Researchers are warning about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data.

Cameron Camp had purchased a Juniper SRX240H router last year on eBay, to use in a honeypot network he was building to study remote desktop protocol (RDP) exploits, and attacks on Microsoft Exchange and industrial control systems (ICS) devices. When the longtime security researcher at Eset booted up the secondhand Juniper router, to his surprise it displayed a hostname.

After taking a closer look at the device, Camp contacted Tony Anscombe, Eset's chief security evangelist, to alert him to what he found on the router. "This thing has a whole treasure trove of Silicon Valley A-list software company information on it," Camp recalls telling Anscombe.

"We got very, very concerned," Camp says.

Camp and Anscombe decided to test their theory that this could be the tip of the iceberg for other decommissioned routers still harboring information from their previous owners' networks. They purchased several more decommissioned core routers — four Cisco Systems ASA 5500, three Fortinet FortiGate, and 11 Juniper Networks SRX Series Services Gateway routers.

After dropping a few from the mix after one failed to power up and another two were actually mirrored routers from a former cluster, they found that nine of the remaining 16 held sensitive core networking configuration information, corporate credentials, and data on corporate applications, customers, vendors, and partners. The applications exposed on the routers were from big-name software vendors used in many enterprises: Microsoft Exchange, Lync/Skype, PeopleSoft, Salesforce, Microsoft SharePoint, Spiceworks, SQL, VMWare Horizon View, voice over IP apps, File Transfer Protocol (FTP), and Lightweight Directory Access Protocol (LDAP) applications.

These network backbone devices in essence contained digital blueprints of the previous owner organizations' networks, including Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Open Shortest Path First (OSPF) routing information. The researchers "found complete layouts of various organizations' inner workings" that, in the hands of threat actors, would provide a network topology map for attack, according to the Eset researchers' white paper on the router research, released Tuesday.

The routers contained one or more set of IPSec or VPN credentials, or hashed root passwords, and each had sufficient data for the researchers to identify the actual previous owner/operator of the device. Nearly 90% included router-to-router authentication keys and details on applications connected to the networks, some 44% had network credentials to other networks (such as a supplier or partner), 33% included third-party connections to the network, and 22% harbored customer information.

"I have the entire network topology of their core infrastructure, both internal and external, like cloud assets," for example, Camp says.

Camp says the discovery was a far cry from the malware he typically studies, and a lot less work for an attacker who happened upon one of these unwiped routers. "I don't need a zero day, I have your router," quips Camp.

Abscombe and Camp say they hope to alert enterprises on the proper disposal of critical network routers when they present their findings at the RSA Conference next week.

"They are the intersection upon everything that happens in your organization," Camp says of core routers. "Everything touches the router," including many cloud services, he adds.

Recycled and repurposed computing equipment traditionally has been a fraught area. Hard drives, mobile devices, and printers over the years have been found improperly cleansed of sensitive data. In 2019, a study conducted by Rapid7 found just two out of 85 devices had been properly wiped before they were handed off to secondhand sellers or recycling services. But decommissioned and unwiped routers pose a deeper level of security risk due to the vast amount of infrastructure information they hold.

**'Creepy' Interface**

Among the organizations whose information was exposed were a manufacturing company, a US law firm, managed services providers, an open source software firm, an events company, a telecommunications equipment supplier, a global data company, and a creative services company. Eset did not disclose the names of the organizations, but the researchers confirmed that they contacted all of them.

The Silicon Valley software vendor was quick to respond, even awarding Camp a bug bounty that he then donated to the Electronic Freedom Foundation and the Tor Project. But that was the researchers' easiest disclosure.

"Once we stepped outside of the tech \[sector\], it was incredibly different" and harder to disclose our findings, Anscombe notes. The other organizations didn't have processes or even people available to handle the disclosure information, he says.

Meanwhile, one of the unwiped routers contained what Camp describes as a "creepy" remote administration interface.

"I was never sure if it was on purpose, but it was creepy, very low-level access, and from one of the countries with flags that we're \[the US\] not happy with right now," he says. "It could be totally legit or that could be really bad. It was a little edgy to me."

**How to Securely Dispose of a Core Router**

So how do you wipe a router that you want to retire? The good news is most routers are fairly easy to securely decommission, and the big three — Cisco, Fortinet, and Juniper — on their websites provide detailed guidelines for restoring devices to their factory default settings.

With Juniper routers, for example, wiping the device is simple: "Going to config setting and type 'delete,' hit 'Y' \[to confirm\] and now that router doesn't know who it is anymore," Camp says. The entire wiping process takes less than five minutes, including the post-deletion reboot.

