Networking Archives - Page 63 of 65 - Appunti dalla rete

UI Expands Lab With Anechoic Chambers to Deliver Products Faster

Ubiquiti’s Salt Lake City-based engineering team has expanded its regulatory compliance and engineering development laboratory to include state-of-the-art anechoic chambers: the 10/5/3 m Multi-Axis Anechoic Chamber & the 3 m Anechoic Dome-Roofed Chamber.

This laboratory expansion gives us capabilities to speed up product development cycles, ensuring product quality and improving our time to market in a growing number of countries.

10/5/3 m Multi-Axis Anechoic Chamber

Chamber 1: Frankonia SAC-10 Plus Triton chamber with three measurement axes

The Frankonia SAC-10 Plus Triton chamber (19.21 m x 12.08 m x 8.18 m) is the top-of-the-line model from the manufacturer. It’s the only one of its kind in the world outside the manufacturer’s lab.

The specialized “Triton” form factor allows us to have three different emission and immunity test setups in place at once:

Test Axis 1: Low-frequency emissions compliant with ANSI C.63.4 + CISPR 16-1-4 (NSA)
Test Axis 2: High-frequency and RF emissions compliant with ANSI C.63.10 + CISPR 16-1-4 (SVSWR)
Test Axis 3: Radiated RF Immunity compliant with IEC/EN61000-4-3 (FU)

With this setup, our engineers can perform the required electromagnetic interference (EMI) and electromagnetic susceptibility (EMS) procedures with reduced setup changes, saving hours of time with each iterative test. Keeping the same setup in place reduces the time needed to complete the tests and makes them reproducible.

The Device Under Test (DUT) is placed on a non-reflective (styrofoam) table on top of a rotating turntable. Extensive test automation actuates the test equipment, antennas, and turntable while performing the required tests at all angles.

Anechoic chambers offer excellent isolation against interference from the surrounding environment. Carefully designed and positioned absorbers significantly remove radio frequency (RF) reflections. The SAC-10 Plus Triton chamber provides a 9 kHz to 40 GHz measurement frequency range. The metal exterior shielding provides over 100 dB of attenuation from the outside world.

How much is 100 dB attenuation in practice? Consider a case with a tower-top macro LTE base station that has high-gain antennas at a distance of 5 m from the chamber. To get service inside the chamber, the phone needs at least -100 dBm signal level. With a typical equipment setup, the signal level remains below -100 dBm inside the chamber and there is no LTE service.

3 m Dome-Roofed Anechoic Chamber

Chamber 2: Frankonia SAC-3 Plus 3 m chamber with AmpliFi on the rotating measurement table

The other newly constructed chamber, the Frankonia SAC-3 Plus L (9.23 m x 6.53 m x 6.00 m), is a versatile, fully compliant Electromagnetic Compatibility (EMC) testing room. We use this chamber for emissions and immunity testing in parallel with the larger SAC-10 chamber.

The dome-shaped roof design combined with RF absorbers minimizes reflections and offers excellent measurement performance. The SAC-3 chamber provides over 110 dB isolation from the outside world. Similar to the larger chamber room, the fully automated test routines control the turntable and antenna height, as well as run the test equipment.

Anechoic — No Reflections

Electromagnetic waves are absorbed by the pyramid-shaped structures

Anechoic chambers provide significantly reduced reflections and external interference levels, making measurements repeatable and accurate.

Electromagnetic waves propagate, reflect, and refract differently depending on the frequency and surrounding structures. The following techniques are important for RF and anechoic chamber designs.

Design techniques for RF and anechoic chambers

While our chambers provide a drastic reduction in RF reflections, they are not intended to be completely anechoic by design (i.e. semi-anechoic).

Performing measurements in an anechoic chamber have certain unique consequences. Multiple-input, multiple-output (MIMO) technology used in Wi-Fi relies on multiple spatial signal paths created by reflections. Performance measurements, for example, throughput, require adding metallic RF-reflecting materials inside the chamber. Even in a perfect interference-free environment, in the absence of reflections and multipath propagation, Wi-Fi throughputs are low.

