Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label HTTP. Show all posts

The GuptiMiner Attack: Lessons Learned from a Five-Year Security Breach

 

In a startling revelation, security researchers from Avast have uncovered a sophisticated cyberattack that exploited vulnerabilities in the update mechanism of eScan, an antivirus service, for a staggering five years. The attack, orchestrated by unknown hackers potentially linked to the North Korean government, highlights critical flaws in cybersecurity infrastructure and serves as a cautionary tale for both consumers and industry professionals. 

The modus operandi of the attackers involved leveraging the inherent insecurity of HTTP protocol, enabling them to execute man-in-the-middle (MitM) attacks. By intercepting the update packages sent by eScan's servers, the perpetrators clandestinely replaced genuine updates with corrupted ones containing a nefarious payload known as GuptiMiner. This insidious malware facilitated unauthorized access and control over infected systems, posing significant risks to end users' privacy and security. 

What makes this breach particularly alarming is its longevity and the level of sophistication exhibited by the attackers. Despite efforts by Avast researchers to ascertain the precise method of interception, the exact mechanisms remain elusive. However, suspicions linger that compromised networks may have facilitated the redirection of traffic to malicious intermediaries, underscoring the need for heightened vigilance and robust cybersecurity measures. 

Furthermore, the attackers employed a myriad of obfuscation techniques to evade detection, including DLL hijacking and manipulation of domain name system (DNS) servers. These tactics, coupled with the deployment of multiple backdoors and the inclusion of cryptocurrency mining software, demonstrate a calculated strategy to maximize the impact and stealth of their operations. 

The implications of the GuptiMiner attack extend beyond the immediate scope of eScan's compromised infrastructure. It serves as a stark reminder of the pervasive threat posed by cyber adversaries and the imperative for proactive defense strategies. Moreover, it underscores the critical importance of adopting industry best practices such as delivering updates over secure HTTPS connections and enforcing digital signing to thwart tampering attempts. 

For users of eScan and other potentially affected systems, vigilance is paramount. Avast's detailed post provides essential information for identifying and mitigating the threat, while reputable antivirus scanners are likely to detect the infection. Additionally, organizations must conduct thorough security assessments and implement robust cybersecurity protocols to safeguard against similar exploits in the future. 
 
Ultimately, the GuptiMiner attack serves as a wake-up call for the cybersecurity community, highlighting the pressing need for continuous innovation and collaboration in the fight against evolving threats. By learning from this incident and implementing proactive measures, we can bolster our defenses and mitigate the risk of future breaches. Together, we can strive towards a safer and more resilient digital ecosystem.

 Massive DDoS Attack was Thwarted by Cloudflare

 

Prioritized firms like gaming providers, hosting providers, cloud computing platforms, and cryptocurrency enterprises, according to Cloudflare, emanated from more than 30,000 IP addresses.
The greatest volumetric distributed denial-of-service (DDoS) attack that Cloudflare has seen to date was stopped.

The greatest attack, which is the largest documented HTTP DDoS attack, topped 71 million rps, per Cloudlare's analysis. The volume is 35% greater than the previous record, 45 million rps from June 2022, which had been recorded.

The FBI accused six suspects of their involvement in running 'Booter' or 'Stresser' platforms, which anybody can use to execute DDoS attacks, in response to this stream of continuously escalating attacks, and seized dozens of Internet domains. Operation PowerOFF, a larger, more coordinated worldwide law enforcement operation against DDoS-for-hire services, included the action.

Cloudflare has been collaborating with the victims to strike down the botnet and is providing service providers with a free botnet threat feed that will transmit threat intelligence from their IP and any ongoing attacks coming from their hosted autonomous system.

Researchers cautioned entities to take action immediately before the next campaign: protecting against DDoS attacks is crucial for organizations of all sizes, even while DDoS attacks on non-critical websites might not result in permanent harm or safety hazards. DDoS attacks against internet-facing equipment and patient-connect technology in the healthcare industry put patients' safety at risk.



What Exactly is DNS-over-HTTPS and Do you Need to Use it?

