This posting is here to collect cyber security news in October 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in October 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
236 Comments
Tomi Engdahl says:
Endpoint Security
Microsoft’s Take on Kernel Access and Safe Deployment Following CrowdStrike Incident
SecurityWeek talked to David Weston, VP enterprise and OS security at Microsoft, to discuss Windows kernel access and safe deployment practices
https://www.securityweek.com/microsofts-take-on-kernel-access-and-safe-deployment-practices-following-crowdstrike-incident/
As the dust settles following the massive Windows BSOD tech outages caused by CrowdStrike in July 2024, the question is now, how do we prevent this happening again? Microsoft convened a summit with members of its Microsoft Virus Initiative (MVI – of which CrowdStrike is one) to discuss a problem that has no simple solution.
SecurityWeek talked to David Weston, VP enterprise and OS security at Microsoft, for a better understanding of Microsoft’s current thinking and plans.
The CrowdStrike incident
Simplistically, back in February 2024, CrowdStrike introduced a new InterProcess Communication (IPC) Template Type with Falcon sensor version 7.1 that defined 21 input fields. CrowdStrike’s rapid response mechanism uses content delivered via Channel Files. The content interpreter for the Channel File 291 provided only 20 input values to match against.
David Weston, Microsoft
David Weston, VP enterprise and OS security at Microsoft.
On July 19, 2024, two additional IPC Template Instances were deployed. This required a comparison against the 21st value when only 20 were expected. In CrowdStrike’s words, “The attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash.”
From a technical perspective, Microsoft was as much a victim of this incident as were the endpoints that suffered the BSOD – Microsoft had no direct involvement. The CrowdStrike kernel driver had been evaluated and signed by the Microsoft Windows Hardware Quality Labs (WHQL) after a full evaluation. The cause of the crash was not the driver per se, but the content passed from outside of the kernel to the driver.
“That’s something Microsoft would never have seen. It traversed Microsoft. It’s not documented. Microsoft doesn’t know what’s in that file. It’s a binary code that only CrowdStrike knows how to interpret,” explained Weston.
While there was no current way Microsoft could have prevented this incident, the OS firm is obviously keen to prevent anything similar happening in the future.
The advantage of having a driver within the kernel for third party security providers is clear: greater security for themselves (and by extension, the users) and better performance. The disadvantage is the damage that can be done from a failure in the kernel is more extensive and less easy to reverse.
“is that if you crash in the kernel, you take down the whole machine. If you crash an app in user mode, we can generally recover it.” This is an argument for maximizing the use of user mode and minimizing the use of kernel mode. It would benefit Microsoft’s own Windows customers, but Weston further suggests that some of the third party software vendors would also welcome the opportunity to employ a user mode component. “Microsoft is now investing in a capability to do that.”
This has already raised several concerns. Is Microsoft intending to increase user mode as an option, or is it intending to phase out third party kernel drivers? Noticeably, ESET (one of the MVI summit attendees), commented at the time, “It remains imperative that kernel access remains an option for use by cybersecurity products.”
Pressed on this, Weston admitted that some vendors are concerned that Microsoft may kick them out of the kernel. “Can user mode framework be as good as the access they currently have in terms of performance, etcetera? These are valid concerns. But at this point, we have no plans to revoke kernel access from anyone. It doesn’t mean that can’t change in the future, but we have no plans to do that. Our goal is to create an equivalent, and an option, for user mode.”
While ‘to kernel or not to kernel’ may be the issue that catches attention, Weston believes it is the smaller part of a two-part problem. Of greater importance is software testing prior to deployment – and the use of safe deployment practices (SDP).
Safe Deployment Practices
“Whether your security product is in the kernel or operating as an app,” explained Weston, “you can still destroy the machine or make it unavailable. If you’re operating as an app and you delete the wrong file, you can cause the machine not to boot. That alone proves the argument that effective SDP is the better ROI in terms of protecting an incident, because whether you’re in kernel or user mode, you must have SDP to avoid accidental outage.”
SDPs are not a new idea. USENIX published a paper out of Utrecht university in 2004 titled ‘A Safe and Policy-Free System for Software Deployment’. Its opening line reads, “Existing systems for software deployment are neither safe nor sufficiently flexible.” This problem with SDPs has yet to be solved, and such a solution is an important aspect of Microsoft’s plans to limit future outages.
This was discussed at some length at the MVI summit. “We face a common set of challenges in safely rolling out updates to the large Windows ecosystem, from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or rollback if needed. A core SDP principle is gradual and staged deployment of updates sent to customers,” comments Weston in a blog on the summit.
Agreeing and requiring a minimum set of safe deployment practices from partners is one thing; ensuring that those partners employ the agreed SDP is another. “Technical enforcement would be a challenge,” he said. “Transparency and accountability seem to be the best methodology for now.”
It’s not like Microsoft has no teeth. If it finds that a partner has ignored the SDP, it can withdraw signing any kernel driver.
“My TLDR,” Weston told SecurityWeek, “is that SDP is the best tool we have in the toolbox for stopping outages. Kernel mode, user mode – not saying those are invalid, just saying those are a much smaller part of the problem. SDP can help prevent outages both inside and outside of the kernel.”
Tomi Engdahl says:
Toimitusjohtaja: Fortum kohtaa päivittäin kyberhyökkäyksiä
Fortumiin kohdistuu päivittäin kyberhyökkäyksiä ja tietomurtoyrityksiä sekä Suomessa että Ruotsissa.
https://www.iltalehti.fi/digiuutiset/a/d636452f-e693-4a3d-9f9a-4ce0c063e660
Fortumiin kohdistuu kyberhyökkäyksiä päivittäin.
Fortumin toimintoihin sekä Suomessa että Ruotsissa kohdistuu jatkuvasti kyberhyökkäyksiä ja tietomurtoyrityksiä, toimitusjohtaja Markus Rauramo kertoo Reutersille.
Aiemmin tänä vuonna häirittiin myös voimalaitosten satelliittiyhteyksiä. Tämän lisäksi laitosten lähettyvillä on havaittu drooneja, joista on ilmoitettu viranomaisille.
Vaikka hyökkäysten määrä on noussut, ei se ole juurikaan vaikuttanut Fortumin kykyyn toimia. Rauramo kertoo yhtiön panostaneen kyberuhkien aiheuttamien haittojen lieventämiseen ja torjumiseen. Yhteistyötä tehdään myös viranomaisten kanssa.
Suojelupoliisin mukaan erinäisten kriittiseen infrastruktuuriin kohdistuvien kyberhyökkäysten ja operaatioiden määrä on noussut kevään 2022 jälkeen, jolloin suhteet Venäjän kanssa heikkenivät. Myös Ruotsin suojelupoliisi Säpo kertoo Reutersille Venäjän tiedustelun lisääntyneen ja tulleen aggressiivisemmaksi ja rohkeammaksi.
Tomi Engdahl says:
The Register: US and UK govts warn: Russia scanning for your unpatched vulnerabilities > https://go.theregister.com/feed/www.theregister.com/2024/10/12/russia_is_targeting_you_for/, 2024-10-12 03:05:11 +0000
#2600net #irc #secnews #cybersecurity #patch
Tomi Engdahl says:
OpenAI confirms threat actors use ChatGPT to write malware
https://www.bleepingcomputer.com/news/security/openai-confirms-threat-actors-use-chatgpt-to-write-malware/?fbclid=IwZXh0bgNhZW0CMTEAAR10pJvi-YZuSm-HzK3hsSlFF79hkFw9AVLUaLdlWYBHJTMNlw-Pk6XotyI_aem_317dZ4NZ-dgS3fuzvgdB_A
OpenAI has disrupted over 20 malicious cyber operations abusing its AI-powered chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks.
The report, which focuses on operations since the beginning of the year, constitutes the first official confirmation that generative mainstream AI tools are used to enhance offensive cyber operations.
The first signs of such activity were reported by Proofpoint in April, who suspected TA547 (aka “Scully Spider”) of deploying an AI-written PowerShell loader for their final payload, Rhadamanthys info-stealer.
