România Cyber Center

🚨 Identity-based threats to SaaS apps are escalating! A robust Identity Threat Detection & Response (ITDR) system can prevent massive breaches, such as the Snowflake incident. 🔘 According to the US Cybersecurity and Infrastructure Security Agency (CISA), 90% of all cyberattacks begin with phishing, an identity-based threat. Throw in attacks that use stolen credentials, over-provisioned accounts, and insider threats, and it becomes quite clear that #identity is a primary #attack #vector. 🔘 To make matters worse, it's not just human accounts that are being targeted. #Threat actors are also hijacking non-human identities, including service accounts and #OAuth authorizations, and riding them deep into #SaaS applications. 🔘 When threat actors get through the initial defenses, having a robust Identity Threat Detection and Response (ITDR) system in place as an integral part of Identity Security can prevent massive breaches. Last month's Snowflake breach is a perfect example. Threat #actors took advantage of single-factor authentication to access the account. Once inside, the company lacked any meaningful threat detection capability, which enabled the threat actors to exfiltrate over 560 million customer records. 🔘 ITDR combines several elements to detect SaaS threats. It monitors events from across the SaaS stack, and uses login information, device data, and user behavior to identify behavioral anomalies that indicate a threat. Each anomaly is considered an indicator of compromise (IOC), and when those IOCs reach a predefined threshold, the #ITDR triggers an alert. 🔘 For example, if an admin downloads an unusual amount of data, ITDR would consider that to be an #IOC. However, if the downloading takes place in the middle of the night or is on an unusual computer, the combination of those IOCs may rise to be considered a threat. 🔘 Similarly, if a user logs in from a suspicious #ASN following brute-force login attempts, the ITDR classifies the login as a threat, which triggers an incident response. By using a rich data set from multiple applications, the ITDR can detect threats based on data from different applications. If a user is logged into one application from New York and a second application from Paris at the same time, it might appear as normal behavior if the ITDR was limited to reviewing event logs for a single #app. The power of SaaS ITDR comes from monitoring data from across the SaaS stack. 🔘 In a recent breach detected by Adaptive Shield, threat actors infiltrated an HR #payroll system and changed the account numbers for several employees' #bank accounts. Fortunately, the ITDR engines detected the anomalous actions, and the account #data was corrected before any #funds were transferred to the threat actors. #rcc #cybersecurity #cyberintelligence #dnsc #itdr #server #engines #number

🔴 Alert: U.S. authorities disrupt major Russian influence operation using AI. The campaign targeted multiple countries and exploited social media platform vulnerabilities. 🔘 The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-#Kremlin #disinformation in the country and abroad on a large scale. 🔘 “The #social #media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the United States — which the operators then used to promote messages in support of Russian government objectives," the #DoJ said. 🔘 The #bot #network, comprising 968 accounts on X, is said to be part of an elaborate scheme hatched by an employee of Russian state-owned media outlet RT (formerly Russia Today), sponsored by the Kremlin, and aided by an officer of Russia's Federal Security Service (FSB), who created and led an unnamed private #intelligence organization. 🔘 The developmental efforts for the bot farm began in April 2022 when the individuals procured online infrastructure while anonymizing their identities and locations. The goal of the organization, per the DoJ, was to further Russian interests by spreading disinformation through fictitious online personas representing #various nationalities. 🔘 The phony social media accounts were registered using private email servers that relied on two domains – mlrtr[.]com and otanmail[.]com – that were purchased from domain registrar Namecheap. X has since suspended the bot accounts for violating its terms of service. 🔘 The information operation -- which targeted the U.S., Poland, Germany, the Netherlands, Spain, Ukraine, and Israel -- was pulled off using an AI-powered software package dubbed Meliorator that facilitated the "en masse" creation and operation of said social media bot farm. 🔘 “Using this tool, #RT affiliates disseminated disinformation to and about a number of countries, including the United States, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel," law enforcement agencies from Canada, the Netherlands, and the U.S. said. 🔘 Meliorator includes an administrator panel called #Brigadir and a backend tool called #Taras, which is used to control the authentic-appearing accounts, whose profile pictures and biographical information were generated using an open-source program called #Faker. 🔘 Each of these accounts had a distinct identity or "soul" based on one of the three bot archetypes: Those that propagate political ideologies favorable to the Russian government, like already shared messaging by other bots, and perpetuate disinformation shared by both bot and non-bot accounts. 🔘 While the software package was only identified on X, further analysis has revealed the threat actors' intentions to extend its functionality to cover other social media platforms. #rcc #cyberintelligence #cyberint

