Key – INDIA NEWS (http://www.indiavpn.org)

Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack
http://www.indiavpn.org/2024/04/16/widely-used-putty-ssh-client-found-vulnerable-to-key-recovery-attack/

Apr 16, 2024 | Newsroom | Encryption / Network Security

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.

The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum.

“The effect of the vulnerability is to compromise the private key,” the PuTTY project said in an advisory.

“An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.”


However, in order to obtain those signatures, an attacker must first compromise a server to which the key is used to authenticate.

In a message posted on the Open Source Software Security (oss-sec) mailing list, Bäumer described the flaw as stemming from the generation of biased ECDSA cryptographic nonces, which could enable the recovery of the private key.

“The first 9 bits of each ECDSA nonce are zero,” Bäumer explained. “This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques.”

“These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”

Besides PuTTY itself, the flaw also affects other products that bundle a vulnerable version of the software:

  • FileZilla (3.24.1 – 3.66.5)
  • WinSCP (5.9.5 – 6.3.2)
  • TortoiseGit (2.4.0.2 – 2.15.0)
  • TortoiseSVN (1.10.0 – 1.14.6)

Following responsible disclosure, the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are recommended to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch becomes available.

Specifically, the fix switches to the RFC 6979 technique for all DSA and ECDSA key types, abandoning PuTTY's earlier deterministic nonce derivation, which avoided the need for a source of high-quality randomness but produced biased nonces when used with P-521.
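The following added example (not code from the PuTTY project or the advisory) shows the bias the advisory describes and the RFC 6979 derivation that replaced it. `biased_nonce` is a simplified model of the problem (a 512-bit hash reduced into the 521-bit group), not PuTTY's literal code; `rfc6979_nonce` implements RFC 6979 as written in the RFC, with the P-521 group order and a constructed private key as inputs.

```python
"""Why a 512-bit hash cannot yield an unbiased P-521 nonce, and what RFC 6979 does.

biased_nonce: simplified model (assumption, not PuTTY's literal code) of reducing a
512-bit hash into the 521-bit P-521 group. Since 2**512 < n, the reduction changes
nothing and every nonce has its top 9 bits clear, which is exactly the bias the
advisory quotes ("the first 9 bits of each ECDSA nonce are zero").

rfc6979_nonce: RFC 6979 deterministic nonce generation (HMAC_DRBG keyed from the
private key and the message hash). Candidates are drawn with the full 521 bits and
out-of-range values are rejected, so no fixed bits are ever zero.
"""
import hashlib
import hmac

# Group order n of NIST P-521 (ecdsa-sha2-nistp521): a 521-bit prime.
P521_N = int(
    "01" + "F" * 65 + "A"
    + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)
QLEN = P521_N.bit_length()  # 521


def biased_nonce(priv: int, msg: bytes) -> int:
    """Model of the flaw: SHA-512(key || msg) reduced mod n. Always < 2**512."""
    h = hashlib.sha512(priv.to_bytes(66, "big") + msg).digest()
    return int.from_bytes(h, "big") % P521_N


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 section 2.3.2: keep only the leftmost qlen bits of b."""
    x = int.from_bytes(b, "big")
    vlen = len(b) * 8
    return x >> (vlen - qlen) if vlen > qlen else x


def _int2octets(x: int, rlen: int) -> bytes:
    """RFC 6979 section 2.3.3: big-endian encoding, rlen bits (rlen % 8 == 0)."""
    return x.to_bytes(rlen // 8, "big")


def _bits2octets(b: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """RFC 6979 section 2.3.4: bits2int, reduce mod q, then int2octets."""
    z1 = _bits2int(b, qlen)
    z2 = z1 - q if z1 >= q else z1
    return _int2octets(z2, rlen)


def rfc6979_nonce(priv: int, msg: bytes, q: int = P521_N, hashfn=hashlib.sha512) -> int:
    """Deterministic nonce k in [1, q-1] per RFC 6979 section 3.2."""
    qlen = q.bit_length()
    rlen = ((qlen + 7) // 8) * 8          # 528 for P-521
    hlen = hashfn().digest_size            # 64 bytes for SHA-512
    h1 = hashfn(msg).digest()
    x_oct = _int2octets(priv, rlen)
    h1_oct = _bits2octets(h1, q, qlen, rlen)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + x_oct + h1_oct, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + x_oct + h1_oct, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:           # gather at least qlen bits
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # out of range: re-key and try again (rare for P-521)
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


def compare_bias(priv: int, messages) -> dict:
    """Summarise both derivations over `messages`: the biased scheme never exceeds
    512 bits (at least 9 leading zero bits out of 521); RFC 6979 reaches 521."""
    biased = [biased_nonce(priv, m) for m in messages]
    good = [rfc6979_nonce(priv, m) for m in messages]
    return {
        "biased_max_bits": max(k.bit_length() for k in biased),
        "biased_min_leading_zero_bits": min(QLEN - k.bit_length() for k in biased),
        "rfc6979_max_bits": max(k.bit_length() for k in good),
    }


# Constructed private key for demonstration only (any value in [1, n-1] works).
TEST_PRIV = int.from_bytes(hashlib.sha512(b"constructed demo key").digest(), "big")

if __name__ == "__main__":
    msgs = [f"constructed message {i}".encode() for i in range(64)]
    print(compare_bias(TEST_PRIV, msgs))
```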

On top of that, ECDSA NIST P-521 keys used with any of the vulnerable components should be considered compromised and consequently revoked by removing them from authorized_keys files and their equivalents in other SSH servers.

Key Lesson from Microsoft's Password Spray Hack: Secure Every Account
http://www.indiavpn.org/2024/03/25/key-lesson-from-microsofts-password-spray-hack-secure-every-account/

Mar 25, 2024 | The Hacker News | Data Breach / Password Security

In January 2024, Microsoft discovered they’d been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn’t a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a stark reminder of the importance of password security and why organizations need to protect every user account.

Password spraying: A simple yet effective attack

The hackers gained entry by using a password spray attack in November 2023. Password spraying is a relatively simple brute-force technique that involves trying the same password against multiple accounts. By bombarding user accounts with known weak and compromised passwords, the attackers were able to gain access to a legacy non-production test account within the Microsoft system, which provided them with an initial foothold in the environment. This account either had unusual privileges or the hackers escalated them.

The attack lasted for as long as seven weeks, during which the hackers exfiltrated emails and attached documents. This data compromised a ‘very small percentage’ of corporate email accounts, including those belonging to senior leadership and employees in the Cybersecurity and Legal teams. Microsoft’s Security team detected the hack on January 12th and took immediate action to disrupt the hackers’ activities and deny them further access.

However, the fact that the hackers were able to access such sensitive internal information highlights the potential damage that can be caused by compromising even seemingly insignificant accounts. All attackers need is an initial foothold within your organization.

The importance of protecting all accounts

While organizations often prioritize the protection of privileged accounts, the attack on Microsoft demonstrates that every user account is a potential entry point for attackers. Privilege escalation means that attackers can achieve their goals without necessarily needing a highly privileged admin account as an entry point.

Protecting an inactive low-privileged account is just as crucial as safeguarding a high-privileged admin account for several reasons. First, attackers often target these overlooked accounts as potential entry points into a network. Inactive accounts are more likely to have weak or outdated passwords, making them easier targets for brute force attacks. Once compromised, attackers can use these accounts to move laterally within the network, escalating their privileges and accessing sensitive information.

Second, inactive accounts are often neglected in terms of security measures, making them attractive targets for hackers. Organizations may overlook implementing strong password policies or multi-factor authentication for these accounts, leaving them vulnerable to exploitation. From an attacker’s perspective, even low-privileged accounts can provide valuable access to certain systems or data within an organization.

Defend against password spray attacks

The Microsoft hack serves as a wake-up call for organizations to prioritize the security of every user account. It highlights the critical need for robust password protection measures across all accounts, regardless of their perceived significance. By implementing strong password policies, enabling multi-factor authentication, conducting regular Active Directory audits, and continuously scanning for compromised passwords, organizations can significantly reduce the risk of being caught out in the same way.

  1. Active Directory auditing: Conducting regular audits of Active Directory can provide visibility into unused and inactive accounts, as well as other password-related vulnerabilities. Audits provide a valuable snapshot of your Active Directory but should always be complemented by ongoing risk mitigation efforts. If you’re lacking visibility into your organization’s inactive and stale user accounts, consider running a read-only audit with our free auditing tool that gives an interactive exportable report: Specops Password Auditor.
  2. Robust password policies: Organizations should enforce strong password policies that block weak passwords, such as common terms or keyboard walks like ‘qwerty’ or ‘123456.’ Implementing long, unique passwords or passphrases is a strong defense against brute-force attacks. Custom dictionaries that block terms related to the organization and industry should also be included.
  3. Multi-factor authentication (MFA): Enabling MFA adds an authentication roadblock for hackers to overcome. MFA serves as an important layer of defense, although it’s worth remembering that MFA isn’t foolproof. It needs to be combined with strong password security.
  4. Compromised password scans: Even strong passwords can become compromised if end users reuse them on personal devices, sites, or applications with weak security. Implementing tools to continuously scan your Active Directory for compromised passwords can help identify and mitigate potential risks.
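A spray is visible in authentication logs as one source failing against many distinct accounts while each account sees only one or two failures, below lockout thresholds. The following added example (not from the article or any Specops product) flags that pattern over a constructed log format; the line format, thresholds and sample data are assumptions.

```python
"""Heuristic password-spray detector over authentication log lines.

Spray vs. brute force: a brute force hammers one account with many passwords;
a spray tries one or two passwords against MANY accounts, so per-account failure
counts stay low while the per-source count of distinct failed usernames climbs.
A source is flagged when, inside a sliding time window, it fails against at least
`min_accounts` distinct accounts with a low average number of attempts per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format (assumption, not from the article or any product):
#   <ISO-8601 UTC timestamp> auth=<ok|fail> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, src) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"].lower(), m["src"]


def detect_spray(lines, window=timedelta(minutes=30), min_accounts=10, max_avg_attempts=2.0):
    """Return {src: sorted distinct usernames} for sources whose failures look like a spray."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines that do not match the expected format
        ts, result, user, src = rec
        if result == "fail":
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so that events[start:end+1] spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            users = {u for _, u in in_window}
            if len(users) >= min_accounts and len(in_window) / len(users) <= max_avg_attempts:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged


def sample_log():
    """Constructed sample data (not real logs): one spray, one single-account
    brute force, one benign user who mistypes twice, and one malformed line."""
    base = datetime(2023, 11, 10, 2, 0, 0)
    lines = []
    # Spray from 203.0.113.45: 12 distinct accounts, one failure each, 90 s apart.
    spray_targets = ["svc-test", "jdoe", "admin", "backup", "build", "legacy01",
                     "m.smith", "qa-bot", "sales1", "hr", "intern", "printer"]
    for i, user in enumerate(spray_targets):
        ts = base + timedelta(seconds=90 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} auth=fail user={user} src=203.0.113.45")
    # Brute force from 198.51.100.7: one account, 15 failures in 75 s (not a spray).
    for i in range(15):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} auth=fail user=jdoe src=198.51.100.7")
    # Benign: two typos then success, plus a line in an unexpected format.
    lines += [
        "2023-11-10T02:05:00Z auth=fail user=alice src=192.0.2.10",
        "2023-11-10T02:05:20Z auth=fail user=alice src=192.0.2.10",
        "2023-11-10T02:05:40Z auth=ok user=alice src=192.0.2.10",
        "kernel: unrelated message that should be ignored",
    ]
    return lines


if __name__ == "__main__":
    for src, users in detect_spray(sample_log()).items():
        print(f"possible password spray from {src}: {len(users)} accounts -> {users}")
```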

Continuously shut down attack routes for hackers

The Microsoft hack underscores the need for organizations to implement robust password protection measures across all accounts. A secure password policy is essential, ensuring that all accounts, including legacy, non-production, and testing accounts, aren’t overlooked. Additionally, blocking known compromised credentials adds an extra layer of protection against active attacks.

Specops Password Policy with Breached Password Protection offers automated, ongoing protection for your Active Directory. It protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks.

The daily update of the Breached Password Protection API, paired with continuous scans for the use of those passwords in your network, adds up to a much more comprehensive defense against password attacks and the risk of password reuse. Speak to an expert today to find out how Specops Password Policy could fit in with your organization.

This article is a contributed piece from one of our valued partners.
U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators
http://www.indiavpn.org/2024/02/11/u-s-doj-dismantles-warzone-rat-infrastructure-arrests-key-operators/

Feb 11, 2024 | Newsroom | Malware / Cybercrime

The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT.

The domains – www.warzone[.]ws and three others – were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers,” the DoJ said.

Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes.

The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31), have been charged with unauthorized damage to protected computers, with the former also accused of "illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses."


Meli is alleged to have offered malware services at least since 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to carry out cyber attacks. Prior to Warzone RAT, he had sold another RAT known as Pegasus RAT.

Like Meli, Odinakachi provided online customer support to purchasers of the Warzone RAT malware from June 2019 until at least March 2023. Both individuals were arrested on February 7, 2024.

Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyber attack targeting an Italian organization in the oil and gas sector towards the end of 2018 using phishing emails bearing bogus Microsoft Excel files exploiting a known security flaw in the Equation Editor (CVE-2017-11882).

Sold under the malware-as-a-service (MaaS) model for $38 a month (or $196 for a year), it functions as an information stealer and provides remote control, allowing threat actors to commandeer infected hosts for follow-on exploitation.

Some of the notable features of the malware include the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and activate the computer’s webcams without the victim’s knowledge or consent.

“Ave Maria attacks are initiated via phishing emails, once the dropped payload infects the victim’s machine with the malware, it establishes communication with the attacker’s command-and-control (C2) server on non-HTTP protocol, after decrypting its C2 connection using RC4 algorithm,” Zscaler ThreatLabz said in early 2023.


On one of the now-dismantled websites, which had the tagline “Serving you loyally since 2018,” the developers of the C/C++ malware described it as reliable and easy to use. They also provided the ability for customers to contact them via email (solmyr@warzone[.]ws), Telegram (@solwz and @sammysamwarzone), Skype (vuln.hf), as well as via a dedicated “client area.”

An additional contact avenue was Discord, where the users were asked to get in touch with an account with the ID Meli#4472. Another Telegram account linked to Meli was @daniel96420.

Outside of cybercrime groups, the malware has also been put to use by several advanced threat actors like YoroTrooper as well as those associated with Russia over the past year.

The DoJ said the U.S. Federal Bureau of Investigation (FBI) covertly purchased copies of Warzone RAT and confirmed its nefarious functions. The coordinated exercise involved assistance from authorities in Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania, and Europol.

7 Key Findings and Upcoming Trends for 2024
http://www.indiavpn.org/2024/01/25/7-key-findings-and-upcoming-trends-for-2024/

Thu, 25 Jan 2024

The 2023/2024 Axur Threat Landscape Report provides a comprehensive analysis of the latest cyber threats. The information combines data from the platform’s surveillance of the Surface, Deep, and Dark Web with insights derived from the in-depth research and investigations conducted by the Threat Intelligence team.

Discover the full scope of digital threats in the Axur Report 2023/2024.

Overview

In 2023, the cybersecurity landscape witnessed a remarkable rise in cyberattacks.

One notable shift was the cyber risk integration with business risk, a concept gaining traction in boardrooms worldwide. As the magnitude of losses due to cyberattacks became evident, organizations started reevaluating their strategies.

Geopolitical factors played a significant role in shaping information security. The conflicts between nations like Russia and Ukraine had ripple effects, influencing the tactics of cybercriminals. It was a year where external factors intertwined with digital threats.

Ransomware attacks, once primarily focused on encryption, took a new turn. Threat actors prioritized data exposure, targeting organizations with hefty fines for data breaches. The stakes were higher than ever.


Artificial intelligence emerged as a potent weapon in cyberattacks. From deepfake videos featuring celebrities to automated social engineering, AI’s role in cybercrime has grown substantially.

One example is the fake videos promoting cryptocurrency scams using celebrities such as billionaire Elon Musk and Ethereum creator Vitalik Buterin. The videos use images of these executives at events, but the original lines are replaced by an AI-synthesized voice. The images are only altered to ensure lip sync, which is another function of this type of AI.

Hacktivist groups also made their mark, aligning with various sides during global conflicts. Their symbolic attacks posed risks to individuals and organizations, highlighting the need for vigilance in an interconnected world.

Let’s delve into the platform’s data, here synthesized into 7 key findings.

Key findings:

1. A Threefold Increase in Leaked Cards

The report indicates a troubling escalation in cyber threats. In 2023, a staggering 13.5 million credit and debit card details were leaked, tripling the number from the previous year. The United States tops the list, accounting for nearly half of all detected card leaks. This surge reflects the intensified activities on Deep & Dark Web channels, where such data are frequently traded.

Top 10 Countries with the Most Exposed Cards

2. Spotlight on Credential Leaks and Info Stealers

Credential leaks, although stable at 4.2 billion, have witnessed a shift with a surge in pastes and major leaks as sources. Notably, 15% of these exposed credentials can be considered corporate, highlighting the urgency of robust corporate cybersecurity measures.

Distinctively, credential stealer malware poses a significant threat by obtaining 98% of credentials in plain text, bypassing encryption hurdles. These stolen passwords are meticulously cataloged in log files, providing cybercriminals with insights into acquisition methods. Furthermore, credential stealers capture authorization tokens and cookies, potentially compromising multi-factor authentication.

Source of Credentials Leakage in 2023

3. Brand Misuse and Digital Fraud Panorama

Unconventional use of brand impersonation, such as in social media profiles, apps, and paid advertisements, led to 200,680 detections in 2023, a slight increase from the previous year.

Types of Brand Misuse in 2023

Explore the Threat Landscape Report for cutting-edge insights and solutions.

4. New Frauds: Evolving Tactics

The report has identified a series of novel tactics that demand our attention. Notably, threat actors now possess the capability to establish complete e-commerce stores within a matter of minutes, leveraging popular platforms.

Furthermore, the rise of “apphishing” scams has taken center stage, showcasing the increasing sophistication of contemporary cyber fraud. In these scams, malicious apps masquerade as legitimate browsers, loading cloned pages under the control of cybercriminals. This emerging trend highlights the need for heightened vigilance and innovative countermeasures to combat these evolving threats effectively.

5. Behind the Disruption Metrics: Takedown and Uptime

Last year, Axur executed 330,612 takedowns (the removal of a website or page from the internet) with a remarkable success rate, particularly in countering threats such as phishing (96.85%) and fake accounts (97.63%). The highlight of this process is the automated notification workflows that significantly reduce the time between incident identification and provider notifications.

For instance, Axur initiates notifications for phishing cases within 5 minutes, providing efficient handling for entities such as Shopify, Cloudflare, Namecheap, Hostinger, and GoDaddy, often within the same day. When addressing brand impersonation, accounts can be removed from platforms like Facebook and Instagram (typically within an average time of 41 minutes and 56 minutes, respectively) following notifications.

Takedown Response Time by Organization and Platform

6. Deep & Dark Web Insights: Monitoring the Underworld

The analysis of 133 million messages and posts on the Deep & Dark Web provided insights into the tactics and procedures of malicious agents, playing a crucial role in preventing cyber threats. This monitoring extends to messaging apps such as Telegram, WhatsApp, and Discord, as well as deep web forums and illicit marketplaces where cybercriminals trade leaked data, compromised computer access, and illicit services.

More than 529,965 incidents were recorded on monitored Deep & Dark Web sources, concentrated in the retail/e-commerce, financial institution, and technology services sectors.

Most Targeted Sectors on the Deep & Dark Web in 2023

Notably, 374,592 incidents resulted from text detections, while 155,373 incidents were attributed to audio, video, or image detections. Multimedia content analysis is increasingly vital as it unveils hidden threats and enhances overall threat visibility.

7. Artificial Intelligence: A New Frontier in Cybercrime

Artificial Intelligence (AI) tools, beneficial for software and content creation, are now being used for malicious purposes. These tools enable scammers to craft more convincing narratives and interactions, enhancing the sophistication of fraud. On the other hand, Axur is pioneering the use of generative AI in cyber defense, launching Polaris.


Polaris: AI-powered platform to automate threat management

As the core of this AI-driven platform, a specialized Large Language Model sifts through vast data pools, delivering tailored, actionable insights directly aligned with the organization’s unique attack surface. This innovative approach not only streamlines the threat intelligence process but also ensures that security teams focus on strategic responses, enhancing productivity and decision-making.


Polaris signifies a departure from the overwhelming, fragmented nature of traditional threat management by offering a cohesive and focused perspective that facilitates swift, informed actions against potential threats, dramatically reducing analysis time and enhancing organizational response capability.


Your Automated Threat Intel Analyst: Begin Your 15-Day Polaris Trial Now

Conclusion

The Axur Report elucidates the intricate and evolving cyber threat landscape, particularly highlighting the vulnerabilities and challenges faced in the United States. The data presented underscores an urgent need for organizations to adapt and fortify their cybersecurity frameworks in response to the growing sophistication of cyber threats.

To navigate the complexities of the current cybersecurity landscape, organizations must focus on two pivotal strategies:

1. Comprehensive Monitoring and Swift Response:

The essence of robust cybersecurity lies in the extended monitoring of digital assets and the efficiency of response mechanisms. Organizations must ensure deep surveillance of their digital ecosystem, including tracking credential sources, monitoring the proliferation of fake profiles and apps, and vigilant oversight of Deep & Dark Web activities.

This thorough monitoring must be coupled with a quick and decisive response to minimize the exposure window of potential fraud and digital risks. By identifying and addressing threats promptly, organizations can significantly mitigate the impacts of cyber incidents.

2. Harnessing AI for Threat Intelligence and Automation:

Leveraging artificial intelligence is becoming not just beneficial but essential. As manual work is no longer viable, AI-driven technologies offer unparalleled advantages in scaling and automating the detection and neutralization of cyber threats. By adopting AI-powered advanced security solutions, organizations can enhance their threat monitoring and analysis capabilities.

This not only ensures a quick and informed response to cyber incidents but also strengthens the organization’s overall defense framework. Embracing a multi-layered security approach that combines proactive prevention with reactive strategies and AI’s analytical prowess ensures a more resilient defense against the increasingly sophisticated landscape of cyber threats.

Learn More About Axur

Axur is a cutting-edge External Threat Intelligence platform renowned for its end-to-end automation, top-tier takedown capabilities, and scalable intelligence. Empowering information security teams, Axur ensures safer digital experiences by detecting, inspecting, and containing threats across the external perimeter.

Why Attack Simulation is Key to Avoiding a KO
http://www.indiavpn.org/2024/01/12/why-attack-simulation-is-key-to-avoiding-a-ko/

Fri, 12 Jan 2024

Picture a cybersecurity landscape where defenses are impenetrable, and threats are nothing more than mere disturbances deflected by a strong shield. Sadly, this image of fortitude remains a pipe dream despite its comforting nature. In the security world, preparedness is not just a luxury but a necessity. In this context, Mike Tyson’s famous adage, “Everyone has a plan until they get punched in the face,” lends itself to our arena – cyber defenses must be battle-tested to stand a chance.

Tyson’s words capture the paradox of readiness in cybersecurity: too often, untested cyber defenses can create a false sense of security, leading to dire consequences when real threats land a blow. This is where Breach and Attack Simulation (BAS), a proactive tool in any organization’s cybersecurity arsenal, comes into play.

When Cybersecurity Meets the Punch – The Assumption Problem

Assumptions are the hidden icebergs in cybersecurity’s vast ocean. Although we might believe our security controls are foolproof, the statistics paint another picture. According to the Blue Report 2023 by Picus, only 59% of attacks are prevented, just 37% detected, and a scant 16% triggered alerts. This data reveals an alarming truth: cybersecurity measures often fall short in real-world scenarios. Oftentimes, this shortcoming is due to complexities in configuration and a shortage of skilled professionals, which can lead to underperforming and misconfigured defenses. At the same time, traditional testing methods like penetration tests and red team exercises can’t fully gauge the effectiveness of an organization’s security. This can contribute to the often dangerous assumption that security controls are effective without continuously stress-testing them in real-world scenarios.

This chasm between perceived and actual security confirms the growing need for security validation through Breach and Attack Simulation (BAS) – a method of confronting these fallacies by rigorously validating defenses before attacks catch organizations off guard. Ultimately, BAS tightens the veil of cybersecurity across every potential breach.

Shifting the Mindset from Plan to Practice

Cultivating a proactive cybersecurity culture is akin to shadowboxing, putting theory into motion. Cyber threats morph as swiftly as clouds in a stormy sky, and simulations must be as dynamic as the threats they mimic. This cultural shift begins at the top, with leadership championing the embrace of continuous security validation through BAS. Only then can cybersecurity teams embed this practice-centric philosophy, sparring with simulations frequently and with intent.

The Mechanics of BAS

BAS is a reality check for your cybersecurity posture. At its core, BAS is the systematic, controlled simulation of cyberattacks across your production network. Each simulation is designed to mimic the behavior of actual attackers, cultivating preparedness for adversary tactics, techniques, and procedures (TTPs). According to the Red Report 2023, threat actors use an average of 11 different TTPs during an attack.

For example, an APT attack scenario begins with initial breach methods, such as exploiting software vulnerabilities or phishing emails with malicious attachments. Then, it moves deeper, attempting lateral movements within the network, escalating privileges where possible, and trying to exfiltrate simulated sensitive data. In this scenario, the objective is to replicate an entire attack lifecycle with fidelity, all while analyzing how your security controls respond at each step.

What’s more, BAS isn’t just a one-off exercise. It’s an ongoing process that adapts as the threat landscape evolves. As new malware variants, TTPs, exploit techniques, APT campaigns, and other emerging threats come to light, they are incorporated into the BAS tool’s threat intelligence library. This ensures that your organization can defend itself against the potential threats of today and tomorrow.

Following each simulation, BAS tools provide comprehensive analytics and insightful reports. These contain crucial details on how the intrusion was (or wasn’t) detected or prevented, the time it took for the security controls to respond, and the effectiveness of the response.

Armed with this data, cybersecurity professionals can better prioritize their response strategies, focusing on the most pressing gaps in their organizational defense first. They can also fine-tune existing security controls with easy-to-apply prevention signatures and detection rules that can improve their ability to detect, prevent, or react to cyber threats.

Integrating the BAS Punch into Your Cyber Strategy

Imagine that BAS is a consistent pulse reinforcing your security measures. Effectively incorporating BAS into your organization’s defenses begins with critical analysis to determine how it complements your cybersecurity architecture.

Step 1: Tailor BAS to Your Needs

Customizing BAS for your organization starts with understanding the threats you’re most likely to face – because a bank’s primary cybersecurity concerns differ from a hospital’s. Choose simulations that reflect the most relevant threats to your industry and technical infrastructure. Modern BAS tools can generate customized simulation playbooks with cyber threats most likely to affect your organization.

Step 2: Create a Simulation Schedule

Consistency is key. Run BAS simulations regularly, not just as a one-time event but as an integral part of your cybersecurity strategy. Establish a cadence – whether daily, weekly, monthly, or in real-time following significant IT or threat landscape changes – to remain a step ahead of adversaries who continuously refine their tactics.

Step 3: Apply the Insights

The true value of BAS lies in the actionable insights derived from simulation results. Advanced BAS platforms provide practical recommendations, such as prevention signatures and detection rules that can be directly incorporated into security controls – including IPS, NGFW, WAF, EDR, SIEM, SOAR, and other security solutions – to strengthen your security posture immediately.

Step 4: Measure and Refine

Define quantitative success metrics to evaluate the impact of BAS on your organization’s cybersecurity. This can include the ratio of blocked/logged/alerted attacks to all attacks, the number of addressed defensive gaps, or improvements in detection and response times. Continuously refine your BAS process based on these performance indicators to ensure your defenses get sharper with each iteration.

Ready to Fortify Your Cyber Defenses with the Pioneer of BAS Technology?

As we unpack the parallels between a boxer’s defense and an organization’s security posture, one mantra echoes true: surviving the first punch is about resilience through relentless practice. Here, we have demonstrated the critical role BAS plays in cultivating a proactive approach to the unpredictability of cyber threats.

Picus Security pioneered Breach and Attack Simulation (BAS) technology in 2013 and has helped organizations improve their cyber resilience ever since. With Picus Security Validation Platform, your organization can expect unparalleled visibility into its security posture, so you can hone your defenses against even the most sophisticated cyberattacks.

With Picus, you’re not just reacting; you’re proactively countering cyber threats before they impact your operations. Organizations must throw the first punch, challenging and strengthening their defenses for when the real fight begins. So, gear up; it’s time to put your cyber defenses to the test. Visit us at picussecurity.com to book a demo or explore our resources.

Note: This article was written by Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs at Picus Security, where simulating cyber threats and empowering defenses are our passions.
