In December 2019, Cynet launched the State of Breach Protection 2020 Survey. Based on responses from 1,536 individuals, it now shares the survey report, which covers the common practices, priorities and preferences of security leaders as they strive to secure their organizations from a breach (download the full survey report here). One of the main challenges facing security executives is how to prepare for and respond to the threats they face in today’s continually changing landscape. They need to consider questions such as: Which attacks pose the greatest risk? Which security products would best prepare them to face these threats? Should they build a strong team of in-house security professionals, outsource their security operations, or find a balance between the two? What level and kinds of automation can help them as part of their breach protection workflows? And more. The State of Breach Protection 2020 survey also provides findings such as: Not consolidating gets in the way of achieving successful protection. According to the survey, organizations that deploy and utilize advanced security products find managing a multi-product security stack to be the biggest obstacle to achieving their target protection level. The main focus of many organizations in 2020 is advanced protection projects. Most organizations that already deploy the basic AV, firewall and email security products plan to add on EDR/EPP, network traffic analysis or SIEM…

Source

A new variant of the Muhstik botnet has appeared, this time with scanner technology that, for the first time, can brute-force web authentication to attack routers running the Tomato open-source firmware, researchers have found. Researchers at Palo Alto Networks’ Unit 42 discovered the new variant harvesting vulnerable routers and IoT devices in early December, they reported in a blog post Tuesday. Muhstik, which shows a wormlike self-propagating capability that can infect Linux servers and IoT devices, has been active since March 2018. “The new Muhstik variant scans Tomato routers on TCP port 8080 and bypasses the admin web authentication by default credentials bruteforcing,” researchers wrote in their report. The defaults in this case are “admin:admin” and “root:admin.” “We captured the Tomato router web authentication brute-forcing traffic,” wrote the Palo Alto researchers Cong Zheng, Yang Ji and Asher Davila, who co-authored the blog. Tomato firmware, a Linux-based, non-proprietary firmware known for its stability, VPN pass-through capability and advanced quality-of-service control, is used by multiple router vendors and is also installed manually by end users, researchers said. To estimate the volume of infected devices, researchers searched Shodan for fingerprints of Tomato routers, which identified more than 4,600 Tomato routers exposed on the internet and thus vulnerable to the latest Muhstik attack. Indeed, botnet developers are increasingly compromising IoT devices installed…

Source

When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll. Last week, Threatpost conducted a reader poll and almost 60 percent of 230 security pundits thought it was a “good idea” to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn’t a good idea. The debate comes on the heels of PoC code being released last week for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The PoC exploits, which were published to showcase how the vulnerability in a system can be exploited, raised questions about the positive and negative consequences of releasing such code for an unpatched vulnerability. Some argued that the code can be used to test networks and pinpoint vulnerable aspects of a system, as well as motivate companies to patch, but others in the security space have argued that PoC code gives attackers a blueprint to launch and automate attacks.

Security Motivator

Many security experts point to the role of PoC code publication in motivating impacted companies and manufacturers to adopt more effective security measures. That was the argument of one such advocate, Dr. Richard Gold, head of security engineering at Digital Shadows, who said that PoC code enables security teams to test if their systems are exploitable or not. “Rather than…

Source

A prolific phishing gang known as 16Shop has added PayPal customers to its target set. According to researchers at the ZeroFOX Alpha Team, the latest version of the group’s phishing kit is designed with a number of features aimed at stealing as much personally identifiable information (PII) as possible from users of the popular money-transfer service, including login credentials, geolocation, email address, credit-card information, phone number and more. In investigating the kit’s infrastructure, researchers uncovered that, to establish contact, the kit sends a POST request to a command-and-control (C2) server with a password, domain and path as a form of operational security. Stolen information is subsequently exfiltrated via SMTP to an attacker-controlled email inbox. The kit can be used to create phishing pages in English, Japanese, Spanish, German and Thai. The researchers were able to intercept traffic between the kit and the C2 server and gain access to the server panel that 16Shop rents to users. They found that it is so user-friendly that users could deploy phishing pages without needing to understand any of the underlying protocols or technology. “Much like a SaaS [software-as-a-service] product, user experience and dashboard analytics are keys to success,” ZeroFOX said in a posting on the new kit on Tuesday. “The 16Shop kit panel is professionally done, with reactive elements and data updating in real time. Whether it’s login credentials collected,…

Source

Citrix has quickened its rollout of patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts. Several versions of the products still remain unpatched, but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch on Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan. 24 (Friday of this week). Also, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19, a day earlier than it had expected to. The versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x) and 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615). When it was originally disclosed in December, the vulnerability did not have a patch, and Citrix announced it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until “late January.” However, in the…

