A recent phishing campaign targeting Coinbase users shows thieves are getting cleverer about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.

[Image caption: A Google-translated version of the now-defunct Coinbase phishing site, coinbase.com.password-reset[.]com]

Coinbase is the world's second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue — coinbase.com.password-reset[.]com — was targeting Italian Coinbase users (the site's default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

Holden's team managed to peer inside some poorly hidden file directories associated with that phishing site, including its administration page. That panel, pictured in the redacted screenshot below, indicated the phishing attacks netted at least 870 sets of credentials before the site was taken offline.

[Image caption: The Coinbase phishing panel.]

Holden said each time a new victim submitted credentials at the Coinbase phishing site, the administrative panel would make a loud "ding" — presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook. In each case, the phishers…

Source

In the wake of the SolarWinds attack last year, President Biden issued an executive order in May advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter supply-chain attacks. For reference, SBOMs are machine-readable documents that provide a definitive record of the components used to build a software product, including open-source software. As a security professional, I am encouraged by the SBOM mandate because it is a step towards providing greater transparency for the software that all organizations must buy and use.

Since the executive order, software makers and buyers have been trying to make sense of how SBOMs support supply-chain security. Undoubtedly, many see it as a headache, but I believe it is a sensible safeguard.

Part of our problem around supply chains is that we trust them too much. We have learned the benefits of a zero-trust security model and applied this concept to our networks and endpoints, but we haven’t quite figured out how to do this for our supply chains. We still rely heavily upon time-consuming questionnaires that perpetuate the continued reliance on trust as the foundation for supply-chain security. The reason we need things like SBOMs is that we can’t trust our supply chains, and thus we need them to be transparent. SBOMs provide a stepping stone towards achieving this transparency and allow us to start moving towards a zero-trust approach for software supply chains. Rachel…

Source

Users of OpenSea, the world’s largest digital-collectible marketplace, have found their cryptocurrency wallets ripped off thanks to cyberattackers weaponizing security bugs that allowed them to hijack user accounts. The attacks revolved around booby-trapped art files, which circulated in the form of “free gifts.” That’s according to Check Point Research, whose researchers looked into a series of claims that cryptocurrency balances were going poof for both market shoppers and merchants.

OpenSea is a peer-to-peer marketplace for virtual goods – a bit like the Etsy of non-fungible tokens (NFTs) and crypto collectibles. NFTs are a way to take reproducible digital items such as photos, videos, audio and art files, and turn them into unique items; marketplaces use blockchain technology to establish a verified and public proof of ownership for such items. OpenSea has benefitted from the NFT boom, racking up $3.4 billion in transaction volume just in August. Cybercriminals are of course drawn to such money hubs like moths to a flame – and they have been true to form with OpenSea, according to Check Point.

To uncover how the wallet-draining attacks were carried out, researchers focused on reports that they began with a target being offered a free NFT gift or a link to OpenSea Art. For instance, one victim confirmed to CPR that he interacted with an airdropped NFT object prior to the wallet theft. “So, we decided to check what would happen if we created malicious art that…

Source

In less time than it takes to get a stuffed crust pizza delivered, a new group called SnapMC can breach an organization’s systems, steal their sensitive data, and demand payment to keep it from being published, according to a new report from NCC Group’s threat intelligence team — no ransomware required. Rather than disrupting business operations by locking down a target’s data and systems, SnapMC just focuses on straight-up extortion. However, this low-tech, ransomware-free approach to extortion on a compressed timeline relies on known vulnerabilities with patches readily available.

“The extortion emails we have seen from SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate,” the report said. “These deadlines are rarely abided by, since we have seen the attacker start increasing the pressure well before the countdown hits zero.”

The researchers weren’t able to link the group to any known threat actors and gave it the name for its speed (“Snap”) and its mc.exe exfiltration tool of choice. As evidence the group has the data, SnapMC provides victims with a list of the exfiltrated data. If they fail to engage in negotiations within the timeframe, the attackers threaten to publish the data and report the breach to customers and the media.

Analysts said they’ve observed SnapMC successfully breaching unpatched and vulnerable VPNs using the CVE-2019-18935 remote code execution bug in Telerik UI for ASP.NET, and webserver apps using SQL injections. VPN…

Source

Today is Microsoft’s October 2021 Patch Tuesday, and it delivers fixes for four zero-day vulnerabilities, one of which is being exploited in a far-reaching espionage campaign that delivers the new MysterySnail RAT malware to Windows servers. Microsoft reported a total of 74 vulnerabilities, three of which are rated critical.

MysterySnail Exploits Win32K Bug

Security researchers pointed to CVE-2021-40449, an elevation of privilege vulnerability in Win32k, as standing out from the crowd of patches, given that it’s been exploited in the wild as a zero-day. This summer, Kaspersky researchers discovered that the exploit was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) campaign from the APT IronHusky. The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data.

Bharat Jogi, Qualys senior manager of vulnerability and threat research, told Threatpost on Tuesday that if left unpatched, “MysterySnail has the potential to collect and exfiltrate system information from compromised hosts, in addition to other malicious users having the ability to gain complete control of the affected system and launch further attacks.” Jay Goodman, Automox director of product marketing, told Threatpost via email that these kinds of privilege elevation attacks “can be used to access beyond what the current user…

Source

Microsoft today issued updates to plug more than 70 security holes in its Windows operating systems and other software, including one vulnerability that is already being exploited. This month's Patch Tuesday also includes security fixes for the newly released Windows 11 operating system. Separately, Apple has released updates for iOS and iPadOS to address a flaw that is being actively attacked.