⚠️ Urgent: Palo Alto Networks has rolled out critical security updates to fix five vulnerabilities, including CVE-2024-5910, a severe authentication bypass flaw (CVSS 9.3). 🔘 Cataloged as #CVE-2024-5910 (CVSS score: 9.3), the #vulnerability has been described as a case of missing authentication in its #Expedition #migration tool that could lead to an admin account takeover. 🔘 “Missing authentication for a critical function in Palo Alto Networks Unit 42 Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition," the company said in an advisory. "Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue." 🔘 The flaw impacts all versions of Expedition prior to version 1.2.92, which remediates the #problem. Synopsys Cybersecurity Research Center's (CyRC) Brian Hysell has been credited with discovering and reporting the issue. 🔘 While there is no evidence that the vulnerability has been exploited in the wild, users are advised to update to the latest version to secure against potential threats. 🔘 As workarounds, Palo Alto Networks is recommending that network access to Expedition is restricted to authorized users, hosts, or networks. 🔘 Also fixed by the American cybersecurity firm is a newly disclosed flaw in the #RADIUS #protocol called #BlastRADIUS (CVE-2024-3596) that could allow a bad actor with capabilities to perform an adversary-in-the-middle (AitM) attack between Palo Alto Networks PAN-OS #firewall and a RADIUS #server to sidestep #authentication. 🔘 The vulnerability then permits the attacker to "escalate privileges to 'superuser' when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile," it said. The following products are affected by the shortcomings: - PAN-OS 11.1 (versions < 11.1.3, fixed in >= 11.1.3) - PAN-OS 11.0 (versions < 11.0.4-h4, fixed in >= 11.0.4-h4) - PAN-OS 10.2 (versions < 10.2.10, fixed in >= 10.2.10) - PAN-OS 10.1 (versions < 10.1.14, fixed in >= 10.1.14) - PAN-OS 9.1 (versions < 9.1.19, fixed in >= 9.1.19) - Prisma Access (all versions, fix expected to be released on July 30) 🔘 It also noted that neither #CHAP nor PAP should be used unless they are encapsulated by an encrypted #tunnel since the authentication protocols do not offer Transport Layer Security (TLS). They are not #vulnerable in cases where they are used in conjunction with a TLS tunnel. 🔘 However, it's worth noting that PAN-OS firewalls #configured to use EAP-TTLS with PAP as the authentication #protocol for a RADIUS server are also not susceptible to the #attack. #rcc #cybersecurity #cyberintelligence #cybercrime #cyberint #dnsc #alert

⚠️ Attention website operators! Starting Nov 1, 2024, Google Chrome will block sites using Entrust certificates due to security issues. 🔘 "Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted [certificate authority] owner," Google's #Chrome #security #team said. 🔘 To that end, the tech giant said it intends to no longer trust #TLS #server #authentication #certificates from #Entrust starting with #Chrome browser versions 127 and higher by default. However, it said that these settings can be overridden by Chrome users and enterprise customers should they wish to do so. 🔘 Google further noted that certificate authorities play a privileged and trusted role in ensuring encrypted connections between browsers and websites, and that Entrust's lack of progress when it comes to publicly disclosed incident reports and unrealized improvement commitments poses risks to the internet ecosystem. 🔘 The blocking action is expected to cover Windows, macOS, ChromeOS, Android, and Linux versions of the browser. The notable exception is Chrome for #iOS and #iPadOS, due to Apple's policies that don't permit the Chrome #Root #Store from being used. 🔘 As a result, users navigating to a website that serves a certificate issued by Entrust or AffirmTrust will be greeted by an interstitial message that warns them that their connection is not secure and isn't private. 🔘 Affected #website operators are urged to move to a publicly-trusted certificate authority owner to minimize disruption by October 31, 2024. According to Entrust's website, its solutions are used by #Microsoft, #Mastercard, #VISA, and #VMware, among others. 🔘 “While website operators could delay the impact of blocking action by choosing to collect and install a new TLS #certificate issued from Entrust before Chrome's blocking #action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store," Google said. #rcc #cybersecurity #cybercrime #cyberintelligence #cyberint #dnsc

