Vulnerability Overview

Tracked with a CVSS score of 7.5, the vulnerability in question exposes a DoS weakness within the Service Location Protocol. The flaw allows unauthenticated remote attackers to register services and utilize spoofed UDP traffic to orchestrate a DoS attack with a notable amplification factor. SLP is a protocol facilitating communication and discovery among systems on a local area network (LAN). It becomes a potential avenue for malicious actors to exploit.

And while before this threat was mostly a paper tiger, these days it is not just about theoretical possibilities. There are real cyber crooks out there making use of CVE-2023-29552. And the less time you give them to find out that you’re using a vulnerable SLP version – the less is the possibility that it will be used for malicious purposes.

The nature of the DoS amplification attack leveraging CVE-2023-29552 is relatively straightforward yet potent. Instead of going head-on and bombarding a target server with requests, the cyber crooks take a more sly route. They send tiny requests to a middleman server, but here’s the twist – these requests are like magic spells, making the middleman server send back way bigger responses. And the key move here is faking the source of the request, making it look like it’s coming from the target’s IP. Now, here’s where it gets wild. Thanks to this trick, these bad actors can flood even the most guarded targets with traffic.

Mitigation Measures

In response to the real-world exploits of this vulnerability, federal agencies are mandated to implement mitigations promptly. CISA has set a deadline of November 29, 2023, for federal agencies to secure their networks by applying necessary measures. The recommended mitigations include disabling the SLP service on systems operating in untrusted network environments.

Unfortunately, there is no dedicated solution meant to stop the exploitation without sacrificing any functionality. However, there is the ability to make the exploitation much harder, if not entirely impossible, with the usage of modern security software.

• EDR/XDR
  Think of EDR as your vigilant guardian, keeping a watchful eye on endpoint activities. It’s the first line of defense, swiftly responding to any suspicious behavior to thwart potential ransomware threats. XDR extends its vigilant reach beyond endpoints. It’s like having a superhero with enhanced senses, covering a broader spectrum of detection and response capabilities against evolving cyber threats.
• SIEM/SOAR
  SIEM aggregates and organizes security event logs, providing you with a comprehensive overview of your cybersecurity landscape. It’s the strategic hub for informed decision-making. SOAR steps in to automate incident responses, ensuring swift and precise actions in the face of emerging threats. It’s the sidekick that streamlines your defense mechanisms.
• Back up your data and store those backups offline or on a separate network for added protection. Backups are the ransomware attacks’ kryptonite, as they can do nothing if you just recover everything back.
• Staying informed through reading the news and studying current material on cybersecurity and related topics is paramount in today’s dynamic and interconnected digital landscape. Reading the news and studying current material on cybersecurity is not just a habit. It’s a proactive approach to staying ahead in the ever-evolving world of digital security.

The post SLP DDoS Amplification Vulnerability Actively Exploited appeared first on Gridinsoft Blog.

Love lists of some hacker stuff or cyber threats? Check out this: Huge Ransomware List by Gridinsoft Research: Part #1, Part #2. Or like this: US Authorities List Vulnerabilities That Chinese Hackers Attack.

Such flaws can jeopardize the security of systems where problematic software is installed and running. They can become an entry point for attackers trying to take control of vulnerable devices, help attackers gain access to sensitive data, or provoke a denial of service.

To compile this list, MITRE bug analysts examined in detail 43,996 CVE IDs from the NIST National Vulnerability Database (NVD) discovered and described in 2021 and 2022. Experts paid special attention to those CVEs that were added to the list of known exploited vulnerabilities (KEV), which is compiled by analysts from the Cybersecurity and Infrastructure Security Agency (CISA).

Problems in the list have their own CWE identifiers (not to be confused with CVE) – Common Weakness Enumeration. CWE differ from CVE in that, in fact, the former are the predecessors of the latter, that is, CWE lead to the appearance of vulnerabilities directly.

CWEs are divided into more than 600 categories that combine very broad classes of diverse problems, such as CWE-20 (incorrect input validation), CWE-200 (information disclosure), and CWE-287 (incorrect authentication).

The most dangerous problems in MITRE continue to be bugs that are easy to detect, have a strong impact, and are widespread in software released in the last two years.

The top 25 CWE list compiled by MITRE is as follows:

The post MITRE Compiled a List of the 25 Most Dangerous Bugs appeared first on Gridinsoft Blog.