And if your organization already had disposed of routers that weren't properly wiped, Eset recommends rotating cryptographic keys in case an attacker were to get their hands on your old router and attempt to gain trusted access to your network. Zero trust can help here as well, they say.

But that's still no guarantee that a malicious actor who buys your old router still couldn't use it to target your organization. "Even if somebody goes and changes the credentials of the accounts being cached in router, potentially \[the attacker has\] got the app lists, so \[they\] can tell what apps are run internally locally or in the cloud," Abscombe says.

That gives the attacker just enough intel to plan a targeted attack, according to Abscombe. "If I know they're running \[a specific version of\] Exchange and that version had a CVE and they had not applied the patch … I suddenly know things about their network that can make them vulnerable," he says.

If you buy a secondhand core router, and, like the researchers, find that it still contains the previous owner's information, Eset recommends disconnecting the router and moving it to a secured area and contacting your regional CISA office. They also say it's best to document your purchase process as a precaution for insurance or legal purposes.

Recycled Core Routers Expose Sensitive Corporate Network Info

More than half of the enterprise routers researchers bought secondhand hadn’t been wiped, exposing sensitive info like login credentials and customer data.

You know that you're supposed to wipe your smartphone or laptop before you resell it or give it to your cousin. After all, there's a lot of valuable personal data on there that should stay in your control. Businesses and other institutions need to take the same approach, deleting their information from PCs, servers, and network equipment so it doesn't fall into the wrong hands. At the RSA security conference in San Francisco next week, though, researchers from the security firm ESET will present findings showing that more than half of secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. And the devices were brimming with network information, credentials, and confidential data about the institutions they had belonged to.

The researchers bought 18 used routers in different models made by three mainstream vendors: Cisco, Fortinet, and Juniper Networks. Of those, nine were just as their owners had left them and fully accessible, while only five had been properly wiped. Two were encrypted, one was dead, and one was a mirror copy of another device. 

All nine of the unprotected devices contained credentials for the organization's VPN, credentials for another secure network communication service, or hashed root administrator passwords. And all of them included enough identifying data to determine who the previous owner or operator of the router had been. 

Eight of the nine unprotected devices included router-to-router authentication keys and information about how the router connected to specific applications used by the previous owner. Four devices exposed credentials for connecting to the networks of other organizations—like trusted partners, collaborators, or other third parties. Three contained information about how an entity could connect as a third party to the previous owner's network. And two directly contained customer data.

“A core router touches everything in the organization, so I know all about the applications and the character of the organization—it makes it very, very easy to impersonate the organization,” says Cameron Camp, the ESET security researcher who led the project. “In one case, this large group had privileged information about one of the very large accounting firms and a direct peering relationship with them. And that’s where to me it starts to get really scary, because we’re researchers, we’re here to help, but where are the rest of those routers?" 

The big danger is that the wealth of information on the devices would be valuable to cybercriminals and even state-backed hackers. Corporate application logins, network credentials, and encryption keys have high value on dark web markets and criminal forums. Attackers can also sell information about individuals for use in identity theft and other scamming. 

Details about how a corporate network operates and the digital structure of an organization are also extremely valuable, whether you're doing reconnaissance to launch a ransomware attack or plotting an espionage campaign. For example, routers may reveal that a particular organization is running outdated versions of applications or operating systems that contain exploitable vulnerabilities, essentially giving hackers a road map of possible attack strategies. And the researchers even found details on some routers about the physical building security of the previous owners' offices.

Since secondhand equipment is discounted, it would potentially be feasible for cybercriminals to invest in purchasing used devices to mine them for information and network access and then use the information themselves or resell it. The ESET researchers say that they debated whether to release their findings, because they didn't want to give cybercriminals new ideas, but they concluded that raising awareness about the issue is more pressing. 

“One of the big concerns I have is that, if somebody evil _isn’t_ doing this, it's almost hacker malpractice, because it would be so easy and obvious,” Camp says.

Eighteen routers is a tiny sample out of the millions of enterprise networking devices circulating around the world on the resale market, but other researchers say they've repeatedly seen the same issues in their work as well.

“We’ve purchased all sorts of embedded devices online on eBay and other secondhand sellers, and we’ve seen a lot that have not been digitally wiped,” says Wyatt Ford, engineering manager at Red Balloon Security, an internet-of-things security firm. “These devices can contain troves of information that can be used by bad actors in targeting and carrying out attacks.”

As in the ESET findings, Ford says that Red Balloon researchers have found passwords and other credentials and personally identifying information. Some data like usernames and configuration files are usually in plaintext and easily accessible, while passwords and configuration files are often protected because they are stored as scrambled cryptographic hashes. But Ford points out that even hashed data is still potentially at risk.  