Firstly, Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability (CVE-2021-30883) that is being leveraged in active attacks targeting iPhone and iPad users. Lawrence Abrams of Bleeping Computer writes that the flaw could be used to steal data or install malware, and that soon after Apple patched the bug security researcher Saar Amar published a technical writeup and proof-of-concept exploit that was derived from reverse engineering Apple's patch. Abrams said the list of impacted Apple devices is quite extensive, affecting older and newer models. If you own an iPad or iPhone — or any other Apple device — please make sure it's up to date with the latest security patches.

Three of the weaknesses Microsoft addressed today tackle vulnerabilities rated "critical," meaning that malware or miscreants could exploit them to gain complete, remote control over vulnerable systems — with little or no help from targets. One of the critical bugs concerns Microsoft Word, and two others are remote code execution flaws in Windows Hyper-V, the virtualization component built…

Source

Researchers have discovered a zero-day exploit for Microsoft Windows that was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) espionage campaign this summer. The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data. Microsoft patched the bug (CVE-2021-40449) as part of its October Patch Tuesday updates, issued this week.

According to a Tuesday analysis from Kaspersky researchers, the issue lurks in the Win32k kernel driver. It’s a use-after-free vulnerability, and “the root cause of this vulnerability lies in the ability to set user-mode callbacks and execute unexpected API functions during execution of those callbacks,” they explained. “The CVE-2021-40449 is triggered when the function ResetDC is executed a second time for the same handle during execution of its own callback.”

This ultimately results in a dangling memory pointer that points to a previously destroyed Proactive Data Container (PDC) object, according to Kaspersky. That means that a malformed PDC object can be used to perform a call to an arbitrary kernel function, and from there allows attackers to read and write kernel memory. “It’s possible to use publicly known techniques to leak kernel addresses of currently loaded drivers/kernel modules,” researchers said.

MysterySnail RAT in Action

As mentioned, the cybercriminals…

Source

A new threat actor, dubbed DEV-0343, has been spotted attacking U.S. and Israeli defense technology companies, Persian Gulf ports of entry and global maritime transportation companies with ties to the Middle East. The threat actor’s goal is Microsoft Office 365 account takeovers.

Microsoft, which began tracking the activity in late July 2021, detailed the attacks in an alert released Monday, adding that the culprits appear to be bent on espionage and have ties to Iran. It stated cyberattackers are “conducting extensive password spraying” against Office 365 accounts. Password-spraying is the process of trying a list of user names and a series of different passwords against online accounts in hopes of finding a match and gaining access to password-protected accounts. In this case, the attackers typically mount attacks on “dozens to hundreds of accounts” within each targeted organization, Microsoft said, and have been seen trying thousands of credential combinations against each account.

So far, the campaign has targeted about 250 specific organizations that use Microsoft’s cloud-based Office suite, with fewer than 20 of them suffering compromise, according to the company. However, “DEV-0343 continues to evolve their techniques to refine its attacks,” the computing giant warned. The attacks for now are being carried out using an emulated Firefox or Chrome browser, and rotating IP addresses hosted on a Tor proxy network, according to the analysis. On average, each attack uses…

Source

Apple on Monday rushed out a security update for iOS 15.0.2 and iPadOS 15.0.2 to fix a remote code-execution (RCE) zero-day vulnerability that’s being actively exploited. Within hours, a security researcher had picked the bug apart and published both proof-of-concept code and an explanation of the vulnerability, meaning that now’s a really good time to update your iOS device. A week and a half ago, Apple released iOS 15.0.1 to fix a slew of performance glitches, but iOS 15.0.2 is the first security update for the new OS.

Monday’s patch addresses a memory-corruption zero day – tracked as CVE-2021-30883 – in IOMobileFrameBuffer, a kernel extension that acts as a screen framebuffer, allowing developers to control how a device’s memory is used for the screen display. “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” the company said. Attackers who get access to kernel privileges gain full control of an iOS device.

Apple typically doesn’t choose to hand weapons to attackers. True to form, the company kept potential attack blueprints close to its vest: It didn’t release technical details for either the vulnerability or the attack(s) that have exploited it. Not all are as cautious. Shortly after the patch was released, a security researcher named Saar Amar published both a technical explanation and proof-of-concept exploit code. He said that he thought that the bug is…

Source

As an information-security professional, would you feel ready to respond to a state attorney in the event of a cyber-incident? Around half (47 percent) of organizations polled for Kroll’s The State of Incident Response 2021 report said that their teams lack clarity around when to engage legal counsel about a potential incident.

The potential impact of current and emerging cyber-incidents is so great that cybersecurity can no longer remain solely within the scope of an organization’s information-security team. The multi-layered nature of incident response demands input from resources across an organization, particularly legal. We’ll go through five key approaches for helping the infosec and legal teams work together in partnership, but first let’s review some general best practices.

At least two in five organizations are currently ill-equipped to respond to the full legal requirements of handling an incident, while 43 percent are missing a clearly defined process to communicate with regulatory agencies. In many organizations, legal teams remain a significant blind spot within information-security programs. It is imperative that organizations ensure these two key teams are aligned in advance of an incident taking place.

Sharing Knowledge Around Data Privacy & Protection

Every organization that digitally stores personal and/or sensitive information is required to implement data-privacy and protection measures. This involves input from both legal and infosec teams to ensure collaboration…

Source