Tag Archive for: Protocol

CheckMate ransomware targets popular file-sharing protocol


The CheckMate ransomware operators have been targeting the Server Message Block (SMB) communication protocol used for file sharing to compromise their victims’ networks.

Unlike most ransomware campaigns, CheckMate, discovered in 2022, has kept a low profile throughout its operations. To the best of our knowledge, it does not operate a data leak site.

That’s quite unusual for a ransomware campaign since many prominent gangs brag about big targets and post them as victims on their data leak sites. They do this to raise the pressure for a victim to pay the ransom.

Cybernews researchers have recently detected new CheckMate activity: the gang has been actively targeting weakly protected SMB shares.

After gaining access to a share, the threat actors encrypt every file on it and leave a ransom note demanding payment in exchange for the decryption key.
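The "weakly protected" shares the article refers to are typically the ones that allow guest or anonymous access, are writable by anyone who can reach them, or still speak SMB1. The following auditor, added here as an example and not part of the Cybernews research, reads a Samba smb.conf and reports those conditions; the two configurations it checks are constructed for illustration, with a deliberately weak share next to a sound one.

```python
"""Audit a Samba smb.conf for share settings that let an intruder walk in over SMB:
guest/anonymous access, writable guest shares and SMB1 left enabled.
Added example (Python standard library only), not code from the article.
The configuration text below is constructed for illustration."""
import configparser

# Constructed smb.conf with one deliberately weak share next to a sound one.
WEAK_SMB_CONF = """
[global]
   workgroup = CORP
   security = user
   map to guest = Bad User
   server min protocol = NT1

[public]
   path = /srv/public
   guest ok = yes
   read only = no

[finance]
   path = /srv/finance
   valid users = @finance
   read only = no
"""

# Same server with guest mapping off, SMB1 refused and no anonymous share.
HARDENED_SMB_CONF = """
[global]
   workgroup = CORP
   security = user
   map to guest = Never
   server min protocol = SMB3
   server signing = mandatory

[finance]
   path = /srv/finance
   valid users = @finance
   read only = no
"""

TRUE_VALUES = {"yes", "true", "1"}                       # Samba boolean spellings
SMB1_NAMES = {"nt1", "core", "coreplus", "lanman1", "lanman2"}  # SMB1-era dialects


def _parse(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like: '#' and ';' comments, case-insensitive keys with spaces.
    cfg = configparser.ConfigParser(
        interpolation=None, strict=False, inline_comment_prefixes=("#", ";")
    )
    cfg.read_string(text)
    return cfg


def _is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def audit_smb_conf(text: str) -> list:
    """Return (share, finding) tuples; an empty list means no weak setting was found."""
    cfg = _parse(text)
    findings = []
    glob = cfg["global"] if cfg.has_section("global") else {}

    # SMB1 has no mandatory signing or encryption; Samba 4.11+ disables it by default.
    min_proto = glob.get("server min protocol", "SMB2_02").strip().lower()
    if min_proto in SMB1_NAMES:
        findings.append(("global", f"SMB1 dialect allowed: server min protocol = {min_proto}"))

    # 'map to guest = Bad User' silently turns failed logons into guest sessions.
    if glob.get("map to guest", "Never").strip().lower() != "never":
        findings.append(("global", "failed logons are mapped to guest"))

    if glob.get("security", "user").strip().lower() == "share":
        findings.append(("global", "share-level security (no per-user authentication)"))

    for share in cfg.sections():
        if share == "global":
            continue
        sec = cfg[share]
        guest = _is_true(sec.get("guest ok", "no")) or _is_true(sec.get("public", "no"))
        # 'read only = no' and 'writable = yes' are synonyms in Samba.
        writable = (not _is_true(sec.get("read only", "yes"))) or _is_true(sec.get("writable", "no"))
        if guest and writable:
            findings.append((share, "anonymous users can write to this share"))
        elif guest:
            findings.append((share, "anonymous users can read this share"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{name}: {audit_smb_conf(conf)}")
```

A writable guest share is exactly the target described above: an attacker who can reach TCP 445 needs no credentials to encrypt its contents. On Windows file servers the equivalent checks are whether the Guest account is enabled, whether "Everyone" has Change on the share, and whether SMB1 is still installed.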

Gang linked to Russia

The ransomware gang is known to operate the Kupidon, Mars, and CheckMate ransomware families. All three strains were discovered in 2021-22 and are believed to be of Russian origin.

According to Cybernews researchers, the impact of ransomware can be significant and wide-ranging. Risks to victims include:

  • Financial loss
  • Data loss
  • Disruption of business operations
  • Reputation damage
  • Spread of malware
  • Legal and regulatory consequences

While we don’t have enough information to state the average ransom the gang demands from its victims, the publicly shared ransom notes we have seen suggest its demands are relatively modest: the typical amount demanded is around $15,000 for the decryptor.

That’s a relatively small demand by usual standards. According to the recent report by the cybersecurity firm Coveware, average ransom payments during the last quarter of 2022 were over $400,000.

The Cybernews investigation identified crypto wallet addresses associated with the CheckMate operators and found thousands of incoming transactions in the first quarter of 2023. However, we can’t say with certainty that those transactions came from CheckMate’s victims.

CheckMate transactions

Last year, QNAP, a network-attached storage (NAS) vendor, warned customers about the CheckMate ransomware activity going after internet-exposed SMB…

Source…

NSA Publishes Internet Protocol Version 6 (IPv6) Security Guidance


The National Security Agency (NSA) published guidance today to help Department of Defense (DoD) and other system administrators identify and mitigate security issues associated with a transition to Internet Protocol version 6 (IPv6).

“IPv6 Security Guidance” highlights how several security issues can surface in networks that are new to IPv6, or in the early phases of the IPv6 transition. Networks new to IPv6 lack maturity in IPv6 configurations and tools, and dual-stacked networks, which run IPv4 and IPv6 simultaneously, have an increased attack surface.

“The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years and many DoD networks will be dual-stacked,” said Neal Ziring, NSA Cybersecurity Technical Director. “It’s important that DoD system admins use this guidance to identify and mitigate potential security issues as they roll out IPv6 support in their networks.”

Read more at NSA

Source…

Transport Layer Security (TLS): Issues & Protocol


Transport Layer Security (TLS) is the successor to the now-deprecated Secure Sockets Layer (SSL) protocol. Because of multiple vulnerabilities in SSL, organizations needed a more robust protocol to keep pace with the growing number of web-based technologies. TLS also gained companion mechanisms such as STARTTLS (RFC 2595 for IMAP and POP3), which let a client upgrade a plaintext session on a protocol's standard port to an encrypted one instead of requiring a separate SSL-only port. This enables secure communication over a wide range of ports and protocols.

This has led to TLS becoming the standard practice for transmitting data between web clients and servers. This cryptographic protocol secures your data with a layer of encryption as it is transmitted over the internet.

While TLS provides enhanced security in most situations, it is still targeted by cybercriminals trying to gain access to an organization’s confidential data. It is important to learn how malicious actors use TLS to introduce malware, how these attacks infiltrate environments—with references to some well-known examples—and how Trend Micro Cloud One™ – Workload Security uses zero-config TLS inspection across data to protect your organization from malicious actors.

Various TLS Attack Methods

TLS is used to encrypt web and email communications, giving you an advantage over cybercriminals looking to access your data in transit. Because the traffic is encrypted, there is a high chance that it is not being inspected by network security controls. This creates an attack vector: malware and command-and-control traffic can ride the encrypted channel into and out of your network without being blocked.

It is important to shine a light on the most notable TLS attacks and explore up-to-the-minute solutions.

Man-in-the-Middle (MITM) Attacks

In this attack, a malicious party “listens in” on communications between two parties who believe they are talking directly to each other. It compromises data in both directions: the interceptor can read the traffic and can also modify it or inject data of its own.
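What makes a TLS man-in-the-middle possible in practice is usually not a break of the cryptography but a client that does not verify who it is talking to. The example below, added here and not code from the Trend Micro article, puts the weak client configuration next to the hardened one and includes a small auditor that reports why a given context would accept an interceptor's certificate. It uses only the Python standard library and opens no connections.

```python
"""Weak and hardened TLS client contexts side by side, plus an auditor.
A client that disables certificate or hostname verification will complete a
handshake with a man-in-the-middle without complaint; these are the settings
that make interception work.  Added example (Python stdlib only), not code
from the article."""
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The pattern that enables MITM: any certificate, any name, old TLS allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # accept the interceptor's certificate unchecked
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # permit downgrade to TLS 1.0
    except (ValueError, ssl.SSLError):
        pass  # some OpenSSL builds refuse TLS 1.0 outright; the context is weak regardless
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verify the chain against trusted roots, check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings describing why a context would not detect an interceptor."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"downgrade allowed: minimum_version = {ctx.minimum_version.name}")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The order of the two assignments in the insecure context is deliberate: Python refuses to set CERT_NONE while check_hostname is still true, so code that "just disables verification" has to switch off the hostname check first, which is a useful grep target when reviewing client code.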

An example of a MITM attack is active eavesdropping. By taking advantage of a weakened network, often unsecured based on lack of a firewall or due to using a device outside of a professionally-managed environment,…

Source…

New Windows Search zero-day added to Microsoft protocol nightmare


A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document.

The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device.

While most Windows searches will look on the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.

For example, the popular Sysinternals toolset allows you to remotely mount live.sysinternals.com as a network share to launch their utilities. To search this remote share and list only files matching a particular name, you could use the following ‘search-ms’ URI:

search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals

As you can see from the command above, the search-ms ‘crumb’ variable specifies the location to search, and the ‘displayname’ variable specifies the search title.

A customized search window will appear when this command is executed from a Run dialog or web browser address bar on Windows 7, Windows 10, and Windows 11, as shown below.

Windows Search on a remote file share (Source: BleepingComputer)

Notice how the window title is set to the ‘Searching Sysinternals’ display name we specified in the search-ms URI.

Threat actors could use this same approach for malicious attacks, where phishing emails are sent pretending to be security updates or patches that need to be installed.

They can then set up a remote Windows share that can be used to host malware disguised as security updates and then include the search-ms URI in their phishing attachments or emails.
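Because the lure is entirely contained in the search-ms URI, the parameters it carries are worth triaging in mail and document scanning. The parser below, added here as an example and not code from the BleepingComputer article, decodes a search-ms URI, extracts every location crumb and flags those that point Windows Search at a remote host (UNC path or URL) rather than the local index, together with the window title the victim would see. The first sample URI is the Sysinternals one quoted above; the other two are constructed.

```python
"""Triage 'search-ms:' URIs: flag those whose location crumb points at a
remote host, the phishing pattern described in the article.  Added example
(Python stdlib only), not code from the article; sample URIs other than the
Sysinternals one are constructed (192.0.2.10 is a documentation address)."""
from urllib.parse import unquote

SAMPLE_URIS = [
    # Quoted from the article: Sysinternals live share
    "search-ms:query=proc&crumb=location:%5C%5Clive.sysinternals.com&displayname=Searching%20Sysinternals",
    # Constructed: a benign search of a local folder
    "search-ms:query=invoice&crumb=location:C%3A%5CUsers&displayname=Local%20Search",
    # Constructed: the lure shape, remote share with a reassuring title
    "search-ms:query=*.exe&crumb=location:%5C%5C192.0.2.10%5Cupdates&displayname=Critical%20Windows%20Update",
]


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms URI into percent-decoded parameters.

    'crumb' may repeat, so every occurrence is kept in a list under 'crumb'.
    """
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    params = {"crumb": []}
    for part in uri[len("search-ms:"):].split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        value = unquote(value)
        if key.lower() == "crumb":
            params["crumb"].append(value)
        else:
            params[key.lower()] = value
    return params


def remote_locations(params: dict) -> list:
    """Location crumbs that make Windows Search reach out to another host."""
    remote = []
    for crumb in params["crumb"]:
        name, _, value = crumb.partition(":")   # e.g. 'location:\\\\host\\share'
        if name.strip().lower() != "location":
            continue
        loc = value.strip()
        # UNC (\\host\share), forward-slash UNC, and http(s)/WebDAV locations are remote;
        # a drive-letter path such as C:\Users is local.
        if (loc.startswith("\\\\") or loc.startswith("//")
                or loc.lower().startswith(("http://", "https://"))):
            remote.append(loc)
    return remote


def triage(uri: str) -> dict:
    """Verdict for one URI: remote targets and the title the victim would see."""
    params = parse_search_ms(uri)
    remote = remote_locations(params)
    return {
        "remote": remote,
        "displayname": params.get("displayname", ""),
        "suspicious": bool(remote),
    }


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(triage(uri))
```

A displayname that impersonates a security update combined with a remote location crumb is the combination to alert on; a remote crumb alone also appears in legitimate uses such as the Sysinternals share, so the title and the sender context decide the verdict.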

However, it would not be easy to get a user to click on a URL like this, especially when it displays a warning, as shown below.

Browser warning when launching URI protocol handlers (Source: BleepingComputer)

But Hacker House co-founder and security researcher Matthew Hickey found a way by combining a newly discovered Microsoft Office OLEObject flaw with the search-ms protocol handler to open a remote search window simply by…

Source…