“We’ve taken password hashes found on a device and cracked them offline—you’d be surprised how many people still base their passwords off their cats,” he says. “And even things that seem innocuous like source code, commit history, network configurations, routing rules, et cetera—they can be used to learn more about an organization, its people, and its network topology.”

The ESET researchers point out that organizations may think they're being responsible by contracting with outside device-management firms. e-waste disposal companies, or even device-sanitization services that claim to wipe big batches of enterprise devices for resale. But in practice, these third parties may not be doing what they claim. And Camp also notes that more organizations could take advantage of encryption and other security features that are already offered by mainstream routers to mitigate the fallout if devices that haven't been wiped end up loose in the world.

Camp and his colleagues tried to contact the old owners of the used routers they bought to warn them that their devices were now out in the wild spewing their data. Some were grateful for the information, but others seemed to ignore the warnings or offered no mechanism through which researchers could report security findings.

“We used trusted channels that we had to some companies, but then we found a lot of other companies are far more difficult to get a hold of,” Camp says. “Frighteningly so.”

Used Routers Often Come Loaded With Corporate Secrets

Categories: News
Categories: Ransomware
Tags: LockBit

Tags:  ransomware

Tags:  Patrick Wardle

Tags:  macOS ransomware

Tags:  first Mac ransomware

Tags:  Azim Khodjibaev

Tags:  BleepingComputer

Tags:  Mark Stockley

With plans to offer more ransomware, LockBit has just created a variant for macOS. But, as experts have pointed out, it's hardly ready for anything.



(Read more...)




The post LockBit ransomware on Mac: Should we worry? appeared first on Malwarebytes Labs.

News broke over the weekend that ransomware gang LockBit had begun targeting Mac users, triggering some concern in the Apple community. But have no fear: Apple security experts have dissected the ransomware, taking a deep dive into what it can and cannot do, and concluded that it is, actually, toothless.

"Yes, it can indeed run on Apple Silicon. That is basically the extent of its impact," said Patrick Wardle (@patrickwardle), known macOS cybersecurity expert and founder of the non-profit, Objective-See. "macOS users have nothing to worry about."

Here's why.

**The signature is invalid**

Using a utility called _codesign_, Wardle saw that the payload's signature value is "ad-hoc" compared to an Apple Developer ID. Because the signature is invalid, macOS won't execute it.

  
If you're brave enough to run the payload on your macOS, you'll be met with this message, says Wardle. (Source: Objective-See)

**The encryptor is likely a test file**

Azim Khodjibaev (@AShukuhi), a security researcher at Cisco Talos, floated the theory to BleepingComputer that the encryptors designed for macOS were "meant as a test and were never intended for development in live cyberattacks."

Wardle further confirmed this theory, stating the malware is far from complete. Indicators in the malware's code suggest it's Linux-based but compiled for macOS with basic configuration settings included. The code also shows its developers have yet to consider macOS's TCC (Transparency, Consent, and Control) and SIP (System Integrity Protection), two security features meant to protect user files and folders.

With TCC and SIP present, the ransomware will only be able to encrypt a little, if at all.

**The code is buggy and will crash**

Laying further credence to the test file theory, Wardle found the macOS payload contains a buffer overflow, which will cause it to crash when executed.

**No worries for now!**

Apple users can rest easy knowing that this macOS ransomware, as it is now, will hardly impact anyone. However, as Wardle quickly pointed out, this may be different in future releases.

"The fact that a large ransomware gang has apparently set its sights on macOS should give us pause for concern and also catalyze conversations about detecting and preventing this (and future) samples in the first place," he says in his blog.

With LockBit operating as a ransomware-as-a-service (RaaS) outfit, its ambition is to offer a range of ransomware. Currently, we have at least two available offerings: LockBit Black (based on BlackMatter's code) and LockBit Green (based on Conti's code). So expanding to target systems outside its repertoire is not only a logical move but also strategic.

"For most organizations, the main takeaway is Macs are probably safe, for now, but your Windows servers were always the prime target anyway," says Malwarebytes Security Evangelist Mark Stockley. However, Mark warned:

> "You're only safe until you're not, and there's no timeline on getting this working. We won't get a warning in advance, we'll just hear (probably from LockBit itself) that an organization with lots of Macs has been turned over. So...what are you going to do if you have lots of Macs in your organization? Wait for the horse to bolt and _then_ shut the door, or shut the door now?"

In an interview with BleepingComputer, LockBit's public-facing representative LockBitSupp says the Mac encryptor is "actively being developed."

LockBit was by far the most dominant ransomware in 2022, and hasn't slowed down in 2023, which is why it's one of the five threats you can't afford to ignore in the Malwarebytes 2023 State of Malware report.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

LockBit ransomware on Mac: Should we worry?