Tomi Engdahl says:
It’s 2024 And Your Laptop Can Be Hacked With A BBQ Lighter
https://www.forbes.com/sites/daveywinder/2024/10/12/its-2024-and-your-laptop-can-be-hacked-with-a-bbq-lighter/?fbclid=IwY2xjawF4PsFleHRuA2FlbQIxMQABHQ7L0o4zoqCeX1sULE4sZeg-m-4J2gQbATx3H-rjU0Pdeb9AbLVlJZ5A8Q_aem_0x5ChurcrKTZHNJb73ubhQ
What’s the first thing you think of in 2024 when someone talks about the tools needed to hack your laptop? Malware, probably. A hardware device, possibly. A piezo-electric BBQ lighter, err, what? No, seriously, one hacker has detailed exactly how they managed to get root using just such a device. Here’s how it was done.
Can You Get Root With Only A Cigarette Lighter?
TL;DR. Yes, yes, you can. But please don’t stop here, as this really is a fascinating exploration into how the hacking mindset works.
“Before you can write an exploit,” Buchanan said, “you need a bug.” But what if, as unlikely as it may sound to regular readers, there are no bugs? “When there are no bugs,” Buchanan continued, “we have to get creative—that’s where Fault Injection comes in.” So, what is fault injection? Simply put, it can be anything that you introduce to the target system that can be exploited, including software-controlled data corruption, power glitching and, importantly in the case of the BBQ lighter hack, electromagnetic pulses.
Buchanan opted to use an Intel i3-powered Samsung S3520 laptop from his junk pile as the target device for this hacking experiment. Let’s be clear from the get-go: this is not a new laptop, it dates from 2011. That said, running a desktop Linux installation, Arch in this case, is perfect as a test case.
the hacker decided to inject a fault on one of the 64 DQ pins (the data-in pin is usually called D and the data-out one Q) on the laptop memory module. “I figured that if I could inject faults on one of these pins,” Buchanan said, “I could do something interesting.”
And interesting it was.
He soldered single resistor and wire to DQ pin 26. That was it. This created a simple antenna which is capable of picking up nearby electromagnetic interference.
Buchanan discovered that clicking the lighter in the general vicinity of the antenna wire he had created was enough to reliably trigger the memory errors he was looking to exploit.
Tomi Engdahl says:
https://www.reddit.com/r/hardwarehacking/comments/1fyytp2/can_you_get_root_with_only_a_cigarette_lighter/
Tomi Engdahl says:
https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-rce-flaw-now-exploited-in-attacks/?fbclid=IwZXh0bgNhZW0CMTEAAR1a_LOMEAR5zecTbQY4jrv2F1HCDnifDBpGGy_vjtU7sltikEZ_Li5uAZ8_aem_gjoMOeFN6mlzPOuI4onSoQ
Tomi Engdahl says:
After breach of billions of records, National Public Data files for bankruptcy
https://cybernews.com/news/national-public-data-breach-social-security-bankruptcy/?fbclid=IwY2xjawF4lVRleHRuA2FlbQIxMQABHVTSW629ez4w-DK3QIbfg2voYdbGIYWebDZtNDRunt0o74PIcoNccbzUIw_aem_Pf_mpoHtwQHrhbT61XyjwA
The breach may have impacted hundreds of millions of people. State prosecutors across the US are demanding civil penalties. No wonder National Public Data, a company responsible for a massive leak of Social Security numbers, has filed for bankruptcy.
The cybersecurity world was shocked when a threat actor posted a database stolen from National Public Data (NPD), a background check and the personal lookup company, on the illicit web marketplace BreachForums in the summer.
The data included Social Security numbers, full names, addresses, phones, and other personal data. The full database is 277GB large and contains 2.7 billion records.
The filings reveal that the company calculates it’ll need to notify and pay for credit monitoring “for hundreds of millions of potentially impacted individuals.”
That’s because the threat actor stole a trove of data containing 272 million unique Social Security numbers and 600 million phone numbers from US residents.
“The enterprise cannot generate sufficient revenue to address the extensive potential liabilities, not to mention, defend the lawsuits and support the investigations,” said the court documents.
Tomi Engdahl says:
In Other News: Traffic Light Hacking, Ex-Uber CSO Appeal, Funding Plummets, NPD Bankruptcy
Noteworthy stories that might have slipped under the radar: traffic lights in the Netherlands can be hacked, cybersecurity funding tumbles, ex-Uber CSO appeals conviction, NPD files for bankruptcy.
https://www.securityweek.com/in-other-news-traffic-light-hacking-ex-uber-cso-appeal-funding-plummets-npd-bankruptcy/
Tomi Engdahl says:
Palo Alto Patches Critical Firewall Takeover Vulnerabilities
Palo Alto warns that attackers can access usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
https://www.securityweek.com/palo-alto-patches-critical-firewall-takeover-vulnerabilities/
Tomi Engdahl says:
CISO Strategy
Looking at Security Challenges Through the Lens of Different Roles
What are CISOs and security leaders prioritizing versus the security operators?
https://www.securityweek.com/looking-at-security-challenges-through-the-lens-of-different-roles/
Tomi Engdahl says:
Artificial Intelligence
OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks
OpenAI has disrupted 20 cyber and influence operations this year, including the activities of Iranian and Chinese state-sponsored hackers
https://www.securityweek.com/openai-says-iranian-hackers-used-chatgpt-to-plan-ics-attacks/
Tomi Engdahl says:
Network Security
Now on Demand: Zero Trust Strategies Summit – All Sessions Available
With all sessions now available on demand, the online summit is laser focused on helping organizations to level up their Identity and Zero Trust security strategies.
https://www.securityweek.com/securityweek-to-host-zero-trust-strategies-summit-as-virtual-event-on-october-9th/
https://zerotrust.securityweek.com/
Tomi Engdahl says:
SecurityWeek
Malware & Threats
Security Operations
Security Architecture
Risk Management
CISO Strategy
ICS/OT
Funding/M&A
Cybersecurity News
Webcasts
Virtual Events
ICS Cybersecurity Conference
Connect with us
Hi, what are you looking for?
SecurityWeek
SecurityWeek
SecurityWeek
Malware & Threats
Cyberwarfare
Cybercrime
Data Breaches
Fraud & Identity Theft
Nation-State
Ransomware
Vulnerabilities
Security Operations
Threat Intelligence
Incident Response
Tracking & Law Enforcement
Security Architecture
Application Security
Cloud Security
Endpoint Security
Identity & Access
IoT Security
Mobile & Wireless
Network Security
Risk Management
Cyber Insurance
Data Protection
Privacy & Compliance
Supply Chain Security
CISO Strategy
Cyber Insurance
CISO Conversations
CISO Forum
ICS/OT
Industrial Cybersecurity
ICS Cybersecurity Conference
Funding/M&A
Cybersecurity Funding
M&A Tracker
Industrial Cybersecurity Conference
Endpoint Security
Microsoft’s Take on Kernel Access and Safe Deployment Following CrowdStrike Incident
SecurityWeek talked to David Weston, VP enterprise and OS security at Microsoft, to discuss Windows kernel access and safe deployment practices.
https://www.securityweek.com/microsofts-take-on-kernel-access-and-safe-deployment-practices-following-crowdstrike-incident/
Tomi Engdahl says:
Wired:
How scammers in Southeast Asia are using generative AI, crypto drainers, Starlink terminals, and other tools to expand their pig butchering operations — Scammers in Southeast Asia are increasingly turning to AI, deepfakes, and dangerous malware in a way that makes their pig butchering operations even more convincing.
https://www.wired.com/story/pig-butchering-scams-go-high-tech/
Tomi Engdahl says:
The Internet Archive is back as a read-only service after cyberattacks
/ The Wayback Machine is back online after a data breach and DDoS attacks.
https://www.theverge.com/2024/10/14/24269741/internet-archive-online-read-only-data-breach-outage
Tomi Engdahl says:
Cat Zakrzewski / Washington Post:
A profile of Ben Nimmo, OpenAI’s principal threat investigator who found evidence that Russia and China were using ChatGPT to sway political discourse online — Ben Nimmo brings a literary bent to the serious business of keeping ChatGPT from being an engine of misinformation.
https://www.washingtonpost.com/technology/2024/10/13/openai-ben-nimmo-misinformation-us-election-russia/
Tomi Engdahl says:
Nordeassa on vikaa
Pankki sanoo tekevänsä kaiken tilanteen normalisoimiseksi.
https://www.is.fi/digitoday/art-2000010761809.html
Nordean pörssikaupankäynti on suljettu teknisen häiriön takia, pankki kertoo häiriösivuillaan.
