Daily Archives: May 25, 2020

Why building backdoors into encryption won’t make us safer

For much of the last decade, technology companies have been in an uphill battle to save encryption, a battle that has seen an increasing number of skirmishes that tech companies often lose. Throughout this ongoing clash, governments across the world have been pushing to backdoor encryption in the name of combating child abuse and terrorism. The battle has come to a head several times in recent years, including when the FBI demanded Apple assist in … More

The post Why building backdoors into encryption won’t make us safer appeared first on Help Net Security.

IoT security: In 2020, action needs to match awareness

As the power of IoT devices increases, security has failed to follow suit. This is a direct result of the drive to the bottom for price of network enabling all devices. But small steps can greatly increase the overall security of IoT. A better IoT security story has to be one of the most urgent priorities in all of technology. That’s because IoT is one of the industry’s most compelling opportunities and squandering it due … More

The post IoT security: In 2020, action needs to match awareness appeared first on Help Net Security.

Reaching the Summit (VM maturity Level 5)

Only the truly committed ever reach the summit of anything. This sentiment holds true for vulnerability management. An organization cannot reach the summit without a serious commitment to fund and staff the program appropriately across the organization. Reaching ML:5 means tying the program to the business. Everyone must be aligned with the metrics and be […]… Read More

The post Reaching the Summit (VM maturity Level 5) appeared first on The State of Security.

How do I select a backup solution for my business?

42% of companies experienced a data loss event that resulted in downtime last year. That high number is likely caused by the fact that while nearly 90% are backing up the IT components they’re responsible for protecting, only 41% back up daily – leaving many businesses with gaps in the valuable data available for recovery. In order to select an appropriate backup solution for your business, you need to think about a variety of factors. … More

The post How do I select a backup solution for my business? appeared first on Help Net Security.

What hinders successful threat hunting?

As more organizations implement successful threat hunting operations, a SANS Institute survey finds that they are facing common challenges with employing skilled staff and collecting quality threat intelligence. “Without a sufficient number of skilled staff, high-quality intelligence, and the right tools to get visibility into the infrastructure, success with threat hunting will remain limited,” says survey author Mathias Fuchs. “A world where we’ll see a unified, widely accepted golden standard of threat hunting remains in … More

The post What hinders successful threat hunting? appeared first on Help Net Security.

Global DX spending to grow 10.4% in 2020

Spending on the digital transformation (DX) of business practices, products, and organizations will continue at a solid pace despite the challenges presented by the COVID-19 pandemic, IDC reveals. Global spending on DX technologies and services is forecast to grow 10.4% in 2020 to $1.3 trillion. While this is notably slower than the 17.9% growth in 2019, it remains one of the few bright spots in a year characterized by dramatic reductions in overall technology spending. … More

The post Global DX spending to grow 10.4% in 2020 appeared first on Help Net Security.

How to Protect the Future of IT

Working remotely, either from home or from elsewhere, isn’t something new. It has been used by many companies worldwide over the past decade. That said, it was typically restricted to only a couple days a month or to specific IT-savvy departments. But as we have seen throughout time, adversity and crisis lead to change and […]… Read More

The post How to Protect the Future of IT appeared first on The State of Security.

AppSealing Hybrid App Security 1.0 now also protects hybrid apps

The market leader in mobile app security AppSealing has announced the introduction of a new feature to its suite of security services. Now, it protects hybrid apps as well. It’s new and existing clients, which include industry bigwigs in the fields of fintech, gaming, OTT, ecommerce, etc., can add an AppSealing security layer between the native shell and the web app to secure their hybrid apps and protect their network infrastructure and their users’ devices … More

The post AppSealing Hybrid App Security 1.0 now also protects hybrid apps appeared first on Help Net Security.

Flying Cloud and Wireless Guardian partner to provide protection to patrons and facilities

Flying Cloud Technology announces it has entered into an OEM relationship with Wireless Guardian. Wireless Guardian is the world’s first forward-facing human threat detection system and the most effective investigative security solution for today’s high-tech environment. Providing protection to patrons and facilities, Wireless Guardian tracks both security and pandemic threats up to a mile outside the facility’s perimeter. “Flying Cloud is extremely happy to enter into this strategic partnership with Wireless Guardian. We feel that … More

The post Flying Cloud and Wireless Guardian partner to provide protection to patrons and facilities appeared first on Help Net Security.

SQL Server Security Basics

Security is of paramount importance in any IT context today, especially when you are looking to protect something as precious and potentially vulnerable to attack as an SQL server.

