Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybersecurity news. Show all posts
QR code attack
browser isolation C2 bypass command-and-control Cyber Security cybersecurity news malicious communication Mandiant research QR code attack

Mandiant Uncovers QR Code Exploit to Bypass Browser Isolation

 


Mandiant researchers have discovered an innovative method to circumvent browser isolation technology by leveraging QR codes to establish command-and-control (C2) operations. This finding highlights potential vulnerabilities in existing web browser security measures.

Understanding Browser Isolation

Browser isolation is a widely adopted security strategy where local browser requests are routed through remote browsers hosted in cloud environments or virtual machines. By executing web scripts and content remotely, this approach ensures that malicious code does not impact local devices. Only the visual representation of the web page is transmitted back to the local browser, offering strong protection.

Traditionally, C2 servers use HTTP for communication. However, browser isolation filters out malicious traffic, rendering such methods ineffective. Mandiant's new technique showcases a way to bypass these restrictions, emphasizing the need for enhanced security protocols.

The Role of QR Codes in the Exploit

Command-and-control channels enable attackers to communicate with compromised systems for remote access and data exfiltration. Browser isolation serves as a defense mechanism, executing browser activity in a secure sandboxed environment, preventing malicious scripts embedded in HTTP responses from reaching the local system.

The innovative method discovered by Mandiant involves encoding commands within QR codes displayed on webpages. Since browser isolation preserves visual elements, the encoded QR codes can successfully return to the originating client. Malware on the compromised device then decodes the QR codes to execute instructions.

Proof-of-Concept and Limitations

Mandiant demonstrated this exploit on Google Chrome using Cobalt Strike's External C2 feature. Although functional, the attack has several limitations:

  • Data Size Restrictions: QR codes can transmit a maximum of 2,189 bytes per stream, further reduced by interpretation issues.
  • Latency: The data transfer rate is approximately 438 bytes per second, making it unsuitable for large payloads or high-speed communication.
  • Bandwidth Constraints: These factors limit the efficiency of the exploit for large-scale operations.

Additional Defenses and Mitigation

Mandiant's study did not account for additional security measures such as domain reputation checks, URL scanning, and data loss prevention, which could mitigate this attack. The real-world feasibility of the exploit depends on bypassing these defenses.

Despite its limitations, the QR code method poses a risk, particularly in security-critical environments. Administrators should take proactive measures, including:

  • Monitoring for unusual traffic patterns.
  • Detecting headless browsers operating in automation mode.

Conclusion

While the QR code exploit demonstrates the ingenuity of attackers, it also underscores the importance of continuous improvement in browser isolation technologies. Organizations must remain vigilant and adopt comprehensive security strategies to mitigate emerging threats.

Read more »
VPNs Security
Cyber incidents cybersecurity news Data Theft Cases Latest Cybersecurity news Security threats Technology VPNs Security

The Rise of VPNs: A Tool for Privacy or a False Promise

 

Today, Virtual Private Networks (VPNs) have become omnipresent. Millions around the world use VPNs, and they are often promoted by influencers as essential tools for privacy. Their rise in popularity stems from the idea that they offer online privacy by hiding your browsing activities and making you anonymous on the internet. 

Despite the marketing, the reality is less reassuring. VPN providers frequently fail to deliver the level of privacy and protection that users expect. 

How VPNs Work 

A VPN works by channelling your internet traffic through an encrypted tunnel to a VPN server. This prevents your internet service provider (ISP) from tracking your online activities, such as websites visited or apps used. However, this does not make you anonymous. Instead, it shifts the trust from your ISP to the VPN provider. This raises an important question: why trust a VPN provider more than your ISP? 

Trust Issues with VPN Providers 

The truth is, that VPN providers cannot always be trusted. Free VPN services, in particular, are notorious for collecting and selling user data to third-party advertisers, posing privacy risks. Even paid VPN services, which claim to protect privacy by not logging data, have often been found to break those promises. In some cases, VPNs with “no-log” policies were later discovered storing data, which was leaked or shared with law enforcement. 

Verifying Privacy Claims 

A significant issue with VPN providers is the difficulty in verifying their privacy claims. Often, the only assurance users have is the provider’s word, and that’s rarely enough. Numerous VPN companies have been caught logging user data, breaking the trust they have established with their customers. 