– Selvitämme vikaa parhaillaan ja pyrimme korjaamaan ongelman mahdollisimman pian. Pyydämme anteeksi asiakkaillemme koitunutta haittaa ja teemme kaikkemme, että saamme palvelumme toimimaan ja tilanteen normalisoitumaan, pankki viestittää.
Nordea ilmoitti viime torstaina, että pankin palvelussa esiintyneet tekniset häiriöt on saatu korjattua.
Tomi Engdahl says:
Charlie Warzel / The Atlantic:
The bleak online US discourse about hurricanes Milton and Helene revealed not just a misinformation crisis but a cultural assault on anyone operating in reality — The truth is, it’s getting harder to describe the extent to which a meaningful percentage of Americans have dissociated from reality.
I’m Running Out of Ways to Explain How Bad This Is
What’s happening in America today is something darker than a misinformation crisis.
https://www.theatlantic.com/technology/archive/2024/10/hurricane-milton-conspiracies-misinformation/680221/?gift=bQgJMMVzeo8RHHcE1_KM0QW0K3DKS019CAwkgCJs0j8&utm_source=copy-link&utm_medium=social&utm_campaign=share
The truth is, it’s getting harder to describe the extent to which a meaningful percentage of Americans have dissociated from reality. As Hurricane Milton churned across the Gulf of Mexico last night, I saw an onslaught of outright conspiracy theorizing and utter nonsense racking up millions of views across the internet. The posts would be laughable if they weren’t taken by many people as gospel. Among them: Infowars’ Alex Jones, who claimed that Hurricanes Milton and Helene were “weather weapons” unleashed on the East Coast by the U.S. government, and “truth seeker” accounts on X that posted photos of condensation trails in the sky to baselessly allege that the government was “spraying Florida ahead of Hurricane Milton” in order to ensure maximum rainfall, “just like they did over Asheville!”
Even in a decade marred by online grifters, shameless politicians, and an alternative right-wing-media complex pushing anti-science fringe theories, the events of the past few weeks stand out for their depravity and nihilism. As two catastrophic storms upended American cities, a patchwork network of influencers and fake-news peddlers have done their best to sow distrust, stoke resentment, and interfere with relief efforts. But this is more than just a misinformation crisis. To watch as real information is overwhelmed by crank theories and public servants battle death threats is to confront two alarming facts: first, that a durable ecosystem exists to ensconce citizens in an alternate reality, and second, that the people consuming and amplifying those lies are not helpless dupes but willing participants.
Tomi Engdahl says:
Telian lähettämä viesti täyttää kaikki huijausviestin tunnusmerkit
Tämä sähköposti voi näyttää ihan tavalliselta tietojenkalasteluviestiltä, mutta on todellisuudessa Telian lähettämä aito viesti.
https://www.iltalehti.fi/digiuutiset/a/223aef94-085c-4598-8dc0-d2121cc53187
Tomi Engdahl says:
OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks
https://www.securityweek.com/openai-says-iranian-hackers-used-chatgpt-to-plan-ics-attacks/
OpenAI has disrupted 20 cyber and influence operations this year, including the activities of Iranian and Chinese state-sponsored hackers.
A report published this week by OpenAI reveals that the artificial intelligence company has disrupted more than 20 cyber and covert influence operations since the beginning of the year, including the activities of Iranian and Chinese state-sponsored hackers.
The report highlights the activities of three threat groups that have abused ChatGPT to conduct cyberattacks.
One of these threat actors is CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has made headlines this year for its attacks on the water sector.
The group has targeted industrial control systems (ICS) at a water utility in Ireland (the attack left people without water for two days), a water utility in Pennsylvania, and other water facilities in the United States.
These attacks did not involve sophisticated hacking and instead relied on the fact that many organizations leave ICS exposed to the internet and protected with easy to obtain default credentials.
According to OpenAI, accounts associated with CyberAv3ngers used ChatGPT to conduct reconnaissance, but also to help them with vulnerability exploitation, detection evasion, and post-compromise activity.
Many of the reconnaissance activities are related to conducting attacks on programmable logic controllers (PLCs) and other ICS.
Specifically, the hackers asked ChatGPT for industrial ports and protocols that can connect to the internet; industrial routers and PLCs commonly used in Jordan, as well as electricity companies and contractors in this country; and default passwords for Tridium Niagara devices and Hirschmann RS industrial routers.
Tomi Engdahl says:
Bleeping Computer: Google warns uBlock Origin and other extensions may be disabled soon > https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and-other-extensions-may-be-disabled-soon/, 2024-10-13 18:16:27 -0400
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisco-investigates-breach-after-stolen-data-for-sale-on-hacking-forum/?fbclid=IwZXh0bgNhZW0CMTEAAR0QrbHiuWGKn13irMAW-TKv_ZRB8–AZrm5pxa1dDJwmWlBa864Q4k9fd4_aem_sDiz3d_k43C2XD1gF-mlcg
Tomi Engdahl says:
Thousands of Fortinet instances vulnerable to actively exploited flaw
No excuses for not patching this nine-month-old issue
iconConnor Jones
Mon 14 Oct 2024 // 12:30 UTC
More than 86,000 Fortinet instances remain vulnerable to the critical flaw that attackers started exploiting last week, according to Shadowserver’s data.
https://www.theregister.com/2024/10/14/fortinet_vulnerability/
Tomi Engdahl says:
Liian siisti koodi paljastaa hakkerin tekoälyksi
https://etn.fi/index.php/13-news/16712-liian-siisti-koodi-paljastaa-hakkerin-tekoaelyksi
Kyberturvallisuusyritys Check Point epäilee, että AsyncRAT-hyökkäysskriptin on kehittänyt generatiivinen tekoäly. Yhtiöiden mukaan tämän paljastaa se, että koodi on liian siistiä ja liian hyvin dokumentoitua.
AsyncRAT on tällä hetkellä maailman kymmenenneksi yleisin haittaohjelma. Haitallinen komentosarja piilottaa ohjelmakoodin HTML- ja ZIP-tiedostoihin, jotka asentavat AsyncRAT:n, mikä puolestaan antaa hyökkääjälle mahdollisuuden tallentaa näppäinpainalluksia, kauko-ohjata laitetta ja jakaa lisäkoodia.
AsyncRAT on yleistynyt nopeasti maailmanlaajuisesti
Asiantuntijat ovat varoittaneet kehityksestä ja uskovat, että tekoälyä käytetään vielä luovemmin: ei vain koodin kirjoittamiseen, vaan myös haavoittuvuuksien etsimiseen.
September 2024’s Most Wanted Malware: Notable AI-Driven Techniques and Persistent RansomHub Threats
https://blog.checkpoint.com/research/september-2024s-most-wanted-malware-notable-ai-driven-techniques-and-persistent-ransomhub-threats/
Check Point’s latest threat index emphasizes the shift towards AI-driven malware tactics in the current cyber landscape
Check Point’s Global Threat Index for September 2024 revealed its Global Threat Index for September 2024. The report highlights an interesting trend in the cybersecurity landscape, particularly the emergence of artificial intelligence (AI)-driven malware, alongside the ongoing dominance of ransomware threats.
This month, researchers discovered that threat actors likely used AI to develop a script that delivers AsyncRAT malware, which has now ranked 10th on the most prevalent malware list. The method involved HTML smuggling, where a password-protected ZIP file containing malicious VBScript code was sent to initiate an infection chain on the victim’s device. The well-structured and commented code suggested AI involvement. Once fully executed, AsyncRAT is installed, enabling the attacker to record keystrokes, remotely control the infected device, and deploy additional malware. This discovery highlights a growing trend of cybercriminals with limited technical skills using AI to create malware more easily.