Control Room Hosts Test Equipment

Control room with test equipment

When a chamber’s door is closed, engineers work in the shielded control room with test equipment next to the chamber and oversee test progress. This eliminates any potential source of emissions from interfering with testing. Cameras inside the chamber help ensure the test setup remains intact with automated DUT position and antenna adjustments.

Accredited Accuracy, Shorter Time to Market

Governments heavily regulate RF, EMC, and safety testing. The Federal Communications Commission (FCC); Innovation, Science and Economic Development Canada (ISED); European Union directives (CE Mark), regulate RF devices and potential interference to licensed operations respectively for the US, Canada and European Union.

Since all regions and countries have their own regulations, the resulting testing effort for each new product is significant. The Salt Lake City lab’s new accreditation by the National Voluntary Laboratory Accreditation Program (NVLAP) of the National Institute of Standards and Technology (NIST) means our engineers can perform a broad range of performance and regulatory compliance tests quickly expediting product’s time-to-market.

These are the most common test requirements:

RF parameters
- RF performance, limits, and requirements for transmitters
Radiated and conducted emissions
- Limits unintentional emissions across various frequency bands and test mode
Radiated and conducted immunity
- Test for product susceptibility to external radio energy, ensuring product reliability
Static discharge, surge, and fast transient immunity
- Ensures that various magnitudes and types of voltage and current spikes can be withstood by the product without degradation of performance or abnormal behavior
Product safety
- Tests to ensure international safety standards are met or exceeded to reduce the hazard to humans and the environment
  
  Source :
  https://blog.ui.com/2019/12/04/ui-expands-lab-with-anechoic-chambers-to-deliver-products-faster/

Examining Emerging Backdoors

Next up in our “This didn’t quite make it into the 2021 Threat Report, but is still really cool” series: New backdoors!

Backdoors are a crucial component of a website infection. They allow the attackers ongoing access to the compromised environment and provide them a “foot in the door” to execute their payload. We see many different types of backdoors with varying functionality.

When our malware research team is provided with a new backdoor they need to write what’s called a “signature” to ensure that we detect and remove it in future security scans. Signatures need names, and over the years we’ve developed something of a taxonomy naming system for all of the different malware that we come across.

In this article we’re going to explore all the different categories of signatures for newly-discovered backdoors throughout the year 2021.

How do Backdoors Work?

HTTP requests to websites typically fall into one of the following categories:

POST – sending data to a website
GET – requesting data from a website
COOKIE – data (such as session data) saved from a website
REQUEST – a conjunction of all/any of the three

We see all sorts of different backdoors while cleaning up compromised websites. Sometimes they use one of these types of requests, or a combination of multiple different types.

We’ve broken all newly generated signatures from 2021 down for further analysis into the following categories:

A graph showing the distribution of new backdoor signatures generated in 2021.

Uploaders

By far the most common type of backdoor found in 2021 was an uploader: That is, a PHP script that allows the attackers to upload any file that they want. These malicious files allow anyone with the correct URL path, parameters and (occasionally) access credentials to upload whichever files they want to the web server. Typically, bad actors use these backdoors to upload a webshell, spam directory, dropper, or other type of file giving them full control over the environment.

To avoid detection, attackers are always tweaking their malware by using new methods of obfuscation or concealing backdoors within legitimate-looking images, core files, plugins, or even themes — this can make malicious file uploaders difficult to detect during a casual site review.

Once an attacker has identified a vulnerable environment that they can get a foothold in, planting the uploader is often the next step. After that they have enough access to upload more complicated access points such as a webshell.

Of course there are legitimate uploader scripts, as many websites require functionality to allow users to upload photos or other content to the website. To mitigate risk, secure uploader scripts contain strict rules on how they are able to behave:

Only certain file types/extensions are allowed (usually image, or document files)
May require authorisation cookies to be set
May place files in a restricted directory with PHP execution disabled
May disable direct access and instead need to be called by the existing CMS structure

Malicious uploaders, on the other hand, have no such restrictions as they are designed to upload malicious files and PHP scripts.

