Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label CISA. Show all posts
Vulnerabilities and Exploits
Chinese Hacker CISA FBI Ransomware Gang Vulnerabilities and Exploits

FBI And CISA Issues Warning of Ongoing ‘Ghost’ Ransomware Attack

 

Ghost, a ransomware outfit, has been exploiting software and firmware flaws since January, according to an FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisory issued last week.

The outfit, also known as Cring and based in China, focusses on internet-facing services with unpatched vulnerabilities that users might have fixed years ago, according to the agencies. Cybersecurity researchers initially raised concerns about the group in 2021. 

"This indiscriminate targeting of networks containing vulnerabilities has resulted in the compromise of organisations in more than 70 countries, including China," according to the notice issued by the Multi-State Information Sharing and Analysis Centre (MS-ISAC).

The notice lists the following vulnerabilities: Microsoft Exchange servers that are still vulnerable to the ProxyShell attack chain; servers running Adobe's ColdFusion for web applications; and issues in unpatched Fortinet security appliances. 
 
Critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses are among the listed victims since 2021, according to the notice. The goal is financial gain, with ransom demands occasionally amounting to hundreds of thousands of dollars.

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies further added. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.” 

The notice claims that the ransomware outfit employs common hacking tools like Cobalt Strike and Mimikatz, and that the malware they deploy frequently has file names like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. 

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies concluded. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.” 

Prevention tips 

To combat against Ghost ransomware attacks, network defenders should take the following steps:

  • Create regular, off-site system backups that cannot be encrypted by ransomware. 
  • Patch the operating system, software, and firmware vulnerabilities as quickly as feasible.
  • Focus on the security holes targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). 
  • Segment networks to restrict lateral movement from compromised devices. 
  • Implement phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email service accounts.
Read more »
Multi-Factor Authentication (MFA)
CISA Cyber Security Cybersecurity measures FBI FIDO Hackers MFA mobile phone Multi-Factor Authentication (MFA)

CISA's Enhanced Mobile Security Recommendations Following U.S. Telecom Breach

 



The Cybersecurity and Infrastructure Security Agency (CISA) issued updated recommendations in December 2024 aimed at enhancing mobile phone cybersecurity. Following a significant hack involving major U.S. telecom companies like AT&T, Verizon, and Lumen Technologies, these guidelines focus on adopting more secure multifactor authentication (MFA) methods. 
  
Understanding MFA and Its Vulnerabilities 
 
Multifactor authentication (MFA) is a popular cybersecurity measure requiring users to provide additional verification beyond a password. Common practices include:
  • Text Message Verification: Receiving a one-time code via SMS.
  • Device-Based Approvals: Confirming login attempts on associated devices.
However, CISA has raised concerns about the vulnerability of certain MFA techniques, particularly text-based verification. Text message-based MFA, while convenient, is susceptible to interception by hackers. 

The breach highlighted flaws in text messaging systems, particularly when messages were sent between incompatible platforms like Android and iPhone. Malicious actors exploited these weaknesses to intercept authentication codes and gain unauthorized access to user accounts. While CISA continues to advocate for MFA, it strongly urges users to shift away from text-based methods. 

  
Recommendations for Safer Alternatives 

 
CISA recommends adopting authenticator apps as a more secure MFA option. These apps generate time-sensitive codes that operate independently of messaging systems, making them less prone to interception. However, they remain vulnerable to phishing attacks, where users may be tricked into revealing sensitive information. 

For users seeking the most secure MFA solution, CISA suggests transitioning to phishing-resistant methods like the FIDO (Fast Identity Online) protocol. Developed by the FIDO Alliance, this technology eliminates traditional passwords and uses:
  • Digital Passkeys: Unique codes linked to user accounts.
  • Physical USB Devices: Hardware keys that connect to computers.
The FIDO protocol also supports PINs and biometric identifiers like fingerprints and facial recognition, providing a robust defense against phishing attempts. 