The fact that threat actors have started utilizing generative AI as part of their attack infrastructure highlights the continuous evolution of cyber-attack tactics. Cybercriminals are increasingly leveraging available technologies to enhance their operations, making it essential for organizations to implement proactive security strategies, including advanced prevention methods and comprehensive training for their teams.
Tomi Engdahl says:
https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
Tomi Engdahl says:
Miten Telia voi lähettää tällaisia viestejä asiakkailleen? Asiantuntija: ”Ei missään nimessä”
Telian lähettämä viesti oli niin epäilyttävä, että Kuluttajaliitto pyysi erikseen varmistamaan sen aitouden ennen asian kommentointia. Asiantuntija pitää valitettavana, ettei huijausviesteistä varoittelevilla tahoilla ole itselläänkään aina homma hallussa.
https://www.iltalehti.fi/digiuutiset/a/8d2980cf-4673-4bb2-8f59-cce511f0d55e
Telian lähettämä viesti yllätti jopa asiantuntijan.
Kuluttajaliiton pääsihteerin mukaan tällaisia viestejä ei tulisi missään nimessä lähettää.
Myös muut merkittävät organisaatiot ovat asiantuntijan mukaan sortuneet samaan.
Kuluttajaliiton pääsihteeri Juha Beurling-Pomoell kommentoi Telian maanantaina lähettämää epäilyttävää viestiä Iltalehdelle jämäkästi.
– Jos lähdetään siitä olettamasta, että tuo viesti todella on aito, niin tällaisia ei tulisi missään nimessä lähettää, Beurling-Pomoell sanoo.
Telian asiakaspalvelusta vahvistettiin maanantaina, että kyseessä on yhtiön lähettämä aito viesti. Myöhemmin maanantaina Telia lähetti uuden sähköpostin, jossa se kertoi aiemman viestin olleen aiheeton ja epäonnistuneesti muotoiltu.
Esimerkkitapaus tuli kuin tilauksesta
Iltalehti tavoitti Beurling-Pomoellin maanantaina alkuiltapäivästä, kun Kuluttajaliiton koulutustilaisuus Karjaan kirjastossa Raaseporissa oli alkamaisillaan.
– Seison tässä kirjaston ulkopuolella ja olen menossa kertomaan ihmisille juuri tästä aiheesta. Näiden koulutustenkin keskeisin viesti on, että pyytämättä ja yllättäen lähetettyjä linkkejä ei tule klikata, Beurling-Pomoell sanoo.
– Jos yhden ohjeen haluan ihmisten näistä muistavan, niin se on juuri se, että älkää avatko näitä linkkejä, hän jatkaa.
Hän suosittelee yllättävien viestien kohdalla samaa toimintatapaa, jota pankit, viranomaiset ja teleoperaattorit suosittelevat.
– Sinne osoitteeseen telia.fi pitäisi mennä kirjoittamalla se osoite selaimeen ihan itse, kirjautumalla oikeille Telian sivuille ja tarkistamalla sieltä, onko tullut tällaista viestiä.
Tämä oli raskain virhe
Telian lähettämässä viestissä on klikattava linkki, joka johtaa Telian kirjautumissivulle. Linkin takana on vaihtoehtona tunnistautua käyttäjätunnuksen ja salasanan lisäksi myös pankkitunnuksilla tai mobiilivarmenteella.
Tässä tapahtui Beurling-Pomoellin mukaan se kaikkein suurin virhe.
– Pitäisi sanoa sillä tavalla, että turvallisuussyistä emme lähetä linkkejä, vaan käythän Telian sivuilla tarkistamassa. Ei missään nimessä laittaa viesteihin mitään aktiivisia klikattavia linkkejä, hän sanoo.
Kuluttajaliitto on listannut verkkosivuillaan lukuisia keinoja huijausviestien ja tietojenkalasteluyritysten tunnistamiseksi. Ainoa asia, mikä Telian lähettämässä viestissä antoi edes vähän viitteitä siitä, ettei kyseessä ollut huijaus, oli Beurling-Pomoellin mukaan viestissä ollut linkki.
– Se ei ole mikään höpöhöpölinkki, kuten vaikkapa telia-fi.com tai vastaava. Mutta niitäkin voi väärentää, eli tämäkään ei toimi minkäänlaisena ohjeena, hän alleviivaa.
– Muuten tämä kyllä täyttää kaikki huijausviestin tunnusmerkit, hän täräyttää.
Suutarin lapset
Beurling-Pomoell pitää erittäin valitettavana, että Telian kaltainen toimija, jolla on aihepiiristä hyvin laajaa osaamista, sortuu tämän luokan virheeseen.
– Teleoperaattorit työskentelevät paljon huijausten parissa ja ovat näissä erittäin kovan luokan asiantuntijoita. Tämä viesti ei ole selkeästi lähtenyt siltä osastolta, jolla sitä osaamista on.
Telian lähettämä viesti täyttää kaikki huijausviestin tunnusmerkit
Tämä sähköposti voi näyttää ihan tavalliselta tietojenkalasteluviestiltä, mutta on todellisuudessa Telian lähettämä aito viesti.
https://www.iltalehti.fi/digiuutiset/a/223aef94-085c-4598-8dc0-d2121cc53187
Telia lähetti joillekin asiakkailleen maanantaina erikoisen sähköpostin.
Viestissä kerrottiin, että Telia-tili poistuu käytöstä, jos vastaanottaja ei kirjaudu Telian sivuille viestissä olleen linkin kautta.
Telia kertoo viestin olleen tarpeeton ja myöntää sen muotoilun epäonnistuneen.
Mikäli sait Telialta sähköpostitse ilmoituksen, jossa kerrottiin Telia-tilisi poistamisen lähestymisestä, ei kyse ole huijauksesta, vaikka viesti voi skeptisemmän vastaanottajan silmään siltä vaikuttaakin.
– Näyttää siltä, että et ole käyttänyt Telia Tiliäsi enää hetkeen. Poistamme tilisi 30 päivän kuluttua, sähköpostissa kerrotaan aavistuksen uhkaavasti.
Sähköpostin otsikko on niin ikään painetta aiheuttava Telia Tilisi poistetaan pian.
Itse viestissä kehotetaan klikkaamaan linkkiä ja kirjautumaan sen kautta Telian sivuille. Viestissä sanotaan, että näin toimimalla välttyy tilin poistamiselta, sillä kirjautumalla sivustolle käyttäjätili aktivoituu uudelleen.
Vaikka Telian lähettämä viesti on aito, täyttää se kaikki huijausviestin tunnusmerkit:
Vastaanottajaa hoputetaan toimimaan.
Vastaanottajaa uhataan seurauksilla, mikäli tämä ei toimi pyydetysti.
Vastaanottajaa kehotetaan klikkaamaan viestissä olevaa linkkiä.
Vastaanottajaa pyydetään kirjautumaan mainitun linkin kautta.
Linkin takana tarjotaan tunnistautumista pankkitunnuksilla.
Telia myönsi virheen
Telia lähetti myöhemmin maanantaina asiakkailleen sähköpostin, jossa se kertoi viestin olleen aiheeton.
Tomi Engdahl says:
Älä käytä pankkitunnuksia tähän
Pankkitunnukset ovat edelleen yleisin tunnistautumistapa niiden käyttöön liittyvistä riskeistä huolimatta. Mobiilivarmenteen käyttö on kasvussa, mutta yleistyminen voisi olla nopeampaakin.
https://www.iltalehti.fi/digiuutiset/a/6df3db03-3b19-4402-8730-542e030b69ea
Tomi Engdahl says:
Digi- ja väestötietoviraston mukaan mobiilivarmennetta käytetään julkisissa digipalveluissa vain noin joka kymmenenteen tunnistautumiseen. Pankkitunnukset ovat edelleen yleisimmin käytetty tunnistautumistapa myös viranomaispalveluissa.
https://www.iltalehti.fi/digiuutiset/a/6df3db03-3b19-4402-8730-542e030b69ea
https://app.powerbi.com/view?r=eyJrIjoiNmZlZDc0MjEtOGU1ZS00ZDhhLWFlNGEtZTg2N2IzODVhZTZlIiwidCI6IjdjMTRkZmE0LWMwZmMtNDcyNS05ZjA0LTc2YTQ0M2RlYjA5NSIsImMiOjh9
Tomi Engdahl says:
Käytätkö sinäkin? Tätä tunnistautumistapaa ei ole vielä koskaan saatu murrettua
Erilaiset verkkohuijaukset ovat koko ajan kasvava uhka. Niiltä voi kuitenkin suojautua tehokkaasti ottamalla käyttöön mobiilivarmenteen.
https://www.iltalehti.fi/digiuutiset/a/d6dee6c5-9e77-42cb-8295-5a71636f3467
Telia kannustaa tiedotteessaan mobiilivarmenteen käyttöönottoon. Sitä tarjoavat asiakkailleen myös Elisa ja DNA.
