
NullMixer Campaign: A Threat to Cybersecurity

A new cybersecurity threat has recently emerged in the form of the NullMixer campaign, which is causing concern among experts. The campaign has been found to distribute new polymorphic loaders, a type of malware that poses a significant threat to cybersecurity. This malware has already targeted thousands of endpoints in various countries, including France and Italy, and is constantly evolving to become more advanced and sophisticated.

Bitdefender, a leading cybersecurity company, has been monitoring the NullMixer campaign closely. It reports that the malware has evolved over time, and that the new polymorphic loaders shift its focus to Italian and French endpoints, indicating a targeted attack.

According to Bitdefender, the enhanced NullMixer malware is particularly dangerous because it is polymorphic, which means that it can change its form and structure to avoid detection. The malware can also mutate to evade traditional signature-based antivirus software. As a result, it is difficult to detect and eliminate, making it a significant threat to cybersecurity.

The NullMixer campaign is a reminder of the importance of staying vigilant when it comes to cybersecurity. As cyber threats become more advanced and sophisticated, it is crucial to have up-to-date security measures in place. This includes installing and regularly updating antivirus software, implementing strong passwords, and training employees on best practices for avoiding phishing attacks.

In light of the NullMixer campaign, cybersecurity experts are urging individuals and organizations to be cautious when opening email attachments or clicking on links. They advise that if something seems suspicious or out of the ordinary, it is best to err on the side of caution and avoid clicking on it.

As cybersecurity expert Michael Covington notes, "The best defense against these types of attacks is to stay informed and vigilant. It is essential to keep up with the latest threats and trends in cybersecurity and to take proactive measures to protect yourself and your organization."

The NullMixer campaign, with its advanced polymorphic loaders, highlights the importance of being proactive about cybersecurity. Staying informed about the latest threats and implementing robust security measures lets individuals and organizations reduce the risk of becoming victims of cybercrime.

By Attacking Healthcare, Education, and Government Systems, FritzFrog Botnet Grew Tenfold

The FritzFrog botnet, which has been active for over two years, has resurfaced with an alarming infection rate, growing tenfold in just a month while attacking healthcare, education, and government networks through unprotected SSH servers. FritzFrog, malware written in Golang and first discovered in August 2020, is both a worm and a botnet that targets the government, education, and finance sectors.

The malware assembles and executes its malicious payload entirely in memory, so the payload is volatile and leaves little on disk. Furthermore, because of its unique P2P implementation, there is no central Command & Control (C&C) server giving commands to FritzFrog; it is self-sufficient and decentralised. Despite its aggressive brute-force tactics for breaching SSH servers, FritzFrog is strangely efficient at spreading its attacks evenly across a network.

Guardicore Labs has been monitoring FritzFrog with its honeypot network for some time. "We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary," said the company in a report published in August 2020, authored by security researcher Ophir Harpaz.

Researchers at internet security firm Akamai discovered a new version of the FritzFrog malware, which has intriguing new features such as the use of the Tor proxy chain. The new botnet variation also reveals signs of its operators planning to enhance capabilities to target WordPress servers. 

Although the Akamai global network of sensors identified 24,000 attacks, the botnet has claimed only 1,500 victims thus far. The majority of infected hosts are in China, although affected systems can also be found in a European TV network, a Russian healthcare organisation, and several East Asian universities. The perpetrators have included a filtering list to avoid low-powered devices like Raspberry Pi boards, and the malware also includes code that lays the basis for targeting WordPress sites.

Given that the botnet is renowned for cryptocurrency mining, this feature is an odd inclusion. However, Akamai believes that the attackers have discovered new means of monetization, such as the deployment of ransomware or data leaks. This functionality is currently dormant while it is being developed. The researchers point out that FritzFrog is always in development, with bugs being resolved on a daily basis. 

FritzFrog targets any device that exposes an SSH server, so administrators of data centre servers, cloud instances, and routers must be careful, according to the researchers. Security tips from Akamai include enabling system login auditing with alerting, monitoring the authorized_hosts file on Linux, configuring an explicit allow list for SSH login, and similar hardening measures.
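The three Akamai tips above (login auditing with alerting, watching the file that holds permitted SSH keys, and an explicit allow list) can be put into practice with a small amount of tooling. The following is an added example, not code from Akamai or from the FritzFrog report; the log lines, sshd_config fragments and key material are constructed for the example, and the file it diffs is OpenSSH's authorized_keys (the file that holds permitted public keys). It flags the pattern FritzFrog relies on (a burst of failed logins from one source followed by a success), audits an sshd_config for an allow list and related settings, and reports keys added to or removed from authorized_keys relative to a saved baseline.

```python
import re
from collections import Counter

# Constructed sample in the style of OpenSSH auth.log lines; hosts, IPs and
# users are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar 10 10:01:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 10:01:03 host1 sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar 10 10:01:04 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 10:01:05 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 10:01:06 host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 10 10:01:07 host1 sshd[2209]: Failed password for root from 203.0.113.7 port 51246 ssh2
Mar 10 10:02:30 host1 sshd[2301]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:constructed
Mar 10 10:03:11 host1 sshd[2310]: Accepted password for root from 203.0.113.7 port 51300 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def parse_auth_line(line):
    """Return outcome/method/user/ip for an sshd auth line, or None for other lines."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def find_brute_force_sources(log_text, threshold=5):
    """Source IPs with at least `threshold` failed logins (candidate brute forcers)."""
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev and ev["outcome"] == "Failed":
            failures[ev["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def find_success_after_failures(log_text, threshold=5):
    """Successful logins from an IP that had already failed `threshold` times.

    This is the alert-worthy event: a brute-force burst that ended in access.
    Returns (ip, user, method, prior_failures) tuples in log order.
    """
    failures = Counter()
    hits = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if not ev:
            continue
        if ev["outcome"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            hits.append((ev["ip"], ev["user"], ev["method"], failures[ev["ip"]]))
    return hits


# Constructed sshd_config fragments: a weak one and a hardened one.
SAMPLE_SSHD_CONFIG_WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_SSHD_CONFIG_HARDENED = (
    "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
    "AllowUsers deploy backup\nLogLevel VERBOSE\n"
)


def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    if not ("allowusers" in settings or "allowgroups" in settings):
        findings.append("no explicit allow list (AllowUsers/AllowGroups)")
    if settings.get("permitrootlogin", "yes").lower() not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows password login as root")
    if settings.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes (brute-forceable)")
    if settings.get("loglevel", "INFO").upper() not in ("VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"):
        findings.append("LogLevel below VERBOSE (key fingerprints are not logged)")
    return findings


# Constructed authorized_keys contents (key material is a placeholder, not real keys).
BASELINE_KEYS = "ssh-ed25519 AAAAC3PLACEHOLDERDEPLOY deploy@host1\n"
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3PLACEHOLDERUNKNOWN unknown@nowhere\n"


def diff_authorized_keys(baseline_text, current_text):
    """(added, removed) key lines relative to a saved baseline; added keys need review."""
    def keys(text):
        return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}
    old, new = keys(baseline_text), keys(current_text)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    print("brute-force sources:", find_brute_force_sources(SAMPLE_AUTH_LOG))
    print("success after failures:", find_success_after_failures(SAMPLE_AUTH_LOG))
    print("weak config:", audit_sshd_config(SAMPLE_SSHD_CONFIG_WEAK))
    print("hardened config:", audit_sshd_config(SAMPLE_SSHD_CONFIG_HARDENED))
    print("authorized_keys diff:", diff_authorized_keys(BASELINE_KEYS, CURRENT_KEYS))
```

In practice the log functions would be fed `/var/log/auth.log` (or `journalctl -u ssh` output) on a schedule and the success-after-failures list wired to an alert, while the baseline for the key diff is stored somewhere the host itself cannot modify.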

Experts Warn of Unsecured Prometheus Endpoints Leaking Sensitive Data

A massive unauthenticated scraping of publicly reachable, unsecured endpoints from older versions of the Prometheus event monitoring and alerting service could unintentionally expose critical data, according to the latest research.

JFrog researchers Andrey Polkovnychenko and Shachar Menashe stated in a report, "Due to the fact that authentication and encryption support is relatively new, many organizations that use Prometheus haven't yet enabled these features and thus many Prometheus endpoints are completely exposed to the Internet (e.g. endpoints that run earlier versions), leaking metric and label data."

Prometheus is an open-source system monitoring and alerting toolkit that collects and processes metrics from various endpoints while also allowing easy analysis of software metrics such as memory usage, network usage, and application-defined metrics such as the number of failed logins to a web application.

With the release of version 2.24.0 in January, support for Transport Layer Security (TLS) and basic authentication was added. 

The findings are the result of a methodical sweep of publicly exposed Prometheus endpoints that were reachable on the Internet without any authentication. The metrics discovered revealed software versions and hostnames, which the researchers stated could be weaponized by intruders to perform reconnaissance of a target environment before exploiting a specific server, or for post-exploitation methods like lateral movement.

The following are some of the endpoints and information disclosed: 
  • /api/v1/status/config - Leakage of usernames and passwords provided in URL strings from the loaded YAML configuration file 
  • /api/v1/targets - Leakage of metadata labels, including environment variables as well as user and machine names, added to target machine addresses 
  • /api/v1/status/flags - Leakage of usernames when providing a full path to the YAML configuration file 
An attacker can use the "/api/v1/status/flags" endpoint to check the state of two administrative interfaces ("web.enable-admin-api" and "web.enable-lifecycle") and, if they are found to have been enabled manually, abuse them to discard all saved metrics or, in the worst case, shut down the monitoring server. It is noteworthy that both interfaces are disabled by default for security reasons since Prometheus 2.0.

As per JFrog, around 15% of the Internet-facing Prometheus endpoints had the API management setting activated, and 4% had database management enabled. A total of around 27,000 hosts were found through a search on the IoT search engine Shodan. 

In addition to advising organisations to "query the endpoints [...] to help verify if sensitive data may have been exposed," the researchers stated that advanced users who require stronger authentication or encryption than what Prometheus provides can also set up a different network entity to manage the additional security.
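JFrog's advice above is to query the endpoints and check what they reveal. The following is an added example of such a check, not code from JFrog or the Prometheus project: it parses the JSON that Prometheus returns from `/api/v1/status/flags` and `/api/v1/status/config` (both have the shape `{"status": ..., "data": ...}`; the flag values and the YAML below are constructed for the example), reports whether the admin and lifecycle APIs from the post are enabled and whether a web config file for TLS and basic auth is set, and scans the loaded configuration for credentials embedded in URLs, reporting only the username so the audit output does not itself leak the secret.

```python
import json
import re

# Constructed response in the shape of GET /api/v1/status/flags: the "data"
# object maps each command-line flag name to its string value.
SAMPLE_FLAGS_EXPOSED = json.dumps({
    "status": "success",
    "data": {
        "web.enable-admin-api": "true",
        "web.enable-lifecycle": "true",
        "web.listen-address": "0.0.0.0:9090",
        "web.config.file": "",
        "config.file": "/etc/prometheus/prometheus.yml",
    },
})

SAMPLE_FLAGS_HARDENED = json.dumps({
    "status": "success",
    "data": {
        "web.enable-admin-api": "false",
        "web.enable-lifecycle": "false",
        "web.listen-address": "127.0.0.1:9090",
        "web.config.file": "/etc/prometheus/web.yml",
    },
})

# Constructed response in the shape of GET /api/v1/status/config: "data.yaml"
# holds the loaded configuration as a string. The credential is invented.
SAMPLE_CONFIG_RESPONSE = json.dumps({
    "status": "success",
    "data": {
        "yaml": (
            "global:\n  scrape_interval: 15s\n"
            "scrape_configs:\n"
            "- job_name: app\n"
            "  static_configs:\n  - targets: ['app.internal:8080']\n"
            "- job_name: db-exporter\n"
            "  metrics_path: /metrics\n"
            "  static_configs:\n"
            "  - targets: ['http://svc_user:S3cretPass@db.internal:9187']\n"
        )
    },
})

# The two flags named in the post and why each matters when exposed.
RISKY_FLAGS = {
    "web.enable-admin-api": "admin API on: stored metrics can be deleted remotely",
    "web.enable-lifecycle": "lifecycle API on: the server can be reloaded or shut down remotely",
}


def audit_flags(flags_json):
    """Return findings for a /api/v1/status/flags body; empty list means clean."""
    flags = json.loads(flags_json).get("data", {})
    findings = []
    for name, why in RISKY_FLAGS.items():
        if flags.get(name, "false").lower() == "true":
            findings.append(f"{name}: {why}")
    # Prometheus 2.24.0+ reads TLS and basic-auth settings from --web.config.file;
    # an empty value means the listener is unauthenticated and unencrypted.
    if "web.config.file" in flags and not flags["web.config.file"]:
        findings.append("web.config.file unset: no TLS or basic auth on the listener")
    if flags.get("web.listen-address", "").startswith("0.0.0.0"):
        findings.append("web.listen-address binds all interfaces")
    return findings


# scheme://user:password@host ... capture the user and the secret separately.
URL_CRED_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://([^:/\s'\"]+):([^@\s'\"]+)@")


def find_url_credentials(config_json):
    """(line_number, username) for every URL in the loaded YAML that embeds a password."""
    yaml_text = json.loads(config_json)["data"]["yaml"]
    hits = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        for m in URL_CRED_RE.finditer(line):
            hits.append((lineno, m.group(1)))  # username only; the secret is not reported
    return hits


if __name__ == "__main__":
    print("exposed instance:", audit_flags(SAMPLE_FLAGS_EXPOSED))
    print("hardened instance:", audit_flags(SAMPLE_FLAGS_HARDENED))
    print("credentials in config:", find_url_credentials(SAMPLE_CONFIG_RESPONSE))
```

To run this against a live instance, fetch the two URLs with any HTTP client and pass the response bodies in. Any finding from `audit_flags` is fixed on the server side: drop the two `--web.enable-*` flags unless they are needed, bind the listener to a private address, and on 2.24.0 or later point `--web.config.file` at a web config with `tls_server_config` and `basic_auth_users` (or put a reverse proxy that handles authentication in front, as the JFrog researchers suggest).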

A Security Researcher Discovers A Fully Unprotected Server On An Aerospace Company’s Network
A security researcher at the security firm IOActive discovered a completely unprotected server on an aerospace company's network, apparently loaded with code designed to run on the company's giant 737 and 787 passenger jets, left openly accessible to anyone who found it.

A year later, the researcher, Ruben Santamarta, says that the leaked code led him to discover security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that, for a hacker, abusing those bugs could represent one stage of a multi-stage attack that begins in the plane's in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.

The aerospace company, Boeing, flatly denies that such an attack is even conceivable, and rejects Santamarta's claim of having found a potential way to pull it off. Santamarta himself concedes that he does not possess the evidence to confirm his claims, yet he and the other avionics cybersecurity researchers who have reviewed his findings argue that, while an all-out cyberattack on a plane's most sensitive systems remains a long way from being a material threat, the flaws revealed in the 787's code nevertheless point to a troubling lack of attention to cybersecurity on Boeing's part.


"We don't have a 787 to test, so we can't assess the impact. We're not saying it's doomsday, or that we can take a plane down. But we can say: This shouldn't happen," said Santamarta at the Black Hat security conference on the 8th of August in Las Vegas.

When Boeing investigated IOActive's claims, it concluded that there is no genuine danger of a cyberattack and issued a statement on the issue: "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we’re disappointed in IOActive’s irresponsible presentation."

The company's spokesperson added that, while investigating IOActive's claims, Boeing put an actual 787 into "flight mode" for testing and then had its security engineers attempt to exploit the vulnerabilities Santamarta had uncovered.

Boeing says it also consulted the Federal Aviation Administration and the Department of Homeland Security about Santamarta's attack. While the DHS did not respond to a request for comment, an FAA spokesperson wrote in a statement that it is "satisfied with the manufacturer's assessment of the issue."

However, hardly any security researchers accept that, on the basis of Santamarta's discoveries alone, a hacker could pose an imminent threat to an aircraft or its passengers. Beyond that, they say Santamarta's research, in spite of Boeing's denials and assurances, ought to be a reminder to everyone that aircraft security is a long way from being a 'solved area of cybersecurity research.'