WebShells

Webshells are a classic type of malware that have been used by attackers for many years. They are administrative dashboards that give the attacker full access to the files and often provide a large amount of information about the hosting environment including operating system, PHP settings, web server configurations, file management, and SQL connections.

The classic FilesMan shell continues to be very popular with attackers. In 2021 we generated 20 new signatures related to new filesman variants alone, not including hack tools which grab filesman shells from remote servers.

Interestingly, a lot of malicious web shells provide far superior functionality than a lot of file managers provided by web hosting providers.

Misc RCE

Sometimes remote code execution backdoors are a little more complicated, or just rely on more basic/generic $_REQUEST calls. This is a PHP global array that contains the content of GET, POST and COOKIE inputs. The content of these variables could be anything and the attacker can fill them — e.g. with the payload — which is then processed. Sometimes the entire payload code is stored there and only very simple code snippets are injected into legitimate files. Such a snippet only loads and executes the content of these variables.

Other times, RCE backdoors make use of multiple different functions and request types.

Generic

Not falling into any particular category are our collection of “generic” backdoors. They tend to use a mixture of different functions and methods to maintain backdoor access to the environment. Some are heavily obfuscated and others are mostly in plain text, but what unites them is that they don’t rely on any one technique to backdoor the environment in which they reside.

FILE_GET_CONTENTS

The PHP function file_get_contents fetches a local file or remote file. As far as backdoors are concerned, attackers misuse this function to grab malicious files located on other websites or servers and add it to the victim’s website. This allows them to host the actual malicious content elsewhere, while maintaining all of the same functionality on the victim environment.

Here we have a very simple backdoor using file_get_contents to grab a backdoor from a malicious server. The actual address is obfuscated through use of a URL shortening service:

The footprint of this malware is very small as the payload resides elsewhere, but the functionality is potentially huge.

Remote Code Execution Backdoors

Not to be confused with remote code execution vulnerabilities, these backdoors are crafted to take whatever command is issued to it by the attacker and execute it in the victim’s environment. These PHP backdoors are often more complex than uploaders and allow the attackers more leeway in terms of how they can interact with the victim website.

If a request is sent that matches the parameters of the backdoor it will execute whichever command the attacker instructs so long as it doesn’t get blocked by any security software or firewall running within the environment.

Here’s another example of a quite well hidden RCE backdoor in a Magento environment:

A well-hidden RCE backdoor in a Magento environment

Attackers make heavy use of the eval function which executes the command in the victim environment.

FILE_PUT_CONTENTS

These backdoors utilise the PHP function file_put_contents which will write the instructed content to a file on the victim environment.

Here is an example of such a backdoor lodged in a WordPress configuration file wp-config.php:

This backdoor writes the specified malicious content into the file structure of the victim website given the correct parameters in the attacker’s request, allowing them to infect other files on the server with the content of their choice.

cURL

The curl() function facilitates the transmission of data. It can be used maliciously to download remote code which can be executed or directly displayed. This way, malware authors are able to create a small backdoor that only has this curl functionality implemented while the payload itself can be downloaded from a remote source.

It has many uses, and as such can be misused in many ways by attackers. We have seen it used frequently in credit card skimmers to transmit sensitive details to exfiltration destinations. It can also be used in RCE backdoors:

Since the attackers have crafted a backdoor to (mis)use curl, and they control the parameters under which it will function, in this way they are able to send or receive malicious traffic to and from the website, depending on how the backdoor is designed.

Authentication Bypass

These types of backdoors are most often seen in WordPress environments. They are small PHP scripts which allow the attacker to automatically log in to the administrator panel without needing to provide any password.

