly cannot deliver a parcel because postage still needs to be paid. If you look at the details in the following image, you will certainly notice various warning signs indicating that the sender was someone else. Even so, it is ...
Category: Hacking & Security

Common Cloud Misconfigurations Exploited in Minutes, Report

Threatpost - 23 November, 2021 - 13:59
Opportunistic attackers instantly exploited insecurely exposed services deployed in honeypots by Unit 42 researchers, demonstrating the immediate danger of these typical mistakes.
Category: Hacking & Security

What Avengers Movies Can Teach Us About Cybersecurity

The Hacker News - 23 November, 2021 - 13:26
Marvel has been entertaining us for the last 20 years. We have seen gods, super-soldiers, magicians, and other irradiated heroes fight baddies at galactic scales. The eternal fight of good versus evil. A little bit like in cybersecurity, good guys fighting cybercriminals. If we choose to go with this fun analogy, is there anything useful we can learn from those movies? World-ending baddies
Category: Hacking & Security

Linux Kernel 5.14 Reached End of Life, Users Urged to Upgrade to Linux 5.15 LTS - 23 November, 2021 - 13:00
The time has come to say goodbye to another Linux kernel series, Linux 5.14, which is now end-of-life and won't receive further updates, so it's time to upgrade to a newer kernel branch.
Category: Hacking & Security

Stealthier Version of BrazKing Android Malware Spotted in the Wild

The Hacker News - 23 November, 2021 - 12:23
Banking apps from Brazil are being targeted by a more elusive and stealthier version of an Android remote access trojan (RAT) that's capable of carrying out financial fraud attacks by stealing two-factor authentication (2FA) codes and initiating rogue transactions from infected devices to transfer money from victims' accounts to an account operated by the threat actor. IBM X-Force dubbed the
Category: Hacking & Security

The Importance of IT Security in Your Merger Acquisition

The Hacker News - 23 November, 2021 - 11:34
In the business world, mergers and acquisitions are commonplace as businesses combine, acquire, and enter various partnerships. Mergers and Acquisitions (M&A) are filled with often very complicated and complex processes to merge business processes, management, and a whole slew of other aspects of combining two businesses into a single logical entity. In the modern business world before and after
Category: Hacking & Security

Threats to ICS and industrial enterprises in 2022

Kaspersky Securelist - 23 November, 2021 - 11:00

Continuing trends

In recent years, we have observed various trends in the changing threat landscape for industrial enterprises, most of which have been evolving for some time. We can say with high confidence that many of these trends will not only continue, but gain new traction in the coming year.

Further evolution of cyberthreats as a response to infosec tools and measures

Improved corporate cybersecurity and the introduction of ever more tools and protection measures are causing cyberthreats to evolve. Here are some of the evolution areas worth paying attention to:

  • Reduced number of targets per individual attack

    Individual attacks as part of cybercriminal campaigns are already targeting ever fewer victims. For instance, we see a new trend emerging in the criminal ecosystem of spyware-based authentication data theft, with each individual attack being directed at a very small number of targets (from single digits to several dozen). The trend is snowballing so rapidly that in some regions of the world up to 20% of all ICS computers on which we block spyware are attacked using this tactic. Such attacks are likely to comprise an even larger portion of the threat landscape next year. And the tactic is likely to spread to other types of threats as well.

  • Reducing the life cycle of malware

    To avoid detection, more and more cybercriminals are adopting the strategy of frequently upgrading malware in their chosen family. They use malware at its peak effectiveness to break through the defenses of security solutions, and then switch to a new build as soon as the current one becomes readily detectable. For some types of threats (for example, spyware again), the lifetime of each build is shortening, and in many cases does not exceed 3–4 weeks (often even less). The evolution of modern MaaS platforms makes it much easier for malware operators globally to use this strategy. Next year we are sure to encounter it even more frequently in various threat scenarios. Combined with the downward trend in the number of victims per individual attack, the widespread use of this strategy will lead to an even greater variety of malware, thus posing a major challenge for security solution developers.

  • Modern APTs: now more persistent than advanced

    To some extent, a similar trend can be traced in the tactics of many APTs. The “P” quality (persistent) in the abbreviation APT has become less dependent on “A” (advanced). We have long seen how a persistent presence in the victim’s infrastructure is maintained through the doggedness and diligence of the operators, and that expanding and regularly upgrading the toolkit is becoming an alternative to finding new technical solutions and developing costly complex frameworks designed to remain undetected for as long as possible. In all likelihood, this strategy will be traced increasingly often in APT campaigns.

  • Minimizing the use of malicious infrastructure

    In the fight against protection tools, attackers naturally seek to reduce the detectable malicious footprint of their actions. This is particularly reflected in attempts to minimize the use of malicious infrastructure. For example, we observed how C&C servers in some APTs had a very short lifespan, operating for no more than a couple of hours during the attack phase for which they were intended.

    And sometimes attackers manage to refrain from using not only any malicious, but also suspicious and untrusted infrastructure. For example, a popular tactic in spyware attacks is now to send phishing e-mails from compromised corporate mail accounts of a partner organization of the intended victim. In this case, well-crafted messages are practically indistinguishable from legitimate ones and virtually undetectable with automated tools.

    In our investigations of APT-related incidents at industrial enterprises, we have come across traces of how attackers, in parallel to the main thrust of the attack, have simultaneously tried to gain access from the infrastructure of a compromised industrial facility to other organizations or resources of the parent company, government agencies and the like; most likely in the hope that such attempts will go unnoticed.

    There is no doubt that the coming year will see more frequent use of such tactics by attackers in various categories.

Actions of various attacker categories

The debate about which threats pose the most danger to industrial enterprises often revolves around comparisons between APTs and cybercrime. And plans to improve information security and introduce new protection tools and measures are predicated, in some way, on the chosen adversary model. At the same time, bear in mind that perceptions of the interests, capabilities and modus operandi of some categories of attackers can become outdated, and therefore require constant refreshing. Let’s look at the relevant trends that are likely to continue or intensify next year.

  • APT and cybercriminal techniques, tactics and even strategies are becoming increasingly alike and may require similar security measures

    Indeed, many APT and cybercriminal operations are sometimes difficult to distinguish, even for experts. For example,

    • Technically flawed APTs and “sophisticated” cybercriminal attacks no longer surprise anyone. In particular, we have seen more than a few poorly crafted phishing e-mails full of clearly visible blunders in campaigns associated with well-known APTs. And we have frequently come across near-flawless e-mails in targeted cybercriminal campaigns.
    • Similarly, APTs masquerading as cybercrime, and attacks by cybercriminals pretending to be an APT, have lost their wow factor.
    • Without a doubt, we will see in the APT arsenal the continued use not only of commercial tools, but of MaaS infrastructure and delivery methods as a means of initial penetration.
  • APT and cybercriminal lists of targets and potential victims can often include the same organizations

    Of the many industrial companies out there, APTs are likely to focus on:

    • The military-industrial complex and aerospace industry — most likely for military and technological espionage purposes
    • Energy, transport and utilities — in an attempt to gain a foothold in the critical infrastructure of a “potential adversary” just in case, and to use it to develop other attacks (see examples above)
    • Knowledge-based industries — primarily for industrial espionage purposes

    Cybercriminals will continue to attack everyone they can reach, and in the vast majority of cases will monetize attacks using the same tried-and-tested methods:

    • Direct theft of funds by substituting bank details — through BEC tactics or access to the organization’s financial systems
    • Extortion and ransomwaring of those able and willing to pay up
    • Reselling of stolen information to fellow cybercriminals, competitors of the victim and other interested parties
  • The direct financial harm caused by cybercrime is larger, but the damage from APTs is harder to predict and may be greater in the long term

    Judging by the events of the past year, in terms of direct financial harm, the actions of cybercriminals might seem far more significant to industrial organizations than APTs. In 2021, for instance, we have seen many industries brought to a standstill and tens of millions of dollars paid out to ransomwarers. Meanwhile, there has been only one known case of significant financial damage from an APT over the entire year — and that happened when the attackers decided to masquerade as extortionists.

    That said, APT attacks can have a delayed negative effect that is very difficult to assess in advance (for example, years later a rival company might create a new product based on stolen data).

  • Don’t forget about cyberhooligans and hacktivists

    In 2021, cyberhooligans and hacktivists made global headlines on at least three occasions, demonstrating that vital industrial infrastructure is often poorly protected and ripe for the picking. The question of whether everything possible has been done to prevent such cases next year, we invite readers to ponder for themselves.

  • Extortion

    As for perhaps the main trend of the outgoing year, despite the rhetoric of politicians and the frenzied actions of governments, the flywheel of extortion is spinning and cannot easily be stopped. The attacks are set to continue, including on industrial enterprises. Cybercriminals will protect themselves better and hedge the risks. The additional outlays will naturally be covered by victims, in the form of higher ransoms.

Current attack vectors

The following cybercriminal tactics and techniques will no doubt be used actively in the coming year.

  • Phishing is the top initial penetration tool for targeted (and not-so-targeted) attacks. As shown by the past year:
    • Even bad phishing, we are sorry to say, works pretty well. Train your employees to read all incoming mail with a critical eye. Spelling and grammar mistakes, poor phrasing, incorrect names of companies and officials, strange topics and unusual requests are all signs of poorly executed phishing. Any employee, even without IT security expertise, can recognize them.
    • High-quality spear phishing, regrettably, is almost guaranteed to work. In every company, there is bound to be someone who blindly opens an attachment, follows a link, clicks a button or even makes contact with the attackers and unwittingly helps them to launch a malicious payload in the system.
    • Cybercriminals of various stripes have mastered the art of spear phishing without using malicious infrastructure and of phishing using only trusted infrastructure (as covered above). Moreover, the latter is the most dangerous and hard-to-detect method. Unfortunately, it will doubtless claim many victims in the year to come.
  • Known vulnerabilities in internet-facing hardware are also sure to remain a popular penetration vector. Update firewalls and SSL VPN gateways in good time.
  • Zero-day vulnerabilities in OS components and popular IT products will remain a relatively rare tool in advanced APTs, while unknown security holes in less common (and therefore probably less-well tested) products will be actively exploited by cybercriminals.
  • Compromise of domain name registrars and certification authorities, attacks on suppliers

    Regarding these “advanced” tactics, last year we again saw compromise attacks on domain name registrars (access to the victim’s web control panel at the bare minimum) and certification authorities, as well as new attack scenarios aimed at suppliers. Such threats have the potential to go undetected for a long time, allowing attackers to carry out sustained operations. Those of them who can afford such vectors will certainly not abandon them.

    So, when planning protection means and measures for the coming year, keep an eye on the security not only of your own infrastructure, but of third-party services you use. When choosing suppliers of products for your IT/OT systems, stamp your own cybersecurity requirements on both the products and the suppliers themselves. And when collaborating with business partners, be aware of the threats that their security weaknesses could pose to you.

Building on the success of 2021

Cybercriminals have definitely made significant strides in 2021: the list of high-profile ransomware attacks on industrial enterprises this year is probably longer than for all previous years combined. APT campaigns targeting industrial organizations have also been keeping researchers very busy.

Note that many of the achievements of cybercriminals this year will be used as a stepping stone into the next.

  • Stolen data and compromised IT systems

    According to our telemetry and analysis of information found on the dark web, cybercriminals in 2021 compromised at least thousands of industrial organizations worldwide. We think that their total number vastly exceeds the number of organizations hit by ransomware or targeted by APTs. Some of those compromised might get lucky and simply fall off the cybercriminal radar. But not all. And for some companies, the consequences of a security compromise in 2021 will catch up with them only in 2022.

  • Threats to OT

    Disturbingly, we also found signs of compromise in many organizations on computers directly related to ICS. So the damage in some cases may not be limited to encryption of IT systems and data theft in the office network.

  • P stands for perseverance

    As noted above, the letter P in the abbreviation APT should be understood not only as persistent (as in continuous), but also in the sense of persevering (as in relentless). So organizations that have already been attacked should be on their guard: it is very likely (with some APTs, even “certain”) that they will be targeted again, possibly more than once.

The dangers of “connected” healthcare: predictions for 2022

Kaspersky Securelist - 23 November, 2021 - 11:00

For a second consecutive year, the time for Kaspersky to make its predictions for the healthcare sector comes amid the global COVID-19 pandemic. Unfortunately, the virus still dominates most aspects of our lives, and, of course, the pandemic remained the biggest and most-discussed topic in medicine.

Part of our predictions last year were based on the assumption that in 2021, the pandemic will continue for at least a few months and, because this assumption turned out to be accurate, so did many of our predictions.

As we predicted, there was a significant increase in the number and size of medical data leaks. A 2021 report by Constella Intelligence found that the number of personal data leaks in healthcare grew by half when compared to 2019. Several factors contributed to that. First, the digitization of healthcare has significantly increased over these past couple of years, and thus, because there was more data to leak, the volume of these leaks increased. Second, cybercriminals had already started paying more attention to the industry, and they certainly lost none of their interest in 2021. As we predicted, they continued to use the medical theme as bait and, as a result, their victims were often medical professionals.

The beginning of the mass vaccination campaign also led to many fraudulent scams. After the first vaccines appeared on the Internet – and especially dark web forums – a busy trade in vaccines began online, with no one being able to verify the authenticity of the vaccines being sold. Nevertheless, these scammers found buyers wishing to obtain vaccines as quickly as possible. Later, offers for fake vaccination certificates and various QR codes appeared, which were bought by users who wanted to evade the restrictions imposed on those who were unvaccinated.

Our prediction that hacking attacks against vaccine developers would ramp up did not come true. The main instances of these attacks occurred at the end of 2020. Most vaccines appeared on the market shortly afterwards and, by all appearances, it seemed as if it was no longer necessary or worthwhile to meddle in the process of their development or to steal confidential information.

Ransomware groups continued to attack medical organizations. In September, new research was published indicating that this type of attack has led to an increase in patient mortality, as well as delayed test results, and delays in providing treatment and discharging patients from hospitals. In fact, in the fall, a story of a death caused, not in a statistical sense but rather directly, by a ransomware attack on a medical institution caught the media’s attention. As a result of a ransomware attack, an infant in a US hospital died after the doctors could not provide adequate treatment due to frozen computers. Unfortunately, despite the best efforts by medical institutions and information security companies, the healthcare industry remains insufficiently protected and vulnerable to attacks of this kind.

Predictions for the year 2022
  • Telemedicine will continue evolving. This means more applications for doctor consultations and patient health monitoring will appear, and cybercriminals will have the opportunity to discover security holes in a whole slew of new applications created by developers who have never made this kind of product before. What is more, malicious counterfeits of telehealth apps will most likely appear in app stores: fake apps that will imitate the real thing and promise to deliver the same functionality.
  • Demand for fake digital medical documents will increase, as will supply. The more privileges are given to those with a COVID passport, the more people will be interested in buying one instead of getting vaccinated or tested.
  • The sensitivity of the medical data found in leaks will grow. The data contained in medical records is, by itself, highly sensitive. However, digitization possibilities for medical equipment are growing, and providers are more frequently using wearable devices or even sensors implanted in the human body to collect even more sensitive data that is not necessarily of a medical nature. These devices may, for example, provide details of the person’s movements.
  • The medical theme will forever be a popular one for use as bait in cybercrime schemes. Since the beginning of the pandemic, an increasing number of medical services have moved online either partly or in full, so patients now watch for notifications about test results and messages from doctors. Therefore, a message spoofed as an important “medical” notification can be just as successful in catching victims off their guard as fake messages from banks.
  • The growth in the number of data leaks and ransomware attacks on medical organizations makes clear, among other things, a lack of information security awareness among healthcare employees. If the year 2022 does not see a wide-scale training process – and none is expected at the moment – we will witness a continued increase in these types of attacks.

Privacy predictions 2022

Kaspersky Securelist - 23 November, 2021 - 11:00

We no longer rely on the Internet just for entertainment or chatting with friends. Global connectivity underpins the most basic functions of our society, such as logistics, government services and banking. Consumers connect to businesses via instant messengers and order food delivery instead of going to brick-and-mortar shops, scientific conferences take place on virtual conferencing platforms, and remote work is the new normal in an increasing number of industries.

All these processes have consequences for privacy. Businesses want better visibility into the online activity of their clients to improve their services, as well as more rigorous know-your-customer procedures to prevent fraud. Governments in many countries push for easier identification of Internet users to fight cybercrime, as well as “traditional” crime coordinated online. Citizens, for their part, are increasingly concerned with surveillance capitalism, a lack of anonymity and dependence on online services.

Reflecting on the previous installment of the privacy predictions, we see that most of them indeed have been big trends this year. Most of all, privacy-preserving technologies were among the most discussed tech topics, even if opinions on some of the implementations, e.g. NeuralHash or Federated Learning of Cohorts, were mixed. Nevertheless, things like on-device sound processing for Siri and Private Compute Core in Android are big steps towards user privacy. We have also seen many new private services, with many privacy-focused companies taking their first steps towards monetization, as well as a bigger push for privacy – both in technology and in marketing – on both iOS and Android. Facebook (now Meta) moved towards more privacy for its users as well, providing end-to-end encrypted backups in WhatsApp and removing the facial recognition system in its entirety from Facebook.
While we hope 2022 will be the last pandemic year, we do not think the privacy trends will reverse. What will be the consequences of these processes? Here, we present some of our ideas about what key forces will shape the privacy landscape in 2022.

  1. BigTech will give people more tools to control their privacy – to an extent.

    As companies have to comply with stricter and more diverse privacy regulations worldwide, they are giving users more tools for controlling their privacy as they use their services. With more knobs and buttons, experienced users might be able to set up their privacy to the extent that suits their needs. As for less computer-savvy folk, do not expect privacy by default: even when legally obliged to provide privacy by default, enterprises whose bottom line depends on data collection will continue to find loopholes to trick people into choosing less private settings.

  2. Governments are wary of the growing big tech power and data hoarding, which will lead to conflicts – and compromises.

    With governments building their own digital infrastructures to allow both simpler and wider access to government services and, hopefully, more transparency and accountability, as well as deeper insights into the population and more control over it, it is not surprising they will show more interest in the data about their citizens that flows through big commercial ecosystems. This will lead to more regulation, such as privacy laws, data localization laws and more regulation on what data and when are accessible to law enforcement. The Apple CSAM scanning privacy conundrum shows exactly how difficult it can be to find the balance between encryption and user privacy on the one side and pinpointing criminal behavior on the other.

  3. Machine learning is great, but we are going to hear more about machine unlearning.

    Modern machine learning often entails training huge neural networks with astounding numbers of parameters (while this is not entirely correct, one can think of these parameters as neurons in the brain), sometimes on the order of billions. Thanks to this, neural networks not only learn simple relationships, but also memorize entire chunks of data, which can lead to leaks of private data and copyrighted materials, or recitations of social biases. Moreover, this leads to an interesting legal question: if a machine learning model was trained using my data, can I, for example, under GDPR, demand to remove all influence that my data had on the model? If the answer is yes, what does it mean for data-driven industries? A simple answer is that a company would have to retrain the model from scratch, which sometimes can be costly. This is why we expect more interesting developments, both in technologies that prevent memorization (such as differentially private training) and those that enable researchers to remove data from already trained systems (machine unlearning).

  4. People and regulators will demand more algorithmic transparency.

    Complicated algorithms, such as machine learning, are increasingly used to make decisions about us in various situations, from credit scoring to face recognition to advertising. While some might enjoy the personalization, for others, it may lead to frustrating experiences and discrimination. Imagine an online store that divides its users into more and less valuable based on some obscure LTV (lifetime value) prediction algorithm and provides its more valued customers with live customer support chats while leaving less lucky shoppers to a far-from-perfect chatbot. If you are deemed by a computer to be an inferior customer, would you want to know why? Or, if you are denied a credit card? A mortgage? A kidney transplant? As more industries are touched by algorithms, we expect more discussion and regulations about explaining, contesting and amending decisions made by automated systems, as well as more research into machine learning explainability techniques.

  5. Thanks to work from home, many people will become more privacy-aware – with the help of their employers.

    If you have been working from home due to the pandemic, odds are you have learned lots of new IT slang: virtual desktop infrastructure, one-time password, two-factor security keys and so on – even if you work in banking or online retail. Even when the pandemic is over, the work-from-home culture might persist. With people using the same devices both for work and personal needs, corporate security services would need more security-minded users to protect this bigger perimeter from attacks and leaks. This means more security and privacy training – and more people translating these work skills, such as using 2FA, into their personal lives.

To conclude, privacy is no longer a topic for geeks and cypherpunks, and we see how it has become a mainstream topic in the public debate touching on the subjects of personal and human rights, safety and security, and business ethics. We hope that this debate, involving society, business and governments, will lead to more transparency, accountability, and fair and balanced use of personal data, and that legal, social and technological solutions to the most pressing privacy issues will be found.

Cyberthreats to financial organizations in 2022

Kaspersky Securelist - 23 November, 2021 - 11:00

First of all, we are going to analyze the forecasts we made at the end of 2020 and see how accurate they were. Then we will go through the key events of 2021 relating to attacks on financial organizations. Finally, we will make some forecasts about financial attacks in 2022.

Analysis of forecasts for 2021
  • The COVID-19 pandemic is likely to cause a massive wave of poverty, and that invariably translates into more people resorting to crime, including cybercrime. We might see certain economies crashing and local currencies plummeting, which would make Bitcoin theft a lot more attractive. We should expect more fraud, targeting mostly BTC, because this cryptocurrency is the most popular.
  • Yes. Data from the Brazilian Federation of Banks recorded a considerable increase in crime (such as explosions at bank branches to steal money) and cybercrime (increased phishing and social-engineering attacks) against banking customers and banking infrastructure. Of course, this is the result of economic problems caused by the pandemic.

    In addition, bitcoin ended 2020 at around $28,000 and quickly rose to a peak of $40,000 in January 2021. With bitcoin currently valued at approximately $60,000, cybercriminals have adapted their malware to monitor the operating system’s clipboard and redirect funds to addresses under their control. In fact, from January through the end of October, Kaspersky detected more than 2,300 fraudulent global resources aimed at 85,000 potential crypto investors or users who are interested in cryptocurrency mining. The lockdown’s effect on the global economy is leading emerging markets and different regions to adopt cryptocurrency as legal tender or at least as a way of storing value during these times.

  • MageCart attacks moving to the server side. We can see that the number of threat actors that rely on client-side attacks (JavaScript) is diminishing by the day. It is reasonable to believe that there will be a shift to the server side.
  • Yes. Magecart Group 12, known for skimming payment information from online shoppers, now uses PHP web shells to gain remote administrative access to the sites under attack to steal credit card data, rather than using their previously favored JavaScript code. A file that attempts to pass itself off as ‘image/png’ but does not have the proper .PNG format loads a PHP web shell in compromised sites by replacing the legitimate shortcut icon tags with a path to the fake .PNG file. The web shell is harder to detect and block because it injects the skimmer code on the server side rather than the client side.
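The fake-PNG trick described above suggests a simple defensive check: walk the favicon (`<link rel="... icon ...">`) references of a page and verify that every referenced file actually starts with the PNG signature and carries no PHP open tag. The following is an added example written for this page, not code from Kaspersky or from the report on Magecart Group 12; the HTML snippet, file names and file contents are constructed for the demonstration. It generalizes slightly beyond the write-up by also flagging polyglots in which a valid PNG header is followed by PHP code.

```python
"""Audit favicon references of a page: is each referenced .png a real PNG,
and is there any PHP source hidden inside it? Constructed example; the HTML,
paths and file bytes below are sample data, not real site content."""
import re
from html.parser import HTMLParser

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"          # first 8 bytes of every valid PNG
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify_png_bytes(data: bytes) -> str:
    """Classify bytes that are served or stored as image/png.

    'php-in-image'  -> a PHP open tag is present (with or without a PNG
                       header, so appended-PHP polyglots are flagged too)
    'bad-signature' -> not a PNG at all, but no PHP found either
    'ok'            -> PNG signature present and no PHP open tag
    """
    if PHP_OPEN_TAG.search(data):
        return "php-in-image"
    if not data.startswith(PNG_SIGNATURE):
        return "bad-signature"
    return "ok"


class IconLinkCollector(HTMLParser):
    """Collect href values of <link> tags whose rel names an icon
    (rel="icon", "shortcut icon", "apple-touch-icon", ...)."""

    def __init__(self) -> None:
        super().__init__()
        self.icon_hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if href and any("icon" in token for token in rel_tokens):
            self.icon_hrefs.append(href)


def audit_icon_references(html: str, files: dict) -> dict:
    """Map each icon href found in `html` to a verdict from classify_png_bytes.

    `files` stands in for the site's document root (href -> file bytes).
    A referenced file that is absent is reported as 'missing'.
    """
    collector = IconLinkCollector()
    collector.feed(html)
    verdicts = {}
    for href in collector.icon_hrefs:
        data = files.get(href)
        verdicts[href] = "missing" if data is None else classify_png_bytes(data)
    return verdicts


# --- constructed sample data (not taken from any real site) ------------------
# A truncated but correctly signed PNG: signature plus the start of an IHDR chunk.
REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
# A file named like an image whose content is really PHP source (placeholder body).
FAKE_PNG = b"<?php echo 'placeholder'; ?>"
# A real-looking PNG with PHP appended after the IEND chunk (polyglot).
POLYGLOT_PNG = REAL_PNG + b"IEND\xaeB`\x82" + b"<?php echo 'placeholder'; ?>"

SAMPLE_FILES = {
    "/favicon.png": REAL_PNG,
    "/wp-content/uploads/icon.png": FAKE_PNG,
    "/img/logo.png": POLYGLOT_PNG,
}

SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="/favicon.png">
<link rel="icon" type="image/png" href="/wp-content/uploads/icon.png">
<link rel="apple-touch-icon" href="/img/logo.png">
<link rel="stylesheet" href="/css/site.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for href, verdict in audit_icon_references(SAMPLE_HTML, SAMPLE_FILES).items():
        print(f"{verdict:14s} {href}")
```

In a real deployment the `files` dictionary would be replaced by reads from the web root or from the HTTP responses for each href, and the same classifier can be run over every file under an uploads directory, since the page's own icon tags are only one place such a file can be referenced from.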

  • A re-integration and internalization of operations inside the cybercrime ecosystem: the major players on the cybercrime market and those who made enough profit will mostly rely on their own in-house development, reducing outsourcing to boost their profits.
  • Yes. Lots of groups recruited numerous affiliates, but this approach comes with the potential problems of human error and leaks. To boost their profits and depend less on outsourcing, some groups, such as REvil, even scammed their affiliates, adding a backdoor capable of hijacking negotiations with victims and taking the 70% of the ransom payments that is supposed to go to the affiliates.

    The Conti Gang was another group that also had issues with their associates when an apparently vengeful affiliate leaked the ransomware group’s playbook after claiming the notorious cybercriminal organization underpaid him for doing its dirty work. The data revealed in the post included the IP addresses for the group’s Cobalt Strike command-and-control servers (C2s) and a 113MB archive containing numerous tools and training materials explaining how Conti performs ransomware attacks.

  • Advanced threat actors from countries placed under economic sanctions may rely more on ransomware imitating cybercriminal activity. They may reuse publicly available code or create their own campaigns from scratch.
  • Yes. In April 2021, the Andariel group attempted to spread custom ransomware. According to the Korean Financial Security Institute, Andariel is a sub-group of the Lazarus threat actor. Interestingly, one victim was found to have received ransomware after the third-stage payload. This ransomware sample is custom made and was developed explicitly by the threat actor behind this attack. It is controlled by command-line parameters and can retrieve an encryption key either from the C2 or from an argument at launch time.

  • As ransomware groups continue to maximize profits, we should expect to see the use of 0-day exploits as well as N-day exploits in upcoming attacks. These groups will purchase both to expand the scale of their attacks even further, boosting their success rate, and resulting in more profit.
  • Definitely yes. We saw many attacks using N-days, such as the attack that targeted the Brazilian Supreme Court, which exploited vulnerabilities in VMware ESXi (CVE-2019-5544 and CVE-2020-3992). Many groups also relied on vulnerabilities in VPN servers. Threat actors conducted a series of attacks using the Cring ransomware; an incident investigation conducted by Kaspersky ICS CERT at one of the attacked enterprises revealed that they exploited a vulnerability in FortiGate VPN servers (CVE-2018-13379).

    We also saw attackers relying on 0-days. Probably the most impactful was the Kaseya compromise, using supply-chain vulnerabilities to distribute ransomware (CVE-2021-30116). Another impressive attack, also relying on supply-chain compromise, was against BQE Software, the company behind billing software BillQuick, which claims to have a 400,000 strong user base worldwide. An unknown ransomware group exploited a critical SQL injection bug found in the BillQuick Web Suite time and billing solution to deploy ransomware on their targets’ networks in ongoing attacks (CVE-2021-42258).
    As these groups have deep pockets with all the money they have received from numerous attacks, we can expect more attacks exploiting N-days and 0-days to deliver ransomware to lots of targets.

  • Cracking down hard on the cybercrime world. In 2020, OFAC announced that they would supervise any payment to ransomware groups. Then US Cyber Command took down Trickbot temporarily ahead of the elections. There should be an expansion of the “persistent engagement” strategy to financial crime. There is also a possibility of economic sanctions against institutions, territories or even countries that show a lack of resolve to combat cybercrime that originates on their territory.
  • Yes. With continued opposition to ransomware payments, OFAC made clear its view that making ransomware payments encourages future ransomware attacks and, if such payments (and related services and facilitation) violate US sanctions prohibitions, may expose payment participants to OFAC sanctions enforcement. And while “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” the Updated Advisory strongly discourages all private companies and citizens from paying the ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.

    The Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments describes the potential sanctions risks associated with making and facilitating ransomware payments and provides information for contacting relevant US government agencies, including OFAC, if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.

    In addition, a new proposed law compels US businesses to disclose any ransomware payments within 48 hours of the transaction. The Ransom Disclosure Act will:

    • Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;
    • Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;
    • Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;
    • Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity.

    The US Department of the Treasury recently sanctioned two virtual currency exchanges, which helped ransomware threat actors to process victims’ payments. Back in September 2021, SUEX got sanctioned and accused of money laundering. In November 2021, Chatex, which is directly connected to SUEX, also got sanctioned with similar charges, according to public information.

  • With the special technical capabilities of monitoring, deanonymization and seizing of BTC accounts now in place, we should expect cybercriminals to switch to transit cryptocurrencies for charging victims. There is reason to believe they might switch to other privacy-enhanced currencies, such as Monero, to use these first as a transition currency and then convert the funds to any other cryptocurrency of choice including BTC.
  • No. While the Department of Justice seized $2.3 million in cryptocurrency paid to the ransomware extortionists Darkside, other privacy- and anonymity-focused cryptocurrencies such as Monero, Dash or Zcash still aren’t the default choice of cybercriminal groups. With more regulatory pressure aimed at exchanges, threat actors attempting to cash out ransomware bounties obtained through anonymous coins could face more difficulties than those that rely on Bitcoin or Ethereum for their illegal businesses. Even if the payments are traceable, different coin-mixing and coin-laundering underground services facilitate re-entering funds into the legitimate exchange ecosystem. Monero, among other similar cryptocurrencies, has been delisted (banned from operating) from popular exchanges. Using it for trading or simply swapping is not as easy as it used to be.

  • Extortion on the rise. One way or another, cybercriminals targeting financial assets will rely on extortion. If not ransomware, then DDoS or possibly both. This could be especially critical to companies that lose data, go through an exhausting data recovery process and then have their online operations knocked out.
  • Yes. 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware that attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.

    Cybercriminals also found a host of new tools for amplifying DDoS attacks.

    The most significant event in Q1 was the COVID-19 vaccination program. As new segments of the population became eligible for vaccination, related websites suffered interruptions. For example, at the end of January, a vaccine registration website in the US state of Minnesota crashed under the load.

    We have seen how some groups like Egregor (arrested) extorted via massive LAN printing. Other groups rely on telephone calls, leaving voice messages and threatening employees and their families.

Key events in 2021
  • Ransomware threat actor arrests
  • With ransomware attacks going wild and stealing the headlines this year, law enforcement all around the world intensified their fight against ransomware groups. In 2021, we saw Egregor, one of the noisiest ransomware families, reborn from Sekhmet and previously from Maze, get busted. Another case in point is REvil, aka Sodinokibi, which came from GandCrab, which in turn came from Cerber. In November, some of their affiliates were arrested as well. The arrest of Yaroslav Vasinskyi and the charges against Yevgeniy Polyanin are excellent examples of effective international cooperation in the cybercrime fight.

  • Facebook incidents (a data breach in April and a data leak in October)
  • Because of Facebook’s rebrand and new mission announced by its CEO, the company’s data leaks may represent a severe risk to their customers. Some companies have gone entirely virtual, and an account takeover could cause severe harm to their business or sales.
    We also learned that Meta’s goal is to consolidate people’s lives, connecting them in all aspects of life, including financially. This concerns, for instance, money transfers and, potentially, other financial activities. With customers’ plain text information disclosed by leaks on the internet, cybercriminals have gained new attack possibilities.

  • Android Trojan bankers on the rise
  • This year, we saw more Android Trojan bankers targeting users worldwide with a special focus on Europe, Latin America and the Middle East. In 2021, we have witnessed several families, such as RealRAT, Coper, Bian, SMisor, Ubel, TwMobo, BRata, and BasBanke actively targeting mobile users. Some of those campaigns are accompanied by social engineering where the threat actor calls the victim and sends a specially crafted text message with a download link leading to a malicious APK file after a short conversation.

Forecasts for 2022
  • Rise and consolidation of information stealers
  • Our telemetry shows an exponential growth in infostealers in 2021. Given the variety of offers, low costs, and effectiveness, we believe this trend will continue. Additionally, it might even be used as a bulk collector for targeted and more complex attacks.

  • Cryptocurrency targeted attack
  • The cryptocurrency business continues to grow, and people continue to invest their money in this market because it’s a digital asset and all transactions occur online. It also offers anonymity to users. These are attractive aspects that cybercrime groups will be unable to resist.
    And not only cybercrime groups but also state-sponsored groups who have already started targeting this industry. After the Bangladesh bank heist, the BlueNoroff group is still aggressively attacking the cryptocurrency business, and we anticipate this activity will continue.

  • More cryptocurrency-related threats: fake hardware wallets, smart contract attacks, DeFi hacks and more
  • While in some regions cryptocurrency has been banned, it has received official recognition and acceptance in others. And it’s not just about El Salvador. For example, the Mayor of Miami declared that the City plans to start paying residents who use cryptocurrency, and he stated on Twitter that he would receive his salary 100% in bitcoin.
    While some people consider it risky to invest in cryptocurrencies, those who do realize that their wallet is the weakest link. While most infostealers can easily steal a locally stored wallet, a cloud-based one is also susceptible to attacks with the risk of losing funds. Then there are hardware-based cryptocurrency wallets. But the question is, are there sufficiently reliable and transparent security assessments to prove that they are safe?
    In the scramble for cryptocurrency investment opportunities, we believe that cybercriminals will take advantage of fabricating and selling rogue devices with backdoors, followed by social engineering campaigns and other methods to steal victims’ financial assets.

  • Targeted ransomware – more targeted and more regional
  • With the international efforts to crack down on major targeted ransomware groups, we will see a rise in small regionally derived groups focused on regional victims.

  • The adoption of Open Banking in more countries may lead to more opportunities for cyberattacks
  • The UK was the pioneer, but nowadays many countries are adopting it. As most Open Banking systems are based on APIs and Web API queries performed by financial institutions, we can expect more attacks against them, as pointed out by Gartner: “in 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications.”

  • Mobile banking Trojans on the rise
  • As mobile banking experienced booming adoption worldwide due to the pandemic (in Brazil it represented 51% of all transactions in 2020), we can expect more mobile banking Trojans for Android, especially RATs that can bypass security measures adopted by banks (such as OTP and MFA). Regional Android implant projects will move globally, exporting attacks to Western European countries.

  • Rise of threat to online payment systems
  • Amid the pandemic, many companies have gone digital and moved their systems online. And the longer people stay at home because of quarantine and lockdowns, the more they rely on online markets and payment systems. However, this rapid shift is not accompanied by the appropriate security measures, and it is attracting lots of cybercriminals. This issue is particularly severe in developing countries, and the symptoms will last for a while.

  • With more fintech apps out there, the increasing volume of financial data is attracting cybercriminals
  • Thanks to online payment systems and fintech applications, lots of important personal information is stored on mobile. Many cybercrime groups will continue to attack personal mobile phones with evolved strategies such as deep fake technology and advanced malware to steal victims’ data.

  • Remote workers using corporate computers for entertainment purposes, such as online games, continue to pose financial threats to organizations
  • In 2020, the number of gamers surpassed 2.7 billion, with the Asia-Pacific becoming the most active region. Even if video game platforms such as Steam reached all-time highs during April and May 2020, this year, Steam peaked at 27 million concurrent players in March. In our Do cybercriminals play cyber games during quarantine? article, we wrote that users relied on corporate laptops to play video games, watch movies and use e-learning platforms. This behavior was easy to identify because there was a boom in the Intel and AMD mobile graphic cards market in 2020-2021 compared to previous years. This trend is here to stay, and while during 2020, 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to an office, with the rest claiming to have a shorter office work week.
    Cybercriminals spread malware and steal logins, in-game items, payment information and more through the use of video games such as Minecraft or Counter-Strike: Global Offensive. In addition, Hollywood blockbuster movies have become the perfect lure for those desperate to watch a film before it’s released, and all from the comfort of their own homes. That was the case with the latest James Bond film, No Time to Die, with cybercriminals using adware, Trojans and ransomware to steal private information and even blackmailing victims who wanted their data back.

  • ATM and PoS malware to return with a vengeance
  • During the pandemic, some locations saw PoS/ATM transaction levels drop significantly. Lockdowns forced people to stay at home and make purchases online, and this was mirrored in PoS/ATM malware too. As restrictions are lifted, we should expect the return of known PoS/ATM malware projects and the appearance of new projects. Cybercriminals will regain their easy physical access to ATMs and PoS devices at the same time as customers of retailers and financial institutions.

Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns

The Hacker News - 23 November, 2021 - 08:33
Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems. The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a
Category: Hacking & Security

GoDaddy’s Latest Breach Affects 1.2M Customers

Threatpost - 22 November, 2021 - 23:03
The kingpin domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.
Category: Hacking & Security

8 reasons why iPhone users will never switch to Android - security - 22 November, 2021 - 21:15
** Both of the largest mobile platforms have their camp of die-hard fans ** They are clear on why iOS or Android is the only right system ** Here are several reasons why Apple fans don’t want to hear about the robots
Category: Hacking & Security

Online Merchants: Prevent Fraudsters from Becoming Holiday Grinches

Threatpost - 22 November, 2021 - 21:13
Black Friday and Cyber Monday approach! Saryu Nayyar, CEO at Gurucul, discusses concerning statistics about skyrocketing online fraud during the festive season.
Category: Hacking & Security

Black Friday and Cyber Monday – here’s what you REALLY need to do!

Sophos Naked Security - 22 November, 2021 - 20:52
The world fills up with cybersecurity tips every year when Black Friday comes round. But what about the rest of the year?

Attackers Hijack Email Threads Using ProxyLogon/ProxyShell Flaws

Threatpost - 22 November, 2021 - 20:26
Exploiting Microsoft Exchange ProxyLogon & ProxyShell vulnerabilities, attackers are malspamming replies in existing threads and slipping past malicious-email filters.
Category: Hacking & Security

Imunify360 Bug Leaves Linux Web Servers Open to Code Execution, Takeover

Threatpost - 22 November, 2021 - 20:14
CloudLinux's security platform for Linux-based websites and web servers contains a high-severity PHP deserialization bug.
Category: Hacking & Security