The War Room

Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

Thousands of Systems Turned Into Proxy Exit Nodes via Malware

Threat actors have been observed deploying a proxy application on Windows and macOS systems that were infected with malware.

The post Thousands of Systems Turned Into Proxy Exit Nodes via Malware appeared first on SecurityWeek.

Why You Need Continuous Network Monitoring?

Changes in the way we work have had significant implications for cybersecurity, not least in network monitoring. Workers no longer sit safely side-by-side on a corporate network, dev teams constantly spin up and tear down systems, exposing services to the internet. Keeping track of these users, changes and services is difficult – internet-facing attack surfaces rarely stay the same for long. But

CISA Releases Cyber Defense Plan to Reduce RMM Software Risks

CISA has published a cyber defense plan outlining strategies to help critical infrastructure organizations reduce the risks associated with RMM software.

The post CISA Releases Cyber Defense Plan to Reduce RMM Software Risks appeared first on SecurityWeek.

Detecting “Violations of Social Norms” in Text with AI

Researchers are trying to use AI to detect “social norms violations.” Feels a little sketchy right now, but this is the sort of thing that AIs will get better at. (Like all of these systems, anything but a very low false positive rate makes the detection useless in practice.)

News article.

Manga Piracy Apps Stay Up on Google & Apple, Publisher Moves to Unmask Devs

Back in June, a law firm acting for Japanese manga publisher Kadokawa sent copyright complaints to both Google and Apple listing five apps offering allegedly infringing manga content. For reasons that aren't immediately clear, neither company took the apps down. With the assistance of a California court, Kadokawa now wants to identify the developers behind the apps.

From: TF, for the latest news on copyright battles, piracy and more.

Cybersecurity M&A Roundup for August 1-15, 2023

Twenty-five cybersecurity-related M&A deals were announced in the first half of August 2023.

The post Cybersecurity M&A Roundup for August 1-15, 2023 appeared first on SecurityWeek.

Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks

An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors. The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock,

Exploitation of Citrix ShareFile Vulnerability Spikes as CISA Issues Warning 

Exploitation of a Citrix ShareFile vulnerability tracked as CVE-2023-24489 has spiked as CISA added it to its ‘must patch’ catalog.

The post Exploitation of Citrix ShareFile Vulnerability Spikes as CISA Issues Warning appeared first on SecurityWeek.

Cleaning Products manufacturer Clorox Company took some systems offline after a cyberattack

Cleaning products manufacturer Clorox Company announced that it has taken some systems offline in response to a cyberattack. The Clorox Company is a multinational consumer goods company that specializes in the production and marketing of various household and professional cleaning, health, and personal care products. The cleaning product giant announced it was the victim of […]

The post Cleaning Products manufacturer Clorox Company took some systems offline after a cyberattack appeared first on Security Affairs.

CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation. Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited

OTE: OSINT Template Engine

OSINT Template Engine is a research-grade tool for OSINT information gathering & attack surface mapping which uses customizable templates to collect data from sources. It allows for new template creation and...

The post OTE: OSINT Template Engine appeared first on Penetration Testing.

Callisto: An Intelligent Binary Vulnerability Analysis Tool

Callisto is an intelligent automated binary vulnerability analysis tool. Its purpose is to autonomously decompile a provided binary and iterate through the pseudo code output looking...

The post Callisto: An Intelligent Binary Vulnerability Analysis Tool appeared first on Penetration Testing.

File sharing site Anonfiles shuts down due to overwhelming abuse

Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users.

Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged.

However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material.

Five days ago, Anonfiles users began reporting that the service would time out when attempting to upload files.

As spotted by cybersecurity researcher g0njxa, the Anonfiles operators have now shut down the service, stating that their proxy provider recently shut them down and that they can no longer deal with the overwhelming amount of abusive material uploaded to the site.

The statement shown on Anonfiles site is reproduced in its entirety below:

"After trying endlessly for two years to run a file sharing site with user anonymity, we have grown tired of handling the extreme volumes of people abusing it and the headaches it has created for us.
Maybe it is hard to understand, but after tens of millions of uploads and many petabytes later, all work of handling abuse was automated through all available channels to be as fast as possible.
We have auto-banned the contents of hundreds of thousands of files.
Banned file names and also banned specific usage patterns connected to abusive material, to the point where we did not care if we accidentally deleted thousands of false positives in this process.
Even after all this, the high volume of abuse will not stop.
This is not the kind of work we imagined when acquiring it, and recently our proxy provider shut us down.

