Tag: Alerts | SpinSafe

Governments issue alerts after ‘sophisticated’ state-backed actor found exploiting flaws in Cisco security boxes • The Register

April 25, 2024/in Computer Security

A previously unknown and “sophisticated” nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes — and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.

These cyber-spy campaigns, dubbed “ArcaneDoor” by Cisco, were first spotted in early January and revealed on Wednesday. And they targeted VPN services used by governments and critical infrastructure networks around the globe, according to a joint advisory issued by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate’s Cyber Security Centre, and the UK’s National Cyber Security Centre (NCSC).

A Cisco spokesperson declined to comment on which country the snooping crew – tracked as UAT4356 by Talos and as STORM-1849 by Microsoft – is affiliated with. The disclosures, however, come as both Russian and China-backed hacking groups have been found burrowing into critical infrastructure systems and government agencies, with China specifically targeting Cisco gear.

The mysterious nation-state group “utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” according to a Talos report published today.

The attacks exploit two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, and the networking giant issued fixes for both on Wednesday, plus a fix for a related flaw.

CVE-2024-20353 is a high-severity vulnerability in the management and VPN web servers for Cisco ASA and FTD devices, and could allow an unauthenticated, remote attacker to cause the machines to reload unexpectedly, resulting in a denial of service (DoS) attack. It received an 8.6 CVSS rating.

Two other flaws, CVE-2024-20359 and CVE-2024-20358 received a 6.0 CVSS score, and could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Exploiting either, however, requires administrator-level privileges.

Cisco says it hasn’t yet…

Source…

Fake WordPress security alerts are being used to send malware

December 5, 2023/in Computer Security

If you are a WordPress site admin, be wary of incoming emails – one could be a phishing message looking to infect your site with malicious plugins.

This is the warning given out by WordPress security experts Wordfence and PatchStack, which have found WordPress site admins receiving emails impersonating the legitimate wordpress.com site.

In the emails, the admins were warned of a new (but actually bogus) remote code execution (RCE) flaw and were urged to immediately install a plugin to defend their site from hackers. The non-existent flaw is tracked as CVE-2023-45124, the fraudsters claim.

Injecting WordPress sites with ads

Gullible admins that click the “Download Plugin” button are then redirected to a fake landing page where they can review, and download, the “plugin”. The reviews are a mix of five-star, four-star, and even one-star ratings, to add legitimacy to the whole ordeal. The site also claims the plugin has had more than 500,000 downloads, and comes with reviews that are a mix of praise and critique.

The plugin does a number of malicious things to the infected WordPress instance. Firstly, it creates a hidden admin user, giving the attacker administrative privileges, but also exfiltrates important information about the website to the plugin’s operators, and downloads a backdoor that comes with file management features, an SQL client, a PHP console, and more. Finally, it tries to remain hidden and out of sight, which means admins need to manually search on the site’s root directory for it, in order to find and remove the malware.

While the malicious plugin’s end goal is still unclear at this time, researchers speculate that it could be used to inject unwanted ads on the compromised website. In some scenarios, plugins such as this one were used to redirect visitors to different sites, steal sensitive data, and more.

Via BleepingComputer

More from TechRadar Pro

Source…

HHS alerts health care sector to ransomware, data extortion gang

November 4, 2023/in Internet Security

The Department of Health and Human Services recently released an advisory to help health care organizations protect their systems and networks from 8Base, a ransomware and data extortion gang targeting small- and medium-sized organizations in health care and other sectors. Recommendations include prioritizing cybersecurity best practices, from regularly updating and patching systems to educating employees to avoid and report phishing emails and malicious attachments.

“This emerging ransomware group appears primarily focused on data extortion rather than data encryption at this point,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Their rapid rise and large number of attacks indicates this group may be a rebranding of a former group or contain elements of a former ransomware group. I have observed a general trend in which ransomware attackers claim to be ‘penetration testers’ performing a ‘service’ and discussion of ‘vulnerability reports’ for the victim, raising the possibility that these hackers may be affiliated with ‘legitimate’ cybersecurity firms in non-cooperative foreign jurisdictions or have formal cybersecurity training. These data extortion attacks highlight the need to ensure that protected health information (PHI) within our networks, especially PHI outside the electronic medical record, is fully mapped and encrypted at rest and in transit.”

For more information on this or other cyber and risk issues, contact Riggi at [email protected]. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity.

Source…

Disturbing trend of malware being spread to Android devices through fake alerts

October 18, 2023/in Computer Security

Malicious actors have once again found a new way to exploit unsuspecting victims. Recently, Italian cybersecurity researchers at D3Labs uncovered a disturbing trend of malware being spread to Android devices through fake volcano eruption alerts. These criminals are exploiting the IT-Alert service, a public alert system used by the Italian government to disseminate crucial information during emergency situations.

Deceptive Strategy

To lure unsuspecting victims into downloading malicious software, the cybercriminals created a deceptive website that mimicked the IT Alert service. This fake website warned users about the possibility of volcanic eruptions and the potential for a national earthquake. It urged visitors to download an app that would help them monitor the situation in their region. Importantly, this ruse was directed exclusively at Android users, as the website redirected to the actual IT Alert website when accessed via a desktop browser or an iOS device.

Malicious Payload

Once a user fell for this trick and clicked on the download button, a file labeled “IT-Alert.apk” was downloaded to their device. This innocuous-seeming file, however, contained the SpyNote malware. SpyNote is a notorious strain of malware known for targeting financial institutions and is typically sold via Telegram by its creator, who goes by the alias CypherRat.

Infiltrating User Devices

After the malware is installed, it prompts users to grant permission for the app to run in the background. This seemingly innocent request opens the door to malicious actors gaining full control over the victim’s smartphone, thanks to its accessibility services. With this control, these malevolent actors can monitor, manage, and even modify the device’s resources and features, along with enabling remote access capabilities.

This insidious technique also makes it incredibly challenging for victims to uninstall the application, update already uninstalled apps, or install new ones, further complicating the removal of the malware.

Spying and Data Theft

SpyNote’s capabilities are vast and invasive. It can independently manipulate…

Source…

Tag Archive for: Alerts

Deceptive Strategy

Malicious Payload

Infiltrating User Devices

Spying and Data Theft