Tag Archive for: Wave

Palo Alto’s Unit 42 team reveals new wave of PAN-OS firewall hack attempts


PAN-OS firewalls are facing an “increasing number of attacks”, though so far, signs of active command execution are rare.

Palo Alto’s PAN-OS firewalls are coming under increasing attack following the company’s disclosure of a command injection vulnerability on 12 April.

A few days later, the Australian Signals Directorate’s Australian Cyber Security Centre circulated a critical alert over the vulnerability, warning Australian organisations using Palo Alto’s firewalls to “act now” to mitigate the vulnerability, while Palo Alto said it was working on a hotfix.

Now, Palo Alto’s Unit 42 has shared more details of how the vulnerability – CVE-2024-3400, which could allow a threat actor to run arbitrary code on affected PAN-OS firewalls – is being actively exploited.

Unit 42 has broken the exploitation attempts down into four discrete levels, ordered by how far the attacker got.

At level zero, threat actors are simply probing customer networks and failing to gain any access. Unit 42 expects these attempts to have “little to no immediate impact” on organisations, and applying the available hotfix should remedy the situation.

Unit 42 rates level one as threat actors actively testing the vulnerability. In this case, “a zero-byte file has been created and is resident on the firewall. However, there is no indication of any known unauthorised command execution.”

Again, applying Palo Alto’s hotfix should do the trick.

In both cases, Unit 42 believes resetting the impacted device is unnecessary, as there is no indication of active compromise or data exfiltration.

At level two, however, Unit 42 is beginning to see “potential exfiltration” of data.

“A file on the device has been copied to a location accessible via a web request, though the file may or may not have been subsequently downloaded,” Unit 42 said in a blog post. “Typically, the file we have observed being copied is running_config.xml.”

Unit 42’s advice in this case is to both install the hotfix and perform a private data reset.

“Private data reset clears all logs and reverts the configuration to factory defaults,” Unit 42 said. “The system will restart…
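The three levels quoted so far map cleanly from observable evidence (probe attempts in logs, a zero-byte file on the device, a copy of the configuration under a web-served directory) to the remediation Unit 42 gives for each. The following triage helper, an added example for this page and not code from Palo Alto Networks or Unit 42, makes that mapping explicit. It assumes the analyst supplies an `ls -l` style listing scoped to the directories under review (zero-byte files are common elsewhere on any system), and the web-served directory names in `WEB_ACCESSIBLE_DIRS`, the file names and the sample listings are all constructed; the article does not name the paths involved.

```python
"""Evidence-to-level triage for the Unit 42 levels quoted above.

Added example, not Unit 42's or Palo Alto Networks' code.  Assumptions not
stated in the article: the input is an `ls -l` listing (full paths in the
last column) scoped to the directories under review, WEB_ACCESSIBLE_DIRS
holds hypothetical names for the web-served directories, and the sample
listings are constructed.  The article describes level 2 as a file copied
to a web-accessible location, typically running_config.xml, so this helper
flags any copy of that file under those directories.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical web-served directories; the real paths on a PAN-OS device are
# not given in the article and must be supplied by the analyst.
WEB_ACCESSIBLE_DIRS = ("/var/www/portal/", "/var/www/sslvpn/")
EXPOSED_FILE = "running_config.xml"

# `ls -l` line: perms links owner group size Mon DD HH:MM path
LISTING_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int


def parse_listing(listing: str) -> list[FileEntry]:
    """Parse `ls -l` output into (path, size) entries; reject unknown lines."""
    entries = []
    for raw in listing.strip().splitlines():
        m = LISTING_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"unrecognised listing line: {raw!r}")
        entries.append(FileEntry(m.group("path"), int(m.group("size"))))
    return entries


def triage(entries: list[FileEntry], probe_attempts: int) -> tuple[int | None, str]:
    """Return (level, remediation) for the evidence, most severe level first.

    Checking from level 2 downwards means a device showing several indicators
    is reported at its highest level, which is what drives the reset decision.
    """
    exposed = [e for e in entries
               if e.path.startswith(WEB_ACCESSIBLE_DIRS)
               and e.path.rsplit("/", 1)[-1] == EXPOSED_FILE]
    zero_byte = [e for e in entries if e.size == 0]

    if exposed:
        return 2, ("potential exfiltration: apply the hotfix and perform a "
                   "private data reset (clears logs, reverts config to defaults)")
    if zero_byte:
        return 1, "vulnerability tested: apply the hotfix; no reset required"
    if probe_attempts > 0:
        return 0, "probing only: apply the hotfix; no reset required"
    return None, "no exploitation indicators in this evidence; apply the hotfix anyway"


# Constructed sample listings (not real device output).
LEVEL1_LISTING = """
-rw-r--r-- 1 root root    0 Apr 14 03:12 /var/www/portal/css/poc.txt
-rw-r--r-- 1 root root 4096 Apr 14 03:12 /var/www/portal/css/style.css
"""
LEVEL2_LISTING = """
-rw-r--r-- 1 root root    0 Apr 14 03:12 /var/www/portal/css/poc.txt
-rw-r--r-- 1 root root 8813 Apr 14 03:14 /var/www/portal/css/running_config.xml
"""
CLEAN_LISTING = """
-rw-r--r-- 1 root root 4096 Apr 13 22:01 /var/www/portal/css/style.css
"""

if __name__ == "__main__":
    for name, listing in (("level 1", LEVEL1_LISTING), ("level 2", LEVEL2_LISTING),
                          ("clean", CLEAN_LISTING)):
        print(name, "->", triage(parse_listing(listing), probe_attempts=3))
```

The level 2 check is deliberately the only one tied to a file name: a zero-byte file anywhere in the reviewed directories is enough for level 1, and the analyst should widen `WEB_ACCESSIBLE_DIRS` to every directory the device serves over HTTP before trusting a level 0 or 1 result.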

Source…

WatchGuard Threat Lab Analysis Shows Surge in Evasive Malware Supercharging an Already Powerful Threat Wave


Notable findings from the research also show resurgence of living-off-the-land attacks, continued cyberattack commoditization, and ransomware decline

SEATTLE, March 27, 2024 (GLOBE NEWSWIRE) — WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the findings of its latest Internet Security Report, detailing the top malware trends and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers. Key findings from the data show a dramatic surge in evasive malware that fueled a large increase in total malware, threat actors targeting on-premises email servers, and ransomware detections continuing to decline, potentially as a result of law enforcement’s international takedown efforts against ransomware extortion groups.

“The Threat Lab’s latest research shows threat actors are employing various techniques as they look for vulnerabilities to target, including in older software and systems, which is why organizations must adopt a defense-in-depth approach to protect against such threats,” said Corey Nachreiner, chief security officer at WatchGuard. “Updating the systems and software on which organizations rely is a vital step toward addressing these vulnerabilities. Additionally, modern security platforms that are operated by managed service providers can deliver the comprehensive, unified security that organizations need and enable them to combat the latest threats.”

Among the key findings, the latest Internet Security Report featuring data from Q4 2023 showed:

  • Evasive, basic, and encrypted malware all increased in Q4, fueling a rise in total malware. The average malware detections per Firebox rose 80% from the previous quarter, illustrating a substantial volume of malware threats arriving at the network perimeter. Geographically, most of the increased malware instances affected the Americas and Asia-Pacific.

  • TLS and zero-day malware instances also rise. Approximately 55% of malware arrived over encrypted connections, which was a 7% increase from Q3. Zero-day malware detections jumped to 60% of all malware detections, up from 22% the previous quarter. However, zero-day malware detections with TLS…

Source…

Remcos RAT Spreading Through Adult Games in New Attack Wave


Jan 16, 2024 | Newsroom | Botnet / Malware


The remote access trojan (RAT) known as Remcos RAT has been found being propagated via webhards by disguising it as adult-themed games in South Korea.

WebHard, short for web hard drive, is a popular online file storage system used to upload, download, and share files in the country.

While webhards have been used in the past to deliver njRAT, UDP RAT, and DDoS botnet malware, the AhnLab Security Emergency Response Center’s (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT.


In these attacks, users are tricked into opening booby-trapped files passed off as adult games. When launched, the files execute malicious Visual Basic scripts that run an intermediate binary named “ffmpeg.exe.”

This results in the retrieval of Remcos RAT from an actor-controlled server.
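The chain described above (a Visual Basic script, run by a script host, launching a binary named ffmpeg.exe that then reaches out to a remote server) is a process-lineage pattern that endpoint telemetry can catch without a file hash. The detector below is an added example for this page, not ASEC's detection content or anything from the article; the event shape (Sysmon-style process-creation and network-connection records as dicts keyed on a process GUID), the paths, and the 203.0.113.0/24 addresses (a documentation range) in the sample events are all constructed.

```python
"""Lineage detection for the delivery chain described above.

Added example, not ASEC's code.  Assumptions: events are dicts shaped like
Sysmon process-creation and network-connection records, correlated on a
process GUID; SAMPLE_EVENTS and every host, path and address in it are
constructed for illustration and are not from the article.
"""
from __future__ import annotations

from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows hosts that run .vbs
DROPPER_NAME = "ffmpeg.exe"                     # intermediate binary named by ASEC


def basename(path: str) -> str:
    """Last path component, case-folded, for either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per ffmpeg.exe process that a script host started.

    Correlation uses the process GUID rather than the PID because PIDs are
    reused; Sysmon carries a GUID in both event types.  Severity is 'high'
    when the same process later opens a network connection (the download
    stage in the article) and 'medium' when only the lineage is seen.
    """
    candidates: dict[str, dict] = {}
    connections: dict[str, list[dict]] = defaultdict(list)

    for ev in events:
        if ev["type"] == "process_create":
            if (basename(ev["image"]) == DROPPER_NAME
                    and basename(ev["parent_image"]) in SCRIPT_HOSTS):
                candidates[ev["process_guid"]] = ev
        elif ev["type"] == "network_connect":
            connections[ev["process_guid"]].append(ev)

    alerts = []
    for guid, ev in candidates.items():
        conns = connections.get(guid, [])
        alerts.append({
            "process_guid": guid,
            "image": ev["image"],
            "parent_image": ev["parent_image"],
            "severity": "high" if conns else "medium",
            "destinations": [f"{c['dest_ip']}:{c['dest_port']}" for c in conns],
        })
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Explorer launches the script host itself: not the pattern, not flagged.
    {"type": "process_create", "process_guid": "g1",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Script host starts a user-writable ffmpeg.exe ...
    {"type": "process_create", "process_guid": "g2",
     "image": r"C:\Users\Public\Games\ffmpeg.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    # ... which then connects out: high severity.
    {"type": "network_connect", "process_guid": "g2",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # A real ffmpeg started from a shell, with network activity: not flagged.
    {"type": "process_create", "process_guid": "g3",
     "image": r"C:\Program Files\ffmpeg\bin\ffmpeg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network_connect", "process_guid": "g3",
     "dest_ip": "203.0.113.20", "dest_port": 80},
    # Script host starts ffmpeg.exe but no connection observed: medium.
    {"type": "process_create", "process_guid": "g4",
     "image": r"C:\Users\alice\AppData\Local\Temp\ffmpeg.exe",
     "parent_image": r"C:\Windows\System32\cscript.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["destinations"])
```

The parent check is the load-bearing part: matching on the name ffmpeg.exe alone would fire on every legitimate media install, whereas a script host spawning a binary by that name is rare enough to be worth an analyst's time, and the network correlation separates a dropper that has already pulled its payload from one that was stopped early.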


A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enabling threat actors to exfiltrate sensitive data.

Although originally marketed by the Germany-based firm Breaking Security in 2016 as a bona fide remote administration tool, the malware has since become a potent weapon wielded by adversaries to infiltrate systems and establish unfettered control.


“Remcos RAT has evolved into a malicious tool employed by threat actors across various campaigns,” Cyfirma noted in an analysis in August 2023.

“The malware’s multifunctional capabilities, including keylogging, audio recording, screenshot capture, and more, highlight its potential to compromise user privacy, exfiltrate sensitive data, and manipulate systems. The RAT’s ability to disable User Account Control (UAC) and establish persistence further amplifies its potential impact.”


Source…

Rising Wave of Hacking Attempts Targeting Sensitive Data on NHIS Servers


The number of hacking attempts from abroad targeting the health insurance server, which contains personal, financial, and medical information, is on a steep rise. (Image courtesy of Yonhap)

SEOUL, Oct. 19 (Korea Bizwire) – The number of hacking attempts from abroad targeting the health insurance server, which contains personal, financial, and medical information, is on a steep rise.

According to data from the National Health Insurance Service (NHIS) on Wednesday, cyberattacks on NHIS servers have been on the rise since the NHIS implemented in-house security control in 2019. 

The number of cyberattack attempts detected by the NHIS over the past five years amounted to 1,781 in 2019, 3,684 in 2020, 3,489 in 2021, 8,429 in 2022, and 8,448 cases so far this year. 

At 98.3 percent, almost all of the cyberattack attempts originated from abroad. By country, China had the largest share, followed by the U.S., the Netherlands, and Germany. Attempts from North Korea are not counted in these figures because North Korean IP addresses are blocked upstream at the NHIS communication server before they reach the monitored systems.

Approximately 64.3 percent of the cyberattack attempts occurred outside official working hours. According to the NHIS, all detected attempts were blocked, and no data breach has occurred to date.

The NHIS handles personal information, including ID numbers, financial information such as cards and accounts, and medical information, including medical checkups and recuperation allowances for 57 million individuals. 

To cope with the increase in cyberattacks and advancements in hacking techniques, the NHIS is working on several countermeasures, including expanding dedicated staff, mobilizing a multi-layered defense system, and operating a segregated Internet network.

Kevin Lee


Source…