As long as they include the database configuration file in the script then they are able to set the necessary cookies for authorization, as seen in this example here:

A backdoor which bypasses normal authentication

The existence of such backdoors presents a case that additional authentication requirements should be employed within website environments. Protecting your admin panel with our firewall’s protected page feature is a great way to do this.

If you’re not a user of our firewall there are a lot of other ways that your admin panel can be protected.

Basic RCE via POST

Backdoors that take input through POST requests are quite common and many of the backdoor types that we’ve seen contain such functionality. Some of them, however, are quite small and rely exclusively on POST requests.

The example below shows one such backdoor, coupled with basic password protection to ensure that the backdoor is not used by anybody that does not have access to the password.

A basic remote code execution backdoor which uses POST

Fake Plugins

Another tactic that we’ve seen attackers use is the use of fake plugins. This is frequently used as a payload to deliver spam and malware, since WordPress will load the components present in the ./wp-content/plugins directory.

We’ve also seen attackers use these plugins as backdoors to maintain access to compromised environments.

A fake plugin in a WordPress environment

Since admin panel compromises are a very common attack vector, the usage of fake/malicious backdoor plugins is quite popular with attackers.

System Shell Backdoors

Attackers have also written malware that interacts with the hosting environment itself and will attempt to run shell commands via PHP scripts in the environment. This is not always possible, depending on the security settings of the environment, but here’s an example of one such backdoor:

If system() is disabled in the environment then these will not work, so the functionality of such backdoors will be limited by the security settings in the host.

COOKIE Based Backdoors

Some malware creators use COOKIES as a storage for various data. These can be decryption keys used to decode an otherwise inaccessible payload, or even the entire malicious payload itself.

CREATE_FUNCTION

The create_function() is often used by malware instead of (or in conjunction with) the eval() function to hide the execution of the malicious code. The payload is encapsulated inside the crafted custom function, often with an obfuscated name to make the functionality less clear.

This function is then called somewhere else within the code, and thus the payload is evaluated. Backdoors have been found to abuse this to place their payload back on the infected website after it was removed.

A backdoor which creates a malicious function in the victim environment

RCE via GET

Backdoors have also been seen using GET requests for input, rather than POST requests. In the example below we can see that the backdoor will execute the malicious payload if a GET request contains a certain string.

A remote code execution backdoor which uses GET

This allows the attackers to restrict the usage of the backdoor to only those who know the exact parameters to specify in the malicious GET request to the website. If the correct parameters are given then the backdoor will execute its intended function.

Database Management Backdoors

Most often attackers will misuse tools such as Adminer to insert malicious content into the victim website’s database, but occasionally we have seen them craft their own database management tools. This allows them to insert admin users into the website as well as inject malicious JavaScript into the website content to redirect users to spam or scam websites or steal credit card information from eCommerce environments.

Conclusion & Mitigation Steps

Backdoors play a crucial role for the attackers in a huge number of website compromises. Once the attackers are able to gain a foothold into an environment their goal is to escalate the level of access they have as much as possible. Certain vulnerabilities will provide them access only to certain directories. For example, a subdirectory of the wp-content/uploads area of the file structure.

Often the first thing they will do is place a malicious uploader or webshell into the environment, giving them full control over the rest of the website files. Once that is established they are able to deliver a payload of their choosing.

If default configurations are in place in a standard WordPress/cPanel/WHM configuration a single compromised admin user on a single website can cause the entire environment to be infected. Attackers can move laterally throughout the environment by the use of symlinks even if the file permissions/ownership are configured correctly.

Malicious actors are writing new code daily to try to evade existing security detections. As security analysts and researchers it’s our job to stay on top of the most recent threats and ensure that our tools and monitoring detect it all.

Throughout the year 2021 we added hundreds of new signatures for newly discovered backdoors. I expect we’ll also be adding hundreds more this year.

If you’d like us to help you monitor and secure your website from backdoors and other threats you can sign up for our platform-agnostic website security services.

Source :
https://blog.sucuri.net/2022/05/examining-emerging-backdoors.html

Massive WordPress JavaScript Injection Campaign Redirects to Ads

Our remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with the intention of generating illegitimate traffic.