 

Traditional Domain Name System (DNS) traffic, such as user requests to visit specific websites, has been largely unencrypted throughout the history of the internet. This means that every party involved in the DNS value chain that your request goes through has the ability to examine your queries and responses, and even change them, whenever you look up a web address in the "internet telephone book." This is altered by DNS encryption, such as DNS over HTTPS (DoH).

Many of the major internet service providers, including Apple, Mozilla, Microsoft, and Google, have integrated encrypted DNS through DoH into their offerings. While Apple implemented DoH with the iOS 14 and macOS 11 updates in the autumn of 2020, Mozilla was an early adopter, integrating it into its browser in the US as early as late 2018. DoH has also been made available on Chrome for Android by Google. 

A global phone directory on the internet 

The Domain Name System (DNS) essentially serves as the internet's version of the phone book. If you think of it a little like this, the operation of DNS will soon become clear. Therefore, the second-level domain (in the case of international.eco.de, this would be.eco.) is the corporate switchboard number, and the top-level domain (the far right part of a web address, like.com,.org, or.info) is the equivalent to the country code or area code. The third level (international) is the particular extension, meanwhile.

It's much simpler to gain a better understanding of how this directory is put together if you keep that in mind as you work. You can also learn how computers locate the websites they want to visit in order to connect you to the website of your choice.

A website or other internet resource that you have typed into your computer or phone will be located by DNS resolvers. The router at your house or place of business, or a public hotspot, is the first DNS resolver to which your device is locally connected.

Following a series of steps, this resolver looks for any preconfigured settings on the device or a history of previous visits to the specified website (called a cache). If this doesn't work, the resolver will pass the DNS request on to the resolver after it, which could be your current internet service provider (ISP). The same steps will be followed by this resolver, and if all else fails, it will look up the domain in the "internet phone book." 

What dangers is DoH shielding users from?

By preventing DNS data manipulation and eavesdropping, one goal in the development of the DoH protocol was to increase user privacy and security. You are shielded from the possibility that a malicious actor could reroute your DNS traffic to another (malicious) location thanks to DNS traffic encryption. Instead of the actual bank website you wanted to visit, it might be a fake one or something similar. 

Man-in-the-Middle (MITM) attacks are the term used to describe this type of cyberattack. The only practical solution at this time is DNS encryption via DoH (or the related DoT protocol). The monetization of DNS data, for example, when it is used for marketing purposes, is another issue that DoH has been able to address. This is a potential and real privacy concern that should be of interest to everyone. 

User safety in public networks 

An analysis of your behaviour and cross-network tracking may be done using the DNS query data from your mobile device when you use a public wireless (Wi-Fi) network in a hotel, coffee shop, or another location. These DNS services are frequently included in an all-inclusive, globally accessible Wi-Fi solution, but they may not be well-suited to abide by local privacy laws.

Additionally, it is possible that the privacy-protecting configurations are not turned on either. Free public Wi-Fi services are also frequently ineffectively managed in terms of security and performance, particularly when they are run or offered by smaller businesses. You could end up exposed to attacks coming from their own networks if this happens. 

The good news is that DoH safeguards users on these open wireless networks because the Wi-Fi network's DNS resolver is avoided. As a result, user tracking and data manipulation at this level are prevented. That ultimately means that DoH provides a chance to safeguard communications in an unreliable setting. It's a fantastic and incredibly useful solution. 

What alters due to DoH? 

Only the transport mechanism by which your device and the resolver communicate changes with the DNS over HTTPS protocol. The well-known HTTPS protocol is used to encrypt both the requests and the responses. DNS requests using DoH currently avoid the local resolver because there aren't many DoH resolvers in use and technical work is still being done to make it possible for DoH resolvers to be "discovered." Instead, they are handled by a third-party DoH service provider that has been recommended by the relevant software maker or developer. The decision to offer their own DoH services is currently being considered by an increasing number of providers. 

DoH in my company's network—do I want it?

DoH is unquestionably a helpful method of self-protection, particularly when using a public hotspot, but it might not be the best choice in environments with trusted network infrastructure. Corporate networks or using internet access services that you get from a reputable ISP are good examples of this.

