
Malware infecting widely used security appliance survives firmware updates – Ars Technica



Threat actors with a connection to the Chinese government are infecting a widely used security appliance from SonicWall with malware that remains active even after the device receives firmware updates, researchers said.

SonicWall’s Secure Mobile Access 100 is a secure remote access appliance that helps organizations securely deploy remote workforces. Customers use it to grant granular access controls to remote users, provide VPN connections to organization networks, and set unique profiles for each employee. The access the SMA 100 has to customer networks makes it an attractive target for threat actors.

In 2021, the device came under attack by sophisticated hackers who exploited what was then a zero-day vulnerability. Security appliances from Fortinet and Pulse Secure have come under similar attacks in recent years.

Gaining long-term persistence inside networks

On Thursday, security firm Mandiant published a report that said threat actors with a suspected nexus to China were engaged in a campaign to maintain long-term persistence by running malware on unpatched SonicWall SMA appliances. The campaign was notable for the ability of the malware to remain on the devices even after they received firmware updates.

“The attackers put significant effort into the stability and persistence of their tooling,” Mandiant researchers Daniel Lee, Stephen Eckels, and Ben Read wrote. “This allows their access to the network to persist through firmware updates and maintain a foothold on the network through the SonicWall Device.”

To achieve this persistence, the malware checks for available firmware upgrades every 10 seconds. When an update becomes available, the malware copies the archived file for backup, unzips it, mounts it, and then copies the entire package of malicious files to it. The malware also adds a backdoor root user to the mounted file. Then, the malware rezips the file so it’s ready for installation.
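One check a defender can run against an update package before it is applied, as an added example written for this page rather than SonicWall's or Mandiant's tooling: compare the archive against a known-good manifest of file hashes and look for a second uid-0 account, which are exactly the two changes described above. It simplifies the format (the update is treated as a plain zip of the root filesystem rather than an image that is mounted), every path, daemon name and passwd entry in it is constructed, and the manifest is assumed to come from a trusted out-of-band source such as a vendor-signed release rather than from the package itself.

```python
import hashlib
import io
import zipfile


def parse_passwd(text):
    """Return (username, uid) for every well-formed line of a passwd file."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users.append((fields[0], int(fields[2])))
    return users


def audit_update(archive_bytes, manifest):
    """Compare an update archive against a trusted manifest of SHA-256 hashes.

    manifest maps every member path the vendor shipped to its hex digest.
    Returns a dict of findings; all four lists empty means the archive is
    exactly what the manifest describes.
    """
    findings = {"added": [], "modified": [], "missing": [], "rogue_root": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = {info.filename: zf.read(info.filename)
                   for info in zf.infolist() if not info.is_dir()}
    for name, data in members.items():
        if name not in manifest:
            findings["added"].append(name)          # file the vendor never shipped
        elif hashlib.sha256(data).hexdigest() != manifest[name]:
            findings["modified"].append(name)       # shipped file, changed content
    findings["missing"] = [name for name in manifest if name not in members]
    passwd = members.get("etc/passwd")
    if passwd is not None:
        for user, uid in parse_passwd(passwd.decode("utf-8", "replace")):
            if uid == 0 and user != "root":         # a second uid-0 account is a backdoor
                findings["rogue_root"].append(user)
    return findings


def build_archive(files):
    """Zip a {path: bytes} tree into memory (stands in for a vendor image)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed vendor image and its manifest; paths and contents are invented.
CLEAN_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534::/:/bin/false\n",
    "usr/sbin/vpnd": b"\x7fELF placeholder for the appliance daemon",
    "etc/init.d/rc.local": b"#!/bin/sh\n/usr/sbin/vpnd &\n",
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in CLEAN_FILES.items()}

# The same image after the tampering the article describes: an implant dropped
# into the tree, the init script edited to start it, and an extra uid-0 user.
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["usr/sbin/.netd"] = b"\x7fELF placeholder for the implant"
TAMPERED_FILES["etc/init.d/rc.local"] += b"/usr/sbin/.netd &\n"
TAMPERED_FILES["etc/passwd"] += b"backup:x:0:0::/:/bin/sh\n"


def check_clean():
    return audit_update(build_archive(CLEAN_FILES), MANIFEST)


def check_tampered():
    return audit_update(build_archive(TAMPERED_FILES), MANIFEST)


if __name__ == "__main__":
    print("clean   :", check_clean())
    print("tampered:", check_tampered())
```

A manifest the attacker can rewrite defeats the check, which is why it has to be obtained separately from the package the malware has already had its hands on; a vendor signature over the whole archive, verified before anything is unpacked or mounted, closes the same gap more directly.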

“The technique is not especially sophisticated, but it does show considerable effort on the part of the attacker to understand the appliance update cycle, then develop and test a method for persistence,” the researchers wrote.

The persistence techniques…

Source…

74% of employees in South Africa say that robots should be more widely used in production, but fear robot hacking



According to Kaspersky (www.Kaspersky.co.za) research, employees in South Africa believe that the better robots become at different tasks, the fewer jobs will remain for humans. The majority of local employees surveyed (74%) believe that robots should be more widely used across different industries; however, many fear robot hacking.

Today robotics are used together with industrial control systems and other information technology to handle production processes, replacing manual labour and improving efficiency, speed, quality and performance. Kaspersky conducted a study to learn the opinion of employees of manufacturing companies and other large organisations around the world about the consequences of automation and increased use of robots. The goal was to see what employees think about the security of robots and automated systems in their companies. The survey included respondents from Saudi Arabia, UAE, Turkey, Egypt, and South Africa.

Employees reported an increase in the level of robotisation in their companies over the last two years. 33% of employees from South Africa said their organisations already use robots, and 39% of local organisations plan to use them in the near future.

Research showed that people expect job losses because of robotisation: the better robots become at different tasks, the fewer jobs will remain for humans. The majority of employees surveyed in South Africa (92%) believe robots will eventually replace humans in their industry. As robots advance across all market sectors, humans need to acquire new knowledge and skills to avoid losing their jobs to robots. And they are ready to do so: among those who think their jobs could be replaced by robots, the majority (75%) are willing to learn new skills or improve their existing skills and expertise.

At the same time, many employees remain optimistic even as robots take over jobs. They think robot adoption will make human roles safer and more intellectually demanding, along with increasing the efficiency of production. 48% believe that enough new jobs will be created to offset the jobs lost to robots. More jobs will emerge for programmers, data scientists, and engineers – these people will drive robot adoption in the…

Source…

Widely Used Bitcoin ATMs Have Major Security Flaws, Researchers Warn



A man using a General Bytes cryptocurrency ATM in Palma de Mallorca, Spain in August 2021.
Photo: Carlos Alvarez (Getty Images)

Many of the Bitcoin ATMs that have popped up everywhere from gas stations and smoke shops to bars and malls across the U.S. have major security vulnerabilities that render them susceptible to hackers, according to a new report by security researchers with crypto exchange Kraken.

The website howmanybitcoinatms.com estimates there are over 42,000 active Bitcoin ATMs across the U.S., a massive surge from January 2021, when Reuters reported the site listed 28,000. Such ATMs allow users to buy cryptocurrency with cash or credit (though not always the reverse) and process sensitive financial data. Unlike when dealing with regular ATMs operated by banks, the distributed nature of cryptocurrency networks and a lack of regulations mean customers are likely to have less recourse if something goes disastrously wrong. Moreover, target markets for the devices include people who keep money in cryptocurrency rather than banks and people who don’t want their transfers to attract attention, whether for legitimate purposes or otherwise. Many are also located in dicey locations like liquor stores. Thus Bitcoin ATMs have been juicy targets for malware and scams in the past.

Kraken discovered a number of software and hardware flaws in the General Bytes BATMtwo (GBBATM2) model of ATM. Coin ATM Radar estimates the manufacturer has supplied nearly 23% of all crypto ATMs worldwide; in the U.S., that share is 18.5%, while in Europe it is 65.4%.

For example, owners have installed many GBBATM2 units without changing the default admin QR code that serves as a password, meaning that anyone who obtains that code could take control of the machine. Other issues Kraken reported include a lack of secure boot mechanisms, meaning an attacker could trick a GBBATM2 into running malicious code, and “critical vulnerabilities in the ATM management system.”

The QR code issue is particularly serious, Kraken’s researchers wrote, because they found that the default code is shared across units. This is a bit like buying a new computer and forgetting to change the password to something…

Source…

Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware


Threat actors are increasingly adopting Excel 4.0 documents as an initial-stage vector to distribute malware such as ZLoader and Qakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.


“The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules,” researchers from ReversingLabs said in a report published today.

Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), are a legacy feature kept in Microsoft Excel for backward compatibility. Microsoft warns in its support document that enabling all macros can cause “potentially dangerous code” to run.

Qakbot (aka QBot), under continuous development since its discovery in 2007, remains a notorious banking trojan capable of stealing banking credentials and other financial information, and has gained worm-like propagation features. Typically spread via weaponized Office documents, Qakbot variants can deliver other malware payloads, log user keystrokes, and even open a backdoor on compromised machines.


In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.
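An added triage routine, written for this page and not part of the ReversingLabs research, that pulls the indicators mentioned above out of an OOXML workbook: the presence of XLM macro sheets, sheets marked hidden or veryHidden, formulas that reach outside the spreadsheet (EXEC, CALL, REGISTER and similar), and long base64 runs stored in cell values. It handles only the zip-based .xlsm/.xlsx container, where Excel stores XLM sheets under xl/macrosheets/ and lists them in xl/workbook.xml; legacy binary .xls files keep XLM in BIFF records and need a parser such as oletools' olevba. The sample workbook is constructed in memory (enough structure for the triage, not a file Excel would open), and the function names are the example's own.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# XLM functions that run programs, load DLL exports or write files.
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA", "FOPEN", "FWRITE")
# A long unbroken base64 run in a cell is a common place to stash a payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def local_name(tag):
    """Strip the namespace from an ElementTree tag ('{ns}f' -> 'f')."""
    return tag.rsplit("}", 1)[-1]


def triage_workbook(xlsm_bytes):
    """Collect XLM indicators from an OOXML workbook held in memory."""
    report = {"macrosheets": [], "hidden_sheets": [],
              "suspicious_formulas": [], "base64_blobs": 0}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        names = zf.namelist()
        report["macrosheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
        if "xl/workbook.xml" in names:
            for sheet in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                if local_name(sheet.tag) == "sheet" and sheet.get("state") in ("hidden", "veryHidden"):
                    report["hidden_sheets"].append(sheet.get("name"))
        for name in report["macrosheets"]:
            # Cells are <c> with the formula in <f> and the cached value in <v> or <t>;
            # matching on local names keeps this independent of namespace prefixes.
            for el in ET.fromstring(zf.read(name)).iter():
                text = (el.text or "").strip()
                tag = local_name(el.tag)
                if tag == "f" and any(func + "(" in text.upper() for func in SUSPICIOUS_FUNCS):
                    report["suspicious_formulas"].append(text)
                elif tag in ("v", "t") and B64_RUN.search(text):
                    report["base64_blobs"] += 1
    return report


def is_suspicious(report):
    """Flag only when an XLM sheet is present together with at least one other indicator."""
    return bool(report["macrosheets"]) and bool(
        report["suspicious_formulas"] or report["hidden_sheets"] or report["base64_blobs"])


def build_workbook(with_macro):
    """Constructed minimal .xlsm container; sheet names and formulas are invented."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    if with_macro:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
    workbook = ('<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>'
                % (NS_MAIN, NS_R, sheets))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml",
                    '<worksheet xmlns="%s"><sheetData/></worksheet>' % NS_MAIN)
        if with_macro:
            # Stand-in for an encoded second stage; harmless text, not real malware.
            blob = base64.b64encode(b"constructed stand-in for an encoded second stage " * 3).decode()
            macro = ('<xm:macrosheet xmlns="%s" xmlns:xm="%s"><sheetData>'
                     '<row r="1"><c r="A1"><f>EXEC("notepad.exe")</f><v>1</v></c></row>'
                     '<row r="2"><c r="A2" t="str"><v>%s</v></c></row>'
                     '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
                     '</sheetData></xm:macrosheet>' % (NS_MAIN, NS_XM, blob))
            zf.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


def triage_sample():
    return triage_workbook(build_workbook(with_macro=True))


def triage_benign():
    return triage_workbook(build_workbook(with_macro=False))


if __name__ == "__main__":
    print("sample:", triage_sample(), "->", is_suspicious(triage_sample()))
    print("benign:", triage_benign(), "->", is_suspicious(triage_benign()))
```

The indicators are deliberately coarse: a hidden sheet or a long base64 cell on its own is common in benign workbooks, so the verdict requires a macro sheet plus at least one other signal. XLM that assembles its function names at run time (FORMULA fed with CHAR-built strings, for example) will slip past plain string matching and needs a deobfuscator rather than this triage.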

“Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time,” the researchers noted. “Cost of maintaining 30 year old macros should be weighed against the security risks using such outdated technology brings.”

Source...

