Did he betray his #country because he was pissed off at his colleagues?
Zero-Day Vulnerabilities Are on the Rise
news.movim.eu / Schneier · Wednesday, 27 April - 18:40 · 1 minute
2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We’ve tracked publicly known in-the-wild 0-day exploits in this spreadsheet since mid-2014.
While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.
In 2021, Mandiant Threat Intelligence identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors — particularly ransomware groups — deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors. The vast increase in zero-day exploitation in 2021, as well as the diversification of actors using them, expands the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on these popular systems.
News article.
Hacking Alexa through Alexa’s Speech
news.movim.eu / Schneier · Monday, 7 March - 04:24
An Alexa can respond to voice commands it issues. This can be exploited:
The attack works by using the device’s speaker to issue voice commands. As long as the speech contains the device wake word (usually “Alexa” or “Echo”) followed by a permissible command, the Echo will carry it out, researchers from Royal Holloway University in London and Italy’s University of Catania found. Even when devices require verbal confirmation before executing sensitive commands, it’s trivial to bypass the measure by adding the word “yes” about six seconds after issuing the command. Attackers can also exploit what the researchers call the “FVV,” or full voice vulnerability, which allows Echos to make self-issued commands without temporarily reducing the device volume.
It does require proximate access, though, at least to set the attack up:
It requires only a few seconds of proximity to a vulnerable device while it’s turned on so an attacker can utter a voice command instructing it to pair with an attacker’s Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands.
Research paper.
Details of an NSA Hacking Operation
news.movim.eu / Schneier · Wednesday, 2 March - 20:35
Pangu Lab in China just published a report of a hacking operation by the Equation Group (aka the NSA). It noticed the hack in 2013, and was able to map it with Equation Group tools published by the Shadow Brokers (aka some Russian group).
…the scope of victims exceeded 287 targets in 45 countries, including Russia, Japan, Spain, Germany, Italy, etc. The attack lasted for over 10 years. Moreover, one victim in Japan was used as a jump server for further attacks.
News article.
France ties Russia’s Sandworm to a multiyear hacking spree
news.movim.eu / ArsTechnica · Wednesday, 17 February, 2021 - 01:26
The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don't have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.
On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia's GRU military intelligence agency, had breached several French organizations. The agency describes those victims as "mostly" IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris.
A Windows Defender vulnerability lurked undetected for 12 years
news.movim.eu / ArsTechnica · Saturday, 13 February, 2021 - 12:10
Just because a vulnerability is old doesn't mean it's not useful. Whether it's Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they're years past their prime. But a critical 12-year-old bug in Microsoft's ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don't try to make up for lost time.
The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn't specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.
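The bug class in that description, a privileged component writing a placeholder file without checking that the path is still a plain file, is easy to reproduce. The following is an added example, not SentinelOne's research code or Microsoft's driver: it models the pattern on POSIX with symlinks (the assumption being that NTFS links and reparse points give an attacker the equivalent redirection on Windows). The "protected file" and "dropped malware" paths are constructed for the example. The vulnerable remediation follows the planted link and clobbers the protected file; the hardened one checks with `lstat` and then lets the kernel enforce the check atomically with `O_NOFOLLOW`.

```python
"""Placeholder-file remediation: following links versus refusing them.

Added example illustrating the bug class described above. Not the real
driver's logic; assumes POSIX symlinks stand in for NTFS links/reparse points.
"""
import errno
import os
import stat
import tempfile
from typing import Callable, Tuple

PLACEHOLDER = b"quarantined by AV\n"
PROTECTED_CONTENT = b"original system file\n"


def remediate_following_links(path: str) -> None:
    """Vulnerable remediation: open() follows symlinks, so a link planted at
    `path` redirects the placeholder write to whatever the link targets."""
    with open(path, "wb") as f:
        f.write(PLACEHOLDER)


def remediate_no_follow(path: str) -> None:
    """Hardened remediation: refuse anything that is not a regular file, and
    let the kernel enforce it atomically with O_NOFOLLOW, which fails with
    ELOOP if the final path component is a symlink at open() time."""
    st = os.lstat(path)  # lstat does not follow a link at the last component
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise OSError(errno.ELOOP, "refusing to remediate a non-regular file", path)
    # The lstat/open race on the final component is closed by O_NOFOLLOW.
    # A link planted in a parent directory would additionally need a
    # per-component openat() walk, which is omitted here.
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    with os.fdopen(fd, "wb") as f:
        f.write(PLACEHOLDER)


def run_scenario(remediate: Callable[[str], None], plant_link: bool) -> Tuple[str, bytes]:
    """Constructed scenario: a protected file and a 'dropped malware' path in
    a temporary directory. With plant_link=True the malware path is really a
    symlink to the protected file, as an attacker would arrange it.
    Returns (outcome, contents of the protected file afterwards)."""
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "system.dll")
        with open(protected, "wb") as f:
            f.write(PROTECTED_CONTENT)
        malware = os.path.join(d, "dropped.exe")
        if plant_link:
            os.symlink(protected, malware)  # attacker-planted link
        else:
            with open(malware, "wb") as f:
                f.write(b"MZ...malicious payload\n")
        try:
            remediate(malware)
            outcome = "wrote placeholder"
        except OSError as e:
            outcome = f"refused: {e.strerror}"
        with open(protected, "rb") as f:
            return outcome, f.read()


if __name__ == "__main__":
    for name, fn in (("following", remediate_following_links),
                     ("no_follow", remediate_no_follow)):
        print(name, "planted link:", run_scenario(fn, True))
        print(name, "regular file:", run_scenario(fn, False))
```

Running it shows the vulnerable routine reporting success while the protected file now holds the placeholder, and the hardened routine refusing the link but still remediating a genuine regular file. The same discipline applies to any privileged deleter or quarantine routine: never trust that a path you checked a moment ago still names the object you intend to overwrite.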
Microsoft is seeing a big spike in Web shell use
news.movim.eu / ArsTechnica · Friday, 12 February, 2021 - 13:19
Security personnel at Microsoft are seeing a big increase in the use of Web shells, the light-weight programs that hackers install so they can burrow further into compromised websites.
The average number of Web shells installed from August, 2020 to January of this year was 144,000, almost twice that for the same months in 2019 and 2020. The spike represents an acceleration in growth that the same Microsoft researchers saw throughout last year.
A Swiss Army knife for hackers
The growth is a sign of just how useful and hard to detect these simple programs can be. A Web shell is an interface that allows hackers to execute standard commands on Web servers once the servers have been compromised. Web shells are built using Web-based programming languages such as PHP, JSP, or ASP. The command interfaces work much the way browsers do.
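Because a web shell is nothing more than request input flowing into a code or command execution sink, the same pattern that makes it tiny also makes it detectable by static inspection of the web root. The following heuristic scanner is an added example, not Microsoft's detection logic; the sink and input lists are illustrative rather than exhaustive, and the sample PHP and JSP sources it scores are constructed for the example.

```python
"""Heuristic web shell scanner for PHP/JSP/ASP.NET sources.

Added example, not Microsoft's detection logic. Scores a file on the
defining trait of a web shell: request-derived input reaching a code or
command execution sink, with a bonus for common obfuscation. The regexes
are illustrative assumptions, not a complete signature set.
"""
import re
from typing import Dict, List

# Sinks that execute code or OS commands (PHP, Java/JSP, ASP.NET).
EXEC_SINKS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|Process\.Start)\s*\(",
    re.IGNORECASE,
)
# Attacker-controlled request input in the same languages.
REQUEST_INPUT = re.compile(
    r"(\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|request\.getParameter|"
    r"Request\.(Form|QueryString|Params))",
    re.IGNORECASE,
)
# Decoders typically wrapped around a payload to defeat simple string matching.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13|chr)\s*\(", re.IGNORECASE)


def score(source: str) -> Dict[str, object]:
    """Return sinks, inputs, obfuscation hits, the lines where input and sink
    co-occur (the strongest signal), a numeric score and a verdict."""
    sinks: List[str] = sorted({m.group(1) for m in EXEC_SINKS.finditer(source)})
    inputs: List[str] = sorted({m.group(1) for m in REQUEST_INPUT.finditer(source)})
    obf: List[str] = sorted({m.group(1) for m in OBFUSCATION.finditer(source)})
    combined = [ln.strip() for ln in source.splitlines()
                if EXEC_SINKS.search(ln) and REQUEST_INPUT.search(ln)]
    total = 0
    if sinks:
        total += 2      # executes code/commands at all
    if inputs:
        total += 1      # reads request data at all
    if combined:
        total += 3      # request data on the same line as an exec sink
    if obf:
        total += 1      # decoder wrapped around something
    if total >= 5:
        verdict = "likely web shell"
    elif total >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"score": total, "sinks": sinks, "inputs": inputs,
            "obfuscation": obf, "combined_lines": combined, "verdict": verdict}


def scan(files: Dict[str, str]) -> Dict[str, str]:
    """Map file name -> verdict for an in-memory set of sources."""
    return {name: str(score(src)["verdict"]) for name, src in files.items()}


# Constructed samples for the example (not real files from any incident).
PHP_SHELL = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; } ?>"
PHP_OBFUSCATED = "<?php eval(base64_decode($_POST['p'])); ?>"
JSP_SHELL = '<% String c = request.getParameter("cmd"); Process p = Runtime.getRuntime().exec(c); %>'
PHP_BENIGN = "<?php $name = htmlspecialchars($_GET['name'] ?? 'world'); echo 'Hello ' . $name; ?>"
PHP_ADMIN_TASK = "<?php system('ls -l /var/log'); ?>"  # exec sink, but no request input

SAMPLES = {
    "shell.php": PHP_SHELL,
    "c99lite.php": PHP_OBFUSCATED,
    "cmd.jsp": JSP_SHELL,
    "hello.php": PHP_BENIGN,
    "cron_report.php": PHP_ADMIN_TASK,
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:18} {verdict:18} {score(SAMPLES[name])['score']}")
```

On the samples, the three shells score 6 or 7 and are flagged, the greeting page that only reads `$_GET` scores 1 and passes, and the file that calls `system()` on a fixed string lands in "review", which is the right outcome: an exec sink with no request input is not a shell, but it is worth a human look. In practice this kind of scan belongs beside file-integrity monitoring of the web root and process-lineage alerts for `w3wp.exe`, `php-fpm` or `java` spawning `cmd.exe` or `/bin/sh`, since attackers rename and re-encode shells faster than any string list can follow.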