Cyber thread: network espionage, mobile phone and WLAN tracking, hacking, viruses, DoS etc.

Microsoft has warned of yet another vulnerability that’s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.

The company released the advisory late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.

The vulnerability “exists when the Windows Print Spooler service improperly performs privileged file operations,” according to Microsoft.

MS Spooler. The problems with it just keep going even though they have existed for almost three decades. Maybe it needs a complete rewrite, since the network spooler is one of the ports that is automagically on the scan list. Hardening tip for those who don't know: disable the MS spooler service from the services list if you don't have a printer. If the need arises, it can be turned back on.
 
The US government blamed the Chinese government on Monday for attacks on thousands of Microsoft Exchange servers.

China's Ministry of State Security (MSS) "has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain," US Secretary of State Antony Blinken said in a statement that blamed the MSS for the Microsoft Exchange hacks. The US government and its allies "formally confirmed that cyber actors affiliated with the MSS exploited vulnerabilities in Microsoft Exchange Server in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims," Blinken said.

Blinken's statement was released alongside a Justice Department announcement that three MSS officers and one other Chinese national were indicted by a federal grand jury on charges related to a different series of hacks into the "computer systems of dozens of victim companies, universities, and government entities in the United States and abroad between 2011 and 2018." Blinken said that the US "and countries around the world are holding the People's Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security."

The US did not announce any new sanctions against China, but Blinken said the indictment is evidence that "the United States will impose consequences on PRC malicious cyber actors for their irresponsible behavior in cyberspace."
 
Finland has been a target of NSO's sales efforts. A summary of the Finland part on page 199.
 
China state hackers are compromising large numbers of home and office routers for use in a vast and ongoing attack against organizations in France, authorities from that country said.

The hacking group—known in security circles as APT31, Zirconium, Panda, and other names—has historically conducted espionage campaigns targeting government, financial, aerospace and defense organizations as well as businesses in the technology, construction, engineering, telecommunications, media, and insurance industries, security firm FireEye has said. APT31 is also one of three hacker groups sponsored by the Chinese government that participated in a recent hacking spree of Microsoft Exchange servers, the UK’s National Cyber Security Center said on Monday.
 
The software company at the center of a huge ransomware attack this month has obtained a universal key to unlock files of the hundreds of businesses and public organizations crippled by the hack.

Nineteen days after the initial attack over the Fourth of July weekend, the Florida-based IT management provider, Kaseya, has received the universal key that can unlock the scrambled data of all the attack’s victims, bringing the worst of the fallout to a close.

The so-called supply-chain attack on Kaseya is being labeled the worst ransomware attack to date because it spread through software that companies, known as managed service providers, use to administer multiple customer networks, delivering software updates and security patches.

It affected 800 to 2,000 businesses and organizations – including supermarkets in Sweden and schools in New Zealand whose systems were frozen for days.

News of the key comes after the Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on 13 July.

The group had asked for $50m to $70m for a master key that would unlock all infections. It is not clear how many victims may have paid ransoms before REvil went dark.

A Kaseya spokesperson, Dana Liedholm, would not say on Thursday how the key had been obtained or whether a ransom had been paid. She said only that it had come from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.
 
In the paper, the authors lay out a playbook for how a hacker might design a malware-loaded machine learning model and have it spread in the wild:

"First, the attacker needs to design the neural network. To ensure more malware can be embedded, the attacker can introduce more neurons. Then the attacker needs to train the network with the prepared dataset to get a well-performed model. If there are suitable well-trained models, the attacker can choose to use the existing models. After that, the attacker selects the best layer and embeds the malware. After embedding malware, the attacker needs to evaluate the model’s performance to ensure the loss is acceptable. If the loss on the model is beyond an acceptable range, the attacker needs to retrain the model with the dataset to gain higher performance. Once the model is prepared, the attacker can publish it on public repositories or other places using methods like supply chain pollution, etc."
 
The investigation has been based on forensic analysis of phones and analysis of a leaked database of 50,000 numbers, including that of Macron and those of heads of state and senior government, diplomatic and military officials, in 34 countries.

In multiple statements, NSO said the fact a number appeared on the leaked list was in no way indicative of whether it was selected for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO Group in any way.”

But the list is believed to provide insights into those identified as persons of interest by NSO’s clients. It includes people whose phones showed traces of NSO’s signature phone-hacking spyware, Pegasus, according to forensic analysis of their devices. The analysis was conducted by Amnesty International’s security lab, which discovered traces of Pegasus-related activity on 37 out of 67 phones that it analysed.

NSO has clearly chosen its line: "Nobody did anything, and if they did, they didn't do it under our direction. It was the big boys. They forced us. Really."
 
Malware authors are increasingly using rarely spotted programming languages such as Go, Rust, Nim and DLang in order to create new tools and to hinder analysis, researchers have found.

Use of those four languages is escalating in the number of malware families being identified, according to a report published on Monday by BlackBerry Research and Intelligence Team. The team chose those four languages to examine, partly because they fit its detection methodologies, but also since the languages have strong community backing and could be considered more developed.

“These uncommon programming languages are no longer as rarely used as once thought,” according to the writeup. “Threat actors have begun to adopt them to rewrite known malware families or create tools for new malware sets.”
 
Boffins in Finland have scanned the open-source software libraries in the Python Package Index, better known as PyPI, for security issues and found that nearly half contain potentially vulnerable code.

In a research paper distributed via ArXiv, Jukka Ruohonen, Kalle Hjerppe, and Kalle Rindell from the University of Turku describe how they subjected some 197,000 Python packages available through PyPI to a static analysis tool called Bandit and found more than 749,000 instances of insecure code.

"Even under the constraints imposed by static analysis, the results indicate [the] prevalence of security issues; at least one issue is present for about 46 per cent of the Python packages," the researchers said.

Of the issues identified, most (442,373) are low severity. About 227,426 are moderate severity, present in about 25 per cent of PyPI packages. And about 80,065 are high severity, present in about 11 per cent of PyPI packages.

Of the 46 per cent of packages with issues, the median number of problems is three. But a few packages were much worse than most.

Not a huge surprise. Code libraries go back to the nineties and only now are people waking up to those problems in a big way. Maybe all code from before the 2020s should just be declared legacy code and we should start over.
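As an added illustration of the kind of scan behind the Turku numbers (my example, not the paper's code and not Bandit itself), this Python script applies four Bandit-style checks (test ids B602, B307, B301 and B105, with the severities Bandit assigns them) to three constructed mini-packages and then computes the same summary statistics the study reports: issue counts per severity, the share of packages with at least one issue or one high-severity issue, and the median issue count among affected packages. The secret-name word list is a simplified stand-in for Bandit's own patterns.

```python
import ast
import statistics
from collections import Counter

# Constructed sample: three tiny "packages" as {path: source}. Made-up code, not real PyPI packages.
PACKAGES = {
    "pkg_a": {
        "pkg_a/net.py": "import subprocess\ndef run(cmd):\n    return subprocess.call(cmd, shell=True)\n",
        "pkg_a/cfg.py": "password = 'hunter2'\n",
    },
    "pkg_b": {"pkg_b/core.py": "def add(a, b):\n    return a + b\n"},
    "pkg_c": {
        "pkg_c/load.py": "import pickle\ndef load(blob):\n    return pickle.loads(blob)\n",
        "pkg_c/calc.py": "def calc(expr):\n    return eval(expr)\n",
        "pkg_c/auth.py": "secret = 'sk-test'\n",
    },
}
SHELL_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_output"}
SECRET_WORDS = ("password", "passwd", "secret")  # simplified stand-in for Bandit's name patterns

def _qualname(func):
    """'eval' for a bare name, 'subprocess.call' for a one-level attribute, else ''."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def check_source(source, path):
    """Four Bandit-style checks over one file; returns (path, test_id, severity, lineno) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if isinstance(node, ast.Call):
            name = _qualname(node.func)
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                        for kw in node.keywords)
            if name in SHELL_CALLS and shell:
                findings.append((path, "B602", "HIGH", node.lineno))    # shell=True: command injection risk
            elif name == "eval":
                findings.append((path, "B307", "MEDIUM", node.lineno))  # eval of possibly untrusted input
            elif name in ("pickle.load", "pickle.loads"):
                findings.append((path, "B301", "MEDIUM", node.lineno))  # pickle deserialisation
        elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
              and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(w in target.id.lower() for w in SECRET_WORDS):
                    findings.append((path, "B105", "LOW", node.lineno))  # hardcoded password string
    return findings

def scan_package(files):
    # All findings for one package given as {path: source}.
    return [f for path, source in files.items() for f in check_source(source, path)]

def summarize(packages):
    """Aggregate per-package findings into the statistics the PyPI study reports."""
    per_pkg = {name: scan_package(files) for name, files in packages.items()}
    severity = Counter(sev for fs in per_pkg.values() for _, _, sev, _ in fs)
    affected = [len(fs) for fs in per_pkg.values() if fs]
    with_high = sum(1 for fs in per_pkg.values() if any(sev == "HIGH" for _, _, sev, _ in fs))
    return {
        "severity": dict(severity),
        "pct_with_issue": 100.0 * len(affected) / len(packages),
        "pct_with_high": 100.0 * with_high / len(packages),
        "median_issues_in_affected": statistics.median(affected) if affected else 0,
    }
```

On the constructed sample, two of three packages carry issues (median 2.5 issues each) and one carries a high-severity finding, the same shape of figures the paper reports at PyPI scale.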
 
So much for darkened servers at the headquarters of DarkSide or REvil ransomware groups. Turns out, we’ve got either their rebranded versions or two new ransomware gangs to contend with.

The first new group to appear this month was Haron, and the second is named BlackMatter. As Ars Technica‘s Dan Goodin points out, there may be more still out there.

They’re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. They’re also virtue-signaling a la DarkSide, with similar language about sparing hospitals, critical infrastructure, nonprofits, etc.

Ransomware activity will accelerate over the autumn. Biden warned of a kinetic operation. We'll see what happens.
 
An attack earlier this month on Iran’s train system, which disrupted rail service and taunted Iran’s leadership via hacked public transit display screens, used a never-before-seen wiper malware called Meteor that appears to have been designed for reuse, a security researcher has found.

The initial attack, dubbed MeteorExpress, occurred July 9, when “a wiper attack paralyzed the Iranian train system,” according to a report by Juan Andres Guerrero-Saade at Sentinel Systems.

That attack disrupted service and directed customers via all of the displays and message boards at the train station to call “64411” – the number for the office of Supreme Leader Ali Khamenei – for more information.

“Batch files spawn other batch files, different RAR archives contain intermingled executables, and even the intended action is separated into three payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” Guerrero-Saade wrote.

The wiper also includes much more functionality that was not used in the Iranian train attack, he noted. It can: change passwords for all users; disable screensavers; terminate processes based on a list of target processes; install a screenlocker; disable recovery mode; change boot policy error handling; create scheduled tasks; and log off local sessions, among other actions.
 
"Telcos are a prime target for nation-state espionage programs for various reasons, among them, the ability to collect information about the telco's subscribers," Assaf Dahan, senior director and head of threat research at Cybereason, told The Register. "Knowing the location of individuals, with whom they conversed or texted, can be key to facilitating cyber-espionage and to build profiles on a given list of targets.

"We identified hundreds of gigabytes of data exfiltrated from the environment during our investigation. The threat actors were after high value targets, including business leaders, government officials, politicians, political activists, law enforcement officials, human rights activists, and anyone the Chinese government feels is of interest."

Perhaps the most surprising – and concerning – finding in the report: the intruders were operating in some of the systems for years, in one case all the way back to 2017. As to how they could stay undetected for so long: "It's not an easy question to answer," Dahan told us. "However, I'll provide possible explanations.

"First, the groups involved in these intrusions are considered top-tier APT [Advanced Persistent Threat] groups, known for their sophistication, advanced techniques, and stealth. One of their main goals was to maintain access inside the telcos' networks and to remain under-the-radar for as long as possible and the APT groups invest heavily in efforts to cover their tracks.

"Second, each organisation has its own security posture, relying on different security measures and tools put in place to protect the network," Dahan continued. "Not all security tools are born equal, and unfortunately, traditional security tools can often miss sophisticated attacks. Third, even the best security solution needs to be operated by humans at the end of the day – and humans can make mistakes."
 
Let’s say you’re a large company that has just shipped an employee a brand-new replacement laptop. And let’s say it comes preconfigured to use all the latest, best security practices, including full-disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually all other recommendations from the National Security Agency and NIST for locking down federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?

Research published last week shows that the answer is a resounding "yes." Not only that, but a hacker who has done her homework needs a surprisingly short stretch of time alone with the machine to carry out the attack. With that, the hacker can gain the ability to write not only to the stolen laptop but to the fortified network it was configured to connect to.

Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were going to preclude the usual hacks, including:

 
Russia has put forward a draft convention to the United Nations ostensibly to fight cyber-crime.

The proposal, titled "United Nations Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes," [PDF] calls for member states to develop domestic laws to punish a far broader set of offenses than current international rules recognize.

Russia, the ransomware hotbed whose cyber-spies were blamed for attacking US and allied networks, did not join the 2001 Budapest Convention on Cybercrime because it allowed cross-border operations, which it considers a threat to national sovereignty.

Russian media outlet Tass also said the 2001 rules are flawed because they only criminalize nine types of cyber offenses. The new draft convention from Russia, submitted last week, defines 23 cybercrimes for discussion.

Russia's proposed rule expansion, for example, calls for domestic laws to criminalize changing digital information without permission – "the intentional unauthorized interference with digital information by damaging, deleting, altering, blocking, modifying it, or copying of digital information."

The draft also directs members states to formulate domestic laws to disallow unsanctioned malware research – "the intentional creation, including adaptation, use and distribution of malicious software intended for the unauthorized destruction, blocking, modification, copying, dissemination of digital information, or neutralization of its security features, except for lawful research."

It would forbid "the creation and use of digital data to mislead the user," such as deep fakes – "the intentional unlawful creation and use of digital data capable of being mistaken for data already known and trusted by a user that causes substantial harm."

The proposal also contemplates a broader basis for extradition by stating that, where allowed by domestic law, the listed cybercrimes should not be considered "political offenses" (mostly exempt from extradition under current international conventions).
 
Taiwanese chip designer Realtek has warned of four vulnerabilities in three SDKs accompanying its Wi-Fi modules, which are used in almost 200 products made by more than five dozen vendors.

The flaws allow a remote, unauthenticated attacker to deny service, crash devices, and inject arbitrary commands, the advisory states [PDF]:
  • CVE-2021-35392, Wi-Fi Simple Config stack buffer overflow via UPnP
  • CVE-2021-35393, Wi-Fi Simple Config heap buffer overflow via SSDP
  • CVE-2021-35394, MP Daemon diagnostic tool command injection
  • CVE-2021-35395, management web interface multiple vulnerabilities
The first two are rated high in terms of severity (8.1 on the CVSS scale); the second two are rated critical severity (9.8). These flaws require an attacker to be on the same network as the device, or be able to reach it over the internet, to achieve successful exploitation. As such, these bugs are likely to be abused by malware on someone's PC to hijack their cable internet router and smart home gear; by miscreants to commandeer public Wi-Fi spots; and so on.

Security firm IoT Inspector, based in Bad Homburg, Germany, disclosed the vulnerabilities to Realtek in May, and said more than 65 hardware makers' products incorporate the Realtek RTL819xD module, which implements wireless access point functions and includes one of the vulnerable SDKs.

"By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege," the biz said in its advisory, estimating – conservatively, we think – that almost a million vulnerable devices may be in use, including VoIP and wireless routers, repeaters, IP cameras, and smart lighting controls.

Well, fuck, Realtek products are everywhere. Breaches and so on to be expected.
 
In an award-winning paper today, academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks against any target on the internet.

Authored by computer scientists from the University of Maryland and the University of Colorado Boulder, the research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.

Making matters worse, researchers said the amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of carrying out a DDoS attack known to date and very likely to be abused in the future.


The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic.

Middleboxes usually include the likes of firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) systems.

The research team said they found that instead of trying to replicate the entire three-way handshake in a TCP connection, they could send a combination of non-standard packet sequences to the middlebox that would trick it into thinking the TCP handshake has finished and allow it to process the connection.

Under normal circumstances, this wouldn’t be an issue, but if the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect.

Following extensive experiments that began last year, the research team said that the best TCP DDoS vectors appeared to be websites typically blocked by nation-state censorship systems or by enterprise policies.

Attackers would send a malformed sequence of TCP packets to a middlebox (firewall, DPI box, etc.) that tried to connect to pornography or gambling sites, and the middlebox would reply with an HTML block page that it would send to victims that wouldn’t even reside on their internal networks—thanks to IP spoofing.

Many of these systems work with huge traffic loads and are sometimes misconfigured with traffic loops that send the same malformed TCP packet multiple times through the same or other middleboxes, effectively allowing for infinite-loop DDoS attacks. Researchers said such situations were common in the censorship systems employed by China and Russia.
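As an added, defender-side illustration (my example, not the researchers' code), the following Python script turns the two observations above into a detection rule for a middlebox or NIDS operator: it keeps host pairs that exchanged payload-bearing segments before any SYN was seen, then flags those where the bytes sent back dwarf the bytes that triggered them, which is the block-page amplification signature. A balanced handshake-less flow that simply predates the capture is kept in the first set but not flagged, so the ratio threshold is what separates reflection from an ordinary mid-capture connection. The packet log and addresses are constructed.

```python
# Constructed packet records as (src, dst, tcp_flags, payload_bytes); not a real capture.
# Vantage point: a middlebox/NIDS in front of the 203.0.113.0/24 servers.
PACKETS = [
    # A normal connection: SYN, SYN-ACK, ACK, request, response.
    ("10.0.0.5", "203.0.113.10", "S", 0),
    ("203.0.113.10", "10.0.0.5", "SA", 0),
    ("10.0.0.5", "203.0.113.10", "A", 0),
    ("10.0.0.5", "203.0.113.10", "PA", 120),
    ("203.0.113.10", "10.0.0.5", "PA", 2200),
    # Handshake-less data with a large reply: a small segment claiming to come from
    # 192.0.2.44 is answered with three block-page segments addressed to 192.0.2.44.
    ("192.0.2.44", "203.0.113.10", "PA", 50),
    ("203.0.113.10", "192.0.2.44", "PA", 1440),
    ("203.0.113.10", "192.0.2.44", "PA", 1440),
    ("203.0.113.10", "192.0.2.44", "PA", 1440),
    # Handshake-less but balanced: a connection that simply predates the capture.
    ("10.0.0.9", "203.0.113.20", "PA", 300),
    ("203.0.113.20", "10.0.0.9", "PA", 400),
]


def handshakeless_flows(packets):
    """Map each host pair that exchanged payload before any SYN was seen to
    {"client": first payload sender, "in": bytes from client, "out": bytes to client}."""
    seen_syn = set()
    flows = {}
    for src, dst, flags, length in packets:
        pair = frozenset((src, dst))
        if "S" in flags and "A" not in flags:   # a real SYN: this pair is doing a handshake
            seen_syn.add(pair)
            continue
        if length == 0 or pair in seen_syn:
            continue
        flow = flows.setdefault(pair, {"client": src, "in": 0, "out": 0})
        flow["in" if src == flow["client"] else "out"] += length
    return flows


def suspected_amplification(packets, min_ratio=10.0):
    """(client, server, out/in ratio) for handshake-less flows whose reply volume
    exceeds the triggering volume by at least min_ratio."""
    hits = []
    for pair, flow in handshakeless_flows(packets).items():
        if flow["in"] == 0:
            continue
        ratio = round(flow["out"] / flow["in"], 1)
        if ratio >= min_ratio:
            server = next(h for h in pair if h != flow["client"])
            hits.append((flow["client"], server, ratio))
    return hits


if __name__ == "__main__":
    for client, server, ratio in suspected_amplification(PACKETS):
        print(f"{server} answered handshake-less data from {client} at {ratio}x")
```

On real traffic the same rule would be keyed on the full 4-tuple and run over a time window, since a middlebox under reflection sees many such pairs with the same claimed client address.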
 