As outlined in our latest hacked website report, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.

Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

Investigating Obfuscated JavaScript in WordPress Sites

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.

The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files such as:

./wp-includes/js/jquery/jquery.min.js
./wp-includes/js/jquery/jquery-migrate.min.js

Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”

However, it was clear that the attackers had taken some measures to evade detection and had obfuscated their malicious JavaScript with CharCode, as seen below.

Malicious JavaScript injection obfuscated with CharCode

Once deobfuscated, the true behavior of the injection emerged.

Deobfuscated malicious JavaScript redirects site visitors on page load

This JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the attacker’s destination.

Malicious Chain of Redirects

To accomplish these redirects, the malicious injection creates a new script element with the legendarytable[.]com domain as the source.

The code from the legendarytable[.]com domain then calls to a second external domain — local[.]drakefollow[.]com — which calls from links[.]drakefollow[.]com, redirecting the site visitor to one of many different domains including:

bluestringline[.]com
browntouchmysky[.]com
redstringline[.]com
whitetouchmysky[.]com
gregoryfavorite[.]space
gregoryfavorite[.]top
pushnow[.]net/

At this point, it’s a free for all. Domains at the end of the redirect chain may be used to load advertisements, phishing pages, malware, or even more redirects.

From a site visitor’s perspective, they’ll simply see the following malware page before landing on the final destination.

This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open — and ads will look like they come from the operating system, not from a browser.

These sneaky push notification opt-in maneuvers also happen to be one of the most common ways attackers display “tech support” scams, which inform users that their computer is infected or slow and they should call a toll-free number to fix the problem.

Detecting Malicious JavaScript via SiteCheck

Client-side redirects are initiated by the site visitors’ browser once the infected web page has been loaded. Since this particular infection is found client-side, remote website scanners like SiteCheck can help scan a website and identify this malware.

Here’s an example of a SiteCheck results page for this specific campaign.

SiteCheck results for malicious Javascript injection

At the time of writing, PublicWWW has reported 322 websites impacted by this new wave for the malicious drakefollow[.]com domain. Considering that this count doesn’t include obfuscated malware or sites that have not yet been scanned by PublicWWW, the actual number of impacted websites is likely much higher.

Conclusion & Mitigation Steps

Our team has seen an influx in complaints for this specific wave of the massive campaign targeting WordPress sites beginning May 9th, 2022, which has impacted hundreds of websites already at the time of writing.

It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.

If you believe that your website has been infected with malicious JavaScript or you have found unwanted redirects to spam or ads on your site, you can use our free remote website scanner to detect the malware.

Website owners who have identified malware on their website can leverage the instructions found in our hacked WordPress cleanup guide — and, as always, we’re happy to help clean up an infection if you need a hand.

Source :
https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html

Ferrari subdomain hijacked to push fake Ferrari NFT collection

One of Ferrari’s subdomains was hijacked yesterday to host a scam promoting fake Ferrari NFT collection, according to researchers.

What makes the scam particularly interesting is the fact that the luxury carmaker had earlier announced plans to launch NFTs in partnership with tech firm Velas.

The Ethereum wallet associated with the cryptocurrency scam appears to have collected a few hundred dollars before the hacked subdomain was shut down.

Ferrari’s site featured ‘Mint your Ferrari’ crypto scam

On Thursday, ethical hacker and bug bounty hunter Sam Curry reported seeing one of Ferrari’s subdomains forms.ferrari.com hosting a fake NFT (Non-Fungible Token) scam.

An NFT, or Non-Fungible Token, is data stored on a cryptocurrency blockchain that a digital certificate has signed to prove that it is unique and cannot be copied.

Last year, Ferrari announced plans to launch NFT products in partnership with tech firm Velas, making this scam all very convincing.

