Firewall Firm is a Managed Cyber Security Company in India

Tag Archives: Cyber Security Company


Over 3,000 Magento shops have been hacked via insecure extensions in the last 3 months

  • Attackers use a bug in one extension to break into a store, download the other installed extensions and then search that code for zero-day security issues.
  • Failing to keep extensions up to date is one of the main causes of the rise in such attacks.

Recent research shows that Magento shops are being targeted through vulnerable third-party extensions or modules. Attackers abuse one weak extension to get into a store, then use what they find there to scan the internet for other vulnerable victims.

Attack process

According to security researcher and Magento forensic investigator Willem de Groot, attackers use a bug in one extension to download the other installed extensions and then search that code for zero-day issues such as PHP Object Injection (POI), SQL injection and cross-site scripting flaws.

“The method is straightforward: attacker uses an extension bug to hack into a Magento store. Once in, they download all of the other installed extensions. The attacker then searches the downloaded code for 0day security issues, such as POI, SQLi and XSS flaws. Once found, the attacker launches a global scan to find vulnerable victims. Rinse and repeat,” said de Groot in a blog post.

The researcher, who has been monitoring and documenting card-skimming activity on Magento shops, estimates that over 3,000 stores have been compromised through insecure extensions in the last three months.

Failing to keep extensions up to date is one of the main causes of the rise in such attacks.

“Many extension releases are backward incompatible, which requires costly developer hours. There is no standardized way to get notified of critical releases. And most important: merchants value stability above all, which does not fit well with a continuous upgrade policy,” he noted.

Solution

Willem de Groot has compiled a list of vulnerable Magento extensions. Online merchants can check their sites against the list with a Magerun module or a single-line command; both require shell access to the server. For each match, the scan reports:

  • The name of the vulnerable module
  • The latest version of the extension
  • The part of the URL that attackers use to exploit the module
  • Which of those URLs are currently under attack
  • The URL with upgrade instructions.

De Groot notes that most of the vulnerable extensions are found on Magento 1 installations.

Google works on spotting dodgy ‘evil domains’

Google is working on a way for Chrome to do a better job of spotting fake websites that seek to trick people into handing over personal information.

It is concentrating on websites whose names use look-alike letters and digits to approximate a recognised brand.

The work will mean Chrome will warn people they are about to visit sites it believes are fake.

Security firm Wandera said it had seen a “constant rise” in attacks using the non-standard characters.

The criminal gangs were exploiting punycode, the encoding that represents internationalised (non-ASCII) domain names as ASCII strings beginning with “xn--”. Browsers decode these back into their Unicode form for display, so a name built from look-alike characters can render almost identically to the brand it imitates.

British Airways was a popular target for gangs using these attacks, said the security firm.

Hidden danger

Google engineer Emily Stark talked about the search giant’s development of the “evil domain” spotter at the Usenix Enigma security conference this week. Google has also shared early versions of the tool to help web developers test and refine it.

While Chrome already includes features that aim to spot known unsafe sites, the new tool would go much further.

Ms Stark said more needed to be done, because currently staying secure often relied on users noticing when domains were dodgy – even when experts would struggle to distinguish legitimate ones from those crafted by cyber-criminals.

In particular, the tool will seek to tackle the growth of so-called homograph attacks that exploit modern browsers’ ability to handle non-English characters.

Because the browser shows the decoded Unicode form, that display can hide the fact that the site was not created by the organisation it appears to represent.

Haris Kampouris, head of threat research at Wandera, said more and more cyber-crime gangs had turned to homograph attacks that abuse the punycode technology.

“We are still seeing a constant rise on this type of scam or phishing domain,” he told the BBC. “That’s likely to be due to the plentiful combinations that can be used.”

Wandera had recently seen punycode domains for Google, BA, Adidas, Tesco, Asda and Ryanair that typically include one character that differed only slightly from its English equivalent, he said.

BA was currently the most-targeted UK brand in terms of punycode domains, said Mr Kampouris.

Many security firms and independent researchers have released browser add-ons or standalone programs that spot phishing domains and warn users about them.

Mr Kampouris said Google’s move was a “step in the right direction” in tackling homograph-based attacks but hoped that the feature would make it to browsers on mobile devices which often did not receive protections seen on desktops and laptop versions.
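A simplified version of the kind of check described above, as an added example that is not Google's or Chrome's code: decode each label's punycode with Python's idna codec, flag labels that mix scripts, and map a small table of look-alike characters back to Latin to compare a "skeleton" of the label against a brand list. CONFUSABLES is a deliberately incomplete hand-picked subset (an assumption; Unicode's confusables data is far larger) and BRANDS is a constructed list of names mentioned in the article.

```python
"""Flag homograph look-alike hostnames: decode punycode, detect mixed-script
labels and compare a 'skeleton' of the label against known brands.
Added example; CONFUSABLES is a small hand-picked subset (assumption), not
Unicode's full confusables table, and BRANDS is a constructed list."""
import unicodedata

BRANDS = {"google", "britishairways", "adidas", "tesco", "asda", "ryanair"}

# Cyrillic/Greek/Latin letters that render almost identically to ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p", "\u0261": "g",
}

def decode_label(label: str) -> str:
    """Turn an 'xn--' label back into the Unicode form the address bar would show."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label

def scripts_of(label: str) -> set:
    """Script of each letter, taken from the Unicode character name prefix
    ('LATIN SMALL LETTER A' -> 'LATIN'). Digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts

def skeleton(label: str) -> str:
    """Replace known look-alikes with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label).lower()

def assess(hostname: str) -> list:
    """Return findings as (kind, raw_label, detail); an empty list means no signal."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(("mixed-script", raw, "+".join(sorted(scripts))))
        sk = skeleton(label)
        if sk != label.lower() and sk in BRANDS:
            findings.append(("brand-lookalike", raw, sk))
    return findings

def to_punycode(hostname: str) -> str:
    """Build test input: the ASCII wire form a registrar or DNS resolver sees."""
    return hostname.encode("idna").decode("ascii")

if __name__ == "__main__":
    # Constructed sample: Latin g, g, l, e with two Cyrillic 'о' (U+043E) in between.
    for host in ("google.com", to_punycode("g\u043e\u043egle.com")):
        print(host, assess(host))
```

The mixed-script rule catches names that combine Latin and Cyrillic letters; the skeleton rule also catches labels written entirely in one non-Latin script whose glyphs imitate a brand, which a pure script check would pass.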

Updated version of Remexi malware leveraged to spy on foreign diplomats in Iran

  • The malware can record keystrokes, take screenshots of windows and steal credentials, logins and browser history.
  • Once installed, it first connects to the attackers’ C2 server to receive commands.

An updated version of the Remexi malware was used in a cyber-espionage campaign that targeted Iranian IP addresses late last year. The goal of the campaign was to infect systems belonging to foreign diplomats residing within Iran’s borders.

Remexi malware is typically associated with an APT group named Chafer. According to Denis Legezo, a researcher from Kaspersky, the malware’s use in the 2018 campaign suggests that Iranian actors may have executed a domestic operation against these foreign diplomatic entities.

Remexi malware capabilities

Although Remexi dates back to at least 2015, the newest module was compiled in March 2018, according to its timestamp.

“The main tool used in this campaign is an updated version of the Remexi malware, publicly reported by Symantec back in 2015. The newest module’s compilation timestamp is March 2018. The developers used GCC compiler on Windows in the MinGW environment,” said Legezo in a blog post.

The malware can record keystrokes, take screenshots of windows, steal credentials, logons and browser history, and execute remote commands.

Once installed, the malware first connects with the C2 server of hackers in order to receive malicious commands.

“Its C2 is based on IIS using .asp technology to handle the victims’ HTTP requests. All the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system registry. The standalone thread will decrypt and execute them,” Legezo explained.

There is no evidence of how the new variant of Remexi spreads. However, in one instance of infection, researcher Legezo was able to establish a connection between Remexi and an AutoIT script compiled as a PE file. Kaspersky believes that this executable may have been used to drop the Remexi malware.

New JobCrypter ransomware variant captures screenshots of infected devices

Security researchers have discovered a new variant of the two-year-old JobCrypter ransomware that now features an additional encryption layer and a much longer decryption key, making it stronger and harder to break than its earlier variants.

While analysing the ransomware, researchers at Trend Micro also observed that it features the ability to send a screenshot of a targeted device to an email address via SMTP and can even change the wallpaper of infected devices to include a ransom note as well as a display box containing details of ransom demands and instructions.

“Once it finds a file, it encodes all the file’s content to Base64 and encrypts the encoded content with Triple DES algorithm, and then encodes the encrypted file again to Base64. It also prepends the ransom note with the encrypted file instead of dropping another file in the system as most ransomware routines do before it finally deletes the original file in the drive.

“The ransom note demands a payment of €1,000 within 24 hours to get the decrypter. The key is made of 67 digits of random numbers between 0 to 9 – found in the registry and body of the sent email – but is deleted by the malware itself during encryption of the files,” they noted in a blog post detailing the ransomware’s traits.

Commenting on the new variant, Roy Rashti, cyber-security expert at BitDam, told SC Magazine UK that the earlier JobCrypter was not among the most potent ransomware of its time: it used a relatively weak 20-character decimal key, which left it open to brute-force attacks.

The original ransomware also behaved predictably in several ways, which let security professionals work out how its random function was seeded and recover the encryption key in about 10 seconds.

“In the new version, the attackers have significantly improved the encryption method using the Triple DES algorithm and longer keys,” Rashti added.

Despite such improvements, the new JobCrypter variant does have an Achilles heel after all. According to researchers at Trend Micro, the 67-digit decryption key required by victims to recover their files is initially stored in the registry and body of the sent email before it is deleted by the malware itself during encryption of the files.

“Since the key used in encrypting the files was in the system prior to deletion, decryption is possible. Experienced cybersecurity practitioners will notice and know that while the routine is unconventional, the ransom note always ends in “;” and is prepended before the encrypted file content, making it possible to recover important data files,” they added.
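The file layout Trend Micro describes, as an added triage helper that is not Trend Micro's code: split the note from the body at the first “;”, strip the outer Base64 layer to get the raw 3DES ciphertext and sanity-check its block alignment, and grep an email body or registry export for a 67-digit run, which is where the key is reported to survive. The sample file and email are constructed; the 3DES decryption itself needs the recovered key and a crypto library and is deliberately left out.

```python
"""Triage helper for the JobCrypter file layout described above:
<ransom note ending in ';'><Base64(3DES(Base64(original file)))>.
Added example, not Trend Micro's tooling; the sample file and email are
constructed, and the 3DES step is deliberately left to a separate tool."""
import base64
import binascii
import re

def split_note(data: bytes):
    """Separate the prepended note from the ciphertext at the first ';'
    (assumes the note itself contains no earlier ';')."""
    end = data.find(b";")
    if end == -1:
        raise ValueError("no ';' terminator: not the described layout")
    return data[:end + 1], data[end + 1:]

def unwrap_outer_base64(body: bytes) -> bytes:
    """Decode the outer Base64 layer to the raw 3DES ciphertext and sanity-check it:
    3DES works on 8-byte blocks, so the length must be a non-zero multiple of 8."""
    try:
        ciphertext = base64.b64decode(body, validate=True)
    except binascii.Error as err:
        raise ValueError(f"outer layer is not Base64: {err}")
    if not ciphertext or len(ciphertext) % 8:
        raise ValueError("ciphertext is not a whole number of 3DES blocks")
    return ciphertext

def looks_like_jobcrypter(data: bytes) -> bool:
    """True if the bytes fit the note + Base64 layout; cheap enough for a bulk sweep."""
    try:
        unwrap_outer_base64(split_note(data)[1])
        return True
    except ValueError:
        return False

# The new variant's key is reported as 67 decimal digits, left in the registry and
# in the body of the email the malware sends; look for exactly that run length.
KEY_RE = re.compile(rb"(?<!\d)\d{67}(?!\d)")

def find_candidate_keys(blob: bytes) -> list:
    """Return every standalone 67-digit run in an email body or registry dump."""
    return [m.group(0).decode() for m in KEY_RE.finditer(blob)]

# --- constructed sample data (not real ransomware output) ---------------------
NOTE = b"Your files are encrypted. Pay 1000 EUR within 24 hours;"
FAKE_CIPHERTEXT = bytes(range(32))            # stands in for 4 blocks of 3DES output
SAMPLE_FILE = NOTE + base64.b64encode(FAKE_CIPHERTEXT)
KEY = "".join(str(i % 10) for i in range(67))  # constructed 67-digit key
SAMPLE_EMAIL = (b"Subject: infected WS-17\r\n\r\nid=12345678901234567890 key="
                + KEY.encode() + b" status=done")

if __name__ == "__main__":
    note, body = split_note(SAMPLE_FILE)
    print("note:", note.decode())
    print("3DES ciphertext bytes:", len(unwrap_outer_base64(body)))
    print("candidate keys:", find_candidate_keys(SAMPLE_EMAIL))
```

The 20-digit decoy in the sample email is ignored because the pattern anchors on exactly 67 digits with no digit on either side; once the real key is recovered, decrypting the block-aligned ciphertext and Base64-decoding the result is the remaining step.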

Rashti added that there are tell-tale signs of the ransomware before it starts encrypting files. It usually arrives in zip files or business-themed folders attached to phishing or spam emails sent to targeted individuals or businesses.

Advanced threat protection that can detect such attachments, together with a reputable endpoint product, can stop the new variant before it infects a device. Because the ransomware initially stays dormant and only registers itself to run after a reboot, targeted businesses and individuals need to spot it during that window, before the next restart.

According to Martin Jartelius, CSO at Outpost24, simple ways to reduce the impact are to give users write access only where needed, to ensure that local users are not administrators on their devices, and to stop the system from executing software from temporary internet files or temporary email folders.

“The most important steps users can take is ensuring that their systems are up-to-date, and they have endpoint protection software with the latest definitions installed. AV vendors and independent researchers are constantly finding and reporting new strains of malware, and it’s critical to stay on top of updates to ensure you remain protected from emerging threats. It is also important to take regular, full backups to ensure your data is protected in case of disaster,” says Ben Schmidt, CSO at PolySwarm.

Cyber Security Predictions: 2019 and Beyond

As you think about how to prepare for a new year of cyber threats, here are the trends and activities most likely to affect your organization.

In anticipating the major cyber security and privacy trends for the coming year, you can find plenty of clues in the events of the past 12 months. Among the now familiar forms of attack, cyber hacks of major corporate systems and websites continued in 2018 and will inevitably be part of the 2019 cyber security scene. Many well-known organizations around the world suffered significant breaches this year. The single largest potential data leak, affecting marketing and data aggregation firm Exactis, involved the exposure of a database that contained nearly 340 million personal information records.

Beyond all-too-common corporate attacks, 2018 saw accelerated threat activity across a diverse range of targets and victims. In the social networking realm, Facebook estimated that hackers stole user information from nearly 30 million people. A growing assortment of nation-states used cyber probes and attacks to access everything from corporate secrets to sensitive government and infrastructure systems. At the personal level, a breach into Under Armour’s MyFitnessPal health tracker accounts resulted in the theft of private data from an estimated 150 million people.

So, what can we expect on the cyber security front in the coming year? Here are some of the trends and activities most likely to affect organizations, governments, and individuals in 2019 and beyond.

Japan To Survey 200 Million Gadgets For Cyber Security Ahead Of Olympics

Tokyo is rushing to beef up cyber security as the nation prepares to host major global events, such as the Rugby World Cup this year, the Group of 20 meetings and the summer Olympic Games.

TOKYO, JAPAN: 

Japan is preparing a national sweep of some 200 million network-connected gadgets for cyber-security lapses ahead of the 2020 Tokyo Olympic Games, an official said on Tuesday.

The government-backed National Institute of Information and Communications Technology will start the survey from February to check potential vulnerabilities in items such as routers, webcams and web-connected home appliances.


Cyber security has become increasingly important as sporting events introduce new technologies for everything from broadcasting to ticketing.

For the study, researchers will take common but unsafe IDs and passwords often exploited by malware — like “abcd”, “1234” or “admin” — to see if devices are readily accessible by hackers, said institute spokesman Tsutomu Yoshida.

The researchers will survey gadgets with the consent of internet service providers and will mostly examine products that use physical cables to access the internet, Yoshida said.

The institute will not conduct expensive and complex operations necessary to check individual mobile gadgets like smartphones, but the survey may examine routers at cafes, for example, that provide free connectivity for mobile users, Yoshida said.

“Too often, we see webcams, for example, that are already being hacked because security settings are too simple and their images are being seen by outsiders. Sometimes they are put on public websites without the owners being aware,” Yoshida said.

“We will see, of roughly 200 million products to be surveyed, how many are being exposed” to risks, Yoshida said.

The survey will notify ISPs about vulnerable users without breaking into individual gadgets to view data stored inside, he added.
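The check the survey describes, as an added example that is not NICT's tooling: try a short list of factory-default logins against a device's HTTP admin page over Basic authentication and report the first pair that is accepted, treating only 401/403 as "wrong password" and anything else as a reason to stop. The target here is a constructed in-process mock router that ships with admin/1234, and the credential list is illustrative; run this only against devices you own or are authorised to test.

```python
"""Weak-credential check of the kind the NICT survey describes: try a short list
of default logins against a device's HTTP admin page and report the first that
works. Added example, not NICT's tooling; the target is a constructed in-process
mock router and the credential list is illustrative. Only test devices you are
authorised to test."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed list of common factory defaults; extend it from vendor documentation.
WEAK_CREDS = [("admin", "admin"), ("admin", "1234"), ("root", "abcd"), ("admin", "")]

def check_device(url: str, creds=WEAK_CREDS, timeout: float = 3.0):
    """Return the first (user, password) accepted with HTTP Basic auth, else None.
    Only 401/403 count as 'wrong password'; other errors abort the check."""
    for user, password in creds:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if 200 <= resp.status < 300:
                    return (user, password)
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                continue
            return None            # some other failure: do not keep hammering
        except OSError:
            return None            # unreachable, refused or timed out
    return None

class _MockRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for a router admin page that ships with admin/1234."""
    EXPECTED = "Basic " + base64.b64encode(b"admin:1234").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.EXPECTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<h1>Router admin</h1>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):
        pass                       # keep the demo output clean

def demo():
    """Start the mock on a random loopback port, audit it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _MockRouter)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return check_device(f"http://127.0.0.1:{server.server_address[1]}/")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("weak credentials accepted:", demo())
```

Stopping on the first hit and on any non-authentication error keeps the probe light on the device, which matters when the sweep covers millions of consumer gadgets through their ISPs rather than a lab target.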

Major global sporting events like the football World Cup and the Olympics face a growing threat from cyber attacks.

At the PyeongChang winter Olympic Games last year for example, internal internet and wifi systems went down just as the opening ceremonies began.

PyeongChang officials acknowledged they had been the victim of a cyber attack, without elaborating further.

Zero-day vulnerability in ‘Total Donations’ plugin could allow attackers to take over WordPress sites

  • The zero-day affects all versions of Total Donations plugin, a commercial plugin that is used to gather and manage donations.
  • The plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site as a whole to external manipulation.

WordPress site owners are being alerted about an unpatched vulnerability discovered in ‘Total Donations’ plugin. The vulnerability, identified as CVE-2019-6703, could allow attackers to take over affected sites.

Mikey Veenstra, a security researcher at Defiant, observed attackers exploiting this zero-day to compromise WordPress sites over the past week.

About CVE-2019-6703

The zero-day affects all versions of Total Donations plugin, a commercial plugin that is used to gather and manage donations from the respective user bases.

Giving more details, Veenstra explained that the plugin’s code contains several design flaws that inherently expose the plugin and the WordPress site as a whole to external manipulation.

“Searching the site’s codebase for the strings migla_getme and miglaA_update_me revealed the installed Total Donations plugin, and we quickly identified the exploited vulnerabilities as well as the attacker’s workflow,” said Veenstra in a blog post.

Where does the flaw exist?

The plugin registers AJAX endpoints that can be queried by anyone, without authentication.

“Total Donations registers a total of 88 unique AJAX actions into WordPress, each of which can be accessed by unauthenticated users by querying the typical /wp-admin/admin-ajax.php endpoint. We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely,” Veenstra added.

Through these actions an attacker can change core settings of the WordPress site, redirect the destination account for donations received through the plugin, and retrieve the site’s Mailchimp mailing lists.
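A static check for the pattern Veenstra describes, as an added example that is not Defiant's tooling and not the Total Donations source: list every wp_ajax_ and wp_ajax_nopriv_ registration, locate the callback function, and report which callbacks perform no nonce or capability check. The PHP excerpt is constructed (the action names are invented, not the plugin's), the guard list is a pragmatic subset (an assumption), and the last callback shows the guarded form.

```python
"""Static check for WordPress AJAX handlers that trust unauthenticated callers:
list every wp_ajax_* / wp_ajax_nopriv_* registration, find its callback and
report which callbacks perform no nonce or capability check. Added example,
not Defiant's tooling and not the Total Donations source; the PHP excerpt is
constructed and the guard list is a pragmatic subset (assumption)."""
import re

SAMPLE_PLUGIN = r'''<?php
add_action( 'wp_ajax_nopriv_donate_getme', 'donate_getme' );
add_action( 'wp_ajax_donate_getme', 'donate_getme' );
add_action( 'wp_ajax_nopriv_donate_update_me', 'donate_update_me' );
add_action( 'wp_ajax_donate_list_campaigns', 'donate_list_campaigns' );

function donate_getme() {
    // Returns any option the caller names, e.g. admin_email or siteurl.
    echo json_encode( get_option( $_POST['name'] ) );
    wp_die();
}
function donate_update_me() {
    // Writes any option the caller names: this is the site-takeover primitive.
    update_option( $_POST['name'], $_POST['value'] );
    wp_die();
}
function donate_list_campaigns() {
    // Guarded form: CSRF nonce plus a capability check.
    check_ajax_referer( 'donate_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );
    }
    echo json_encode( get_posts( array( 'post_type' => 'campaign' ) ) );
    wp_die();
}
'''

REGISTRATION = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
NONCE_GUARDS = ("check_ajax_referer", "wp_verify_nonce")
CAP_GUARDS = ("current_user_can", "is_user_logged_in")
WRITES = ("update_option", "wp_insert_user", "wp_update_user", "update_user_meta")

def function_body(src: str, name: str):
    """Return the text between the braces of `function name(...) {...}`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:          # brace matching handles nested blocks
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_actions(src: str) -> list:
    """One record per registration: who can call it and what the callback checks."""
    findings = []
    for nopriv, action, callback in REGISTRATION.findall(src):
        body = function_body(src, callback) or ""
        findings.append({
            "action": action,
            "unauthenticated": bool(nopriv),
            "callback": callback,
            "nonce_check": any(g in body for g in NONCE_GUARDS),
            "capability_check": any(g in body for g in CAP_GUARDS),
            "writes": any(w in body for w in WRITES),
        })
    return findings

def unguarded_nopriv(src: str) -> list:
    """nopriv actions whose callback checks nothing: anyone on the internet can call them."""
    return sorted(f["action"] for f in audit_ajax_actions(src)
                  if f["unauthenticated"] and not (f["nonce_check"] or f["capability_check"]))

def weak_authenticated(src: str) -> list:
    """Logged-in actions with no capability check: any subscriber-level account can call them."""
    return sorted(f["action"] for f in audit_ajax_actions(src)
                  if not f["unauthenticated"] and not f["capability_check"])

if __name__ == "__main__":
    for f in audit_ajax_actions(SAMPLE_PLUGIN):
        print(f)
    print("unauthenticated, no checks:", unguarded_nopriv(SAMPLE_PLUGIN))
    print("logged-in, no capability check:", weak_authenticated(SAMPLE_PLUGIN))
```

A `current_user_can` call inside a nopriv handler is counted as a guard because anonymous callers have no capabilities and are refused; a nonce alone is a weaker guard, since nonces protect against CSRF rather than against an attacker who can fetch the page that embeds them.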

Defiant said that the developer’s site for the plugin appears to have gone inactive since May 2018. As there is no security patch for the vulnerability, users are therefore requested to delete or deactivate the plugin as soon as possible in order to secure their sites.

‘Fake Stake’ attacks vulnerability found in 26 low-end cryptocurrencies

  • The flaws could enable attackers to take control over a currency’s entire blockchain transactions and conduct fraudulent operations.
  • The research team claims that the two issues were discovered in August 2018.

Two severe security flaws have been discovered in 26 Proof-of-Stake (PoS) cryptocurrencies. Dubbed ‘Fake Stake’ attacks, they let an attacker holding little or no stake, far short of the 51 percent a majority attack would need, crash rival network nodes by exhausting their disk or memory.

Side-effects of the flaws

The flaws were discovered by a group of four academics from the University of Illinois at Urbana-Champaign in the US. The researchers found that the flaws could enable attackers to take control over a currency’s entire blockchain transactions and conduct fraudulent operations.

The affected currencies use chain-based PoSv3 (Proof-of-Stake version 3). They fork Bitcoin’s codebase and graft PoS functionality onto it, but some of Bitcoin’s validation logic was carried over without accounting for the different trust assumptions of PoS, and that is what introduces the new vulnerabilities.

“We call the vulnerabilities we found ‘Fake Stake’ attacks. Essentially, they work because PoSv3 implementations do not adequately validate network data before committing precious resources (disk and RAM). The consequence is that an attacker without much stake (in some cases none at all) can cause a victim node to crash by filling up its disk or RAM with bogus data. We believe that all currencies based on the UTXO and longest chain Proof-of-Stake model are vulnerable to these “Fake Stake” attacks,” the researchers wrote on Medium.
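A toy model of the issue the researchers describe, as an added example that is neither their proof-of-concept nor any coin's implementation: a node that stores incoming blocks before checking that the claimed coinstake output exists in its UTXO set can be filled with junk by a peer holding no coins, whereas a node that performs the cheap existence check first rejects every fake block and still accepts an honest one. Block layout, sizes and chain state are constructed; a real fix would also confirm the output is unspent at the claimed fork point.

```python
"""Toy model of the resource-exhaustion issue behind the 'Fake Stake' attacks:
a node that stores incoming PoS blocks before checking that the claimed stake
output exists can be filled with junk by a peer holding no coins at all.
Added example; block layout, sizes and chain state are constructed."""
from collections import namedtuple

# A minimal block: the coinstake input it claims plus opaque payload bytes.
Block = namedtuple("Block", "height prev_hash stake_txid stake_vout payload")

class Node:
    def __init__(self, utxo, validate_stake_first, max_pending_bytes=256 * 1024):
        self.utxo = set(utxo)                 # spendable (txid, vout) pairs this node knows
        self.validate_stake_first = validate_stake_first
        self.max_pending_bytes = max_pending_bytes
        self.pending = []                     # blocks held in RAM/disk awaiting connection
        self.pending_bytes = 0

    def stake_exists(self, block):
        """Cheap check: does the coinstake input refer to an output we know of?"""
        return (block.stake_txid, block.stake_vout) in self.utxo

    def receive(self, block):
        """Return True if the block was stored. The vulnerable configuration
        commits storage first (full validation would only happen later, after
        the resource is spent); the hardened one rejects unknown stake up front."""
        if self.validate_stake_first and not self.stake_exists(block):
            return False
        if self.pending_bytes + len(block.payload) > self.max_pending_bytes:
            return False                      # out of space: the node is effectively down
        self.pending.append(block)
        self.pending_bytes += len(block.payload)
        return True

def fake_stake_flood(node, count, size=1024):
    """Attacker with no stake sends blocks whose coinstake points at outputs that do not exist."""
    accepted = 0
    for i in range(count):
        blk = Block(height=10_000 + i, prev_hash="ff" * 32,
                    stake_txid=f"{i:064x}", stake_vout=0, payload=b"\x00" * size)
        accepted += node.receive(blk)
    return accepted

KNOWN_UTXO = [("a1" * 32, 0), ("b2" * 32, 1)]   # constructed chain state

def demo(count=500):
    """Flood both node types, then offer the hardened node an honest block."""
    vulnerable = Node(KNOWN_UTXO, validate_stake_first=False)
    hardened = Node(KNOWN_UTXO, validate_stake_first=True)
    junk_stored = fake_stake_flood(vulnerable, count)
    junk_rejected_all = fake_stake_flood(hardened, count) == 0
    honest = Block(1, "00" * 32, "a1" * 32, 0, b"\x01" * 1024)
    return (junk_stored,
            vulnerable.pending_bytes >= vulnerable.max_pending_bytes,
            junk_rejected_all,
            hardened.receive(honest))

if __name__ == "__main__":
    stored, full, rejected, honest_ok = demo()
    print(f"vulnerable node stored {stored} fake blocks, buffer full: {full}")
    print(f"hardened node rejected all fakes: {rejected}, accepted honest block: {honest_ok}")
```

The hardened path spends one set lookup per block before any allocation, which is the ordering the researchers' quote asks for: validate the network data, then commit disk and RAM.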

Impacted cryptocurrencies

The research team claims that the two issues were discovered in August 2018. Upon discovery, it started contacting the development teams of the affected cryptocurrencies in October.

However, some development teams could not be reached because their GitHub accounts appear to have gone inactive. Demo code for reproducing the two vulnerabilities is available on GitHub.

The list of impacted cryptocurrencies includes the names of NavCOIN, Qtum, Emercoin, HTMLCOIN, ReddCoin, CloakCoin, BitBay, Linda, Phore, PotCoin and more.

Although some cryptocurrencies have deployed mitigations for the reported bugs, the researchers believe these mitigations are not fool-proof and are investigating better ways to address the problem.

Multivector, multi-platform malware attacks on exposed cloud infrastructure are prevalent and mass-scale

Persistent attacks on exposed cloud infrastructure are the result of a perfect storm that combines cryptomining, ransomware and botnet/worm behaviour on both Linux and Windows, the Securonix Threat Research Team reported.

“The attack activity described in the report is likely prevalent and mass-scale,” Oleg Kolesnikov told SC Media.

The research from Addison, Texas-based Securonix provides further insight into the inner workings of particularly persistent, and complex, threats to cloud infrastructure.

“Based on what we’ve been seeing in the wild, it has been taking on the order of minutes for new exposed IPs to be compromised by different threat actors using the attack vectors discussed in the report,” said Kolesnikov, who co-authored the report with Harshvardhan Parashar.  

Xbash, a botnet that came to notice a few months ago but has been active since May 2018, uses multiple attack vectors and targets multiple platforms in some of its attacks, while other observed attacks are “fairly trivial” single-vector, single-platform operations focused mainly on cryptomining.

Xbash infects both Linux and Windows systems. Rather than encrypting files, it deletes critical databases outright, has no functionality to back up or recover them, and then impersonates a ransomware attack, while also installing cryptojacking scripts.

“We are seeing more and more cases where attackers are leveraging multiple different attack modalities as part of the actions on objectives in the same attack campaign,” Kolesnikov explained, adding that the trend is “becoming part of the norm.” Subsequently, blue teams need to be able to deal with such an attack combination on a daily basis, he added.

From a detection perspective, some of the attacks match behaviours previously observed from Moanacroner and Xbash. “But these are not the only attacks that were observed exhibiting the behaviors,” Kolesnikov noted.

“In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access,” the report stated. “In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads.”
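One way for a blue team to surface the "multiple attack modalities in one campaign" pattern Kolesnikov describes, as an added example that is not Securonix's detection content: classify host log events into modalities (database destruction, cryptomining, worm-style scanning, ransom demand) and alert when a single host shows two or more of them inside a short window. The indicator patterns are illustrative and the log lines are constructed, not real telemetry.

```python
"""Correlate host events into attack 'modalities' (database destruction,
cryptomining, worm-style scanning, ransom demand) and alert when one host
shows two or more within a short window: the multivector pattern the report
describes. Added example, not Securonix's detection content; the patterns are
illustrative and the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative indicators per modality; production content would be far broader.
PATTERNS = {
    "db-destroy": re.compile(r"FLUSHALL|DROP DATABASE|rm -rf /var/lib/(mysql|redis|mongo)", re.I),
    "miner":      re.compile(r"xmrig|minerd|stratum\+tcp|cryptonight", re.I),
    "worm-scan":  re.compile(r"outbound .*port (6379|8088|7001|2375|22)\b", re.I),
    "ransom":     re.compile(r"PLEASE_READ_ME|send .* bitcoin", re.I),
}
LINE = re.compile(r"^(\S+) (\S+) (.*)$")   # "<iso-timestamp> <host> <message>"

def parse(line: str):
    """Split a constructed '<timestamp> <host> <message>' line into its parts."""
    ts, host, msg = LINE.match(line).groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg

def classify(msg: str) -> set:
    """Every modality whose indicator matches the message (may be empty)."""
    return {name for name, rx in PATTERNS.items() if rx.search(msg)}

def correlate(lines, window=timedelta(minutes=10), min_modalities=2) -> dict:
    """Return {host: set_of_modalities} for hosts showing >= min_modalities
    distinct modalities inside any `window` that starts at one of their events."""
    events = defaultdict(list)
    for line in lines:
        ts, host, msg = parse(line)
        for modality in classify(msg):
            events[host].append((ts, modality))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for start, _ in evs:
            seen = {m for t, m in evs if start <= t <= start + window}
            if len(seen) >= min_modalities:
                alerts[host] = seen
                break
    return alerts

# Constructed sample log (not real telemetry): web-01 shows four modalities in
# four minutes; web-03 only runs a miner; db-02 is benign.
SAMPLE_LOG = [
    "2019-02-03T10:01:12Z web-01 redis[1123]: FLUSHALL received from 203.0.113.9",
    "2019-02-03T10:01:40Z web-01 mysqld[2201]: DROP DATABASE `shop` by 'root'@'203.0.113.9'",
    "2019-02-03T10:02:05Z web-01 mysqld[2201]: created database PLEASE_READ_ME_XYZ",
    "2019-02-03T10:03:11Z web-01 audit: exec /tmp/.x/xmrig -o stratum+tcp://pool.invalid:3333",
    "2019-02-03T10:05:02Z web-01 fw: outbound 10.0.0.0/24 port 6379 from pid 4412 (burst)",
    "2019-02-03T10:05:00Z db-02 mysqld[880]: backup completed successfully",
    "2019-02-03T11:40:00Z web-03 audit: exec /var/tmp/xmrig -o stratum+tcp://pool.invalid:3333",
]

if __name__ == "__main__":
    for host, mods in correlate(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(sorted(mods))}")
```

web-03 is deliberately not alerted: a lone miner is the "fairly trivial" single-vector case and belongs to a separate, lower-priority rule, whereas the combination on web-01 is what distinguishes the campaign the report describes.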