– Mobiilivarmenteessa käyttämäämme salausta ei ole koskaan maailmassa murrettu, Telian lisäarvopalveluiden liiketoiminnasta vastaava Vesa Reijonen kertoo.
Reijosen mukaan mobiilivarmenteen turvallisuuden taustalla ovat 256-bittiset EEC-salausavaimet.
– Asiakkaan yksityinen avain on vain käyttäjän SIM-kortin turvamoduulissa. Edes Telian insinööreillä ei ole pääsyä asiakkaan salausavaimeen.
Vaikka pankkiasioinnissa pankkitunnukset ovatkin tarpeen, on muihin palveluihin tunnistautuminen turvallisempaa tehdä mobiilivarmenteen avulla. Sitä käyttäessään ei tule antaneeksi pankkitunnuksiaan henkilöllisyyttä vahvistaessaan, mikäli sattuukin olemaan huijaussivustolla.
Reijonen kertoo Telian tiedotteessa, että mobiilivarmenteen käyttö on ennätyksellisen voimakkaassa kasvussa.
Tomi Engdahl says:
HS: Nordean ongelmien tarkoitus on horjuttaa yhteiskuntaa
Neljä syytä tekee Nordean kuukauden aikana kohtaamista ongelmista ennennäkemättömiä, kertoo Helsingin Sanomat.
HS: Nordean ongelmien tarkoitus on horjuttaa yhteiskuntaa
https://www.is.fi/digitoday/tietoturva/art-2000010764319.html
Nordeaan kohdistuneiden palvelunestohyökkäysten tarkoitus on horjuttaa yhteiskuntaa. Kuluneen kuukauden aikana nähtyjen hyökkäysten voima ja kesto ovat olleet ennennäkemättömiä, kertoo Nordean henkilöasiakasliiketoiminnasta pohjoismaisesti vastaava johtaja Sara Mella Helsingin Sanomille.
Kiivaimpia hyökkäyksiä on nähty Ruotsissa. Mellan mukaan hyökkäysten poikkeuksellisen pitkä kesto, 15-kertainen voima aikaisempaan verrattuna, hämmennystä herättävä tuntematon motiivi sekä pohjoismaalaisista, mahdollisesti kaapatuista laitteista tulleet hyökkäykset kertovat siitä, että hyökkääjällä on käytössään mittavat resurssit.
Nordea arvelee hyökkäyksen maksaneen tekijälleen yli kaksi miljoonaa euroa vapaiden markkinoiden hinnoittelulla. Mellan mukaan hyökkäyksen kohteena on yhteiskunnan kriittinen infrastruktuuri, ja Nordeaa on käytetty tässä välineenä. Pankki sanoo torjuneensa 90 prosenttia hyökkäyksistä ja asiakkaiden rahojen olevan turvassa.
Nordea ilmoitti tekevänsä huoltotöitä järjestelmissään lauantaina 14.9. Tämän jälkeen alkoivat ongelmat, jotka ovat olleet yhdistelmä palvelunestohyökkäyksiä sekä järjestelmäpäivityksistä seuranneita komplikaatioita.
Tomi Engdahl says:
TS: Nordean hyökkäyksessä käytettiin suomalaisia kodinkoneita
Nordean mukaan palvelunestohyökkäys on ollut täysin poikkeuksellinen, kertovat Helsingin Sanomat ja Turun Sanomat.
https://www.iltalehti.fi/digiuutiset/a/405d7a66-81ca-4963-8f77-ed849751c219
Nordea sanoo yhtiötä koetelleiden palvelunestohyökkäyksien olleen voimaltaan ainutlaatuisia. Asiasta uutisoi Helsingin Sanomat.
Lehden haastattelema Nordean henkilöasiakasliiketoiminnasta pohjoismaisesti vastaava johtaja Sara Mella pitää hyökkäysten tarkoituksena yhteiskunnan horjuttamista. Mellan paljastaa, etteivät hyökkääjät ole vaatineet esimerkiksi rahaa.
HS:n mukaan palvelunestohyökkäysten voima on ollut 15-kertainen aiempaan verrattuna. Hyökkäyksien pääpaino on ollut Ruotsissa. Normaalisti hyökkäyksissä on lähetetty miljoona palvelupyyntöä sekunnissa, nyt niitä lähti 15 miljoonaa joka sekunti.
Palvelunestohyökkäyksen tarkoitus on aiheuttaa ylimääräistä kuormitusta, jolla estetään verkkopalvelun toimiminen. Poliisi kertoo verkkosivuillaan hyökkäyksen perustuvan uhripalvelun haavoittuvuuden hyödyntämiseen.
Ensimmäisellä vuosipuoliskolla Nordea kertoo saneensa 20 palvelunestohyökkäystä. Nyt hyökkäyksiä on tullut Mellan mukaan yli 360.
Hyökkääjät käyttivät suomalaisia kodinkoneita
Palvelunestohyökkäykset ovat tulleet poikkeuksellisesti pohjoismaisista ip-osoitteista, mikä on vaikeuttanut torjuntakeinoja.
Mella kertoo Turun Sanomille, että käytännössä hyökkääjät ovat siis nyt käyttäneet hyväkseen suomalaisia ja pohjoismaisia, verkkoon liitettyjä kodinkoneita ja -laitteita, joissa on heikko suojaus.
Suojelupoliisi varoitti viime vuonna suomalaisia huonosti suojatuista kotireitittimistä. Supo pitää vanhoja ja päivittämättömiä laitteita uhkana kansalliselle turvallisuudelle.
Esimerkiksi Telia on kertonut, että suurimman uhan muodostavat yli viisi vuotta vanhat reitittimet, joihin ei saa enää tietoturvapäivityksiä. Tällaisia laitteita on suomalaiskodeissa satojatuhansia.
Mella ei halua spekuloida, kuka voisi olla hyökkäysten takana, mutta hän arvioi tekijällä olevan paljon rahaa. Hän arvioi hyökkäysten kustannuksissa kymmeniä miljoonia.
Nordea arvioi torjuneensa noin 90 prosenttia hyökkäyksistä niin, etteivät vaikutukset ole näkyneet asiakkaille.
– Uskon, että tarvitsemme enemmän kansalaistaitoja, jotta ymmärrämme ja osaamme toimia tällaisissa tilanteissa, Mella sanoo HS:lle.
Nordealla on ollut viime viikkoina toistuvia ongelmia verkkopalveluissa. Pankki kertoi ongelmien johtuneen muutostöistä yhdistettyinä palvelunestohyökkäyksiin.
Tomi Engdahl says:
TE-toimiston verkkopalvelut edelleen juntturassa – Kävijämäärä oli liikaa
TE-toimisto käyttöjärjestelmään tehtiin iso päivitys. Sen jälkeen verkkopalveluihin tuli käyttäjäruuhka.
https://www.iltalehti.fi/digiuutiset/a/88393205-d216-422c-bed5-7672d9cd3c14
Työ- ja elinkeinopalveluiden verkkoasiointipalvelut ovat poissa käytöstä kuudetta päivää. Käyttökatkon syynä on järjestelmäpäivitys ja sen jälkeinen käyttäjäruuhka.