Types of Disaster-related Scams

Fraudsters have many methods to convince victims to donate money or go to their malicious sites. Aside from money, crooks aim at collecting personally identifiable information (PII) and credentials. Here are some of the methods they can use:

Social Media Phishing

Scammers often use social networking platforms such as Facebook, Twitter, or LinkedIn to extort money for charitable purposes. You will have seen similar posts on Instagram about raising funds for the victims of the storm or helping relatives of victims. Fraudsters can create fake profiles and use the names of charities or government organizations to make their communications more legitimate. You should be careful and check the validity of such announcements.

Email Phishing

Email phishing is deceptive and pretends to be genuine promotional or personal emails. They often request you click links leading to phishing sites or download attached files. These emails may appear so genuine that even an experienced user can be tricked into believing they are authentic. Occasionally, these emails contain infected attachments or links to phishing sites disguised as text. However, as many email systems now scan for viruses in attachments, this type of phishing is rare.

Vishing

Vishing is a scam in which fraudsters use voice communication (phone calls) to deceive people. One common tactic is when fraudsters pretend to be victims of a disaster or federal officials, claiming that they raise money for disaster victims. For example, they may ask you to transfer money to a bank account. They can also call from hidden numbers, which should be noticed, and do not fall for their tricks.

Beware of contractors and home improvement companies calling and saying they are partners with your insurance provider. Do not disclose your policy numbers, coverage details, or personal information to any company you have not contracted with. To ensure that the contractor you are thinking of hiring possesses a legitimate license and sufficient insurance, it is recommended to consult your state’s online database to determine if licensing is mandatory. By checking your state’s online database, you can verify the validity of the contractor’s license and assess whether they possess adequate insurance coverage.

How to Protect Yourself from Disaster-related Scams

The methods of the scammers may seem daunting, but in fact, they are only well-developed schemes of deception. This means that users can avoid all this. Consumers must remain vigilant against fraudsters who disguise themselves as charities demanding donations for disaster relief. However, do not trust everything you see in the information world. To protect yourself from these types of fraud, consider taking the following measures:

Donate to Trusted Charities

Be cautious of individuals or groups who engage in fraudulent activities by establishing counterfeit charitable organizations during natural disasters. To ensure a charity is legitimate, visiting its official website is crucial. If you have doubts, you can seek verification from reputable sources such as the Charity Navigator, Better Business, Bureau’s Wise Giving Alliance, Charity Watch, or GuideStar. Additionally, you can inquire with the National Association of State Charity Officials to determine whether charities are needed to register in your state and if the charity contacting you is listed in their records.

Confirm all Phone numbers for Charities

Suppose you plan to contact a charity via phone. Verifying the number’s legitimacy is best by checking its official website. Similarly, if you intend to donate through text-to-donate, verifying the number’s authenticity with the charity before making any donations is necessary.

Beware of Suspicious Emails

If you receive a suspicious email and request donations or assistance, it is essential not to open links or download attachments. Scammers frequently use email to conduct phishing attacks or distribute malware. Therefore, exercise caution and refrain from engaging with such emails to avoid potential risks.

Confirm all Information in Social Media Posts

It’s essential to verify any requests for charitable donations before donating. While crowd-funding websites may have individual requests for assistance, they may only sometimes be reviewed by the website or other sources.

Important!

Be aware that officials from government disaster assistance agencies do not call or text to ask for financial account information, and there is no need to pay to apply for or receive disaster assistance from FEMA (Federal Emergency Management Agency) or the Small Business Administration. Anyone claiming to be a federal official and asking for money is an imposter.

The post US Authorities Warn of Disaster-Related Scams appeared first on Gridinsoft Blog.

The FBI and the U.S. Infrastructure and Cyber Security Agency (CISA) report that as of August 2022, Cuba ransomware operators have received more than $60 million in ransom from their victims (initially, the hackers requested more than $145 million in ransoms) and have attacked more than 100 organizations around the world.

The new security bulletin is a direct continuation of a similar document from a year ago. Let me remind you that in December 2021, it was reported that the Cuba ransomware brought its authors about $43.9 million, compromising at least 49 organizations.

We also wrote that Cuba Ransomware Variant Involves Double-Extortion Scheme.

The FBI also said that the $43.9 million was just actual payments to the victims, but the hackers originally demanded more than $74 million from the victims, but some refused to pay.

