Flawed Cisco firewalls used to target government networks


A Cisco Talos investigation has uncovered a state-affiliated cyber espionage campaign exploiting two Cisco zero days to plant malware on critical government networks.

The campaign, known as ArcaneDoor, targets perimeter network devices, using them to gain a foothold on the target network, at which point they can start distributing malware, stealing information, and spreading throughout the organization. 

Source…

Governments issue alerts after ‘sophisticated’ state-backed actor found exploiting flaws in Cisco security boxes • The Register


A previously unknown and “sophisticated” nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes — and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.

These cyber-spy campaigns, dubbed “ArcaneDoor” by Cisco, were first spotted in early January and revealed on Wednesday. And they targeted VPN services used by governments and critical infrastructure networks around the globe, according to a joint advisory issued by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate’s Cyber Security Centre, and the UK’s National Cyber Security Centre (NCSC).

A Cisco spokesperson declined to comment on which country the snooping crew – tracked as UAT4356 by Talos and as STORM-1849 by Microsoft – is affiliated with. The disclosures, however, come as both Russia-backed and China-backed hacking groups have been found burrowing into critical infrastructure systems and government agencies, with China specifically targeting Cisco gear.

The mysterious nation-state group “utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” according to a Talos report published today.

The attacks exploit two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, and the networking giant issued fixes for both on Wednesday, plus a fix for a related flaw.

CVE-2024-20353 is a high-severity vulnerability in the management and VPN web servers for Cisco ASA and FTD devices, and could allow an unauthenticated, remote attacker to cause the machines to reload unexpectedly, resulting in a denial of service (DoS) attack. It received an 8.6 CVSS rating.

The second exploited flaw, CVE-2024-20359, and a related one, CVE-2024-20358, each received a 6.0 CVSS score. Both could allow an authenticated local attacker to execute arbitrary code with root-level privileges; in the case of CVE-2024-20359 the planted code runs again after the device reloads, which is what makes it useful for persistence. Exploiting either, however, requires administrator-level privileges on the appliance in the first place.

Cisco says it hasn’t yet…
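As a worked triage check for the kind of implant described above (an added example written for this page, not code from Cisco, Talos or The Register): Talos's public ArcaneDoor guidance, as I recall it and not quoted on this page, says that `show memory region | include lina` on an ASA should show only one executable (r-xp) region for the lina process, and that more than one is a tampering indicator. The script below parses such output and also flags any mapping that is both writable and executable, a generic red flag for injected code. Both samples are constructed rather than captured from a device, and the column layout is an assumption; check it against a real appliance and adjust `REGION_RE` before relying on it.

```python
"""Triage helper for Cisco ASA `show memory region` output.

Added example for this page, not code from Cisco, Talos or The Register.
The heuristic follows Talos's public ArcaneDoor guidance as I recall it
(more than one executable, r-xp, region mapped for the lina process is a
sign the firewall has been tampered with). The command output below is
CONSTRUCTED in a /proc-maps-style layout; a real appliance's output may
differ, so verify the format and adjust REGION_RE before use.
"""
import re
from typing import Dict, List

# Constructed sample of a healthy device: a single executable region for lina.
CLEAN_SAMPLE = """\
Address                    Perms  Offset    Dev    Inode   Pathname
00400000-00c00000          r-xp   00000000  00:00  0       /asa/bin/lina
00e00000-01000000          rw-p   00800000  00:00  0       /asa/bin/lina
7f2a00000000-7f2a00100000  r--p   00000000  00:00  0       /lib64/libc.so.6
"""

# Constructed sample of a suspect device: a second r-xp region for lina at a
# heap-like address, plus a writable+executable mapping.
SUSPECT_SAMPLE = """\
Address                    Perms  Offset    Dev    Inode   Pathname
00400000-00c00000          r-xp   00000000  00:00  0       /asa/bin/lina
00e00000-01000000          rw-p   00800000  00:00  0       /asa/bin/lina
7f2a10000000-7f2a10100000  r-xp   00000000  00:00  0       /asa/bin/lina
7f2a20000000-7f2a20010000  rwxp   00000000  00:00  0       /asa/bin/lina
"""

# One mapping line: start-end, perms, offset, dev, inode, path (assumed layout).
REGION_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)\s*$",
    re.IGNORECASE,
)


def parse_regions(output: str) -> List[Dict]:
    """Parse each mapping line into a dict; header and blank lines are skipped."""
    regions = []
    for line in output.splitlines():
        m = REGION_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({
            "start": start,
            "end": end,
            "size": end - start,
            "perms": m["perms"].lower(),
            "path": m["path"],
        })
    return regions


def assess(output: str, process: str = "lina") -> Dict:
    """Return the executable regions for `process` plus two tamper indicators:

    - extra_exec_region: more than one r-x region (the ArcaneDoor indicator)
    - writable_exec_region: any mapping that is both writable and executable,
      which a properly built binary never needs and injected payloads often do
    """
    regs = [r for r in parse_regions(output) if process in r["path"]]
    executable = [r for r in regs if r["perms"][0] == "r" and r["perms"][2] == "x"]
    wx = [r for r in regs if r["perms"][1] == "w" and r["perms"][2] == "x"]
    return {
        "executable_regions": executable,
        "extra_exec_region": len(executable) > 1,
        "writable_exec_region": len(wx) > 0,
        "suspicious": len(executable) > 1 or len(wx) > 0,
    }


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        verdict = assess(sample)
        print(f"{name}: {len(verdict['executable_regions'])} exec region(s), "
              f"suspicious={verdict['suspicious']}")
        for r in verdict["executable_regions"]:
            print(f"  {r['start']:#x}-{r['end']:#x} {r['perms']} "
                  f"{r['path']} ({r['size']} bytes)")
```

Paste the appliance's real command output in place of the samples (or read it from a file) and treat any "suspicious" verdict as a reason to collect a core dump and the disk0: contents before rebooting, since a reload can destroy the in-memory evidence.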

Source…

Can We Balance Security And Privacy? Thoughts 10 Years After Snowden


Hi, I’m Matthias, cofounder of Tuta, a secure email service. We are innovation leaders in encrypted communication and collaboration.

More than 10 years have passed since Edward Snowden revealed the worst surveillance scandal of the FBI and the NSA in U.S. history. His revelations sparked a lively discussion, one that can be looked at with more precision now that the heated debate of a decade ago has settled: How can we balance the security and privacy requirements of our modern societies?

Snowden brought some of the most intrusive surveillance programs of U.S. authorities to light, the most prominent ones being PRISM, XKeyscore and Boundless Informant. Once the public started to understand how much of the private data they willingly share online is being siphoned off, analyzed and scanned, the question arose whether this form of surveillance is required to keep citizens safe or violates citizens’ privacy rights without measurable benefit.

Balancing Security And Privacy—Is It Possible?

The delicate balance between security imperatives and the fundamental right to privacy must be discussed openly by every society. As an expert in encryption and cybersecurity, I am absolutely certain that the Snowden leaks not only exposed the extent of government surveillance but also underscored the urgent need for strong end-to-end encryption to protect the privacy of citizens and businesses alike. At the same time, encryption must not stand in the way of national security, which is what government authorities often claim it does; better ways to protect citizens are possible.

First of all, it’s essential to note that the internet as it exists today would not be possible without strong end-to-end encryption. We use it every day for online banking, sharing sensitive medical information, messaging or communicating via email. Encryption is the only technical measure we have to protect data online, not just from eavesdropping by our own authorities but also from malicious attackers, economic espionage and state-sponsored surveillance by foreign countries such as China or Russia. Encryption is the very foundation of our modern web and the basis of any cybersecurity…

Source…

World’s 1st full-fledged cyber war raging since 2022


Russia’s full-scale invasion of Ukraine in February 2022 marked the start of what should be termed – in view of the unprecedented scale and sophistication of the cyber operations that accompanied Russia’s military actions – the world’s first cyber war.

It gave the world insight into how cyber operations would be integrated with the physical battlefield going forward.

Moreover, Ukraine showcased to the international community not only the critical importance of robust cyber defenses but also the complexity involved in their implementation. This complexity arises from the coalition that extends beyond the support of Western governments to include the pivotal contributions of tech companies in strengthening Ukraine’s cyber defenses.

In the months leading up to Russia’s full-scale invasion of Ukraine in February 2022, a series of cyberattacks was launched against Ukrainian targets. On January 13 of that year, Microsoft detected and reported malware that was targeting the Ukrainian government and various non-profit organizations and IT companies.

That turned out to be part of a broader pattern of digital aggression attributed to Russia. The following day, Russia escalated its cyber war, conducting a significant cyberattack that affected various Ukrainian government institutions and resulted in dozens of government websites being defaced by hackers.

In response, NATO stepped up its support for Ukraine in the cyber domain, which included providing Ukraine with access to NATO’s system for sharing information about malicious software.

The cyberattacks continued into mid-February, culminating in a distributed denial of service (DDoS) attack that temporarily disabled the online services of several Ukrainian government departments, financial institutions and radio stations. The attacks temporarily took down the online services of Ukraine’s two largest banks, PrivatBank and Oschadbank. PrivatBank had to release a statement assuring the public that there was no threat to depositors’ funds.

These attacks were intended to create panic and confusion and to destabilize Ukraine, and were attributed to Russia’s military intelligence agency, the GRU. On February 24,…

Source…