Blog

Using DNS-layer security to detect and prevent ransomware attacks

This year has seen a dramatic uptick in ransomware attacks, with high-profile incidents like the Colonial Pipeline attack or the Kaseya attack dominating news cycles. The frequency and cost of these attacks have prompted many cybersecurity professionals to investigate more robust ransomware protection solutions, like DNS-layer security. But how can you make sure your organization’s security posture is as effective as possible? That’s the question we set out to answer during our Black Hat 2021 session: Using DNS-layer security to detect and block dangerous campaigns.

At Cisco Umbrella, we’ve seen plenty of cyberattacks play out across vulnerable networks. Using the data we’ve gathered while researching emerging threats – including the recent wave of ransomware attacks – our team has developed a set of solutions that maximize our use of recursive DNS servers to improve security across networks. We’re confident that this approach to DNS-layer security can help keep your network safe from bad actors as well.

Did you miss our talk? Don’t worry – you can view the recorded session online or read the highlights below:

Observing DNS-layer activity can help you identify sophisticated threats

The Domain Name System (DNS) allows clients to connect to websites, perform software updates, and use many of the applications organizations rely on. Unfortunately, the DNS layer is also one of the least secure aspects of many networks: DNS packets are rarely inspected by security protocols and they pass easily through unblocked ports. So, it only makes sense that today’s sophisticated threats – including ransomware attacks – tend to operate at the DNS layer.

Of course, just because most security teams pay little attention to DNS-layer activity doesn’t mean that you have to do the same. In fact, you can configure your recursive DNS servers to gather data useful for designing and implementing proprietary defense algorithms or performing threat hunting at scale. For example, the Cisco Umbrella DNS resolvers gather data:

  • From authoritative DNS logs, which can reveal potential attacks through newly staged infrastructure, bulletproof hosting providers, and malicious domains, IPs, and ASNs
  • From user request patterns, which can reveal in-progress attacks through compromised systems and command-and-control callbacks

While partnering with a prosumer DNS-layer security provider like Cisco Umbrella is always an option when it comes to data gathering, we go into more detail on configuring your own recursive DNS servers to gather this data during our presentation.

Understanding how ransomware attacks happen can help you either prevent or mitigate threats

While the exact tactics, techniques, and procedures (TTPs) vary from scenario to scenario, most ransomware attacks tend to follow the same basic flow:

  • A client navigates to a compromised domain on the Internet, accidentally downloading a weaponized file containing a malicious program
  • The file launches an event chain designed to establish a post-exploitation framework on the affected network
  • The malicious program moves laterally to other computers on the network
  • Multiple computers are infected by the ransomware program, which encrypts all business-critical data

Starting in 2020, most ransomware attacks have added another step to the process: data exfiltration. Before encryption, the program transports business-critical data from the client’s network to the threat actor using DNS tunnels. This allows the threat actor to place additional leverage on their victim – instead of simply losing their data, companies find themselves facing the prospect of having that data leaked online or sold to the highest bidder on the dark web.

What’s more, since ransomware attacks can take as little as five hours to execute, detecting an in-progress attack can be difficult unless you have a strong DNS-layer security system designed to recognize these attacks.

Popular tools used in ransomware attacks rely on DNS-layer activity

Earlier, we mentioned how most ransomware attackers make use of the fact that network administrators don’t secure DNS-layer activity. In fact, we’ve observed that some of the most common attack frameworks rely heavily on DNS tunneling, both to gain a foothold across the network and to allow the threat actor to exfiltrate data or execute command and control attacks.

Examples of the attacks that make use of DNS tunneling techniques include:

  • The DNS beacon of the Cobalt Strike penetration testing tool, which has been used in most high-profile ransomware attacks
  • The SUNBURST supply-chain attack, which used DNS tunneling during post-exploitation
  • The APT group OilRig, which relies heavily on data exfiltration through DNS tunnels in its cyber espionage campaigns

In our presentation, we go into more detail on the way these frameworks have been used by threat actors in the past and how they might be used in the future. But the common element these frameworks share – the use of DNS activity – is enough to suggest that DNS-layer security may become more important than ever as we prepare for upcoming attacks.

The strongest ransomware protection combines attack prevention and attack mitigation tactics

We’ve talked a lot about how the data gathered from recursive DNS servers can help identify threats. But DNS-layer security goes further than information gathering; a strong security posture should also help protect networks from attacks. At Cisco Umbrella, we configure our recursive DNS servers to do this in two ways: by preventing clients from connecting to suspicious domains – stopping attacks before they start – and by detecting unusual DNS-layer activity that could indicate an in-progress attack – allowing security teams to isolate infected systems and mitigate the damage.

Ransomware protection that prevents attacks

Using DNS-layer security to prevent ransomware attacks from occurring in the first place is an approach that many organizations favor, and with good reason: this tactic prevents any post-exploitation losses.

While the algorithms used by traditional recursive DNS servers will flag certain risky domains, this built-in defense often leaves much to be desired. It evaluates the domain’s age and reputation when determining whether a client should be allowed to connect to it, but allows bad actors to bypass these DNS-layer security protocols using staged domains in good repute.

At Cisco Umbrella, we work around this shortcoming by configuring our recursive DNS servers to flag any anomalous domains for deeper review before allowing clients to connect. This approach weeds out many more dangerous domains, minimizing the window of time in which a user is vulnerable from around 24 hours to mere minutes.

While the Cisco Umbrella team provides this service as part of our DNS-layer security offerings, we also discuss how you can configure your own resolvers to behave similarly in our presentation.

Ransomware protection that identifies in-progress attacks

While preventing the initial compromise may be the ideal form of protection, this approach is not a silver bullet. The tactics employed by threat actors constantly evolve, making it possible for certain ransomware attacks to slip past even the most tightly woven nets. This is why your DNS-layer security solution should also contain protocols that help it detect in-progress attacks.

For those looking to secure DNS activity, this involves incorporating a system that flags any anomalous DNS tunneling in a network. As mentioned earlier, most ransomware attacks make use of DNS tunneling to establish both bi-directional and unidirectional communication between an attacker and the systems on your network. If the DNS activity isn’t secure, this allows the threat actor to stay under the radar until their attack is nearly executed. But if your DNS-layer security solution carefully monitors network DNS activity, you can start mitigating the effects of an attack before they become catastrophic.
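The paragraph above describes flagging anomalous DNS tunneling but does not show what "anomalous" looks like in the query log. The following is an added example (not Cisco Umbrella's code, and not the algorithm the presentation describes) that profiles each (client, registered domain) pair over a constructed query log and flags pairs whose lookups resemble encoded data: many never-repeated subdomains, long and high-entropy labels, and payload-carrying record types such as TXT. All thresholds, the "last two labels" definition of a registered domain, and the sample log are assumptions for illustration.

```python
"""Heuristic DNS-tunneling detector over a constructed DNS query log.

Added example, not vendor code. It aggregates queries per (client, registered
domain) and counts tunneling indicators; a pair with enough volume and at
least three indicators is reported for investigation.
"""
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Query(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str


# Thresholds are assumptions for this example; tune them against your own baseline.
MIN_QUERIES = 10        # ignore low-volume (client, domain) pairs
UNIQUE_RATIO = 0.8      # share of queries whose subdomain part never repeats
MEAN_SUB_LEN = 30       # average length of the part below the registered domain
MEAN_ENTROPY = 3.5      # average Shannon entropy (bits/char) of that part
PAYLOAD_TYPE_RATIO = 0.5  # share of queries for record types that carry payloads
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted data scores near log2(alphabet size)."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (registered domain, subdomain part). Assumes the registered domain
    is the last two labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


class PairProfile(NamedTuple):
    client: str
    domain: str
    queries: int
    unique_ratio: float
    mean_sub_len: float
    mean_entropy: float
    payload_type_ratio: float
    indicators: Tuple[str, ...]


def profile(log: List[Query]) -> List[PairProfile]:
    """Aggregate the log per (client, registered domain) and evaluate each indicator."""
    buckets: Dict[Tuple[str, str], List[Query]] = defaultdict(list)
    for q in log:
        domain, _ = split_name(q.qname)
        buckets[(q.client, domain)].append(q)

    profiles: List[PairProfile] = []
    for (client, domain), qs in sorted(buckets.items()):
        subs = [split_name(q.qname)[1] for q in qs]
        n = len(qs)
        unique_ratio = len(set(subs)) / n
        mean_len = sum(len(s) for s in subs) / n
        mean_ent = sum(shannon_entropy(s) for s in subs) / n
        payload_ratio = sum(q.qtype.upper() in PAYLOAD_TYPES for q in qs) / n
        indicators: List[str] = []
        if unique_ratio >= UNIQUE_RATIO:
            indicators.append("unique-subdomains")
        if mean_len >= MEAN_SUB_LEN:
            indicators.append("long-subdomains")
        if mean_ent >= MEAN_ENTROPY:
            indicators.append("high-entropy")
        if payload_ratio >= PAYLOAD_TYPE_RATIO:
            indicators.append("payload-record-types")
        profiles.append(PairProfile(client, domain, n, unique_ratio, mean_len,
                                    mean_ent, payload_ratio, tuple(indicators)))
    return profiles


def detect_tunnels(log: List[Query]) -> List[PairProfile]:
    """Report pairs with enough volume and at least three indicators."""
    return [p for p in profile(log) if p.queries >= MIN_QUERIES and len(p.indicators) >= 3]


def _encoded_label(i: int) -> str:
    # Stand-in for a chunk of encoded data: a deterministic 48-character hex blob.
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]


# Constructed sample log (not real traffic): one ordinary client and one client
# sending many unique, long, high-entropy TXT lookups under a single domain.
SAMPLE_LOG: List[Query] = [
    Query("2021-08-05T10:00:01", "10.1.2.3", "www.example.com", "A"),
    Query("2021-08-05T10:00:02", "10.1.2.3", "cdn.example.com", "A"),
    Query("2021-08-05T10:00:03", "10.1.2.3", "login.example.com", "A"),
    Query("2021-08-05T10:00:04", "10.1.2.3", "mail.example.com", "MX"),
    Query("2021-08-05T10:00:05", "10.1.2.3", "www.example.com", "A"),
] + [
    Query(f"2021-08-05T10:01:{i:02d}", "10.1.2.9",
          f"{_encoded_label(i)}.c2.example.net", "TXT")
    for i in range(20)
]

if __name__ == "__main__":
    for p in detect_tunnels(SAMPLE_LOG):
        print(f"{p.client} -> {p.domain}: {p.queries} queries, "
              f"indicators={', '.join(p.indicators)}")
```

Run against the sample log, only the 10.1.2.9 → example.net pair is reported, with all four indicators set. In practice this kind of profiling runs over a sliding window of resolver logs, and the thresholds need a baseline from your own traffic: CDNs and some anti-spam services also generate long, unique subdomains, so the per-client volume and the record-type mix are what keep the false-positive rate manageable.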

Cisco Umbrella offers DNS-layer security that helps protect clients from threats now and in the future

At Cisco Umbrella, we strive to offer customers the best protection possible by combining multiple detection and remediation techniques that help them prepare for the threats coming their way. This includes reactive DNS-layer security algorithms, real-time heuristics, and real-time behavioral detection. What’s more, we strive for as much transparency as possible, providing our clients with the real-time statistics we used when deciding to block connections to a domain.

Want to learn more about how Cisco Umbrella makes use of DNS-layer security to protect clients from ransomware attacks? Listen to our full Black Hat 2021 presentation!

Source :
https://umbrella.cisco.com/blog/using-dns-layer-security-for-ransomware-attack-detection-prevention

Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities

Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim’s network to deploy file-encrypting payloads on targeted systems.

“Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,” Cisco Talos said in a report published Thursday, corroborating an independent analysis from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.

While Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. The attacks are said to have taken place since at least July 13.

Since June, a series of “PrintNightmare” issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations –

  • CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
  • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
  • CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
  • CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)

CrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.

Vice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.

Specifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.

“Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively,” the researchers said. “The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.”

Source :
https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html

Bugs in Managed DNS Services Cloud Let Attackers Spy On DNS Traffic

Cybersecurity researchers have disclosed a new class of vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to exfiltrate sensitive information from corporate networks.

“We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google,” researchers Shir Tamari and Ami Luttwak from infrastructure security firm Wiz said.

Calling it a “bottomless well of valuable intel,” the treasure trove of information contains internal and external IP addresses, computer names, employee names and locations, and details about organizations’ web domains. The findings were presented at the Black Hat USA 2021 security conference last week.

“The traffic that leaked to us from internal network traffic provides malicious actors all the intel they would ever need to launch a successful attack,” the researchers added. “More than that, it gives anyone a bird’s eye view on what’s happening inside companies and governments. We liken this to having nation-state level spying capability – and getting it was as easy as registering a domain.”

The exploitation process hinges on registering a domain on Amazon’s Route53 DNS service (or Google Cloud DNS) with the same name as the DNS name server — which provides the translation (aka resolution) of domain names and hostnames into their corresponding Internet Protocol (IP) addresses — resulting in a scenario that effectively breaks the isolation between tenants, thus allowing valuable information to be accessed.

In other words, by creating a new domain on the Route53 platform with the same name as an AWS name server and pointing the hosted zone to their own network, the researchers caused the Dynamic DNS traffic from Route53 customers’ endpoints to be hijacked and sent directly to the rogue, same-named server, creating an easy pathway for mapping corporate networks.

“The dynamic DNS traffic we wiretapped came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies,” the researchers said. “The data included a wealth of valuable intel like internal and external IP addresses, computer names, employee names, and office locations.”

While Amazon and Google have since patched the issues, the Wiz research team has also released a tool to let companies test if their internal DDNS updates are being leaked to DNS providers or malicious actors.

Source :
https://thehackernews.com/2021/08/bugs-in-managed-dns-services-cloud-let.html

PrintNightmare, Critical Windows Print Spooler Vulnerability

(Updated July 1, 2021) See Microsoft’s new guidance for the Print spooler vulnerability (CVE-2021-34527) and apply the necessary workarounds.

(Original post June 30, 2021) The CERT Coordination Center (CERT/CC) has released a VulNote for a critical remote code execution vulnerability in the Windows Print spooler service, noting: “while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.

CISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft’s how-to guides, published January 11, 2021: “Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.” 

Source :
https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

Windows Print Spooler Remote Code Execution Vulnerability

CVE-2021-34527 – Security Vulnerability

Released: July 1, 2021. Assigning CNA: Microsoft

MITRE CVE-2021-34527

Executive Summary

Microsoft is aware of and investigating a remote code execution vulnerability that affects Windows Print Spooler and has assigned CVE-2021-34527 to this vulnerability. This is an evolving situation and we will update the CVE as more information is available.

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

Please ensure that you have applied the security updates released on June 8, 2021, and see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

  • Publicly Disclosed: Yes
  • Exploited: Yes
  • Exploitability Assessment: Exploitation Detected

Workarounds

Determine if the Print Spooler service is running (run as a Domain Admin)

Run the following as a Domain Admin:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

For more information see: Use Group Policy settings to control printers.

FAQ

Is this the vulnerability that has been referred to publicly as PrintNightmare?

Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability.

Is this vulnerability related to CVE-2021-1675?

This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.

Did the June 2021 update introduce this vulnerability?

No, the vulnerability existed before the June 2021 security update. Microsoft strongly recommends installing the June 2021 updates.

What specific roles are known to be affected by the vulnerability?

Domain controllers are affected. We are still investigating if other types of roles are also affected.

All versions of Windows are listed in the Security Updates table. Are all versions exploitable?

The code that contains the vulnerability is in all versions of Windows. We are still investigating whether all versions are exploitable. We will update this CVE when that information is evident.

Why did Microsoft not assign a CVSS score to this vulnerability?

We are still investigating the issue so we cannot assign a score at this time.

Why is the severity of this vulnerability not defined?

We are still investigating. We will make this information available soon.

Acknowledgements

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Source :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Amazon Prime Day: Big Sales, Big Scams

Malicious actors taking advantage of important events is not a new trend. For example, a large number of tax-related scams pops up every tax season in the US, with threats ranging from simple phishing emails to the use of scare tactics that lead to ransomware. More recently,  Covid-19 has led to a surge in pandemic-related malicious campaigns, mostly arriving via email.

For many people, major online shopping events such as the annual Amazon Prime day — which falls on June 21 this year — presents a unique opportunity to purchase goods at heavily discounted prices. However, shoppers are not the only ones looking to benefit — cybercriminals are also looking to prey on unsuspecting victims via social engineering and other kinds of scams. Amazon Prime has experienced tremendous growth over the past two years. According to estimates, there were 150 million Prime members at the end of the fourth quarter of 2019, a number which grew to 200 million by the first quarter of 2021 — with around 105 million users in the US alone. This makes Amazon Prime customers a particularly lucrative target for malicious actors.

As Amazon Prime day approaches, we’d like to build awareness among the shopping public by showing some of the related scams we’ve observed over the past few months.

Amazon Prime Scams

In 2020, Amazon Prime day, which is usually held in June or July, was postponed to October due to Covid-19. That same month, the Australian Communications and Media Authority (ACMA) issued an alert warning the public that they had been receiving reports of scammers — impersonating Amazon Prime staff — calling their targets, claiming that they owed money to Amazon. They also warned the victim that funds would be taken from their bank account if they did not act immediately. Often, the goal of these scammers is to retrieve Amazon account details and personal data from their victims by asking them to go online and enter the relevant information.

A variation of this scam involves swindlers calling their targets and presenting them with a recorded message, allegedly from Amazon, notifying call recipients of an issue with their order — such as a lost package or an unfulfilled order. The victims would then be invited to either press the number “1” button on their phone or provided a number that they would need to call. As with the first scam, the goals are the same: gaining personal information.

Aside from phone call scams, malicious actors also use tried-and-tested email-based phishing tactics. One method uses fake order invoices with corresponding phony order numbers and even a bogus hotline number, which, once called, will prompt the recipient to enter their personal details.

Another technique involves the scammer notifying an Amazon Prime user of problems with their account. For example, a Twitter post from user VZ NRW – Phishing shows a fake Amazon Prime message warning the recipient that their Prime benefits have allegedly been suspended due to a problem with the payment. The message also contains a phishing link that the user supposedly has to click to resolve the issue.

Figure 1. An example of an email scam, coming from “Amazon Prime” complete with a fake order ID and hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

Malicious actors will also make use of fake websites and online forms — many of which are painstakingly crafted to match the official sites as much as possible. One phishing website asks users to confirm payment details by filling out certain information. However, despite looking authentic, the page contains plenty of red flags — for example, none of the outbound links actually work, and the forms used in the page requests more data than usual, including personal information that companies typically never ask users to provide.

A cursory search in VirusTotal using the strings “Amazon” and “Prime” reveals over a hundred PDF files, many of which contain movie names (membership in Amazon Prime also makes users eligible for Prime Video). These PDF files are hosted on various cloud services, with links to them typically distributed via malicious emails.

Figure 2. VirusTotal results using “Amazon” and “Prime” search strings

Upon opening some of these files, a Captcha button appears, which will activate a malicious redirection chain when clicked.

Figure 3. Captcha button that appears when clicking some of the VirusTotal samples.

While it’s easy to assume that most of these scammers are single individuals or small groups looking for a quick buck, certain threat actor groups use sophisticated social engineering techniques in their campaigns and count Amazon users among their primary targets.

The Heatstroke phishing campaign

We first encountered the phishing campaign known as Heatstroke back in 2019, noting that the group behind the campaign utilized complex techniques both for researching and for luring in their victims, who were primarily Amazon and PayPal users.

For example, compared to the webpage from the previous section, Heatstroke makes use of a phishing website with multiple working screens and subpages to try and mimic a legitimate website as much as possible. In addition, Heatstroke implements various obfuscation techniques such as forwarding the phishing kit content from another location or changing the landing page to bypass content filters.

Figure 4. Heatstroke’s infection chain, which they have been using since 2019

The threat actor has implemented some improvements over the past two years — such as expanded IP ranges and improvements to user agents and the kit’s “self-defense” mechanisms (coverage of scams, anti-bot, and IP protection services), as well as the addition of an API and kill date, after which the kit won’t work anymore. 

Heatstroke remains active with a well-maintained infrastructure in 2021. The threat actor largely uses the same techniques from the past. However, it might be a case of not fixing what isn’t broken, given how effective the previous campaigns proved to be.

Defending against scams

As exciting as Amazon Prime Day (and other similar shopping extravaganzas like Black Friday and Cyber Monday) is, the public should remain vigilant against potential scams, as cybercriminals are looking to capitalize on these types of events.

The following best practices and recommendations can help individuals avoid these kinds of scams:

  • Most reputable organizations will never ask for sensitive financial information over the phone. If a caller allegedly coming from Amazon or another company asks for strangely specific information such as credit card or bank account numbers, this is an automatic red flag.
  • Be wary of out-of-context emails. If you receive an email referencing an item you did not purchase, then it is highly likely that the email is a phishing attempt. Refrain from downloading attachments or clicking links in suspicious emails, as these can lead to malware infections.
  • Scan emails for typographical or grammatical mistakes. Legitimate emails will always be thoroughly checked and edited before being sent, therefore even small errors are possible signs of a malicious email.
  • Always double check the URL of a website to see if it matches up with the real one. For example, Amazon websites and subpages will always have a dot before “amazon.com” (for example, “support.amazon.com” versus “support-amazon.com”), therefore, even if a website copies the design of the legitimate one, a sketchy URL will often give it away as being malicious. In the same vein, email addresses should be scrutinized to see if they look suspicious or have any unusual elements.
  • Organizations are also encouraged to regularly check the awareness of employees on the latest cyberthreats via Trend Micro Phish Insight, a cloud-based security awareness service that is designed to empower employees to protect themselves and their organization from social engineering-based attacks.
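The URL advice in the list above (a real Amazon host is “amazon.com” itself or has a dot before it, so “support.amazon.com” is fine while “support-amazon.com” is not) can be turned into a mechanical check. The following is an added example, not Trend Micro's code: it extracts the hostname from a link, accepts only the brand domain and true subdomains of it, and separately flags lookalike hosts that still read as the brand once common digit substitutions and separators are undone. The brand domain defaults to amazon.com as in the text; the substitution table, the sample links and the “legitimate / lookalike / unrelated” labels are assumptions for illustration.

```python
"""Classify links as legitimate, lookalike or unrelated for a given brand domain.

Added example, not vendor code. The key rule is the one from the advice above:
a legitimate host is exactly the brand domain or ends with "." + brand domain.
Everything else is checked for lookalike tricks before being called unrelated.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Digit-for-letter substitutions commonly seen in lookalike hostnames (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def extract_host(url: str) -> str:
    """Hostname of a URL: lowercased, with userinfo, port and trailing dot removed.
    A bare domain without a scheme is accepted as well."""
    if "://" not in url:
        url = "https://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc (for example unbalanced brackets)
        return ""
    return host.rstrip(".")


def is_brand_host(host: str, brand_domain: str) -> bool:
    """True only for the brand domain itself or a real subdomain of it.
    'support-amazon.com' and 'amazon.com.example.net' both fail this test."""
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def is_lookalike(host: str, brand_domain: str) -> bool:
    """True when a host that is NOT the brand still contains the brand's name once
    digit substitutions are reversed and '-'/'.' separators are stripped."""
    label = brand_domain.lower().split(".")[0]
    folded = host.translate(HOMOGLYPHS).replace("-", "").replace(".", "")
    return label in folded


def triage(url: str, brand_domain: str = "amazon.com") -> str:
    """Return 'legitimate', 'lookalike', 'unrelated' or 'invalid' for a link."""
    host = extract_host(url)
    if not host:
        return "invalid"
    if is_brand_host(host, brand_domain):
        return "legitimate"
    if is_lookalike(host, brand_domain):
        return "lookalike"
    return "unrelated"


# Constructed sample links (not from any real campaign) with expected verdicts.
SAMPLE_LINKS: List[Tuple[str, str]] = [
    ("https://support.amazon.com/help", "legitimate"),
    ("amazon.com", "legitimate"),
    ("https://support-amazon.com/help", "lookalike"),
    ("https://www.amaz0n.com/prime", "lookalike"),
    ("https://amazon.com.example.net/login", "lookalike"),
    # userinfo trick: the real host here is example.net, not amazon.com
    ("https://amazon.com@example.net/", "unrelated"),
    ("https://example.org/", "unrelated"),
]


def check_samples() -> List[Tuple[str, str, str]]:
    """Return (url, verdict, expected) for every sample link."""
    return [(url, triage(url), expected) for url, expected in SAMPLE_LINKS]


if __name__ == "__main__":
    for url, verdict, expected in check_samples():
        mark = "ok " if verdict == expected else "BAD"
        print(f"{mark} {verdict:10s} {url}")
```

The userinfo case is the one most people miss: “https://amazon.com@example.net/” shows the brand name first in the address bar text, but the browser connects to example.net, which is why the check works on the parsed hostname rather than on the raw string. A production filter would also resolve internationalized (punycode) hostnames and consult the Public Suffix List before deciding what counts as the brand's registrable domain.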

Source :
https://www.trendmicro.com/en_us/research/21/f/amazon-prime-day-big-sales–big-scams.html

Wordfence is now a CVE Numbering Authority (CNA)

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

WordPress powers over 40% of the World Wide Web in 2021. By becoming a CNA, Wordfence expands our ability to elevate and accelerate WordPress security research. This furthers our goal of helping to protect the community of WordPress site owners and developers, and the millions of website users that access WordPress every day.

What is a CNA?

The acronym CNA stands for CVE Numbering Authority. A CNA is an organization that has the authority to assign CVE IDs to vulnerabilities for a defined scope. As a CNA, Wordfence can assign CVE IDs to WordPress Plugins, Themes, and Core Vulnerabilities.

What is a CVE?

CVE is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published to the CVE List. The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog.

What does this mean for Wordfence customers?

As the Wordfence Threat Intelligence team continues to produce groundbreaking WordPress security research, Wordfence can more efficiently assign CVE IDs prior to publicly disclosing any vulnerabilities that our team discovers. This means that a CVE ID will be immediately assigned with every vulnerability we discover rather than waiting for an assignment from an external CNA.

To report a vulnerability, even if there is uncertainty about the responsible disclosure process, proof of concept production, or mitigation review procedures, the Wordfence Threat Intelligence team is available to assist. Our highly credentialed team has expertise and experience in proper security disclosure and can assist in ensuring that adequate remediation of vulnerabilities, no matter the severity, are applied and verified. As the original researcher, you receive the CVE ID and public credit for your discovery. You will also receive thanks from the users and community that you have protected through your responsible disclosure. Please reach out to us and we will be happy to assist.

How to report vulnerabilities to Wordfence for CVE assignment and publication?

To report a vulnerability to Wordfence for a WordPress plugin, WordPress theme, or WordPress core, please reach out to security@wordfence.com with the vulnerability information. Please include the following details:

  • A concise description of the vulnerability.
  • A proof of concept – that is, how the vulnerability could potentially be exploited.
  • What software component in our scope is affected – namely, which plugin or theme is affected, or which part of WordPress core.
  • The version number(s) affected.
  • The name(s) of individuals you would like credited for the discovery – or indicate if you would like to remain anonymous.
  • Any other additional information as appropriate.

The Wordfence Threat Intelligence team will review your findings and report back within 1-3 business days with a CVE ID assignment, or a request for additional information.

Community engagement and outreach at Wordfence has helped accelerate our efforts to secure the global WordPress community. Becoming a CNA has helped further this goal. Our team looks forward to expediting our own research and helping to encourage and enable new researchers to join the growing community of people who discover and responsibly disclose WordPress vulnerabilities. Together we can work towards a safer Web for all.

Source :
https://www.wordfence.com/blog/2021/06/wordfence-is-now-a-cve-numbering-authority-cna/

What is a WordPress Firewall and Do You Need One

The word firewall gives the impression that, once one is installed on your WordPress site, nothing will be able to attack it and you don’t need any other security measures. This is not true.

A firewall plugin can only act at the WordPress code level; it can never affect lower levels of your server, such as blocking IP addresses and ports.

There is no WordPress plugin that can do that.

So Why Then Have a WordPress Firewall At All?

Let’s break it down for you.

The WordPress firewall detects malicious data and blocks the response to it.

What does that mean?

When data is transferred on your site, such as a user logging in or a blog post or image being displayed, the firewall hides this data from prying, malicious eyes.

It applies a set of rules for incoming and outgoing traffic in order to protect your website.

It’s similar to SSL, but SSL only encrypts the data; the firewall then hides it.

A Firewall Has Several Methods To Protect Your Site

  • Filtering
    • This allows the filtering of traffic so that only legitimate users can access your site, based upon rules that you set.
  • Proxy
    • A proxy is like a security guard. It is the middleman that stops bad traffic from getting to your site.
  • Inspection
    • A firewall allows you to set variables for trusted information. It then inspects all incoming data and, if the key elements do not agree with the variables you set, it doesn’t allow the data through.

These methods are an important part of keeping your site secure. They help drastically reduce the number of attacks and malicious code injections that your security service/plugin needs to handle.

What Are The Recommended Settings For Your Firewall

Most firewall and security plugins have a set standard for recommended settings, but there are a few items that are crucial to the success of its application:

  • Firewall Block Response
    • Specify how the security plugin will respond when the firewall detects malicious data.
  • Firewall White Listing and Ignore Options
    • Specify certain factors that completely bypass all Firewall checking.
    • These options should be used sparingly and with caution, since you never want to whitelist anyone, even yourself, unless you really must.
  • Firewall Blocking Options
    • There are 9 firewall options that determine what data is checked on each page request. Depending on certain incompatibilities with other plugins, you may need to disable certain options to ensure maximum compatibility.
    • These firewall options are:
      • Include cookies
      • Directory traversal
      • WordPress terms
      • Field truncation
      • PHP code
      • Exe file uploads
      • Lead schemas
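The inspection method described above and the blocking options just listed, as an added illustration in Go (not Shield's own code): a request inspector that honours an IP whitelist, a configurable block response and per-option disabling, and applies three constructed signatures (directory traversal, PHP code, exe file uploads). The type names, the sample patterns and the response strings are assumptions, not the plugin's real rule set.

```go
package main

import (
	"net/url"
	"regexp"
)

// Request models one page request: the values and uploads the firewall inspects.
type Request struct {
	ClientIP string
	Params   map[string]string // query string, POST fields and, if included, cookies
	Uploads  []string          // original filenames of uploaded files
}

// Config mirrors the article's settings: block response, whitelist and blocking options.
type Config struct {
	BlockResponse string          // action on a match, e.g. "die" or "redirect_home"
	WhitelistIPs  []string        // bypasses all checks; keep empty unless you really must
	Disabled      map[string]bool // blocking options switched off for plugin compatibility
}

// Hypothetical signatures for three of the article's blocking options; real firewalls ship far larger rule sets.
var valueRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"Directory traversal", regexp.MustCompile(`\.\.[/\\]`)},
	{"PHP code", regexp.MustCompile(`(?i)<\?php|\b(eval|base64_decode)\s*\(`)},
}
var uploadRule = regexp.MustCompile(`(?i)\.(exe|dll|bat|cmd)$`)

// inspect runs every enabled option over the request and returns the first matching option plus the configured block response; "" means the request may pass.
func inspect(cfg Config, r Request) (rule, response string) {
	for _, ip := range cfg.WhitelistIPs {
		if ip == r.ClientIP {
			return "", "" // whitelisted clients skip all checking
		}
	}
	for _, rl := range valueRules {
		for _, v := range r.Params {
			dec, err := url.QueryUnescape(v) // decode once so %2e%2e%2f cannot slip past
			if !cfg.Disabled[rl.Name] && (rl.Re.MatchString(v) || err == nil && rl.Re.MatchString(dec)) {
				return rl.Name, cfg.BlockResponse
			}
		}
	}
	if !cfg.Disabled["Exe file uploads"] {
		for _, f := range r.Uploads {
			if uploadRule.MatchString(f) {
				return "Exe file uploads", cfg.BlockResponse
			}
		}
	}
	return "", ""
}
```

The whitelist branch runs before any signature, which is exactly why the article advises using it sparingly: a whitelisted address is never inspected at all.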

This might all seem overwhelming, but luckily for you our ShieldFREE and ShieldPRO have all of the above and more inside their robust feature lists. They’re fully customizable and easy to use.

Keeping your site up and running is crucial for any business and having a reliable firewall plays a major part in that.

If you have any questions about the firewall or wish to request some features, please drop us a message in the comments section below, or contact us in our support center.

Source :
https://getshieldsecurity.com/blog/what-is-a-wordpress-firewall/

Google Chrome to Help Users Identify Untrusted Extensions Before Installation

Google on Thursday said it’s rolling out new security features to the Chrome browser aimed at detecting suspicious downloads and extensions via its Enhanced Safe Browsing feature, which it launched a year ago.

To this end, the search giant said it will now offer additional protections when users attempt to install a new extension from the Chrome Web Store, notifying if it can be considered “trusted.”

Currently, 75% of all add-ons on the platform are compliant, the company pointed out, adding “any extensions built by a developer who follows the Chrome Web Store Developer Program Policies, will be considered trusted by Enhanced Safe Browsing.”

Enhanced Safe Browsing involves sharing real-time data with Google Safe Browsing to proactively safeguard users against dangerous sites. The company also noted that its integration with Safe Browsing’s blocklist API helped improve privacy and security, with the number of malicious extensions disabled by the browser jumping by 81%.

Also coming to Chrome is a new download protection feature that scans downloaded files for malware by using metadata about the downloaded file, alongside giving users the option to send the file to be scanned for a more in-depth analysis.

“If you choose to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis classifiers in real time,” Google said. “After a short wait, if Safe Browsing determines the file is unsafe, Chrome will display a warning.”

Despite the file being labeled as potentially dangerous, users still have the option to open the file without scanning. Should users opt to scan the file, the company said the uploaded files are deleted from Safe Browsing a short time after scanning.

While it didn’t specify the exact timeframe for when this removal would happen, according to the Google Chrome Privacy Whitepaper, the company “logs the transferred data in its raw form and retains this data for up to 30 days” for all Safe Browsing requests, after which only anonymized statistics are retained.

The new features are available starting with Chrome 91, the version of the browser that was released on May 26. Users can turn on Enhanced Safe Browsing by visiting Settings > Privacy and security > Security > Enhanced protection.

Source :
https://thehackernews.com/2021/06/google-chrome-to-help-users-identify.html

Hackers Breached Colonial Pipeline Using Compromised VPN Password

The ransomware cartel that masterminded the Colonial Pipeline attack early last month crippled the pipeline operator’s network using a compromised virtual private network (VPN) account password, the latest investigation into the incident has revealed.

The development, which was reported by Bloomberg on Friday, involved gaining an initial foothold into the networks as early as April 29 through the VPN account, which allowed employees to access the company’s networks remotely.

The VPN login — which didn’t have multi-factor protections on — was unused but active at the time of the attack, the report said, adding the password has since been discovered inside a batch of leaked passwords on the dark web, suggesting that an employee of the company may have reused the same password on another account that was previously breached.

It’s, however, unclear how the password was obtained, Charles Carmakal, senior vice president at the cybersecurity firm Mandiant, was quoted as saying to the publication. The FireEye-owned subsidiary is currently assisting Colonial Pipeline with the incident response efforts following a ransomware attack on May 7 that led to the company halting its operations for nearly a week.

DarkSide, the cybercrime syndicate behind the attack, has since disbanded, but not before stealing nearly 100 gigabytes of data from Colonial Pipeline in an act of double extortion, forcing the company to pay a $4.4 million ransom shortly after the hack to avoid disclosure of sensitive information. The gang is estimated to have made off with nearly $90 million during the nine months of its operations.

The Colonial Pipeline incident has also prompted the U.S. Transportation Security Administration to issue a security directive on May 28 requiring pipeline operators to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours, in addition to mandating facilities to submit a vulnerability assessment identifying any gaps in their existing practices within 30 days.

The development comes amid an explosion of ransomware attacks in recent months, including that of Brazilian meat processing company JBS last week by Russia-linked REvil group, underscoring a threat to critical infrastructure and introducing a new point of failure that has had a severe impact on consumer supply chains and day-to-day operations, leading to fuel shortages and delays in emergency health procedures.

As the ransom demands have ballooned drastically, inflating from thousands to millions of dollars, so have the attacks on high-profile victims, with companies in energy, education, healthcare, and food sectors increasingly becoming prime targets, in turn fueling a vicious cycle that enables cybercriminals to seek the largest payouts possible.

The profitable business model of double extortion — i.e., combining data exfiltration and ransomware threats — has also resulted in attackers expanding the technique to what’s called triple extortion, wherein payments are demanded from customers, partners, and other third parties related to the initial breach to extract even more money for their crimes.

Worryingly, this trend of paying off criminal actors has also set off mounting concerns that it could establish a dangerous precedent, further emboldening attackers to single out critical infrastructure and put them at risk.

REvil (aka Sodinokibi), for its part, has begun incorporating a new tactic into its ransomware-as-a-service (RaaS) playbook that includes staging distributed denial-of-service (DDoS) attacks and making voice calls to the victim’s business partners and the media, “aimed at applying further pressure on the victim’s company to meet ransom demands within the designated time frame,” researchers from Check Point disclosed last month.

“By combining file encryption, data theft, and DDoS attacks, cybercriminals have essentially hit a ransomware trifecta designed to increase the possibility of payment,” network security firm NetScout said.

The disruptive power of the ransomware pandemic has also set in motion a series of actions, what with the U.S. Federal Bureau of Investigation (FBI) making the longstanding problem a “top priority.” The Justice Department said it’s elevating investigations of ransomware attacks to a similar priority as terrorism, according to a report from Reuters last week.

Stating that the FBI is looking at ways to disrupt the criminal ecosystem that supports the ransomware industry, Director Christopher Wray told the Wall Street Journal that the agency is investigating nearly 100 different types of ransomware, most of them traced back to Russia, while comparing the national security threat to the challenge posed by the September 11, 2001 terrorist attacks.

Update: In a Senate committee hearing on June 8, Colonial Pipeline CEO Joseph Blount said that the ransomware attack that disrupted gasoline supply in the U.S. started with the attackers exploiting a legacy VPN profile that was not intended to be in use. “We are still trying to determine how the attackers gained the needed credentials to exploit it,” Blount said in his testimony.

Besides shutting down the legacy VPN profile, Blount said extra layers of protection have been implemented across the enterprise to bolster its cyber defenses. “But criminal gangs and nation states are always evolving, sharpening their tactics, and working to find new ways to infiltrate the systems of American companies and the American government. These attacks will continue to happen, and critical infrastructure will continue to be a target,” he added.

Source :
https://thehackernews.com/2021/06/hackers-breached-colonial-pipeline.html

New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites

Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security (TLS) servers to redirect HTTPS traffic from a victim’s web browser to a different TLS service endpoint located on another IP address to steal sensitive information.

The attacks have been dubbed ALPACA, short for “Application Layer Protocol Confusion – Analyzing and mitigating Cracks in tls Authentication,” by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.

“Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session,” the study said. “This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.”

TLS is a cryptographic protocol underpinning several application layer protocols like HTTPS, SMTP, IMAP, POP3, and FTP to secure communications over a network with the goal of adding a layer of authentication and preserving integrity of exchanged data while in transit.

ALPACA attacks are possible because TLS does not bind a TCP connection to the intended application layer protocol, the researchers elaborated. The failure of TLS to protect the integrity of the TCP connection could therefore be abused to “redirect TLS traffic for the intended TLS service endpoint and protocol to another, substitute TLS service endpoint and protocol.”

Given a client (i.e., web browser) and two application servers (i.e., the intended and substitute), the goal is to trick the substitute server into accepting application data from the client, or vice versa. Since the client uses a specific protocol to open a secure channel with the intended server (say, HTTPS) while the substitute server employs a different application layer protocol (say, FTP) and runs on a separate TCP endpoint, the mix-up culminates in what’s called a cross-protocol attack.

At least three hypothetical cross-protocol attack scenarios have been uncovered, which can be leveraged by an adversary to circumvent TLS protections and target FTP and email servers. The attacks, however, hinge on the prerequisite that the perpetrator can intercept and divert the victim’s traffic at the TCP/IP layer.

Put simply, the attacks take the form of a man-in-the-middle (MitM) scheme wherein the malicious actor entices a victim into opening a website under their control to trigger a cross-origin HTTPS request with a specially crafted FTP payload. This request is then redirected to an FTP server that uses a certificate that’s compatible with that of the website, thus spawning a valid TLS session.

Consequently, the misconfiguration in TLS services can be exploited to exfiltrate authentication cookies or other private data to the FTP server (Upload Attack), retrieve a malicious JavaScript payload from the FTP server in a stored XSS attack (Download Attack), or even execute a reflected XSS in the context of the victim website (Reflection Attack).

All TLS servers that have compatible certificates with other TLS services are expected to be affected. In an experimental setup, the researchers found that at least 1.4 million web servers were vulnerable to cross-protocol attacks, with 114,197 of the servers considered prone to attacks using an exploitable SMTP, IMAP, POP3, or FTP server with a trusted and compatible certificate.

To counter cross-protocol attacks, the researchers propose utilizing Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions to TLS that can be used by a client to let the server know about the intended protocol to be used over a secure connection and the hostname it’s attempting to connect to at the start of the handshake process.
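The strict ALPN and SNI countermeasure described above, as an added example in Go (not the researchers' artifacts and not any project's code): a server-side check that aborts the handshake unless the client named this host in SNI and offered this endpoint's protocol in ALPN, so a certificate that is also valid for another service cannot be used to complete a cross-protocol session. The hostname www.example.test and the protocol identifiers are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// checkClientHello enforces strict SNI and strict ALPN on the server side: the
// handshake only proceeds when the client names this host in SNI and offers this
// endpoint's protocol in ALPN. host and proto are deployment values, assumed
// here to be e.g. "www.example.test" and "http/1.1".
func checkClientHello(hi *tls.ClientHelloInfo, host, proto string) error {
	if hi.ServerName != host {
		// an empty ServerName means the client sent no SNI at all
		return fmt.Errorf("strict SNI: client asked for %q, this endpoint serves %q", hi.ServerName, host)
	}
	if len(hi.SupportedProtos) == 0 {
		return errors.New("strict ALPN: client sent no ALPN, intended protocol cannot be confirmed")
	}
	for _, p := range hi.SupportedProtos {
		if p == proto {
			return nil // both the hostname and the application protocol match
		}
	}
	return fmt.Errorf("strict ALPN: client offered %v, this endpoint serves %q", hi.SupportedProtos, proto)
}

// strictConfig builds the server tls.Config. Without GetConfigForClient, a Go
// server accepts any SNI and accepts clients that send no ALPN; that permissive
// default is what lets a certificate valid for both hosts complete a TLS
// session with the substitute service.
func strictConfig(cert tls.Certificate, host, proto string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{proto},
		MinVersion:   tls.VersionTLS12,
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			// returning an error aborts the handshake before any application data flows
			return nil, checkClientHello(hi, host, proto)
		},
	}
}
```

Strict SNI alone does not help when the intended and substitute services share one hostname (for example HTTPS and FTPS on the same name); the ALPN check is what separates them in that case.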

The findings are expected to be presented at Black Hat USA 2021 and at USENIX Security Symposium 2021. Additional artifacts relevant to the ALPACA attack can be accessed via GitHub here.

Source :
https://thehackernews.com/2021/06/new-tls-attack-lets-attackers-launch.html