The crypto scam titled “Mint your Ferrari” enticed visitors to buy NFT tokens, falsely touting that Ferrari introduced “a collection of 4,458 horsepower [sic] NFTs on the Ethereum network.”https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3R3ZWV0X3Jlc3VsdF9taWdyYXRpb25fMTM5NzkiOnsiYnVja2V0IjoidHdlZXRfcmVzdWx0IiwidmVyc2lvbiI6MX19&frame=false&hideCard=false&hideThread=false&id=1522037756754550784&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fferrari-subdomain-hijacked-to-push-fake-ferrari-nft-collection%2F&sessionId=3ea6c8cb6e39f794149bacd26675e44783eff546&siteScreenName=BleepinComputer&theme=light&widgetsVersion=c8fe9736dd6fb%3A1649830956492&width=550px

Additional investigation by Curry and security engineer who goes by the moniker d0nut revealed that attackers exploited an Adobe Exeprience Manager flaw to hack the subdomain and host their crypto scam.

“After looking a bit deeper… it seems this was an Adobe Experience Manager exploit. You can still find the remnants of the unhacked site by dorking around a bit,” wrote Curry.

BleepingComputer has reached out to Ferrari for comment before publishing and we await a response.

Over $800 collected before domain takedown

Keen-eyed Twitter user root@rebcesp observed the Ethereum wallet had collected a little over $800 of funds ever since the scam went up.https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-1&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3R3ZWV0X3Jlc3VsdF9taWdyYXRpb25fMTM5NzkiOnsiYnVja2V0IjoidHdlZXRfcmVzdWx0IiwidmVyc2lvbiI6MX19&frame=false&hideCard=false&hideThread=true&id=1522042363367112704&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fferrari-subdomain-hijacked-to-push-fake-ferrari-nft-collection%2F&sessionId=3ea6c8cb6e39f794149bacd26675e44783eff546&siteScreenName=BleepinComputer&theme=light&widgetsVersion=c8fe9736dd6fb%3A1649830956492&width=550px

The Ethereum wallet address associated with the scam is shown below, with the wallet balance having dropped today to approximately $130, as seen by BleepingComputer.0xD88e1C6EC0a2479258A6d2aB59D9Ae5F2874bC44

Thankfully, Etherscan has flagged the wallet address as reports emerged of suspicious activity linked to the wallet.

BleepingComputer observed the hacked Ferrari subdomain has now been taken down and throws an HTTP 403 error code:

**Ferrari Forms subdomain shut down** (BleepingComputer)

The mainstream attention garnered by NFTs can be attributed to their rapid adoption by artists selling their digital art for cryptocurrency at popular websites such as Rarible and OpenSea.

Just recently, an artist known as Beeple sold an NFT digital picture for $69 million in Christie’s auction.

As such, NFT scams and thefts are one of the newest forms of cryptocurrency fraud on the rise.

Just this week, BleepingComputer reported seeing Pixiv and DeviantArt artists being targeted by NFT job offers to push malware.

Last month popular NFT marketplace Rarible was targeted by scammers and malware authors.

It’s tempting to dismiss these crypto scams thinking no one falls for them, but, similar crypto scams have been hugely successful and generated hundreds of thousands of dollars in the past.

In 2018 crypto scammers had made $180K in a single day. In 2021, Twitter suffered a massive attack with threat actors walking away with $580K in a week. And, in February last year, we saw another incidence of crypto scammers making at least $145,000.

By September last year, Bitcoin.org had been hacked with attackers having successfully stolen $17,000 from unwary users in a similar scam.