CISA’s latest recommendations highlight the growing need for stronger cybersecurity measures. By moving away from text-based MFA and adopting secure alternatives like authenticator apps and the FIDO protocol, users can better protect their personal information and maintain digital security in an increasingly interconnected world.
Read more »
US Agency
Chinese Hackers CISA cyber espionage Cyber Security US Agency

CISA Issues Mobile Security Guidelines Amid Cyber Espionage Threats

 

The US Cybersecurity and Infrastructure Security Agency (CISA) released a comprehensive guide on Wednesday to help individuals in highly targeted positions protect their mobile communications from malicious actors. This move follows a series of sophisticated telecom hacks that impacted major US wireless carriers, including Verizon, AT&T, Lumen Technologies, and T-Mobile. The attacks were linked to Salt Typhoon, a China-backed cyber espionage group.

Earlier this month, the US government emphasized strengthening communications infrastructure security, with specific focus on risks tied to Cisco devices, a prime target for state-sponsored hackers. In line with this, CISA unveiled its Mobile Communications Best Practice guide, aimed at mitigating risks posed by foreign threat actors, especially Chinese cyber espionage groups.

Who Needs This Guide?

CISA’s guidelines are tailored for individuals in senior government and political roles, who are more likely to possess information of interest to sophisticated threat actors. The agency warned, “Highly targeted individuals should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation.”

Key Recommendations

  • Use Encrypted Messaging Apps: CISA recommends apps like Signal, which provide end-to-end encryption and features like vanishing messages for enhanced privacy.
  • Enable Phishing-Resistant MFA: Implement Fast Identity Online (FIDO) multi-factor authentication and avoid SMS-based MFA for improved account security.
  • Adopt Additional Security Practices:
    • Use password managers and telco PINs or passcodes for mobile accounts.
    • Regularly update operating systems and applications.
    • Opt for the latest phone models from manufacturers with strong security records.
    • Avoid private virtual private networks (VPNs) due to potential vulnerabilities.

Special Recommendations for Android Users

Android device users are advised to:

  • Enable end-to-end encryption in Rich Communication Services (RCS).
  • Protect DNS queries and use secure connections in Chrome.
  • Activate Enhanced Protection in Safe Browsing and Google Play Protect.
  • Limit unnecessary app permissions to reduce exposure to vulnerabilities.

As cyber threats grow in complexity, CISA’s proactive guidelines serve as a critical resource for mitigating risks and securing sensitive communications. For the complete document, visit the CISA website.

Read more »
Vulnerability
CISA Critical Exploits cyberattacks trending news News Vulnerabilities Vulnerability

CISA Warns of Critical Exploits in ProjectSend, Zyxel, and Proself Systems


Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has discovered and added three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, impacting North Grid Proself, ProjectSend, and Zyxel firewalls, are being actively exploited, posing serious risks of data breaches and operational disruptions to unpatched systems. At the time of publishing, Zyxel acknowledged the issue and advised users to update their firmware promptly and strengthen admin credentials.

Vulnerabilities Identified in North Grid Proself, ProjectSend, and Zyxel Firewalls

North Grid Proself Vulnerability (CVE-2023-45727): A severe XML processing vulnerability in North Grid Proself has been identified, allowing attackers to bypass restrictions and access sensitive server data. Systems running versions older than 5.62, 1.65, and 1.08 are vulnerable to exploitation through maliciously crafted XML requests, which can extract sensitive account information.

ProjectSend Vulnerability (CVE-2024-11680): A critical authentication flaw in ProjectSend, an open-source file-sharing platform, has been flagged with a CVSS severity score of 9.8. Versions prior to r1720 are susceptible to attacks where malicious actors manipulate the options.php file using crafted HTTP requests. This enables them to create unauthorized accounts, upload webshells, and inject harmful JavaScript code. Security researchers from VulnCheck report that attackers are leveraging automated tools such as Nuclei and Metasploit to exploit this vulnerability.

Notably, exploitation attempts are marked by altered server configurations, including random strings in landing page titles—a trend observed since September 2024. Despite a patch being released in May 2023, over 4,000 exposed instances remain vulnerable.

Zyxel Firewall Vulnerability (CVE-2024-11667): Zyxel firewalls running firmware versions between V5.00 and V5.38 are vulnerable to a directory traversal attack. This flaw allows attackers to upload or download files via manipulated URLs within the web management interface, potentially compromising system integrity.

Exploitation Attempts and Mitigation Strategies

ProjectSend instances have been the primary focus of attackers. Public-facing systems have seen unauthorized user registrations—a setting not enabled by default—facilitating access for malicious actors. Webshells uploaded during these attacks are often stored in predictable directories, with filenames tied to timestamps and user data. Organizations are urged to review server logs to identify and address suspicious activities.