Learning how to break the latest AI models is important, but security researchers should also question whether there are enough guardrails to prevent the technology's misuse.

Samsung has banned some uses of ChatGPT, Ford Motor and Volkswagen shuttered their self-driving car firm, and a letter calling for a pause in training more powerful AI systems has garnered more than 25,000 signatures.

Overreactions? No, says Davi Ottenheimer, the vice president of trust and digital ethics at Inrupt, a startup creating digital identity and security solutions. A pause is needed to develop better approaches to testing, not just of the security, but the safety of machine-learning and artificial-intelligence models. These include ChatGPT, self-driving vehicles, and autonomous drones.

A steady stream of security researchers and technologists have already found ways to circumvent protections placed on AI systems, but society needs to have broader discussions about how to test and improve safety, say Ottenheimer, who will give a presentation on the topic at the RSA Conference in San Francisco next week.

"Especially from the context of a pentest, I'm supposed to go in and basically assess \[an AI system\] for safety, but what's missing is that we're not making a decision about whether it is safe, whether the application is acceptable," he says. A server's security, for example, does not speak to whether the system is safe "if you are running the server in a way that's unacceptable ... and we need to get to that level with AI."

With the introduction of ChatGPT in November, interest in artificial intelligence and machine learning — already surging due to applications in the data science field — took off. The eerie capabilities of the large language model (LLM) to seemingly understand human language and to synthesize coherent responses has led to a surge in proposed applications based on the technology and other forms of AI. ChatGPT has already been used to triage security incidents,  and a more advanced LLM forms the core of Microsoft's Security Copilot.

Yet the generative pre-trained transformer (GPT) is just one form of AI model, and all of them can have significant problems with bias, false positives, and other issues.

**Exploiting Robots Is Easy**

These shortcomings, and a general lack of explainability in AI models, means that any model can be attacked in ways that the creators may not have imagined, Inrupt's Ottenheimer will say in his RSA Conference presentation, Pentesting AI: How to Hunt a Robot. If AI models are quickly adopted without adequate study, they may make their way into critical application, where they could be attacked or fail spectacularly, he says.

"It's actually super easy to make them fail," Ottenheimer says. "Most people are looking at it as, 'Can I fool it in this one area?' but that's not the discussion you should be having, because — oh my god — you're using this technology in a totally inappropriate way."

Recent research demonstrates how simple attacking AI can be. Asking ChatGPT to mimic specific people, also known as assigning it a persona, can result in the AI model breaking its guardrails, according to a team of researchers from the Allen Institute for AI, the Georgia Institute of Technology, and Princeton University. The researchers had ChatGPT assume a variety of personas, and even a general persona — such as a "bad person" — can result in the large language model using toxic language, the team stated in a paper published on April 11.

With a plethora of products already shipping using ChatGPT, the researchers warn that it can unexpectedly result in harmful behavior.

"We hope that our findings inspire the broader AI community to rethink the efficacy of current safety guardrails and develop better techniques that lead to robust, safe, and trustworthy AI systems," the researchers stated in their paper.

**Time to Turn Off the Tech & Do a Reset**

Ottenheimer breaks down AI tests into six categories based on the traditional CIA triad: Confidentiality, integrity, and availability. False positives, for example, can lead to significant costs for society, such as emergency responders who are overtaxed because skiers' Apple watches are dialing 9-1-1 due to jarring runs down slopes. The academic research on using personas to jailbreak ChatGPT's content protections is similar to other research, which created a persona DAN (Do Anything Now) that allowed users to bypass safeguards.

Companies and researchers need to find ways to do a hard reset of such systems, to purge any toxic inputs, but at the same time teach the AI to take such actions in the future.

"You actually have to reset it, such that the harms don't happen again, or you have to reset it in a way that the harms can be undone," Ottenheimer says.

Finally, the threat to privacy is a significant threat as well as large language models use a vast data set, typically copied from the Internet, without the permissions of the publishers of that data. Italy has given OpenAI until the end of April to find ways to protect people's data and allow correction or deletion. And the efforts may grow as the European Data Protection Board (EDPB) has launched a task force dedicated to studying the issue and fostering cooperation.

Pen Testers Need to Hack AI, but Also Question Its Existence

A little preconference reconnoitering of upcoming seminars, keynotes, and track sessions makes plotting your days easier. Here's one attendee's list.

San Francisco's Moscone Center will soon be overrun by cybersecurity's biggest conference of the year. Next week, RSAC 2023 will bring together the best and brightest cybersecurity leaders and innovators from around the world to partake in a packed schedule of introductions, meetings, and cocktail parties — not to mention a laundry list of panel sessions led by the biggest names in the industry covering just about every topic in the field.