Source :
https://www.bleepingcomputer.com/news/security/ferrari-subdomain-hijacked-to-push-fake-ferrari-nft-collection/

This World Password Day consider ditching passwords altogether

Did you know that May 5, 2022, is World Password Day?¹ Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second—nearly doubling in frequency over the past 12 months.²

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

Download and install Microsoft Authenticator (linked to your personal Microsoft account).
Sign in to your Microsoft account.
Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
Select Turn on.
Approve the notification from Authenticator.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.³ For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

At least 12 characters long.
A combination of uppercase and lowercase letters, numbers, and symbols.
Not a word that can be found in a dictionary, or the name of a person, product, or organization.
Completely different from your previous passwords.
Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

Only share personal information in real-time—in person or by phone. (Be careful on social media.)
Be skeptical of messages with links, especially those asking for personal information.
Be on guard against messages with attached files, even from people or organizations you trust.
Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
Ensure all the apps on your device are legitimate (only from your device’s official app store).
Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Source :
https://www.microsoft.com/security/blog/2022/05/05/this-world-password-day-consider-ditching-passwords-altogether/

NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks

The National Institute of Standards and Technology (NIST) on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector.

“It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination,” NIST said in a statement.

The new directive outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices.

The development follows an Executive Order issued by the U.S. President on “Improving the Nation’s Cybersecurity (14028)” last May, requiring government agencies to take steps to “improve the security and integrity of the software supply chain, with a priority on addressing critical software.”

It also comes as cybersecurity risks in the supply chain have come to the forefront in recent years, in part compounded by a wave of attacks targeting widely-used software to breach dozens of downstream vendors all at once.

According to the European Union Agency for Cybersecurity’s (ENISA) Threat Landscape for Supply Chain Attacks, 62% of 24 attacks documented from January 2020 to early 2021 were found to “exploit the trust of customers in their supplier.”

“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens and one of the publication’s authors. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

Source :
https://thehackernews.com/2022/05/nist-releases-updated-guidance-for.html

Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies

An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.

Dubbed “Operation CuckooBees” by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.

Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.

“The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,” the researchers said.

“In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company’s business units, network architecture, user accounts and credentials, employee emails, and customer data.”

Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, is known to be active since at least 2007.

“The group’s intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors,” Secureworks notes in a threat profile of the actor.

The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell with the goal of conducting reconnaissance, lateral movement, and data exfiltration activities.

It’s both complex and intricate, following a “house of cards” approach in that each component of the killchain depends on other modules in order to function, rendering analysis exceedingly difficult.

“This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order,” the researchers explained.

The data harvesting is facilitated by means of a modular loader called Spyder, which is used to decrypt and load additional payloads. Also used are four different payloads — STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG — that are sequentially deployed to drop the WINNKIT, a kernel-level rootkit.

Crucial to the stealthiness of the campaign is the use of “rarely seen” techniques such as the abuse of Windows Common Log File System (CLFS) mechanism to stash the payloads, enabling the hacking group to conceal their payloads and evade detection by traditional security products.

Interestingly, parts of the attack sequence were previously detailed by Mandiant in September 2021, while pointing out the misuse of CLFS to hide second-stage payloads in an attempt to circumvent detection.

The cybersecurity firm attributed the malware to an unknown actor, but cautioned that it could have been deployed as part of a highly targeted activity.

“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files,” Mandiant said at the time. “This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions.”

WINNKIT, for its part, has a compilation timestamp of May 2019 and has almost zero detection rate in VirusTotal, highlighting the evasive nature of the malware that enabled the authors to stay undiscovered for years.

The ultimate goal of the intrusions, the researchers assessed, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.

“Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests,” Cybereason said. “The threat [actor] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long.”

Source :
https://thehackernews.com/2022/05/chinese-hackers-caught-stealing.html

Google Releases First Developer Preview of Privacy Sandbox on Android 13

Google has officially released the first developer preview for the Privacy Sandbox on Android 13, offering an “early look” at the SDK Runtime and Topics API to boost users’ privacy online.

“The Privacy Sandbox on Android Developer Preview program will run over the course of 2022, with a beta release planned by the end of the year,” the search giant said in an overview.

A “multi-year effort,” Privacy Sandbox on Android aims to create technologies that’s both privacy-preserving as well as keep online content and services free without having to resort to opaque methods of digital advertising.

The idea is to limit sharing of user data with third-parties and operate without cross-app identifiers, including advertising ID, a unique, user-resettable string of letters and digits that can be used to track users as they move between apps.

