Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label HTTP Attacks. Show all posts

Understanding HTTPS Spoofing: A Deceptive Online Threat

 

Online security is no longer a luxury but an absolute necessity in today's digital age. For the average internet user, spotting the reassuring green padlock symbol and the "https://" prefix in their browser's address bar has become a common sight, indicating a secure connection.

However, hidden beneath this facade of security lurks a menacing threat known as "HTTPS spoofing," which poses a significant risk to data integrity, user privacy, and the trust we place in our online interactions.

To protect from the perils of HTTPS spoofing, it's crucial to understand the various types of attacks, how they operate, and the potential consequences they entail.

Understanding HTTPS and HTTPS Spoofing

Before delving into the intricacies of HTTPS spoofing, it's essential to grasp the fundamentals of HTTPS itself. Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol responsible for transmitting data between a user's web browser and a website's server. HTTPS employs encryption techniques, primarily SSL/TLS protocols, to guarantee data confidentiality, integrity, and authenticity during transmission.

When you come across the familiar green padlock icon and "https://" at the beginning of a website's URL, it signifies that your connection with the website is encrypted. This encryption serves as a safeguard against malicious actors attempting to intercept or manipulate the data being transmitted.

However, HTTPS spoofing is a malicious manipulation of the security features inherent in HTTPS. It involves cyber attackers creating deceptive websites that skillfully mimic the appearance of legitimate ones. These fraudulent sites proudly display the coveted green padlock and "https://" in the address bar, deceiving users into believing they are interacting with a secure and reputable website. In reality, any sensitive information shared on these platforms is at grave risk of being compromised.

Varieties of HTTPS Spoofing Attacks

The realm of HTTPS spoofing encompasses various attack vectors, each targeting specific facets of online security.

1. Phishing Attacks: Phishing attacks exploit users' psychological vulnerabilities, tricking them into divulging sensitive information. Attackers craft fake websites that closely resemble legitimate ones, often replicating logos, layouts, and content to create the illusion of authenticity. Victims are lured into sharing their personal and financial data, under the false belief that they are interacting with a trustworthy site.

2. Man-in-the-Middle Attacks: Man-in-the-Middle (MitM) attacks involve intercepting communications between a user's device and a website's server. Attackers position themselves invisibly between the two parties, enabling them to capture and potentially alter the data in transit. Through HTTPS spoofing, attackers can create a false sense of security, gaining access to sensitive data while remaining undetected.

3. SSL Stripping: SSL stripping is a cunning technique where intruders force a secure HTTPS connection to downgrade into an unencrypted HTTP connection. Users are often unaware of this transition, as attackers manipulate the communication between the user and the website. Victims believe they are on a secure site, while their data becomes susceptible to interception and manipulation.

How HTTPS Spoofing Operates

The mechanics of HTTPS spoofing involve exploiting vulnerabilities in the way browsers display security indicators and how users perceive them. Here are the steps that intruders take to execute HTTPS spoofing:

1. Crafting Deceptive Websites: Attackers design deceptive websites that mirror the appearance of legitimate ones, using similar domain names, logos, and content to create an illusion of authenticity.

2. Obtaining Fake Certificates: To deceive users, cyber attackers obtain counterfeit SSL/TLS certificates for their deceptive websites. These certificates are crucial in generating the green padlock icon and "https://" in the browser's address bar, fostering a false sense of security.

3. Manipulating Browser Behavior: Browsers are designed to prioritize displaying the green padlock and "https://" in the address bar, conveying a message of security to users. Attackers exploit this behavior to ensure their deceptive websites trigger these security indicators.

4. Luring Users: Cyber attackers entice users to their fraudulent websites through various means, including phishing emails, malicious links, or compromised advertisements. The presence of familiar security indicators can lead users to believe they are safe, encouraging them to share sensitive information.

5. Data Interception: Once users input their sensitive data, such as login credentials, credit card numbers, or personal details, attackers capture this information. Despite the appearance of security, the sensitive data falls into the hands of cybercriminals.