Käyttökatko alkoi torstaina 10. lokakuuta. Päivityksen oli määrä tulla valmiiksi maanantaina, mutta sen aikataulu venyi tiistaiaamuun.
Ely-keskusten ja TE-toimistojen kehittämis- ja hallintokeskuksen (Keha-keskus) yksikön johtaja Jaakko Westerlund kommentoi Iltalehdelle, että päivitys saatiin valmiiksi tiistaiaamuna.
– Kuormitus käyttökatkon jälkeen on ollut niin kovaa, että meillä ovat järjestelmät hetken aikaa alhaalla. Kansalaisten pitäisi päästä palveluihin tämän päivän aikana. Olettaisin, että puhutaan tunneista, jotta saadaan kapasiteettia nostettua.
Tomi Engdahl says:
Nordealta hätkähdyttävä tieto: palvelunestohyökkäyksessä hyödynnetty suomalaisten kodinlaitteita
https://www.ts.fi/uutiset/6461070
Nordean pankkipalveluissa on ollut laajoja häiriöitä viimeisen kuukauden aikana. Syynä on palvelunestohyökkäys, joka on pankin mukaan poikkeuksellinen.
Tomi Engdahl says:
Splunk Enterprise Update Patches Remote Code Execution Vulnerabilities
Splunk has released patches for multiple vulnerabilities in Splunk Enterprise, including two high-severity remote code execution flaws.
https://www.securityweek.com/splunk-enterprise-update-patches-remote-code-execution-vulnerabilities/
Splunk on Monday announced fixes for 11 vulnerabilities in Splunk Enterprise, two of which are high-severity bugs leading to remote code execution on Windows systems.
The most severe of the flaws is CVE-2024-45733 (CVSS score of 8.8), an insecure session storage configuration issue that could allow a user without ‘admin’ or ‘power’ Splunk roles to execute code remotely.
According to Splunk, only instances running on Windows machines are affected by this vulnerability. Instances that do not run Splunk Web are not impacted either.
Tomi Engdahl says:
Organizations Slow to Protect Doors Against Hackers: Researcher
Door access controllers remain vulnerable to remote hacker attacks for extended periods of time, a researcher has found.
https://www.securityweek.com/organizations-slow-to-protect-doors-against-hackers-researcher/
A significant percentage of organizations whose door access controllers have been analyzed by a cybersecurity researcher have failed to take any action to protect them against hacker attacks.
The research was conducted by Shawn Merdinger, who in 2010 showed how S2 Security door access controllers used by schools, hospitals, and other organizations could have been remotely hacked.
A decade later, Merdinger was jailed after sending threatening emails to people at several universities during a mental health crisis. After being released and staying sober, he launched a cybersecurity research project named Box of Rain — described as a “project of personal redemption” — whose goal is to show that many organizations are still impacted by physical access control vulnerabilities.
The project focused on S2 door access systems made by LenelS2 (S2 Security before it was combined with Lenel), and targeted management interfaces exposed on the web and protected with default ‘admin/admin’ credentials.
As part of the project, the researcher last year documented nearly 40 instances of buildings that had hackable door controllers. They mostly belonged to organizations in the education and healthcare sectors, with some owned by churches, courthouses, sports teams, power utilities, and law enforcement.
The findings were reported last year to the US cybersecurity agency CISA and other agencies in hopes that they would notify the impacted organizations and that the exposed systems would be protected. In some cases the researcher reached out to impacted organizations directly.
In recent weeks, roughly one year after the findings were first responsibly disclosed, Merdinger has reviewed the vulnerable instances to see how many organizations have taken action.
The researcher has determined that roughly half of the access controllers he discovered last year are now offline, or the findings are no longer relevant. Half a dozen of the instances are still exposed to the internet, but their password has been changed and they are no longer accessible with default credentials.
According to Merdinger, ten organizations have failed to take any action and their doors are still vulnerable to hacker attacks because they are exposed to the internet and continue to use default credentials.
The exposed web interface can allow a threat actor to open doors or schedule them to open at specified times, learn when certain people leave or arrive, add arbitrary people to the staff list, and cause disruptions to prevent the doors from opening. These controllers can also be leveraged to launch further attacks on the impacted organization’s network.
SecurityWeek previously highlighted one of Merdinger’s findings, which involved a US healthcare facility that changed the password of the exposed system only after we published an article.
Tomi Engdahl says:
Critical Vulnerability Patched in 101 Releases of WordPress Plugin Jetpack
Automattic has rolled out updates for 101 Jetpack versions released over the past eight years to resolve a critical vulnerability.
https://www.securityweek.com/critical-vulnerability-patched-in-101-releases-of-wordpress-plugin-jetpack/
Automattic on Monday announced patches for 101 versions of the popular WordPress security plugin Jetpack, to resolve a critical-severity vulnerability introduced in 2016.
The bug, which was discovered internally and does not have a CVE identifier yet, was introduced in Jetpack version 3.9.9 and affects all subsequent releases.
“During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack ever since version 3.9.9, released in 2016. This vulnerability could be used by any logged in users on a site to read forms submitted by visitors on the site,” Automattic announced.
To ensure that all WordPress websites using Jetpack are protected, the team decided to release a patch for each iteration of the plugin impacted by the bug, which amounted to a total of 101 updates being released.
Specifically, patches were released for all Jetpack versions between 3.9 and 13.9.
Tomi Engdahl says:
Open Source Package Entry Points May Lead to Supply Chain Attacks
Entry points in packages across multiple programming languages are susceptible to exploitation in supply chain attacks.
https://www.securityweek.com/open-source-package-entry-points-may-lead-to-supply-chain-attacks/
Entry points in open source packages across multiple programming languages can be abused for code execution, leading to supply chain attacks, web application security firm Checkmarx warns.
In Python, for instance, entry points are designed as a mechanism for exposing specific package functionality, enabling developers to create command-line scripts to be executed after package installation, and can be used in applications to load plugins that provide additional functionality.
“The most popular kind of entry point is console_scripts, which points to a function that you want to be made available as a command-line tool to whoever installs your package,” Checkmarx explains.
Upon package installation, entry points are recorded in the package’s metadata and other packages can query the metadata to discover and use them.
“If an attacker can manipulate a legitimate package’s metadata or convince a user to install a malicious package, they can potentially execute arbitrary code on the user’s system whenever the defined command or plugin is invoked,” the security firm says.
Attackers could rely on command-jacking, malicious plugins, and malicious extensions to exploit Python entry points to convince users to execute malicious code.
Threat actors can build malicious packages that rely on entry points to pose as popular third-party tools, targeting developers who frequently use such tools in workflows.
“For instance, an attacker might create a package with a malicious ‘aws’ entry point. When unsuspecting developers who regularly use AWS services install this package and later execute the aws command, the fake ‘aws’ command could exfiltrate their AWS access keys and secrets,” Checkmarx explains.
Malicious packages could impersonate commands used in various development environments, such as docker, npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet. They could also impersonate system utilities by using command names such as touch, curl, cd, ls, and mkdir, among others.
Checkmarx notes that entry points can be exploited in supply chain attacks targeting major ecosystems, including Dart Pub, npm (JavaScript), NuGet (.NET), Ruby Gems, and Rust Crates.
Tomi Engdahl says:
Meet the Chinese ‘Typhoon’ hackers preparing for war
https://techcrunch.com/2024/10/13/meet-the-chinese-typhoon-hackers-preparing-for-war/?fbclid=IwY2xjawF7k2FleHRuA2FlbQIxMQABHQzr-eXyRmqX1j8w0CKm9ebN3w1frjaGCvA9Bmbw-q9FABpNQ89eEY2KRg_aem_g6HyUehrCP_yxXWLJUldUA
Of the cybersecurity risks facing the United States today, few loom larger than the potential sabotage capabilities posed by China-backed hackers, which top U.S. officials have described as an “epoch-defining threat.”
In recent months, U.S. intelligence officials said Chinese government-backed hackers have been burrowing deep into the networks of U.S. critical infrastructure, including water, energy, and transportation providers. The goal, officials say, is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the U.S., such as over a possible Chinese invasion of Taiwan.
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” FBI Director Christopher Wray told lawmakers earlier this year.