Google originally announced its plans to bring Privacy Sandbox to Android earlier this February, following the footsteps of Apple’s App Tracking Transparency (ATT) framework.

Integral to the proposed initiative are two key solutions —

SDK Runtime, which runs third-party code in mobile apps such as software development kits (SDKs), including those for ads and analytics, in a dedicated sandbox, and
Topics API, which gleans “coarse-grained” interest signals on-device based on a user’s app usage that are then shared with advertisers to serve tailored ads without cross-site and cross-app tracking

To address criticisms that the model could possibly give Google an unfair advantage, the tech behemoth noted that the privacy-oriented systems will be developed as part of the Android Open Source Project (AOSP) to ensure transparency into the design and implementation of these solutions.

“Android will collaborate with the entire industry and app ecosystem on the journey to a more privacy-first mobile platform, and one which supports a rich diversity of value-exchange that benefits users, developers, and advertisers,” the company said.

Source :
https://thehackernews.com/2022/05/google-releases-first-developer-preview.html

Cloudflare Thwarts Record DDoS Attack Peaking at 15 Million Requests Per Second

Cloudflare on Wednesday disclosed that it acted to mitigate a 15.3 million request-per-second (RPS) distributed denial-of-service (DDoS) attack. The web infrastructure and website security company called it one of the “largest HTTPS DDoS attacks on record.”

“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” Cloudflare’s Omer Yoachimik and Julien Desgats said. “Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it.”

The volumetric DDoS attack is said to have lasted less than 15 seconds and targeted an unnamed Cloudflare customer operating a crypto launchpad.

Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor’s control.

distributed denial-of-service (DDoS) attack

Cloudflare said the latest attack was launched from a botnet consisting of roughly 6,000 unique compromised devices, with 15% of the attack traffic emanating from Indonesia, followed by Russia, Brazil, India, Colombia, and the U.S.

“What’s interesting is that the attack mostly came from data centers,” Yoachimik and Desgats noted. “We’re seeing a big move from residential network Internet Service Providers (ISPs) to cloud compute ISPs.”

Record-setting DDoS attacks have become increasingly common in recent months. In August 2021, Cloudflare disclosed what it characterized as the largest application-layer attack ever seen, and, earlier this year, Microsoft revealed that it had prevented multiple DDoS attacks that crossed 2.4 terabits per second (Tbps).

In addition, cybersecurity firm Kaspersky revealed this week that the number of DDoS attacks hit an all-time high in the first quarter of 2022, jumping 4.5 times year-over-year, largely driven by Russia’s invasion of Ukraine.

“The DDoS attack landscape in Q1 was strongly influenced by the geopolitical situation: since the end of February, we have seen a surge in hacktivist activity and the emergence of a large number of spontaneous botnets that users connected to voluntarily,” the Russian company said.

Source :
https://thehackernews.com/2022/04/cloudflare-thwarts-record-ddos-attack.html

Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices

Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products.

The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called uClibc and uClibc-ng that are used for developing embedded Linux systems.

uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, potentially exposing millions of IoT devices to security threats.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Giannis Tsaraias and Andrea Palanca of Nozomi Networks said in a Monday write-up.

DNS poisoning, also referred to as DNS spoofing, is the technique of corrupting a DNS resolver cache — which provides clients with the IP address associated with a domain name — with the goal of redirecting users to malicious websites.

The vulnerability in uClibc and uClibc-ng is the result of having a predictable transaction ID assigned to each DNS lookup and their static use of source port 53, effectively defeating source port randomization protections.

Successful exploitation of the bug could allow an adversary to carry out Man-in-the-Middle (MitM) attacks and corrupt the DNS cache, effectively rerouting internet traffic to a server under their control.

Nozomi Networks cautioned that the vulnerability could be trivially exploited in a reliable manner should the operating system be configured to use a fixed or predictable source port.

“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” the researchers said.

Source :
https://thehackernews.com/2022/05/unpatched-dns-related-vulnerability.html