It can be difficult to decide which sessions to pick out of RSAC 2023's list of 500-plus options. This is why it's important to plan in advance and select sessions strategically.

**My Top Five Picks**

As a founder of an early-stage data security company, I've focused my selection on sessions that will be most useful to my company-building journey. This includes those that might help hone my value propositions and product direction as well as any that could keep me ahead of my field's top trends. After careful consideration, here are my top five picks.

****Achieving Privacy and Data Protection Through Careful Design****

Monday, April 24

**Why you should attend:** This session promises an interactive discussion about privacy-by-design and other solutions that both prevent privacy harm and deliver business value. This underscores a larger trend in enterprise need for security and protection solutions to offer at least one business-related value proposition beyond ROI for risk aversion. I'm hoping that this session will provide new insight into how enterprise data security postures and business needs converge.

****The Perfect Storm: Preparing Today for the Future State of Cloud Security****

Monday, April 24

**Why you should attend:** The CSA Summit is one of RSA's largest events, taking place as a series of sessions over the course of one day. Exploring the themes of resilience, compliance, state of the art, and confidential computing, the summit will cover all angles of the cloud's increasing mission-critical role in keeping businesses productive. Keen on staying ahead of the market, the panel I'm particularly interested in will predict the future threat landscape of cloud security and corresponding enterprise needs. Given that cloud data stores house the majority of today's enterprise data, this is a session data security entrepreneurs can't miss.

****Cyber Defense Matrix Learning Lab****

Thursday, April 27

**Why you should attend:** This session will feature an overview of the Cyber Defense Matrix (CDM) by its creators. The CDM was developed to help cybersecurity leaders better contextualize and organize their security programs. Understanding it can provide direct insight into how cybersecurity customers think as well as the decision-making processes they use. I recommend this session to anyone looking to build a product message that will resonate with their target audience.

****The Path Forward for the United States' Data Security and Privacy Gap****

Wednesday, April 26

**Why you should attend:** In another interactive discussion, attendees will have the opportunity to explore how data security and privacy converge, as well as discover emerging federal compliance trends. Security and privacy are often conflated, and this can cause confusion when it comes to delegating clear risk owners. In addition to discussing updates in federal policies for each field, this session will provide insight into the latest best practice interpretations of their relationship and boundaries.

****Cybersecurity as a Strategic Asset****

Wednesday, April 26

**Why you should attend:** I recommend this session for entrepreneurs who want a look into how cybersecurity actually operates within an organization. This is key to understanding how cybersecurity responsibilities and stakeholders are delegated, as well as how cybersecurity culture forms, to design a seamless integration process for your product.

**Final Thoughts**

In truth, between all the shoulder-rubbing, I believe the audience chair of these sessions is the perfect place to seek refuge for recharging my social battery. These sessions can also be easy opportunities to meet peers who share my interests. I hope these sessions will prove useful and interesting for you, too!

Top 5 Data Security RSAC 2023 Sessions to Attend

Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.

Thursday, April 13, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

Law enforcement organizations across the globe notched a series of wins over the past few weeks against online forums for cybercriminals.

On March 23, the FBI announced it disrupted the online cybercriminal marketplace BreachForums, known for being a place where users could buy and sell stolen user information. They also arrested a 20-year-old suspected of being the site’s founder and main administrator.

Then last week we had “Operation Cookie Monster” in which several international agencies worked together to take down Genesis Market, a similar dark web forum, arresting dozens of suspected users and administrators.

These arrests and network operations are important in that they disrupted sites that were known for highly sensitive information and served as a place for some of the most prolific cyber criminals to make money. The U.S. Department of Justice estimated that Genesis Market was responsible for the sale of data on more than 1.5 million compromised computers around the world containing over 80 million account access credentials. And the U.K.’s National Crime Agency (NCA) said credentials were available for as little as 70 cents to hundreds of dollars depending on the stolen data available.

But the user base for these sites was also huge (after all, someone had to be buying those credentials). At the time of its takedown, BreachForums had 340,000 members, according to the FBI. And reporting on Operation Cookie Monster stated that Genesis Market had 59,000 registered users.

So while it’s great that these sites have been disrupted, I can’t help but assume that two more sites are going to pop up to service these cyber criminals. It’s impossible for any agency to arrest 340,000 people, so even if a handful of administrators are restricted from accessing the internet for a while, the other 339,000 people are going to be looking for a new home.

Some of the same agencies celebrated in March 2021 that they disrupted Emotet, one of the most infamous botnets ever. As anyone who follows security news will know, Emotet didn’t actually go anywhere and was recently rebooted as recently as last month, according to our research.

