Information Security Newspaper | Hacking News (https://www.securitynewspaper.com)

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks
https://www.securitynewspaper.com/2023/12/11/undetectable-forever-how-to-bypass-edrs-av-with-ease-using-8-new-process-injection-attacks/
Mon, 11 Dec 2023 23:49:54 +0000
In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

Understanding Process Injection

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

The Role of Windows Thread Pools

Central to this new technique is the exploitation of Windows thread pools. Thread pools are a Windows system feature for managing worker threads, which perform tasks in the background; they manage the execution of multiple threads efficiently, reducing the overhead of thread creation and destruction and optimizing the use of system resources. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications, and they are integral to the operating system and used by many applications for asynchronous tasks.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following are the thread pool work items that can be scheduled in Windows, together with how each one could be abused:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.
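A defender-side check for the callback abuse just described, added here as an illustration (it is not SafeBreach's Pool Party code): every work item type in the list above ends by invoking a callback, so the heuristic flags callbacks that point outside any loaded image in the target process, and work items queued into a process from a different process. The telemetry format, process names, module ranges and addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """An image mapped in the target process (constructed telemetry)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class WorkItemEvent:
    """One thread-pool work item dispatched in a process (constructed telemetry)."""
    target_pid: int   # process whose worker thread runs the callback
    source_pid: int   # process that queued the item; equals target_pid when local
    item_type: str    # TP_WORK, TP_TIMER, TP_WAIT, TP_IO, TP_ALPC, TP_JOB or TP_DIRECT
    callback: int     # address the worker thread will call


def backing_module(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the loaded image containing addr, or None if addr is unbacked memory."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def analyze(events: List[WorkItemEvent],
            module_map: Dict[int, List[Module]]) -> List[Tuple[WorkItemEvent, List[str]]]:
    """Flag work items whose callback is not inside any loaded image of the target,
    and work items queued from another process (the remote-insertion pattern)."""
    findings = []
    for ev in events:
        reasons = []
        if backing_module(ev.callback, module_map.get(ev.target_pid, [])) is None:
            reasons.append("callback address not backed by a loaded image")
        if ev.source_pid != ev.target_pid:
            reasons.append(f"work item queued remotely by pid {ev.source_pid}")
        if reasons:
            findings.append((ev, reasons))
    return findings


def demo() -> List[Tuple[WorkItemEvent, List[str]]]:
    """Constructed sample: one benign local item and two that should be flagged."""
    target = 4242
    module_map = {
        target: [
            Module("notepad.exe", 0x7FF6_0000_0000, 0x40000),
            Module("ntdll.dll", 0x7FFA_1000_0000, 0x200000),
            Module("kernel32.dll", 0x7FFA_2000_0000, 0xC0000),
        ]
    }
    events = [
        # legitimate: local TP_WORK whose callback lives inside ntdll.dll
        WorkItemEvent(target, target, "TP_WORK", 0x7FFA_1000_4F10),
        # suspicious: TP_TIMER queued from another process, callback in unbacked memory
        WorkItemEvent(target, 6666, "TP_TIMER", 0x0000_01F0_0000_1000),
        # suspicious: TP_WAIT with an image-backed callback, but queued remotely
        WorkItemEvent(target, 6666, "TP_WAIT", 0x7FFA_2000_0A00),
    ]
    return analyze(events, module_map)


if __name__ == "__main__":
    for ev, reasons in demo():
        print(f"pid {ev.target_pid} {ev.item_type} callback=0x{ev.callback:X}: "
              + "; ".join(reasons))
```

In a real deployment the module map comes from the EDR's image-load telemetry and the work item events from kernel callbacks or ETW; the two reasons can be weighted separately, since an unbacked callback is a far stronger signal than a remote queue alone.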

Implications for Endpoint Detection and Response (EDR) Solutions

The research by SafeBreach Labs tested the newly discovered Pool Party variants against five leading EDR solutions: Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender For Endpoint, and Cybereason EDR. The result was startling, as none of the tested EDR solutions were able to detect or prevent the Pool Party attack techniques. This underscores the need for ongoing innovation in cybersecurity defense mechanisms to keep pace with evolving threats. The exploitation of Windows thread pools for process injection, as highlighted in the SafeBreach article, has significant implications for Endpoint Detection and Response (EDR) solutions. These implications necessitate a reevaluation and enhancement of current EDR strategies:

  1. Challenge to Traditional Detection Methods:
    • Traditional EDR solutions often rely on signature-based detection and known behavioral patterns to identify threats. However, the manipulation of Windows thread pools represents a more sophisticated attack vector that may not be easily detected through these conventional methods. This calls for an advancement in detection technologies.
  2. Need for Deeper System Monitoring:
    • EDR solutions must now consider deeper system monitoring, particularly focusing on the internals of operating systems like thread pool activities, thread creation, and execution patterns. This level of monitoring can help in identifying anomalies that are indicative of thread pool exploitation.
  3. Enhancing Behavioral Analysis Capabilities:
    • EDR systems need to enhance their behavioral analysis capabilities to detect unusual activities that could signify a threat. This includes monitoring for irregularities in thread pool usage, unexpected execution of code within thread pools, and other anomalies that deviate from normal system behavior.
  4. Integration of Advanced Heuristics:
    • Integrating advanced heuristics and machine learning algorithms can help EDR solutions become more proactive in detecting new and sophisticated attack methods. These technologies can learn from evolving attack patterns and adapt their detection mechanisms accordingly.
  5. Improving Response Strategies:
    • In addition to detection, EDR solutions must improve their response strategies to such threats. This includes automated containment measures, quick eradication of threats, and efficient recovery processes to minimize the impact of an attack.
  6. Collaboration and Threat Intelligence Sharing:
    • EDR vendors and cybersecurity experts need to collaborate and share threat intelligence actively. By understanding the latest attack trends and techniques, such as those involving thread pool exploitation, EDR solutions can be better equipped to protect against them.
  7. Educating Users and Administrators:
    • EDR solutions should also focus on educating users and system administrators about these new threats. Awareness can play a crucial role in early detection and response to sophisticated attacks.
  8. Regular Updates and Patch Management:
    • Continuous updating and patch management are crucial. EDR solutions must ensure that they are updated with the latest threat definitions and that they can identify vulnerabilities in systems that need patching or updates.
  9. Zero Trust Approach:
    • Implementing a zero trust approach can be beneficial. EDR solutions should treat every process and thread as a potential threat until verified, ensuring strict access controls and monitoring at all levels.
  10. Forensic Capabilities:
    • Enhancing forensic capabilities is essential for post-incident analysis. Understanding how an attack was carried out, including thread pool exploitation, can provide valuable insights for strengthening EDR strategies.

In summary, the exploitation of Windows thread pools for process injection presents a complex challenge for EDR solutions, necessitating a shift towards more advanced, intelligent, and comprehensive cybersecurity strategies.

Mitigation

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

Over 86,000 Routers at Risk – Is Yours One of Them? Shocking Vulnerabilities in Widely Used OT/IoT Routers
https://www.securitynewspaper.com/2023/12/06/over-86000-routers-at-risk-is-yours-one-of-them-shocking-vulnerabilities-in-widely-used-ot-iot-routers/
Wed, 06 Dec 2023 19:22:43 +0000
The research report “Sierra:21 – Living on the Edge” presents an analysis of vulnerabilities found in Sierra Wireless AirLink cellular routers, which are widely used in OT/IoT (Operational Technology/Internet of Things) environments to connect critical local networks to the Internet. Forescout Vedere Labs identified 21 new vulnerabilities in these routers, as well as in certain open-source components used in them, such as TinyXML and OpenNDS.

  • The study focuses on the Sierra Wireless AirLink cellular routers, crucial for connecting OT/IoT networks to the internet.
  • These routers are used in various critical infrastructure sectors, including manufacturing, healthcare, government, energy, transportation, and emergency services.
  • Sierra Wireless, OpenNDS, and Nodogsplash have patched several vulnerabilities, but challenges remain due to the abandonment of projects like TinyXML.

Flaws and Examples

The vulnerabilities are grouped into five impact categories:

  1. Remote Code Execution (RCE): Attackers can take full control of a device by injecting malicious code.
  2. Cross-Site Scripting (XSS): This allows for the injection of malicious code on clients browsing the ACEmanager application, potentially leading to credential theft.
  3. Denial of Service (DoS): These vulnerabilities can be used to crash ACEmanager, rendering it unreachable or causing it to restart automatically.
  4. Unauthorized Access: This involves design flaws like hardcoded credentials and private keys, which could allow attackers to perform man-in-the-middle attacks or recover passwords.
  5. Authentication Bypasses: These allow attackers to bypass the authentication service of the captive portal and directly connect to the protected WiFi network.

Severity of Vulnerabilities: Among these 21 vulnerabilities, one is of critical severity, nine have high severity, and eleven have medium severity. These vulnerabilities could allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device, and use it as an initial access point into critical networks.

Affected Sectors: The affected devices are found in multiple critical infrastructure sectors. These include manufacturing, healthcare, government and commercial facilities, energy and power distribution, transportation, water and wastewater systems, retail, emergency services, and vehicle tracking. Additionally, these routers are used to stream video for remote surveillance and connect police vehicles to internal networks.

Extent of Exposure: Over 86,000 vulnerable routers are exposed online. Notably, less than 10% of these exposed routers have been confirmed to be patched against known vulnerabilities found since 2019, which indicates a large attack surface. Moreover, 90% of devices exposing a specific management interface (AT commands over Telnet) have reached the end of their life, meaning they cannot receive further patches.

Specific examples include:

  • CVE-2023-40458: ACEmanager enters an infinite loop when parsing malformed XML documents, leading to DoS.
  • CVE-2023-40459: A NULL-pointer dereference in ACEmanager during user authentication, leading to limited DoS.
  • CVE-2023-40460: Attackers can upload HTML documents to replace legitimate web pages in ACEmanager, leading to XSS attacks.
  • CVE-2023-40461 and CVE-2023-40462: Issues with uploading client certificates and client TLS keys in ACEmanager, enabling JavaScript code injection.
  • CVE-2023-40463: Hardcoded hash of the root password in ALEOS, allowing unauthorized root access.
  • CVE-2023-40464: Default SSL private key and certificate in ALEOS, enabling impersonation and traffic sniffing/spoofing.

Mitigation or Workaround

  • Patching is essential. Sierra Wireless has released updated ALEOS versions containing fixes.
  • Change default SSL certificates.
  • Disable unnecessary services like captive portals, Telnet, and SSH.
  • Deploy web application firewalls to protect against web-based vulnerabilities.
  • Use OT/IoT-aware intrusion detection systems to monitor network connections.

Conclusion

  • Vulnerabilities in OT/IoT network infrastructure are a major concern and are often left unpatched.
  • Less than 10% of routers exposed online are patched against known vulnerabilities.
  • Embedded devices lag in addressing vulnerabilities and implementing exploit mitigations.
  • Incomplete fixes can lead to new issues, as seen with CVE-2023-40460, originating from an incomplete fix for a previous vulnerability.
  • Manufacturers need to understand and address the root causes of vulnerabilities for effective long-term solutions.

Inside LogoFAIL: The UEFI Firmware Flaw Compromising Millions of Devices
https://www.securitynewspaper.com/2023/12/04/inside-logofail-the-uefi-firmware-flaw-compromising-millions-of-devices/
Mon, 04 Dec 2023 14:20:00 +0000
In the ever-evolving landscape of cybersecurity, a new threat has emerged, casting a long shadow over the integrity of computer systems worldwide. Dubbed ‘LogoFAIL,’ this set of vulnerabilities has been unearthed within the Unified Extensible Firmware Interface (UEFI), the backbone of modern computing’s boot process. Discovered by the vigilant eyes of the Binarly Research team, LogoFAIL exposes a critical flaw in the firmware of countless devices, transcending conventional hardware boundaries to affect both x86 and ARM-based systems. This alarming revelation not only underscores the intricacies of digital security but also serves as a stark reminder of the perpetual arms race between cyber defenders and threat actors. As we delve into the depths of LogoFAIL, it becomes increasingly clear that the battleground of cybersecurity extends far beyond the visible layers of software, rooting itself in the very core of our digital infrastructure.

These vulnerabilities were discovered by the Binarly Research team and have far-reaching consequences:

  1. Discovery and Impact: LogoFAIL vulnerabilities affect various vendors’ system firmware during the device boot process, not being specific to any silicon type. They impact the entire firmware ecosystem, including Independent BIOS vendors (IBVs) like AMI, Insyde, and Phoenix. This implies that a broad range of consumer and enterprise devices could be at risk. Imagine a scenario where a large electronics manufacturer uses firmware from an Independent BIOS Vendor (IBV) like AMI for its laptops. If this firmware contains the vulnerable image parsing libraries identified in LogoFAIL, then all these laptops, regardless of their specific models or configurations, could potentially be at risk. This would mean millions of devices across the globe could be vulnerable to these security flaws.
  2. Operation of Vulnerabilities: These vulnerabilities enable attackers to store malicious logo images on the EFI System Partition (ESP) or in unsigned sections of a firmware update. During the boot process, when these images are parsed, the vulnerability can be triggered, allowing attackers to execute arbitrary payloads. This can lead to the bypassing of critical security features like Secure Boot and hardware-based Verified Boot mechanisms, including Intel Boot Guard, AMD Hardware-Validated Boot, or ARM TrustZone-based Secure Boot. For example, an attacker could craft a malicious logo image and insert it into the EFI System Partition on a victim’s laptop. When the laptop is booted, the firmware parses this image, unknowingly triggering the vulnerability. This could allow the attacker to bypass the laptop’s Secure Boot mechanism, effectively undermining one of the key security features that is supposed to ensure only trusted software is loaded during the boot process.
  3. Implications: LogoFAIL vulnerabilities can completely compromise the system’s security, making “below-the-OS” security measures like Secure Boot ineffective. This level of compromise allows attackers to gain deep control over affected systems. The vulnerabilities offer a different attack surface on the ESP partition, allowing for data-only exploitation by modifying the logo image. Consider a highly secure workstation used in a government facility, which relies on Secure Boot for security. If this workstation is affected by LogoFAIL, an attacker could exploit these vulnerabilities to gain control over the system even before the operating system loads. This could potentially allow the attacker to manipulate or disable other security measures, essentially gaining unrestricted access to the system and the sensitive data it contains.

Exploitation

Threat actors can exploit the LogoFAIL vulnerabilities in the following ways:

  1. Malicious Logo Images: Attackers can craft malicious logo images and place them on the EFI System Partition (ESP) or within unsigned sections of a firmware update. Because the firmware parses these images during the boot process, a malformed image triggers the parsing flaw and the attacker’s payload is executed.
  2. Bypassing Security Mechanisms: By exploiting these vulnerabilities, attackers can bypass critical security features like Secure Boot, Intel Boot Guard, and other hardware-validated boot mechanisms. This allows them to execute unauthorized code at a fundamental level of the device.
  3. System Compromise: Once they bypass these security measures, attackers can potentially gain deep control over the system, undermining its security and potentially accessing sensitive information or installing further malware. This level of access can be particularly damaging as it occurs below the operating system level, making detection and remediation more challenging.

Mitigation

To mitigate the risks associated with the LogoFAIL vulnerabilities, several steps can be taken:

  1. Firmware Updates: Regularly updating firmware is crucial. Manufacturers often release patches and updates to address known vulnerabilities. Keep all devices updated with the latest firmware versions provided by the manufacturer.
  2. Vendor Communication: Stay informed about any security advisories or updates from device manufacturers. This can include checking for updates on their websites or subscribing to their security bulletins.
  3. Security Solutions: Employ security solutions that monitor firmware integrity and detect anomalies at the firmware level.
  4. Regular Audits: Conduct regular security audits of firmware to identify and mitigate potential vulnerabilities.
  5. Best Practices: Follow cybersecurity best practices, including maintaining a secure and updated environment, and educating users about the importance of security in preventing malware infections.
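An added integrity check for the ESP, illustrating the “monitor firmware integrity” step above; it is example code written for this page, not Binarly’s tooling. It baselines SHA-256 digests of every file on the partition and reports new, altered or removed files, calling out image files specifically because LogoFAIL is triggered by a logo image parsed at boot. The ESP layout, file names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# Image formats a boot logo might use; anything new or changed with one of these
# suffixes on the ESP deserves a closer look (list is an assumption, extend as needed).
IMAGE_SUFFIXES = {".bmp", ".png", ".jpg", ".jpeg", ".gif", ".tga", ".pcx"}


def hash_tree(root: Path) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by its ESP-relative POSIX path."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Compare a stored baseline with the current tree; image files that are new or
    modified are listed separately as the LogoFAIL-relevant subset."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    suspicious = [k for k in added + changed if Path(k).suffix.lower() in IMAGE_SUFFIXES]
    return {"added": added, "removed": removed, "changed": changed,
            "suspicious_images": suspicious}


def demo() -> Dict[str, list]:
    """Constructed ESP: take a baseline, simulate tampering with the logo, then diff."""
    with tempfile.TemporaryDirectory() as d:
        esp = Path(d)
        (esp / "EFI/BOOT").mkdir(parents=True)
        (esp / "EFI/BOOT/BOOTX64.EFI").write_bytes(b"MZ constructed boot loader")
        (esp / "EFI/OEM").mkdir()
        (esp / "EFI/OEM/logo.bmp").write_bytes(b"BM constructed vendor logo")
        baseline = hash_tree(esp)  # in practice: stored off-host after a known-good install

        # Simulated tampering: the vendor logo is replaced and a second image appears.
        (esp / "EFI/OEM/logo.bmp").write_bytes(b"BM modified logo bytes")
        (esp / "EFI/OEM/splash.png").write_bytes(b"\x89PNG constructed new image")
        return diff_baseline(baseline, hash_tree(esp))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On a live system, point `hash_tree` at the mounted ESP (for example /boot/efi on Linux, or the volume exposed with mountvol on Windows) and keep the baseline somewhere the firmware and OS cannot rewrite it.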

These steps can significantly reduce the risk of exploitation of these vulnerabilities. This research underscores the seriousness of these vulnerabilities and their potential to affect a vast range of devices, highlighting the need for comprehensive security measures in firmware development and maintenance.

Stellar Cyber Launches Field-Proven University Program, Provides SOC Services to Underserved Communities
https://www.securitynewspaper.com/2023/12/03/stellar-cyber-launches-field-proven-university-program-provides-soc-services-to-underserved-communities/
Sun, 03 Dec 2023 15:19:44 +0000
Cybersecurity is the industry of the future.

If we only consider the financial damage of security incidents, the data shows that the cost of cybercrime is expected to double by 2027.

In 2023, the global cost of cybercrime worldwide is estimated at $11.50 trillion. In four years, the projected financial damage will likely total $23.82 trillion USD.

The technology security professionals use changes constantly, evolving to keep up with emerging exploits and a large number of hacking threats.

The systems that businesses rely on change as well — increasing already large attack surfaces.

To protect their assets, companies need security experts who have the right skills to reduce the chance of a costly attack.

Most universities don’t have the time or funding to teach these skills to their students. For future cybersecurity professionals, this means that it takes longer than it should to get that first job out of college.

Open XDR innovator Stellar Cyber has launched the first program that helps students get hands-on cybersecurity experience.

How does the Stellar Cyber University Partnership Program help universities, students, and disadvantaged communities?

Helping Universities Free of Cost

“Stellar Cyber is proud to offer this comprehensive, collaborative education program free of charge for those training our cyber warriors of the future,” said Jim O’Hara, Chief Revenue Officer at Stellar Cyber.

When Stellar Cyber collaborates with a university on their new program, they offer:

  • Access to technology, i.e. their Open XDR platform
  • Instructor-led training for the use of the platform
  • Mentorship through their network of cybersecurity professionals and partners

Stellar Cyber has been developing its Open XDR (Extended Detection and Response) platform for almost a decade.

Combining the functionality of several key cybersecurity solutions (including SIEM, TIP, IDS, NDR, and UEBA), the platform offers united security in one place.

Using machine learning and AI, it analyzes and correlates large volumes of data arriving from once-disconnected security tools.

Enrolled students use Stellar Cyber’s Open XDR in the university lab to seek threats and react to them before they escalate.

The platform is intuitive and designed to simplify security analysis for smaller businesses, and the training helps students get the most out of this security solution.

Stellar Cyber also offers ready-made instructor-led training, because it is too costly for universities to alter their curriculum as often as they should.

As students use the platform and learn more about it, they also have access to coaching and experienced mentors who have a long history of working in the industry.

Preparing Students for Careers in Cybersecurity

After they obtain a degree, students often aren’t sure:

  • Whether cybersecurity is the right career path for them
  • What kind of opportunities they have in this growing industry
  • How to bridge the gap between theoretical knowledge and practical skills

The program provides the students with insight into one aspect of cybersecurity, giving them a glimpse into the role of the security expert.

They’ll use the Open XDR platform to detect threats, investigate possible high-risk incidents, and respond with suitable measures.

During training and threat hunting, they acquire the skills that companies actively hiring security experts today genuinely need. In this way, the program bridges the gap between theory and practical skills that is common among new graduates.

“We are honored to do our part to help shrink the worldwide cybersecurity skills gap and provide security services to communities in need. It’s our objective to scale as broadly as possible and to assist universities as they prepare their graduates to enter the cybersecurity workforce.”

Besides technology, training, and mentorship, Stellar Cyber also offers a certificate. The Stellar Cyber Certification Program gives students another way to set themselves apart as job candidates once they complete their degree in cybersecurity.

Offering Enrolled Students Job Opportunities

Students who complete the program will be recognized as dependable future professionals who have the right skills and the hands-on practice to show for them.

Stellar Cyber has built a large network of partners and customers who need security professionals who are well-versed in the Open XDR platform.

“All too often, students graduate from college without being exposed to the fantastic career opportunities in the cybersecurity industry,” said Paul Levasseur, Vice President of Customer and Partner Enablement at Stellar Cyber.

Students who participate in the program will not only have a better understanding of what a security role entails and what kinds of roles are available; they'll also be linked with direct opportunities.

Having access to Stellar Cyber’s private LinkedIn group, they’ll be the first ones to know about the internship and hiring opportunities within the Stellar Cyber community.

Protecting Underserved Communities

The impact of the program goes beyond the universities and beyond graduation. Students get hands-on experience in the field by helping underserved communities that lack the technology to safeguard them against evolving cybersecurity incidents. In most cases, such communities don't have the resources to hire their own security operations team.

The program changes that by protecting communities in need with the latest cybersecurity technology.

“Attackers look for targets that cannot easily defend themselves,” Levasseur added. “Our hope is to ensure that these previously underserved communities get the protection they deserve.”

How Can Universities Apply for the Program?

The partnership program is an invite-only opportunity, and it's the first of its kind. Universities that qualify for it have to:

  • Provide the students with a certificate or a degree in cybersecurity
  • Utilize the Open XDR platform in their educational labs
  • Allow Stellar Cyber to use their details for promotion purposes
  • Agree to provide underserved organizations with security operations free of cost

This is also a way for a university to stand out: to become an institution that gives its students real-life experience and programs that build the foundation for a career in cybersecurity.

The post Stellar Cyber Launches Field-Proven University Program, Provides SOC Services to Underserved Communities appeared first on Information Security Newspaper | Hacking News.

How to Rebuild your Exchange Server (After Ransomware Attack) using Stellar Repair for Exchange?
https://www.securitynewspaper.com/2023/11/29/how-to-rebuild-your-exchange-server-after-ransomware-attack-using-stellar-repair-for-exchange/
Wed, 29 Nov 2023 15:04:58 +0000

In this review, we will take a live scenario where an Exchange Server is infected by ransomware. We will see how to rebuild the Exchange Server after the attack and how to restore the services without data loss. We will also discuss the issues that can occur when rebuilding the server, and we will look at an Exchange recovery tool, Stellar Repair for Exchange, that can help recover the database from the affected server.

The Scenario

There is an Exchange Server 2019 Standard, installed on a Windows Server 2019 Standard. The server is a Hyper-V virtual machine, hosted on Windows Server 2022 Standard. 

The virtual machine got infected by ransomware, called BadRabbit, which came from a user computer and propagated across the network. This happened during the weekend. The ransomware encrypted most of the files on the Exchange Server. The server virtual machine was also having a lot of issues and the Exchange Server was not responsive. Fortunately, since the EDB files were held open by the Exchange Server, they were not encrypted. Although this is a good sign, the database can still be damaged, because the server didn't shut down properly and transactions that were still only in the logs may not have been committed to the database.

After isolating the server from the network and removing the ransomware files from all the computers, the server was examined in a sandbox environment to remove any remaining traces of the ransomware. After the clean-up, and after getting the go-ahead from the security team to reconnect the server to the network, an extensive amount of troubleshooting was required to get the services running, as some of the operating system files were damaged.

Restoring from backup was a solution, but only the weekly offsite backup was available. The Network Attached Storage (NAS) had the local daily backups that were infected as well. So, the local backups were not usable. Going back a week would mean a massive data and business loss. So, an alternative was needed.

The Server Recovery and Rebuilding Process

The decision was taken to rebuild the Exchange Server from scratch. After shutting down or isolating the damaged server, we need to go into Active Directory Users and Computers and reset the computer account of the old server.

For the first part, we need to install a new virtual machine with the same computer name and IP address as the previous Exchange Server, joined to the same domain. This is what makes the recovery possible: although the mailbox data resided on the Exchange Server, the server's configuration and setup are stored in Active Directory (in the configuration partition), not on the server itself.

It’s important to note that the drive space, drive letters, and other things from the previous server documentation are same. Now, we need to re-install the Exchange Server with the same version and build number, but not in the conventional way. We need to run the setup.exe file with the following parameters.

Setup.exe /m:recoverserver

A screen shot of a computer

Description automatically generated

This process would take about 45 minutes depending on the performance of the server. This will re-install the Exchange Server and retain the same configuration of the previous server, which is pulled from the Active Directory Schema (ADS). After this, any custom connectors need to be re-created from scratch. The biggest problem is to retain data, without any loss or go back a week from the backup.

Copying the databases from the corrupt server to the same location on the new one and then restarting the services would leave the databases in a Dirty Shutdown state. We can use EseUtil to perform a soft recovery (eseutil /r), which replays the transaction logs and clears up minor damage. But if the transaction logs are lost or damaged, there is little that soft recovery can do. The remaining option is a hard repair (eseutil /p), which discards whatever cannot be repaired, so it means data loss and there is no guarantee that it will work. It also takes a lot of time and effort. So, the alternative is to use third-party Exchange recovery software to recover the data.
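The check-then-recover sequence described above, written out as an added PowerShell example (this is not code from the article or from Stellar). It reads the database header with eseutil /mh, runs a soft recovery only when the header reports Dirty Shutdown, and mounts the database only once it is Clean. The database path, log folder, log prefix and database name are assumptions for this scenario; Mount-Database and Get-MailboxDatabase require the Exchange Management Shell.

```powershell
# Added example (not from the original article): check the state of a copied
# Exchange database and run a soft recovery only when it is in Dirty Shutdown.
# Paths, log prefix and database name below are assumptions for this scenario.
$DbPath    = 'D:\ExchangeDatabases\DB01\DB01.edb'
$LogFolder = 'D:\ExchangeDatabases\DB01\Logs'
$LogPrefix = 'E00'      # first three characters of the log file names, e.g. E00.log
$DbName    = 'DB01'
# ExchangeInstallPath is set by Exchange setup on the rebuilt server
$EseUtil   = Join-Path $env:ExchangeInstallPath 'Bin\eseutil.exe'

function Get-EdbState {
    param([string]$Path)
    # eseutil /mh dumps the database header; its "State:" line reads
    # "Clean Shutdown" or "Dirty Shutdown"
    $header = & $EseUtil /mh $Path 2>&1
    $stateLine = $header | Where-Object { $_ -match '^\s*State:\s*(.+)$' } | Select-Object -First 1
    if (-not $stateLine) { throw "Could not read the database header from $Path" }
    return ($stateLine -replace '^\s*State:\s*', '').Trim()
}

$state = Get-EdbState -Path $DbPath
Write-Host "Database $DbName header state: $state"

if ($state -like 'Dirty*') {
    # Soft recovery replays the transaction logs that were still uncommitted when
    # the server went down. It needs the log files: if they were encrypted or lost,
    # this step fails and only hard repair (eseutil /p, with data loss) or a
    # third-party recovery tool remains. Always work on a copy of the EDB and logs.
    Write-Host "Running soft recovery with logs from $LogFolder"
    & $EseUtil /r $LogPrefix /l $LogFolder /d (Split-Path $DbPath -Parent)
    if ($LASTEXITCODE -ne 0) {
        throw "Soft recovery failed (exit code $LASTEXITCODE); do not run /p on your only copy"
    }
    $state = Get-EdbState -Path $DbPath
    Write-Host "State after soft recovery: $state"
}

if ($state -like 'Clean*') {
    # Only a database in Clean Shutdown should be mounted on the rebuilt server
    Mount-Database -Identity $DbName
    Get-MailboxDatabase -Identity $DbName -Status | Select-Object Name, Mounted, Server
} else {
    Write-Warning "Database $DbName is still '$state'; hard repair or a recovery tool is needed"
}
```

The script deliberately stops after a failed soft recovery instead of falling through to eseutil /p: hard repair is destructive, so that decision should be taken by a person with a second copy of the EDB in hand.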

How Stellar Repair for Exchange can help?

Since the copy of the databases or transaction logs could be damaged, using an Exchange recovery software, such as Stellar Repair for Exchange can shorten the recovery time. This means the users will get their data back faster.

With Stellar Repair for Exchange, we can easily open damaged Exchange Server mailbox databases from any version of Exchange Server, with or without an active Exchange Server. Here’s the process to recover data from EDB using the software:

  • The process starts with selecting the EDB file and then choosing either Quick Scan or Extensive Scan.
  • After the scan, the software presents all the mailboxes and resources found in the database. The scan can also be saved for later use.
  • The software lets you choose the resources to recover. We can export directly to a live Exchange Server.
  • After selecting the mailboxes to export, the details of the destination need to be set. The software automatically matches the mailboxes and also allows you to match them manually. It also allows you to select VIP resources to be processed first.

After this, the process will start. When the data is restored, the users will see their data in their mailboxes. 

Conclusion

Above, we have discussed the process to rebuild an Exchange Server and recover the data after a ransomware attack. Restoring from the available backup was not an ideal solution here, as it would have meant a week of data loss. Alternatively, we can use Stellar Repair for Exchange to reduce the recovery time to a bare minimum and to protect the company data. The software can help in getting the services up and running quickly and with ease.

The post How to Rebuild your Exchange Server (After Ransomware Attack) using Stellar Repair for Exchange? appeared first on Information Security Newspaper | Hacking News.

How hrserver.dll stealthy webshell can mimic Google's Web Traffic to hide and compromise networks
https://www.securitynewspaper.com/2023/11/23/how-hrserver-dll-stealthy-webshell-can-mimic-googles-web-traffic-to-hide-and-compromise-networks/
Fri, 24 Nov 2023 00:00:40 +0000

Researchers have unearthed a sophisticated web shell, dubbed 'HrServ,' hidden within a seemingly innocuous DLL file, 'hrserv.dll.' The discovery, which emerged from routine cybersecurity investigations, shows a new depth of sophistication in web shell attacks and challenges existing defense mechanisms.

The Alarming Emergence of Web Shells in Cyber Warfare

Web shells, a relatively obscure term outside cybersecurity circles, represent a formidable threat in the digital age. They are malicious scripts or programs that hackers deploy on compromised web servers, enabling remote access and control. The discovery of HrServ marks a significant escalation in this digital arms race. Typically, web shells are rudimentary in nature, but HrServ breaks this mold with its advanced capabilities and stealthy operations, setting a new benchmark for cyber threats.

Stumbling Upon ‘HrServ’

The journey to unearthing HrServ began with the routine analysis of suspicious files. Researchers stumbled upon 'hrserv.dll,' which initially did not appear to deviate from the norm. Closer inspection, however, revealed its true nature. The web shell exhibited unusual features, including custom encoding of client communications and the ability to execute code directly in memory, a tactic that significantly complicates detection.

Decoding HrServ’s Sophisticated Mechanics

HrServ’s infection chain starts with the creation of a scheduled task named ‘MicrosoftsUpdate,’ which further executes a batch file. This file then facilitates the copying of ‘hrserv.dll’ into the crucial System32 directory, effectively embedding the malware deep within the system. From here, HrServ springs to life, initiating an HTTP server and managing client-server communication with intricate custom encoding, involving Base64 and FNV1A64 hashing algorithms.

The Ingenious GET Parameter Technique

One of the most striking aspects of HrServ is the way it dispatches on a parameter in the query string of its HTTP requests, specifically a parameter named 'cp.' Different values of 'cp' select different actions in the web shell. For example:

  • GET with cp=0: Calls VirtualAlloc, copies a custom decoded NID cookie value, and creates a new thread.
  • POST with cp=1: Creates a file and writes the custom decoded POST data to it.
  • GET with cp=2: Reads a file using the custom decoded NID cookie value and returns it in the response.
  • GET with cp=4 and 7: Returns Outlook Web App HTML data.
  • POST with cp=6: Indicates a code execution process, copying decoded POST data to memory and creating a new thread.

This technique allows the malware to perform various actions based on the HTTP request it receives, making it a versatile and dangerous tool for attackers. The request format also borrows from Google's web traffic: the NID cookie that carries input for some of the commands is the name of a cookie Google itself sets, which helps the malicious traffic blend in with legitimate web traffic and makes detection more challenging.

Mimicking Google’s Web Traffic Patterns

In a cunning move to evade detection, HrServ’s communication pattern is modeled to mimic Google’s web services. This resemblance is not accidental but a deliberate attempt to blend malicious traffic with legitimate web services, making it a needle in a digital haystack for network monitoring systems.
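The indicators above (the 'MicrosoftsUpdate' task, hrserv.dll in System32, and the cp parameter paired with an NID cookie on a host that is not Google) are enough to build a first-pass check. The following PowerShell is an added example and not code from the researchers; it performs a host check and scans constructed, not real, web-server log lines in an assumed "method url host cookie" format.

```powershell
# Added example (not from the original research): two checks derived from the
# HrServ indicators described in the article. Task name, DLL name and the "cp"
# selector come from the article; the log lines below are constructed.

function Test-HrServHostIndicators {
    # Host side: the scheduled task and the DLL dropped into System32
    $task = Get-ScheduledTask -TaskName 'MicrosoftsUpdate' -ErrorAction SilentlyContinue
    $dll  = Join-Path $env:SystemRoot 'System32\hrserv.dll'
    [pscustomobject]@{
        ScheduledTaskPresent = [bool]$task
        DllPresent           = (Test-Path $dll)
    }
}

function Find-HrServRequests {
    # Network side: requests that carry HrServ's cp=<n> selector together with an
    # NID cookie, sent to a host that is not Google. NID is a cookie name Google
    # uses, so the combination on an internal server is what stands out.
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        # Assumed log format: <method> <path-with-query> <host> <cookie-header>
        $parts = $line -split '\s+', 4
        if ($parts.Count -lt 4) { continue }
        $method, $url, $hostName, $cookie = $parts

        $query   = ($url -split '\?', 2)[1]
        $cpValue = $null
        foreach ($kv in ($query -split '&')) {
            if ($kv -match '^cp=(\d+)$') { $cpValue = [int]$Matches[1] }
        }
        if ($null -eq $cpValue) { continue }

        $hasNid   = $cookie   -match '(^|;\s*)NID='
        $toGoogle = $hostName -match '(^|\.)google\.com$'
        if ($hasNid -and -not $toGoogle) {
            [pscustomobject]@{ Method = $method; Host = $hostName; Cp = $cpValue; Url = $url }
        }
    }
}

# Constructed sample log lines for demonstration (not real captures)
$sample = @(
    'GET  /owa/?cp=0     mail.example.internal  NID=511=abc123; other=1',
    'POST /owa/?cp=6     mail.example.internal  NID=511=deadbeef',
    'GET  /search?cp=0   www.google.com         NID=511=legit',
    'GET  /owa/auth.owa  mail.example.internal  OutlookSession=xyz'
)

Test-HrServHostIndicators | Format-List
Find-HrServRequests -LogLines $sample | Format-Table -AutoSize
```

The log check is intentionally narrow: a cp parameter alone is common in legitimate applications, and an NID cookie alone is just a browser that has visited Google. Flagging only the pair, and only toward non-Google hosts, keeps the false-positive rate workable while still catching the cp=0 and cp=6 requests in the sample.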

The Afghan Government Entity: A Sole Victim with Global Implications

Remarkably, the only known victim of HrServ, as per the available data, was a government entity in Afghanistan. This targeted approach hints at the possibility of state-sponsored cyber espionage, although the attribution remains unclear. The implications of such a sophisticated attack extend far beyond a single entity, posing a stark reminder of the vulnerabilities inherent in digital infrastructures worldwide.

Unraveling the Mystery: Who is Behind HrServ?

The origins and affiliations of the HrServ creators remain shrouded in mystery. However, certain clues point towards a non-native English-speaking group, deduced from language patterns and technical intricacies observed in the malware. Moreover, the use of specific parameters akin to those in Google services suggests a high level of sophistication and understanding of global web traffic patterns.

Looking Ahead: A Cybersecurity Challenge for the Future

The discovery of HrServ represents a watershed moment in the ongoing battle between cybercriminals and defenders. Its sophisticated design, evasive techniques, and targeted application signify a new era in cyber threats, one where traditional defense mechanisms may no longer suffice. As cybersecurity experts continue to dissect and understand HrServ, the digital world braces for future challenges, emphasizing the ever-evolving nature of cyber threats and the perpetual need for innovative defense strategies.

The post How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks appeared first on Information Security Newspaper | Hacking News.

Binance's 4.3 Billion-Dollar Blunder: How cyber criminals launder money via Binance?
https://www.securitynewspaper.com/2023/11/21/binances-4-3-billion-dollar-blunder-how-cyber-criminals-launder-money-via-binance/
Wed, 22 Nov 2023 00:22:50 +0000

Cyber criminals have utilized cryptocurrency exchanges like Binance for money laundering due to the pseudonymous nature of digital currencies. Here’s a general overview of how they might do this:

  1. Obtaining Cryptocurrency through Illicit Means: Cyber criminals may acquire cryptocurrencies like Bitcoin through illegal activities such as hacking, ransomware attacks, online scams, or dark web transactions.
  2. Creating Accounts on Exchanges: They create accounts on cryptocurrency exchanges like Binance. This often involves using fake or stolen identities to avoid detection, as legitimate exchanges require identity verification (Know Your Customer, KYC) for account creation.
  3. Depositing the Illicit Funds: The acquired cryptocurrency is then deposited into their accounts on these exchanges. This step is critical in the laundering process as it moves the funds from a directly traceable source (like a ransomware payment) to a more mainstream financial network.
  4. Layering through Transactions: To obscure the origin of the funds, criminals may engage in a series of complex transactions. This involves converting cryptocurrencies into other digital assets, trading across various pairs, or moving funds across multiple accounts and exchanges. The goal is to disassociate the illicit funds from their original source.
  5. Using Tumblers/Mixers: In some cases, services known as tumblers or mixers are used. These services mix potentially identifiable or ‘tainted’ cryptocurrency funds with others, making it harder to trace back to the original source.
  6. Withdrawing or Spending: Finally, the laundered funds are either withdrawn as fiat currency through the exchange or used to purchase goods and services directly with cryptocurrency, thereby entering the legitimate economy.

In a landmark legal development, Binance, the world’s largest cryptocurrency exchange, and its CEO Changpeng Zhao, popularly known as “CZ,” have agreed to a $4.3 billion settlement with U.S. authorities over charges of money laundering and other financial crimes. This settlement marks one of the most significant actions against a major player in the cryptocurrency industry.

Background of the Case: Founded in 2017, Binance quickly rose to prominence as a leading cryptocurrency exchange. However, its rapid growth and global operations caught the attention of U.S. regulators, leading to intense scrutiny over its compliance with anti-money laundering (AML) regulations and sanctions laws.

Changpeng Zhao’s Involvement: Changpeng Zhao, the charismatic and influential founder of Binance, found himself at the center of these legal challenges. Facing allegations of knowingly failing to implement an effective AML program and violating economic sanctions, Zhao appeared in a Seattle federal court to enter his plea. In a significant turn of events, he pleaded guilty to the charges and agreed to pay a $50 million fine to the Commodity Futures Trading Commission (CFTC).

Details of the Settlement: The $4.3 billion settlement, a figure unprecedented in the crypto industry, includes criminal fines and forfeiture amounts exceeding $2.5 billion. Binance’s admission of engaging in unlicensed money transmitting and sanctions violations underscores the severity of the charges. The settlement also involves agreements with the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN), the Office of Foreign Assets Control (OFAC), and the CFTC.

Binance admitted to anti-money laundering, unlicensed money transmitting, and sanctions violations. Of the roughly $4.3 billion owed under the settlement with the DOJ, FinCEN, OFAC, and the CFTC, about $1.8 billion will be credited toward resolutions with those agencies.

The charges against Binance and Zhao included knowingly failing to register as a money services business and violating the Bank Secrecy Act by not implementing an anti-money laundering program. This was seen as a deliberate effort to profit from the U.S. market without adhering to U.S. laws. The exchange collected about $1.35 billion in trading fees from U.S. customers. Statements from U.S. Attorney General Merrick Garland and Secretary of Treasury Janet Yellen emphasized the necessity for all institutions, regardless of location, to comply with U.S. laws if they wish to benefit from the U.S. financial system​​.

Binance’s challenges were not limited to this case. The company has faced other issues, such as the collapse of FTX, a competitor, and the termination of a major acquisition deal by Binance.US, its American sister company, due to regulatory concerns. Moreover, Binance faced severed ties with Checkout.com over concerns related to anti-money laundering and compliance controls​​.

These developments reflect the complex and evolving regulatory landscape of the cryptocurrency industry, highlighting the need for major players like Binance to adhere strictly to legal and regulatory standards, especially in jurisdictions like the United States.

Leadership Changes and Future Compliance: Following the guilty plea, Zhao stepped down as CEO of Binance, a move signaling a new era for the exchange. Richard Teng, formerly the global head of regional markets at Binance, has been appointed as the new CEO. As part of its agreement, Binance is committed to overhauling its compliance program and will be under the supervision of an independent monitor for the next three years.

Industry and Regulatory Implications: This case represents a watershed moment for the cryptocurrency industry, highlighting the increasing regulatory focus on digital assets. U.S. Attorney General Merrick Garland emphasized that using new technology to break the law does not exempt companies from being held accountable. Secretary of Treasury Janet Yellen echoed this sentiment, insisting on adherence to U.S. laws for any institution benefiting from the U.S. financial system.

Conclusion: The Binance settlement serves as a stark reminder of the legal and regulatory complexities facing the cryptocurrency industry. As digital assets continue to intersect with mainstream finance, this case may set a precedent for how regulatory agencies across the globe approach compliance and enforcement in the crypto sphere.

The post Binance’s 4.3 Billion-Dollar Blunder: How cyber criminals launder money via Binance? appeared first on Information Security Newspaper | Hacking News.

Your Google Cloud Security Might Be at Risk. Hacking GCP via Google Workspace flaw
https://www.securitynewspaper.com/2023/11/15/your-google-cloud-gcp-security-might-be-at-risk-hacking-gcp-via-google-workspace-flaw/
Thu, 16 Nov 2023 01:06:06 +0000

In a startling revelation, Bitdefender, a leading cybersecurity firm, has disclosed a series of sophisticated attack methods that could significantly impact users of Google Workspace and Google Credential Provider for Windows (GCPW). This discovery highlights potential weaknesses in widely used cloud and authentication services, prompting a reevaluation of current security measures.

Discovery of Advanced Attack Techniques

Bitdefender’s research team, working in conjunction with their in-house research institute Bitdefender Labs, has identified previously unknown methods that cybercriminals could use to escalate a breach from a single endpoint to a network-wide level. These techniques, if exploited, could lead to severe consequences such as ransomware attacks or massive data exfiltration.

The attack progression involves several key stages, starting from a single compromised machine. Once inside the system, attackers could potentially:

  • Move across cloned machines within the network, especially if they are equipped with GCPW.
  • Gain unauthorized access to the Google Cloud Platform through custom permissions.
  • Decrypt locally stored passwords, extending their reach beyond the initially compromised machine.

These findings were responsibly disclosed to Google. However, Google has stated that these issues will not be addressed directly, as they fall outside their designated threat model. This decision reflects Google’s risk assessment and security priorities.

The Dual Role of Google Credential Provider for Windows (GCPW)

At the heart of these vulnerabilities is the Google Credential Provider for Windows (GCPW), a tool designed to streamline access and management within Google’s ecosystem. GCPW serves two primary functions:

  1. Remote Device Management: Similar to Mobile Device Management (MDM) systems like Microsoft Intune, GCPW allows administrators to remotely manage and control Windows devices connected to Google Workspace. This includes enforcing security policies, deploying software updates, and managing device settings without needing a VPN connection or domain registration.
  2. Single-Sign On (SSO) Authentication: GCPW facilitates SSO for Windows devices using Google Workspace credentials. This integration provides a seamless login experience, enabling users to access their devices with the same credentials used for Google services like Gmail, Google Drive, and Google Calendar.

The Operational Mechanism of GCPW

Understanding GCPW’s functioning is crucial in comprehending the vulnerabilities. Here’s a breakdown of its operational process:

  • Local Service Account Creation: Upon installing GCPW, a new user account named ‘gaia’ is created. This account, not intended for regular user interactions, serves as a service account with elevated privileges.
  • Credential Provider Integration: GCPW registers a new Credential Provider with Windows. Credential providers are the components loaded at the logon screen to collect a user's credentials and hand them to the Local Security Authority (LSA), which performs the actual authentication.
  • Local User Account Creation: GCPW facilitates the creation of new local user accounts linked to Google Workspace accounts whenever a new user authenticates with the system.
  • Logon Procedure: These Google Workspace users are logged in using their newly created local profiles, where a refresh token is stored to ensure continuous access without repeated authentication prompts.

Uncovered Attack Methods

Bitdefender’s research sheds light on specific attack vectors that exploit the functionalities of GCPW:

Golden Image Lateral Movement:

  • Virtualized Environment Challenge: In environments that use cloned virtual machines (VMs), such as Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS) solutions, installing GCPW on the base machine means that the 'gaia' account and its password are cloned across all VMs.
  • Attack Implication: If an attacker discovers the password of one 'gaia' account, they can potentially access all machines that have been cloned from the same base image.

Scenario: Imagine a company, "Acme Corp," uses a Virtual Desktop Infrastructure (VDI) where multiple virtual machines (VMs) are cloned from a single 'golden image' for efficiency. This image has Google Credential Provider for Windows (GCPW) pre-installed for ease of access.

Attack Example:

  • An attacker, Alice, manages to compromise one of Acme Corp's VMs. During her exploration, she discovers that the VM has GCPW installed.
  • She learns that the 'gaia' account password created during the GCPW setup is identical across all cloned VMs because they were derived from the same golden image.
  • By extracting the 'gaia' account password from the compromised VM, Alice can now access all other VMs cloned from the same image. This allows her to move laterally across the network, potentially accessing sensitive information or deploying malware.

Unauthorized Access Token Request:

  • Exploitation of OAuth Tokens: GCPW stores an OAuth 2.0 refresh token within the user's session, maintaining access to the broader Google ecosystem. Attackers gaining access to this token can request new Access Tokens with varied permissions.
  • Scope of Abuse: The permissions granted by these tokens can enable attackers to access or manipulate a wide range of user data and Google services, effectively bypassing multi-factor authentication (MFA) processes.

Scenario: At a different company, "Beta Ltd.," employees use their Google Workspace credentials to log into their Windows machines, facilitated by GCPW.

Attack Example:

  • Bob, a cybercriminal, gains initial access to a Beta Ltd. employee’s computer through a phishing attack.
  • Once inside the system, Bob finds the OAuth 2.0 refresh token stored by GCPW. This token is meant to maintain seamless access to Google services without repeated logins.
  • With this token, Bob crafts a request to Google’s authentication servers pretending to be the legitimate user. He requests new Access Tokens with broad permissions, like access to emails or cloud storage.
  • Using these tokens, Bob can now access sensitive data in the employee’s Google Workspace environment, like emails or documents, bypassing any multi-factor authentication set up by the company.

Password Recovery Threat:

  • Plaintext Credential Risk: GCPW’s mechanism of saving user passwords as encrypted LSA secrets, intended for password resetting, presents a vulnerability. Skilled attackers could decrypt these credentials, allowing them to impersonate users and gain unrestricted account access.

Scenario: A small business, “Gamma Inc.,” uses GCPW for managing their Windows devices and Google Workspace accounts.

Attack Example:

  • Carla, an experienced hacker, targets Gamma Inc. She successfully breaches one of the employee’s systems through a malware-laden email attachment.
  • After escalating to administrative privileges on the machine (LSA secrets can only be read by an administrator or by SYSTEM), Carla locates the encrypted LSA secret stored by GCPW, which contains the user's Google Workspace password.
  • She decrypts this password. Now, Carla has the same access privileges as the employee, not just on the local machine but across all Google services where the employee's account is used.
  • This enables Carla to impersonate the employee, access company emails, manipulate documents, or even transfer funds if the employee has financial privileges.
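All three attack paths above start from a host that has GCPW installed, so the first defensive question is which machines (and which golden images) carry it. The following PowerShell is an added example, not Bitdefender's or Google's code: it enumerates the registered Windows credential providers and resolves each to its DLL, looks for the 'gaia' service account named in the article, and lists the local profiles that may hold a refresh token. Matching the provider on a DLL path containing "Google" is an assumption about how GCPW names its files.

```powershell
# Added example (not Bitdefender's or Google's code): audit a Windows host or a
# golden image for the GCPW footprint described in the article. The 'gaia'
# account name comes from the article; the registry locations are the standard
# Windows ones for credential providers and user profiles.

function Get-CredentialProviders {
    # Every credential provider registers its CLSID under this key; the CLSID's
    # InprocServer32 default value is the DLL that Windows loads at logon.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $server = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid = $clsid
            Name  = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            Dll   = $server.'(default)'
        }
    }
}

function Test-GcpwFootprint {
    $providers = Get-CredentialProviders
    # Assumption: the GCPW provider DLL lives under a path containing "Google"
    $gcpw = $providers | Where-Object { $_.Dll -match 'Google' -or $_.Name -match 'Google' }

    # The service account GCPW creates; on a cloned image its password is shared
    $gaia      = Get-LocalUser -Name 'gaia' -ErrorAction SilentlyContinue
    $gaiaLogon = if ($gaia) { $gaia.LastLogon } else { $null }

    # Local profiles: each Workspace user profile holds a refresh token (see above)
    $profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath }

    [pscustomobject]@{
        GcpwCredentialProvider = [bool]$gcpw
        GcpwProviderDll        = (($gcpw | ForEach-Object { $_.Dll }) -join ';')
        GaiaAccountPresent     = [bool]$gaia
        GaiaLastLogon          = $gaiaLogon
        LocalProfiles          = ($profiles -join ';')
    }
}

$result = Test-GcpwFootprint
$result | Format-List

if ($result.GaiaAccountPresent -and $result.GcpwCredentialProvider) {
    Write-Warning ('GCPW and the gaia service account are present. If this machine is a ' +
                   'template or golden image, every clone will share the gaia password; ' +
                   'install GCPW after cloning instead of baking it into the image.')
}
```

Run it against the template before it is sealed as well as against a sample of clones: a 'gaia' account that already exists in the template is exactly the shared-password condition the Acme Corp scenario depends on.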

Google’s Stance and Security Implications

Google’s decision not to address these findings, citing their exclusion from the company’s specific threat model, has stirred a debate in the cybersecurity community. While Google’s risk

The post Your Google Cloud Security Might Be at Risk. Hacking GCP via Google Workspace flaw appeared first on Information Security Newspaper | Hacking News.

Azure CLI stores credentials in plaintext in logs. A easy technique to hack cloud environments
https://www.securitynewspaper.com/2023/11/14/azure-cli-stores-credentials-in-plaintext-in-logs-a-easy-technique-to-hack-cloud-environments/
Tue, 14 Nov 2023 19:19:06 +0000

CVE-2023-36052 is a critical security vulnerability in the Azure Command-Line Interface (CLI), a tool for managing Azure resources. This vulnerability, reported by Palo Alto’s Prisma Cloud, allowed unauthenticated attackers to remotely access plaintext contents, including usernames and passwords, from Continuous Integration and Continuous Deployment (CI/CD) logs created using Azure CLI. These logs could be published by Azure DevOps and/or GitHub Actions. To mitigate this risk, users were advised to update their Azure CLI to version 2.53.1 or above.

Let’s consider a hypothetical example to understand the implications of CVE-2023-36052:

Suppose a development team uses Azure CLI for managing their Azure resources and automates their deployment process using GitHub Actions. During their routine operations, they execute various Azure CLI commands which generate logs. These logs, by default, include plaintext credentials such as usernames and passwords.

An external attacker, aware of this vulnerability, could access the public repository where the team’s GitHub Actions are configured. By examining the CI/CD logs published there, the attacker could find and extract these plaintext credentials. With these credentials, the attacker could gain unauthorized access to the team’s Azure resources, potentially leading to data breaches, unauthorized modifications, or even service disruptions.

This scenario underscores the critical nature of CVE-2023-36052, where seemingly benign logs could inadvertently become a source of significant security breaches. The mitigation steps provided by Microsoft, including updating Azure CLI and implementing best practices for log management and key rotations, are essential to prevent such unauthorized access.

Mitigation

Microsoft implemented several measures to address this vulnerability. These include:

  1. Azure CLI Update: Advising customers to update Azure CLI to the latest release.
  2. Securing Logs: Avoiding exposure of Azure CLI output in logs or publicly accessible locations and implementing guidance for masking environment variables.
  3. Regularly Rotating Keys and Secrets: Encouraging regular rotation of keys and secrets.
  4. Reviewing Security Best Practices: Providing guidance on secrets management for Azure services and GitHub Actions, and ensuring GitHub repositories are private unless necessary to be public.
  5. Securing Azure Pipelines: Offering guidance for securing Azure Pipelines.
  6. Enhancing Default Configurations: Introducing a new default configuration in Azure CLI to prevent accidental disclosure of sensitive information. This included restricting the presentation of secrets in output from update commands and broadening credential redaction capabilities across GitHub Actions and Azure Pipelines.

Workaround

Without patching, the primary alternative way to mitigate the risks associated with CVE-2023-36052 involves several best practices and security measures:

  1. Secure Logging Practices: Ensure that logs do not contain sensitive information. This might involve custom scripts or tools to filter out or obfuscate credentials and other sensitive data before they are logged.
  2. Access Control on Logs: Restrict access to CI/CD logs. Ensure that only authorized personnel can view these logs, and they are not publicly accessible.
  3. Frequent Credential Rotation: Regularly change credentials and secrets to reduce the window of opportunity for an attacker to use compromised credentials.
  4. Monitoring and Alerting: Implement monitoring to detect unusual access patterns or usage of credentials, which might indicate a compromise.
  5. Environment Segmentation: Segregate development, testing, and production environments. Limit the scope of what each environment can access to minimize potential damage.

However, these measures are more complex and potentially less effective than updating the Azure CLI to a patched version. Patching directly addresses the vulnerability at its source, providing a more comprehensive and straightforward solution.
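Item 1 of the workaround list above calls for filtering credentials out of output before it is logged. The following is an added example of how that can be done for Azure CLI JSON output; it is not Microsoft's or Azure CLI's own code. It assumes the CLI was run with JSON output and that secret-bearing fields can be recognised by their name (or, for name/value pairs such as app settings and storage keys, by the sibling name field). The key patterns and the sample output are constructed starting points, and `::add-mask::` is the GitHub Actions workflow command that hides a value in subsequent log lines.

```python
"""Mask secrets in Azure CLI JSON output before it is written to a CI/CD log.

Added example for the "Secure Logging Practices" workaround; it is not
Microsoft's or Azure CLI's own code. It assumes the CLI was run with JSON
output and that secret-bearing fields can be recognised by name. The key
patterns and the sample output below are constructed starting points.
"""
import json
import re

# Field names (or, for name/value pairs, the sibling "name") that indicate a
# secret. Case-insensitive substring match; "key1"/"key2" cover storage keys.
SENSITIVE_NAME = re.compile(
    r"password|secret|connectionstring|accesskey|primarykey|secondarykey|token|sas|^key\d+$",
    re.IGNORECASE,
)
MASK = "***REDACTED***"


def _is_secret_name(name):
    return isinstance(name, str) and SENSITIVE_NAME.search(name) is not None


def redact(value, secrets):
    """Return a masked copy of a decoded JSON value, appending each masked
    secret to `secrets` so the caller can hide it elsewhere in the log too."""
    if isinstance(value, dict):
        # Azure CLI often returns {"name": "DB_PASSWORD", "value": "..."} or
        # {"keyName": "key1", "value": "..."}: the secret sits under "value"
        # and only the sibling name reveals what it is.
        sibling = value.get("name", value.get("keyName"))
        out = {}
        for key, item in value.items():
            secret_here = _is_secret_name(key) or (key == "value" and _is_secret_name(sibling))
            if secret_here and isinstance(item, str) and item:
                secrets.append(item)
                out[key] = MASK
            else:
                out[key] = redact(item, secrets)
        return out
    if isinstance(value, list):
        return [redact(item, secrets) for item in value]
    return value


def redact_cli_output(raw_json):
    """Parse `az ... -o json` text and return (masked_text, secrets_found)."""
    secrets = []
    masked = redact(json.loads(raw_json), secrets)
    return json.dumps(masked, indent=2), secrets


def mask_commands(secrets):
    """GitHub Actions workflow commands that hide each value in later log lines.
    Only print these where the Actions runner reads stdout; anywhere else the
    line itself would expose the secret."""
    return [f"::add-mask::{secret}" for secret in secrets]


# Constructed sample mixing an app-settings listing and a storage-key listing;
# the values are placeholders, not real credentials.
SAMPLE_OUTPUT = json.dumps([
    {"name": "DB_HOST", "value": "db.example.internal", "slotSetting": False},
    {"name": "DB_PASSWORD", "value": "constructed-p4ss", "slotSetting": False},
    {"keyName": "key1", "permissions": "FULL", "value": "constructed-storage-key=="},
    {"sku": {"name": "Standard_LRS"},
     "primaryEndpoints": {"blob": "https://example.blob.core.windows.net/"}},
])

if __name__ == "__main__":
    text, found = redact_cli_output(SAMPLE_OUTPUT)
    print(f"{len(found)} secret(s) masked; {len(mask_commands(found))} mask command(s) prepared")
    print(text)
```

In a pipeline this sits between the `az` call and whatever writes to the job log; emitting the mask commands before any other output makes the runner scrub the same values even if a later step echoes them. Name-based matching is a heuristic, so it complements, rather than replaces, the patched CLI's own redaction.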

How NDR Compares with Other Security Solutions? https://www.securitynewspaper.com/2023/11/14/how-ndr-compares-with-other-security-solutions/ Tue, 14 Nov 2023 11:38:00 +0000

Businesses today face continuous cyber threats, and many have lost valuable data to hackers, so every business needs to keep its network safe to protect sensitive data. The market offers multiple security solutions to help you run your business with minimal hassle: you can go either for traditional methods or for modern technologies like NDR. For those less familiar with these options, choosing one can be challenging. To make informed decisions about protecting your network, it’s crucial to understand how NDR compares to other security solutions.

In this guide, we will explore the world of NDR, compare it to traditional security measures, and discuss its advantages and integration possibilities with existing security infrastructure.

Understanding NDR Security and Its Functionality

To understand the comparisons, we first need to grasp what NDR security is and how it works. NDR is a proactive cybersecurity approach that detects and responds to network threats instantly. Unlike traditional security measures that primarily rely on perimeter defenses, NDR monitors network traffic, identifies anomalies, and swiftly responds to potential threats. By leveraging advanced analytics and machine learning, NDR is capable of detecting both known and unknown threats, making it a robust solution in today’s ever-evolving threat landscape.

NDR solutions typically utilize a combination of signature-based detection, behavior analysis, and threat intelligence to provide comprehensive visibility into network activities. This visibility extends beyond the traditional boundaries of the network, encompassing cloud environments, remote devices, and IoT devices.


Through continuous monitoring and analysis, NDR enables security teams to gain insights into network behavior, detect suspicious activities, and mitigate potential risks before they escalate. This proactive and holistic approach sets NDR apart from conventional security measures, offering a more dynamic and adaptive defense mechanism.

Exploring the Role of NDR in Cybersecurity

In the realm of cybersecurity, NDR plays a pivotal role in fortifying the defense posture of organizations against a myriad of threats. By continuously monitoring network traffic and analyzing patterns, NDR serves as a vigilant guardian, capable of identifying anomalies and potential indicators of compromise. This real-time visibility and threat detection are instrumental in thwarting advanced persistent threats (APTs), insider threats, and zero-day attacks that may evade traditional security controls.

Moreover, NDR’s ability to provide contextual insights into network activities empowers security teams to make informed decisions and prioritize response efforts. This contextual awareness enables rapid incident response, containment of threats, and comprehensive forensic investigations. In essence, NDR not only acts as a proactive shield against cyber threats but also as a strategic enabler for enhancing the overall cybersecurity posture of organizations.

NDR vs. Traditional Security Solutions

Understanding NDR requires comparing it with traditional security solutions to highlight its unique value. Traditional measures like firewalls, IDS, and antivirus focus on perimeter defense, preventing unauthorized access and filtering known threats. However, these solutions have limitations in detecting and responding to sophisticated threats that exploit network vulnerabilities.

In contrast, NDR takes a proactive stance by continuously monitoring network traffic, analyzing behavior patterns, and detecting anomalies indicative of potential threats. This real-time threat detection capability allows NDR to identify advanced threats, including insider threats, lateral movement within the network, and stealthy attack techniques. By extending its visibility beyond the network perimeter, NDR provides a comprehensive view of network activities, enabling security teams to detect and respond to threats that may bypass traditional security measures.

Advantages of NDR over Other Security Measures

The advantages of NDR over traditional security measures are manifold, stemming from its proactive and dynamic approach to threat detection and response. Firstly, NDR’s ability to detect both known and unknown threats, including zero-day exploits and polymorphic malware, sets it apart from signature-based security solutions. This capability is crucial in combating emerging threats that may evade traditional security controls.

Furthermore, NDR’s focus on behavior analysis and anomaly detection enables it to identify insider threats and lateral movement within the network, which are often challenging for traditional security solutions to detect. This proactive stance against insider threats is particularly significant in today’s interconnected and dynamic work environments, where the traditional network perimeter is increasingly porous.

Additionally, NDR’s scalability and adaptability make it well-suited for modern network architectures, including cloud environments and remote workforce scenarios. As organizations embrace digital transformation and distributed work models, the need for a security solution that can effectively monitor and protect diverse network environments becomes increasingly critical. NDR’s ability to seamlessly integrate with these modern network paradigms positions it as a versatile and future-ready security solution.

NDR Integration with Existing Security Infrastructure

One of the key considerations for organizations evaluating NDR is its integration with existing security infrastructure. NDR is designed to complement and enhance the efficacy of traditional security measures rather than replace them. By integrating with SIEM (Security Information and Event Management) platforms, endpoint detection and response (EDR) solutions, and threat intelligence feeds, NDR enriches the overall security posture of an organization.

The integration of NDR with existing security infrastructure fosters a synergistic relationship, where the strengths of each solution are leveraged to create a more robust defense mechanism. For instance, NDR’s real-time threat detection capabilities can provide valuable insights to SIEM platforms, enriching the correlation and analysis of security events. Similarly, the contextual visibility provided by NDR can enhance the efficacy of EDR solutions in identifying and mitigating endpoint-based threats.

The Future of NDR in Cybersecurity

As the cybersecurity landscape continues to evolve, the future of NDR holds significant promise in addressing the escalating challenges posed by sophisticated threats. The convergence of NDR with artificial intelligence (AI) and machine learning (ML) technologies is expected to further enhance its capabilities in detecting and responding to complex threats. The integration of AI-driven analytics will empower NDR to discern subtle patterns indicative of potential threats, enabling more precise and proactive threat detection.

Moreover, the proliferation of IoT devices, cloud adoption, and remote work trends necessitate a security solution that can adapt to the evolving network paradigms. NDR, with its focus on continuous monitoring and behavior analysis, is well-positioned to cater to the security needs of these dynamic environments. The agility and scalability of NDR make it a viable candidate for safeguarding modern networks against a spectrum of threats, ranging from traditional malware to sophisticated, orchestrated attacks.

Conclusion

The emergence of NDR represents a paradigm shift in cybersecurity, offering a proactive and dynamic approach to threat detection and response. By comparing NDR with traditional security measures, it becomes evident that NDR’s real-time visibility, behavior analysis, and contextual insights provide a unique vantage point in combating modern cyber threats. The advantages of NDR, including its ability to detect unknown threats, mitigate insider risks, and seamlessly integrate with existing security infrastructure, position it as a formidable ally in the cybersecurity arsenal.

As organizations navigate the complex cybersecurity landscape, embracing NDR as a complementary layer to traditional security measures can enhance their resilience against a diverse range of threats. The future of NDR holds promise in harnessing advanced technologies to fortify its capabilities and adapt to the evolving cybersecurity challenges. By staying abreast of these developments and leveraging NDR’s potential, organizations can proactively safeguard their networks and data assets in an increasingly interconnected digital ecosystem.

How Living-off-the-land (LotL) technique is used to hack into power grids & cause power outages https://www.securitynewspaper.com/2023/11/10/how-living-off-the-land-lotl-technique-is-used-to-hack-into-power-grids-cause-power-outages/ Fri, 10 Nov 2023 22:27:24 +0000

Living-off-the-land (LotL) techniques in cyber attacks refer to the use of legitimate, native tools already present in the target system to carry out malicious activities. This approach is particularly stealthy because it leverages tools and processes that are typically trusted and thus less likely to raise alarms. In the context of Operational Technology (OT) or Industrial Control Systems (ICS), such attacks can be especially dangerous due to the critical nature of the systems involved. Here’s how such an attack might work, with examples:

1. Initial Access

  • Example: A phishing email is sent to an employee in the OT/ICS environment. The email contains a seemingly harmless document that, when opened, executes a PowerShell script (a native Windows tool) to create a backdoor.

2. Lateral Movement

  • Example: Once inside the network, attackers might use legitimate system administration tools like Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP) to move laterally across the network, searching for critical OT/ICS components.

3. Elevation of Privileges

  • Example: Attackers might use built-in tools like Netstat to identify security software or firewall settings and then use other native scripts or commands to disable these defenses, or to elevate their access privileges within the system.

4. Discovery and Information Gathering

  • Example: Tools like Tasklist or Systeminfo (native to Windows) are used to gather information about the system, such as running processes, installed software, or network configurations relevant to the OT/ICS environment.

5. Exploitation and Manipulation

  • Example: In an ICS environment, attackers might use standard industrial communication protocols like Modbus or DNP3 (which are legitimate and essential for normal operations) to send malicious commands to control systems, potentially disrupting physical processes like power generation or water treatment.

6. Persistence and Exfiltration

  • Example: Attackers could use standard data transfer tools like FTP or even Windows BITS (Background Intelligent Transfer Service) to exfiltrate stolen data, or to maintain persistence by regularly updating malware or downloading additional tools.

7. Cleanup

  • Example: To erase their tracks, attackers might use native cleanup tools or scripts to delete logs or any evidence of their activities, making detection and forensics much more difficult.

In late 2022, a significant cyber-physical incident occurred in Ukraine, attributed to the Russia-linked threat actor Sandworm. This event targeted Ukrainian critical infrastructure and utilized a multi-event cyber attack strategy, incorporating innovative techniques to impact industrial control systems (ICS) and operational technology (OT). The Sandworm actor employed OT-level living-off-the-land (LotL) techniques, likely causing a substation’s circuit breakers to trip and resulting in an unplanned power outage. This outage coincided with mass missile strikes across Ukraine’s critical infrastructure. Additionally, Sandworm executed a second disruptive event by deploying a new variant of CADDYWIPER malware in the victim’s IT environment.

This attack exemplifies the latest advancements in Russia’s cyber-physical attack capabilities, particularly visible since Russia’s invasion of Ukraine. The techniques used indicate a maturing offensive OT arsenal, capable of identifying novel OT threat vectors, developing new capabilities, and leveraging various types of OT infrastructure for attacks. Utilizing LotL techniques likely reduced the time and resources required for the cyber-physical attack. Although the initial intrusion point remains undetermined, the rapid development of the OT component of this attack suggests the actor’s ability to swiftly create similar capabilities against other OT systems globally.

Sandworm, active since at least 2009, is a versatile threat actor conducting espionage, influence, and attack operations, primarily supporting Russia’s Main Intelligence Directorate (GRU). The group’s primary focus has been Ukraine, where it has orchestrated disruptive and destructive attacks using wiper malware, especially during Russia’s re-invasion in 2022. However, Sandworm’s activities extend globally, underlining the Russian military’s extensive ambitions and interests in various regions. The group’s global threat activity and novel OT capabilities necessitate proactive measures from OT asset owners to mitigate potential risks.

According to Mandiant research, the 2022 intrusion began in or prior to June 2022, culminating in two disruptive events on October 10 and 12. Sandworm accessed the OT environment via a hypervisor hosting a SCADA management instance for a substation, potentially having SCADA system access for up to three months. On October 10, Sandworm used an optical disc (ISO) image, “a.iso,” to execute a native MicroSCADA binary, likely for malicious control commands to switch off substations. In plainer terms, the attackers got into the operational technology (OT) system through a key piece of software (a hypervisor) that managed the control system (SCADA) of a power substation. This means they had access to the system that controls how the power substation works, and for up to three months they could have been inside this system without being detected. On October 10, they used a special file (an ISO image named “a.iso”) to run a command in the control system that was likely intended to turn off power substations.

This case underscores the evolving nature of cyber threats, particularly in critical infrastructure sectors. The increasing sophistication and rapid development of such attacks highlight the need for enhanced cybersecurity measures, continuous monitoring, and preparedness against novel and complex cyber threats in OT and ICS environments.

In OT/ICS environments, such LotL attacks are particularly concerning because they:

  • Are harder to detect due to the use of legitimate tools.
  • Can cause significant physical and operational damage.
  • May bypass traditional security measures that don’t account for malicious use of native tools.

Defending against such attacks requires a combination of robust cybersecurity practices, including employee training, network segmentation, constant monitoring for anomalous behaviors, and regular updating and patching of all systems.
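The "constant monitoring for anomalous behaviors" recommended above has to cope with the fact that every tool in the stages listed earlier is legitimate on its own. The following added detection example (not the article's or Mandiant's code) scores process-creation events against rules for those stages and escalates a host only when several stages appear on it. It assumes a log source that records image path, parent image path, command line and host for each new process, as Sysmon event ID 1 or Windows event 4688 do; the events and rule weights are constructed for illustration.

```python
"""Flag living-off-the-land chains in process-creation telemetry.

Added example for the LotL stages described above (not the article's or
Mandiant's code). It assumes a log source that records the image path, parent
image path, command line and host for each new process, as Sysmon event 1 or
Windows event 4688 do. The events below are constructed, not real telemetry,
and the rule weights are assumptions.
"""
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
DISCOVERY_TOOLS = {"netstat.exe", "tasklist.exe", "systeminfo.exe",
                   "whoami.exe", "ipconfig.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# (stage name from the article, weight, description, predicate over one event)
RULES = [
    ("Initial Access", 40, "Office application spawned a script host",
     lambda e: _basename(e["parent"]) in OFFICE_APPS
     and _basename(e["image"]) in SCRIPT_HOSTS),
    ("Initial Access", 30, "PowerShell started with an encoded command",
     lambda e: _basename(e["image"]) in {"powershell.exe", "pwsh.exe"}
     and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s", e["cmdline"]) is not None),
    ("Lateral Movement", 35, "WMI command aimed at a remote host",
     lambda e: _basename(e["image"]) == "wmic.exe" and "/node:" in e["cmdline"].lower()),
    ("Discovery", 10, "Built-in enumeration tool run",
     lambda e: _basename(e["image"]) in DISCOVERY_TOOLS),
    ("Persistence and Exfiltration", 30, "BITS transfer started from the command line",
     lambda e: _basename(e["image"]) == "bitsadmin.exe" and "/transfer" in e["cmdline"].lower()),
    ("Cleanup", 50, "Windows event log cleared",
     lambda e: _basename(e["image"]) == "wevtutil.exe"
     and re.search(r"(?i)\bcl\b", e["cmdline"]) is not None),
]


def evaluate(events):
    """Apply every rule to every event; return findings plus per-host totals.

    Discovery tools alone score low on purpose: administrators run them all
    day. The per-host stage set is what separates a chain from routine use."""
    findings = []
    host_score = defaultdict(int)
    host_stages = defaultdict(set)
    for event in events:
        for stage, weight, description, matches in RULES:
            if matches(event):
                findings.append({"host": event["host"], "stage": stage, "weight": weight,
                                 "description": description, "image": _basename(event["image"])})
                host_score[event["host"]] += weight
                host_stages[event["host"]].add(stage)
    return findings, dict(host_score), {h: sorted(s) for h, s in host_stages.items()}


def hosts_to_escalate(host_score, host_stages, min_score=50, min_stages=2):
    """Hosts showing several attack stages with enough total weight."""
    return sorted(h for h in host_score
                  if host_score[h] >= min_score and len(host_stages[h]) >= min_stages)


# Constructed events. The base64 after -enc is the string "Constructed" in
# UTF-16LE, not a payload; host names are placeholders.
SAMPLE_EVENTS = [
    {"host": "ENG-WS-07",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QwBvAG4AcwB0AHIAdQBjAHQAZQBkAA=="},
    {"host": "ENG-WS-07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:HMI-SRV-01 process list brief"},
    {"host": "ENG-WS-07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"host": "ADMIN-WS-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ADMIN-WS-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -ano"},
]

if __name__ == "__main__":
    found, scores, stages = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:12} {f['stage']:28} +{f['weight']:<3} {f['description']} ({f['image']})")
    print("escalate:", hosts_to_escalate(scores, stages))
```

On the sample, the administrator workstation that only ran `netstat` stays below the escalation bar, while the engineering workstation that chained an Office-spawned PowerShell, remote WMI and a log clear is escalated. In OT networks the same idea extends to the protocol layer: a Modbus or DNP3 write command is legitimate traffic, so it is the combination with a preceding host-level chain, or a command from an unexpected source, that should raise the alert.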

What Is UEBA? https://www.securitynewspaper.com/2023/11/10/what-is-ueba/ Fri, 10 Nov 2023 22:03:01 +0000


User and Entity Behavior Analytics, commonly referred to as UEBA, is a cybersecurity concept that utilizes machine learning, algorithms, and statistical analyses to detect abnormal behavior or instances within a network that may indicate a potential security threat. Unlike traditional security systems, UEBA focuses on user behavior to establish a baseline and then identify any deviations from this norm.

UEBA is not limited to monitoring user behavior. It also tracks the activities of machines, devices, and other entities within a network. Therefore, it can detect threats from both inside and outside an organization. Whether it’s a malicious insider trying to steal sensitive data or a botnet attack from an external source, UEBA can efficiently identify these threats and alert security teams in real-time.

The power of UEBA lies in its ability to analyze vast amounts of data and identify patterns that humans may overlook.

Differences Between UEBA and Traditional Security Systems

Traditional security systems mainly rely on predefined rules and signatures to detect threats. They are effective in identifying known threats but often fail to detect new or sophisticated attacks. On the contrary, UEBA, with its behavior-based approach, can identify even unknown threats by detecting deviations from normal behavior patterns.

Moreover, traditional security systems often generate a lot of false positives. This is because they treat every deviation from predefined rules as a potential threat, which may not always be the case. UEBA, however, can minimize false positives by understanding the context of network behavior. It can differentiate between truly malicious activities and benign anomalies, thereby reducing the workload of security teams.

Another significant difference is that traditional security systems are reactive, meaning they respond to threats after they have occurred. In contrast, UEBA is proactive. It can predict potential threats based on behavioral patterns and take preventive measures to mitigate them. This proactive approach can significantly reduce the risk of security breaches and data leaks.

Key Components of UEBA Systems

Data Aggregation and Integration

UEBA systems aggregate and integrate data from a wide variety of sources, including network traffic, log files, threat intelligence feeds, and more. This enables them to have a holistic view of network activities and identify potential threats more accurately.

The power of UEBA lies in its ability to handle both structured and unstructured data. It can analyze text files, emails, social media posts, and even voice and video files. This capability allows it to detect a broad range of threats, from unauthorized access to sensitive data to subtle signs of insider threats.

Behavioral Profiling

Behavior profiling is another critical component of UEBA. It involves creating a baseline of normal behavior for each user and entity within a network. This baseline is continuously updated as the system learns more about the network’s behavior patterns.

Once the baseline is established, UEBA systems can easily identify any deviations from the norm. For instance, if a user starts accessing data they have never accessed before, or if a machine starts communicating with an unknown IP address, these activities will be flagged as anomalies.

Anomaly Detection

As mentioned earlier, anomaly detection is at the heart of UEBA. It involves identifying events or behaviors that deviate significantly from the established baseline. This could be anything from a sudden spike in network traffic to unusual login attempts at odd hours.

Anomaly detection in UEBA is powered by advanced machine learning algorithms. These algorithms are capable of learning from historical data, identifying patterns, and predicting future behavior. This enables UEBA systems to detect both known and unknown threats.

Risk Scoring

Risk scoring is the final component of UEBA. After detecting anomalies, UEBA systems assign a risk score to each of them based on their potential threat level. This helps security teams prioritize their response efforts.

Risk scoring is not a one-size-fits-all process. It takes into account various factors, such as the sensitivity of the data involved, the potential impact of the threat, and the behavior history of the user or entity involved. This makes it a highly effective tool for threat detection and prevention.

Use Cases for UEBA

Insider Threat Detection

One of the most potent threats to an organization’s cybersecurity comes from within – the insider threat. Insiders, whether malicious or negligent, have legitimate access to sensitive information, making it challenging to prevent unauthorized access or misuse. UEBA, through its advanced analytics capabilities, can help in detecting such threats. 

By continuously monitoring and analyzing user behavior, UEBA can identify anomalous patterns indicative of a potential inside attack. For instance, a sudden increase in data downloads by a particular user or unusual access to sensitive information might signal an insider threat. Through its proactive alert mechanism, UEBA can flag such anomalies, enabling swift action and mitigating potential damage.

Compromised Account Identification

Account compromise is another major cybersecurity concern. Cybercriminals often gain access to an organization’s system by stealing user credentials. Once they have access, they can cause significant damage, from data breaches to financial loss. 

UEBA can play a crucial role in identifying compromised accounts. By establishing a baseline of normal user behavior, UEBA can identify deviations from this norm. Suppose a user who usually logs in during office hours suddenly starts accessing the system at odd hours. In that case, it could be an indication of a compromised account. UEBA’s dynamic profiling and real-time analytics enable the timely detection of such anomalies, allowing organizations to respond promptly.

Data Exfiltration Prevention

Data is the lifeblood of any business. Therefore, preventing data exfiltration is of paramount importance. UEBA can assist in this regard by monitoring the flow of data within an organization. 

By understanding the normal data transfer patterns, UEBA can detect any unusual data movement that might indicate a potential exfiltration attempt. For example, an unusual spike in data transfer to an external IP address could be a sign of a data exfiltration attempt. By alerting the security team in real-time, UEBA plays a critical role in preventing data loss.

Advanced Persistent Threat Detection

Advanced Persistent Threats (APTs) are long-term targeted attacks where the attacker infiltrates a network and remains undetected for a prolonged period. This stealthy approach allows them to steal sensitive information or disrupt operations over time. 

UEBA can help detect such threats by analyzing network behavior and identifying unusual patterns. With its ability to correlate events across multiple systems, UEBA can detect subtle signs of an APT, such as low and slow data exfiltration or anomalous logins, triggering a proactive response.
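The three components described under Key Components of UEBA Systems (behavioral profiling, anomaly detection, risk scoring) and the insider-threat and compromised-account use cases above can be illustrated with a small working model. The following is an added example, not any UEBA product's code: it builds a per-user baseline of login hour and download volume from constructed history, flags deviations, and scores them by data sensitivity and the user's anomaly history. Thresholds and weights are assumptions chosen for illustration; the circular treatment of the hour is there so that a night-shift user's 23:00 and 01:00 logins average to midnight rather than to noon.

```python
"""Behavioral baseline, anomaly detection and risk scoring for user activity.

Added example illustrating the three UEBA components described above and the
insider-threat and compromised-account use cases (it is not any UEBA product's
code). Activity records are constructed; the thresholds and weights are
assumptions chosen for illustration.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# (user, hour of day, megabytes downloaded, sensitivity of the resource)
# sensitivity: 1 = public, 2 = internal, 3 = confidential
HISTORY = [
    ("alice", 9, 12.0, 2), ("alice", 10, 8.0, 2), ("alice", 11, 15.0, 2), ("alice", 14, 10.0, 2),
    ("alice", 15, 11.0, 2), ("alice", 16, 9.0, 2), ("alice", 9, 13.0, 2), ("alice", 13, 14.0, 2),
    ("bob", 22, 300.0, 3), ("bob", 23, 280.0, 3), ("bob", 1, 320.0, 3), ("bob", 2, 310.0, 3),
    ("bob", 23, 290.0, 3), ("bob", 22, 305.0, 3), ("bob", 0, 295.0, 3), ("bob", 1, 315.0, 3),
]
NEW_EVENTS = [
    ("alice", 10, 11.0, 2),    # ordinary working-hours activity
    ("alice", 3, 420.0, 3),    # 03:00, ~40x her usual volume, first confidential access
    ("bob", 1, 310.0, 3),      # night-shift user doing night-shift work
]

Z_THRESHOLD = 3.0
SENSITIVITY_WEIGHT = {1: 0.5, 2: 1.0, 3: 1.5}


def circular_mean_hour(hours):
    """Mean hour on the 24-hour clock, so 23:00 and 01:00 average to midnight
    rather than to noon (a plain mean would do that for night-shift users)."""
    x = sum(math.cos(2 * math.pi * h / 24) for h in hours)
    y = sum(math.sin(2 * math.pi * h / 24) for h in hours)
    return (math.atan2(y, x) * 24 / (2 * math.pi)) % 24


def hour_distance(a, b):
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baselines(history):
    """One profile per user: typical hour and its spread, typical volume and
    its spread, and the sensitivity levels the user has touched before."""
    rows = defaultdict(list)
    for user, hour, mb, sens in history:
        rows[user].append((hour, mb, sens))
    profiles = {}
    for user, items in rows.items():
        hours = [r[0] for r in items]
        center = circular_mean_hour(hours)
        profiles[user] = {
            "hour_center": center,
            "hour_spread": mean(hour_distance(h, center) for h in hours),
            "vol_mean": mean(r[1] for r in items),
            "vol_std": pstdev([r[1] for r in items]),
            "sensitivities": {r[2] for r in items},
        }
    return profiles


def detect(profile, event):
    """Compare one event with the user's profile; empty 'reasons' means normal."""
    _, hour, mb, sens = event
    # Floors of 1 hour / 1 MB keep a very regular user from tripping on noise.
    hour_z = hour_distance(hour, profile["hour_center"]) / max(profile["hour_spread"], 1.0)
    vol_z = max(0.0, (mb - profile["vol_mean"]) / max(profile["vol_std"], 1.0))
    new_sens = sens not in profile["sensitivities"]
    reasons = []
    if hour_z > Z_THRESHOLD:
        reasons.append(f"unusual hour (z={hour_z:.1f})")
    if vol_z > Z_THRESHOLD:
        reasons.append(f"unusual download volume (z={vol_z:.1f})")
    if new_sens:
        reasons.append(f"first access to sensitivity level {sens}")
    return {"hour_z": hour_z, "vol_z": vol_z, "new_sensitivity": new_sens, "reasons": reasons}


def risk_score(result, sens, prior_anomalies):
    """0-100: deviation size, weighted by data sensitivity, plus the user's
    recent anomaly history."""
    base = (5 * min(result["hour_z"], 10) + 5 * min(result["vol_z"], 10)
            + (20 if result["new_sensitivity"] else 0))
    return int(min(100, round(base * SENSITIVITY_WEIGHT[sens] + 10 * prior_anomalies)))


def triage(history, new_events):
    """Score new events against baselines; highest risk first."""
    profiles = build_baselines(history)
    prior = defaultdict(int)
    scored = []
    for event in new_events:
        user, _, _, sens = event
        if user not in profiles:               # no baseline yet: flag for review
            scored.append((user, 50, ["no baseline for user"]))
            continue
        result = detect(profiles[user], event)
        score = 0
        if result["reasons"]:
            score = risk_score(result, sens, prior[user])
            prior[user] += 1
        scored.append((user, score, result["reasons"]))
    return sorted(scored, key=lambda s: -s[1])


if __name__ == "__main__":
    for user, score, reasons in triage(HISTORY, NEW_EVENTS):
        print(f"{user:6} risk={score:3} {'; '.join(reasons) or 'normal'}")
```

The point the sample makes is the one the article makes about false positives: Bob's 01:00 login with a 310 MB download is normal for Bob and scores zero, while the same hour and a far larger download from Alice, against confidential data she has never touched, scores at the top. A real deployment would add more features (source host, geolocation, peer-group comparison) and relearn the baseline on a rolling window so that it tracks legitimate changes in behavior.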

Tips for Implementing UEBA Solutions

Here are a few tips that can help you effectively implement UEBA in your organization.

Integration with Existing Security Infrastructure

Implementing UEBA effectively requires careful integration with the existing security infrastructure. UEBA is not a standalone solution but complements other security measures like Security Information and Event Management (SIEM), Data Loss Prevention (DLP), and Endpoint Detection and Response (EDR). Therefore, it’s crucial to ensure seamless integration of UEBA with these systems for a holistic security approach. Furthermore, UEBA solutions should be able to ingest and analyze data from a variety of sources, including network traffic, logs, and threat intelligence feeds, to provide a comprehensive view of the security landscape.

Setting Baselines and Continuous Learning

One of the most significant advantages of UEBA is its ability to learn and adapt. By setting a baseline of normal behavior, UEBA can identify anomalies that might indicate potential threats. However, this requires continuous learning and adjustment. As user behavior changes over time, the baseline should also evolve. Therefore, it’s essential to ensure that your UEBA solution is capable of continuous learning and can adjust its baseline dynamically. Moreover, the effectiveness of UEBA also depends on the quality of data it receives. Therefore, it’s critical to feed your UEBA solution with high-quality, relevant data for accurate results.

Addressing Privacy and Ethical Considerations

While UEBA provides significant security benefits, it also raises certain privacy and ethical concerns. UEBA involves continuous monitoring of user behavior, which can be perceived as invasive. Therefore, it’s crucial to address these concerns from the outset. Organizations should establish clear policies about what data will be collected, how it will be used, and who will have access to it. Moreover, they should ensure compliance with data protection regulations and respect user privacy. It’s also advisable to maintain transparency with employees about the use of UEBA and its benefits to the organization and their own security.

User Training and Awareness

Finally, the success of UEBA implementation largely hinges on user training and awareness. Users should be made aware of the importance of security and their role in maintaining it. Training programs should be conducted to familiarize users with security best practices and the implications of their actions. Furthermore, users should be encouraged to report any unusual activity, thereby contributing to the effectiveness of UEBA.

Conclusion

In conclusion, UEBA is a powerful tool that can significantly enhance an organization’s security posture. By unlocking the power of UEBA, organizations can proactively detect and mitigate a wide range of threats, from insider threats to APTs. However, effective implementation of UEBA requires careful integration with existing systems, continuous learning, addressing privacy concerns, and user awareness. With these considerations in mind, organizations can leverage the full potential of UEBA and bolster their cybersecurity defenses.

Author Bio: Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Check Point, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/