The FBI and CISA added that in the past year, it became known that ransomware has been improving its tactics and methods, and now they are associated with the RomCom remote access trojan (RAT) and Industrial Spy ransomware.

Law enforcement officers also said at the time that they tracked Cuba attacks on systems infected with the Hancitor malware, which uses phishing emails, exploits vulnerabilities in Microsoft Exchange, compromised credentials, or RDP brute force to access vulnerable Windows machines. Once Hancitor is infected, access to such a system is rented out to other hackers using the Malware-as-a-Service model.

Interestingly, the statistics of the ID-Ransomware platform do not allow to call the Cuba ransomware particularly active, and this only proves that even such a ransomware can have a huge impact on victims and bring profit to its operators.

The post FBI Says Cuba Ransomware ‘Made’ $60 Million by Attacking More Than 100 Organizations appeared first on Gridinsoft Blog.

By the way, we also love all sorts of lists and tops, for example: Top Threats That Gridinsoft Anti-Malware Catches, or here’s another: TOP Facts About Adware Attacks To Be Reminded Today.

This time, the list was compiled with the support of the National Security Systems Design and Engineering Institute and the Cybersecurity and Infrastructure Security Agency (CISA). Interestingly, a few years ago the list was built on the basis of surveys and personal interviews with developers, leading security analysts, researchers, and vendors.

Problems in the list have their own CWE identifiers (not to be confused with CVE) – Common Weakness Enumeration. CWE differ from CVE in that, in fact, the former are the predecessors of the latter, that is, CWE lead to the appearance of vulnerabilities directly.

CWEs are divided into more than 600 categories that combine very broad classes of diverse problems, such as CWE-20 (incorrect input validation), CWE-200 (information disclosure), and CWE-287 (incorrect authentication).

MITRE reports that the dataset used to compile the new top contained a total of 37,899 CVE IDs over the past two calendar years. Also this time, the calculation methodology has changed slightly: the list is based on information from the NVD (National Vulnerability Database) and the Known Exploited Vulnerabilities (KEV) catalog, which CISA began compiling in 2021. Currently, KEV contains information about 800 known vulnerabilities used in attacks.

The most dangerous bugs in MITRE continue to be those that are easy to spot, have a high impact, and are widespread in software released in the last two years.

The top 25 issues identified by MITRE experts can be seen in the table below.

Compared to the 2021 top, three types of vulnerabilities have disappeared from the list: disclosure of confidential information to an unauthorized subject (dropped to 33rd place), insufficient protection of credentials (now at 38th place) and incorrect assignment of permissions for critical resources (30th place).

The post MITRE experts have published a list of the 25 most dangerous problems of 2022 appeared first on Gridinsoft Blog.

Nation-State threat actors in a governmental warning notification

The advanced persistent threat actors, as the alert states, use custom-made software to attack ICS and SCADA devices. These instruments allow finding the targeted devices, compromising them, and taking control over them once the access to operational technology network is established.

The specially tailored tools are designed specifically to attack Open Platform Communications Unified Architecture (OPC UA) servers, Schneider Electric programmable logic controllers (PLCs,) and OMRON Sysmac NEX PLCs.

According to the document, the threat actors can also infiltrate the Windows-based engineering workstations of informational and operational technology networks. That is possible with the usage of an exploit of CVE-2020-15368 vulnerabilities related to AsrDrv103.sys motherboard driver. The driver can be compromised, leading to the execution of malicious code in the Windows core. The infiltrators aim to escalate privileges and, moving laterally within the industrial control system’s networks, create diversions in electricity and natural gas supply and distribution.

Dragos report and scale of the threat

The specialists at Dragos, an industrial cybersecurity company, have described¹ the recently revealed PIPEDREAM malware as a modular attack framework that can cause “disruption, degradation, and possibly even destruction, depending on targets and the environment.”

Robert M. Lee, CEO at Dragos, has stated that PIPEDREAM is connected to the nation-state actor under the moniker CHERNOVITE. Lee claims that it is the first time malicious software with such destructive capabilities has been discovered before its actual usage.

The PIPEDREAM is a complex program whose five constituent elements are responsible for different objectives. The malware is designed to detect and hijack devices, compromise the programmable logic controllers, and disrupt them, jeopardizing the correct work of industrial objects. If PIPEDREAM were used against existing industrial systems, the consequences would be unpredictable up to catastrophic.