RaidForums, a forefather of BreachForums, was also disrupted in April 2022, along with the arrest of several administrators and accomplices.

All of this is not to discount the great strides made in the past few weeks in disrupting these marketplaces and taking them offline. But a lot of these headlines are sounding familiar to me after a few years, so it’s important to remember that we as a security community can’t take our foot off the gas and assume that because there were a few big wins that dark web forums are just going to go away forever.

**The one big thing**

Microsoft’s Patch Tuesday for April included another zero-day vulnerability in the Windows Common Log File System Driver. CVE-2023-28252, which could allow an attacker to obtain SYSTEM privileges, is actively being exploited in the wild, according to Microsoft. The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible. Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969.

**Why do I care?**

Security researchers say that the vulnerability has already been exploited in Nokoyawa ransomware attacks, so it’s important to patch this issue as soon as possible. The Nokoyawa ransomware is known for targeting 64-bit Windows systems in double extortion attacks in which the actors encrypt targets’ files and then threaten to leak them unless the ransom is paid.

**So now what?**

Microsoft has a patch available, so all Windows users should update now if they haven’t already. Talos also has new Snort detection coverage available for CVE-2023-28252 and other vulnerabilities disclosed as part of Patch Tuesday.

**Top security headlines of the week**

**A trove of classified military documents and images leaked on several social media channels** over the past week, including potentially sensitive information on Russia’s invasion of Ukraine and China’s military plans. The images first surfaced in a Discord channel, eventually making their way onto the Telegram messaging app, the popular forum 4Chan and then broader social media sites like Twitter. The U.S. Department of Justice and the Pentagon have since launched a formal investigation into the leaks. Ukrainian officials have blamed Russian actors for the leaks, trying to cast doubt on the authenticity of the images, while Russia accused Western governments of trying to spread disinformation. (Bellingcat, New York Times)

**Apple released patches for two zero-day vulnerabilities** targeting current and older versions of iOS, iPadOS, macOS and Safari that attackers were exploiting in the wild. The vulnerabilities, CVE-2023-28206 and CVE-2023-28205, could lead to arbitrary code execution. CVE-2023-28206 specifically could allow an adversary to execute code with kernel privileges. Apple initially patched the issue in current iPhones and other devices and followed up a few days later with fixes for older hardware like the iPhone 8. This was the third instance of Apple patching a zero-day vulnerability since the start of the year. (SC Media, Security Week)

**The FBI warned users again this week against plugging their phones in public charging stations** at common spaces like airports, hotels and shopping centers. The agency stated that threat actors have found ways to use the public USB ports to “introduce malware and monitoring software onto devices." Instead, the Federal Communications Commission suggests users carry their own USB cables and charging blocks to plug directly into outlets rather than relying on or trusting a cable. However, the tweet from the FBI’s Denver office did not offer examples of any recent attacks that would have prompted a fresh warning. (Axios, NBC News)

**Can’t get enough Talos?**

*   How threat actors are using AI and other modern tools to enhance their phishing attempts
*   How do you hunt cybersecurity threats in a war zone? Like this
*   Cisco unveils latest security trends from Cisco Talos report at GISEC 2023
*   Researcher Spotlight: Giannis Tziakouris first learned how to fix his family’s PC, and now he’s fixing networks all over the globe

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** f3d5815e844319d78da574e2ec5cd0b9dd0712347622f1122f1cb821bb421f8f  
**MD5:** a2d60b5c01a305af1ac76c95e12fdf4a  
**Typical Filename:** KMSAuto.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

Threat Source newsletter (April 13, 2023) — Dark web forum whac-a-mole

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked.

Thursday, April 13, 2023 10:04

_Kelly Leuschner and Thorsten Rosendahl discovered this vulnerability._

Cisco Talos researchers recently discovered a vulnerability in the Lenovo Smart Clock Essential that could allow an attacker to completely take over the device if they have access to the network the clock is connected to.

TALOS-2023-1692 (CVE-2023-0896) exists because the smart clock does not change its hardcoded credentials once it's set up and connected to the network. Therefore, an attacker could use a specially crafted command line argument to gain full control of the device using SSH or telnet if they already have network access.

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked. Even on low-end hardware, and with a basic dictionary, the brute force took less than a second.

The default username is “root” and the default password is “123456”.

The clock includes a built-in microphone to accept voice commands and connects to the popular Amazon Alexa smart home system and AI assistant.

The file system is accessible and offers enough room to install undesired software/services.

Cisco Talos worked with Lenovo to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Lenovo Group Ltd. Smart Clock Essential, version 4.9.113. Talos tested and confirmed this version of the clock could be exploited by this vulnerability. Users should update to Lenovo Smart Clock Essential software version 90 or later to fix this vulnerability, according to Lenovo. (The version information can be checked in your Alexa App under “Devices.”)