Volt Typhoon represents a new breed of China-backed hacking groups; no longer just aimed at stealing sensitive U.S. secrets, but rather preparing to disrupt the U.S. military’s “ability to mobilize,” according to the FBI’s director.
Microsoft first identified Volt Typhoon in May 2023, finding that the hackers had targeted and compromised network equipment, such as routers, firewalls, and VPNs, since mid-2021 as part of an ongoing and concerted effort to infiltrate deeper into U.S. critical infrastructure. In reality, it’s likely the hackers were operating for much longer; potentially for as long as five years.
Tomi Engdahl says:
Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server
https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-and-l2tp-vpn-protocols-in-windows-server/?fbclid=IwY2xjawF8FXtleHRuA2FlbQIxMQABHVwDhL31fMt3TA-4bT-kS8UHliZueDM8BH4PXJqNDfMzD4Pxj5R_oEgN7Q_aem_Pv0dgaYhPpqbBo8ir-Ajlg
Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security.
For over 20 years, the enterprise has used the PPTP and L2TP VPN protocols to provide remote access to corporate networks and Windows servers.
However, as cybersecurity attacks and resources have grown more sophisticated and powerful, the protocols have become less secure.
For example, PPTP is vulnerable to offline brute force attacks of captured authentication hashes, and L2TP provides no encryption unless coupled with another protocol, like IPsec. However, if L2TP/IPsec is not configured correctly, it can introduce weaknesses that make it susceptible to attacks.
Due to this, Microsoft is now recommending users move to the newer Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) protocols, which provide better performance and security.
“These modern protocols offer superior encryption, faster connection speeds, and better reliability, making them more suitable for today’s increasingly complex network environments.”
Benefits of SSTP
Strong encryption: SSTP uses SSL/TLS encryption, providing a secure communication channel.
Firewall traversal: SSTP can easily pass through most firewalls and proxy servers, ensuring seamless connectivity.
Ease of use: With native support in Windows, SSTP is simple to configure and deploy.
Benefits of IKEv2
High security: IKEv2 supports strong encryption algorithms and robust authentication methods.
Mobility and multihoming: IKEv2 is particularly effective for mobile users, maintaining VPN connections during network changes.
Improved performance: With faster establishment of tunnels and lower latency, IKEv2 offers superior performance compared to legacy protocols.
Microsoft stresses that when a feature is deprecated, it does not mean it is being removed. Instead, it is no longer in active development and may be removed from future versions of Windows. This deprecation period could last months to years, giving admins time to migrate to the suggested VPN protocols.
As part of this deprecation, future versions of Windows RRAS Server (VPN Server) will no longer accept incoming connections using the PPTP and L2TP protocols. However, users can still make outgoing PPTP and L2TP connections.
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/get-started-install-ras-as-vpn?tabs=powershell
Tomi Engdahl says:
New tool can detect malware on Android phones
https://techxplore.com/news/2024-10-tool-malware-android.amp?fbclid=IwY2xjawF8GkNleHRuA2FlbQIxMQABHfjwRZ1SRTAF7CBySFH20gAnXUFZ0eE986br3IIJDsaAlZMRHD4KHUYwcA_aem_gbkslOVB0cVBLJjwH960SA#amp_tf=From%20%251%24s&aoh=17290180501357&csi=0&referrer=https%3A%2F%2Fwww.google.com
Screen readers, voice-to-text, and other accessibility features have enabled people with disabilities to use smartphones. Yet these same features make the phones more accessible to hackers, too.
Researchers at Georgia Tech have developed a new tool, Detector of Victim-specific Accessibility (DVa), that can check for malware. DVa runs on the cloud to check the phone for this malware, then sends the user a report of its findings that shows which apps are malware and how to delete them. It will also tell them which victim apps the malware was targeting and how to contact those companies to check for damages. DVa also sends a report to Google, so the company can attempt to eradicate this malware from apps.
Tomi Engdahl says:
Chinese hack of US ISPs shows why Apple is right about backdoors for law enforcement
https://9to5mac.com/2024/10/08/chinese-hack-of-us-isps-shows-why-apple-is-right-about-backdoors-for-law-enforcement/?fbclid=IwY2xjawF8HQVleHRuA2FlbQIxMQABHZNnfrV_1EV65_SIVEmxKQgqV5mzp9pm6pcj8uVsJu2K0_T4PGVilyhsGQ_aem_G-g_8f6CuHpHDF2rIdGXCw
It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US.
What’s notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement …
Chinese hack of US ISPs
The WSJ was first to report on the successful penetration of wiretap systems at AT&T, Lumen (aka CenturyLink), and Verizon.
A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.
For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter.
The Washington Post says that the hack appears to have been made by the Chinese government.
The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them.
Tomi Engdahl says:
EDRSilencer red team tool used in attacks to bypass security
https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-used-in-attacks-to-bypass-security/?fbclid=IwZXh0bgNhZW0CMTEAAR1vqjI5mAlqDGl3-URrRHdLE_jjo2KN-p1vz7yliLvJbpc2stfYafCyIV0_aem_sGBPwtXee59dAlVKcRV34A
A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles.
Researchers at cybersecurity company Trend Micro say that attackers are trying to integrate EDRSilencer in attacks to evade detection.
“Our internal telemetry showed threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection.” – Trend Micro.
EDRSilencer is an open-source tool inspired by MdSec NightHawk FireBlock, a proprietary pen-testing tool, which detects running EDR processes and uses Windows Filtering Platform (WFP) to monitor, block, or modify network traffic on IPv4 and IPv6 communication protocol.
WFP is typically used in security products such as firewalls, antivirus, and other security solutions, and filters set in the platform are persistent.
With custom rules in place, an attacker can disrupt the constant data exchange between an EDR tool and its management server, preventing the delivery of alerts and detailed telemetry reports.
In its latest version, EDRSilencer detects and blocks 16 modern EDR tools, including:
Microsoft Defender
SentinelOne
FortiEDR
Palo Alto Networks Traps/Cortex XDR
Cisco Secure Endpoint (formerly AMP)
ElasticEDR
Carbon Black EDR
TrendMicro Apex One
“This allows malware or other malicious activities to remain undetected, increasing the potential for successful attacks without detection or intervention,” the researchers say.
TrendMicro’s solution to EDRSilencer is to detect the tool as malware, stopping it before it allows the attackers to disable security tools.
Additionally, researchers recommend implementing multi-layered security controls to isolate critical systems and create redundancy, use security solutions that provide behavioral analysis and anomaly detection, look for indicators of compromise on the network, and apply the principle of the least privilege.
https://github.com/netero1010/EDRSilencer
A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
Tomi Engdahl says:
Suomalaisten kotiverkot hyökkäävät pankkiin – tee reitittimellesi nämä 3 + 5 asiaa
https://www.is.fi/digitoday/tietoturva/art-2000010766023.html
Suomalaisten verkkolaitteet tekevät palvelunestohyökkäyksiä. Näin varmistat, ettei kotiverkkosi ole osa ongelmaa.
Lue tiivistelmä
Nordea on kohdannut tavallista vaikeampia palveluestohyökkäyksiä.
Hyökkäykset tulevat suomalaisista ja pohjoismaalaisista kotien verkkolaitteista.
Traficom neuvoo poistamaan reitittimen etähallinnan, vaihtamaan oletussalasanan ja pitämään laitteen päivitettynä. Tämän lisäksi on muutama muu turvallisuutta lisäävä keino.
DNA suosittelee vaihtamaan reitittimen neljän vuoden välein tietoturvapäivitysten puutteen vuoksi.
Nordea kertoi tiistaina, että pankkiin kohdistuneiden palveluestohyökkäysten torjuminen on ollut tavallista vaikeampaa. Tähän on syynä se, että verkkohyökkäyksiin on osallistunut suomalaisia ja muita pohjoismaalaisia kotien verkkolaitteita.
Geoblokkaus eli ulkomailta tulevan nettiliikenteen torjuminen on yleinen tapa torjua verkkohyökkäyksiä. Se on kuitenkin vaikeaa, jos suuri osa hyökkäysliikenteestä tulee samasta Suomen osoiteavaruudesta kuin asiakkaiden verkkoliikenne.