Under Binding Operational Directive (BOD) 22-01, federal agencies must prioritize these vulnerabilities, while CISA has recommended that private organizations take immediate action to mitigate the risks. Updating software, reviewing server configurations, and enhancing log analysis are critical steps to safeguard systems from exploitation.

Read more »
regulatory measures
Change Healthcare CISA Cyber Security cybersecurity in healthcare Healthcare Cyberattacks HHS MFA regulatory measures

Proposed US Bill Mandates MFA and Cybersecurity Standards for Healthcare

 

A bipartisan group of US senators has introduced new legislation aimed at strengthening cybersecurity in American hospitals and healthcare organizations. The Health Care Cybersecurity and Resiliency Act of 2024 seeks to mandate the adoption of multi-factor authentication (MFA) and establish minimum cybersecurity standards to protect sensitive health information and ensure system resilience against cyberattacks. 

The proposed law, unveiled by Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), aims to improve coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Under this legislation, HHS would have a year to develop a comprehensive cybersecurity incident response plan and update the breach reporting portal with additional transparency requirements. 

Currently, healthcare entities classified as “covered entities” under HIPAA are obligated to report breaches to HHS. The new legislation expands these requirements, compelling organizations to disclose the number of individuals affected by a breach, corrective actions taken, and recognized security practices considered during investigations. The HHS secretary would have discretion to add further information to the portal as needed. In addition to enforcing MFA and encrypting protected health information, the bill outlines broader cybersecurity mandates. Covered entities and their business associates would need to adopt minimum standards defined by HHS, conduct regular audits, and perform penetration testing to validate their security measures. 

Senator Cassidy, a medical doctor and ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, underscored the urgency of this legislation. “Cyberattacks on our healthcare sector not only put patients’ sensitive health data at risk but can delay life-saving care,” Cassidy emphasized. The devastating impact of cyberattacks on healthcare was exemplified earlier this year when a ransomware gang targeted Change Healthcare, compromising sensitive health data from approximately 100 million individuals. 

The attack disrupted healthcare services nationwide and cost the UnitedHealth-owned company over $2 billion in remediation efforts, taking nine months to restore its operations. This high-profile incident spurred additional legislative action. Senators Warner and Ron Wyden (D-Oregon) proposed another bill earlier this year to establish mandatory minimum cybersecurity standards for healthcare providers and related organizations. 

 If enacted, the Health Care Cybersecurity and Resiliency Act would mark a significant step in fortifying the healthcare sector’s defenses against cyber threats, ensuring the security of patient data and the continuity of critical healthcare services.
Read more »
MirrorFace
CISA cyber espionage Cyber Security Japan MirrorFace

CISA Urges Immediate Fix for Critical Array Networks Flaw

 


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical security flaw in Array Networks AG and vxAG secure access gateways. The flaw, identified as CVE-2023-28461, has been under active exploitation by attackers. CISA has advised the federal agencies to install patches before December 16, 2024, in order to protect their systems. 


Understanding the Vulnerability

The flaw, rated with a critical severity score of 9.8, is caused by missing authentication in the software, enabling attackers to remotely execute harmful commands or access sensitive files without proper authorization. According to Array Networks, the vulnerability can be triggered by sending specific HTTP headers to vulnerable URLs.

A patch for this weakness was issued in March 2023 (version 9.4.0.484), but follow-up attacks indicate many systems have not been patched yet. Organizations using this application should update now to ensure the integrity of their network.


Who is attacking this flaw?

A cyber espionage group known as Earth Kasha, or MirrorFace, has been identified as actively exploiting this flaw. Tied to China, the group usually targets entities in Japan, but its activities have also been seen in Taiwan, India, and Europe.

In one attack, Earth Kasha used the weakness to spearhead a campaign of compromise against a European diplomatic body. The attackers were phishing emails referencing the future World Expo 2025 to be held in Japan that would lure victims to download a backdoor called ANEL. 


Vulnerability of Systems 

The cyber security firm VulnCheck stated that more than 440,000 devices with internet access may be prone to attack because of this type of vulnerability. Also, it was indicated in the report that in 2023 alone, 15 Chinese-linked hacking groups targeted at least one of the top 15 commonly exploited flaws. 