For instance, your firm may have good cause to forbid an application that deviates from and overrides the system default. Given that the network administrator has no control over it inside the network, this might even be considered potentially harmful. If DoH is implemented at the system level as opposed to the application level, many of the issues with corporate networks vanish. At the system level, for instance, a corporate network administrator can configure the system and create a policy to ensure that the corporate resolver should be used for as long as the device is connected to the corporate network.

However, DoH should be used to increase security and privacy once the device is connected to a public network. These different configurations are, however, avoided if DoH is applied by default at the application level. 

Concerning factors 

Other issues with the use of external DNS resolution through DoH include potential slow response times, circumvention of parental controls, and legally required blocking, among others. However, depending on the situation, many of the DoH's potential drawbacks are balanced out by just as many benefits. 

There is no question that DNS encryption enhances user security and privacy. DoH can offer a simple method for carrying this out. If you choose to activate DoH, you should make sure to research who will be handling the resolution, how they will handle your data, and whether you can easily turn it off when necessary.

To Keep you Secure, Google Chrome is Releasing a Critical Update

 

The popular web browser Google Chrome will now automatically block insecure downloads from HTTP sites thanks to a recent code change. Several HTTP sites have since been updated to use HTTPS encryption in an effort to protect the extensive data that we share about ourselves on the web, which was previously the norm. 

Google, which is now the preferred option, has already implemented a series of changes that allow its users to retrieve and share data more securely. One of those updates is the recently added "Always use secure connections" checkbox, which instructs Chrome to switch all connections from HTTP to HTTPS. The address bar of older websites that solely use HTTP will also show a "Not Secure" warning.

According to the code change discovered by 9To5Google, the toggle will now warn users against downloading anything from an HTTP connection. Chrome users were previously notified when an HTTPS website downloaded a file in HTTP format, which is known as mixed content. 

Given the nature of a toggle button, it will primarily act as a warning rather than a complete preventative measure, letting users use the web as they see fit, which in some situations may still include an insecure HTTP connection. 

The update is unlikely to appear in Chrome 111, which is scheduled for release in March 2023, but it could be included in the company's next release later that year. 

Google's dedication to its browser, whether through security enhancements or other features such as the recently announced memory and energy saver modes, has been lauded by web users, with the company now accounting for two-thirds (66%) of all desktop browsers installed, according to StatCounter.

SAP Security Patch for July: Six High Priority Notes

The July 2022 patch release from SAP was released in addition to 27 new and updated SAP Security Notes. The most serious of these problems is information disclosure vulnerability CVE-2022-35228 (CVSS score of 8.3) in the BusinessObjects Business Intelligence Platform's central administration console.

Notes for SAP Business One 

The three main areas that are impacted by the current SAP Security Notes are as follows, hence Onapsis Research Labs advises carefully reviewing all the information:
  • In integration cases involving SAP B1 and SAP HANA, with a CVSS score of 7.6(CVE-2022-32249), patches a significant information release vulnerability. The highly privileged hackers take advantage of the vulnerability to access confidential data that could be used to support further exploits.
  • With a CVSS rating of 7.5 (CVE-2022-28771),  resolves a vulnerability with SAP B1's license service API. An unauthorized attacker can disrupt the app and make it inaccessible by sending bogus HTTP requests over the network if there is a missing authentication step.
  • A CVSS score of 7.4(CVE-2022-31593), is the third High Priority note. This notice patches SAP B1 client vulnerability that allowed code injection. An attacker with low privileges can use the vulnerability to manipulate the application's behavior.
On July 20, 2022, SAP announced 17 security notes to fix vulnerabilities of medium severity, the bulk of which affect the NetWeaver Enterprise Portal and Business Objects.

Cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal were addressed in six security notes that SAP published, each of which had a CVSS score of 6.1. Medium-severity problems in Business Objects are covered by five more security notes.

The SAP July Patch Day illustrates the value of examining all SAP Security Notes prior to applying patches. 