Source

FTCODE, a PowerShell-based ransomware that targets Italian-language users, has added new capabilities, including the ability to swipe saved web browser and email client credentials from victims. Samples of the ransomware, which has been around since 2013, were recently observed in September 2019. After further analysis, researchers say new versions of the ransomware now aim to steal credentials from Internet Explorer and Mozilla Firefox, as well as email clients Mozilla Thunderbird, Google Chrome and Microsoft Outlook. “The FTCODE ransomware campaign is rapidly changing,” said researchers Rajdeepsinh Dodia, Amandeep Kumar and Atinderpal Singh with Zscaler, in an analysis last week. “Due to the scripting language it was written in, it offers multiple advantages to threat actors, enabling them to easily add or remove features or make tweaks much more easily than is possible with traditionally compiled malware.” It’s unclear how many victims have been targeted as part of FTCODE’s recent campaign; Threatpost has reached out to researchers for more details.

Attack Chain

The attack chain for FTCODE previously started with spam emails being sent to victims containing malicious macro documents, which, when clicked, downloaded the ransomware. However, in more recent campaigns, the bad actor has been sending victims links to VBScripts, which then download FTCODE. Once a user executes the VBScript, it in turn executes a PowerShell script, which then downloads and opens up a decoy image…

Source

An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild, Microsoft has announced. It’s working on a patch; in the meantime, workarounds are available. The bug (CVE-2020-0674), which is listed as critical in severity for IE 11 and up and moderate for IE 9 and IE 10, exists in the way that the jscript.dll scripting engine handles objects in memory in the browser, according to Microsoft’s advisory, issued Friday. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, meaning that an adversary could gain the same user rights as the current user. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft explained. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” An attack could be carried out using a malicious website designed to exploit the vulnerability through IE, the advisory noted. Threat actors could lure victims to the site by sending an email, through watering-hole techniques, via malicious documents containing a web link and through other social-engineering efforts.

Darkhotel APT Active Attacks

The in-the-wild attacks are likely the work of the Chinese APT known as Darkhotel, according to the researchers at Qihoo 360 who found the bug. “The impact [could be]…

Source

A hacker has published a list of credentials for more than 515,000 servers, home routers and other Internet of Things (IoT) devices online on a popular hacking forum in what’s being touted as the biggest leak of Telnet passwords to date, according to a published report. The leak, revealed in a report on ZDNet, demonstrates once again the inherent insecurity of the Telnet protocol and highlights persistent security flaws that could affect business networks as more and more so-called “smart” devices connect to the internet from home networks. The hacker compiled the list, which includes each device’s IP address as well as a username and password for Telnet, by scanning the entire internet for devices that were exposing their Telnet port, according to the report. The bad actor then used factory-set default usernames and passwords and/or easy-to-guess password combinations to gain credentials, according to ZDNet. The list the hacker compiled is known as a “bot list,” which IoT botnet operations rely on to connect to devices and install malware. The hacker, who himself is a maintainer of a DDoS-for-hire (also known as a DDoS booter) service, according to the report, had a vested interest in compiling such an extensive list because of a change in the way he conducts his business, according to ZDNet. The one spot of good news for those owning devices on the list is that all the credentials leaked by the hacker are dated October to November 2019, which means some of the devices…

Source

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others. Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors. Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded, BackConnect Security LLC, had developed the unusual habit of hijacking Internet address space it didn't own in a bid to protect clients from attacks. Preston's guilty plea agreement (PDF) doesn't specify whom he admitted attacking, and refers to the target only as "Victim 1." Preston declined to comment for this story. But that 2016 story came on the heels of an exclusive about the hacking of vDOS, at the time the world's most popular and powerful DDoS-for-hire service. KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf. Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a…

Source

Researchers are warning of a new remote access trojan (RAT), dubbed JhoneRAT, which is being distributed as part of an active campaign, ongoing since November 2019, that targets victims in the Middle East. Once downloaded, the RAT gathers information on the victims’ computers and is also able to download additional payloads. Evidence shows that the attackers behind JhoneRAT have taken extra steps to ensure the RAT is being distributed to Arabic-speaking victims. Researchers note that the attackers have also made use of various cloud services, such as Google Drive and Google Forms, as part of the payload’s infection process. “The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers,” said researchers with Cisco Talos in a Thursday analysis. “JhoneRAT is developed in Python but not based on public source code, as is often the case for this type of malware. The attackers put great effort into carefully selecting the targets located in specific countries based on the victim’s keyboard layout.” The RAT is first spread to victims via malicious Microsoft Office documents. Threatpost has reached out to researchers to clarify whether those documents are spread via email or other methods. Researchers identified three malicious documents distributing JhoneRAT: the oldest, from November 2019, is called “Urgent.docx.” The second document is from the beginning of January 2019, named “fb.docx,” and contains usernames and passwords…

Source