Kun hyökkäykset tulevat kodinkoneista, oikeita ihmisiä niiden estämiseen ovat kotiverkkojen omistajat.
Tärkeimpiä asioita reitittimen turvallisuuden varmistamisessa on kolme, kertoo Suomen tietoturvaviranomainen, Liikenne- ja viestintävirasto Traficomin Kyberturvallisuuskeskus:
Poista reitittimen etähallinnan mahdollisuus. Jos reitittimen asetuksissa on päällä etähallinta, voi rikollinen sisään tunkeuduttuaan muokata asetuksia etänä. Viranomainen suosittelee ottamaan ominaisuuden (remote access) pois päältä.
Vaihda oletussalasana. Reitittimiin valmiiksi kirjatut oletustunnukset ovat tietoturvariski, ja reitittimen hallintaportaaliin kirjautuessa on suositeltavaa muuttaa tunnuksen salasana vahvemmaksi. Nykyisin monissa reitittimissä on jo tehtaalla asetettu laitekohtainen ja ainutlaatuinen salasana. Tämä on usein laitteen pohjassa olevassa tarrassa.
Pidä laite päivitettynä. Vanha sääntö laitteiden ja ohjelmistojen pitämisestä ajan tasalla pätee myös reitittimiin. Päivitykset tukkivat aukkoja, joiden kautta rikolliset ja vakoojat pääsevät kaappaamaan laitteesi. Joskus reitittimet päivittyvät itse, joskus se pitää tehdä itse. Tutustu laitteesi käyttöohjeisiin, vaikka yleensä viittaisit sellaisille kintaalla.
Lisäksi on muutama toimenpide, jolla reitittimen turvallisuutta voi parantaa entisestään:
Vaihda reitittimen luoman langattoman verkon nimi eli ssid. Alkuperäinen saattaa antaa hyökkääjälle vihjeitä siitä, mikä laite on kyseessä. Kotiverkon oletusnimi voi paljastaa reitittimen valmistajan ja kertoa, onko laite haavoittuvainen. Nimen pitäisi olla sellainen, ettei siitä pysty suoraan päättelemään laitteen sijaintia tai omistajaa.
Kytke päälle reitittimen palomuuri. Tämä löytyy reitittimen asetuksista, englanniksi kohdan firewall takaa. Palomuuri estää tehokkaasti laitteeseen pääsyä ja tekee siitä verkossa vaikeammin havaittavan.
Varmista, että langaton verkkosi on salattu. Useimmat ovat, mutta asetuksista kannattaa tarkistaa, että WPA2- tai WPA3-salaus on päällä. Se suojaa omassa verkossasi liikkuvan tiedon.
Käynnistä reititin uudelleen säännöllisesti. Tämä voi korjata verkon toimivuuteen ja nopeuteen liittyviä ongelmia sekä poistaa mahdollisesti laitteeseen pesiytyneen haittaohjelman.
Luo langaton vierailijaverkko. Uudet reitittimet antavat mahdollisuuden luoda rinnakkainen wifi-verkko. Sen käyttäminen vähentää tarvetta jakaa oman verkon salasanaa ja siihen voi kytkeä älyvalojen tai kodinkoneiden kaltaiset harvoin päivittyvät ja mahdollisesti turvattomammat älylaitteet.
Teleoperaattori DNA:n mukaan reititin kannattaa myös vaihtaa 4 vuoden välein.
Tomi Engdahl says:
Cybercriminals Are Increasingly Helping Russia and China Target the US and Allies, Microsoft Says
The growing collaboration between authoritarian governments and criminal hackers has alarmed national security officials and cybersecurity experts.
https://www.securityweek.com/cybercriminals-are-increasingly-helping-russia-and-china-target-the-us-and-allies-microsoft-says/
Tomi Engdahl says:
Election Day is Close, the Threat of Cyber Disruption is Real
New threat report shows that the potential for disruption to November’s Election Day is severe, and the threat is real.
https://www.securityweek.com/election-day-is-close-the-threat-of-cyber-disruption-is-real/
Tomi Engdahl says:
GitHub Patches Critical Vulnerability in Enterprise Server
A critical-severity flaw in GitHub Enterprise Server could lead to unauthorized access to the vulnerable instances.
https://www.securityweek.com/github-patches-critical-vulnerability-in-enterprise-server/
Tomi Engdahl says:
OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks
OpenAI has disrupted 20 cyber and influence operations this year, including the activities of Iranian and Chinese state-sponsored hackers.
https://www.securityweek.com/openai-says-iranian-hackers-used-chatgpt-to-plan-ics-attacks/
Tomi Engdahl says:
New CounterSEVeillance and TDXDown Attacks Target AMD and Intel TEEs
Intel and AMD respond to new attack methods named TDXDown and CounterSEVeillance that can be used against TDX and SEV technology.
https://www.securityweek.com/new-counterseveillance-and-tdxdown-attacks-target-amd-and-intel-tees/
Security researchers continue to find ways to attack Intel and AMD processors, and the chip giants over the past week have issued responses to separate research targeting their products.
The research projects were aimed at Intel and AMD trusted execution environments (TEEs), which are designed to protect code and data by isolating the protected application or virtual machine (VM) from the operating system and other software running on the same physical system.
On Monday, a team of researchers representing the Graz University of Technology in Austria, the Fraunhofer Institute for Secure Information Technology (SIT) in Germany, and Fraunhofer Austria Research published a paper describing a new attack method targeting AMD processors.
The attack method, named CounterSEVeillance, targets AMD’s Secure Encrypted Virtualization (SEV) TEE, specifically the SEV-SNP extension, which is designed to provide protection for confidential VMs even when they are running in a shared hosting environment.
CounterSEVeillance is a side-channel attack targeting performance counters, which are used to count certain types of hardware events (such as instructions executed and cache misses) and which can aid in the identification of application bottlenecks, excessive resource consumption, and even attacks.
They demonstrated the impact of CounterSEVeillance by extracting a full RSA-4096 key from a single Mbed TLS signature process in minutes, and by recovering a six-digit time-based one-time password (TOTP) with roughly 30 guesses. They also showed that the method can be used to leak the secret key from which the TOTPs are derived, and for plaintext-checking attacks.
Conducting a CounterSEVeillance attack requires high-privileged access to the machines that host hardware-isolated VMs — these VMs are known as trust domains (TDs). The most obvious attacker would be the cloud service provider itself, but attacks could also be conducted by a state-sponsored threat actor (particularly in its own country), or other well-funded hackers that can obtain the necessary access.
“For our attack scenario, the cloud provider runs a modified hypervisor on the host. The attacked confidential virtual machine runs as a guest under the modified hypervisor,” explained Stefan Gast, one of the researchers involved in this project.
“Attacks from untrusted hypervisors running on the host are exactly what technologies like AMD SEV or Intel TDX are trying to prevent,” the researcher noted.
Gast told SecurityWeek that in principle their threat model is very similar to that of the recent TDXDown attack, which targets Intel’s Trust Domain Extensions (TDX) TEE technology.
The TDXDown attack method was disclosed last week by researchers from the University of Lübeck in Germany.
Intel TDX includes a dedicated mechanism to mitigate single-stepping attacks. With the TDXDown attack, researchers showed how flaws in this mitigation mechanism can be leveraged to bypass the protection and conduct single-stepping attacks. Combining this with another flaw, named StumbleStepping, the researchers managed to recover ECDSA keys.
Intel has updated TDX to address the TDXDown attack, but considers it a ‘low severity’ issue and has pointed out that it “represents very little risk in real world environments”. The company has assigned it CVE-2024-27457.
As for StumbleStepping, Intel said it “does not consider this technique to be in the scope of the defense-in-depth mechanisms” and decided not to assign it a CVE identifier.
https://www.stefangast.eu/papers/counterseveillance.pdf
https://uzl-its.github.io/tdxdown/
TDXdown presents two attacks on TDX’s single-stepping countermeasure and uses them to recover ECDSA keys via a new weakness in nonce generation of OpenSSL and wolfSSL.