Here is a quick primer on the basic aspects of security which matters most for SQL server solutions, since the cost of a breach will vastly outweigh the effort of learning and following best practices.

Encryption

There is no doubt that encryption should be part of any modern DataOps strategy, particularly given the scope and scale of the threats that exist in the age of unfettered connectivity.

You can encrypt data stored on your SQL server, and indeed you should make sure that this is enabled as standard. You also need to take into account how the data is protected when it is in transit, when it might be exposed to exploitation while passing through public networks and devices.

There are different types of encryption to consider, with SSL encryption keeping data safe when it is on the move while cell-level encryption will allow comprehensive protection even while the data is cached on server RAM. The greater the level of encryption you choose, the more potential complications can arise, so it is a matter of balancing your needs against the risks.

Backup

All the security measures in the world will be for naught if your SQL server is breached, damaged or otherwise compromised in such a way that leaves the information it contains inaccessible or unrecoverable for some reason.

This is why a good SQL server backup solution needs to be factored into your security efforts, providing you with a lifeline to restore mission-critical data in the direst of circumstances.

There are quite a few points to consider when selecting a backup strategy. Opting for a differential backup, for example, will allow you to perform the backup process faster and without the same penalty in terms of storage requirements. A full backup will form the foundations of a differential backup as well as being used to underpin transaction log backups, which allow for time-specific restoration.

All backup varieties take time and require a commitment of hardware and network resources, while also posing a security risk in their own right, so remember not to overlook this aspect.

Access

Managing access to your SQL server is vital, not just in terms of taking control of which users and apps can retrieve data or make changes to the database, but also with regards to the physical hardware itself.

This is not something that will immediately seem obvious, especially at a time when more and more organizations are choosing to migrate to remotely hosted or hybrid cloud setups, but even if your IT resources feel nebulous, they are still founded on tangible servers.

If you are directly responsible for housing this hardware, restricting physical access to it is just as crucial as vetting digital access. Locking server rooms is a minimum; making sure that only employees with a legitimate reason to access them should also be part of your security protocols.

Updates

Although cybersecurity threats are growing and evolving all the time, software firms do a good job of fixing vulnerabilities and patching problems whenever they rear their heads.

This means that it is the responsibility of SQL server specialists to keep their software up to date, installing vital security patches as soon as possible. Failure to do so will leave you exposed unnecessarily and could lead to breaches that would have been entirely preventable. Both the SQL software and the OS it runs on need to be updated as a matter of urgency.

The post SQL Server Security Basics appeared first on CyberDB.

Cisco fixed a critical issue in the Unified Contact Center Express

Cisco has released several security patches, including one for a critical issue, tracked as CVE-2020-3280, in the call-center software Unified Contact Center Express.

Cisco released a set of security patches, including one for a critical flaw in its call-center software Unified Contact Center Express, tracked as CVE-2020-3280.

The CVE-2020-3280 vulnerability is a remote code execution issue that resides in the Java remote management interface for Unified CCE.

“A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.” reads the security advisory published by Cisco.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system.”

An unauthenticated, remote attacker could exploit the issue to execute arbitrary code as the root user on a vulnerable device.

The issue could be exploited by supplying a malformed Java object to a specific listener on an vulnerable system

Administrators should update their Unified CCE installs as soon as possible.

The good news is that Cisco is not aware of attacks in the wild that exploited the flaw.

Pierluigi Paganini

(SecurityAffairs – Unified CCE, hacking)

The post Cisco fixed a critical issue in the Unified Contact Center Express appeared first on Security Affairs.

Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid

Threat actors are offering for sale more than two dozen SQL databases belonging to e-commerce websites for different countries.

Hackers are offering for sale more than two dozen SQL databases stolen from online shops from multiple countries.

Threat actors have compromised insecure servers exposed online and after copying the content of their websites they left a ransom note.

Some of the databases are dated as 2016, but data starts from March 28, 2020.

Crooks’ demand is BTC 0.06 ($485 at current price), they threaten to leak the content of the database if the victims don’t pay the ransom in 10 days.

The ransom notes observed in this campaign include a couple of wallets that received more than 100 transactions for a total of BTC 5.8 ($47,150 at current price).

“The number of abuse reports for these two wallets is over 200, the oldest being from September 20, 2019. The most recent one is from May 20 and this month alone there were nine reports, indicating that the actor is highly active.” reported BleepingComputer.

“It is important to note that the hacker may use more than the wallets found by BleepingComputer.”

The seller is offering 31 databases and gives a sample for the buyers to check the authenticity of the data.