Risks and Consequences of HTTPS Spoofing
The risks associated with HTTPS spoofing are extensive and can lead to dire consequences:

1. Data Theft and Privacy Breaches: The foremost risk is the theft of sensitive data. Attackers can pilfer users' login credentials, financial information, and personal details, leading to identity theft and severe invasions of privacy.

2. Financial Loss: Stolen financial information can result in unauthorized transactions and financial losses. Victims may find themselves dealing with fraudulent credit card charges, unauthorized withdrawals, or drained bank accounts.

3. Reputation Damage: Businesses falling victim to HTTPS spoofing attacks may suffer substantial damage to their reputation. Customers who are victimized may lose trust in the business's ability to secure their information, potentially resulting in a loss of customer base.

4. Malware Infections: Attackers can exploit HTTPS spoofing to distribute malware. Unsuspecting users who interact with deceptive websites may inadvertently download malicious software onto their devices, endangering their digital environment.

5. Legal and Regulatory Consequences: For businesses, a failure to adequately protect user data can lead to legal repercussions and regulatory fines. Violations of data protection regulations, such as GDPR or HIPAA, can result in severe financial penalties.

Protecting Against HTTPS Spoofing

Mitigating the risks posed by HTTPS spoofing demands a proactive and multifaceted approach:

- Stay Vigilant: Educating users about the perils of phishing and the importance of verifying website domains is essential. Encourage users to scrutinize URLs, inspect SSL certificates, and exercise caution with unsolicited communications.

- Implement Multi-Factor Authentication: Adding an extra layer of security through multi-factor authentication can thwart attackers, even if they manage to steal credentials.

- Regular Monitoring: Regularly monitoring certificate transparency logs can help identify unauthorized SSL certificates issued for your domain, aiding in detecting potential spoofing attempts.

- Security Awareness Training: Businesses should provide regular security awareness training for employees to empower them to recognize phishing attempts and suspicious websites.

- Keep Software Updated: Keeping browsers and security software up to date ensures protection against emerging threats and vulnerabilities.

By adopting robust security practices, staying informed about emerging threats, and fostering a culture of cybersecurity awareness, individuals and organizations can effectively thwart cybercriminals seeking to compromise data, privacy, and the trust that underpins online interactions.

Lazarus Hackers Exploit Windows IIS Web Servers for Initial Access

 

The notorious Lazarus hacking group has once again made headlines, this time for targeting Windows Internet Information Services (IIS) web servers as a means of gaining initial access to compromised systems. The group, believed to have links to the North Korean government, has a long history of conducting high-profile cyberattacks for various purposes, including espionage, financial theft, and disruption.

According to security researchers, Lazarus has been exploiting a vulnerability in Microsoft Internet Information Services (IIS) servers, specifically targeting those running older versions such as IIS 6.0 and IIS 7.0. This vulnerability tracked as CVE-2021-31166, allows remote code execution and has been previously patched by Microsoft. However, many organizations still fail to apply these critical security updates, leaving their systems vulnerable to exploitation.

The attack campaign starts with the hackers sending specially crafted HTTP requests to the targeted IIS servers, triggering a buffer overflow and ultimately allowing the execution of arbitrary code. Once the hackers gain a foothold in the compromised system, they can further expand their access, exfiltrate sensitive data, or even deploy additional malware for advanced persistence.

The motives behind Lazarus' targeting of IIS servers remain unclear, but given the group's history, it is likely to involve espionage or financial gain. It's important to note that the Lazarus group has been involved in numerous high-profile attacks, including the infamous WannaCry ransomware attack in 2017.

To protect against such attacks, organizations must prioritize the security of their web servers. This includes ensuring that all necessary security updates and patches are promptly applied to IIS servers. Regular vulnerability scanning and penetration testing can help identify any weaknesses that could be exploited by threat actors.

Additionally, organizations should implement robust security measures, such as web application firewalls (WAFs) and intrusion detection systems (IDS), to detect and block suspicious activities targeting their web servers. Strong access controls, regular monitoring of system logs, and user awareness training are also crucial in mitigating the risk of initial access attacks.

The Lazarus group's continued activities serve as a reminder that cyber threats are ever-evolving and require constant vigilance. Organizations must stay proactive in their approach to cybersecurity, staying up to date with the latest threats and implementing appropriate measures to protect their systems and data.

