Tag Archive for: Exchange

Cloud Exchange: How to Secure Your Agency from Endpoint to Cloud


Recent cyber attacks have proven, once again, that agencies are in a perimeter-less environment. In fact, Gartner estimates that 70% of all endpoint intrusions are done through a browser.

Over the last year, these browser-based attacks only increased as more employees worked remotely.

Tony D’Angelo, the vice president of U.S. public sector at Lookout, said bad actors recognized that employees would access network applications and data through mobile devices and virtual private network connections and applied attack vectors like credential harvesting and other methods to obtain passwords.

“Where a lot of these attacks start is particularly on the mobile endpoint, as we have so much telework occurring now. It’s that initial credential harvesting effort, which again, comes through a text or oftentimes some other elements of social media, trying to get you to put your username, your login password so they might load some spyware on the device,” D’Angelo said during Federal News Network’s Cloud Exchange. “Once they have those credentials, then they’re free to move inside the network. Oftentimes, it’s difficult to identify exactly where that attack came from. But when they’re in there and can create a whole host of problems.”

D’Angelo said as agencies move more and more data and applications to the cloud, they have to rethink how they can improve their data protections. He said any device that attaches to the network must be authorized, authenticated and secure in and of itself.

“There are things agencies can do to protect their data in the cloud. They can adopt technologies like cloud access security broker for commercial software applications and zero trust network access for legacy systems, and then effectively looking at a data loss prevention (DLP) wrapper are really good things that I think you’re going to see come out of this executive order and that you’re going to see agencies move there even more quickly,” he said.

Now that agencies are doing a better job providing access to a remote workforce, D’Angelo said these shifts…


Traffic Exchange Networks Distributing Malware Disguised as Cracked Software



An ongoing campaign has been found to leverage a network of websites acting as a “dropper as a service” to deliver a bundle of malware payloads to victims looking for “cracked” versions of popular business and consumer applications.

“These malware included an assortment of click fraud bots, other information stealers, and even ransomware,” researchers from cybersecurity firm Sophos said in a report published last week.

The attacks work by taking advantage of a number of bait pages hosted on WordPress that contain “download” links to software packages, which, when clicked, redirect the victims to a different website that delivers potentially unwanted browser plug-ins and malware, such as installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners that masquerade as antivirus solutions.

“Visitors who arrive on these sites are prompted to allow notifications. If they allow this to happen, the websites repeatedly issue false malware alerts,” the researchers said. “If the users click the alerts, they’re directed through a series of websites until they arrive at a destination that’s determined by the visitor’s operating system, browser type, and geographic location.”


Using techniques like search engine optimization, links to the websites appear at the top of search results when individuals search for pirated versions of a wide range of software apps. The activities, considered to be the product of an underground marketplace for paid download services, allow entry-level cyber actors to set up and tailor their campaigns based on geographical targeting.

Traffic exchanges, as the distribution infrastructure is also called, typically require a Bitcoin payment before affiliates can create accounts on the service and begin distributing installers, with sites like InstallBest offering advice on “best practices,” such as recommending against using Cloudflare-based hosts for downloaders, as well as using URLs within Discord’s CDN, Bitbucket, or other cloud platforms.


On top of that, the researchers also found some of the services that act as “go-betweens” to established malvertising networks that pay website publishers for…


Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs – Security


Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn.

ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Security vendor Sophos observed that Conti affiliates appear to have sped up their attacks considerably, deploying ransomware in just a few hours instead of waiting for weeks.

The ransomware criminals install multiple webshells on Exchange Servers, and quickly obtain domain administrator credentials for full network mapping and takeover, Sophos said.

In one attack, the Conti affiliates installed two webshells, the Cobalt Strike penetration testing tool, and the AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access software.

Sophos added that within 48 hours of initial access to the victim’s networks, the Conti criminals had exfiltrated large amounts of data.

Five days after the initial intrusion, the Conti affiliates would deploy the ransomware, targeting network shares in particular, to encrypt the victim’s computers.

Sophos advised Exchange Server operators to patch their software as soon as possible, as the threat of further attacks is extremely high.


US officials, experts fear China ransacked Exchange servers for data to train AI systems • The Register


In brief: The massive attack on Microsoft Exchange servers in March may have been China harvesting information to train AI systems, according to US government officials and computer-security experts who talked to NPR.

The plundering of these Exchange systems was attributed to Chinese government cyber-spies known as Hafnium; Beijing denied any involvement.

It’s said the crew exploited four zero-days in Redmond’s mail software in a chain to hijack the servers and siphon off data. And what started small turned into what Chang Kawaguchi, CISO for Microsoft 365, told NPR this month was the fastest scale-up of a cyber-attack he’d ever seen.

US government officials, and those in the infosec industry, are apparently concerned that, given the wide range of organizations targeted – from big biz to shops, dentists, and schools – the Chinese government could be trying to train machine-learning systems on mountains of Americans’ messages, calendars, and files.

And this Exchange harvesting is on top of the huge databases of personal information already swiped from the US government and the private sector.

“The Chinese have more data than we have on ourselves,” William Evanina, a former director of the National Counterintelligence and Security Center, was quoted as saying.

“So you have the OPM data breach,” he continued, “you have an entire security clearance file for someone, you have Anthem records, you have his Marriott point record, credit cards, Equifax, his loans, his mortgages, his credit score. They know everything about you before they even bump you on a cruise or on a vacation.”

Evanina spoke more on the threat from China here [PDF] before the Senate intelligence committee at the start of August, if you’re interested.

We hope you’ve patched ProxyToken, aka CVE-2021-33766, in July’s Patch Tuesday patch from Microsoft for Exchange…