Most of the listed databases are from online stores in Germany, others e-store hacked by threat actors are from Brazil, the U.S., Italy, India, Spain, and Belarus.

The hacked stores were running Shopware, JTL-Shop, PrestaShop, OpenCart, Magento v1 and v2 e-commerce CMSs.

The databases contain a total of 1,620,000 rows, exposed records include email addresses, names, hashed passwords (e.g. bcrypt, MD5), postal addresses, gender, dates of birth.

It isn’t the first time that crooks target unprotected databases, experts observed several attacks targeting unprotected MongoDB installs.

Pierluigi Paganini

(SecurityAffairs – SQL databases, hacking)

The post Crooks hacked e-shops and threaten to sell SQL databases if ransom not paid appeared first on Security Affairs.

Ragnar Ransomware encrypts files from virtual machines to evade detection

Ransomware encrypts from virtual machines to evade antivirus

Ragnar Locker deploys Windows XP virtual machines to encrypt victim’s files, the trick allows to evaded detection from security software.

Crooks always devise new techniques to evade detection, the Ragnar Locker is deploying Windows XP virtual machines to encrypt victim’s files while bypassing security measures.

The Ragnar Locker appeared relatively in the threat landscape, at the end of the 2019 it was employed in attacks against corporate networks. 

One of the victims of the ransomware is the energy giant Energias de Portugal (EDP), where the attackers claimed to have stolen 10 TB of files.

While many ransomware infections terminate security programs before encrypting,

This sample of Ragnar Locker terminates security programs and managed service providers (MSP) utilities to prevent them from blocking the attack.

“A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.” reads the report published by Sophos. “The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.”

The attack chain starts with the creation of a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, which is an image of a stripped-down version of the Windows XP SP3 OS (MicroXP v0.82). The image includes the 49 kB Ragnar Locker ransomware executable, the attack also includes several executables and scripts to prep the environment.

Ragnar Locker ransomware

The malware leverage a VirtualBox feature that allows the host operating system to share folders and drives as a network share inside a virtual machine.  The virtual machine mounts the shared path as a network drive from the \\VBOXSVR virtual computer to access their content.

“In addition to the VirtualBox files, the MSI also deploys an executable (called va.exe), a batch file (named install.bat), and a few support files. After completing the installation, the MSI Installer executes va.exe, which in turn runs the install.bat batch script.” continues the analysis. “The script’s first task is to register and run the necessary VirtualBox application extensions VBoxC.dll and VBoxRT.dll, and the VirtualBox driver VboxDrv.sys.”

The install.bat batch file allows the threat to scan for local drives and mapped network drives on the host and builds a configuration file that automatically shares them with the virtual machine.

The script also prepares an sf.txt file containing VirtualBox configuration settings to automatically share all of the drives on the computer with the virtual machine.

The attackers launch the Windows XP virtual machine using the SharedFolder directives created by their batch file that are accessible within the virtual machine. and the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.

When launched, all of these shared drives will now be accessible from within the virtual machine. Experts pointed you that the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.

Windows XP virtual machine
Windows XP virtual machine
(Source: Sophos)

Also included is a vrun.bat file that is located in the Startup folder so that it is launched immediately when the virtual machine starts.

This vrun.bat file, shown below, will mount each shared drive, encrypt it, and then proceed to the next drive shared with the virtual machine.

Mounting all the shared drives to encrypt
Mounting all the shared drives to encrypt

As the security software running on the victim’s host will not detect the ransomware executable or activity on the virtual machine, it will happily keep running without detecting that the victim’s files are now being encrypted.

It should be noted that if the victim was running Windows 10’s Controlled Folder Access anti-ransomware feature, it may have been protected from an attack like this as the operating system would have detected writes to the protected folders.

When done, the victim will find a custom ransom note on their computer explaining how their company was breached, and their files were encrypted.

Custom Ragnar Locker ransom note
(Source: Sophos)

The use of a virtual machine to encrypting a device’s files without being detected is an innovative approach.

As VirtualBox and a Windows XP virtual machine are not considered malicious, most security software will not be concerned that it is blissfully writing to all the data on the computer.

This attack illustrates how security software with behavioral monitoring is becoming more important to stem the tide of ransomware infections.

Only by detecting the unusual mass file writes, would this attack be detected.

Pierluigi Paganini

(SecurityAffairs – Ragnar Locker ransomware, hacking)

The post Ragnar Ransomware encrypts files from virtual machines to evade detection appeared first on Security Affairs.