This can not continue.

Domain 4sale.

[email protected]"

While Anonfiles was a useful file-sharing site for many, other users reported [1, 2, 3] that the site used shady advertisers that commonly redirected visitors to malware, tech support scams, and unwanted Google Chrome and Firefox browser extensions.

For example, when attempting to download a file from Anonfiles, users said you would often be first redirected to a site that downloaded an ISO file using the same name as the file you thought you were downloading.

However, these ISO files contained various malware, including information-stealing malware, remote access trojans, and ad clickers.

In 2021, CronUp researcher Germán Fernández warned that Anonfiles malvertising was pushing RedLine Stealer, a notorious information-stealing malware that steals credentials and cryptocurrency wallets.

Other malvertising campaigns seen by Fernández and Malwarebytes on Anonfiles pushed search hijacking extensions, Amadey botnet, Vidar stealer, and even STOP ransomware.

The Anonfiles operators are now looking for someone to purchase their domain, most likely a buyer who wants to launch a file sharing service of their own.

However, in the interim, the shutdown will cause many files used by cybersecurity researchers and threat actors alike to no longer be available.

CISA adds flaw in Citrix ShareFile to its Known Exploited Vulnerabilities catalog

US CISA added critical vulnerability CVE-2023-24489 in Citrix ShareFile to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added critical flaw CVE-2023-24489 (CVSS score 9.8) affecting Citrix ShareFile to its Known Exploited Vulnerabilities Catalog. Citrix ShareFile is a secure file sharing and storage platform designed for businesses and professionals to collaborate on documents, exchange […]

The post CISA adds flaw in Citrix ShareFile to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

Researchers Harvest, Analyze 100K Cybercrime Forum Credentials

Researchers found that many Dark Web forums have stronger password rules than most government and military entities.

CISA warns of critical Citrix ShareFile flaw exploited in attacks

CISA is warning that a critical Citrix ShareFile secure file transfer vulnerability tracked as CVE-2023-24489 is being targeted by unknown actors, and has added the flaw to its catalog of known security flaws exploited in the wild.

Citrix ShareFile (also known as Citrix Content Collaboration) is a managed file transfer SaaS cloud storage solution that allows customers and employees to upload and download files securely.

The service also offers a 'Storage zones controller' solution that allows enterprise customers to configure their own private data storage to host files, whether on-premises or on supported cloud platforms such as Amazon S3 and Windows Azure.

On June 13th, 2023, Citrix released a security advisory on a new ShareFile storage zones vulnerability tracked as CVE-2023-24489 with a critical severity score of 9.8/10, which could allow unauthenticated attackers to compromise customer-managed storage zones.

"A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller," Citrix explains.

Cybersecurity firm AssetNote disclosed the vulnerability to Citrix, warning in a technical writeup that the flaw is caused by a few small errors in ShareFile's implementation of AES encryption.

"Through our research we were able to achieve unauthenticated arbitrary file upload and full remote code execution by exploiting a seemingly innocuous cryptographic bug," AssetNote researchers explain.

Using this flaw, a threat actor could upload a web shell to a device to gain full access to the storage and all its files.

CISA warns that threat actors commonly exploit these types of flaws and that they pose a significant risk to federal enterprises.

While CISA shares this same warning on many advisories, flaws impacting managed file transfer (MFT) solutions are of particular concern, as threat actors have heavily exploited them to steal data from companies in extortion attacks.

One ransomware operation, known as Clop, has taken a particular interest in targeting these types of flaws, using them in widescale data theft attacks since 2021, when they exploited a zero-day flaw in the Accellion FTA solution.

Since then, Clop has conducted numerous data-theft campaigns using zero-day flaws in SolarWinds Serv-U, GoAnywhere MFT, and, most recently, the massive attacks on MOVEit Transfer servers.

Active exploitation

As part of AssetNote's technical writeup, the researchers shared enough information for threat actors to develop exploits for the Citrix ShareFile CVE-2023-24489 flaw. Soon after, other researchers released their own exploits on GitHub.

On July 26th, GreyNoise began monitoring for attempts to exploit the vulnerability. After CISA warned about the flaw today, GreyNoise updated its report to say there had been a significant uptick in attempts by different IP addresses.

"GreyNoise observed a significant spike in attacker activity the day CISA added CVE-2023-24489 to their Known Exploited Vulnerabilities Catalog," warns GreyNoise.