Cybercriminals Impersonate Government Employees to Spread IRS Tax Frauds

 

At end of the 2021 IRS income tax return deadline in the United States, cybercriminals were leveraging advanced tactics in their phishing kits, which in turn granted them a high delivery success rate of spoofed e-mails with malicious attachments. 

On April 18th, 2022, a notable campaign was detected which invested phishing e-mails imitating the IRS, and in particular one of the industry vendors who provide services to government agencies which include e-mailing, Cybercriminals chose specific seasons when taxpayers are all busy with taxes and holiday preparations, which is why one should be extra cautious at these times.

The impersonated IT services vendor is widely employed by key federal agencies, including the Department of Homeland Security, as well as various state and local government websites in the United States. The detected phishing e-mail alerted victims about outstanding IRS payments, which should be paid via PayPal, and included an HTML attachment which looked like an electronic invoice. Notably, the e-mail has no URLs and was delivered to the victim's mailbox without being tagged as spam. The e-mail was delivered through many "hops" based on the inspected headers, predominantly using network hosts and domains registered in the United States.

It is worth mentioning that none of the affected hosts had previously been 'blacklisted,' nor had any evidence of bad IP or anomalous domain reputation at the time of identification. The bogus IRS invoice's HTML attachment contains JS-based obfuscation code. Further investigation revealed embedded scenarios which detected the victim's IP (using the GEO2IP module, which was placed on a third-party WEB-site), most likely to choose targets or filter by region. 

After the user views the HTML link, the phishing script shall prompt the user to enter personal credentials, impersonating the Office 365 authentication process with an interactive form.

The phishing-kit checks access to the victim's e-mail account through IMAP protocol once the user enters personal credentials. The actors were utilizing the "supportmicrohere[.]com" domain relying on the de-obfuscated JS content. 

Threat actors most likely tried to imitate Microsoft Technical Support and deceive users by utilizing a domain with similar spelling. The script intercepts the user's credentials and sends them to the server using a POST request. Login and password are sent to the jbdelmarket[.]com script through HTTP POST. A series of scripts to examine the IP address of the victim is hosted on the domain jbdelmarket[.]com. The phishing e-header emails include multiple domain names with SPF and DKIM records. 

A Return-Path field in the phishing e-mail was set as another e-mail controlled by the attackers which gather data about e-mails that were not sent properly. The Return-Path specifies how and where rejected emails will be processed, and it is used to process bounces from emails.

Here's Why You Should Not Rely on a VPN Anymore

 

Virtual private networks (VPNs) are still used by millions of people to hide their activities on the internet by encrypting their location and web traffic. Over a period of time, advancement in technology brought changes in cybersecurity landscapes, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts stated. 

Cybercriminals are less interested in attacking people’s individual devices and instead focus on the login credential to their most important accounts, experts said. For years, cybercrimes experts urged people not to use Wi-Fi hotspots at public places like coffee shops and stations without taking steps to obscure their internet traffic. For example, if you are sharing a Wi-Fi network with a stranger it means you essentially sharing all your traffic with him who was using it. If someone decides to check their Bank balance, for instance, they give an opportunity to a nearby hacker to steal important data. 

But VPNs provided net safety to this problem over the decades. VPN allows users to use the internet with enhanced security and privacy. It reroutes users’ internet traffic through their own servers and makes browsing more secure and private. It also helps users to stay secure when using public Wi-Fi connections. That can slow browsing speed, but hides the user’s Internet Protocol address and allows access to more internet sources. 

However, now most browsers have implemented (HTTPS) an extra layer of security that automatically encrypts internet traffic. Hypertext transfer protocol secure (HTTPS) is a secure version of HTTP, it is a protocol that is used for sending data between a web browser and a website. HTTPS is encrypted in order to secure data transfer. It becomes important when a user transmits important data, such as by logging into a bank account, email service, etc. 

More and more websites offer HTTPS connections such as Google, Brave, Chrome, Firefox, Safari, and Edge. 

“Most commercial VPNs are snake oil from a security standpoint,” said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. “They don’t improve your security at all...” 

 “…Remember, someone attacking you at the coffee shop needs to be basically AT the coffee shop. I don’t know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS,” he added.