CISA Archives – Gridinsoft Blog

SLP DDoS Amplification Vulnerability Actively Exploited
Fri, 10 Nov 2023 14:27:54 +0000
https://gridinsoft.com/blogs/slp-ddos-amplification-vulnerability-exploited/

The post SLP DDoS Amplification Vulnerability Actively Exploited appeared first on Gridinsoft Blog.

In a recent development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised alarms over an actively exploited high-severity flaw in the Service Location Protocol (SLP). Designated as CVE-2023-29552, the vulnerability poses a significant threat, allowing attackers to execute denial-of-service (DoS) attacks with a substantial amplification factor. This revelation follows the disclosure of the flaw by cybersecurity entities Bitsight and Curesec earlier this April.

Vulnerability Overview

Tracked with a CVSS score of 7.5, the vulnerability in question exposes a DoS weakness within the Service Location Protocol. The flaw allows unauthenticated remote attackers to register services and use spoofed UDP traffic to orchestrate a DoS attack with a notable amplification factor. SLP is a protocol that facilitates communication and service discovery among systems on a local area network (LAN), and it has become a potential avenue for malicious actors to exploit.

And while this threat used to be mostly a paper tiger, these days it is no longer a matter of theoretical possibility: real cyber crooks are making use of CVE-2023-29552. The less time you give them to discover that you are running a vulnerable SLP version, the lower the chance that it will be turned to malicious purposes.

DDoS amplification attack

The nature of the DoS amplification attack leveraging CVE-2023-29552 is relatively straightforward yet potent. Instead of bombarding the target server head-on, the cyber crooks take a slyer route. They send tiny requests to a middleman SLP server, and here is the twist: those small requests make the middleman send back much bigger responses. The key move is faking the source of the request so that it appears to come from the target’s IP; the oversized replies are then delivered to the target instead of the attacker. Thanks to this trick, the bad actors can flood even the most well-guarded targets with traffic.
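An added example (not code from the Gridinsoft post) of how a defender can spot the pattern above from the reflector’s side of the network: it assumes NetFlow-style records of the form (timestamp, src, sport, dst, dport, proto, bytes), and that the SLP service listens on UDP/427, the IANA-assigned SLP port, which the post itself does not name. The sample flows are constructed.

```python
"""
Spot hosts on our network that are being abused as SLP reflectors.

Seen from the reflector's side, the attack in the post looks like a burst
of small inbound UDP/427 requests that all claim to come from one address
(the spoofed victim), each answered by a much larger outbound response
to that same address. Assumptions: flow records as tuples
(ts, src, sport, dst, dport, proto, bytes); SLP on UDP/427.
"""
from collections import defaultdict

SLP_PORT = 427          # assumption: SLP on its IANA-assigned UDP port
MIN_AMPLIFICATION = 10  # flag when responses exceed requests 10x in bytes
MIN_REQUESTS = 20       # ignore a handful of ordinary lookups

# Constructed sample flows. 192.0.2.10 is our SLP server, 192.0.2.33 a
# legitimate LAN client, 203.0.113.5 the address spoofed by the attacker.
SAMPLE_FLOWS = [
    # legitimate lookup: small request, modest reply
    (1, "192.0.2.33", 50000, "192.0.2.10", SLP_PORT, "udp", 60),
    (1, "192.0.2.10", SLP_PORT, "192.0.2.33", 50000, "udp", 140),
]
# reflected traffic: 40 tiny requests "from" the victim, 40 large replies
for i in range(40):
    SAMPLE_FLOWS.append((2 + i, "203.0.113.5", 40000 + i, "192.0.2.10", SLP_PORT, "udp", 54))
    SAMPLE_FLOWS.append((2 + i, "192.0.2.10", SLP_PORT, "203.0.113.5", 40000 + i, "udp", 1400))


def find_reflection_victims(flows, slp_port=SLP_PORT,
                            min_requests=MIN_REQUESTS,
                            min_amplification=MIN_AMPLIFICATION):
    """Return {(reflector, victim): (requests, req_bytes, resp_bytes, ratio)}
    for every (our SLP host, claimed requester) pair whose response bytes
    exceed request bytes by min_amplification after min_requests requests."""
    req_count = defaultdict(int)
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    for _ts, src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == slp_port:            # inbound request to our SLP server
            key = (dst, src)             # (reflector, claimed requester)
            req_count[key] += 1
            req_bytes[key] += nbytes
        elif sport == slp_port:          # outbound response from our SLP server
            key = (src, dst)
            resp_bytes[key] += nbytes
    findings = {}
    for key, n in req_count.items():
        if n < min_requests or req_bytes[key] == 0:
            continue
        ratio = resp_bytes[key] / req_bytes[key]
        if ratio >= min_amplification:
            findings[key] = (n, req_bytes[key], resp_bytes[key], round(ratio, 1))
    return findings


if __name__ == "__main__":
    for (reflector, victim), (n, rb, sb, ratio) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{reflector} is reflecting to {victim}: {n} requests, "
              f"{rb} B in / {sb} B out, amplification x{ratio}")
```

A real deployment would feed exported flows instead of SAMPLE_FLOWS and tune the thresholds to the site’s normal SLP chatter; a hit means the address in the “victim” column is being attacked through your server, which is exactly the case in which disabling or firewalling SLP on that host is warranted.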

Mitigation Measures

In response to the real-world exploits of this vulnerability, federal agencies are mandated to implement mitigations promptly. CISA has set a deadline of November 29, 2023, for federal agencies to secure their networks by applying necessary measures. The recommended mitigations include disabling the SLP service on systems operating in untrusted network environments.

Unfortunately, there is no dedicated fix that stops the exploitation without sacrificing functionality. However, modern security software can make exploitation much harder, if not entirely impossible.

  • EDR/XDR
    Think of EDR as your vigilant guardian, keeping a watchful eye on endpoint activities. It’s the first line of defense, swiftly responding to any suspicious behavior to thwart potential ransomware threats. XDR extends its vigilant reach beyond endpoints. It’s like having a superhero with enhanced senses, covering a broader spectrum of detection and response capabilities against evolving cyber threats.
  • SIEM/SOAR
    SIEM aggregates and organizes security event logs, providing you with a comprehensive overview of your cybersecurity landscape. It’s the strategic hub for informed decision-making. SOAR steps in to automate incident responses, ensuring swift and precise actions in the face of emerging threats. It’s the sidekick that streamlines your defense mechanisms.
  • Back up your data and store those backups offline or on a separate network for added protection. Backups are ransomware’s kryptonite: the attack achieves nothing if you can simply restore everything.
  • Staying informed by reading the news and studying current material on cybersecurity and related topics is paramount in today’s dynamic and interconnected digital landscape. It is not just a habit; it is a proactive approach to staying ahead in the ever-evolving world of digital security.

MITRE Compiled a List of the 25 Most Dangerous Bugs
Mon, 03 Jul 2023 16:16:39 +0000
https://gridinsoft.com/blogs/25-most-dangerous-bugs/

MITRE specialists have published a list of the 25 most dangerous bugs in software over the past two years. It included a variety of shortcomings, including vulnerabilities and errors in the code, architecture, implementation and design of the software.

Love lists of hacker stuff and cyber threats? Check out these: Huge Ransomware List by Gridinsoft Research: Part #1, Part #2. Or this one: US Authorities List Vulnerabilities That Chinese Hackers Attack.

Such flaws can jeopardize the security of systems where problematic software is installed and running. They can become an entry point for attackers trying to take control of vulnerable devices, help attackers gain access to sensitive data, or provoke a denial of service.

To compile this list, MITRE bug analysts examined in detail 43,996 CVE IDs from the NIST National Vulnerability Database (NVD) discovered and described in 2021 and 2022. Experts paid special attention to those CVEs that were added to the list of known exploited vulnerabilities (KEV), which is compiled by analysts from the Cybersecurity and Infrastructure Security Agency (CISA).

Problems in the list have their own CWE identifiers (not to be confused with CVE) – Common Weakness Enumeration. CWEs differ from CVEs in that the former are, in effect, the predecessors of the latter: a CWE describes a class of weakness that leads directly to the appearance of concrete vulnerabilities.

CWEs are divided into more than 600 categories that combine very broad classes of diverse problems, such as CWE-20 (incorrect input validation), CWE-200 (information disclosure), and CWE-287 (incorrect authentication).

By MITRE’s criteria, the most dangerous problems continue to be bugs that are easy to find, have a strong impact, and are widespread in software released in the last two years.

“CISA encourages all developers and security response teams to review the top 25 CWE list and evaluate recommended mitigation measures to determine the most appropriate ones to adopt,” CISA recommends.

The top 25 CWE list compiled by MITRE is as follows:

| Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2022 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.54 | 4 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 34.27 | 6 | 0 |
| 4 | CWE-416 | Use After Free | 16.71 | 44 | +3 |
| 5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 15.65 | 23 | +1 |
| 6 | CWE-20 | Improper Input Validation | 15.50 | 35 | -2 |
| 7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 | -2 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.11 | 16 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 | 0 |
| 11 | CWE-862 | Missing Authorization | 6.90 | 0 | +5 |
| 12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 | -1 |
| 13 | CWE-287 | Improper Authentication | 6.39 | 10 | +1 |
| 14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 | -1 |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 | -3 |
| 16 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 4.95 | 4 | +1 |
| 17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 | +2 |
| 18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 | -3 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 | +2 |
| 20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 | -2 |
| 21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.53 | 8 | +1 |
| 22 | CWE-269 | Improper Privilege Management | 3.31 | 5 | +7 |
| 23 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.30 | 6 | +2 |
| 24 | CWE-863 | Incorrect Authorization | 3.16 | 0 | +4 |
| 25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 | -5 |

US Authorities Warn of Disaster-Related Scams
Mon, 29 May 2023 20:18:27 +0000
https://gridinsoft.com/blogs/us-authorities-warn-of-disaster-related-scams/

Following natural disasters and severe weather, there is a higher chance of fraudulent activities as scammers prey on vulnerable individuals or those who wish to donate to charity. Scammers use various methods, including phone calls, text messages, mail, emails, and door-to-door visits, to exploit affected areas after hurricanes and damaging storms. Therefore, CISA (Cybersecurity & Infrastructure Security Agency) recommends that people remain alert to disaster-related scams.

Types of Disaster-related Scams

Fraudsters have many methods to convince victims to donate money or go to their malicious sites. Aside from money, crooks aim at collecting personally identifiable information (PII) and credentials. Here are some of the methods they can use:

Social Media Phishing

Scammers often use social networking platforms such as Facebook, Twitter, or LinkedIn to extort money under the guise of charitable purposes. You may have seen similar posts on Instagram about raising funds for the victims of a storm or helping their relatives. Fraudsters can create fake profiles and use the names of charities or government organizations to make their communications look legitimate. Be careful and check the validity of such announcements.

Email Phishing

Email phishing relies on deceptive messages that pose as genuine promotional or personal emails. They often ask you to click links leading to phishing sites or to download attached files. These emails may look so genuine that even an experienced user can be tricked into believing they are authentic. Occasionally they carry infected attachments or links to phishing sites disguised as plain text. However, as many email systems now scan attachments for viruses, this type of phishing is rare.

Example of an email from an attacker

Vishing

Vishing is a scam in which fraudsters use voice communication (phone calls) to deceive people. One common tactic is for fraudsters to pose as disaster victims or federal officials who claim to be raising money for disaster victims. For example, they may ask you to transfer money to a bank account. They may also call from hidden numbers; treat that as a warning sign and do not fall for their tricks.

Calls from hidden numbers

Beware of contractors and home improvement companies calling to say they are partners with your insurance provider. Do not disclose your policy numbers, coverage details, or personal information to any company you have not contracted with. To ensure that a contractor you are thinking of hiring holds a legitimate license and sufficient insurance, consult your state’s online database: it will tell you whether licensing is mandatory, let you verify the validity of the contractor’s license, and help you assess whether they carry adequate insurance coverage.

How to Protect Yourself from Disaster-related Scams

The scammers’ methods may seem daunting, but in fact they are only well-rehearsed schemes of deception, which means users can avoid them. Consumers must remain vigilant against fraudsters who pose as charities demanding donations for disaster relief, and must not trust everything they see online. To protect yourself from these types of fraud, consider taking the following measures:

Donate to Trusted Charities

Be cautious of individuals or groups who engage in fraudulent activities by establishing counterfeit charitable organizations during natural disasters. To ensure a charity is legitimate, visiting its official website is crucial. If you have doubts, you can seek verification from reputable sources such as Charity Navigator, the Better Business Bureau’s Wise Giving Alliance, Charity Watch, or GuideStar. Additionally, you can inquire with the National Association of State Charity Officials to determine whether charities are required to register in your state and whether the charity contacting you is listed in their records.

Confirm all Phone numbers for Charities

If you plan to contact a charity by phone, the best way to verify the number’s legitimacy is to check the charity’s official website. Similarly, if you intend to donate via text-to-donate, verify the number’s authenticity with the charity before making any donation.

Beware of Suspicious Emails

If you receive a suspicious email requesting donations or assistance, do not open its links or download its attachments. Scammers frequently use email to conduct phishing attacks or distribute malware, so exercise caution and refrain from engaging with such emails.

Confirm all Information in Social Media Posts

It’s essential to verify any request for charitable donations before donating. While crowdfunding websites may carry individual requests for assistance, those requests are not always reviewed by the website or by any other source.

Important!

Be aware that officials from government disaster assistance agencies do not call or text to ask for financial account information, and there is no need to pay to apply for or receive disaster assistance from FEMA (Federal Emergency Management Agency) or the Small Business Administration. Anyone claiming to be a federal official and asking for money is an imposter.

FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations
Mon, 05 Dec 2022 09:09:56 +0000
https://gridinsoft.com/blogs/fbi-and-cuba-ransomware/

The FBI and the U.S. Infrastructure and Cyber Security Agency (CISA) report that as of August 2022, Cuba ransomware operators have received more than $60 million in ransom from their victims (initially, the hackers requested more than $145 million in ransoms) and have attacked more than 100 organizations around the world.

The new security bulletin is a direct continuation of a similar document from a year ago. Let me remind you that in December 2021, it was reported that the Cuba ransomware brought its authors about $43.9 million, compromising at least 49 organizations.

We also wrote that Cuba Ransomware Variant Involves Double-Extortion Scheme.

The FBI also noted that the $43.9 million represents only the ransoms actually paid by the victims; the hackers originally demanded more than $74 million, but some victims refused to pay.

“Since the newsletter was released in December 2021, the number of U.S. organizations compromised by Cuba ransomware has doubled, and ransoms demanded and paid are on the rise. The FBI has observed that Cuba continues to attack US organizations in the following five critical infrastructure sectors, including financial and public sector, healthcare, manufacturing, and IT,” experts write.

The FBI and CISA added that over the past year the ransomware’s operators have been improving their tactics and methods, and that they are now associated with the RomCom remote access trojan (RAT) and the Industrial Spy ransomware.

Law enforcement officers also said at the time that they had tracked Cuba attacks on systems infected with the Hancitor malware, which uses phishing emails, exploits for vulnerabilities in Microsoft Exchange, compromised credentials, or RDP brute force to access vulnerable Windows machines. Once a system is infected with Hancitor, access to it is rented out to other hackers under a Malware-as-a-Service model.

Interestingly, the statistics of the ID-Ransomware platform do not show Cuba as a particularly active ransomware, which only proves that even such a ransomware can have a huge impact on victims and bring profit to its operators.

MITRE experts have published a list of the 25 most dangerous problems of 2022
Fri, 01 Jul 2022 11:06:00 +0000
https://gridinsoft.com/blogs/list-of-25-problems-2022/

MITRE experts have published a list of the 25 most common and dangerous problems of 2022. Such bugs can potentially expose systems to attack, allow attackers to take control of vulnerable devices, access sensitive information, or cause a denial of service.

By the way, we also love all sorts of lists and tops, for example: Top Threats That Gridinsoft Anti-Malware Catches, or here’s another: TOP Facts About Adware Attacks To Be Reminded Today.

This time, the list was compiled with the support of the National Security Systems Design and Engineering Institute and the Cybersecurity and Infrastructure Security Agency (CISA). Interestingly, a few years ago the list was built on the basis of surveys and personal interviews with developers, leading security analysts, researchers, and vendors.

Problems in the list have their own CWE identifiers (not to be confused with CVE) – Common Weakness Enumeration. CWEs differ from CVEs in that the former are, in effect, the predecessors of the latter: a CWE describes a class of weakness that leads directly to the appearance of concrete vulnerabilities.

CWEs are divided into more than 600 categories that combine very broad classes of diverse problems, such as CWE-20 (incorrect input validation), CWE-200 (information disclosure), and CWE-287 (incorrect authentication).

MITRE reports that the dataset used to compile the new top contained a total of 37,899 CVE IDs over the past two calendar years. Also this time, the calculation methodology has changed slightly: the list is based on information from the NVD (National Vulnerability Database) and the Known Exploited Vulnerabilities (KEV) catalog, which CISA began compiling in 2021. Currently, KEV contains information about 800 known vulnerabilities used in attacks.

By MITRE’s criteria, the most dangerous bugs continue to be those that are easy to spot, have a high impact, and are widespread in software released in the last two years.

The top 25 issues identified by MITRE experts can be seen in the table below.

| Rank | ID | Name | Score | CVEs in KEV | Rank Change vs. 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.2 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 22.11 | 7 | +3 |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use After Free | 15.5 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 5.42 | 5 | +8 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.57 | 6 | +11 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.32 | 4 | +3 |

Compared to the 2021 top, three types of vulnerabilities have disappeared from the list: disclosure of confidential information to an unauthorized subject (dropped to 33rd place), insufficient protection of credentials (now at 38th place) and incorrect assignment of permissions for critical resources (30th place).

Nation-State Threat Actors are an Actual Menace, According to CISA
Tue, 19 Apr 2022 21:35:33 +0000
https://gridinsoft.com/blogs/nation-state-threat-actors/

On April 13, the US government (specifically, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation) made a warning about nation-state threat actors using specialized malware to access industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

Nation-State threat actors in a governmental warning notification

The advanced persistent threat actors, as the alert states, use custom-made software to attack ICS and SCADA devices. These tools let them find the targeted devices, compromise them, and take control of them once access to the operational technology network has been established.

The specially tailored tools are designed specifically to attack Open Platform Communications Unified Architecture (OPC UA) servers, Schneider Electric programmable logic controllers (PLCs), and OMRON Sysmac NEX PLCs.

According to the document, the threat actors can also infiltrate the Windows-based engineering workstations of informational and operational technology networks. This is possible by exploiting CVE-2020-15368, a vulnerability in the AsrDrv103.sys motherboard driver: the driver can be compromised, leading to the execution of malicious code in the Windows kernel. The infiltrators aim to escalate privileges and, moving laterally within the industrial control system’s networks, disrupt electricity and natural gas supply and distribution.

Dragos report and scale of the threat

The specialists at Dragos, an industrial cybersecurity company, have described[1] the recently revealed PIPEDREAM malware as a modular attack framework that can cause “disruption, degradation, and possibly even destruction, depending on targets and the environment.”

Robert M. Lee, CEO at Dragos, has stated that PIPEDREAM is connected to the nation-state actor under the moniker CHERNOVITE. Lee claims that it is the first time malicious software with such destructive capabilities has been discovered before its actual usage.

PIPEDREAM is a complex program whose five constituent components are responsible for different objectives. The malware is designed to detect and hijack devices, compromise programmable logic controllers, and disrupt them, jeopardizing the correct operation of industrial facilities. If PIPEDREAM were used against existing industrial systems, the consequences would be unpredictable and potentially catastrophic.

Pipedream is malware aimed at physical destruction

The malware in question uses a variety of highly automated exploits with different functions. Different modules of PIPEDREAM inject malicious configurations into devices, alter their parameters, and manipulate the devices’ contents.

CODESYS, a development environment for controller programs, proved to have at least seventeen vulnerabilities potentially exploitable by hackers. PIPEDREAM is capable of compromising CODESYS as well.

The very possibility of hijackers tampering with the settings of industrial programmable controllers is appalling. Dragos warns that terrorists could destabilize the operational environment by disabling the emergency shutdown. If that occurred, the attacked system would go critical and unstable.

Mandiant report and Pipedream origins

Mandiant, a threat intelligence company, provided a report that matches the one by Dragos. In its message, Mandiant describes PIPEDREAM (aka INCONTROLLER) as malware designed to target specifically Schneider Electric and Omron automation systems.

Schneider Electric, in turn, reported[2] that it had found neither evidence of vulnerabilities that PIPEDREAM could have exploited nor any detected attacks on the company’s devices. However, the company admitted that the threat level was troubling and added a “recommended mitigations” section to the notification for all customers to follow.

The trace leads to Russia

Apparently, the origin of the information about PIPEDREAM is the Russo-Ukrainian war. The clash takes place not solely on the ground but also on the network[3]. After an unsuccessful hacker attack on a Ukrainian energy provider, cybersecurity company ESET[4] gave a thorough description of how the INDUSTROYER2 malware worked. Possibly, that information helped Dragos and Mandiant detect and dissect another malicious program – PIPEDREAM.

The malware in question now stands alongside Stuxnet, Havex, Industroyer 1 and 2, Triton, and BlackEnergy2 – malicious tools designed against vital industrial control systems.

As a countermeasure against possible threats, cybersecurity agencies strongly advise industrial control organizations to step up all safety measures. These are well-known rules: two-factor authentication, no password auto-filling, regular password changes, and overall vigilance against potential intrusions.

US and UK accused China for attacks on Microsoft Exchange servers
Tue, 20 Jul 2021 16:50:49 +0000
https://gridinsoft.com/blogs/us-and-uk-accused-china-for-attacks-on-microsoft-exchange-servers/

The United States and a coalition of its allies, including the EU, Britain and NATO, have formally accused China and its authorities of a large-scale hacking campaign to break into Microsoft Exchange servers. Let me remind you that these attacks have been going on since the beginning of 2021 and have targeted tens of thousands of companies and organizations around the world.

China is reported to have used Microsoft’s “zero-day Exchange Server vulnerabilities disclosed in early March 2021 for cyber espionage operations.”

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers gave the general name ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be linked together and exploited allowing an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data.

“We know that in some cases, cybercriminals affiliated with the PRC government carried out extortion operations against private companies, demanding multimillion-dollar ransoms,” the White House said.

Already in March, attacks on vulnerable servers were being carried out by more than 10 hacking groups, deploying web shells, miners and ransomware on the servers.

“Attacks on Microsoft Exchange software are most likely associated with a large-scale spy campaign aimed at obtaining personal data and intellectual property. It is highly likely that a group known as HAFNIUM, affiliated with the Chinese government, is responsible for this activity,” says the UK’s National Cybersecurity Center.

The UK also added that China’s Ministry of State Security is behind “government hacker groups” such as APT40 and APT31.

The Department of Justice, NSA, CISA and the FBI have already released technical guidance on detecting intrusions and activity by Chinese hacking groups targeting the networks of the United States and its allies. American law enforcement agencies have also published indicators of compromise for APT40, so that companies can detect the presence of these hackers on their networks.

It is worth noting that almost simultaneously with the accusations against China, the US Department of Justice announced the initiation of a criminal case against four Chinese citizens who are allegedly members of the aforementioned hacker group APT40.

Chinese representatives have already responded to the accusations against them. Foreign Ministry spokesman Zhao Lijian said at a press conference that it is the United States that is “the largest source of cyber-attacks in the world”; that it has attacked Chinese aerospace, scientific and research institutions, the oil industry, government agencies and Internet companies for the past 11 years (the conclusion reached by researchers at the Chinese company Qihoo 360 last year); that it listens in on the conversations of both its competitors and its allies; and that it pressures NATO and other allies to create a military alliance in cyberspace that “could provoke a [race] of cyber weapons and undermine international peace and security.”

The post US and UK accused China for attacks on Microsoft Exchange servers appeared first on Gridinsoft Blog.

Microsoft has released an update to remove Adobe Flash from Windows
https://gridinsoft.com/blogs/microsoft-has-released-an-update-to-remove-adobe-flash-from-windows/
Wed, 28 Oct 2020 23:14:51 +0000

As you know, very soon, on December 31, 2020, support for Adobe Flash Player will be completely discontinued, after which it will no longer be supported by any modern browser. Now Microsoft has released an update to remove Adobe Flash from Windows.

Let me remind you that work on a complete rejection of Flash Player support has been going on since 2017, when Apple, Facebook, Google, Microsoft, Mozilla, as well as Adobe itself, announced the official date of the final “death” of the technology.

Preparations for this event are in full swing.

“The company intends not only to stop providing updates for the Flash Player, but will also remove all download links from its site to prevent users from downloading and installing unsupported software,” said Adobe representatives in the summer of this year.

The company also said that all “Flash content will be blocked from running in Adobe Flash Player after the support expiration date.” That is, the company has added or is planning to add a kind of time bomb to the Flash Player code to prevent its future use.

Let me remind you that vulnerabilities in the Adobe Flash Player technology have traditionally appeared in rankings of the most dangerous bugs for quite some time. For example, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently published a list of the top 10 software vulnerabilities most commonly exploited in 2016-2019, and of course Flash Player took its rightful place on it.

Now representatives of Microsoft have come up with a similar initiative. This week, KB4577586 was released to remove Adobe Flash from all versions of Windows 10 and Windows Server and to prevent it from being reinstalled on the device.

The update is currently only available through the official update catalog and cannot be removed after installation. Later, in early 2021, the company plans to distribute the update through WSUS and Windows Update.

“Those who want to install Adobe Flash Player on a device with this update will have to perform a system reset to an earlier restore point or install a fresh copy of Windows 10,” say Microsoft representatives.

Bleeping Computer journalists tried to figure out what exactly is removed after installing KB4577586.

During tests, it turned out that the version of Flash Player (32-bit) included with Windows 10 and accessible through Control Panel is removed. However, the Adobe Flash Player component built into Microsoft Edge and other browsers stays in place, as does any standalone version of the program.

The post Microsoft has released an update to remove Adobe Flash from Windows appeared first on Gridinsoft Blog.

CISA experts warned about the growth of LokiBot infostealer activity
https://gridinsoft.com/blogs/cisa-experts-warned-about-the-growth-of-lokibot-infostealer-activity/
Wed, 23 Sep 2020 16:37:26 +0000

Specialists from the Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security (DHS CISA) have warned about the growing activity of the LokiBot infostealer (aka Loki and Loki PWS; not to be confused with the Android Trojan of the same name), which has been increasing since July this year.

ZDNet journalists note that Malwarebytes experts also drew attention to the surge in LokiBot activity, confirming the findings of CISA specialists.

LokiBot infostealer activity growth

LokiBot is one of the most dangerous infostealers at the moment. The Trojan has been known to cybersecurity experts since the mid-2010s.

For many years, its source code was distributed on hacker forums completely free of charge, which made LokiBot one of the most popular password stealing tools (mainly among low and medium-skilled cybercriminals).

Currently, several hacking groups use the malware at the same time, spreading it by a variety of methods, from email spam to hacked installers and malicious torrent files.

“By infecting victims’ computers, LokiBot focuses on finding locally installed applications and retrieving credentials from their internal databases. For example, LokiBot steals data from browsers, email clients, FTP applications and cryptocurrency wallets,” DHS CISA researchers report.

Today LokiBot is no longer just an infostealer, but a more complex threat. The malware is equipped with a keylogger that intercepts keystrokes in real time (in order to steal passwords that are not always stored in the browser’s internal database), and a utility for taking screenshots (usually used to capture documents after they have been opened on the victim’s computer). In addition, LokiBot also acts as a backdoor, allowing hackers to launch other malware on infected hosts.

The data stolen by LokiBot usually ends up on underground marketplaces. According to KELA analysts, LokiBot is one of the main providers of credentials for the Genesis marketplace.

In 2019, Spamhaus experts named LokiBot the malware with the most active command servers, Any.Run experts placed LokiBot in 4th place in their ranking of the most common threats of 2019, and in the Spamhaus ranking for the first half of 2020, LokiBot holds second place.

The post CISA experts warned about the growth of LokiBot infostealer activity appeared first on Gridinsoft Blog.

Chinese hackers attack US organizations and exploit bugs in F5, Citrix and Microsoft Exchange
https://gridinsoft.com/blogs/chinese-hackers-attack-us-organizations/
Wed, 16 Sep 2020 16:17:04 +0000

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) has published security guidance for the private sector and government agencies. CISA said that Chinese hackers associated with the Chinese Ministry of State Security are attacking organizations in the United States and exploiting bugs in F5, Citrix, Pulse Secure and Microsoft Exchange.

According to CISA experts, over the past year Chinese hackers have regularly scanned US government networks in search of network devices, and then used exploits for fresh vulnerabilities against them, trying to gain a foothold in vulnerable networks and continue with lateral movement.

“The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies,” the CISA report says.

According to the report, some of these attacks were successful, and the attackers achieved their goal.

Chinese hackers attack the USA

The main targets of the Chinese hackers were F5 Big-IP load balancers, Citrix and Pulse Secure VPN devices, and Microsoft Exchange mail servers. Serious vulnerabilities have been identified in all of these products over the past year, including: CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688.

Having infiltrated the network, Chinese hackers seek to move further and steal data. For this they use a variety of tools (including open-source and legitimate ones), the most common of which are the Cobalt Strike platform, the China Chopper web shell and Mimikatz.

ZDNet journalists note that Chinese cybercriminals are not the only ones interested in the vulnerabilities listed above.

“In addition, Chinese hackers aren’t the only ones targeting these particular networking appliances. The devices listed above have also been targeted by Iranian state actors, according to a report from the private cyber-security sector and a cyber-security alert published by the FBI last month,” ZDNet journalists report.

Let me remind you that specialists from Crowdstrike and Dragos recently noticed that Iranian “government” hackers are putting access to the networks of compromised companies up for sale, providing that access to other criminal groups.

I will also remind you that the US authorities warned of a possible intensification of attacks by Iranian hacker groups on the public sector. Perhaps their warning was reasonable.

The post Chinese hackers attack US organizations and exploit bugs in F5, Citrix and Microsoft Exchange appeared first on Gridinsoft Blog.
