
Prometei Botnet: The Persistent Threat Targeting Global Systems

 

The Prometei botnet, active since at least 2016 and first publicly documented in 2020, continues to pose a persistent threat worldwide by exploiting unpatched software vulnerabilities. It has infected over 10,000 systems across diverse regions, including Brazil, Indonesia, Turkey, and Germany. Its resilience stems from its focus on widely used software, particularly on systems with weak configurations, unmonitored security controls, or missing patches. Germany's Federal Office for Information Security (BSI) has rated it a medium-impact threat, given its reach and its ability to bypass security controls. Prometei spreads in particular through unpatched or poorly configured Microsoft Exchange servers.

Critical Start’s Callie Guenther highlights Prometei’s strategy of leveraging regions with inadequate cybersecurity, making it effective against systems regardless of location. One notable aspect is its use of legacy vulnerabilities such as BlueKeep (CVE-2019-0708), the Remote Desktop Protocol (RDP) flaw with a critical CVSS v3 base score of 9.8. By targeting known issues, Prometei quickly gains access to poorly maintained systems that remain unprotected. A Prometei attack often starts with a series of network login attempts, typically originating from addresses associated with known botnet infrastructure. Once access is secured, the malware probes for further weaknesses, particularly old vulnerabilities like BlueKeep and EternalBlue (CVE-2017-0144, MS17-010). If successful, it propagates over Server Message Block (SMB) or uses the ProxyLogon flaws in Exchange (CVE-2021-26855 and the bugs chained with it) to push deeper into Windows environments.

Prometei’s reliance on old exploits might look unsophisticated; its approach is nevertheless strategic, seeking out vulnerable, under-maintained systems rather than contending with well-defended ones. Once established on a target, it uses several techniques to keep control and evade detection. It uses a domain generation algorithm (DGA) to make its command-and-control (C2) channel resilient, so operation continues even when some domains are blocked. It adds firewall rules so that its own traffic is not obstructed, and it sets up persistence so that it survives reboots. Among its more notable methods is turning on WDigest credential caching (the UseLogonCredential registry value under the WDigest security provider), which makes Windows keep users’ plaintext passwords in LSASS memory.

Having forced the system to cache passwords in plaintext, Prometei harvests and exfiltrates them, while evading detection by adding Windows Defender exclusions for its own files. Its primary goal appears to be cryptojacking: it uses the infected systems to mine the Monero cryptocurrency without the owners’ knowledge. It also installs an Apache web server that hosts a web shell, giving the attackers a backdoor through which to upload further malicious files or execute commands. According to Trend Micro’s Stephen Hilt, Prometei’s presence often signals deeper security problems, since it coexists with other malware and exposes weaknesses that other attackers can leverage for their own purposes. Notably, Prometei avoids certain regions, targeting systems outside the former Soviet countries: its command-and-control traffic is configured to avoid exit nodes in those countries, and the malware skips systems whose accounts carry the Russian-language names for “Guest” or “Other user”.
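The three host-side behaviours described above (a burst of failed network logons, WDigest plaintext caching being switched on, and a Defender exclusion being added) are each visible in Windows event logs, so a defender will want detection logic for them. The following Python is an added example, not code from the original post or from any of the vendors it cites. It runs three rules over constructed log lines in a flattened "timestamp event_id key=value" shape that stands in for a SIEM export. The event IDs are real (4625 failed logon; 4657 registry value modified, which only appears if object-access auditing is configured on the key; 5007 Microsoft Defender configuration changed), but the IP addresses, usernames, paths and line format are constructed, and the threshold of five failures within two minutes is an assumed tuning value.

```python
"""Rule-based detection of Prometei-style host activity over constructed Windows event lines.
Added example; not code from the original post or the reports it cites."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows event IDs used by the rules below.
FAILED_LOGON = "4625"     # Security log: an account failed to log on
REG_VALUE_SET = "4657"    # Security log: registry value modified (needs a SACL on the key)
DEFENDER_CONFIG = "5007"  # Windows Defender/Operational: antimalware configuration changed
WDIGEST_KEY = r"SecurityProviders\WDigest"

# Constructed sample in a flattened "<ISO time> <event id> k=v k=v" shape (not a real export).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; users and paths are made up.
SAMPLE_LOG = r"""
2024-05-02T10:00:01Z 4625 src=203.0.113.7 user=Administrator
2024-05-02T10:00:03Z 4625 src=203.0.113.7 user=admin
2024-05-02T10:00:05Z 4625 src=203.0.113.7 user=backup
2024-05-02T10:00:07Z 4625 src=203.0.113.7 user=sqladmin
2024-05-02T10:00:09Z 4625 src=203.0.113.7 user=Administrator
2024-05-02T10:00:40Z 4624 src=203.0.113.7 user=Administrator
2024-05-02T10:03:15Z 4657 key=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest value=UseLogonCredential new=1
2024-05-02T10:04:02Z 5007 detail=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\svc = 0x0
2024-05-02T11:30:00Z 4625 src=198.51.100.4 user=jdoe
"""


def parse_line(line: str) -> dict:
    """Turn one 'TIMESTAMP EVENT_ID k=v k=v' line into a dict.
    Values may contain spaces (Defender paths do), so a value runs until the next ' key='."""
    ts_str, event_id, rest = line.split(" ", 2)
    fields = dict(re.findall(r"(\w+)=(.+?)(?=\s\w+=|$)", rest))
    return {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "event": event_id, **fields}


def brute_force_sources(events: list, threshold: int, window: timedelta) -> list:
    """One alert per source that produced `threshold` failed logons inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == FAILED_LOGON and "src" in e:
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted timestamps
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"rule": "logon_brute_force", "src": src,
                               "failures": len(times), "first_seen": times[i]})
                break
    return alerts


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Apply all three rules; returns alert dicts (brute-force alerts first, then in log order)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = brute_force_sources(events, threshold, window)
    for e in events:
        # WDigest: UseLogonCredential set to 1 is the change that makes LSASS keep plaintext passwords.
        if (e["event"] == REG_VALUE_SET and WDIGEST_KEY in e.get("key", "")
                and e.get("value") == "UseLogonCredential" and e.get("new") == "1"):
            alerts.append({"rule": "wdigest_plaintext_enabled", "key": e["key"]})
        # Defender: any configuration change touching the Exclusions subtree deserves a look.
        elif e["event"] == DEFENDER_CONFIG and "Exclusions" in e.get("detail", ""):
            alerts.append({"rule": "defender_exclusion_added", "detail": e["detail"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The logon rule is the noisy one and needs tuning against your own baseline (the single failure from 198.51.100.4 correctly produces nothing); the WDigest rule is high-confidence on a modern Windows build, where that value should never be 1, and the Defender rule should be triaged by checking whether a change-management record exists for the excluded path.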

Older versions of Prometei also included Russian-language settings, hinting at Russian-speaking developers. The name “Prometei” is the Russian form of Prometheus, the Greek titan, a fitting emblem of the botnet’s own staying power. Prometei exemplifies the persistent and evolving nature of modern botnets. Its success with well-known but unpatched vulnerabilities underscores the importance of keeping systems patched and monitored. For organizations worldwide, especially those running legacy systems or with lax monitoring, Prometei is a reminder that outdated defenses leave systems open to attackers who will exploit any available gap.

FIRST Launched CVSS 4.0, Revolutionizing Cybersecurity Assessment and Risk Management

In a recent development, the Forum of Incident Response and Security Teams (FIRST) has unveiled version 4.0 of the Common Vulnerability Scoring System (CVSS). This release, arriving four years after CVSS v3.1, represents a noteworthy advancement in the standard used to rate the severity of cybersecurity vulnerabilities.

Before Understanding CVSS 4.0, Let’s Delve Into CVSS 

Before we get into CVSS 4.0, it is crucial to grasp the roots of the Common Vulnerability Scoring System. This framework had its beginnings back in 2005 when the National Infrastructure Advisory Council (NIAC) first introduced it. 

It plays a crucial role by providing essential information about vulnerabilities for security teams. Nowadays, the Forum of Incident Response and Security Teams (FIRST), a non-profit organization with over 500 global member organizations, manages CVSS as an open platform. 

CVSS offers a standardized way to measure the severity of software vulnerabilities. It takes into account factors such as how the vulnerability is reached, how hard it is to exploit, and what impact a successful exploit has. These considerations come together as a score from 0 to 10 that helps organizations decide which issues to prioritize and how to address them effectively.

Criticism of CVSS 3.0 which led to CVSS 4.0 

Version 3.0 of the Common Vulnerability Scoring System (CVSS), and the CVSS standard overall, have been widely regarded as effective at gauging the "impact" of a vulnerability.

A notable shortcoming, however, has been their ability to score the "exploitability" of a vulnerability accurately. Exploitability, the likelihood that a vulnerability is actually exploited, depends on factors such as required user interaction, the proficiency and capabilities of potential threat actors, and the configuration of the system in question, and the v3.x metrics captured these only coarsely.

FIRST's answer is CVSS v4.0, which keeps the familiar Base metrics but reworks how exploitability and downstream impact are expressed: Attack Complexity is split into Attack Complexity and a new Attack Requirements metric, the v3.x Temporal group is replaced by a Threat group built around Exploit Maturity, Scope is dropped in favour of separate Vulnerable System and Subsequent System impacts, and a new nomenclature (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE) makes explicit which metric groups a published score actually includes. The intent is to represent severity more realistically, so that organizations can decide which problems to fix first and allocate their resources accordingly.

CVSS 4.0 - What's New?

1. Attack Vector (AV):

• Considers how close an attacker needs to be to exploit a vulnerability.
• Determines whether the attack can happen over the internet (Network), from the same network segment (Adjacent), with local access (Local), or only with physical access (Physical).
• Network-reachable vulnerabilities score as more severe than the others.

2. Attack Complexity (AC):

• Describes the conditions beyond the attacker's control that must be overcome to exploit a vulnerability.
• Covers built-in defenses that complicate exploit development, such as having to defeat exploit mitigations or obtain target-specific secrets.
• Prerequisite conditions in the target's deployment (for example, winning a race condition or sitting in the network path) are split out in v4.0 into a separate base metric, Attack Requirements (AT), so that AC no longer mixes the two.

3. Privileges Required (PR):

• Outlines the level of privileges (None, Low, High) an attacker must already hold before exploiting a vulnerability.
• Does not consider how the attacker obtained those privileges.
• Considers only the extent of permissions needed for a successful exploit.

4. User Interaction (UI):

• Gauges whether successful exploitation requires a human other than the attacker to act, for example clicking a link in a phishing email, as opposed to a network-based exploit that needs no user involvement.
• v4.0 refines the v3.x yes/no answer into None, Passive (the user merely does something ordinary, such as viewing content) and Active (the user must take specific steps, such as accepting a warning).
• Vulnerabilities that need no user interaction score as more severe.

5. Scope:

• In v3.x, captured whether a vulnerability in one component affected resources beyond its own security authority.
• Removed as a base metric in CVSS version 4.0; its intent is carried instead by the separate Vulnerable System and Subsequent System impact metrics below.

6. Impact Metrics (Confidentiality, Integrity, Availability):

• Measure the consequences if a vulnerability is exploited successfully.
• v4.0 scores them twice: for the Vulnerable System (VC/VI/VA) and, newly, for any Subsequent System (SC/SI/SA) affected beyond the vulnerable one.

7. Exploit Maturity (E), formerly Exploit Code Maturity:

• Now the single metric of the Threat group, which replaces the v3.x Temporal group (Remediation Level and Report Confidence are dropped).
• Reflects how likely exploitation is, based on published exploit techniques, the availability of exploit code, and reports of exploitation in the wild.
• Values are Attacked (A), Proof-of-Concept (P), Unreported (U) and Not Defined (X); because the metric is optional, a score published without it is a CVSS-B score and should not be read as a full CVSS-BT assessment.

Additionally, the optional Supplemental metrics in CVSS 4.0 provide context beyond the severity assessment. Safety records whether exploitation endangers human safety, Automatable whether the attack can be automated across many targets, Recovery how the system recovers after an attack (automatic, user-driven, or irrecoverable), Value Density whether the resources an attacker gains control of are diffuse or concentrated, Vulnerability Response Effort how much work consumers face to respond, and Provider Urgency a supplier's own color-coded severity assessment. Together these metrics add depth and context for decision-making, with one caveat a practitioner should keep in mind: by design, Supplemental metrics do not change the numeric score, so they must be read from the vector string itself rather than expected to show up in the number.