Mercedes-Benz Data Leak: Embarrassing But Endurable

The Mistake Could Have Been Much Worse in an Era of Connected Vehicles
Last week, a curious data breach occurred: Almost 9 GB of software development documentation from Daimler AG, the parent company of Mercedes-Benz. In an era where software underpins vehicles, the leak could have been worse, but underscored how shared code repositories much be protected.

UK Data Breach Reports Decline

As GDPR Hits Second Anniversary, Regional Reporting Variations Continue
Britain's privacy watchdog reports it received 19% fewer data breach notifications in the first quarter than in the same period last year. While the decline may be attributed to more organizations better understanding when to report breaches, other countries have seen an increase in breach reports.

Maze ransomware operators leak credit card data from Costa Rica’s BCR bank

Maze ransomware operators published credit card details stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Maze ransomware operators have released credit card data stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Early May, Maze Ransomware operators claimed to have hacked the network of the state-owned Bank of Costa Rica Banco BCR and to have stolen internal data, including 11 million credit card credentials.

Banco BCR has equity of $806,606,710 and assets of $7,607,483,881, it is one of the most solid banks in Central America.

The hackers claim to have compromised the Banco BCR’s network in August 2019, and had the opportunity to exfiltrate its information before encrypting the files.

Maze Ransomware crew

According to Maze, the bank’s network remained unsecured at least since February 2020.

Anyway, the group explained that they did not encrypt the bank documents in February, because it “was at least incorrect during the world pandemic”.

The stolen data includes 4 million unique credit card records, and 140,000 allegedly belonging to USA citizens.

Now the Maze ransomware operators published a post on their leak site along with a spreadsheet (2GB in size) containing the payment card numbers from customers of Banco de Costa Rica (BCR).

MAze-BCR.jpg

The threat actors decided to leak the credit card number to lack of security measures implemented by the bank.

Security firm Cyble confirmed the data leak, over 2GB of data.

“Just like previously, the Cyble Research Team has verified the data leak, which consists of a 2GB CSV file containing details of various Mastercard and Visa credit cards or debit cards.” reads the post published by Cyble. “As per Cyble’s researchers, the Maze ransomware operators have made this data leak due to the Banco de Costa not taking the previous leaks seriously. Along with that, the Maze ransomware operators have threatened the BCR about this type of leak going to happen every week.”

Maze ransomware operators published screenshots showing unencrypted Visa or MasterCard credit card numbers, all the cards have been issued by BCR.

The BCR bank always denied that its systems have been hacked by the Maze gang.

“After multiple analyzes carried out by internal and external specialists in computer security, no evidence has been found to confirm that our systems have been violated. The permanent monitoring of our clients’ transactions confirms that none has been affected.” reads the last statement published by the bank.

Pierluigi Paganini

(SecurityAffairs – BCR, hacking)

The post Maze ransomware operators leak credit card data from Costa Rica’s BCR bank appeared first on Security Affairs.

New Tool Can Jailbreak Any iPhone and iPad Using An Unpatched 0-Day Bug

The hacking team behind the "unc0ver" jailbreaking tool has released a new version of the software that can unlock every single iPhone, including those running the latest iOS 13.5 version. Calling it the first zero-day jailbreak to be released since iOS 8, unc0ver's lead developer Pwn20wnd said "every other jailbreak released since iOS 9 used 1day exploits that were either patched in the next

3 hacking forums have been hacked and database have been leaked online

Three hacking forums Nulled.ch, Sinfulsite.com, and suxx.to have been hacked and their databases have been leaked online

Researchers from intelligence firm Cyble made the headlines again, this time they have discovered online the databases of three hacking forums. The three forums are Sinful SiteSUXX.TO and Nulled, they were all hacked.

These cybercrime forums are places of aggregations for hackers and cybercriminals, that could use them to participate in general discussion and sharing related resources.

hacking forums

Members of the forums share and sell data leaks, hacking tools, malware, tutorials, and much more. The databases appear to have been leaking in May 2020.

“Recently, the Cyble Research Team obtained the database leaks of these hacking forums which appear to have been leaking in May 2020. The Cyble’s researchers obtained-:

  • The databases of SUXX.TO and Nulled contains detailed information of their users, which appears to be dumped on 20 May 2020.
  • The full database of Sinful Site including the private messages, which appear to be dumped on 15 May 2020.

” reads the post published by security firm Cyble.

Cyble experts said that all the above databases have been indexed at AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – data breach, cyber crime forums)

The post 3 hacking forums have been hacked and database have been leaked online appeared first on Security Affairs.