Breaking News: Uber Slapped with €290 Million GDPR Fine by Dutch Regulator

The Dutch DPA Fines Uber for Data Privacy Violations

The Dutch Data Protection Authority (DPA) has set a record by issuing Uber a fine of €290 million (about $324 million). The penalty was imposed for Uber’s apparent non-compliance with the European Union’s (E.U.) data protection regulations, specifically when transmitting sensitive driver data to the United States.

Violation of European Union Data Protection Standards

In its investigation, the Dutch DPA uncovered that Uber had been transferring the personal data of European taxi drivers to the U.S. without taking adequate precautions to protect this information in line with the E.U. data protection standards. This oversight led to the imposition of the significant fine on the company.

The €290 million penalty serves as a strong warning to organizations handling personal data within the European Union, highlighting the severe consequences of failing to adhere to data protection regulations.

The Dutch DPA’s decision sends a clear message to companies operating within the E.U. that data privacy violations will not be tolerated, and substantial fines will be imposed on those found breaching these regulations.

Importance of Safeguarding Sensitive Data

Ensuring the security and privacy of sensitive data, especially when it involves personal information, is crucial for any organization. Failure to protect this data can not only result in severe financial penalties, as seen in the case of Uber, but also damage the trust and reputation of the company among its customers and stakeholders.

Companies must implement robust data protection measures, including encryption, access controls, and regular security audits, to safeguard sensitive information and comply with data protection laws and regulations.

Lessons for Organizations Handling Personal Data

The fine imposed on Uber by the Dutch DPA serves as a valuable lesson for organizations handling personal data, emphasizing the importance of prioritizing data protection and implementing stringent security measures to prevent violations and safeguard data privacy.

Organizations must conduct thorough assessments of their data processing activities, ensure compliance with relevant data protection laws, and prioritize the security of personal data to avoid facing similar fines and penalties.

Conclusion

The record €290 million fine imposed on Uber by the Dutch DPA underscores the significance of complying with data protection standards, particularly within the European Union. Organizations must prioritize data privacy, implement robust security measures, and adhere to regulatory requirements to protect sensitive information and avoid facing substantial fines and reputational damage.

Unpacking Slack Hacks: 6 Strategies for Securing Sensitive Data in Collaborative Environments

Disney’s Data Breach: A Wake-Up Call for Enhanced Security Measures


In a digital era where sensitive and critical data are constantly circulating through everyday business channels, the importance of robust security measures cannot be overstated. The recent data breach at Disney serves as a stark reminder of the potential consequences of lax security protocols. NullBulge, a notorious hacktivist group, infiltrated Disney’s internal Slack messaging channels, resulting in the theft of over 1.2 terabytes of confidential data.

The Impact of the Breach


The repercussions of the breach were severe, exposing Disney to significant risks and implications. The stolen data encompassed a wide range of sensitive information, raising concerns about the compromise of intellectual property, client details, and internal communications. Such a breach not only jeopardizes the organization’s reputation but also subjects it to legal repercussions and financial losses.

The Role of Encryption


One glaring issue highlighted by this incident is the inadequacy of encryption protocols employed by companies to safeguard their data. Basic security measures may no longer suffice in the face of increasingly sophisticated cyber threats. Encryption plays a vital role in protecting data both at rest and in transit, shielding it from unauthorized access and ensuring confidentiality.

The Importance of Proactive Security Measures


The Disney data breach underscores the critical need for proactive security measures in today’s digital landscape. Organizations must stay vigilant and continuously assess their security posture to detect and mitigate vulnerabilities before they are exploited. Implementing robust authentication mechanisms, conducting regular security audits, and fostering a culture of cybersecurity awareness are essential steps in fortifying defenses against potential attacks.

Lessons Learned and Moving Forward


As companies grapple with the aftermath of data breaches like the one experienced by Disney, there are valuable lessons to be learned to prevent similar incidents in the future. Strengthening encryption practices, enhancing employee training on cybersecurity best practices, and investing in advanced threat detection technologies are pivotal strategies to bolster resilience against cyber threats.

Conclusion


The data breach at Disney serves as a sobering reminder of the dangers posed by inadequate security measures in protecting sensitive information. By heeding the lessons from such incidents and proactively fortifying their defenses, organizations can mitigate risks and safeguard their critical data from malicious actors. In an era where cyber threats loom large, prioritizing robust security measures is imperative to ensure business continuity and protect valuable assets.

Research unveils more than 20 Supply Chain Weaknesses in MLOps Platforms

Cybersecurity Researchers Warn of Machine Learning Software Supply Chain Risks

Cybersecurity researchers have raised red flags on the security risks within the machine learning (ML) software supply chain. They have identified over 20 vulnerabilities that could potentially be exploited to target MLOps platforms, indicating a pressing need for enhanced security measures in this domain.

These vulnerabilities are categorized into two main types: inherent and implementation-based flaws. The exploitation of these flaws can lead to grave consequences, such as arbitrary code execution and unauthorized access to sensitive data.

The Dangers of Inherent and Implementation-Based Flaws

Inherent flaws refer to vulnerabilities that are present in the design or architecture of the ML software itself. These flaws can be leveraged by malicious actors to compromise the integrity of the system and exploit its functionalities for nefarious purposes.

On the other hand, implementation-based flaws stem from errors or oversights in the coding and deployment of the ML software. These flaws provide attackers with entry points to manipulate the software and gain unauthorized access, posing a significant threat to the security of MLOps platforms.

Implications of the Vulnerabilities

The presence of these vulnerabilities in MLOps platforms raises concerns about the overall security of the machine learning ecosystem. Given the increasing reliance on ML technologies in various industries, the exploitation of these vulnerabilities could have far-reaching consequences, including data breaches, system disruptions, and financial losses.

To mitigate these risks, cybersecurity experts emphasize the importance of implementing robust security measures throughout the ML software supply chain. This includes conducting thorough security assessments, implementing secure coding practices, and regularly updating and patching vulnerable software components.

Recommendations for Enhancing Security in the ML Software Supply Chain

In light of these vulnerabilities, organizations utilizing MLOps platforms are advised to take proactive steps to enhance the security of their systems. Some key recommendations include:

1. Conducting Regular Security Audits:

Organizations should regularly assess the security posture of their MLOps platforms to identify and address potential vulnerabilities proactively.

2. Implementing Secure Coding Practices:

Developers should follow best practices for secure coding to minimize the risk of introducing vulnerabilities during the development process.

3. Monitoring for Security Threats:

Continuous monitoring of MLOps platforms for potential security threats can help organizations detect and respond to incidents in a timely manner.

4. Collaborating with Security Experts:

Engaging with cybersecurity professionals can provide organizations with valuable insights and expertise to strengthen their security defenses against evolving threats.

By adopting these recommendations and prioritizing cybersecurity measures, organizations can better protect their MLOps platforms from malicious actors and safeguard the integrity of their machine learning operations.

Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

Traccar GPS Tracking System Vulnerabilities Overview

Two critical security vulnerabilities have recently been uncovered within the Traccar open-source GPS tracking system. These vulnerabilities could pose a significant risk, potentially allowing unauthorized parties to carry out remote code execution on affected systems. It is crucial for users of the Traccar system to be aware of these vulnerabilities and take appropriate measures to mitigate the associated risks.

Path Traversal Vulnerabilities

The vulnerabilities in question are classified as path traversal flaws. Path traversal vulnerabilities typically involve an attacker manipulating user input to access files or directories outside the intended scope of an application. In this case, the path traversal vulnerabilities in the Traccar system could be leveraged by malicious actors to execute arbitrary code on the targeted system.
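To make the path traversal class concrete from the defender's side, the following added illustration (not Traccar's code) places the naive join that the vulnerability class relies on beside a hardened resolver that confines every request to a base directory; the base directory and request paths are constructed for the example.

```python
"""
Vulnerable path join beside a hardened resolver.
Added illustration, not Traccar's code: the base directory and the request
paths used below are constructed for the example.
"""
import os
from typing import Optional
from urllib.parse import unquote


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """The pattern behind path traversal: the caller's segments are trusted,
    so '../' walks out of base_dir and an absolute path replaces it entirely."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path of user_path inside base_dir, or None if the
    request would land outside it."""
    # Decode twice so a double-encoded '%252e%252e%252f' does not survive.
    decoded = unquote(unquote(user_path))
    # NUL bytes and absolute paths are never legitimate relative file names.
    if "\x00" in decoded or decoded.startswith(("/", "\\")) or os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '.' and '..' segments and follows symlinks, so the
    # containment check below sees where the request really ends up.
    candidate = os.path.realpath(os.path.join(base, decoded))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # different drives on Windows share no prefix
        return None
    return candidate


def main() -> None:
    base = "/srv/media"  # constructed base directory
    for req in ("device/42.jpg", "..thumbs/1.jpg", "../etc/passwd",
                "%2e%2e%2fetc%2fpasswd", "/etc/passwd"):
        print(f"{req!r:26} unsafe={unsafe_resolve(base, req)!r:34} "
              f"safe={safe_resolve(base, req)!r}")


if __name__ == "__main__":
    main()
```

Note that a name merely starting with two dots (`..thumbs/1.jpg`) stays inside the base directory, so the check rejects escapes rather than blindly rejecting the substring `..`.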

Impact of Vulnerabilities

The potential impact of these vulnerabilities is particularly concerning, as remote code execution could allow an attacker to take full control of the affected system. This could lead to a variety of malicious activities, such as stealing sensitive data, disrupting operations, or using the compromised system as a launching pad for further attacks.

Exploitation and Mitigation

Guest Registration and Default Configuration

One key factor that could exacerbate the risk posed by these vulnerabilities is the default configuration of the Traccar system. Specifically, if guest registration is enabled, as it is by default in Traccar 5 and Horizon3.ai, attackers may have a more straightforward path to exploiting the vulnerabilities and achieving remote code execution.

Recommended Actions

To mitigate the risks associated with these vulnerabilities, users of the Traccar GPS tracking system are strongly advised to take the following actions:

– Disable guest registration: By disabling guest registration, users can limit the attack surface and reduce the likelihood of unauthorized access to the system.
– Update to the latest version: It is essential to ensure that the Traccar system is running the most up-to-date version available, as vendors often release patches to address security vulnerabilities.
– Monitor for suspicious activity: Regularly monitoring system logs and network traffic can help detect any signs of exploitation or unauthorized access, allowing for timely intervention.

Conclusion

In conclusion, the discovery of path traversal vulnerabilities in the Traccar GPS tracking system underscores the importance of proactive IT security practices. By staying informed about potential security threats, promptly applying patches and updates, and implementing robust access controls, organizations can enhance their security posture and reduce the risk of falling victim to malicious attacks.

NUMOZYLOD Malware Exploits MSIX Installers to Execute Malicious Code


Recent malware campaign using trojanized MSIX installers

It is well known that malicious campaigns increasingly rely on the most covert attack methods possible, aimed at a large community of unsuspecting users. In a recently discovered campaign, a rise in trojanized MSIX installers targeting users searching for business software was observed.

The threat group “eugenfest” and NUMOZYLOD

The campaign is run by the threat group “eugenfest” using a PowerShell script named NUMOZYLOD. This script is used to download additional malware onto victims’ systems.

NUMOZYLOD is part of a MaaS (Malware-as-a-Service) operation that distributes various malware families, including ICEDID, REDLINESTEALER, CARBANAK, LUMMASTEALER and ARECHCLIENT2. This highlights the growing trend of cooperation among attackers in the underground economy, where specialized tools and services are shared to maximize the effectiveness of attacks.

Abuse of MSIX as a distribution method

A recent investigation revealed that attackers are abusing MSIX as a covert way to bundle and distribute malware together with legitimate software. The investigation showed sophisticated use of MSIX packages: the package structure, including the files AppxManifest.xml, config.json, StartingScriptWrapper.ps1 and the VFS folders, was carefully designed to execute a malicious PowerShell script and gain initial access to targeted systems.

The NUMOZYLOD attack lifecycle

Use of malvertising to distribute trojanized MSIX installers

The attack group UNC4536 uses malvertising to distribute trojanized MSIX installers of popular programs that contain malicious code such as NUMOZYLOD. The code is executed with the help of the Package Support Framework (PSF) during the installation process.

The attackers abuse PSF’s ability to run scripts before or after the main application launches. By adding the configuration elements named startScript and endScript, they can covertly install malicious code on victims’ systems.

Building the package

Sophisticated structure and analysis of trojanized MSIX files

Analysis of the trojanized MSIX files revealed a highly sophisticated attack technique. The package structure, including AppxManifest.xml, config.json, StartingScriptWrapper.ps1 and the VFS folders, was carefully designed to execute a malicious PowerShell script.

The attackers used the ‘runFullTrust’ capability to bypass security controls and run with higher privileges. The VFS folder also contained files for later stages of the attack, such as a tool for decrypting downloaded payloads. The trojanized MSIX files were distributed through malvertising campaigns targeting unsuspecting users.
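Because an MSIX package is a zip archive, the structure described in the two passages above (the PSF startScript/endScript hooks and the runFullTrust capability) can be checked statically before anything is installed. The following added example is not code from the article's source or from the malware; it builds a constructed package that only mirrors the member names the article lists and triages it.

```python
"""
Static triage of an MSIX package for the PSF abuse pattern described above.
Added example, not code from the article's source or from the malware: the
package produced by build_sample_package() is constructed here and only
mirrors the member names the article lists.
"""
import io
import json
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

MANIFEST = "AppxManifest.xml"
PSF_CONFIG = "config.json"      # Package Support Framework configuration
PSF_HOOKS = ("startScript", "endScript")
RESCAP_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"


def triage_msix(package: bytes) -> Dict[str, object]:
    """Inspect an MSIX (a zip archive) without installing it and report the
    indicators the article describes: runFullTrust, PSF start/end scripts,
    bundled .ps1 files and staged VFS members."""
    findings: List[str] = []
    scripts: List[str] = []
    full_trust = False
    with zipfile.ZipFile(io.BytesIO(package)) as pkg:
        names = set(pkg.namelist())
        if MANIFEST in names:
            root = ET.fromstring(pkg.read(MANIFEST))
            # The capability element is namespaced, so match the local name.
            for el in root.iter():
                if el.tag.endswith("}Capability") and el.get("Name") == "runFullTrust":
                    full_trust = True
                    findings.append("runFullTrust declared: app runs outside the AppContainer sandbox")
        if PSF_CONFIG in names:
            cfg = json.loads(pkg.read(PSF_CONFIG))
            for app in cfg.get("applications", []):
                for hook in PSF_HOOKS:
                    path = (app.get(hook) or {}).get("scriptPath")
                    if path:
                        scripts.append(path)
                        findings.append(f"PSF {hook} executes {path} through StartingScriptWrapper.ps1")
        ps1 = sorted(n for n in names
                     if n.lower().endswith(".ps1") and n != "StartingScriptWrapper.ps1")
        vfs = sorted(n for n in names if n.startswith("VFS/"))
        if ps1:
            findings.append("bundled PowerShell scripts: " + ", ".join(ps1))
        if vfs:
            findings.append(f"{len(vfs)} file(s) staged under VFS/")
    # Start/end scripts are rare in ordinary installers; combined with
    # runFullTrust they match the trojanized-installer pattern.
    return {"suspicious": full_trust and bool(scripts), "scripts": scripts, "findings": findings}


def build_sample_package(trojanized: bool = True) -> bytes:
    """Construct an in-memory MSIX with the member layout the article names.
    With trojanized=False the same app ships without runFullTrust or a PSF
    script, which is what a clean package of this shape looks like."""
    caps = '<Capabilities><rescap:Capability Name="runFullTrust"/></Capabilities>' if trojanized else ""
    manifest = ('<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" '
                f'xmlns:rescap="{RESCAP_NS}">{caps}</Package>')
    app = {"id": "App", "executable": "VFS/ProgramFilesX64/App/app.exe"}
    if trojanized:
        # Script name quoted by the article; the content here is a placeholder.
        app["startScript"] = {"scriptPath": "Refresh2.ps1", "showWindow": False}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest)
        z.writestr(PSF_CONFIG, json.dumps({"applications": [app]}))
        z.writestr("StartingScriptWrapper.ps1", "# PSF wrapper stub (constructed)")
        if trojanized:
            z.writestr("Refresh2.ps1", "# placeholder standing in for the malicious script")
        z.writestr("VFS/ProgramFilesX64/App/app.exe", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("trojanized", build_sample_package()), ("clean", build_sample_package(False))):
        print(label, json.dumps(triage_msix(pkg), indent=2))
```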

The wrapper visibly executed the malicious PowerShell script “Refresh2.ps1” (NUMOZYLOD), specified in config.json

NUMOZYLOD and malware distribution

UNC4536, a malware distributor, uses NUMOZYLOD to deliver various payloads to its “business partners.” Two specific NUMOZYLOD variants were observed in campaigns, distributing CARBANAK and LUMMASTEALER.

In the CARBANAK campaign, NUMOZYLOD collected host information, downloaded CARBANAK and executed it via DLL search order hijacking. In the LUMMASTEALER campaign, a heavily obfuscated NUMOZYLOD variant delivered LUMMASTEALER.

Obfuscated NUMOZYLOD variant

Powerful obfuscation techniques

NUMOZYLOD uses multi-layered obfuscation techniques to evade detection. Despite these techniques, analysts can decode the malware and identify its malicious behaviour by analysing PowerShell script block logging and AMSI events.

It first disables AMSI to bypass security measures, then downloads and executes a second-stage payload from the C2 server, identified as LUMMASTE

Unveiling NGate: The Android Malware That’s Cloning Contactless Payment Cards

Cybersecurity researchers discover new Android malware targeting contactless payment data

In recent news, cybersecurity experts have detected a new strain of malware designed to steal contactless payment information from physical credit and debit cards using Android devices. This devious malware allows attackers to intercept victims’ payment data and transfer it to a device under their control, enabling them to carry out various fraudulent activities.

NGate: The new Android malware identified by Slovak cybersecurity firm

Referred to as NGate by the Slovak cybersecurity company that tracked its activities, this malicious software has been identified as part of a sophisticated crimeware campaign that specifically targeted three major banks in Czechia. The developers behind NGate have strategically engineered the malware to infiltrate Android devices and extract sensitive payment data, posing a significant threat to users who rely on contactless payment methods.

The cunning tactics employed by cybercriminals through NGate underscore the ever-evolving landscape of cybersecurity threats, emphasizing the critical importance of remaining vigilant and implementing robust security measures to safeguard personal and financial information.

The Impact of NGate Malware

The NGate malware poses a severe risk to individuals who utilize contactless payment technology, as it enables threat actors to gather payment details from physical cards and exploit them for illicit purposes. By compromising Android devices, attackers can intercept and transmit sensitive information without the victims’ knowledge, potentially resulting in financial losses and identity theft.

Furthermore, the targeted nature of the NGate campaign against specific banks in Czechia highlights the deliberate and calculated approach taken by cybercriminals to maximize their profits and circumvent security defenses. This development serves as a stark reminder of the constant threat posed by sophisticated malware variants and the need for proactive cybersecurity measures to mitigate risks effectively.

Protecting Against Android Malware Attacks

To safeguard against the increasing prevalence of Android malware and similar threats, users are advised to adopt the following security practices:

1. Regularly update device software and applications to patch vulnerabilities and enhance protection against malware infections.
2. Exercise caution when downloading apps from third-party sources and only install applications from trusted sources.
3. Enable security features such as two-factor authentication and device encryption to secure personal data and prevent unauthorized access.
4. Install reputable antivirus software and conduct routine scans to detect and remove malicious software from Android devices.
5. Stay informed about emerging cybersecurity threats and trends to stay ahead of potential risks and take proactive measures to protect personal information.

By implementing these proactive security measures and remaining vigilant against the evolving tactics of cybercriminals, users can fortify their defenses against Android malware attacks and minimize the risk of falling victim to malicious activities targeting contactless payment data.

Unveiling the Stealthy Linux Malware ‘sedexp’ Concealing Credit Card Skimmers with Udev Rules

The Stealthy Linux Malware Sedexp Unveiled

Cybersecurity experts have recently unearthed an insidious new strain of Linux malware known as sedexp. This malicious software employs a rather unorthodox method to secure its position on compromised devices while discreetly concealing credit card skimmer code. The discovery is credited to Aon’s Stroz Friedberg incident response services team, who codenamed the threat sedexp. The financially motivated threat actor behind it has been meticulously fine-tuning this stealthy malware since the start of 2022.

A Cloak of Persistence and Concealment

Sedexp’s distinguishing feature lies in its ability to establish a persistent foothold on Linux systems through a method that diverges from conventional malware tactics. Its sophisticated approach allows it to remain undetected for prolonged periods, amplifying the risk it poses to infected systems. This stealthy trait enables sedexp to operate surreptitiously, executing its malevolent activities under the radar.

A Nefarious Objective

At the core of sedexp’s design is its purpose to conceal credit card skimmer code. By flying under the radar and maintaining a low profile, the malware can harvest sensitive financial information without arousing suspicion. This insidious functionality further underscores the malicious intent behind sedexp, highlighting the threat it poses to both individuals and organizations.

The Cat-and-Mouse Game of Cybersecurity

The emergence of sedexp underscores the perpetual cat-and-mouse game between cybercriminals and cybersecurity professionals. As threat actors continue to evolve their tactics to evade detection and maximize their malicious objectives, cybersecurity experts must remain vigilant and adaptive to counter these emerging threats effectively. The discovery of sedexp serves as a sobering reminder of the ever-evolving landscape of cybersecurity and the critical importance of staying ahead of threat actors.

Staying Ahead of the Curve

To defend against sophisticated threats like sedexp, organizations and individuals must prioritize robust cybersecurity measures. This includes implementing strong access controls, regularly updating software and systems, conducting thorough security audits, and educating users on best practices for maintaining a secure digital environment. By adopting a proactive and comprehensive approach to cybersecurity, individuals and organizations can fortify their defenses against malware strains like sedexp and mitigate the associated risks effectively.

Collaboration and Information Sharing

In the realm of cybersecurity, collaboration and information sharing play a pivotal role in combating evolving threats. By fostering a community-driven approach to cybersecurity, experts can collectively pool their knowledge and resources to identify, analyze, and neutralize new malware strains like sedexp. This collaborative effort is essential in enhancing overall cyber resilience and equipping stakeholders with the insights needed to stay one step ahead of threat actors.

In conclusion, the discovery of sedexp highlights the intricate challenges that cybersecurity professionals face in safeguarding digital assets against evolving threats. By maintaining vigilance, embracing innovation, and fostering collaboration, the cybersecurity community can effectively thwart malicious actors and uphold the integrity of the digital landscape.

MegaMedusa: The DDoS Tool Stirring Up a Storm in the Hacker World


The pro-Palestinian and pro-Muslim hacktivist group RipperSec carries out new “mega” cyberattacks with its MegaMedusa tool

The pro-Palestinian and pro-Muslim Malaysian hacktivist group RipperSec, founded in June 2023, has gathered more than 2,000 subscribers on its Telegram channel.

RipperSec collaborates with international groups such as Tengkorak Cyber Crew and Stucx Team and engages in cyberattacks such as data breaches, website defacements and distributed denial-of-service (DDoS) attacks.

Its main targets are countries it perceives as supporters of Israel, with the aim of disrupting operations, drawing attention to itself and expressing solidarity with Palestinian and Muslim causes.

The RipperSec group claimed responsibility for 196 DDoS attacks on Israel, India, the USA, the United Kingdom and Thailand between January and August 2024.

MegaMedusa, a publicly available web DDoS tool developed by RipperSec, was used to carry out these attacks. Implemented in Node.js, it takes advantage of Node’s asynchronous, non-blocking I/O to handle many network connections efficiently, which makes it a powerful weapon for large-scale DDoS attacks.

It has primarily attacked government, educational, business and financial websites, indicating a preference for critical infrastructure.

MegaMedusa uses various randomization techniques to disguise its attack requests, making them difficult to detect and mitigate, including randomizing headers, request paths, methods, cookies, IP addresses, TLS/SSL configurations, HTTP/2 settings and proxy usage.

In addition, the tool supports open proxies and offers aggregators for obtaining fresh proxy lists from publicly available sources, which makes MegaMedusa a powerful tool for carrying out distributed denial-of-service (DDoS) attacks.

MegaMedusa claims to bypass security challenges, including CAPTCHAs, but its implementation is limited: it relies primarily on randomization and proxy usage to evade detection rather than actually solving CAPTCHAs.

While it includes some basic elements of CAPTCHA handling, it lacks advanced capabilities such as machine learning or browser automation. The RipperSec group likely uses more sophisticated versions of MegaMedusa, as its promotional video suggests.

Web DDoS attacks use proxies to hide the origin of requests and bypass detection mechanisms. Proxies act as intermediaries, establishing a TCP connection to the target and forwarding requests.

Node.js libraries such as https-proxy-agent simplify proxy implementation, but MegaMedusa uses a native approach for greater control, allowing attackers to generate a large number of requests from different locations, overwhelming targets and disrupting services.

Improvements to the HTTP protocol, such as pipelining and multiplexing, have increased the efficiency of attacks. While pipelining is limited by head-of-line blocking, multiplexing allows concurrent requests over a single TCP connection.

Vulnerabilities such as HTTP/2 Rapid Reset and HTTP/2 CONTINUATION exploited these improvements for DDoS attacks. Open and commercial proxies, often compromised residential devices or servers, provide attackers with residential IP addresses, allowing them to evade detection.

Hackers exploited misconfigured AWS .env files to attack 110,000 domains.


Cloud under attack: hackers exploited misconfigured AWS .env files for large-scale attacks

Attackers exploited environment variables exposed in misconfigured AWS .env files to lock up data stored in S3 buckets. Using automation, they targeted more than 100,000 domains.

Security failures highlight the importance of robust authentication

Their success was the result of several security failures by cloud users, including the use of long-lived credentials and the lack of a least-privilege architecture. These cases highlight the importance of robust authentication and access controls, data encryption, secure configuration management and comprehensive monitoring and logging in cloud environments to reduce such attacks.

Initially, the attackers gained access to organizations’ AWS environments and then scanned more than 230 million unique targets for sensitive data. They focused on 110,000 domains and obtained more than 90,000 unique variables from .env files, of which 7,000 were related to cloud services and 1,500 to social media accounts.

Multi-layered infrastructure made the attacks effective

Using a multi-layered infrastructure, the attackers leveraged VPS endpoints, the Tor network and VPNs for reconnaissance, initial access, lateral movement and data exfiltration.

Threat actors exploit the widespread exposure of .env files to gain unauthorized access to sensitive information. These files often contain hard-coded credentials and are publicly hosted on unsecured web applications, making them easy targets for attackers.

Amazon Web Services and inadequate security

Recent campaigns have demonstrated the effectiveness of this technique, with attackers successfully obtaining AWS IAM access keys from exposed .env files. The attackers used these credentials to gain initial access to victims’ cloud environments.

Although the credentials did not grant administrative access to all resources, the attackers were able to escalate their privileges. By exploiting the permission to create and modify IAM roles and policies, they created new IAM resources with unrestricted access.

Before escalating their privileges, the attackers used the GetCallerIdentity API to verify the identity and permissions associated with the compromised credentials.

Use of AWS API requests and Lambda functions

Initially, they used the AWS API requests ListUsers and ListBuckets to gather information about the target AWS account. They then escalated their privileges by creating a new IAM role and attaching the AdministratorAccess policy to it.

Although they failed to create EC2 stack infrastructure, they successfully created AWS Lambda functions using the CreateFunction20150331 API call, which they used to run a bash script that searched for further targets in the account.
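The sequence of calls just described maps directly onto CloudTrail event names, which makes it usable as a detection signature. The following added example (not code from Cyble or the article's source) runs that logic over constructed CloudTrail-style events; the key IDs, IP addresses and timestamps are invented for the illustration, and the AKIA/ASIA prefix distinction used to flag long-lived keys is AWS's standard access key naming.

```python
"""
Detection of the credential-abuse chain described above, run over
constructed CloudTrail-style events. Added example, not Cyble's or the
campaign's code; every key, IP address and timestamp below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Stages named in the article, in the order the attackers used them.
RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
LAMBDA_CREATE = "CreateFunction20150331"   # CloudTrail eventName for lambda:CreateFunction
WINDOW = timedelta(hours=2)                # recon-to-escalation span that raises an alert


def _event(ts: str, source: str, name: str, key: str, ip: str, params: Optional[Dict] = None) -> Dict:
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "accessKeyId": key, "sourceIPAddress": ip, "requestParameters": params}


# Constructed sample: one long-lived key (AKIA prefix) walking the full chain from
# two source addresses, and one temporary key (ASIA prefix) doing routine listing.
SAMPLE_EVENTS = [
    _event("2024-08-15T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLE0000000001", "198.51.100.7"),
    _event("2024-08-15T10:01:10Z", "iam.amazonaws.com", "ListUsers", "AKIAEXAMPLE0000000001", "198.51.100.7"),
    _event("2024-08-15T10:02:30Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLE0000000001", "198.51.100.7"),
    _event("2024-08-15T10:05:00Z", "iam.amazonaws.com", "CreateRole", "AKIAEXAMPLE0000000001", "203.0.113.9",
           {"roleName": "lambda-ex"}),
    _event("2024-08-15T10:05:40Z", "iam.amazonaws.com", "AttachRolePolicy", "AKIAEXAMPLE0000000001", "203.0.113.9",
           {"roleName": "lambda-ex", "policyArn": ADMIN_POLICY}),
    _event("2024-08-15T10:09:00Z", "lambda.amazonaws.com", LAMBDA_CREATE, "AKIAEXAMPLE0000000001", "203.0.113.9",
           {"functionName": "scan"}),
    _event("2024-08-15T11:00:00Z", "s3.amazonaws.com", "ListBuckets", "ASIAEXAMPLE0000000002", "192.0.2.20"),
]


def find_escalation_chains(events: List[Dict]) -> List[Dict]:
    """Group events by access key and alert when a key that performed
    reconnaissance attaches AdministratorAccess within WINDOW of it."""
    by_key: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_key[ev["accessKeyId"]].append(ev)
    alerts: List[Dict] = []
    for key, evs in by_key.items():
        recon_start: Optional[datetime] = None
        stages: List[str] = []
        admin_attached = lambda_created = False
        for ev in evs:
            name = ev["eventName"]
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            if name in RECON_CALLS:
                if recon_start is None:
                    recon_start = ts
                stages.append(name)
                continue
            if recon_start is None or ts - recon_start > WINDOW:
                continue  # only escalation that follows recon within WINDOW counts
            params = ev.get("requestParameters") or {}
            if name == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
                admin_attached = True
                stages.append(name)
            elif name == LAMBDA_CREATE:
                lambda_created = True
                stages.append(name)
            elif name == "CreateRole":
                stages.append(name)
        if admin_attached:
            alerts.append({
                "accessKeyId": key,
                # AKIA = long-term IAM user key, ASIA = temporary STS credential
                "long_lived_key": key.startswith("AKIA"),
                "lambda_created": lambda_created,
                "stages": stages,
                "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_escalation_chains(SAMPLE_EVENTS):
        print(alert)
```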

Raising awareness of risks and best practices for cloud security

The cloud extortion campaign highlights the risks of neglecting cloud security best practices. Exposed .env files containing sensitive information such as API keys and credentials can be exploited by malicious actors.

To reduce these risks, organizations should avoid storing .env files in version control, use environment variables, implement robust access controls, carry out regular audits and use secrets management tools.

💡 Tip of the day: Regularly review and update the security configuration of your cloud services and avoid storing important credentials in a publicly accessible form.

Campaign analysis

The analysis of the campaign conducted by Cyble revealed potential indicators of compromise (IOCs) in various categories. A single URL associated with a Lambda function may seem harmless. However, a significant number of IP addresses were flagged, including Tor exit nodes, VPS endpoints and VPN endpoints.

These IP addresses suggest that the campaign may be using anonymization services and compromised servers to hide its origin and activity. In addition, a SHA256 hash was identified for a script named Lambda.sh, which can be used for further investigation.


News source: cyberpress.org

Chinese Hackers Are Exploiting Today’s Most Dangerous Vulnerabilities


A computer security failure: Chinese hackers exploit zero-day flaws

In recent days, Chinese hackers have discovered and exploited zero-day flaws in computer systems, posing a major threat to users. Zero-day flaws are flaws that are not yet known or published, which means they cannot be prevented with standard security software.

Disclosure of the vulnerabilities

The flaws were found in various programs, including Microsoft Office, Adobe Reader and Chrome. This means hackers could exploit them to access personal data and other sensitive information. The vulnerabilities arose from coding errors that gave hackers access to systems.

The discovery of these vulnerabilities means users must pay special attention to security settings and use the latest versions of programs. They should also use security software such as antivirus and firewalls to prevent hacker access.

The Chinese hacking group

Chinese hackers are known for their aggressive and sophisticated methods, so users must be especially attentive to security settings, keep their software up to date and use security software such as antivirus and firewalls.

The Chinese hacking group responsible for these attacks has shown a high level of skill and planning, which further complicates the situation. Their ability to identify and exploit flaws before security patches are released means the detected threats are far more dangerous than usual.

Protective measures

For users this means paying even more attention to security settings and using the latest versions of programs. They should also use security software such as antivirus and firewalls to prevent hacker access. Regular software updates are crucial, as vendors release patches that can close these vulnerabilities.

In addition, it is advisable to use two-factor authentication (2FA), which provides an extra layer of protection. Regularly checking for unusual activity on your device and in your accounts can also help detect potential intrusions early. It is also important not to open suspicious links or attachments in e-mail, as they may contain malware.

💡 Tip of the day: Update your software regularly and turn on two-factor authentication to protect your accounts.

Advisories and public notices

Public notices from the responsible organizations, such as Microsoft, Adobe and Google, also play an important role in protecting users. These organizations have already released security patches, but some vulnerabilities still remain. It is therefore important that users follow these organizations’ guidance and update their systems regularly.

Effectiveness of security software

In the past we have often seen effective security software resolve the situation, but this time it is not enough. It is therefore crucial to recognize the importance of security updates and apply them regularly. Working firewalls and up-to-date antivirus remain the first line of defence, but other measures must be added for comprehensive protection.

For better protection against such attacks there is also the option of using VM (virtual machine) technology, which separates the operating system from the main system. This reduces the risk of indirect access through vulnerabilities in software. Least-privilege access to information is also recommended, meaning users have access only to the resources they really need.

Conclusion

The situation users around the world find themselves in because of zero-day flaws is serious and requires immediate action. Chinese hackers are able to exploit every opportunity, so all users must be especially careful. Regular software updates, the use of advanced security solutions and following public advisories are steps we must take to ensure the security of our data and information.

In this uncertain period it is crucial that we cooperate with organizations responsible for information security, listen to their advice and do not underestimate the dangers posed by zero-day flaws.

News source URL: https://cybersecuritynews.com/chinese-hackers-exploiting-zero-day/
