Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Hacking News. Show all posts
Security Issues
CISO CVE vulnerability CVEs Cyber Security Hacking News Information Security IT Security Security Issues

Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points

 

Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.
Read more »
Hacking News
Cyber Security Incidents Group-IB Hacking News

Group-IB specialists confirmed the fact of hacking The Bell portal

On October 8, experts from the cybersecurity company Group-IB reported that the criminals on September 2 really hacked The Bell website and sent a newsletter on behalf of the publication.

The Group-IB Computer Forensics and Malware Research Laboratory found out that on the evening of August 29, hackers began sending requests in an attempt to exploit a vulnerability that allows remote code execution. The next day, the program for checking for a number of web application vulnerabilities Burp Suite started to scan the website.

On August 30, the attackers gained access to the administrative panel of the publication's website. This allowed hackers to send a fake newsletter on September 2.

On the morning of September 2, the editorial board of The Bell reported the hacking of the email account, before that subscribers received a newsletter calling for a boycott of the elections to the Duma of Russia and to go on pickets on election day. The text of the letter and the design were stylized for the daily newsletter of the publication. 

The general director of the publication Elizaveta Ossetinskaya called the newsletter a provocation, “the purpose of which is to accuse us of political activity, which we have not engaged in, are not engaged in and were not going to engage in.”

In addition, earlier, it was reported that unknown people tried to hack the phone of The Bell journalist Irina Pankratova. They ordered the details of her calls and SMS messages using a fake notarial power of attorney in the office of MegaFon.

It is worth noting that Group-IB cooperates with Interpol, Europol and the OSCE. The organization provides assistance to Russian special services and law enforcement agencies in operations against hacker groups.

Earlier, CySecurity News reported that on September 29, the head of Group-IB Ilya Sachkov was arrested for two months. The Investigative Committee charged him with high treason.

Read more »
Hacking News
Cyber Attacks Hacker Group ChamelGang Hackers News Hacking News

Cybersecurity experts have discovered a new hacker group

Cybersecurity experts have discovered a new hacker group ChamelGang, which attacks institutions in ten countries around the world, including Russia. Since March, Russian companies in the fuel and energy sector and the aviation industry have been targeted, at least two attacks have been successful. Experts believe that pro-government groups may be behind the attacks.

According to Positive Technologies, the first attacks were recorded in March. Hackers are interested in stealing data from compromised networks.

India, the United States, Taiwan and Germany were also victims of the attacks. Compromised government servers were discovered in those countries.

The new group was named ChamelGang from the word chameleon, as hackers disguise malware and network infrastructure as legitimate services. The grouping tools include the new, previously undescribed ProxyT malware, BeaconLoader and the DoorMe backdoor, which allows a hacker to gain access to the system.

In one of the attacks, the hackers first attacked the subsidiary, and two weeks later, the parent company. They found out the password of the local administrator on one of the servers and penetrated the company's network using the Remote Desktop Protocol (RDP). Hackers remained undetected on the corporate network for three months and during that time gained control over most of the network, including critical servers and nodes.

In the second attack in August, attackers took advantage of a chain of related vulnerabilities in Microsoft Exchange to penetrate the infrastructure. Hackers were in the organization's infrastructure for eight days and did not have time to cause significant damage.

Kaspersky Lab cybersecurity expert Alexey Shulmin confirmed the targeted nature of the attack and the wide geography of victims. He added that some grouping utilities have an interface in Chinese.

Experts believe that attacks on strategically important industrial facilities, including the fuel and energy sector and the aviation industry, are often carried out by cyber mercenaries and pro-government groups.

Read more »
Russia
Cyber Security Hacking News Russia

Bi. Zone: most of the leaks and hacks in Russian companies are related to old forgotten software

About 60% of information leaks and 85% of hacks in corporate computer networks are related to unaccounted-for digital assets.

According to Bi. Zone, the main reason for hacking and data leaks in Russian companies is digital assets unaccounted for during inventory. Most often, security services forget about public cloud storage like Google Drive, DropBox and files in them. This allows attackers to penetrate the networks of organizations and gain access to confidential information. Digital assets often remain unaccounted for due to the high speed of business digitalization: local security services do not have time to keep track of new software.

