Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Brute-force attack. Show all posts

Six New Vulnerabilities Found in DIR-865L Model of D-Link Routers


Over the last few months, the cyber world witnessed an alarming spike in the number of malicious attacks, it's seen as a direct result of more and more people working from home. As organizations have been experiencing unprecedented cybersecurity challenges, it has become even more crucial for users to keep their networks updated and hence secured.

DIR-865L model of D-Link routers, designed for monitoring home network from anywhere, was found to be containing six vulnerabilities as follows:

1. CVE-2020-13782 [Improper Neutralization of Special Elements used in a Command (Command Injection)]: A backend engine known as cgibin.exe controls the web interface for this router; attackers can place arbitrary code to be executed with administrative privileges.

2. CVE-2020-13786 [Cross-Site Request Forgery (CSRF)]: Threat actors can intercept data present on sections under password protection by capturing the network traffic; the router's web interface consists of various pages that are vulnerable to this security flaw.

3. CVE-2020-13785 (Inadequate Encryption Strength): The attackers can learn a user's password via a brute force attack carried offline on the basis of information that's sent to the client from the router when the user logs into the SharePort Web Access portal in port 8181.

4. CVE-2020-13784 (Predictable Seed in Pseudo-Random Number Generator): By exploiting this vulnerability, the attackers can deduce the information required to perform CSRF attacks even if the router is encrypting session information using HTTPS.

5. CVE-2020-13783 (Cleartext Storage of Sensitive Information): When an attacker attempts to acquire the admin password stored in the tools_admin.php page, he requires physical access to a logged-on machine as credentials sent over the wire are not clear. Once the attacker acquires physical access, he can view the password via the HTML source of the page.

6. CVE-2020-13787 (Cleartext transmission of sensitive information): Attackers capturing network traffic and stealing data can access the password used for guest wifi network, it's done via an option 'Wired Equivalent Privacy' (WEP).

These 6 newly discovered vulnerabilities by Palo Alto Networks' Unit 42 researchers in the D-Link DIR-865L home wireless router can be exploited all at once to run arbitrary commands, delete information, upload malware, exfiltrate data or intercept information and obtain user credentials illicitly.

To stay protected against the session hijacking attacks, users are advised to default all traffic to HTTPS and stay updated with the latest available version of the firmware with fixes, one can find the firmware on the D-Link's website. The website also provides a 'how-to' tutorial for changing the time zone on the router for the users to further defend themselves from possible malicious attacks.

Banking Sector suffered more Credential Stuffing than DDoS Attacks


According to F5's cybersecurity agency's report published recently, the financial sector has been a victim of severe credential stuffing attacks than the DDoS attacks in the last three years. The statistics included attacks against the financial industry as a whole. It recorded attacks against the banks, credit unions, insurance companies, broker agencies, and other services like Saas (Software as a Service) and payment processors.


The report's conclusion rejects the common belief that the financial sectors suffer the most from DDoS attacks, as other prominent threat actors are emerging. Reports say that in recent times, brute force attacks, ATO (Account Takeover) attacks, credential stuffing attacks have done more considerable damage on the financial sectors than DDoS, from the year 2017-19.
The ATO attacks include:

  • Credential Stuffing- When the hackers try to attacks by using leaked usernames and passwords they find on websites. 
  • Brute Force Attacks- Hackers use very common or weak passwords from a list to carry out brute attacks. 
  • Password Spraying- Hackers use the same passwords but against many individuals. 
Similarities between Credential Stuffing and DDoS attacks 
According to F5's reports, the DDoS attacks surged in the year 2019, but these figures cant be entirely accurate. Some credential-stuffing and brute force attacks are so fast and destructive that they are sometimes mistaken for DDoS attacks. The reason for the rapid rise of credential stuffing and brute force attacks is because the availability of leaked usernames and passwords is getting shorter and shorter. Due to scarcity in leaked passwords, the hackers are trying to get as much as they can from the attacks, hence the increase. 

Banks in North America a bigger target
According to the experts, North American banks have witnessed the highest number of brute force and credential stuffing attacks because of the availability of leaked passwords and credentials of the North American users on the websites since the last decade. "The combination of a global rise in DoS attacks and an increasing focus in North America on credential-based attacks suggests some ambivalence among attackers regarding the best strategies for extracting value from financial services targets," concludes F5 in its report.

Cyber Attack Alert! Microsoft Gives Inside Revelations About RDP Brute Force Attacks


Microsoft conducted a long-term study, which majorly focused on RDP brute-force attacks, their success and the duration they last for.

Per sources, according to the reports of the study, over 0.8% of the RDP brute force attacks on an average last for about “2-3 days”. The study also revolved around the effect of such attacks on various business organizations.

Data from over 45,000 devices and workstations that ran “Microsoft Defender Advanced Threat Protection” (commercial version of the free Defender anti-virus app) was acquired in terms of RDP login related acts.

According to reports, both failed and successful attempts at RDP login was part of the data collected for the detailed study that spread across numerous months of dedication.

Reportedly, the aforementioned successful and failed events include Windows events with ID 4264 and 4265, correspondingly. The usernames that the attackers or users may have used were also collected.


Per sources, RDP, Remote Desktop Protocol happens to be a feature of the Windows operating system that enables the users to log into a “remote computer” or device by way of an interface that looks much like a desktop, by means of the computer’s public IP address and port 3389.

Businesses and organizations usually make use of RDP and its provisions to manage servers, workstations and other connected devices in remote areas. It’s easier for the administrators and employees alike to work that way.

Brute force attacks have been pretty common on Windows devices especially via open RDP ports. Automated tools that the hackers use help them to create various combinations of passwords and usernames to figure out the target computer’s RDP login details.

Simple and basic combinations stand at the top of the hit list. The password and usernames combinations that have previously been leaked on the dark web are also used the most.

Where on an average these brute force attacks last for 2 to 3 days, in 90% of the cases, as the reports have found out, the attacks last for around a week.

According to the study reports the attacks spread across days because the hackers were trying out selected combos per hour rather than blindly shooting combos.

This clearly helped the attackers dodge the chances of their attack Internet Protocols getting banned by the firewalls.

Microsoft, according to sources, also mentioned that “0.8% of the devices that were attacked by the brute-force attacks were compromised. Also, that on an average a machine was expected to have a high probability of being compromised leading to an RDP brute force attack every 3-4 days”.

Per sources it’s imperative to look for the following things in a sign-in attempt:
 Event ID 4625 login type
 number of other devices with RDP inbound connections from one or more of the same IP
 number of failed sign-ins
 Event ID 4625 failure reason
 The number count of a username and the times it failed to log in
 number of RDP inbound external IP
 an hour and the day of the failed sign-in
 RDP connections
 Timing of successful sign-in attempts

To secure your device from such attacks, it’s supremely essential to monitor unknown connections and failed sign-in attempts.