
Digital Dictatorship: The Dangers of Unchecked Spyware

The Pegasus scandal broke into the public eye three years ago and has been widely reported in the media ever since. Yet, the surveillance industry has not been fixed. On the contrary, the spyware problem seems to worsen as time passes. 

In light of these issues, civil society and business organizations published an open letter on Tuesday, September 3 urging European regulators to take more decisive action against the threats posed by the overuse of spyware. In the experts' view, the issue is non-negotiable: the EU Commission needs to come up with a legal framework that includes "a ban on the manufacturing, exporting, selling, importing, acquiring, transferring, servicing, and using of spyware inside the EU."

Computer science has only a loose definition of spyware, but it is generally taken to mean malicious software that enters a user's computer, gathers data about them, and relays that data to a third party without their knowledge or consent. There are also legitimate programs, such as consumer monitoring software, that collect and use information from users' computers in order to serve them relevant advertisements.

It is worth noting, however, that malicious spyware is specifically designed to profit from the theft of personal information. Spyware undeniably gathers private data, which leaves its victims open to data breaches and to the misuse of their personal information, regardless of whether the party using that information is legitimate or not. Spyware campaigns also slow down devices and networks, delaying daily user activities and driving up costs.

Understanding how spyware works is an important part of preventing problems in both business and personal settings. What makes spyware so dangerous is that it can be very difficult to detect yet fairly easy to inject; this combination is one of its key strengths.

Pegasus is a prime example of a zero-click attack: it can be delivered without any action by the user and without leaving a trace on the infected device. No security software, not even the best VPN or antivirus apps, can fully protect users against this growing threat, so relying on such tools alone is not enough. Looking ahead, it is reasonable to argue that spyware may one day become one of the most crucial tools available to governments for national security purposes.

So far, however, the list of authorities that have abused access to the service has only grown longer. A report claims that in 2011 Mexico became the first buyer of the powerful technology of the Israeli cyber-intelligence firm NSO Group, in order to support the country's fight against narco-trafficking and its drug problem. According to the Pegasus investigative team, in 2017 the phones of more than a dozen Mexican journalists and activists were found to be infected with the spyware.

It is believed that over 50,000 phones around the world were compromised in the Pandora's box incident of 2021. The phone of the journalist Jamal Khashoggi, who was assassinated inside the Saudi Arabian consulate in Istanbul in 2018, is among those included in these records. The investigation revealed that over 46 countries bought this highly intrusive tool, including at least 14 member states of the European Union.

A later investigation into the use of the so-called Predator spyware showed, on closer analysis, that the EU's spyware problem is worse than originally thought: the tool was not only used across the EU to spy on journalists, politicians, and activists, it was also developed, distributed, and exported by EU-based firms in France, Ireland, and Greece, most of which operate in at least 25 countries around the world.

It is hard to comprehend how the spyware industry is still allowed to function as one of the most lucrative fields of business today. Even Google is concerned that this outbreak of information warfare could threaten free speech, the free press, and the integrity of elections throughout the world. As an example, many companies are turning to what is known as bossware to monitor their remote workers more closely and make sure they are keeping up with their work.

Work productivity monitoring applications, though legal in many countries, raise significant concerns regarding the potential for abuse. These tools, originally designed to track employee performance, have also opened the door to misuse. While the specific regulations around such software vary depending on jurisdiction, the risk of unethical usage persists across the board.

Particularly alarming is the potential for these applications to be weaponized by malicious actors, including hackers, stalkers, and even criminals. The accessibility of these technologies, which often do not require extensive technical knowledge to operate, leaves many individuals exposed to cyber threats. In more personal contexts, such as domestic abuse, an abusive partner could use such an app to exert control, spy on communications, or track movements, further exacerbating the dangers of spyware.

This growing concern is reflected in recent statistics. A study by the security firm Avast reported a staggering 329% increase in mobile stalkerware usage since 2020. Such figures highlight the expanding threat posed by spyware, not only in corporate environments but also in everyday life.

Further complicating matters is the blurred line between the use of spyware by governments and its regulation. The New York Times recently conducted an investigation revealing that, although the Biden administration has officially banned the use of hacking tools created by the Israeli firm NSO, there remain ongoing efforts by U.S. authorities to find a legal avenue for their utilization. This suggests that while some forms of spyware are deemed unacceptable for certain uses, governments may still be inclined to leverage them under particular circumstances, thereby setting a complex precedent for how these tools should be governed.

The international community has begun addressing this issue. On February 6, 2024, the United Kingdom and France spearheaded an international agreement aimed at curbing the human rights abuses associated with spyware. This joint effort seeks to establish policies that regulate the deployment of intrusive cyber tools in a manner that is both legal and responsible. However, despite these efforts, skepticism remains about whether such regulations will be sufficient to prevent the harm caused by spyware.

In 2022, the European Data Protection Supervisor (EDPS) raised significant concerns about the impact of modern spyware on individual privacy. The EDPS emphasized that the unprecedented level of intrusiveness offered by such technology "threatens the essence of the right to privacy" due to its ability to infiltrate the most intimate aspects of daily life. In their view, the use of spyware is fundamentally incompatible with European Union (EU) law, further underscoring the challenges of regulating this highly invasive technology.

The most effective way to manage the threat of spyware is through prevention. However, avoiding spyware installation isn't always straightforward. Cybercriminals can exploit vulnerabilities in even trusted websites, allowing them to infect a user's computer without any interaction. In such scenarios, relying solely on avoiding suspicious downloads or attachments is insufficient protection.

To safeguard against spyware, individuals are advised to use robust internet security solutions that include reliable antivirus and antimalware detection features. In addition to standard protection, these solutions should offer proactive defences, such as real-time monitoring and detection of potential threats. For users whose systems have already been compromised, many security providers offer specialized spyware removal utilities, designed to identify and eliminate spyware from infected devices. It is crucial, however, to ensure that these utilities are obtained from reputable security providers, as some fraudulent software tools masquerade as spyware removal programs while actually embedding spyware themselves.

While several free antivirus options are available, it is important to recognize their limitations. A free trial can be useful for assessing a product's capabilities, but for comprehensive protection, especially against spyware, users should consider investing in a full-featured internet security suite. Features like virtual encrypted keyboards for securely entering financial information, strong anti-spam filters, and cloud-based detection systems can provide critical layers of defence, reducing the risks posed by spyware schemes.

In the end, while productivity monitoring apps and spyware can serve legitimate purposes, their potential for abuse, combined with their increasing use, underscores the need for stringent regulation, heightened awareness, and proactive security measures to protect against both corporate misuse and individual harm.

Akira Ransomware Unleashes a New Wave of Attacks via Compromised Cisco VPNs
Cisco's Network Security Division is aware of reports that the operators of the Akira ransomware are infiltrating organizations through Cisco VPNs that are not configured for multi-factor authentication. In some instances, the threat actors specifically target organizations that have not enabled multi-factor authentication for their VPN users.

Several cybersecurity firms have verified that Cisco VPN products are being targeted with ransomware, and the perpetrators are reported to be members of a relatively new gang known as Akira.

This ransomware campaign typically targets corporate entities in order to steal sensitive information and make money by charging a ransom for it. Because the VPN asks for nothing beyond a username and password, all Akira's members have to do to get in is log in to the VPN service with the account details they have obtained.

As part of its investigation of these attack tactics, Cisco has actively collaborated with Rapid7, and it thanked Rapid7 for a valuable collaboration over the last few months. Cisco VPN solutions are widely adopted across a wide range of industries to provide secure, encrypted data transmission between users and corporate networks, primarily by employees who work remotely and rely on them to do so.

The Akira Ransomware Attack

Akira ransomware has been active since March 2023. Like many other ransomware gangs, the group developed a Linux encryptor to attack VMware ESXi servers.

If ransom demands are not met, the threat actors behind Akira employ a variety of extortion strategies, including running a site on the Tor network (a .onion address) that lists victims and the information stolen from them. To begin negotiations, victims are instructed to contact the attackers via a Tor-based website, using a unique identifier provided in the ransom message.

Sophos researchers first discovered in May that the ransomware gang was abusing VPN accounts to breach a network through "VPN access using Single Factor authentication." An incident responder known as 'Aura', who responded to multiple Akira attacks, shared further information on Twitter about how he and other incident responders dealt with incidents carried out through Cisco VPN accounts that were not protected by multi-factor authentication.

Akira targets not only corporations but also educational institutions, real estate, healthcare, manufacturing, and the financial sector. The Linux versions of the Akira ransomware use the Crypto++ library to perform the encryption on the target device. Akira offers only a limited number of commands, and there is no option to shut down VMs before encrypting them.

The -n command-line parameter lets the attacker adjust the encryption speed, which in turn affects the chance that the victim's data can be recovered. Consequently, if the encryption speed is set high, there is only a slim chance that the victim will be able to recover the data with the help of a decryption tool.

Akira's activity was first picked up in March 2023 by Arctic Wolf, a US-based cybersecurity firm. Its research shows that small and medium-sized businesses worldwide have been the main target, with particular attention paid to the US and Canada. Researchers have also linked Akira to Conti's operators.

A recent SentinelOne WatchTower report, shared privately with BleepingComputer, looked at the same attack method and speculated that Akira may have exploited a newly discovered vulnerability in Cisco VPN software that could bypass authentication in the absence of multi-factor authentication.

In leaked data posted on the Akira group's extortion page, SentinelOne found evidence that the ransomware group used Cisco VPN gateways. At least eight instances displayed Cisco VPN-related characteristics, which shows that the gang is continuing to use Cisco VPN gateways as part of its ongoing extortion scheme.

Implementing VPNs Without MFA

As a general rule, when attackers target VPNs or any other network service or application, the first stage of their attack is to exploit an exposed service or application. In many cases, they focus either on the absence of multi-factor authentication (MFA) or on a known vulnerability in the VPN software.

Once the attackers have gained access to a target network, they dump the memory of LSASS (Local Security Authority Subsystem Service) to obtain credentials that let them move further within the network and raise their privileges where necessary.

The group has also been reported to use other tools, such as Living-Off-The-Land Binaries (LOLBins) and Commercial Off-The-Shelf (COTS) tools, and to create minidump files, in order to gather further intelligence about the target network or pivot within it.

Moreover, SentinelOne researchers observed that Akira operators maintained access to compromised networks by using RustDesk, a legitimate open-source remote access tool. Separately, the cybersecurity company Avast has announced a free decryptor that victims of the Akira ransomware can use to restore their valuable data without paying a ransom.
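The post-access behaviours described above (LSASS credential dumping, minidump files, and RustDesk used for persistence) are also what a defender hunts for. The following is an added example, not code from Cisco, SentinelOne or the original post: three hunting rules in Python run over constructed Sysmon-style events, where the allowlists, hosts, paths and access masks are assumptions to be tuned to your own estate.

```python
"""Hunting rules for the Akira post-access behaviours discussed above:
LSASS access, minidump creation and an unapproved remote access tool.
Runs over constructed Sysmon-style events, not real telemetry."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumptions: tune these lists to your own environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe", "svchost.exe"}
DUMP_WRITERS_ALLOWLIST = {"werfault.exe"}   # Windows Error Reporting crash dumps
REMOTE_TOOL_WATCHLIST = {"rustdesk.exe"}    # the tool named in the write-up above
APPROVED_REMOTE_TOOLS = set()               # none approved in this hypothetical org


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hunt(events):
    """Return one Finding per event that matches a rule, in event order."""
    findings = []
    for e in events:
        image = _basename(e.get("Image", ""))
        if e["EventID"] == 10:       # Sysmon: one process opened a handle to another
            if _basename(e["TargetImage"]) == "lsass.exe" and image not in LSASS_ALLOWLIST:
                findings.append(Finding(e["Host"], "lsass-access",
                                        f"{image} opened lsass.exe with {e['GrantedAccess']}"))
        elif e["EventID"] == 11:     # Sysmon: file created
            target = e["TargetFilename"]
            if target.lower().endswith(".dmp") and image not in DUMP_WRITERS_ALLOWLIST:
                findings.append(Finding(e["Host"], "minidump-written", f"{image} wrote {target}"))
        elif e["EventID"] == 1:      # Sysmon: process created
            if image in REMOTE_TOOL_WATCHLIST and image not in APPROVED_REMOTE_TOOLS:
                parent = _basename(e.get("ParentImage", ""))
                findings.append(Finding(e["Host"], "unapproved-remote-tool",
                                        f"{image} started by {parent}"))
    return findings


# Constructed sample events (hosts, paths and access masks are made up).
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 10, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Host": "ws01", "EventID": 10, "Image": r"C:\Users\Public\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Host": "ws01", "EventID": 11, "Image": r"C:\Users\Public\x.exe",
     "TargetFilename": r"C:\Users\Public\lsass.dmp"},
    {"Host": "ws02", "EventID": 11, "Image": r"C:\Windows\System32\WerFault.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\WER\Temp\app.dmp"},
    {"Host": "ws02", "EventID": 1, "Image": r"C:\Users\bob\Downloads\rustdesk.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "ws02", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

The allowlisted svchost.exe access, the WerFault crash dump and notepad.exe are left alone; the three remaining events produce one finding each.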

The threat actors responded by patching their encryptors so that the decryptor could no longer be used to recover data encrypted by the newer version. Business users prefer Cisco VPN products for their reliability and ease of use.

Organizations rely on this technology to secure data transmission between networks and users, and those who work in a hybrid or remote environment use it as a matter of course. That is why threat actors are keen to exploit the vulnerability. Organizations can prevent data loss and extortion attempts by ransomware operators by remaining vigilant and ensuring robust digital security measures.

Malicious Attacks Use Log4j Bugs
Threat actors have adopted an increasingly popular form of fraud that hijacks legitimate proxyware services, which allow people to sell their Internet bandwidth to third parties for extra money. According to the Sysdig Threat Research Team (TRT), large-scale attacks exploiting cloud-based systems through this vector, dubbed "proxy jacking", can bring cybercriminals hundreds of thousands of dollars of passive income per month once they have gained access to a server.

Dozens of companies now charge customers a fee to use a different Internet Protocol (IP) address, whether to watch YouTube videos that are not available in their region, to scrape and surf the web without attribution, or to browse dubious websites without their own IP address being linked to them.

The proxyware ecosystem includes legitimate businesses, such as IPRoyal, Honeygain, and Peer2Profit, that sell this service as proxyware. As expected, the concept has also attracted the attention of cybercriminals, who exploit its potential.

As proxyware services have grown in popularity in recent years, proxy jacking has become increasingly prevalent. Proxyware services offer legitimate, non-malicious applications that can be installed on any internet-connected device, as long as the device is not tied to malicious websites or programs.

When you run such a program, it shares your internet bandwidth with others whenever the service asks to use your IP address.

Sysdig says proxy jacking could be just as lucrative as, and easier to commit than, conventional hacking, because it is far less computationally demanding and energy-consuming.

The report describes an attacker selling the victims' IP addresses to proxyware services for profit. In this method, known as proxy jacking, a threat actor installs proxyware on an unsuspecting victim's device so that it shares the victim's network connection, then resells the bandwidth of the compromised devices for about $10 per month each, which makes the operation profitable. Victims are consequently exposed to higher costs and risks than they would otherwise be.

IP addresses can also be abused to commit crimes in a variety of ways, including as a means to steal personal information. Researchers at the Cisco Talos Intelligence Group and AhnLab Security have identified attacks in recent years where, without a person's knowledge, the IP address of their device was permanently changed and an adware infection was used to secretly take over the device. Neither company treated the practice as separate from cryptomining, which involves hacking into compromised systems and mining cryptocurrency.

The Log4j vulnerability was discovered by Chinese researchers in December 2021 and widely reported by news outlets. Governments and businesses around the globe launched a global initiative to address it, yet cybercriminals still exploit the bug to gain access to sensitive information. According to data from the security company Censys, millions of computers still run vulnerable versions of Log4j. Log4j is logging software that records and stores various data, depending on the service and device using it.

Even though other attack methods have been seen in proxy jacking incidents, researchers believe the Log4j vulnerability is the most popular one.

Mike Parkin, director of security operations at Vulcan Cyber, said in an interview that if Log4j's "long tail" is anything to go by, it will take a while before the number of vulnerable systems disappears altogether.

In the case Sysdig identified, the hackers exploited Kubernetes infrastructure through the services running on it. Kubernetes is an open-source system for orchestrating software container deployment. Specifically, the hackers exploited a vulnerability in Apache Solr which, if left unpatched, makes it possible to take control of the container and launch a proxy jacking attack from it.

The amount of money an attacker can net from cryptojacking and proxy jacking is estimated to be about the same each month; proxy jacking is even likely to be more lucrative today given current crypto exchange rates and proxyware payment schedules.

Most monitoring software, for very good reason, uses CPU usage as one of its first and most important metrics. Proxy jacking, however, has minimal system impact: a single gigabyte of traffic spread across a month amounts to tens of megabytes a day, which is very unlikely to make a noticeable impact.
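As an added example (not Sysdig's code or the original post's), the following Python contrasts a CPU-threshold rule with a traffic-shape rule that looks for what proxyware actually does, relay traffic in both directions over long-lived connections at negligible CPU cost; the process names, byte counts and thresholds are constructed assumptions for illustration.

```python
"""Why CPU-based monitoring misses proxy jacking, and one complementary rule.
Constructed per-process telemetry for a single host; process names and
numbers are made up for illustration, not taken from a real incident."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    process: str
    cpu_percent: float   # average CPU use over the one-hour window
    tx_bytes: int        # bytes sent during the window
    rx_bytes: int        # bytes received during the window
    conn_minutes: float  # age of the longest-lived outbound connection


# Constructed one-hour samples (not real data).
SAMPLES = [
    Sample("browser.exe",      12.0,  8_000_000, 90_000_000,  3.0),  # ordinary browsing
    Sample("miner.exe",        95.0,    200_000,    300_000, 58.0),  # cryptojacking profile
    Sample("proxyware.exe",     0.4, 40_000_000, 41_000_000, 59.5),  # proxy jacking profile
    Sample("backup-agent.exe",  2.0, 30_000_000,    500_000, 20.0),  # bulk upload, one-way
]


def cpu_only_alerts(samples, threshold=80.0):
    """The classic rule: flag processes whose sustained CPU use exceeds a threshold."""
    return [s.process for s in samples if s.cpu_percent >= threshold]


def relay_alerts(samples, min_bytes=10_000_000, max_cpu=5.0,
                 min_conn_minutes=45.0, min_symmetry=0.7):
    """Flag processes that move substantial traffic in BOTH directions with a
    near-symmetric tx/rx ratio, over long-lived connections, while using almost
    no CPU. That is the shape of a traffic relay, which is what proxyware is,
    and it is invisible to a CPU-only rule."""
    hits = []
    for s in samples:
        total = s.tx_bytes + s.rx_bytes
        if total < min_bytes or s.cpu_percent > max_cpu or s.conn_minutes < min_conn_minutes:
            continue
        symmetry = min(s.tx_bytes, s.rx_bytes) / max(s.tx_bytes, s.rx_bytes, 1)
        if symmetry >= min_symmetry:
            hits.append(s.process)
    return hits


def projected_monthly_gb(sample, window_minutes=60):
    """Extrapolate one window's traffic to 30 days, i.e. what the victim ends up paying for."""
    windows_per_month = 30 * 24 * 60 / window_minutes
    return (sample.tx_bytes + sample.rx_bytes) * windows_per_month / 1e9


if __name__ == "__main__":
    print("CPU rule  :", cpu_only_alerts(SAMPLES))
    print("Relay rule:", relay_alerts(SAMPLES))
    for s in SAMPLES:
        print(f"{s.process:18s} ~{projected_monthly_gb(s):6.1f} GB/month")
```

The CPU rule catches only the miner, while the relay rule catches only the proxyware; the one-way backup agent is excluded by its asymmetric traffic and short-lived connection.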

Remember that the IP address market can lead to other problems. According to Sysdig and other researchers, your internet bandwidth can still be misused or stolen even if you sell it knowingly to a proxyware service.

Just as easily as someone can purchase and use your shared internet connection, an attacker can use it to launch an attack against you. Sysdig researchers explained how malicious attackers employ proxy servers to conceal command-and-control activity and identifying information.