Pipedream is malware aimed a physical destruction

The malware in question uses various-function exploits automatized to a high degree. Different modules of PIPEDREAM inject noxious configurations into devices, alter their parameters, and manage devices’ contents.

CODESYS, a development environment for controller programs, proved to have at least seventeen vulnerabilities potentially exploitable by hackers. PIPEDREAM is capable of compromising CODESYS as well.

The very possibility of hijackers tampering with the settings of the industries’ programmable controllers is appalling. Dragos warns about an option for the terrorists to destabilize the operational environment by disabling the emergency shutdown. If that occurred, the attacked system would go critical and unstable.

Mandiant report and Pipedream origins

Mandiant, a threat intelligence company, provided a report that matches the one by Dragos. In its message, Mandiant describes PIPEDREAM (aka INCONTROLLER) as malware designed to target specifically Schneider Electric and Omron automation systems.

Schneider Electric, in turn, reported² that there was neither evidence of vulnerabilities that could have been exploited by PIPEDREAM nor detected assaults on the company’s devices. However, the enterprise admitted that the threat level was troubling and added the “recommended mitigations” section to the notification for all customers to comply.

The trace leads to Russia

Apparently, the origin of the information about PIPEDREAM is the Russo-Ukrainian war. The clash takes place not solely on the ground but also on the Network³. After an unsuccessful hacker attack on a Ukrainian energy provider, cybersecurity company ESET⁴ has given a thorough description of how the INDUSTROYER2 malware worked. Possibly, that information helped Dragos and Mandiant detect and dissect another malicious program – PIPEDREAM.

The disputed malware now stands in one row with Stuxnet, Havex, Industroyer 1 and 2, Triton, and BlackEnergy2 – malicious tools designed against vital industrial control systems.

As a countermeasure against possible threats, cybersecurity agencies strongly advise industrial control organizations to increase all safety measures. These are well-known rules: 2-factor-authentication, no passwords auto-filling, changing passwords, and overall vigilance against potential invasive actions.

The post Nation-State Threat Actors are an Actual Menace, According to CISA appeared first on Gridinsoft Blog.

China is reported to have used Microsoft’s “zero-day Exchange Server vulnerabilities disclosed in early March 2021 for cyber espionage operations.”

In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers gave the general name ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be linked together and exploited allowing an attacker to authenticate on the Exchange server, gain administrator rights, install malware, and steal data.

Already in March, attacks on vulnerable servers were carried out by more than 10 hack groups, deploying web shells, miners and ransomware on the servers.

The UK also added that China’s Ministry of State Security is behind “government hacker groups” such as APT40 and APT31.

The Department of Justice, NSA, CISA and the FBI have already released technical guidance on breaks detection and activity of Chinese hack groups targeting networks of the United States and its allies. Also, American law enforcement officers have published indicators of compromise APT40, so that companies can detect the presence of hackers on their networks.

It is worth noting that almost simultaneously with the accusations against China, the US Department of Justice announced the initiation of a criminal case against four Chinese citizens who are allegedly members of the aforementioned hacker group APT40.

Chinese representatives have already reacted to the accusations against them. Thus, the spokesman for the Foreign Ministry of the country Zhao Lijian said at a press conference that it is the United States that is “the largest source of cyber-attacks in the world”; attacks Chinese aerospace, scientific and research institutions, the oil industry, government agencies and Internet companies for the past 11 years (this was the conclusion of researchers from the Chinese company Qihoo 360 last year); listening to the conversations of both their competitors and allies; and pressure NATO and other allies to create a military alliance in cyberspace that “could provoke a [race] of cyber weapons and undermine international peace and security.”

The post US and UK accused China for attacks on Microsoft Exchange servers appeared first on Gridinsoft Blog.

Let me remind you that work on a complete rejection of Flash Player support has been going on since 2017, when Apple, Facebook, Google, Microsoft, Mozilla, as well as Adobe itself, announced the official date of the final “death” of the technology.

Preparations for this event are in full swing.

The company also said that all “Flash content will be blocked from running in Adobe Flash Player after the support expiration date.” That is, the company has added or is planning to add a kind of time bomb to the Flash Player code to prevent its future use.

