Weekly Cybersecurity Roundup #13
“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.” – Bruce Schneier
.NET Core vulnerability lets attackers evade malware detection
A vulnerability in the .NET Core library allows malicious programs to be launched while evading detection by security software.
This vulnerability is caused by a Path Traversal bug in Microsoft’s .NET Core library that allows malicious garbage collection DLLs to be loaded by users with low privileges.
This bug affects the latest stable release (3.1.x versions) of .NET Core. A fix is not currently available and could let attackers execute malicious code on a system without being readily detected by antivirus and EDR products.
Sodinokibi Ransomware Operators hit electrical energy company Light S.A.
Sodinokibi ransomware (aka REvil) operators have breached the Brazilian-based electrical energy company Light S.A. and are demanding a $14 million ransom.
Light S.A. confirmed the attack to a local newspaper, but it did not provide technical details of the security breach or disclose the type of ransomware that infected its systems.
“The company claims to have been the victim of a virus attack, but what motivated this attack has been kept confidential: hackers have invaded the system and sent a virus that encrypts all Windows system files.” reads the post published by the newspaper.
How Police Secretly Took Over a Global Phone Network for Organized Crime
Something wasn't right. Starting earlier this year, police kept arresting associates of Mark, a UK-based alleged drug dealer. Mark took the security of his operation seriously, with the gang using code names to discuss business on custom, encrypted phones made by a company called Encrochat. For legal reasons, Motherboard is referring to Mark using a pseudonym.
Because the messages were encrypted on the devices themselves, police couldn't tap the group's phones or intercept messages as authorities normally would. On Encrochat, criminals spoke openly and negotiated their deals in granular detail, with price lists, names of customers, and explicit references to the large quantities of drugs they sold, according to documents obtained by Motherboard from sources in and around the criminal world.
Lazarus Group Adds Magecart to the Mix
The Lazarus Group, state-sponsored hackers affiliated with North Korea, has added digital payment-card skimming to its repertoire, researchers said, using Magecart code.
Lazarus members are targeting online payments made by American and European shoppers. Among the victims is Claire’s, the fashion accessory chain that was attacked in June, according to an analysis from Sansec issued on Monday.
Researchers said that the infrastructure used in the attacks is the same that has been seen in previous Lazarus operations; and that “distinctive patterns in the malware code were identified that linked multiple hacks to the same actor.”
Brave Browser leaves behind History even after clearing it
The Chromium-based Brave web browser is not your safest bet for a quick browsing session followed by hitting the clear button to wipe the history.
A user caught Brave leaving traces of browsing history behind, as reported on GitHub and later posted to Reddit.
Company web names hijacked via outdated cloud DNS records
US security researcher Zach Edwards recently tweeted about finding 250 company website names that had been taken over by cybercriminals.
He didn’t name the brands, but insists that the organisations affected include banks, healthcare companies, restaurant chains, civil rights groups and more.
The issue here is that the websites themselves haven’t been hacked, but their DNS entries have.
These attacks, known as DNS hijacks, happen when crooks don’t actually break into and take over a site itself, but instead simply change the “internet signposts” that point to it.
As you probably know, DNS, short for domain name system, is the distributed, global name-to-number database that automatically turns human-friendly server names such as nakedsecurity DOT sophos DOT com into computer-friendly IP numbers that are needed to send and receive network packets on the internet.
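The outdated-record condition behind these hijacks is a CNAME that still points at a cloud hostname nobody holds any more. The following check is an added example, not code from the article or from the researcher mentioned; the zone records and resolver answers are constructed so it runs offline, and `fake_resolve` stands in for a real DNS lookup.

```python
from typing import Callable, Dict, Optional, Tuple
Answer = Optional[Tuple[str, str]]  # (rtype, value), or None for NXDOMAIN

# Constructed zone data, not a real company's records: (owner, type, target).
SAMPLE_RECORDS = [
    ("www.example.com", "CNAME", "example.com"),
    ("shop.example.com", "CNAME", "old-shop.cloud-host.example"),
    ("blog.example.com", "CNAME", "blog-alias.cloud-host.example"),
    ("mail.example.com", "A", "192.0.2.10"),
]

# Constructed answers: old-shop's cloud tenant is gone, but its CNAME remains.
FAKE_ANSWERS: Dict[str, Answer] = {
    "example.com": ("A", "192.0.2.1"),
    "blog-alias.cloud-host.example": ("CNAME", "blog-prod.cloud-host.example"),
    "blog-prod.cloud-host.example": ("A", "198.51.100.7"),
    "old-shop.cloud-host.example": None,
}

def fake_resolve(name: str) -> Answer:
    """Offline stand-in for a DNS lookup; swap in a real resolver to use this."""
    return FAKE_ANSWERS.get(name)

def find_dangling_cnames(records, resolve: Callable[[str], Answer],
                         max_hops: int = 8) -> Dict[str, str]:
    """Map each CNAME owner to the first NXDOMAIN name in its chain.

    Chains are followed hop by hop with a loop guard. A break anywhere leaves
    the owner aliased to a name nobody currently holds, which is what makes a
    takeover possible; such records should be removed or re-pointed.
    """
    dangling: Dict[str, str] = {}
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        seen, hop = set(), target
        while hop not in seen and len(seen) < max_hops:
            seen.add(hop)
            answer = resolve(hop)
            if answer is None:          # NXDOMAIN: dangling
                dangling[owner] = hop
                break
            if answer[0] != "CNAME":    # chain ends in address data: healthy
                break
            hop = answer[1]
    return dangling

if __name__ == "__main__":
    for owner, broken in find_dangling_cnames(SAMPLE_RECORDS, fake_resolve).items():
        print(f"{owner}: CNAME chain breaks at {broken}")
```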
Citrix Issues Critical Patches for 11 New Flaws Affecting Multiple Products
Citrix yesterday issued new security patches for as many as 11 security flaws that affect its Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WAN Optimization edition (WANOP) networking products.
Successful exploitation of these critical flaws could let unauthenticated attackers perform code injection, information disclosure, and even denial-of-service attacks against the gateway or the authentication virtual servers.
Citrix confirmed that the aforementioned issues do not impact other virtual servers, such as load balancing and content switching virtual servers.
Affected Citrix SD-WAN WANOP appliances include models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
First look: Microsoft's Project Freta detects Linux malware for free
Microsoft Research has announced a cloud-based malware detection service called Project Freta to detect rootkits, cryptominers, and previously undetected malware strains lurking in your Linux cloud VM images.
Mike Walker, Senior Director of New Security Ventures at Microsoft, stated in a blog post released by the company: “Project Freta is a roadmap toward trusted sensing for the cloud that can allow enterprises to engage in regular, complete discovery sweeps for undetected malware.”
Malware detection strategies rely on “sensors,” i.e., observations of certain activities on a system, drawn from a limited dataset, that predict the presence of a malware strain. However, this model is outrun by malware creators who, from time to time, find innovative ways to evade these predictive, sensor-based technologies.
The datasets collected so far on cyberattacks focus on what was detected by these “sensors” rather than what was missed. Project Freta aims to solve this problem by reversing the dataset.