Bi.Zone specialists obtained this information by analyzing the data of more than 200 Russian and foreign companies.

“Let's say the company had an information system (IS) A. Then it is changed to an information system B. At the same time, no one disposes of the first IS, it remains. It may still have access to the Internet. As system A stops even being updated, the risk of intruders penetrating through it increases because they may use the vulnerability that the company forgot to close with the appropriate update”, said Andrey Konusov, CEO of Avanpost.

According to him, there is also a risk that an employee of the company who has not worked in it for a long time could give access to the old system to cybercriminals.

During the inventory of digital assets, the company should take into account all its files and services, including those that are stored or work on the Internet. If anything is missed, there is a risk of leaks or compromise of the network. According to Alexei Parfentiev, head of analytics at SerchInform, unaccounted assets are essentially an open door for intruders to access sensitive data.

Digital assets often remain unaccounted for during the inventory due to the fact that local IT and information security services do not keep up with the high speed of business digitalization.

Rostelecom-Solar noted that often the reasons for the discussed violations are a lack of resources and neglect of information security requirements for the sake of convenience.

Read more »
Jee Mains
Cyber Security Hacking News iON Jee Mains

CBI Investigates Hacking Incident in Jee Maine Examination, Three Director Arrested

 

CBI (Central Bureau of Investigation) is investigating the chances of a potential hack into TCS' iON digital platform related to JEE Mains exam hack which appeared recently. The suspected issue surfaced when CBI charged 3 Noida-based directors last week. iON of TCS is India's biggest digital assistant software provider. NTA (National Testing Agency) selected the iON to organize national level examinations like JEE Mains and NEET, in a safe and secure way. Besides conducting examinations, iON also provides logistics requisites for the test, which includes the appointment of venue heads and management of test labs. 

As per sources, CBI is investigating various iON labs at different locations where examinations were organized. TCS hasn't said anything on the issue. As of now, CBI has arrested seven accused of the incident, including three directors from Affinity Education (a private coaching institute). iON doesn't let any other software or tool operate on its platform and also blocks internet access. However, in this particular case, currently under investigation, the examination center computers might've already had some external softwares pre-installed that may have led to remote internet connection and gained access to systems during the examination. It mostly happens with coaching centers in remote areas. 

They conspire with the venue heads and assist students screen share their exams and someone else (most probably from the coaching institute) helps the students by completing their exams. The students give around 2-3 lakhs per hacked system. The systems have pre-installed external softwares prior to the examination. Ethical hacker Sunny Nehra told BusinessLine," these tools are externally installed and connected with a Windows system through which remote access is given. Though iLEON operating systems are very strong and hard to crack, the company would have to identify the loopholes in the back-end and rework the architecture of the software.” 

Experts suggest that a candidate appearing in the examination should only have the option to access URL-based links linked to the exams, which once opened, won't allow other applications to run until the exam is over. It can be made possible by installing a network firewall at examination centers, via which external traffic will flow. If firewall isn't possible,  endpoint security can be installed and the admin can use it to control and restrict access to other softwares.
Read more »
TrickBot trojan
Cyber Security News Hacking News malware Russian Hackers TrickBot TrickBot trojan

Alleged TrickBot Gang Member Arrested While Leaving South Korea




A Russian native – on accusations of being associated with the TrickBot cybercrime gang – was recently arrested by the authorities at Seoul International airport, while trying to leave South Korea. 

Reportedly, the Russian resident – identified as Mr. A by media –  was leaving for his home in Russia after waiting for over a year in the South Asian country. As per local media reports (Seoul's KBS) the alleged individual was prevented from leaving South Korea due to COVID-19 travel restrictions – international travel had been canceled by Seoul officials as the global pandemic broke out. Subsequently, Mr. A's passport expired, and he was stranded in South Korea as he waited to renew his passport. 

The Russian man who allegedly worked as a web browser developed for the malware spreading TrickBot gang in 2016 during his stay in Russia, denied 'being aware' of working for a cybercrime group. “When developing the software, the user manual did not identify malware,” said the individual at Seoul High Court. 