Installing Software via Google Poses Concerns

Researchers and a keystream sample of inquiries claim that while browsing Google for downloads of well-known software has always had certain dangers, in recent months it has become downright risky. 
On Thursday, volunteers at Spamhaus stated that threat researchers were accustomed to receiving a moderate volume of malicious advertising through Google Ads. 

Multiple malware groups, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader, are responsible for the rise. In the past, these groups frequently depended on spam attachments with malicious Microsoft Word papers that had booby-trapped macros. The past month has seen Google Ads develop into the preferred channel for thieves to disseminate their malicious software, which is disguising itself as a legitimate download by mimicking well-known companies including Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, and Thunderbird.

This week, researchers from the security firm Saiflow discovered two flaws in older versions of the Open Charge Point Standard, an open-source protocol used to operate many electric vehicle charging stations (OCPP). An attacker might take control of a charger, disable groups of chargers, or steal electricity from a charger for their own use by utilizing weak instances of the OCPP standard, which is used to communicate between charges and management software. To reduce the risks posed by the vulnerabilities, Saiflow claims to be collaborating with manufacturers of EV chargers.

Hegel from Sentinel One provides one case: Real C2 traffic is masked by Formbook and XLoader's HTTP requests to several sites that are randomly chosen from an embedded list and sent with encoded and encrypted content. The rest of the domains are merely ruses; only one is the actual C2 server. A sample that we examined sent HTTP GET and/or POST requests to the 17 domains (16 endpoints) specified in the IOC table below while encoding and encrypting the HTTP data. The implementation of this technology in particular by XLoader is covered in length in prior research.

The strategy of disguising the genuine C2 domain by beaconing to many domains continues to be supported by earlier studies. The malicious software sends beacons to websites that have valid or unregistered domains. The accompanying figure, which is a snapshot of some of the domains the virus contacts, demonstrates the vast range of domain ages, hosting companies, and registration dates.

The use of decoy domains or other obfuscation techniques to hide the real control servers used in the pervasive MalVirt and other malvertising campaigns continues to be effective unless Google develops new protections. MalVirt also spreads malware that is difficult to detect.


Cisco Fixes a Major Issue in Small Business Routers


Several end-of-life (EoL) VPN routers are affected by a critical authentication bypass flaw that Cisco alerted customers. The issue has publicly available attack code. Hou Liuyang of Qihoo 360 Netlab discovered the security hole (CVE-2023-20025) in the internet management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

CVE-2023-20025 validation of user input within incoming HTTP packets could enable an unauthorized remote attacker to bypass authorization on an affected system. An attacker could send false HTTP requests to the router, bypass authentication, and get root access to the operating system due to a flaw where user input within inbound HTTP packets is not properly validated.

The second vulnerability, identified as CVE-2023-20026, could enable remote code execution (RCE), but in order to exploit it, an attacker must have access to the device in question. As a result, the bug is graded medium and has a CVSS score of 6.5.

According to Cisco, the flaws do not need to be exploited in tandem by attackers and are independent of one another. However, it would be simple to exploit an authentication bypass with a remote code execution flaw that first requires attackers to be able to authenticate.

An effective mitigation, as per Cisco, is to stop remote administration of the routers and block access to ports 443 and 60443, making the routers only reachable through the LAN interface, even though there are no fixes for the issues. Despite the routers were stopped, researchers found that the installed base still exists. Out-of-date equipment frequently remains in commercial settings even after it has been disconnected, providing a fertile target for cyber attacker's.

As per Mike Parkin, senior technical engineer at Vulcan Cyber, the Cisco small business routers afflicted by such flaws still see pretty broad usage, even they are all finally end of term.  A difficulty is that the devices are frequently used by people who may not have the money to replace them or by smaller firms with limited resources.

SMB routers are widely used, since many users now work from home or hybrid offices, not just SMBs that are affected. The susceptible product could be used by branch offices, COEs, or even home offices.



Must Follow Guidelines for API Security

An online store can collect payments via the PayPal API, for instance, rather than developing their own payment gateway. APIs serve the required function while sparing business time and effort, which is why it is evident they are useful. 