The following Snort rule will detect exploitation attempts against this vulnerability: 61094. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Hard-coded password vulnerability could allow attacker to completely take over Lenovo Smart Clock

Tools like ChatGPT aren't making social engineering attacks any more effective, but it does make it faster for actors to write up phishing emails.

Thursday, April 13, 2023 00:04

*   Phishing attacks are increasingly more targeted and customized than in the past.
*   The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
*   The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
*   Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security rather than utilizing exploits or highly technical attacks to break into networks. Deceiving users to convince them into divulging sensitive information or take inappropriate actions is known as “social engineering” and this tactic can be extremely effective, regardless of whatever technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

**Phishing attacks have become more targeted**

The earliest phishing attacks, such as those conducted via instant messaging applications like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, only sending a handful of phishing emails is orders of magnitude more difficult for network defenders to prevent. This is the idea behind spear phishing: Attackers narrow the phishing target pool down to a smaller desired group of victims who can be sent a more customized phishing attack. The smaller volume of email increases the odds the message will be successfully delivered to the users and will not be filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

**More locations for phishing**

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email in which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even using QR codes.  

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.‌ ‌

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach where phishing emails are transmitted, but rather than containing a link to a phishing website or malware, the email contains a phone number that the victim is meant to call where the victim can then be further socially engineered over the telephone.

**Evasion tactics help bypass security devices and fool users**

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

*   Placing text information or links inside images.
*   Using large attachments that cannot be scanned due to their size.
*   HTML smuggling.
*   Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
*   Hiding phishing links behind link-shortening services.
*   Varying the phishing message content by including hidden garbage text pulled from books.
*   Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
*   Transmitting messages from compromised legitimate accounts.
*   Using the browser-in-the-browser technique.

**More convincing phishing lures**

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, there can be a substantial trove of sensitive information concerning individuals/groups that is freely available online to attackers who are motivated enough to search. This information can be used to customize phishing emails and make phishing content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the question a little differently, ChatGPT will help generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have leveraged existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of those prior threads.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

**Protecting users from today’s phishing attacks**

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes increasingly harder to defend. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.

How threat actors are using AI and other modern tools to enhance their phishing attempts

If attackers use your stolen login information or set up wire transfers, you might be out of luck.

Banking laws designed to protect Federal Deposit Insurance Corp. (FDIC)-insured accounts contain loopholes that strip consumers of coverage against certain cyberattacks.

Less than a month before the US Consumer Financial Protection Bureau hit Wells Fargo & Co. with the largest financial civil penalty ever for mismanagement of car loans, mortgages, and bank accounts In December 2022, a Wells Fargo customer suffered an account takeover of his consumer checking account that cost him $45,000. Well Fargo chose not to reimburse that customer, Kartik Gada, CFO and chief economist at a San Francisco-area company.

Documents show the attackers breached Gada's cell phone account, then accessed his bank login credentials from the phone's backup data. The attackers changed the bank login information, added the ability to send wire transfers and Zelle money transfers to the checking account, then used two traditional wire transfers to move $45,000 to a New York-based bank. The thieves then removed the funds from the other bank's account by the thieves. Wells Fargo maintained that since the attackers obtained Gada's valid bank login credentials, that was sufficient to deny reimbursing Gada.

Account takeovers are not uncommon. A Marina del Rey couple faced a similar attack but had their funds returned to them by Wells Fargo at roughly the same time as the Gada attack. However, the modus operandi of the attackers was different, as were the results.

Gada tells Dark Reading that Well Fargo denied his request to funds to be returned because the bank claims he "failed to protect his password security." Gada says a bank representative told him that while it acknowledged the attack, it still declined to reimburse him.

In the final resolution letter Wells Fargo sent to Gada, the bank wrote, "According to the Online Access Agreement, you are responsible for keeping your username and password confidential, and for actions taken by anyone using the Service after signing in with your username and password, or any other Wells Fargo approved authentication control, except as otherwise provided by law or regulation. We are entitled to rely and act upon instructions received under your username and password."

**Inadequate Bank Oversight**

Jay Hack, a partner at the New York law firm Gallet Dreyer & Berkey, LLP, says the bank's "procedures for due diligence with respect to customers is obviously failing and the filtering software to filter out suspicious transactions is obviously failing. This transaction has all of the conditions of being a theft."

Once the bank's systems recognized the change in how the customer had been using the personal checking account and the swift changes to the account the night of the account takeover, the bank's monitoring software should have alerted authorities, he asserts. There are two possible reasons why it might not have done so, he notes. The first is the software was misconfigured to not "kick out suspicious transactions." Another is that even if the alert was noted, it could have been ignored.

