
Submission + - Critical VxWorks flaws expose millions of devices to hacking (csoonline.com)

itwbennett writes: Researchers from IoT security firm Armis 'have found 11 serious vulnerabilities in VxWorks, the world's most popular real-time operating system (RTOS) that powers over 2 billion devices including enterprise network firewalls and routers, industrial controllers and medical equipment,' writes Lucian Constantin for CSO. Wind River has released patches to the affected VxWorks versions that are still supported and has said in a press release that these vulnerabilities only impact 'a small subset' of its customer base, primarily 'enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices.' However, Armis estimates the flaws expose over 200 million 'mission-critical' devices. What makes many of these flaws particularly dangerous, says Constantin, is that they can take over devices remotely by just sending network packets. The researchers plan to demonstrate three real-world attack scenarios against a SonicWall firewall, a Xerox printer and a patient monitor at the upcoming Black Hat USA security conference.

Submission + - MongoDB Protects Exposed Databases with Field Level Encryption (csoonline.com)

itwbennett writes: Slashdot readers will remember several instances where MongoDB data stores were left publicly exposed: here and here and here, for example. A new version of MongoDB, released today, introduces a new feature to help protect that data: field-level encryption (FLE), which 'protects sensitive information stored in a database even if attackers compromise the database itself or the server it runs on,' writes Lucian Constantin for CSOonline. 'This means that even if the server is compromised, or if the database is left exposed to the internet with weak or default administrative credentials, attackers won't be able to steal any sensitive information that has been encrypted. However, FLE will not prevent data destruction attacks that are possible if attackers gain administrative access to a database.'

Submission + - New Toolkit Automates Phishing Attacks That Can Bypass 2FA (csoonline.com)

itwbennett writes: At the Hack in the Box conference in Amsterdam last month, researchers presented a toolkit that automates phishing attacks in a way that defeats two-factor authentication (2FA). "[The toolkit] has two components: A transparent reverse-proxy called Muraena and a Docker container for automating headless Chromium instances called NecroBrowser," explains Lucian Constantin. "Once a victim lands on a phishing site powered by Muraena, the login process works exactly as on the real website. The user is asked for their 2FA code. After they provide it and authentication is completed, the proxy steals the session cookie.... Muraena can automatically pass the collected session cookies to its second component, the NecroBrowser, which can immediately start abusing them." The toolkit has been released on GitHub.

Submission + - IT Services Giant HCL Left Employee Passwords, Other Data Exposed Online (csoonline.com)

itwbennett writes: Researchers at security consultancy UpGuard have found that IT services provider HCL Technologies left sensitive data, including names, usernames and passwords of new employees, as well as customer project information, exposed online. ‘The most sensitive stuff was on an HR portal and had a report for new hires, and it was very clearly being actively used,’ said Greg Pollock, vice president of product at UpGuard. ‘Fifty-four people had been onboarded during the time period when I had found this.’ In addition to the HR portal, a portal used to share project information with customers was also affected, writes CSO’s JM Porup. ‘Beyond the usability nightmare of a 2,000-item dropdown menu, the project details exposed included customer sensitive information such as internal analysis reports, weekly customer reports and installation reports,’ says Porup.

Submission + - New Intel Firmware Boot Verification Bypass Enables Low-Level Backdoors (csoonline.com)

itwbennett writes: At the Hack in the Box conference in Amsterdam this week, researchers Peter Bosch and Trammell Hudson presented a new attack against the Boot Guard feature of Intel's reference UEFI implementation, Tianocore. The attack, which can give an attacker full, persistent access, involves replacing a PC's SPI flash chip with one that contains rogue code, reports Lucian Constantin for CSO. 'Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information,' writes Constantin. Intel has patches available for Tianocore, but as we all remember from the Meltdown and Spectre vulnerabilities, distributing UEFI patches isn't an easy process.

Submission + - Privacy Violation Involving FEMA Contractor May Be Much Bigger Than Reported (csoonline.com)

itwbennett writes: Last month, as reported in Slashdot, the Department of Homeland Security’s Office of Inspector General issued an alert that FEMA had released personally identifiable information of 2.3 million disaster survivors to a contractor that administers the agency's emergency lodging program, and in doing so had violated the Privacy Act of 1974 and DHS policy. In the OIG's report the contractor's name was redacted, but since 2005 there has been just one official provider of emergency lodging services, Wichita, Kansas-based Corporate Lodging Consultants, Inc. (CLC), reports Cynthia Brumfield for CSO. 'According to the GSA’s Federal Procurement Data System (FPDS), CLC has since October 2007 (the earliest entry in the FPDS database) provided lodging services to thirteen different government agencies and 26 sub-agencies of the federal government, including FEMA, which is the largest government client by a wide margin.' While it's unknown whether those other agencies also unnecessarily supplied personally identifiable information to CLC, Dave Kennedy, CEO of cybersecurity firms TrustedSec and Binary Defense, believes that 'Other government agencies should be conducting the same investigation [as FEMA]' because more data may be at risk.

Submission + - Critical Magento SQL Injection Flaw Could Soon Be Targeted by Hackers (csoonline.com)

itwbennett writes: The popular e-commerce platform Magento has released 37 security issues affecting both the commercial and open-source versions, four of which are critical. 'Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication,' writes Lucian Constantin for CSO. Researchers from Web security firm Sucuri 'have already reverse-engineered the patch [for that flaw] and created a working proof-of-concept exploit for internal testing,' says Constantin. 'The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites,' the researchers warn in a blog post.