How Can Organizations Protect Themselves 

To minimize such threats, organizations must:

  1. Ensure all systems that implement Array Networks software are maintained on the latest patched version. 
  2. Reduce your exposure to sensitive devices on the internet whenever possible.
  3. Use robust patch management and monitoring systems to augment your defenses.
  4. Educate yourself through threat intelligence reports to understand emerging risks.


CISA Message to Agencies

Such direction has been given to agencies of the federal government for immediate action. By the utilization of these patches, they are capable of avoiding possible security breaches and further strengthening themselves against more complex cyber attacks. This reminder underscores a very critical point in proactive cybersecurity.


Read more »
T-Mobile
Chinese Cyber Threat CISA Cyber Crime cyber espionage Cyber Hackers Cyber Threats CyberCrime Cybersecurity Seerver T-Mobile

T-Mobile System Intrusion Tied to Chinese Cyber Threat

 


T-Mobile Corporation has confirmed that it has been a victim of cyber-espionage campaigns launched against telecom companies for a long time. T-Mobile is the latest telecommunications company to report being affected by a large-scale cyber-espionage campaign waged by state-sponsored hackers in China. 

There has been some confusion as to whether the breach involves customer data or critical systems. However, T-Mobile has maintained that there has been no significant impact on its customers' data and critical systems. This breach is part of a larger attack on major telecom providers, raising questions regarding the security of critical communications infrastructure around the world. 

It has been reported that the FBI and CISA are pursuing investigations into a massive cyber-espionage campaign perpetrated by Chinese-linked threat actors that targeted U.S. telecommunications, stealing call records and accessing private communications of government officials and political figures by compromising networks. 

It was confirmed by the USA intelligence agencies that Chinese threats had penetrated the private communications of a "limited number" of government officials after several U.S. broadband providers had been compromised. 

A cyber spy stole personal information belonging to the targeted individuals, according to court orders, which were subject to a search warrant by the United States government to gather that information. This attack was conducted by an intrusion team targeting the World Expo scheduled to take place in Osaka, Japan in 2025, as a lure for the intrusion team, according to ESET's APT Activity Report for the period between April and September 2024.

MirrorFace continues to capture the attention of Japanese people and events, despite this new geographical target, proving their dedication to Japan and its related events. MirrorFace, as well as Earth Kasha, is one of the clusters categorized under an umbrella group called APT10, which includes other clusters classified under Earth Tengshe and Bronze Starlight, as well. 

At least since 2018, the company has been targeting Japanese organizations, although its operations have been further expanded to include Taiwan and India with a new campaign observed in early 2023, albeit it is still focused on the Japanese market. During the hacking crew's history, it has evolved from a few backdoor programs, namely ANEL (a.k.a. Uppercut), LODEINFO, and NOOPDOOR (also known as HiddenFace), to an arsenal of infections, which now consists of backdoors and credential thieves, such as MirrorStealer and ANEL. 

Having said that, it's important to note that T-Mobile's cybersecurity practice has recently been subjected to massive criticism since it's experienced a lot of data breaches in recent years. It was part of the company's settlement with the FCC of $31.5 million for previous breaches, of which half was for an improvement of the security infrastructure. The data breaches that have repeatedly targeted T-Mobile, which is owned by Deutsche Telekom Corporation, have been one of the most challenging aspects of the company's recent history. 

According to the company, back in August 2021, 49 million T-Mobile account holders were affected by the data breach, but the hackers claimed that they had stolen data from 100 million users on the network. According to T-Mobile, it is actively monitoring the situation and is working closely with government officials to investigate the breach to prevent any further issues from occurring. Currently, there is no evidence that the company's systems have hurt the privacy, security, or functionality of its customers, but the firm maintains that no harm has been caused. 

The company is paying close attention to this industry-wide attack that is affecting the entire industry. Quite to the contrary, due to the security controls in our network structure, and the diligent monitoring and response of our systems, T-Mobile has not witnessed any significant impact on its data or systems. As far as we are aware, no evidence has been found that the company's customer or other sensitive information has been accessed or exfiltrated as other companies may have done. 

The situation will be closely monitored by industry peers as well as the relevant authorities, and we will work with them to resolve it.” A recent incident at T-Mobile has come at a time when the company is expanding its cyber-security practices to combat these threats. In February of this year, the company settled a $31.5 million lawsuit with the Federal Communications Commission, more than half of which was devoted to improving security infrastructure as a result of its prior breaches. 