Protecting these APIs from security risks and breaches entails securing them together with all linked apps and users. 

APIs are used by businesses to link services and move data. Major data breaches are caused by compromised, broken, or exposed APIs. They make private and delicate financial, medical, and personal information available to the public. However, not all data is created equal, and not all data should be safeguarded in the same way. The type of data being exchanged will determine how you should approach API security. 

In the last 12 months, 95% of firms encountered an API security issue, according to the most recent Salt Labs State of API Security report. Additionally, during the past year, a variety of businesses—including Facebook, Experian, Starbucks, and Peloton—have experienced public API problems. Clearly, APIs need more protection against intrusions than the present crop of application security approaches can provide.

Security leaders need to carefully examine the way they are currently approaching API security to fix the issue. Understanding how a third-party application is sending data back to the internet is important if user API connects to one. 

Strategies for API Security

  1.  Put a secure authentication and authorization protocol into action: The first stage in an API security approach is authenticating and authorizing the appropriate users.
  2. Implement the "Least Privilege" Principle: The attack surface is decreased by restricting access to only essential tasks, which helps reduce the exposure to security breaches.
  3.  Constrain Data Sharing: To find weak spots, keep track of the data shared between apps, APIs, and users, and then secure them by restricting the shared data.
  4. Not utilize HTTPS: In order to communicate data securely, APIs employ HTTP connections and require Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
  5.  Implement a policy of zero trust: We can leave out the zero-trust policy when discussing API security advice. It operates under the premise that no user, device, or server should be trusted until proven otherwise.
  6. Implement data logging: Logs provide admins with a wealth of information that can be utilized to enhance API security and assist with manual inspection and monitoring.
Security requires ongoing work in the age of technology and the internet. Unfortunately, security problems would not disappear, and as IoT technology grows more widespread, the dangers and vulnerabilities will only become worse. Beware of such ineffective strategies for API security. The security strategy must broaden to keep up with attackers' growing skill sets. 

Being proactive is vital, which means keeping an eye on current technology, patching up any flaws, and implementing cutting-edge cybersecurity measures.

Android Spills Wi-Fi Traffic When VPNs Are Enabled

Regardless of whether the Block connections without VPN or Always-on VPN options are turned on, Mullvad VPN has found that Android leaks traffic each time the device links to a WiFi network. 

Source IP addresses, DNS lookups, HTTPS traffic, and most likely NTP traffic are among the items that are being leaked outside VPN tunnels. With the help of a VPN, encrypted data can flow anonymously and be untraceable between two sites on the internet. Consider passing a ping pong ball to someone else across a table as an example. The ball is freely available for third parties to take, manipulate, and return to their intended location. It would be far more difficult to intercept the ball if it were to roll through a tube. 

Information is difficult to obtain because data goes through VPNs similarly. The source and destination of the data packet are likewise obscured because it is encrypted. The Android platform was intentionally designed with this behavior. However, due to the erroneous description of the VPN Lockdown functionality in Android's documentation, users were probably unaware of this until now.

The finding was made by Mullvad VPN while conducting an unpublished security check. The supplier has submitted a feature request to Google's Issue Tracker to fix the problem. A Google developer, however, stated that the functionality was working as intended and that Google has no plans to change it.

"We have investigated the feature request you have raised, and we are pleased to inform you that everything is operating as intended. We don't believe there is a compelling reason to offer this because we don't believe most consumers would grasp it," the Google engineer added.

Unfortunately, Always-on VPN is not totally functioning as intended and contains a glaring weakness, according to a Swedish VPN company by the name of Mullvad. The issue is that Android will send a connectivity check, every now and then to see whether any nearby servers are offering a connection. Device information essential to connectivity checks includes IP addresses, HTTPS traffic, and DNS lookups. Even with Always-on VPN turned on, anyone monitoring a connectivity check could view bits of information about the device because none of this is encrypted since it doesn't travel over the VPN tunnel.

The traffic that escapes the VPN connection contains metadata from which critical de-anonymization information, such as the locations of WiFi access points, may be derived.