Submission + - Hackers Use Slack To Hide Malware Communications (csoonline.com)

itwbennett writes: Researchers at security firm Trend Micro detected a custom backdoor in Slack that it believes 'with strong confidence... was part of a possible targeted attack campaign,' launched from a compromised website, the researchers said in their report. While attacks involving compromised websites aren't new, 'this is the first time researchers have seen Slack, a popular enterprise collaboration tool, being used in this way,' writes Lucian Constantin for CSO. 'The backdoor connects to a GitHub repository to download commands and then connects to a Slack private workspace set up by the attackers to post the output of those commands, along with the name of the computer the output was collected from. Finally, the malware uploads any stolen files to the file.io cloud storage service.'

Submission + - Qbot Malware Resurfaces In New Attack (csoonline.com)

itwbennett writes: Security researchers at Varonis have uncovered a new attack using a new version of the venerable Qbot malware that 'creates scheduled tasks and adds entries to the system registry to achieve persistence,' writes Lucian Constantin, reporting on the attack for CSO. 'The malware then starts recording all keystrokes typed by users, steals credentials and authentication cookies saved inside browsers, and injects malicious code into other processes to search for and steal financial-related text strings.' The researchers 'found logs showing 2,726 unique victim IP addresses,' writes Constantin, but because 'computers inside an organization typically access the internet through a shared IP address, the researchers believe the number of individually infected systems to be much larger.'

Submission + - Elasticsearch Clusters Face Attacks From Multiple Hacker Groups (csoonline.com)

itwbennett writes: If you're running Elasticsearch 1.4.2 and lower, you should make sure your patches are up to date. That's because researchers from Cisco's Talos group have 'detected an increase in attacks targeting unsecured Elasticsearch clusters.' At least six different groups are responsible for the increase, each deploying different malware, but regardless of the method, the potential impact of a breach is huge because Elasticsearch is designed to work with big data and companies use it to process sensitive data. 'Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe,' the Talos researchers warned.

Submission + - IoT botnets target Polycom video conferencing systems

itwbennett writes: WootCloud researchers have discovered three new internet of things (IoT) botnets based on Mirai that exploit Polycom video conferencing systems. Like Mirai, the newly discovered botnets, dubbed Bushido, Hades and Yowai, 'also spread via Telnet by using brute-force password guessing techniques to access Polycom HDX and other devices,' writes Lucian Constantin for CSOonline. 'However, the exploitation of vulnerabilities in the firmware or administration interfaces is also a possible scenario, according to the WootCloud researchers.' In a phone interview with CSO, the WootCloud researchers warned that while there are perhaps thousands of Polycom HDX devices exposed to the internet, the far greater number of businesses that have deployed them on internal networks are also at risk. 'It only takes one exposed and misconfigured system to be compromised to spread the infection internally,' the researchers said. For its part, Polycom has today released an advisory warning of the vulnerabilities and best practices for mitigating the risk.

Submission + - Multi-vector Attacks Target Cloud-hosted Technologies (csoonline.com)

itwbennett writes: A new report by security researchers at Securonix warns of an increase in automated attacks against cloud infrastructure that combine more than one form of malware, often cryptomining, ransomware and botnet. 'In most cases, the focus of the attacks is on installing a second-stage payload for cryptomining and/or remote access,' the researchers said. 'In other cases, the malware propagates and infects the exposed services, removes data, and installs second-stage cryptomining and ransomware payloads.' Writing about the report for CSOonline, Lucian Constantin notes that, 'One of the most commonly used malware tools observed in attacks against cloud-hosted services is the XBash worm, which first appeared in May 2018. This malware is used to infect both Windows and Linux servers and deploys additional payloads depending on which OS is running.' XBash was in the news recently when it was found that the Rocke cybercriminal group, which uses an XBash variant, had started disabling cloud security and monitoring agents, Constantin adds.

Submission + - Cylance Researchers Discover Powerful New Nation-State APT (csoonline.com)

itwbennett writes: The new APT, dubbed White Company by the researchers, is likely Middle Eastern but shows signs that former U.S. intelligence operatives may be involved, the researchers say. And it 'takes the cat-and-mouse game between attackers and defenders to a new level,' writes CSOonline's JM Porup. The malware goes to 'extraordinary lengths to evade detection and includes the ability to detect and hide from eight different antivirus products' but it also 'let itself be discovered by different antivirus vendors on preprogrammed dates, likely as a distraction tactic,' writes Porup.

Submission + - Introducing Kit Hunter, a Phishing Kit Detection Script (csoonline.com)

itwbennett writes: CSO Online's Steve Ragan has written a handy Python script to help admins find phishing kits on their web servers. 'When you run Kit Hunter it searches web directories for phishing kits based on common kit elements located in the tag file,' says Ragan. 'Kit Hunter will search all the folders and sub-folders for .txt, .php, .htm, .html, .dat, and .htaccess files, and compare the contents of those files with the tags list. If there is a match, it logs the results.' Kit Hunter is available on GitHub https://github.com/SteveD3.

Submission + - Reddit Hack Exposed Logs, Source Code, and User Data from 2005-2007 (csoonline.com)

itwbennett writes: Reddit today announced that an attacker compromised staff accounts at the site's cloud and source code hosting providers. Backups, source code and various logs were exposed, as well as some user data, reports CSO's Steve Ragan. Users who maintained accounts on the website prior to 2007 may have been impacted, and Reddit is contacting those users. In a post on its site, the company said that the 'main attack was via SMS intercept.'