Setting Up Your Own 

VPN For those needing a VPN to bypass censorship or other specific purposes, experts recommend setting up a personal VPN server. By using services like Amazon Web Services, Google Cloud, or DigitalOcean, users can create and manage their own encrypted VPN server, giving them control of the private key to their data. This ensures that even the cloud provider cannot access your information.
Read more »
ransomware operations
AvNeutralizer tool corporate network security Cyber Security cyber threat cybersecurity news endpoint protection evasion FIN7 hacking group malware tools Phishing Attacks ransomware operations

FIN7 Hacking Group Sells Custom Tool "AvNeutralizer" to Evade Endpoint Protectiono

 

The notorious FIN7 hacking group has been identified selling a custom tool called "AvNeutralizer," designed to bypass detection by disabling enterprise endpoint protection software on corporate networks.

Believed to be a Russian hacking group active since 2013, FIN7 initially focused on financial fraud, hacking organizations, and stealing debit and credit card information. 

Subsequently, the group ventured into the ransomware domain and became linked with the DarkSide and BlackMatter ransomware platforms. The same threat actors are also suspected of being associated with the BlackCat ransomware operation, which recently conducted an exit scam after pilfering a ransom payment from UnitedHealth.

FIN7 is notorious for its sophisticated phishing and social engineering attacks, which they use to gain initial access to corporate networks. Their methods have included impersonating BestBuy to distribute malicious USB drives and developing custom malware and tools.

The group also created a fake security company called Bastion Secure to recruit pentesters and developers for ransomware attacks without the applicants realizing the true nature of their work.

FIN7 is tracked under various aliases, including Sangria Tempest, Carbon Spider, and the Carbanak Group.

According to a new report by SentinelOne, one of the custom tools developed by FIN7 is "AvNeutralizer" (also known as AuKill), which was first seen in attacks by the BlackBasta ransomware operation in 2022. At that time, BlackBasta was the only ransomware operation using the tool, leading researchers to believe there was a connection between the groups.

However, SentinelOne's historical data showed that the tool had been used in attacks by five other ransomware operations, indicating widespread distribution.

"Since early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer," explains SentinelOne researcher Antonio Cocomazzi. "About 10 of these are attributed to human-operated ransomware intrusions deploying well-known RaaS payloads, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit."

Further investigation revealed that threat actors using the aliases "goodsoft," "lefroggy," "killerAV," and "Stupor" had been selling an "AV Killer" on Russian-speaking hacking forums since 2022, with prices ranging from $4,000 to $15,000. A 2023 report from Sophos detailed how AvNeutralizer/AuKill exploited the legitimate SysInternals Process Explorer driver to terminate antivirus processes on a device.

The threat actors claimed that this tool could disable any antivirus/EDR software, including Windows Defender and products from Sophos, SentinelOne, Panda, Elastic, and Symantec.

SentinelOne recently found that FIN7 had updated AvNeutralizer to use the Windows ProcLaunchMon.sys driver to hang processes, rendering them non-functional. "AvNeutralizer employs a combination of drivers and operations to create a failure in certain implementations of protected processes, ultimately causing a denial of service condition," explains SentinelOne.

"It uses the TTD monitor driver ProcLaunchMon.sys, available on default system installations, in conjunction with updated versions of the process explorer driver version 17.02 (17d9200843fe0eb224644a61f0d1982fac54d844), which has been fortified for cross-process operations abuse and is not currently blocked by Microsoft's WDAC list."

SentinelOne discovered additional custom tools and malware used by FIN7 that are not known to be sold to other threat actors, including Powertrash (a PowerShell backdoor), Diceloader (a lightweight C2-controlled backdoor), Core Impact (a penetration testing toolkit), and an SSH-based backdoor.

Researchers warn that FIN7's continuous evolution and innovation in tools and techniques, coupled with selling its software, make it a significant threat to enterprises worldwide. "FIN7's continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise," concludes SentinelOne researcher Antonio Cocomazzi. "The group's use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies."
Read more »
Subscribe to: Posts (Atom)