The blog post by Mullvad explains that "the connection check traffic could be observed and evaluated by the party controlling the interconnect check server and any entity noticing the network traffic. Even if the message only indicates that an Android device is connected, the metadata, which includes the source IP, can be used to derive additional information, especially when combined with information like WiFi access point locations."

People who use VPNs to shield themselves from persistent attacks would still perceive the risk to be high, even though this is difficult for inexperienced threat actors. Mullvad adds that even if the leaks are not rectified, Google has to at least update the documentation to accurately state that the Block connections without VPN function would not safeguard Connectivity Checks. 

Mullvad is still discussing the data leak's relevance with Google and has requested that they make it possible to turn off connectivity checks and reduce liability points. Notably, this option has the intended capability thanks to GrapheneOS, Android-based anonymity and safety os version that can only be utilized with a select few smartphone models.

Hacktivists Target Asian Government Organizations

 

An unknown espionage group called Worok that is active since late 2020 targets high-profile businesses and municipal governments with headquarters largely in Asia.

The cyber gang, originally identified as Worok by ESET experts, also has attacked targets in the Middle East and Africa.

Worok is alleged to have parallels with another antagonistic collective known as TA428 in terms of skills and goals. TA428 has been linked to attacks against military, government, and public sector organizations, as well as telecom, banking, maritime, and energy firms.

Worok's toolkit, according to ESET researcher Thibaut Passilly, "includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that employs steganography to extract concealed malicious payloads from PNG files."

Between May 2021 and January 2022, the group's malicious operations took a significant hiatus before picking back up the following month. The Slovak cybersecurity company determined that the group's objectives were compatible with identity theft.

In certain cases, ProxyShell exploits were used to gain an initial foothold on target networks until 2021 and 2022. Additional custom backdoors were then introduced for entrenched access. Other initial compromise approaches are not yet known.

Infection chains in 2022 have now abandoned CLRLoad in favor of PowHeartBeat, a fully functional PowerShell implant that launches PNGLoad and communicates with a remote server via HTTP or ICMP to carry out associated file operations, transmit and receive files, and execute arbitrary commands.

​"In such situations, webshells have often been uploaded after these vulnerabilities have been exploited on order to enable persistence in the victim's network. The operators then utilized a variety of implants to obtain more capabilities, "Passilly continued.

ESET discovered a new PowerShell backdoor called PowHeartBeat, which has replaced CLRLoad in instances recorded since February 2022 as the tool designed to launch PNGLoad on infected systems. However, it has not yet been able to recover one of the final payloads delivered in the group's attacks.

A cyber espionage organization called Worok compromises its targets using both custom-built tools and techniques that already exist.

We believe the attackers are after information theft from their victims as they target high-profile organisations in Asia and Africa, focusing on diverse sectors, both private and public, but with a particular emphasis on government entities.

Microsoft IIS Servers Targeted by SessionManager Backdoor


Since March 2021, threats on Microsoft IIS Servers have used a new backdoor called "SessionManager," according to Kaspersky Lab researchers. 

Victims of the backdoor

SessionManager, the malicious software that takes advantage of one of the ProxyLogon vulnerabilities in Exchange servers, poses as a module for Internet Information Services (IIS), a virtual server application for Windows systems. 

The 24 different targets were spread over the continents of Africa, South America, Asia, Europe, Russia, and the Middle East. They also included political, military, and industrial institutions. To date, a SessionManager variation has compromised 34 servers in total.

Due to the comparable victims and a widely used OwlProxy variation, the researchers describe the attack as the GELSEMIUM malicious attacker.

Features  supported by SessionManager:
  • On the hacked server, reading, writing to, and deleting arbitrary files is possible.
  • Remote command execution also runs on arbitrary programs from the compromised server.
  • Creating connections to any network endpoints that the hacked server is capable of accessing, as well as reading and writing in those connections.
The backdoor also might serve as a post-deployment tool, enabling operators to spy on the intended environment, collect in-memory passwords, and introduce new malicious payloads.

Elements of  command and control code

Since its initial discovery in March 2021, ProxyLogon has drawn the interest of numerous malicious actors, and the most recent attack chain is no exception. The Gelsemium team took use of the flaws to drop SessionManager, a backdoor designed in C++ to handle HTTP requests submitted to the server.