⚠️ Attention developers — A new high-severity #prompt #injection #flaw (CVE-2024-5565) in Vanna AI library exposes #databases to #remote #code #execution. 🔘 The vulnerability, tracked as CVE-2024-5565 (CVSS score: 8.1), relates to a case of prompt injection in the "ask" #function that #could be #exploited to trick the library into executing arbitrary commands, supply chain security firm JFrog said. 🔘 Vanna is a #Python-based machine learning library that allows users to chat with their #SQL database to glean insights by "just asking questions" (aka prompts) that are translated into an equivalent SQL query using a large language model (LLM). 🔘 The rapid rollout of #generative #artificial #intelligence (AI) models in recent years has brought to the fore the risks of exploitation by #malicious #actors, who can weaponize the tools by providing adversarial inputs that #bypass the safety mechanisms built into them. 🔘 One such prominent class of attacks is prompt injection, which refers to a type of AI #jailbreak that can be used to disregard guardrails erected by #LLM providers to prevent the production of offensive, harmful, or illegal content, or carry out instructions that violate the intended purpose of the #application. 🔘 Such attacks can be indirect, wherein a system processes data controlled by a third party (e.g., incoming emails or editable documents) to launch a malicious payload that leads to an AI jailbreak. 🔘 They can also take the form of what's called a many-shot jailbreak or multi-turn jailbreak (aka Crescendo) in which the operator "starts with harmless dialogue and progressively steers the conversation toward the intended, prohibited objective." 🔘 This approach can be extended further to pull off another novel jailbreak attack known as #Skeleton #Key. 🔘 “This AI jailbreak technique works by using a multi-turn (or multiple step) strategy to cause a model to ignore its guardrails," Mark Russinovich, chief technology officer of Microsoft Azure, said. "Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other." 🔘 Skeleton Key is also different from Crescendo in that once the jailbreak is successful and the system rules are changed, the model can create responses to questions that would otherwise be forbidden regardless of the ethical and safety risks involved. 🔘 “When the Skeleton Key jailbreak is successful, a model acknowledges that it has updated its guidelines and will subsequently comply with instructions to produce any content, no matter how much it #violates its #original #responsible AI #guidelines," Russinovich said. 🔘 The latest findings from JFrog – also independently disclosed by Tong Liu – show how prompt injections could have severe impacts, particularly when they are tied to command execution. #rcc #cybersecurity #cyberintelligence #cyberalert #cybercrime #alert #dnsc

🔴 Alert: Popular #WordPress #plugins backdoored to create rogue admin accounts. Users advised to inspect sites, remove suspicious admins, and update affected plugins. 🔘 "The injected #malware attempts to create a new administrative #user #account and then sends those details back to the attacker-controlled server," WORDFENCE security researcher Chloe Chamberland CISSP, OSCP, OSWE said in a Monday alert. 🔘 “In addition, it appears the #threat #actor also #injected #malicious #JavaScript into the footer of #websites that appears to add #SEO #spam throughout the website." 🔘 The #admin accounts have the usernames "Options" and "PluginAuth," with the account information exfiltrated to the IP address 94.156.79[.]8. 🔘 It's currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the #software #supply #chain #attack date back to June 21, 2024. 🔘 The plugins in question are no longer available for download from the WordPress plugin directory pending ongoing review: - Social Warfare 4.4.6.4 – 4.4.7.1 (Patched version: 4.4.7.3) - 30,000+ installs - Blaze Widget 2.2.5 – 2.5.2 (Patched version: N/A) - 10+ installs - Wrapper Link Element 1.0.2 – 1.0.3 (Patched version: N/A) - 1,000+ installs - Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched version: N/A) - 700+ installs - Simply Show Hooks 1.2.1 (Patched version: N/A) - 4,000+ installs 🔘 Users of the aforementioned plugins are advised to inspect their sites for suspicious administrator accounts and delete them, in addition to removing any malicious #code. #rcc #cybersecurity #cyberalert #cyberint #cybercrime #cyberintelligence