The T-Mobile Security breach is a prime example of the unique challenges that face the telecommunications sector, which is classified as critical infrastructure under federal law because of its importance to the nation. As an upstream provider of information and communications, telecommunications companies play a vital role in healthcare, government, and the private sector, allowing everything from emergency services to business transactions to personal connectivity to take place. 

Therefore, these networks are prime targets for state-sponsored cyber campaigns that seek to exploit their role in facilitating sensitive communications by exploiting their vulnerability to state-sponsored cyber campaigns. There has been a shift in how cyber-espionage tactics have been used over the past few years twhichis disturbing. Attackers like Salt Typhoon take advantage of wiretap systems and sensitive communication channels to steal data and compromise the integrity of systems and networks vital to national security efforts. 

As part of a new analysis published on November 19, 2024, Trend Micro discovered that the MirrorFace actor was using the vulnerability of Array AG (CVE-2023-45727), Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-45727) for the initial access of its public-facing enterprise products, which enabled the MirrorFace attacker to access the products. It has been reported that they had installed several backdoors within the victim's network after gaining access to achieve persistence on the network," said security researcher Hara Hiroaki. Among these are the 'Cobalt Strike' and 'LODEINFO' programs, as well as the 'NOOPDOOR' program that was discovered last year. 

A sophisticated and complex implant like NOOPDOOR can be decrypted and launched using a shellcode loader named NOOPLDR to install it on the system. It includes built-in functions, in addition to modules that enable the uploading and downloading of files, the running of additional programs, and the communication with a server controlled by an attacker either actively or passively. As a result, Hiroaki noted, both active and passive modes, for the most part, use different encryption algorithms, as well as backdoor commands, respectively, which means that the channels can't be accessed by one another and are completely independent of one another.
Read more »
Telecom Firms
CISA cyber espionage Data Breach Telecom Firms

US Exposes Major Chinese Cyber-Espionage Targeting Telecom Networks

 


The United States has accused China of conducting a vast cyber espionage operation that targeted multiple telecommunications networks. The hackers allegedly stole sensitive data and intercepted communications relating to a few government and political leaders. The incident raises national security concerns, in which officials are sounding warning bells.

US officials said that Chinese state-sponsored hackers broke into the systems of several telecom companies, looking to syphon away customer call records and gain unauthorised access to communication data. In some cases, the attackers allegedly copied information sought by US law enforcement through court-approved procedures, said analysts. That's a disturbing breach of sensitive data.

This is receiving full-time investigation by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to help targeted companies. Officials said they are only slowly learning the extent of what happened, but preliminary reports indicate a sophisticated attack that probably reaches virtually everywhere in the country.


 

Key Targets and Methods


Unnamed sources suggest that major telecom providers, including AT&T and Verizon, were among those breached. Hackers allegedly found a way into systems used for court-authorised wiretaps, bypassing security measures. Microsoft identified the group responsible as “Salt Typhoon,” a hacking collective linked to the Chinese state.


According to reports, this group had been undetected for months before exploiting vulnerabilities to gain access to sensitive communication networks. The list of allegedly targeted big fish includes former President Donald Trump, members of his family, and Vice President Kamala Harris' campaign staff. 


Impact Beyond Large Companies

The scope of the attack does not only extend to big corporations. Regional internet service providers were also targeted, which shows how the hackers covered many areas. Experts think that the attackers must have abused the wiretap systems by monitoring some specific numbers, which may give them audio data through such breaches.

 

Wider Issues and Follow-Up Investigations

US authorities have already informed dozens of affected organisations. Classified briefings have lately been conducted to enlighten lawmakers on the serious implications. Senator Ron Wyden, who attended one of the briefings described the breach as deeply concerning in regard to its implications across various sectors.

While the probe is still ongoing, more efforts have been committed toward discovering the scope of the operation. According to a State Department official, this attack highlighted vulnerabilities in telecom systems believed to have been secure, and a greater need for upgraded cyber defence mechanisms is therefore urgent.

This incident typifies the dynamic threat of state-sponsored cyberattacks with regard to challenges in safeguarding critical infrastructure. The US is to enhance its defence mechanisms and systems for better preparedness to such breaches in the future as investigations continue.

Read more »
Subscribe to: Posts (Atom)