At this time, GreyNoise has seen attempts to exploit or check if a ShareFile server is vulnerable from 72 IP addresses, with the majority from South Korea and others in Finland, the United Kingdom, and the United States.

Figure: Attempts to exploit CVE-2023-24489 (Source: GreyNoise)

While no publicly known exploitation or data theft has been linked to this flaw, CISA now requires Federal Civilian Executive Branch (FCEB) agencies to apply patches for this bug by September 6th, 2023.

However, given how heavily flaws of this kind are targeted, all organizations are strongly advised to apply the updates as soon as possible.

‘Z-Library ‘Fugitives’ Should Be Brought to Trial in The United States’

The U.S. has responded to a motion to dismiss submitted a few weeks ago by two arrested operators of Z-Library. According to the prosecution, the Russian defendants are fugitives because they continue to protest their extradition to the United States. As such, they should not be allowed to request a dismissal from the U.S. judicial system they are trying to avoid.

From: TF, for the latest news on copyright battles, piracy and more.

Google released first quantum-resilient FIDO2 key implementation

Google has announced the first open-source quantum-resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature scheme co-created with ETH Zurich.

FIDO2 is the second major version of the Fast IDentity Online authentication standard, and FIDO2 keys are used for passwordless authentication and as a multi-factor authentication (MFA) element.

Google explains that a quantum-resistant FIDO2 security key implementation is a crucial step towards ensuring safety and security as the advent of quantum computing approaches and developments in the field follow an accelerating trajectory.

"As progress toward practical quantum computers is accelerating, preparing for their advent is becoming a more pressing issue as time passes," explains Google.

"In particular, standard public key cryptography, which was designed to protect against traditional computers, will not be able to withstand quantum attacks."

With quantum computers being actively developed, there is concern that they will soon be used to more efficiently and quickly crack encryption keys, making encrypted information accessible to governments, threat actors, and researchers.

To protect against quantum computers, a new hybrid algorithm was created by combining the established ECDSA algorithm with the Dilithium algorithm.

Dilithium is a quantum-resistant cryptographic signature scheme that NIST included in its post-quantum cryptography standardization proposals, praising its strong security and excellent performance, making it suitable for use in a wide array of applications.

Figure: Comparison of performance and size of quantum-resistant schemes; Dilithium's balanced performance makes it more suitable than the alternatives (eprint.iacr.org)

This hybrid signature approach, which blends classic and quantum-resistant features, wasn't simple to realize, Google says. Designing a Dilithium implementation that's compact enough for security keys was incredibly challenging.

Its engineers, however, managed to develop a Rust-based implementation that only needs 20KB of memory, making the endeavor practically possible, while they also noted its high-performance potential.

The hybrid signature scheme was first presented in a 2022 paper and recently gained recognition at ACNS 2023 (Applied Cryptography and Network Security), where it won the "best workshop paper" award.

This new hybrid implementation is now part of OpenSK, Google's open-source security key implementation that supports the FIDO U2F and FIDO2 standards.

The tech giant hopes that its proposal will be adopted by FIDO2 as a new standard and supported by major web browsers with large user bases.

The firm calls the application of next-gen cryptography at the internet scale "a massive undertaking" and urges all stakeholders to move quickly to maintain good progress on that front.

Last week, Google introduced a quantum-resistant hybrid cryptography mechanism called X25519Kyber768 in Chrome 116, which encrypts TLS connections.

This move came in anticipation of the risk of future quantum computers having the capacity to decrypt today's data, addressing the "Harvest Now, Decrypt Later" threat.

A massive phishing campaign using QR codes targets the energy sector

A phishing campaign employing QR codes targeted a leading energy company in the US, cybersecurity firm Cofense reported. Starting from May 2023, researchers from Cofense discovered a large-scale phishing campaign using QR codes in attacks aimed at stealing the Microsoft credentials of users from multiple industries. One of the organizations targeted by hackers is a […]

The post A massive phishing campaign using QR codes targets the energy sector appeared first on Security Affairs.

Mirai Common Attack Methods Remain Consistent, Effective

While relatively unchanged, the notorious IoT botnet still continues to drive DDoS.

The Gulf's Dizzying Tech Ambitions Present Risk & Opportunity

Threats and opportunities abound for the UAE and Gulf states, so can they cope with being a cybersecurity stronghold?