Once the malicious code receives the carefully constructed HTTP requests from the threat actors, it runs the instructions concealed in the requests before sending them to the server to be handled like any other request.

Additionally, the malware serves as a covert route for spying, collects passwords stored in memory, and distributes other tools like Mimikatz and an Avast memory export application.

Hackers Dropping Malware via Free WinZip Trial Popup Vulnerability

 

Researchers have discovered a critical security flaw in WinZip 24 that targets users with malware. WinZip trial popup vulnerability allows hackers to perform arbitrary code execution and DNS poisoning.
 
When WinZip displays prompt informing about the expiry of the free trial and sends requests for checking updates, it communicates in plaintext over HTTP instead of HTTPS; the vulnerability has been reported to exist in the way WinZip communicated with its servers, making it susceptible to exploits by malicious actors who delivered malware through the same. 

WinZip is free to download ZIP tool program that is used to compress and decompress files easily. It enables users to zip and unzip almost all file formats including zip, tar, rar, and etc. However, the tool is available online free for a trial period, and to continue availing its services fully, users need to purchase a license for which the tool checks software status for users over a period of time, repeatedly. Once it detects the trial period being expired, the software displays a prompt using the abovementioned way of communication: That is where the bug was found.
 
It was in between that attackers could intercept the traffic and intervene in the communicated text and added an infected WinZip version. Furthermore, the users' concerns are aggravated by the fact that the update request also contains personal data of the user such as 'registered username', 'registration code', and other required information for the processing of the request. This information could also be accessed by the attacker meddling with the trial popup.
 
"WinZip 24 opens pop-up windows time to time when running in Trial mode. Since the content of these popups is HTML with JavaScript that is also retrieved via HTTP, it makes manipulation of that content easy for a network adjacent attacker," as told by Researchers from Trustwave.
 
"The application sends out potentially sensitive information like the registered username, registration code and some other information in query string as a part of the update request. Since this is over an unencrypted channel this information is fully visible to the attacker."
 
"This means anyone on the same network as user running a vulnerable version of WinZip can use techniques like DNS poisoning to trick the application to fetch “update” files from malicious web server instead of legitimate WinZip update host. As a result, unsuspecting user can launch arbitrary code as if it is a valid update," the researchers further added.

Malware escalation in Q2 2020 : HTTP and Java based script attacks on the rise




While Q2 of this year saw an overall 8% decrease in malware attacks, 70% of them were zero-day attack (attacks occurring after the discovery of a vulnerability and before the release of a patch) - a 12% increase from the previous quarter. After the zero-day attacks, HTTP based attacks marked up to be 34%, and consequently organizations that do not inspect incoming traffic will be blind to one-third of attacks.

 But, there is some good news- encryption attacks reduced to 64% from Q1. Though it comes with a catch, while encryption threats decreased HTTP attacks made a massive jump even after many organizations equip HTTP inspection in their security intel.

 “Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cybercriminals have too,” said Corey Nachreiner, CTO of WatchGuard, on the report.

 “The rise in sophisticated attacks, despite the fact that overall malware detection declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defenses simply can’t catch."

  “Every organization should be prioritizing behavior-based threat detection, cloud-based sand boxing, and a layered set of security services to protect both the core network, as well as the remote workforce.” 

Malware detected in Q2

Java Script-Based Attacks 

 Script attacks like Trojan. Gnaeus and J.S. PopUnder were among the top malware in the last quarter. Both of the access to the user's browser and settings and redirect them. 

 Updating your browser, preventing the browser from loading pages from unknown resources can help combat this malware. 

 Encrypted Excel files 

This malware uses an encrypted Excel file with a default password and once opened- the file automatically runs a VBA script. 

Abracadabra is one such Trojan malware that uses a default password to bypass security as the file is encrypted and later decrypted in Excel. 

 Dos makes a comeback 

 A very old (six years), Dos attacks affecting WordPress and Drupal made in the top 10 malware attack list in Q2. Though these were high in volume, they were concentrated in regions of Germany and Europe.