A major bank, Hack says, should have software that identifies account takeovers and unusual actions — such as changing passwords and then adding and immediately using wire transfer capabilities — and kicks out an alert.

**Finessed Legal Justifications**

Wells Fargo ignored multiple requests by Dark Reading to comment on its decision not to compensate Gada. It also would not comment on why the bank's security controls did not flag the anomalies occurring on the account and why no bank employee tried to confirm the unusual changes to the account before processing the transactions.

While the Comptroller of the Currency's office and the Consumer Financial Protection Bureau both declined to discuss the specifics of Gada's situation, both organizations directed Dark Reading to documents concerning the Electronic Fund Transfer Act and Regulation E. One carve-out that Wells Fargo used as a reason to deny compensating the customer is that the attackers implemented wire-transfer capabilities, which specifically is not covered under Regulation E.

Wells Fargo's response to the breach was to redefine the personal checking account as a brokerage account due to the attackers' actions and subsequently told the client different rules applied to the brokerage account, Gada said. The bank chose to follow Universal Commercial Code (UCC) 4A-202, which addresses wire transfers and has different "good faith" rules than does Regulation E. A short PowerPoint description of the regulations can be found on the FDIC's website.

Wells Fargo's position is that a customer is responsible for losses if the attackers use a wire transfer to steal money from the customer's checking account. Should the attackers have chosen a different approach, such as a money transfer application such as Zelle or PayPal or an Automated Clearing House (ACH) transfer, the FDIC would have required the bank to reimburse Gada under Regulation E.

The bank chose not to address why the victim of a crime would be subject to UCC 4A, which requires an agreement between the bank and the customer. As the attackers caused the change in account status and not Gada, this raised the question of whether this was a legal contract between the customer and bank.

Hack says that banks can get away with such denials because the cost of litigation is often far higher than the consumer's loss. It does not become profitable for specialty law firms to file lawsuits until the customer's losses are $1 million or more, he notes.

When Banking Laws Don't Protect Consumers From Cybertheft

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  Apple

Tags:  Google

Tags:  Adobe

Tags:  Cisco

Tags:  SAP

Tags:  Mozilla

Tags:  CVE-2023-28252

Tags:  CVE-2023-28231

Tags:  CVE-2023-21554

Tags:  Word

Tags:  Publisher

Tags:  Office

One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates.



(Read more...)




The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.

Posted: April 12, 2023 by

It’s Patch Tuesday again. Microsoft and other vendors have released their monthly updates. Among a total of 97 patched vulnerabilities there is one actively exploited zero-day.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The actively exploited zero day is listed as CVE-2023-28252.

CVE-2023-28252 is an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, which is the highest level of privilege on Windows systems. This is the type of vulnerability that we can expect to see chained with other vulnerabilities. Once an attacker has access, EoP vulnerabilities allow them to exploit that access to the fullest.

CISA has already added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities, which means federal (FCEB) agencies have until May 2, 2023 to patch against it.

Given the reach and simplicity of exploitation, this vulnerability is bound to be very popular among cybercriminals, and so it should be patched as soon as possible. CLFS is present in all Windows versions and so is the vulnerability. Exploitation does not require any user interaction and the vulnerability is already in use by at least one ransomware gang.

Another vulnerability to keep an eye on is CVE-2023-28231, a DHCP Server Service remote code execution (RCE) vulnerability. It is rated as critical with a CVSS score of 8.8 out of 10. Even though the attacker would need access to the network to successfully exploit this vulnerability, Microsoft has it listed as “Exploitation more likely.”

Another one that Microsoft deems more likely to be exploited is CVE-2023-21554, an RCE vulnerability in Microsoft Message Queuing (MSMQ) with a CVSS score of 9.8 out of 10. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.

A few others we can expect to see, especially in the form of email attachments, are several RCE vulnerabilities in Microsoft Office, Word, and Publisher \[2\]. All these vulnerabilities require the user to open a malicious file. So this is something we can typically expect to see a lot in phishing campaigns.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates for several products:

*   Digital Editions
*   InCopy 
*   Acrobat and Reader
*   Substance 3D Stager
*   Dimension 
*   Substance 3D Designer

Apple released emergency updates for two known-to-be-exploited vulnerabilities.

Cisco released security updates for multiple products.

Google has released updates for the Chrome browser and for Android.

Mozilla has released security advisories for vulnerabilities affecting multiple Mozilla products:

*   Firefox 112, Firefox for Android 112, Focus for Android 112
*   Firefox ESR 102.10
*   Thunderbird 102.10

SAP has released its April 2023 updates.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

Tag

#cisco