      ZuoRAT Malware Is Targeting Routers

      news.movim.eu / Schneier · Thursday, 30 June, 2022 - 20:04

    Wired is reporting on a new remote-access Trojan that is able to infect at least eighty different targets:

    So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

    The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

    More details in the article.

      Zero-Day Vulnerabilities Are on the Rise

      news.movim.eu / Schneier · Wednesday, 27 April, 2022 - 18:40

    Both Google and Mandiant are reporting a significant increase in the number of zero-day vulnerabilities reported in 2021.

    Google:

    2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We’ve tracked publicly known in-the-wild 0-day exploits in this spreadsheet since mid-2014.

    While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.

    Mandiant:

    In 2021, Mandiant Threat Intelligence identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors — particularly ransomware groups — deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors. The vast increase in zero-day exploitation in 2021, as well as the diversification of actors using them, expands the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on these popular systems.

    News article.

      Hacking Alexa through Alexa’s Speech

      Bruce Schneier · news.movim.eu / Schneier · Monday, 7 March, 2022 - 04:24

    An Alexa can respond to voice commands it issues. This can be exploited:

    The attack works by using the device’s speaker to issue voice commands. As long as the speech contains the device wake word (usually “Alexa” or “Echo”) followed by a permissible command, the Echo will carry it out, researchers from Royal Holloway University in London and Italy’s University of Catania found. Even when devices require verbal confirmation before executing sensitive commands, it’s trivial to bypass the measure by adding the word “yes” about six seconds after issuing the command. Attackers can also exploit what the researchers call the “FVV,” or full voice vulnerability, which allows Echos to make self-issued commands without temporarily reducing the device volume.

    It does require proximate access, though, at least to set the attack up:

    It requires only a few seconds of proximity to a vulnerable device while it’s turned on so an attacker can utter a voice command instructing it to pair with an attacker’s Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands.

    Research paper.

      Details of an NSA Hacking Operation

      Bruce Schneier · news.movim.eu / Schneier · Wednesday, 2 March, 2022 - 20:35

    Pangu Lab in China just published a report of a hacking operation by the Equation Group (aka the NSA). Pangu noticed the hack in 2013, and was able to map it using the Equation Group tools published by the Shadow Brokers (aka some Russian group).

    …the scope of victims exceeded 287 targets in 45 countries, including Russia, Japan, Spain, Germany, Italy, etc. The attack lasted for over 10 years. Moreover, one victim in Japan is used as a jump server for further attack.

    News article.

      France ties Russia’s Sandworm to a multiyear hacking spree

      WIRED · news.movim.eu / ArsTechnica · Wednesday, 17 February, 2021 - 01:26

    The logo of the French national cybersecurity agency Agence nationale de la sécurité des systèmes d'information (ANSSI), taken at ANSSI headquarters in Paris. (credit: Eric Piermont | AFP | Getty Images)

    The Russian military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don't have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.

    On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia's GRU military intelligence agency, had breached several French organizations. The agency describes those victims as "mostly" IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris.

      A Windows Defender vulnerability lurked undetected for 12 years

      WIRED · news.movim.eu / ArsTechnica · Saturday, 13 February, 2021 - 12:10

    Just because a vulnerability is old doesn't mean it's not useful. Whether it's Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they're years past their prime. But a critical 12-year-old bug in Microsoft's ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don't try to make up for lost time.

    The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn't specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.
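The bug class described above (a remediation routine that deletes a file and then re-creates a placeholder by path, without checking what that path now refers to) can be reproduced outside a kernel driver. The following is an added illustration and not the Defender driver's code or SentinelOne's research: it uses POSIX filesystem semantics and symlinks as a stand-in for the "system links" the article mentions, and all names (`remediate_unsafe`, `remediate_safe`, `dropper.bin`, `important.dat`) are hypothetical. The attacker's move is simulated with a hook that runs between the delete and the placeholder write.

```python
import os
import tempfile

PLACEHOLDER = b"placeholder written by remediation\n"


def remediate_unsafe(path, race_hook=None):
    """Delete the file at `path`, then write a benign placeholder there.

    The path is trusted a second time without checking what it now points
    to: open() follows symlinks, so if an attacker swaps in a link, the
    placeholder is written over whatever the link targets.
    """
    os.remove(path)
    if race_hook:
        race_hook()                    # attacker's window: plant a link at `path`
    with open(path, "wb") as f:        # follows the link -> overwrites the wrong file
        f.write(PLACEHOLDER)


def remediate_safe(path, race_hook=None):
    """Same steps, but the placeholder is created with O_CREAT|O_EXCL|O_NOFOLLOW
    (POSIX flags): creation fails if anything, including a link, already
    occupies the path, instead of silently following it."""
    os.remove(path)
    if race_hook:
        race_hook()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:               # EEXIST / ELOOP: the path was tampered with
        raise RuntimeError(f"{path} reappeared during remediation ({e.strerror}); refusing to write")
    with os.fdopen(fd, "wb") as f:
        f.write(PLACEHOLDER)


def run_scenario(remediate):
    """Constructed scenario: a malicious file, an unrelated important file, and an
    attacker who replaces the malicious path with a symlink to the important
    file while remediation is in progress. Returns what happened."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "important.dat")   # hypothetical file the attacker wants clobbered
        malicious = os.path.join(d, "dropper.bin")  # hypothetical file the AV decided to remove
        with open(victim, "wb") as f:
            f.write(b"victim data\n")
        with open(malicious, "wb") as f:
            f.write(b"EVIL\n")

        def attacker():
            os.symlink(victim, malicious)   # now `dropper.bin` -> `important.dat`

        try:
            remediate(malicious, race_hook=attacker)
            refused = False
        except RuntimeError:
            refused = True
        with open(victim, "rb") as f:
            victim_after = f.read()
        return {"refused": refused, "victim_overwritten": victim_after != b"victim data\n"}


if __name__ == "__main__":
    print("unsafe:", run_scenario(remediate_unsafe))   # placeholder lands on important.dat
    print("safe:  ", run_scenario(remediate_safe))     # creation refused, important.dat intact
```

The general rule the safe variant follows is to never re-resolve a path you have already acted on; create the placeholder exclusively (fail if anything is there), refuse to follow links, and where the platform allows it keep working on the handle you already hold rather than on the name.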

      Microsoft is seeing a big spike in Web shell use

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 12 February, 2021 - 13:19

    Security personnel at Microsoft are seeing a big increase in the use of Web shells, the lightweight programs that hackers install so they can burrow further into compromised websites.

    The average number of Web shells installed per month from August 2020 to January of this year was 144,000, almost twice the figure for the same months in 2019 and 2020. The spike represents an acceleration of the growth the same Microsoft researchers saw throughout last year.

    (Chart: Web shells observed, year over year. credit: Microsoft)

    A Swiss Army knife for hackers

    The growth is a sign of just how useful and hard to detect these simple programs can be. A Web shell is an interface that allows hackers to execute standard commands on Web servers once the servers have been compromised. Web shells are built using Web-based programming languages such as PHP, JSP, or ASP. The command interfaces work much the way browsers do.
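Because a Web shell is just a script that routes request input into a command or code execution function, the simplest detection is static: look for that pairing in PHP files. The following is an added example, not Microsoft's detection logic, and the PHP snippets it scans are constructed for illustration rather than captured from real servers. The scoring weights and the threshold are my own assumptions; the point is that the strongest signal is a request parameter and an execution sink in the same statement, while a sink alone (a deploy script running a fixed command) should not fire.

```python
import re

# Constructed PHP samples (illustrative only).
SAMPLES = {
    # minimal command shell: request parameter straight into system()
    "upload.php": '<?php if(isset($_REQUEST["c"])){ echo "<pre>"; system($_REQUEST["c"]); echo "</pre>"; } ?>',
    # obfuscated eval shell with error suppression
    "c99ish.php": '<?php @eval(base64_decode($_POST["x"])); ?>',
    # benign application bootstrap
    "index.php": '<?php\nrequire "vendor/autoload.php";\n$app = new App();\n$app->run();\n',
    # benign use of a sink with a constant argument
    "deploy.php": '<?php\n$rev = shell_exec("git rev-parse HEAD");\necho htmlspecialchars($rev);\n',
}

# PHP functions that execute code or shell commands.
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\(", re.I)
# Ways a script reads attacker-controlled request data.
REQUEST_SOURCE = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b|php://input|getallheaders\s*\(", re.I)
# Helpers commonly used to hide the payload from grep.
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(|\\x[0-9a-f]{2}", re.I)
# '@' in front of a sink silences errors that would otherwise land in logs.
SUPPRESSED_SINK = re.compile(
    r"@\s*(eval|assert|system|exec|shell_exec|passthru)\s*\(", re.I)

THRESHOLD = 3   # assumed cut-off for this toy scoring


def score_php(source):
    """Return (score, reasons) for one PHP source string."""
    score, reasons = 0, []
    if EXEC_SINK.search(source):
        score += 1
        reasons.append("command/code execution sink")
    if REQUEST_SOURCE.search(source):
        score += 1
        reasons.append("reads request input")
    # Strongest signal: input and sink in the same statement (checked per line).
    if any(EXEC_SINK.search(line) and REQUEST_SOURCE.search(line)
           for line in source.splitlines()):
        score += 2
        reasons.append("request input feeds a sink in the same statement")
    if OBFUSCATION.search(source):
        score += 1
        reasons.append("decoding/obfuscation helper")
    if SUPPRESSED_SINK.search(source):
        score += 1
        reasons.append("error-suppressed sink")
    if EXEC_SINK.search(source) and len(source) < 512:
        score += 1
        reasons.append("tiny file containing an execution sink")
    return score, reasons


def is_web_shell(source):
    return score_php(source)[0] >= THRESHOLD


def scan(files):
    """Score every file in a {name: source} mapping."""
    return {name: score_php(src) for name, src in files.items()}


if __name__ == "__main__":
    for name, (score, reasons) in scan(SAMPLES).items():
        verdict = "SUSPECT" if score >= THRESHOLD else "ok"
        print(f"{name:12s} {verdict:8s} score={score}  {'; '.join(reasons)}")
```

Run against a real document root, the same logic would read each `.php` file from disk and feed it to `score_php`; the pattern list is deliberately short and will miss shells that split the sink across variables or call it through `call_user_func`, so treat it as a triage filter rather than a verdict.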