🔴 RedJuliett, a suspected China-linked cyber group, target Taiwan and other countries in extensive #cyber #espionage #campaign, #exploiting #vulnerabilities in internet-facing #devices for #intelligence gathering. 🔘 Recorded Future's Insikt Group is tracking the activity under the name RedJuliett, describing it as a cluster that operates Fuzhou, China, to support Beijing's intelligence collection goals related to the East Asian country. It's also tracked under the names Flax Typhoon and Ethereal Panda. 🔘 Among other countries targeted by the adversarial collective include Djibouti, Hong Kong, Kenya, Laos, Malaysia, the Philippines, Rwanda, South Korea, and the U.S. 🔘 In all, as many as 24 victim organizations have been observed communicating with the threat actor infrastructure, including government agencies in Taiwan, Laos, Kenya, and Rwanda. It's also estimated to have targeted at least 75 Taiwanese entities for broader reconnaissance and follow-on exploitation. 🔘 “The group targets internet-facing appliances such as firewalls, load balancers, and enterprise virtual private network #VPN products for initial access, as well as attempting structured query language #SQL injection and directory traversal exploits against web and SQL applications," the company said in a new #report published today. 🔘 As previously documented by CrowdStrike and Microsoft, #RedJuliett is known to employ the open-source software #SoftEther to tunnel #malicious traffic out of victim networks and leverage living-off-the-land (LotL) techniques to fly under the #radar. The group is believed to be active since at least mid-2021. 🔘 “Additionally, RedJuliett used SoftEther to administer operational infrastructure consisting of both threat actor-controlled servers leased from virtual private server VPS providers and compromised infrastructure belonging to three Taiwanese universities," Recorded Future noted. 🔘 A successful initial access is followed by the deployment of the China Chopper web shell to maintain persistence, alongside other open-source web shells like #devilzShell, #AntSword, and #Godzilla. A few instances have also entailed the exploitation of a #Linux privilege escalation vulnerability known as #DirtyCow (CVE-2016-5195). 🔘 "RedJuliett is likely interested in collecting intelligence on Taiwan's economic policy and trade and diplomatic relations with other countries," it said. 🔘 “RedJuliett, like many other Chinese #threat actors, is likely targeting #vulnerabilities in internet-facing devices because these devices have #limited visibility and #security solutions available, and targeting them has proven to be an effective way to scale initial #access." #rcc #cybersecurity #cyberinteligence #cybercrime #cuberint #dnsc #alert

🔴 Beware: A new adware, #AdsExhaust, is targeting #Meta #Quest app seekers with malicious downloads, manipulating browsers, and generating unauthorized revenue through sophisticated techniques. 🔘 "The adware is capable of exfiltrating screenshots from #infected #devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an #analysis, adding it identified the activity earlier this month. 🔘 “These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the #adware operators." 🔘 The initial #infection #chain involves surfacing the #bogus #website ("oculus-app[.]com") on #Google search results pages using search engine #optimization (SEO) poisoning techniques, prompting unsuspecting site visitors to #download a #ZIP archive ("oculus-app.EXE.zip") containing a Windows batch #script. 🔘 The batch script is designed to fetch a #second batch script from a command-and-control (C2) #server, which, in turn, contains a command to retrieve another batch file. It also creates scheduled tasks on the machine to run the batch scripts at different times. 🔘 This step is followed by the download of the legitimate app onto the compromised host, while simultaneously additional Visual Basic Script (VBS) files and #PowerShell scripts are dropped to gather #IP and system information, capture screenshots, and exfiltrate the data to a remote server ("us11[.]org/in.php"). 🔘 The response from the server is the PowerShell-based AdsExhaust adware that checks if Microsoft's #Edge browser is running and determines the last time a user input occurred. 🔘 “If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script," #eSentire said. "It then randomly scrolls up and down the opened page." 🔘 It's suspected that this behavior is intended to trigger elements such as ads on the web page, especially considering AdsExhaust performs random clicks within specific coordinates on the #screen. 🔘 The adware is also capable of closing the opened browser if mouse movement or user interaction is detected, creating an overlay to conceal its activities to the victim, and searching for the word "Sponsored" in the currently opened Edge browser tab in order to click on the ad with the goal of inflating ad revenue. 🔘 Furthermore, it's equipped to fetch a list of keywords from a remote server and perform Google searches for those keywords by launching Edge #browser sessions via the Start-Process PowerShell command. 🔘 “AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue," the Canadian company noted. #rcc #cybersecurity #alert #cyberint #cybercrime #cyberintelligence #keys

