Avoid Evil Twin Attacks: Hackers Target Public Wi-Fi in Airports and Coffee Shops

 

Travelers have long been warned about the dangers of public Wi-Fi, especially in places like airports, where lax security makes them a hacker’s playground. A recent arrest in Australia has drawn attention to the resurgence of “evil twin” attacks, where cybercriminals set up fake Wi-Fi networks to steal login credentials. This type of cybercrime, known as a “Man in the Middle” attack, allows hackers to create a seemingly legitimate Wi-Fi network that unsuspecting users connect to, unknowingly handing over personal information. 

The Australian case involved a man who set up fake Wi-Fi networks at airports and on domestic flights to steal credentials. Hackers like him can easily disguise their operations with small devices, hidden in plain sight, that mimic legitimate networks. Travelers, eager for free Wi-Fi, often overlook warning signs and quickly connect without verifying the network’s authenticity. Once connected, they enter their credentials on fake login pages designed to collect sensitive information. The ease of executing these attacks, combined with users’ familiarity with free Wi-Fi, makes evil twin attacks increasingly common. 

Hackers don’t need high-tech equipment or skills—just motivation and a basic understanding of how to set up a convincing rogue network. Once personal details are collected, they can be used for further exploitation, like accessing social media or bank accounts. To protect against evil twin attacks, experts recommend using mobile hotspots instead of public Wi-Fi. By creating your own hotspot, you control the network and can set a secure password. A VPN is another helpful tool, as it encrypts data, making it unreadable even if intercepted. For travelers unable to avoid public Wi-Fi, it’s essential to be cautious, verify network names, and avoid entering sensitive information on unfamiliar networks. 

The Australian case highlights how few cybercriminals are caught, despite the frequent occurrence of evil twin attacks. Airlines and airports are not always equipped to handle such threats, so it falls on travelers to take responsibility for their own cybersecurity. In this case, the attacker managed to steal dozens of credentials before being apprehended, a rarity in the world of cybercrime.  

With public Wi-Fi so widely available and used, it’s critical for travelers to remain vigilant. Hackers only need a small percentage of users to fall for their trap to succeed. Next time you find yourself at an airport, think twice before connecting to free Wi-Fi—it might just be safer to bring your own network.

DDoS Attacks Can Be Mitigated by AI

DDoS attacks are so common that a DDoS protection system is necessary. AI and machine learning algorithms already support numerous media and web-based consumer platforms. Because AI is mostly software running on commercial processors, it does not need the ten-year development cycles of nuclear weapons or bombers to be deployed or upgraded.

Along with speed and accuracy, the rate of false positives shows how effective your detection is; the smaller the number, the better. Up until recently, neutralizing a DDoS assault of 2Tbps in scale might also block 100Gbps to 200Gbps of valid network traffic due to the industry-accepted rate of 5% to 10% false positives.  

Implementing ML and AI technologies may require investment. Based on experience across numerous sectors, researchers have found important factors that can make any AI/ML implementation much more effective, resulting in a successful deployment and improved return on investment rather than AI technology that is left unused.

Ways ML/AI technologies can be utilized

1. Finding operational challenges:

The first step to the successful adoption of any AI or ML solution is to pinpoint the business issues the organization is attempting to solve with AI/ML and secure support from all important stakeholders. The roadmap for getting there can be created by being clear about the preferred result and evaluating use cases motivated by business imperatives and quantitative success factors of an AI/ML implementation. 

2. Data accessibility:

To develop the AI/ML model, a sufficient body of data that is pertinent to the business challenge being addressed must be made available. Organizations may encounter circumstances where such data is not yet accessible. The company should then devise and carry out a plan to begin gathering pertinent data while concentrating on other business issues that can be helped by the data science already available.

3. Adopting optimal algorithms to perform:

It is frequently preferable to use a model or method with fewer parameters. Examining model validity is a crucial stage in this process: can the chosen model provide rationales and explanations in simple English that can be understood? Reasons for judgments made by an expert or algorithm are necessary in some regulated businesses. In such cases, model explainability packages like LIME or SHAP can offer explanations that are simple enough for humans to understand.

4. Approach to operationalization:

A successful deployment requires clarity about how the forecasts and insights from AI/ML fit into routine operations. In what ways will the organization use the model scores and insights? How does the AI/ML model fit into the operational workflow? Will technology entirely replace parts of the present manual processes, or will it only be utilized to support the analysts' judgment? Will the solution be applied on-premises or in the cloud? A clear plan that answers these questions will help to ensure that the solution is implemented and does not remain on the back burner.

5. Educating, enabling, and skilling:

Building teams with specialists in multiple fields of the AI/ML domain is crucial, of course. Confirm that the resources and expertise necessary to support the functioning of the AI/ML solution are accessible. Any skills shortages should be filled by either retraining the current workforce or hiring fresh talent with the necessary qualifications.

AI/ML algorithms now make it possible to identify DDoS activity early and put in place quick, precise, and effective mitigation procedures to resist such attacks.

By integrating big data analytics and AI/ML into every phase of a thorough DDoS security strategy, experts can protect networks from harmful DDoS attacks, keep services functioning, and protect users online.

Data Breach: HR Consulting Giant Randstad Hit by Egregor Ransomware

 

Randstad NV, a multinational human resources consulting firm, announced that it was hit by the Windows Egregor ransomware. While breaching the staffing agency's network, the ransomware operators stole unencrypted files, 1% of which the threat actors have published as proof of the data breach.

The data that has been made public is a 32.7MB archive containing 184 files, including legal documents, business files, accounting spreadsheets, and some financial reports. After the ransomware operators published the data, Randstad issued a security notification confirming this. However, there is no clarity on whether the personal data of employees or clients was compromised during the attack.

As per the sources, the attack impacted only a limited number of servers, disrupting their operations based in the US, France, Italy, and Poland. However, in other areas, the company continued its business operations without any interruption. 
 
Headquartered in Diemen, Netherlands, Randstad NV is a Dutch-based globally operated human resources giant that was founded in 1960 and currently operates in 39 countries and 5 continents. Reportedly, the company has trained over 350,000 candidates and helped around 2 million to find a job with their clients.

“Randstad NV (“Randstad”) recently became aware of malicious activity in its IT environment and an internal investigation into this incident was launched immediately with our 24/7 incident response team. Third-party cybersecurity and forensic experts were engaged to assist with the investigation and remediation of the incident,” Randstad disclosed. 
 
"To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France," reads the statement published by the firm. 
 
"They have now published what is claimed to be a subset of that data. The investigation is ongoing to identify what data has been accessed, including personal data, so that we can take appropriate action with regard to identifying and notifying relevant parties,"

First identified in September this year, Egregor ransomware has been rapidly escalating its threat activity, breaking into organizations and running the malware to encrypt their sensitive data. The initial infection vector employed by the attackers is still unknown; however, security researchers expect it to be malicious links or spam emails. Some similarities, such as obfuscation techniques, API calls, strings, and functions, have been spotted between Egregor and Sekhmet. The sources say that the ransom note left after the attack is also identical in many ways.

Smominru Botnet Affecting Over 4,000 Windows Systems Every Day


Affecting Windows machines across the globe, Smominru has been labeled one of the most rapidly spreading botnets, as per a report by data center and cloud security company Guardicore Labs. According to the report, the malware's infection rate has been detected at up to 47,000 machines per day, and in the month of August alone it compromised almost 90,000 computers.

Smominru compromises Windows PCs by using the NSA exploit EternalBlue and by brute-forcing various services such as RDP, TELNET, MS-SQL, and others. The malware is configured to steal the target's credentials and then install a cryptominer and Trojan module to compromise the network. After establishing a foothold, the malware moves laterally to affect as many systems as it can inside the targeted organization.

Reportedly, the US, Russia, China, Taiwan, and Brazil witnessed the maximum number of attacks; however, other countries remain equally vulnerable to the malware, which has seen an upsurge in recent times. As an example, the largest network targeted and compromised by Smominru was a healthcare provider in Italy, where a total of 65 hosts were affected.

The non-targeted nature of the attacks was notable: the compromised networks ranged from medical firms to higher-education institutions, and the victims infected by the malware included cybersecurity companies as well.

It has been discovered that around 85% of the attacks are carried out on Windows 7 and Windows Server 2008 systems, while some others are observed on Windows XP, Windows Server 2012, and Windows Server 2003.

Seemingly, the failure of company administrators to patch their computer networks and servers in time is one of the primary reasons for the networks being compromised. For a lot of organizations, this inability is a result of logistical scarcity; for others, it is simply due to negligence and not keeping up to date with the requirements of the sector.

Demand for teen hackers rises


Shivam Subudhi is 15 and lives in London. Three years ago, he was so inspired by the movies he was watching that featured hackers, he coded a simple port scanner revealing network doors that might let a hacker enter uninvited. "I decided to put my skills into practice for the first time," Subudhi says, "by pentesting my school network and website." Penetration testing is also known as ethical hacking and involves probing networks, systems, and sites looking for security vulnerabilities that could be exploited by an attacker. It was this activity that, unsurprisingly, brought Subudhi to the attention of the deputy headteacher. That teacher was also an IT enthusiast and introduced the budding hacker to the Cyber Discovery program, a £20 million ($24 million) U.K. government-backed scheme to teach kids how to be cybersecurity superheroes. Could your kid be next?

Teenage hackers sought by government Cyber Discovery program

Back in 2017, the U.K. government issued a tender to run a £20m Cyber Schools Programme as part of the National Cyber Security Strategy 2016-2021 created to reduce the cyber skills gap by encouraging young people to pursue a career in the profession. The SANS Institute bid for this contract was successful, having run similar programs in the U.S. and able to demonstrate the success of using a "gamified" learning model.

"SANS is by far the largest and most trusted provider of cybersecurity training in the world," James Lyne, CTO at the SANS Institute says, "so we have a wealth of experience, training content and expert instructors." In the first year the Cyber Discovery program saw some 23,000 youngsters from the U.K. aged between 14 and 18 taking part in the initial assessment phase, and around 12,000 qualifying to participate in the primary learning phases, "CyberStart Game" and "CyberStart Essentials." The following year, 29,000 took part and 14,000 qualified. Registration for the third year of Cyber Discovery is now open and Lyne anticipates a significant increase in participation, not least as the entry age has now dropped to 13.

Vulnerability in DHCP client let hackers take control of network

A critical remote code execution vulnerability that resides in the DHCP client allows attackers to take control of the system by sending malicious DHCP reply packets.

A Dynamic Host Configuration Protocol (DHCP) client allows a device to act as a host that requests configuration parameters, such as an IP address, from a DHCP server. The DHCP client can be configured on Ethernet interfaces.

To join a client to the network, the packets must carry all the TCP/IP configuration information during DHCP Offer and DHCP Ack.

The DHCP protocol works on a client-server model. It is responsible for dynamically allocating an IP address when the user connects to the internet, and the DHCP server is responsible for distributing the IP address to the DHCP client.

This vulnerability allows remote code execution on a system whose vulnerable DHCP client tries to connect to a rogue DHCP server.

Vulnerability Details

The remote code execution vulnerability resides in a function of dhcpcore.dll called “DecodeDomainSearchListData”, which decodes the encoded search list option field value.

During decoding, the function calculates the length of the decoded domain name list, allocates memory of that size, and copies the decoded list into it.

According to McAfee research, a malicious user can create an encoded search list such that, when the DecodeDomainSearchListData function decodes it, the resulting length is zero. This leads to a HeapAlloc call with a size of zero, resulting in an out-of-bounds write.

The vulnerability has been patched and is tracked as CVE-2019-0547. The patch includes a check which ensures the size argument to HeapAlloc is not zero; if it is zero, the function exits.
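The measure, allocate, copy pattern and the zero-size check described above, as an added C example. It is not the dhcpcore.dll code or McAfee's: it assumes a simplified encoding (length-prefixed labels, a zero byte ending each name, no compression pointers), and `decode_search_list`, `measure` and the `DSL_*` codes are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DSL_OK, DSL_MALFORMED, DSL_EMPTY, DSL_NOMEM };

/* Constructed sample payloads (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {3,'e','n','g',4,'c','o','r','p',0,3,'l','a','b',0};
static const uint8_t SAMPLE_EMPTY[] = {0};   /* one name with no labels */

/* Pass 1: bytes needed for the decoded text, one separator per label. */
static int measure(const uint8_t *opt, size_t n, size_t *total)
{
    size_t i = 0, sum = 0;
    while (i < n) {
        uint8_t len = opt[i++];
        if (len == 0) continue;              /* end of one name */
        if (len > 63 || len > n - i) return DSL_MALFORMED; /* pointer/truncated */
        sum += (size_t)len + 1;
        i += len;
    }
    *total = sum;
    return DSL_OK;
}

/* Pass 2: allocate and copy, producing e.g. "eng.corp,lab". Caller frees. */
char *decode_search_list(const uint8_t *opt, size_t n, int *err)
{
    size_t total = 0, i = 0, o = 0;
    char *out;
    if ((*err = measure(opt, n, &total)) != DSL_OK) return NULL;
    /* The guard: a measured size of zero never reaches the allocator.
     * Without it, out[total - 1] below would index outside a 0-byte block. */
    if (total == 0) { *err = DSL_EMPTY; return NULL; }
    if ((out = malloc(total)) == NULL) { *err = DSL_NOMEM; return NULL; }
    while (i < n) {
        uint8_t len = opt[i++];
        if (len == 0) { if (o > 0) out[o - 1] = ','; continue; }
        memcpy(out + o, opt + i, len);
        o += len;
        i += len;
        out[o++] = '.';
    }
    out[total - 1] = '\0';                   /* last separator becomes NUL */
    return out;
}

int main(void)
{
    int err;
    char *s = decode_search_list(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &err);
    printf("good:  err=%d text=%s\n", err, s ? s : "(none)");
    free(s);
    s = decode_search_list(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY, &err);
    printf("empty: err=%d (DSL_EMPTY=%d)\n", err, DSL_EMPTY);
    return 0;
}
```

In this model any payload that contains no labels measures as zero, so the guard also covers an empty option.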

New MegaCortex ransomware targeting corporate networks

A new strain of ransomware called MegaCortex has been found targeting entities in the US, Canada, France, Netherlands, Ireland, and Italy. The ransomware uses both automated and manual components in an effort to infect as many victims as possible. It uses a complicated chain of events, with some infections beginning with stolen credentials for domain controllers inside target networks.

The ransomware was reported by UK cyber-security firm Sophos after it detected a spike in ransomware attacks at the end of last week.

According to security researchers at Sophos, the cybercriminals operating the ransomware appear to be fans of the movie Matrix, as the ransom note “reads like it was written in the voice and cadence of Lawrence Fishburne’s character, Morpheus.”

The ransomware first began popping up in January. The ransomware has a few interesting attributes, including its use of a signed executable as part of the payload, and an offer of security consulting services from the malware author. Researchers said the ransomware often is present on networks that already are infected with the Emotet and Qakbot malware, but are not sure whether those tools are part of the delivery chain for MegaCortex.

Sophos said the ransomware appears to have been designed to target large enterprise networks as part of carefully planned targeted intrusions, a tactic that is known as "big-game hunting."

“The malware also employs the use of a long batch file to terminate running programs and kill a large number of services, many of which appear to be related to security or protection, which is becoming a common theme among current-generation ransomware families,” Sophos researcher Andrew Brandt said in a report.

Ransomware, for the most part, targets individuals rather than enterprise networks. That has mainly to do with individuals being relatively easier targets than corporate machines, but some attackers have begun to move up the food chain. Corporate ransomware infections can be much more profitable and efficient, with larger payouts for criminals who can compromise an organization rather than dozens or hundreds of individual victims. MegaCortex seems to be part of that trend, targeting enterprises with a mix of techniques.

Morto ~ A new type of Worm spreading via RDP(Remote Desktop Protocol)

A new type of worm is spreading via RDP (Remote Desktop Protocol). The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven't seen before: RDP.

RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.


When you connect to another computer with this tool, you can remotely use the computer, just like you'd use a local computer.

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.
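A defender can look for that scanning pattern as one internal host contacting many others on 3389/TCP. The following is an added example, not part of the original post: the flow records are constructed, `FANOUT_LIMIT` is an assumed threshold, and the records are assumed to come from one short time window.

```c
#include <stdio.h>
#include <string.h>

#define RDP_PORT 3389
#define FANOUT_LIMIT 3      /* assumed demo threshold; tune for your network */

struct flow { const char *src, *dst; int dport; };

/* Constructed flow records (not captured traffic): 10.0.0.5 sweeps RDP. */
static const struct flow SAMPLE[] = {
    {"10.0.0.5", "10.0.0.20", 3389}, {"10.0.0.5", "10.0.0.21", 3389},
    {"10.0.0.9", "10.0.0.20", 3389}, {"10.0.0.5", "10.0.0.22", 3389},
    {"10.0.0.5", "10.0.0.21", 3389}, {"10.0.0.5", "10.0.0.23", 3389},
    {"10.0.0.9", "10.0.0.30", 443},  {"10.0.0.9", "10.0.0.20", 3389},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Number of distinct hosts that src contacted on 3389/TCP. */
size_t rdp_fanout(const struct flow *f, size_t n, const char *src)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        if (f[i].dport != RDP_PORT || strcmp(f[i].src, src) != 0)
            continue;
        for (size_t j = 0; j < i && !seen; j++)   /* same pair seen earlier? */
            seen = f[j].dport == RDP_PORT && strcmp(f[j].src, src) == 0 &&
                   strcmp(f[j].dst, f[i].dst) == 0;
        distinct += !seen;
    }
    return distinct;
}

/* Writes each source whose fan-out exceeds FANOUT_LIMIT into out[] once;
 * returns how many were written (at most cap). */
size_t find_rdp_sweepers(const struct flow *f, size_t n,
                         const char **out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < cap; i++) {
        int listed = 0;
        for (size_t k = 0; k < found && !listed; k++)
            listed = strcmp(out[k], f[i].src) == 0;
        if (!listed && rdp_fanout(f, n, f[i].src) > FANOUT_LIMIT)
            out[found++] = f[i].src;
    }
    return found;
}

int main(void)
{
    const char *hits[8];
    size_t n = find_rdp_sweepers(SAMPLE, SAMPLE_LEN, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s contacted %zu hosts on 3389/TCP\n",
               hits[i], rdp_fanout(SAMPLE, SAMPLE_LEN, hits[i]));
    return 0;
}
```

Repeated connections to the same host count once, so an administrator reconnecting to a single server does not trip the threshold.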

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system, including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt.

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.

Some MD5 hashes include:
0c5728b3c22276719561049653c71b84
14284844b9a5aaa680f6be466d71d95b
58fcbc7c8a5fc89f21393eb4c771131d

F-Secure detects Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B.

More discussion on the topic at Technet forums.