Let me remind you that the vulnerabilities of the Adobe Flash Player technology have traditionally been included in the ratings of the most dangerous bugs for quite some time. For example, recently Cybersecurity and Infrastructure Protection Agency (CISA), and the Federal Bureau of Investigation (FBI) published the TOP 10 software vulnerabilities, most commonly exploited in 2016-2019, and of course Flash Player got its rightful place there.

Now representatives of Microsoft have come up with a similar initiative. This week, KB4577586 was released to remove Adobe Flash from all versions of Windows 10 and Windows Server and to prevent it from being reinstalled on the device.

The update is only available through the official directory and cannot be removed after installation. Later, in early 2021, the company plans to distribute the update through WSUS and Windows Update.

Bleeping Computer journalists tried to figure out what exactly is removed after installing KB4577586.

During tests, it turned out that the version of Flash Player (32-bit) included with Windows 10 and accessible through Control Panel is being removed. However, the Adobe Flash Player component built into Microsoft Edge and other browsers stays in place, just like any other standalone version of the program.

The post Microsoft has released an update to remove Adobe Flash from Windows appeared first on Gridinsoft Blog.

ZDNet journalists note that Malwarebytes experts also drew attention to the surge in LokiBot activity, confirming the findings of CISA specialists.

LokiBot is one of the most dangerous infostealers at the moment. The Trojan has been known to cybersecurity experts since the mid-2010s.

For many years, its source code was distributed on hacker forums completely free of charge, which made LokiBot one of the most popular password stealing tools (mainly among low and medium-skilled cybercriminals).

Currently, several hack groups actively use malware at once, spreading it using a variety of methods, from email spam to hacked installers and malicious torrent files.

“By infecting victims’ computers, LokiBot focuses on finding locally installed applications and retrieving credentials from their internal databases. For example, LokiBot steals data from browsers, email clients, FTP applications and cryptocurrency wallets”, – inform DHS CISA researchers.

Today LokiBot is no longer just an info-stealer, but a more complex threat. Thus, the malware is equipped with a keylogger that intercepts keystrokes in real time (in order to steal passwords that are not always stored in the internal database of the browser), and a utility for creating screenshots (usually used to capture documents after they have been opened on a computer victims). In addition, LokiBot also acts as backdoor, allowing hackers to launch other malware on infected hosts.

The data stolen by LokiBot usually ends up on underground marketplaces. According to KELA analysts, LokiBot is one of the main providers of credentials for the Genesis marketplace.

In 2019, SpamHaus experts named LokiBot the malware with the most active command servers, Any.Run experts placed LokiBot in 4th place in the ranking of the most common threats in 2019, and in the SpamHaus ranking for the first half of 2020, LokiBot confidently occupies second place.

The post CISA experts warned about the growth of LokiBot infostealer activity appeared first on Gridinsoft Blog.

According to CISA experts, over the past year, Chinese hackers have regularly scanned US government networks in search of network devices, and then used against them exploits for resh vulnerabilities, trying to gain a foothold in vulnerable networks and continue lateral movement.

The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies”, — says CISA report.

According to the report, some of these attacks were successful, and the attackers achieved their goal.

The main targets of the Chinese hackers were F5 Big-IP load balancers, Citrix and Pulse Secure VPN devices, and Microsoft Exchange mail servers. Serious vulnerabilities have been identified in all of these products over the past year, including: CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688.

Having infiltrated the network, Chinese hackers seek to advance further and steal data. For this is used a variety of tools (including open source and legitimate), the most common of which are the Cobalt Strike platform, as well as the China Chopper Web Shell and Mimikatz tools.

ZDNet journalists note that not only Chinese cybercriminals are interested in the listed above vulnerabilities.

“In addition, Chinese hackers aren’t the only ones targeting these particular networking appliances. The devices listed above have also been targeted by Iranian state actors, according to a report from the private cyber-security sector and a cyber-security alert published by the FBI last month”, — report ZDNet journalists.

Let me remind you that recently specialists of the Crowdstrike and Dragos companies noticed that the Iranian “government” hackers are putting on sale access to the networks of compromised companies, and provide access to other criminal groups.

I will also remind you that the US authorities warned of a possible intensification of attacks by Iranian hacker groups on the public sector. Perhaps their warning was reasonable.

The post Chinese hackers attack US organizations and exploit bugs in F5, Citrix and Microsoft Exchange appeared first on Gridinsoft Blog.