Year: 2021

Log4j CVE-2021-44228

Log4j is a popular Java library used as the logging framework in a great many applications. Apache Log4j 2 contains a remote code execution (RCE) vulnerability, CVE-2021-44228, also known as Log4Shell, which was exploited as a zero-day.

All Log4j 2 versions from 2.0-beta9 through 2.14.1 are affected by this vulnerability.

An attacker sends a specially crafted request, over any protocol (HTTP, TCP, etc.), to an endpoint whose log statement writes out a string taken from that request. The payload triggers the Log4j vulnerability, and the server makes a request to an attacker-controlled site via the Java Naming and Directory Interface (JNDI).

The response contains a path to a remote Java class file, which is loaded into the server process; this injected payload triggers a second stage and allows the attacker to execute arbitrary code. The important point is that the vulnerability is triggered whenever any part of the logged data contains an untrusted string.

In this way an unauthenticated, remote attacker can exploit the vulnerability and achieve RCE on a server running a vulnerable version of Log4j. Because so many applications use Log4j for logging, many services are exposed to this exploit; cloud services such as Apple iCloud have already been found to be vulnerable.

Mitigation

The simplest and most effective protection is to install the most recent version of the library, 2.15.0.

If updating the library is not possible, the Apache Foundation recommends one of the following mitigations. For Log4j versions 2.10 to 2.14.1, set the log4j2.formatMsgNoLookups system property, or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable, to true.

To protect earlier releases of Log4j (2.0-beta9 to 2.10.0), the library developers recommend removing the JndiLookup class from the classpath, for example by deleting it from the jar:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
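The following is an added example, not code from the original post or from the Apache Log4j project. It checks a log4j-core jar offline against the affected version range and the two mitigations listed above (the no-lookups flag, honoured only from 2.10 on, and removal of the JndiLookup class). It assumes the library version can be read from the Maven pom.properties entry that log4j-core jars carry under META-INF/maven/org.apache.logging.log4j/log4j-core/, and that JVM system properties are supplied as a plain dict (for instance parsed from the launch command); the sample jars it builds are constructed in memory for the demonstration.

```python
"""Offline exposure check for a log4j-core jar (added example, not project code).

Assumptions: the version is read from the jar's Maven pom.properties; JVM system
properties are passed as a dict; environment variables default to os.environ.
"""
import io
import os
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-release qualifiers sort before a release


def parse_version(text):
    """Turn strings such as '2.0-beta9', '2.10' or '2.14.1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier, qualifier_num = m.groups()
    rank = QUALIFIER_RANK[qualifier] if qualifier else 3      # 3 = final release
    return (int(major), int(minor), int(patch or 0), rank, int(qualifier_num or 0))


AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.14.1")
PROPERTY_FIX_FROM = parse_version("2.10")   # the no-lookups flag is only honoured from 2.10 on


def version_is_affected(text):
    """True when the version lies in the 2.0-beta9 .. 2.14.1 range named in the post."""
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH


def read_version_from_jar(zf):
    """Return the 'version=' entry of the jar's Maven pom.properties, or None if absent."""
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess_jar(jar_bytes, env=None, jvm_props=None):
    """Report whether a log4j-core jar is still exposed under the given runtime settings.

    The jar counts as mitigated when the JndiLookup class has been removed, or when the
    no-lookups flag is set and the version is one that honours it (2.10 to 2.14.1).
    """
    env = os.environ if env is None else env
    jvm_props = {} if jvm_props is None else jvm_props
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = read_version_from_jar(zf)
        jndi_lookup_present = JNDI_LOOKUP_CLASS in zf.namelist()

    affected = version is not None and version_is_affected(version)
    no_lookups = (
        str(jvm_props.get("log4j2.formatMsgNoLookups", "")).lower() == "true"
        or str(env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "")).lower() == "true"
    )
    flag_honoured = affected and parse_version(version) >= PROPERTY_FIX_FROM
    mitigated = (not jndi_lookup_present) or (no_lookups and flag_honoured)
    return {
        "version": version,
        "affected_version": affected,
        "jndi_lookup_present": jndi_lookup_present,
        "no_lookups_flag": no_lookups,
        "exposed": affected and not mitigated,
    }


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed sample: a minimal in-memory jar with only the two entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic, nothing more
    return buf.getvalue()


if __name__ == "__main__":
    cases = [
        ("2.14.1", True, {}),                                       # affected, nothing done
        ("2.14.1", True, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}),  # flag honoured
        ("2.8.2", True, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}),   # flag ignored before 2.10
        ("2.8.2", False, {}),                                       # class removed
        ("2.15.0", True, {}),                                       # fixed release
    ]
    for ver, keep_class, env in cases:
        print(ver, assess_jar(build_sample_jar(ver, keep_class), env=env))
```

The version-range check is the part worth keeping in any inventory script: a 2.8.x jar with LOG4J_FORMAT_MSG_NO_LOOKUPS set still reports as exposed, because that setting did not exist before 2.10, which is exactly the case the post's two-tier advice is about. Against real jars, pass the file bytes to assess_jar together with the properties parsed from the service's launch command.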

Found this article interesting? Follow HackersIdentity on Facebook, Twitter and LinkedIn to read more exclusive content we post.


Industry’s first comprehensive cybersecurity skilling program to empower India’s workforce for a career in security. This initiative aims to skill 1 lakh learners by 2022.

As digital adoption continues to rise, the cybersecurity landscape has evolved significantly, creating huge demand for skilled security professionals. To address this skills gap and empower India’s workforce for a career in cybersecurity, Microsoft launched a first-of-its-kind cybersecurity skilling program that aims to skill over 1 lakh learners by 2022.

The program is designed to give learners hands-on experience in the fundamentals of security, compliance, and identity. Microsoft will conduct these courses along with its strategic consortium of partners including Cloudthat, Koenig, RPS, and Synergetics Learning. The course modules are designed to support all levels of learners, regardless of where they are in their cybersecurity journey.

Microsoft has introduced four new security, compliance, and identity certifications, of which the accredited Fundamentals certification will be offered at zero cost to any individual who attends the associated training through this initiative. Additionally, in collaboration with its partners, Microsoft offers learners deep discounts on the remaining advanced role-based certifications to build the skills needed to address cybersecurity challenges.

Learners can apply for the course: https://www.microsoft.com/en-in/campaign/MS-IndiaSkillingInitiative/SecuritySkilling.aspx


Go Daddy data breach 2021

Web-hosting giant GoDaddy has confirmed another data breach, this time affecting at least 1.2 million of its customers.

In an official statement, GoDaddy said that on November 17, 2021, it discovered unauthorized third-party access to its Managed WordPress hosting environment.

GoDaddy identified suspicious activity in its Managed WordPress hosting environment, immediately began an investigation with the help of an IT forensics firm, and contacted law enforcement.

GoDaddy immediately blocked the unauthorized third party from its systems. The investigation is ongoing, but GoDaddy has determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to the following customer information:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents a risk of phishing attacks.
  • The original WordPress Admin password that was set at the time of provisioning was exposed. Where those credentials were still in use, the passwords were reset.
  • For active customers, sFTP and database usernames and passwords were exposed. Both passwords were reset.
  • For a subset of active customers, the SSL private key was exposed. GoDaddy will be issuing and installing new certificates for those customers.



Pegasus is spyware developed, marketed and licensed to governments around the world by the Israeli company NSO Group.

What is Spyware

It has the capability to infect billions of phones running either iOS or Android operating systems.

Pegasus has evolved from spear-phishing, in which an attacker tricks the target into clicking a malicious link sent by text message or email, to a more sophisticated method called the zero-click attack. This form of attack has made the software one of the most dangerous spyware threats to individuals’ privacy.

To gain entry, the software uses zero-day vulnerabilities, meaning flaws in the OS that have not yet been identified and hence have not been patched. Instead of exploiting human error, it relies on flaws in the software and hardware to gain access to a device.

All the attacker has to do is place a WhatsApp call, which launches the code and gains access to the OS. After planting the malware, Pegasus alters the call log so that the user has no knowledge of what happened.

Bull’s Eye

An analysis of criminal forums revealed information regarding top trending Common Vulnerabilities and Exposures (CVEs) among cybercriminals. According to researchers, criminal discussions in underground forums reveal information about the most talked-about CVEs.

Analysis of CVEs

The below analysis by Cognyte is an outcome of examining 15 cybercrime forums from January 2020 to March 2021.
  • The top six CVEs, the most famous among cybercriminals, are CVE-2020-1472 (aka ZeroLogon), CVE-2020-0796 (aka SMBGhost), CVE-2019-19781, CVE-2019-0708 (aka BlueKeep), CVE-2017-11882, and CVE-2017-0199.
  • According to the report, most of the discovered CVEs were exploited by nation-state hackers and cybercriminals; for example, ransomware gangs and global attack campaigns aimed at different industries.
  • The researchers discovered that ZeroLogon, SMBGhost, and BlueKeep were among the most talked-about vulnerabilities among cybercriminals between January 2020 and March 2021.
  • Moreover, the nine-year-old CVE-2012-0158 was exploited during the onset of the COVID-19 pandemic, which shows that organizations are still lagging behind in taking these threats seriously.

Recent exploit incidents

The above-mentioned vulnerabilities have been used by several attackers to target their victims in the past few months.
  • In May, APT29, the threat actors allegedly associated with the Russian Foreign Intelligence Service, were observed leveraging several vulnerabilities, including the Citrix flaw CVE-2019-19781, to target its victims.
  • In April, Prometei, a persistent cryptocurrency mining botnet was observed exploiting Microsoft Exchange vulnerabilities—CVE-2021-27065 and CVE-2021-26858—to target victim networks to install malware.
  • Around the same time, a new Chinese APT Backdoor PortDoor was observed exploiting several vulnerabilities in Microsoft’s Equation Editor, including CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.

Conclusion

The recent analysis provides another great insight into cybercriminals’ interest in the CVEs. This information could help organizations to identify flaws exploited in the wild and help security professionals address the potential weaknesses by applying appropriate security patches.

The US and EU have accused China of carrying out a major cyber-attack earlier this year.

The attack targeted Microsoft Exchange servers, affecting at least 30,000 organisations globally.

Western security services believe it signals a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns Chinese cyber-behaviour is escalating.

The Chinese Ministry of State Security (MSS) has also been accused of wider espionage activity and a broader pattern of “reckless” behaviour.

China has previously denied allegations of hacking and says it opposes all forms of cyber-crime.

The unified call-out of Beijing shows the gravity with which this case has been taken. Western intelligence officials say aspects are markedly more serious than anything they have seen before.

It began in January when hackers from a Chinese-linked group known as Hafnium began exploiting a vulnerability in Microsoft Exchange. They used the vulnerability to insert backdoors into systems which they could return to later.

The UK said the attack was likely to enable large-scale espionage, including the acquisition of personal information and intellectual property.

It was mainly carried out against specific systems which aligned with Hafnium’s previous targets, such as defence contractors, think tanks and universities.

“We believe that cyber-operators working under the control of Chinese intelligence learned about the Microsoft vulnerability in early January, and were racing to exploit the vulnerability before [it] was widely identified in the public domain,” a security source told the BBC.

If this had been all, it would have been just another espionage operation. But in late February something significant changed.

The targeted attack became a mass pile-in when other China-based groups began to exploit the vulnerability. The targets scaled up to encompass key industries and governments worldwide.

It had turned from targeted espionage to a massive smash-and-grab raid.

Western security sources believe Hafnium obtained advance knowledge that Microsoft intended to patch or close the vulnerability, and so shared it with other China-based groups to maximize the benefit before it became obsolete.

It was the recklessness of the decision to spread the vulnerability that helped drive the decision to call out the Chinese publicly, officials say.

The UK is also understood to have raised the issue of Chinese cyber-activity in private with Beijing over an extended period, including handing over dossiers of evidence.

Microsoft went public about the vulnerability on 2 March and offered a patch to close it. At this point, more hackers around the world had realized its value and piled in.

Around a quarter of a million systems globally were left exposed – often small or medium-sized businesses and organizations – and at least 30,000 were compromised.

Western governments accuse the MSS of using hackers for hire and want it to sever ties with them.

The UK Foreign Office said the Chinese government had “ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks and act recklessly when caught”.

The White House said it reserved the right to take additional actions against China over its cyber activities.

The EU, meanwhile, said the hack had “resulted in security risks and significant economic loss for our government institutions and private companies”.

But Western spies are still struggling to understand why Chinese behavior has changed. If the hackers were authorized to escalate, it would suggest a step-change in what the country is willing to do and raise the fear that they no longer care about being caught.

That is partly why so many governments have joined together to signal their concerns. Japan, Australia, Canada and New Zealand have joined Nato in issuing a statement in “solidarity”.

The countries also called out wider Chinese behaviour, which they linked to two groups known as APT 40 and APT 31, both believed to be associated with the MSS.

Despite the strong language, there are no signs of fresh sanctions against China. In contrast, new sanctions were placed on Russia for the recent SolarWinds campaign which many experts believe was less serious than the Microsoft Exchange campaign linked to China.

Some officials, however, hope China is more sensitive than Russia to international pressure.

The US Department of Justice has announced criminal charges against four MSS hackers which it said were linked to a long-term campaign targeting foreign governments and entities in key sectors in at least a dozen countries.

Ultimately, Western security sources believe the MSS is behind all the activity revealed today and hope co-ordinated international action will put pressure on their activities.


For many years the Cost of a Data Breach Report has been produced jointly by the Ponemon Institute and IBM Security. The research is conducted independently by the Ponemon Institute, and the results are sponsored, analyzed, reported and published by IBM Security.

The Cost of a Data Breach Report is a global report, combining results from 524 organizations across 17 countries and regions, and 17 industries to provide global averages.

The pandemic drove a rapid shift to remote work, which led to enormous data breaches. Organizations were focused on getting online and security became an afterthought, while security leaders struggled to maintain the status quo and the organization’s compliance posture.

The study identifies the following trends among companies:

Healthcare breach cost: The healthcare industry topped the average total cost of a data breach at $7.3 million, a 10% increase over the 2019 study. Similarly, the energy sector saw a 13% increase from 2019, to an average of $6.39 million in the 2020 study. Overall, 13 of 17 industries experienced a year-over-year decline in average total cost, with the steepest drops coming in media, education, the public sector and hospitality.

Stolen credentials: Stolen or compromised credentials were the most expensive cause of malicious data breaches. One in five companies (19%) that suffered a malicious data breach was infiltrated due to stolen or compromised credentials, increasing the average total cost of a breach for these companies by nearly $1 million to $4.77 million. Overall, malicious attacks registered as the most frequent root cause (52% of breaches in the study), versus human error (23%) or system glitches (25%).

Shift to cloud: Misconfigured clouds were a leading cause of breaches. Security complexity and cloud migration cost companies most. Undergoing an extensive cloud migration at the time of the breach increased the average cost of a breach by more than $267,000, to an adjusted average cost of $4.13 million.

Remote work: The report found that factors such as remote working have a significant impact on data breach response. Nearly 20% of organizations studied reported that remote work was a factor in their data breach, and these breaches ended up costing companies $4.96 million (nearly 15% more than the average breach).

Incident response: Investment in incident response teams and plans reduced the cost of a data breach. Companies with an incident response team that also tested their incident response plan had an average breach cost of $3.25 million.

Approximately three weeks after Florida-based software vendor Kaseya was hit by a widespread ransomware attack, the company has managed to obtain a decryption key for the REvil ransomware. It was one of the most damaging attacks in ransomware history.

The attacks, which exploited now-patched zero-days in the Kaseya Virtual Server Administrator (VSA) platform, affected Kaseya customers in 22 countries using the on-premises version of the platform, many of which are managed service providers (MSPs) that use VSA to manage the networks of other businesses.

Around 60 direct customers and 1,500 downstream customers of those MSPs were also affected.

The VSA software is used by Kaseya customers to remotely monitor and manage software and network infrastructure.

It is unclear whether Kaseya paid any ransom. REvil members had demanded a ransom of $70 million, an amount that was later negotiated down to $50 million. The abrupt appearance of the decryption key suggests the ransom may have been paid, possibly after further negotiation to a lower price, but soon after, the ransomware gang mysteriously went off the grid, shutting down its payment sites and data leak portals.

Kaseya is working with Emsisoft to support its customers in recovering systems and data, and Emsisoft has confirmed that the decryption key works and is unlocking victims’ files.

The lesson from the attack: whenever an organization trusts third parties or vendors with the keys to its business, it is taking on a serious risk. An MSP or other third party that has been given such access must protect its customers aggressively.



Types of cyber attack

  1. Malware: in which malicious software is used to attack information systems. Ransomware, spyware and Trojans are examples of malware. Depending on the type of malicious code, malware could be used by hackers to steal or secretly copy sensitive data, block access to files, disrupt system operations or make systems inoperable.
  2. Phishing: in which hackers socially engineer email messages to entice recipients to open them. The recipients are tricked into downloading the malware contained within the email by either opening an attached file or embedded link.
  3. Man-in-the-middle: or MitM, where attackers secretly insert themselves between two parties, such as individual computer users and their financial institution. Depending on the details of the actual attack, this type of attack may be more specifically classified as a man-in-the-browser attack, monster-in-the-middle attack or machine-in-the-middle attack. It is also sometimes called an eavesdropping attack.
  4. DDoS: in which hackers bombard an organization’s servers with large volumes of simultaneous data requests, thereby making the servers unable to handle any legitimate requests.
  5. SQL injection: where hackers insert malicious Structured Query Language (SQL) code into a server’s database queries to get the server to reveal sensitive data.
  6. Zero-day exploit: which happens when a newly identified vulnerability in IT infrastructure is first exploited by hackers.
  7. Domain name system (DNS) tunneling: a sophisticated attack in which attackers establish and then use persistently available access — or a tunnel — into their targets’ systems.
  8. Drive-by: or drive-by download, occurs when an individual visits a website that, in turn, infects the unsuspecting individual’s computer with malware.
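To make item 5 concrete, here is an added example (not code from the original post) showing the defect that makes SQL injection possible beside its fix: a lookup that splices user input into the statement text, and the same lookup with a bound parameter. It uses Python’s built-in sqlite3 module and an in-memory table with constructed sample rows, so it runs offline; the table name, columns and the crafted input are assumptions for the demonstration.

```python
"""SQL injection: vulnerable string-built query beside the parameterised fix.

Added example, not from the original post. The users table and its rows are
constructed here for the demonstration.
"""
import sqlite3


def make_db():
    """Build an in-memory SQLite database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "user"),
        ("bob", "bob@example.test", "admin"),
    ])
    return conn


def find_user_vulnerable(conn, username):
    """The defect: the caller's string becomes part of the SQL text itself,
    so a value containing quotes and operators changes the query's structure."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The fix: a placeholder is bound to the value by the driver. The statement
    structure is fixed at write time, whatever the string contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"           # constructed input that closes the quote and adds a clause
    print(find_user_vulnerable(conn, "alice"))    # the one intended row
    print(find_user_vulnerable(conn, crafted))    # every row in the table leaks
    print(find_user_safe(conn, crafted))          # no user is literally named that: []
```

The contrast is the whole lesson: the vulnerable function returns both rows for the crafted input because the database sees two conditions joined by OR, while the parameterised function returns nothing because the same string is compared as a single literal value. Prepared statements or a query builder that binds parameters are the standard mitigation; input filtering on its own is not.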

Credential-based attacks happen when hackers steal the credentials that IT workers use to access and manage systems and then use that information to illegally access computers to steal sensitive data or otherwise disrupt an organization and its operations.

How Can You Prevent A Cyber Attack?

There is no guaranteed way for any organization to prevent a cyber attack, but there are numerous cybersecurity best practices that organizations can follow to reduce the risk. Reducing the risk of a cyber attack relies on using a combination of skilled security professionals, processes and technology. Reducing risk also involves three broad categories of defensive action:

  • preventing attempted attacks from actually entering the organization’s IT systems;
  • detecting intrusions; and
  • disrupting attacks already in motion — ideally, at the earliest possible time.

Best practices include the following:

  • implementing perimeter defenses, such as firewalls, to help block attack attempts and to block access to known malicious domains;
  • using software to protect against malware, namely antivirus software, thereby adding another layer of protection against cyber attacks;
  • having a patch management program to address known software vulnerabilities that could be exploited by hackers;
  • setting appropriate security configurations, password policies and user access controls;
  • maintaining a monitoring and detection program to identify and alert to suspicious activity;
  • creating incident response plans to guide reaction to a breach; and
  • training and educating individual users about attack scenarios and how they as individuals have a role to play in protecting the organization.

India Ranks Among the Top 10 in the Global Cybersecurity Index 2020.

The Global Cybersecurity Index (GCI) is a yearly survey carried out by the ITU (International Telecommunication Union), the United Nations specialized agency for ICTs. The GCI was first launched in 2015. For 2020 the index maps 82 questions onto the cybersecurity commitments of 194 member states, and the ranking was measured on the basis of five pillars:

  • Legal measures
  • Technical measures
  • Organizational measures
  • Capacity development measures
  • Co-operation measures

India ranks in 10th position with a score of 97.5. The list is topped by the USA with a score of 100, followed by the United Kingdom and Saudi Arabia in second position with a score of 99.54. India has also secured fourth position in the Asia Pacific region, underlining its commitment to cybersecurity.

Estonia ranked third with a score of 99.48, while Korea (Rep. of), Singapore and Spain placed fourth with a score of 98.52, and fifth was secured by the Russian Federation, the United Arab Emirates and Malaysia with a score of 98.06.

Lithuania holds sixth position with a score of 97.93, Japan secured seventh with 97.82, and eighth and ninth are Canada and France with scores of 97.67 and 97.6.

The goal of the GCI is to help countries identify areas for improvement in cybersecurity and to encourage them to take action in those areas.

Cybersecurity is a multidisciplinary field, and its application involves all sectors, industries and stakeholders, both vertically and horizontally. To develop national capabilities, efforts have to be made by political and economic actors, law enforcement, the justice department, educational institutions, the private sector, public-private partnerships, technology developers and intra-state cooperation.

Finally, India has worked relentlessly on all five pillars over the last few years, resulting in a significant improvement in its ranking. We hope the GCI will also help address the gap between developed and developing countries by encouraging knowledge sharing, upskilling and building competencies.