Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.


Red Hat's Next Steps, According to Its New CEO and Chairman

LinuxSecurity.com - 20 July 2022 - 14:21
Where does Red Hat go from here? Here's what Matt Hicks, CEO, and Paul Cormier, the chairman, have to say. According to Hicks, "We'll continue to invest a lot in security. That was the foundation that Red Hat was built on. That you can get open-source innovation and deploy it with trust. Nothing has changed with that other than we certainly secure a lot more software today."
Category: Hacking & Security

Magecart Serves Up Card Skimmers on Restaurant-Ordering Systems

Threatpost - 20 July 2022 - 14:14
300 restaurants and at least 50,000 payment cards compromised by two separate campaigns against MenuDrive, Harbortouch and InTouchPOS services.
Category: Hacking & Security

New Rust-based Ransomware Family Targets Windows, Linux, and ESXi Systems

The Hacker News - 20 July 2022 - 14:00
Kaspersky security researchers have disclosed details of a brand-new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the programming language. Luna, as it's called, is "fairly simple" and can run on Windows, Linux, and ESXi systems, with the malware banking on a combination of Curve25519 and AES for encryption. "Both the Linux and ESXi ...
Category: Hacking & Security

Popular Chinese car GPS tracker is full of holes. Attackers can track other people's location and even shut off the engine remotely

Zive.cz - security - 20 July 2022 - 13:45
Original headline: Security holes in a Chinese device for tracking cars via GPS allow location discovery or remote engine shutdown. Millions of cars worldwide are exposed by security flaws in the popular Micodus MV720 GPS tracker, sold on Amazon, Aliexpress, Ebay, ...
Category: Hacking & Security

This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies

The Hacker News - 20 July 2022 - 13:44
The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021. "8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne ...
Category: Hacking & Security

Complete Guide to Vulnerability Basics

LinuxSecurity.com - 20 July 2022 - 13:00
The popularity of web applications is constantly growing as businesses and corporations host several services through them. However, companies and businesses that do have web applications still face the threat of vulnerabilities. A vulnerability is a flaw in your system that hackers may exploit to obtain unauthorized access, run malicious code, install malware, and perhaps steal sensitive information. Remediating these vulnerabilities can be near impossible, especially since most small businesses, corporations, and even daily users lack the resources to fix several vulnerabilities at a time.
Category: Hacking & Security

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

The Hacker News - 20 July 2022 - 11:44
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of ...
Category: Hacking & Security

Dealing With Alert Overload? There's a Guide For That

The Hacker News - 20 July 2022 - 11:23
The Great Resignation – or the Great Reshuffle as some are calling it – and the growing skills gap have been dominating headlines lately. But these issues aren't new to the cybersecurity industry. While many are just now hearing about employee burnout, security teams have faced the reality and serious consequences of burnout for years. One of the biggest culprits? Alert overload. The average ...
Category: Hacking & Security

Luna and Black Basta — new ransomware for Windows, Linux and ESXi

Kaspersky Securelist - 20 July 2022 - 10:00

Introduction

In our crimeware reporting service, we analyze the latest crime-related trends we come across. If we look back at what we covered last month, we will see that ransomware (surprise, surprise!) definitely stands out. In this blog post, we provide several excerpts from last month’s reports on new ransomware strains.

Luna: brand-new ransomware written in Rust

Last month, our Darknet Threat Intelligence active monitoring system notified us of a new advertisement on a darknet ransomware forum.

As one can see from the advertisement, the malware is written in Rust and runs on Windows, Linux and ESXi systems. Armed with this knowledge, we went hunting for samples, finding a few via the Kaspersky Security Network (KSN).

Figure: Command line options available in Luna

Judging by the command line options available, Luna is fairly simple. The encryption scheme it uses, however, is not so typical, as it involves x25519 and AES, a combination not often encountered in ransomware schemes.

Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version. For example, if the Linux samples are executed without command line arguments, they will not run. Instead, they will display available arguments that can be used. The rest of the code has no significant changes from the Windows version.

The advertisement states that Luna only works with Russian-speaking affiliates. Also, the ransom note hardcoded inside the binary contains spelling mistakes. For example, it says “a little team” instead of “a small team”. Because of this, we assume with medium confidence that the actors behind Luna are speakers of Russian. Since Luna is a freshly discovered group, there is still little data on its victimology, but we at Kaspersky are following Luna’s activity.

Luna confirms the trend towards cross-platform ransomware: current ransomware gangs rely heavily on languages like Golang and Rust. Notable examples include BlackCat and Hive. Because these languages are platform agnostic, ransomware written in them can easily be ported from one platform to others, so a single code base can target different operating systems at once. In addition, binaries produced by these cross-platform toolchains are harder to handle with static analysis.

Black Basta

Black Basta is a relatively new ransomware variant written in C++ which first came to light in February 2022. The malware, the infrastructure and the campaign were still in development mode at the time. For example, the victim blog was not online yet, but the Black Basta website was already available to victims.

Black Basta supports the command line argument “-forcepath” that is used to encrypt only files in a specified directory. Otherwise, the entire system, with the exception of certain critical directories, is encrypted.

Two months after the first encounter, in April, the ransomware had grown more mature. New functionality included rebooting the system into safe mode before encryption and mimicking Windows services for persistence.

The safe-mode reboot functionality is not something we come across every day, even though it has its advantages. For example, some endpoint solutions do not run in safe mode, meaning the ransomware will not be detected and files in the system can be “easily” encrypted. In order to start in safe mode, the ransomware executes the following commands (the first through the SysNative alias that a 32-bit process sees, the second with the native System32 path):

  • C:\Windows\SysNative\bcdedit /set safeboot network
  • C:\Windows\System32\bcdedit /set safeboot network
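The two commands above make a straightforward process-creation detection: very little legitimate software sets the safeboot value on a workstation, and because the binary may be reached through the SysNative alias as well as System32, a rule should match on the bcdedit executable name and its arguments rather than on a full path. The Python below is an added example, not Kaspersky's or Black Basta's code; it runs over constructed Sysmon-style process-creation records. The record format, the update.exe parent process and the list of benign parents are assumptions made for the example, and the rule accepts any of bcdedit's three safeboot values, not only the "network" value the article reports.

```python
import re
from dataclasses import dataclass

# Matches "bcdedit [...] /set [{id}] safeboot <minimal|network|dsrepair>" regardless of
# path (System32 or the SysNative alias a 32-bit process sees), quoting or letter case.
SAFEBOOT_SET = re.compile(
    r"""(?ix)
    (?:^|[\\/\s"])bcdedit(?:\.exe)?"?\s+   # bcdedit, with or without path/.exe/quotes
    (?:.*?\s)?/set\s+                      # /set, possibly after other arguments
    (?:\{[^}]+\}\s+)?                      # optional boot-entry id such as {current}
    safeboot\s+(minimal|network|dsrepair)\b
    """
)


@dataclass
class Finding:
    line_no: int
    parent_image: str
    safeboot_value: str
    command_line: str


def parse_record(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' record (constructed log format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(lines) -> list:
    """Return a Finding for every process-creation record whose command line sets safeboot."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        m = SAFEBOOT_SET.search(cmd)
        if m:
            findings.append(Finding(n, rec.get("ParentImage", ""), m.group(1).lower(), cmd))
    return findings


def suspicious_parents(findings) -> set:
    """Parent processes outside the usual admin shells deserve the first look (assumed list)."""
    benign = {
        r"c:\windows\system32\cmd.exe",
        r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    }
    return {f.parent_image for f in findings if f.parent_image.lower() not in benign}


# Constructed sample records modelled on Sysmon event 1 fields; not real telemetry.
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Users\Public\update.exe|CommandLine=C:\Windows\SysNative\bcdedit /set safeboot network",
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Users\Public\update.exe|CommandLine=C:\Windows\System32\bcdedit /set safeboot network",
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=bcdedit /enum",
    r'EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine="C:\Windows\System32\bcdedit.exe" /set {current} safeboot minimal',
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"EventID=1|Image=C:\Windows\System32\shutdown.exe|ParentImage=C:\Users\Public\update.exe|CommandLine=shutdown /r /t 0",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: safeboot={f.safeboot_value} parent={f.parent_image} :: {f.command_line}")
    print("parents to triage:", suspicious_parents(hits))
```

The fifth record is deliberately a near miss: `bcdedit /set {default} bootstatuspolicy ignoreallfailures` is also common ransomware behaviour but does not touch safeboot, so a rule keyed on the `/set ... safeboot` argument pair, not on bcdedit alone, keeps the alert specific to the safe-mode reboot described above.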

Earlier versions of Black Basta contained a different ransom note from the one currently used, which showed similarities to the ransom note used by Conti. This is not as odd as it may seem, because Black Basta was still in development mode at the time.

Figure: Ransom notes comparison

To ascertain whether there was any code overlap between Conti and the earlier versions of Black Basta, we fed a few samples to the Kaspersky Threat Attribution Engine (KTAE). As the figure shows, only strings overlap; there is no overlap in code per se.

Figure: Overlap with Conti ransomware

Black Basta for Linux

In another report we wrote last month, we discussed the Black Basta version for Linux. It was specifically designed to target ESXi systems, but it could be used for general encryption of Linux systems as well, although that would be a bit cumbersome.

Just like the version for Windows, the Linux version supports only one command line argument: “-forcepath”. When it is used, only the specified directory is encrypted. If no arguments are given, the “/vmfs/volumes” folder is encrypted.

The encryption scheme for this version uses ChaCha20 and multithreading to speed up the encryption process by using the different processors in the system. Given that ESXi environments typically use multiple CPUs to execute a VM farm, the malware’s design, including the chosen encryption algorithm, allows the operator to have the environment encrypted as quickly as possible. Prior to encrypting a file, Black Basta runs the chmod command on it so that the file becomes accessible to the process under its current user privileges.

Black Basta targets

Analysis of the victims posted by the Black Basta group revealed that to date, the group has managed to attack more than forty different victims within a very short time. The victim blog showed that various business sectors were affected, including manufacturing, electronics, contractors, etc. Based on our telemetry, we could see further hits across Europe, Asia and the United States.

Conclusion

Ransomware remains a big problem for today’s society. As soon as some families come off the stage, others take their place. For this reason, it is important to stay on top of all developments in the ransomware ecosystem, so one can take appropriate measures to protect the infrastructure.

A trend, which we also discussed in our previous blog post, is that ESXi systems are increasingly targeted. The aim is to cause as much damage as possible. Luna and Black Basta are no exceptions. We expect that new variants will support encryption of VMs by default as well.

For questions or more information about our crimeware reporting service, please contact crimewareintel@kaspersky.com.

Russian Hackers Tricked Ukrainians with Fake "DoS Android Apps to Target Russia"

The Hacker News - 20 July 2022 - 07:58
Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites. Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and ...
Category: Hacking & Security

Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads

The Hacker News - 20 July 2022 - 06:03
The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems. "These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022," Palo Alto Networks Unit 42 said in a Tuesday ...
Category: Hacking & Security

Retbleed Fixed in Linux Kernel, Patch Delayed

LinuxSecurity.com - 20 July 2022 - 00:37
Linus Torvalds says Retbleed has been addressed in the Linux kernel, but code complexity means the release will be delayed by a week to give more time for testing.
Category: Hacking & Security

DNS-over-HTTP/3 in Android

Google Security Blog - 19 July 2022 - 18:59

Posted by Matthew Maurer and Mike Yu, Android team

To help keep Android users’ DNS queries private, Android supports encrypted DNS. In addition to existing support for DNS-over-TLS, Android now supports DNS-over-HTTP/3 which has a number of improvements over DNS-over-TLS.

Most network connections begin with a DNS lookup. While transport security may be applied to the connection itself, that DNS lookup has traditionally not been private by default: the base DNS protocol is raw UDP with no encryption. While the internet has migrated to TLS over time, DNS has a bootstrapping problem. Certificate verification relies on the domain of the other party, which requires either DNS itself, or moves the problem to DHCP (which may be maliciously controlled). This issue is mitigated by central resolvers like Google, Cloudflare, OpenDNS and Quad9, which allow devices to configure a single DNS resolver locally for every network, overriding what is offered through DHCP.

In Android 9.0, we announced the Private DNS feature, which uses DNS-over-TLS (DoT) to protect DNS queries when enabled and supported by the server. Unfortunately, DoT incurs overhead for every DNS request. An alternative encrypted DNS protocol, DNS-over-HTTPS (DoH), is rapidly gaining traction within the industry as DoH has already been deployed by most public DNS operators, including the Cloudflare Resolver and Google Public DNS. While using HTTPS alone will not reduce the overhead significantly, HTTP/3 uses QUIC, a transport that efficiently multiplexes multiple streams over UDP using a single TLS session with session resumption. All of these features are crucial to efficient operation on mobile devices.
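The DoH message format is the same whether it rides over HTTP/2 or HTTP/3: the client sends a wire-format DNS message either as a POST body or base64url-encoded in the `dns` parameter of a GET, and receives a wire-format DNS message with content type application/dns-message (RFC 8484). The Python below is an added example, not code from this post or from Android; it builds the query, forms the GET URL and parses a constructed reply. The resolver URL https://dns.google/dns-query is Google Public DNS's documented DoH endpoint, the answer address in the sample reply is made up, and the HTTP/3-over-QUIC transport that the post's performance argument is about is not shown here.

```python
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a DNS query message. ID is 0 and the flags carry only RD, as RFC 8484
    section 4.1 recommends, so identical queries produce identical, cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, message: bytes) -> str:
    """DoH GET form: the message goes in the 'dns' query parameter as base64url
    with the trailing '=' padding removed (RFC 8484 section 6)."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a name at offset, following compression pointers; returns (name, next_offset).
    Pointers may only point backwards and a hop limit guards against loops, because the
    reply is attacker-influenced input."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_response(msg: bytes) -> dict:
    """Parse the header, question section and IN/A answers of an application/dns-message body."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": ident, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def sample_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply for offline testing: echoes the question and appends one
    A record whose owner name is a compression pointer (0xC00C) to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; RCODE 0
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    rr += bytes(int(octet) for octet in ipv4.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dns.google/dns-query", q))
    print(parse_response(sample_response(q, "93.184.216.34")))
```

Every read in the parser is bounded and compression pointers are only allowed to point backwards; that is the class of check whose absence in a C++ resolver turns a malformed reply into memory corruption, which is the concern the post's memory-safety section addresses by writing the resolver in Rust.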

DNS-over-HTTP/3 (DoH3) support was released as part of a Google Play system update, so by the time you’re reading this, Android devices from Android 11 onwards [1] will use DoH3 instead of DoT for well-known [2] DNS servers which support it. Which DNS service you are using is unaffected by this change; only the transport will be upgraded. In the future, we aim to support DDR which will allow us to dynamically select the correct configuration for any server. This feature should decrease the performance impact of encrypted DNS.

Performance

DNS-over-HTTP/3 avoids several problems that can occur with DNS-over-TLS operation:

  • As DoT operates on a single stream of requests and responses, many server implementations suffer from head-of-line blocking [3]. This means that if the request at the front of the line takes a while to resolve (possibly because a recursive resolution is necessary), responses for subsequent requests that would have otherwise been resolved quickly are blocked waiting on that first request. DoH3 by comparison runs each request over a separate logical stream, which means implementations will resolve requests out-of-order by default.
  • Mobile devices change networks frequently as the user moves around. With DoT, these events require a full renegotiation of the connection. By contrast, the QUIC transport HTTP/3 is based on can resume a suspended connection in a single RTT.
  • DoT intends for many queries to use the same connection to amortize the cost of TCP and TLS handshakes at the start. Unfortunately, in practice several factors (such as network disconnects or server TCP connection management) make these connections less long-lived than we might like. Once a connection is closed, establishing the connection again requires at least 1 RTT.

    In unreliable networks, DoH3 may even outperform traditional DNS. While unintuitive, this is because the flow control mechanisms in QUIC can alert either party that packets weren’t received. In traditional DNS, the timeout for a query needs to be based on expected time for the entire query, not just for the resolver to receive the packet.

Field measurements during the initial limited rollout of this feature show that DoH3 significantly improves on DoT’s performance. For successful queries, our studies showed that replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%. While it might seem suspect that the reported data is conditioned on successful queries, both DoT and DoH3 resolve 97% of queries successfully, so their metrics are directly comparable. UDP resolves only 83% of queries successfully. As a result, UDP latency is not directly comparable to TLS/HTTP3 latency because non-connection-oriented protocols have a different notion of what a "query" is. We have still included it for rough comparison.

Memory Safety

The DNS resolver processes input that could potentially be controlled by an attacker, both from the network and from apps on the device. To reduce the risk of security vulnerabilities, we chose to use a memory safe language for the implementation.

Fortunately, we’ve been adding Rust support to the Android platform. This effort is intended exactly for cases like this — system level features which need to be performant or low level (both in this case) and which would carry risk to implement in C++. While we’ve previously launched Keystore 2.0, this represents our first foray into Rust in Mainline Modules. Cloudflare maintains an HTTP/3 library called quiche, which fits our use case well, as it has a memory-safe implementation, few dependencies, and a small code size. Quiche also supports use directly from C++. We considered this, but even the request dispatching service had sufficient complexity that we chose to implement that portion in Rust as well.

We built the query engine using the Tokio async framework to simultaneously handle new requests, incoming packet events, control signals, and timers. In C++, this would likely have required multiple threads or a carefully crafted event loop. By leveraging async Rust, this occurs on a single thread with minimal locking [4]. The DoH3 implementation is 1,640 lines and uses a single runtime thread. By comparison, DoT takes 1,680 lines while managing less and using up to 4 threads per DoT server in use.

Safety and Performance — Together at Last

With the introduction of Rust, we are able to improve both security and the performance at the same time. Likewise, QUIC allows us to improve network performance and privacy simultaneously. Finally, Mainline ensures that such improvements are able to make their way to more Android users sooner.

Acknowledgements

Special thanks to Luke Huang who greatly contributed to the development of this feature, and Lorenzo Colitti for his in-depth review of the technical aspects of this post.

  1. Some Android 10 devices which adopted Google Play system updates early will also receive this feature. 

  2. Google DNS and Cloudflare DNS at launch, others may be added in the future. 

  3. DoT can be implemented in a way that avoids this problem, as the client must accept server responses out of order. However, in practice most servers do not implement this reordering. 

  4. There is a lock used for the SSL context which is accessed once per DNS server, and another on the FFI when issuing a request. The FFI lock could be removed with changes to the C++ side, but has remained because it is low contention. 

Category: Hacking & Security

Authentication Risks Discovered in Okta Platform

Threatpost - 19 July 2022 - 17:33
Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction.
Category: Hacking & Security

FBI Warns Fake Crypto Apps are Bilking Investors of Millions

Threatpost - 19 July 2022 - 17:20
Threat actors offer victims what appear to be investment services from legitimate companies to lure them into downloading malicious apps aimed at defrauding them.
Category: Hacking & Security

We caught a billion attacks on e-mail, security experts sound the alarm

Novinky.cz - security - 19 July 2022 - 16:07
The security experts behind the Turris Sentinel system report a dramatic rise in cyber attacks on e-mail servers. While in January they caught 328 million attacks on electronic mailboxes, in April and May it was almost a billion each month.
Category: Hacking & Security

Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

The Hacker News - 19 July 2022 - 13:50
Cybersecurity researchers have taken the wraps off a previously undocumented spyware targeting the Apple macOS operating system. The malware, codenamed CloudMensis by Slovak cybersecurity firm ESET, is said to exclusively use public cloud storage services such as pCloud, Yandex Disk, and Dropbox for receiving attacker commands and exfiltrating files. "Its capabilities clearly show that the ...
Category: Hacking & Security

Security Experts Warn of Two Primary Client-Side Risks Associated with Data Exfiltration and Loss

The Hacker News - 19 July 2022 - 13:23
Two client-side risks dominate the problems with data loss and data exfiltration: improperly placed trackers on websites and web applications, and malicious client-side code pulled from third-party repositories like NPM. Client-side security researchers are finding that improperly placed trackers, while not intentionally malicious, are a growing problem and have clear and significant privacy ...
Category: Hacking & Security

Torvalds: Linux Kernel Team Has Sorted Retbleed Chip Flaw

LinuxSecurity.com - 19 July 2022 - 13:15
Linux kernel developers have addressed the Retbleed speculative execution bug in older Intel and AMD silicon, but the fix wasn't straightforward, so emperor penguin Linus Torvalds has delayed delivery of the next version by a week.
Category: Hacking & Security

New Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals

The Hacker News - 19 July 2022 - 13:09
A new method devised to leak information and jump over air-gaps takes advantage of Serial Advanced Technology Attachment (SATA) or Serial ATA cables as a communication medium, adding to a long list of electromagnetic, magnetic, electric, optical, and acoustic methods already demonstrated to plunder data. "Although air-gap computers have no wireless connectivity, we show that attackers can use ...
Category: Hacking & Security