As per a Korean newspaper, on September 01, an interrogation was held at the 20th Criminal Division of the Seoul High Court – for the extradition request case against the alleged developer of the malware. While fighting the US extradition attempt, the lawyer of the accused argued that the US will prosecute the man unjustly. "If you send it to the United States, it will be very difficult to exercise your right of defense and there is a good chance that you will be subject to excessive penalties,” claimed the attorney. 

As per the reports, the suspect continued to maintain that the operation manual did not fall under malicious software when he developed the software. He received work from TrickBot via a job search site, following which he developed a web browser for the gang, according to The Record. Notably, the recruiters preferred applicants who did not ask a lot of questions. 

TrickBot is an advanced banking trojan that targets Windows machines. Initially created to steal the banking information of unsuspecting users, TrickBot has evolved over the last five years to be versatile, widely available, and easy to use. With new variants being increasingly released, TrickBot infections have become more frequent on home office networks; continuous advancement since its inception has cemented TrickBot's reputation as a highly adaptive modular malware.
Read more »
Hacking News
Data Breach Data Leakage Database Leaked Hackers News Hacking News

Hacker gained access into a major CIS drug marketplace

Part of the database of the forum and its owners is available free of charge, the hackers offered to purchase the rest for 1 bitcoin. Experts hope that the action will allow a series of arrests and deal a major blow to the drug trade.

According to the leaked data, the owner and developer of the forum is a citizen of Latvia Artem Shvedov, one of the former developers is Roman Kukharenko, registered in the Moscow region, and the current administrator is a citizen of Ukraine Alexander Prokhozhenko.

Cybersecurity experts pointed out that in 99% of cases a person, whose name domain and hosting such resources are registered, may not even know about it.

According to Blockchair, a total of 20.57 bitcoins (about $1 million) went through the Legalizer forum's cryptocurrency wallet. At the same time, it is associated with larger wallets. More than 5.3 thousand bitcoin (about $248 million) passed through one of them.

In addition, the email address given by the hacker who hacked Legalizer matches the contact whose user calls himself a Russian-speaking hacker and an information security specialist at the shadow site o3shop.

An analyst of the operational monitoring group Angara Professional Assistance said that usually shadow forums are hacked "because of competition or partner revenge." In his opinion, the attack on Legalizer may be related to the redistribution of the drug market or extortion.

The expert admitted that hacking Legalizer can lead to arrests.

State borders may also become an obstacle for law enforcement agencies. Although the forum is oriented at the Russian-speaking audience from the CIS, it may be physically located on servers hosted in a country where drugs are legal.

Read more »
Russian Cyber Security
Data Breach Database Leaked Hacking News Russia Russian Cyber Security

Logins and passwords of at least 1.2 million Russians have been leaked online

 The credential verification service developed by cybersecurity company BI.ZONE (a subsidiary of Sberbank) has revealed that information about logins and passwords of more than 1.2 million Russians is freely available as a result of data leaks.

"BI.ZONE, a strategic digital risk management company, helped over one and a half million Russians check their credentials for leaks containing their usernames and open passwords. The owners of more than 1 million 200 thousand contacts could become potential victims," the company said.

Experts note that this information is available not only on the darknet but also on the normal Internet. At the same time, since it is freely available, attackers do not even need to buy it.

According to Anton Okoshkin, director of anti-fraud at BI.ZONE, many Russians use the same credentials for many sites, so their leakage can lead to hacking of all accounts.

"In most cases, people use the same username and password on a variety of resources: from accounts in social networks and online stores to work services. In such a situation, if your account is compromised on one of them, the risk of hacking all accounts increases," Okoshkin noted.

At the same time, the expert noted that attackers usually begin automated verification of credentials on different services a few hours after the appearance of the leak in the public domain. "It is very important to promptly warn users about the compromise of their data," he stressed.

Almost 1.7 million Russians have already used the Bi.zone company's credential verification service. The service checks for a set of 5 billion credentials that have exactly fallen into the hands of attackers and contain user usernames and passwords. The leaked database is updated weekly.

Read more »
Subscribe to: Posts (Atom)