🔴 New Threat Alert! Chinese-speaking #SneakyChef hackers are targeting government entities worldwide and AI-focused organizations with sophisticated #SugarGh0st and #SpiceRAT #malware. 🔘 "SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries' Ministries of Foreign Affairs or embassies," Cisco Talos Intelligence Group researchers Chetan Raghuprasad and Chi En (Ashley) S. said in an analysis published today. 🔘 Activities related to the hacking crew were first highlighted by the cybersecurity company in late November 2023 in connection with an attack campaign that singled out South Korea and Uzbekistan with a custom variant of Gh0st RAT called SugarGh0st. 🔘 A subsequent analysis from Proofpoint last month uncovered the use of SugarGh0st #RAT against U.S. organizations involved in artificial intelligence efforts, including those in academia, private industry, and #government #service. It's tracking the #cluster under the name UNK_SweetSpecter. 🔘 Talos said that it has since observed the same malware being used to likely focus on various government entities across Angola, India, Latvia, Saudi Arabia, and Turkmenistan based on the lure documents used in the spear-phishing campaigns, indicating a widening of the scope of the countries targeted. 🔘 In addition to leveraging attack chains that make use of Windows Shortcut (LNK) files embedded within RAR archives to deliver SugarGh0st, the new wave has been found to employ a self-extracting #RAR archive (SFX) as an initial infection vector to launch a #Visual #Basic #Script (VBS) that ultimately executes the malware by means of a loader while simultaneously displaying the decoy #file. 🔘 The attacks against Angola are also notable for the fact that it utilizes a new remote access trojan codenamed SpiceRAT using lures from Neytralny Turkmenistan, a Russian-language newspaper in Turkmenistan. 🔘 SpiceRAT, for its part, employs two different infection chains for propagation, one of which uses an LNK file present inside a RAR archive that deploys the malware using DLL side-loading techniques. 🔘 “When the victim extracts the RAR file, it drops the #LNK and a hidden folder on their machine," the researchers said. "After a victim opens the shortcut file, which masqueraded as a #PDF document, it executes an embedded command to run the malicious launcher executable from the dropped #hidden folder." 🔘 The launcher then proceeds to display the decoy document to the victim and run a legitimate binary ("dxcap.exe"), which subsequently sideloads a malicious #DLL responsible for loading SpiceRAT. 🔘 The second variant entails the use of an #HTML Application (HTA) that drops a Windows batch script and a Base64-encoded downloader #binary, with the former launching the executable by means of a scheduled task every five minutes. #rcc #alert #cybersecurity #cybercrime #cyberint #cyberintelligence #dnsc #top

👁🗨 Fickle Stealer, a new Rust-based malware, and AZStealer, an open-source Python stealer, target sensitive data from crypto wallets, browsers, and more through multiple attack chains and exfiltration methods. 🔘 Fortinet FortiGuard Labs said it's aware of four different distribution methods -- namely #VBA dropper, VBA downloader, link downloader, and executable downloader -- with some of them using a #PowerShell #script to bypass User Account Control (UAC) and execute #Fickle #Stealer. 🔘 The PowerShell #script ("bypass.ps1" or "u.ps1") is also designed to periodically send #information about the #victim, including country, city, #IP address, operating system version, computer name, and username to a #Telegram #bot controlled by the attacker. 🔘 The stealer payload, which is protected using a packer, runs a series of anti-analysis checks to determine if it's running in a sandbox or a virtual machine environment, following which it beacons out to a remote server to exfiltrate #data in the form of #JSON strings. 🔘 Fickle Stealer is no different from other variants in that it's designed to gather information from crypto wallets, web browsers powered by Chromium and the #Gecko browser engine (i.e, #Google #Chrome, #Microsoft #Edge, #Brave, #Vivaldi, and #Mozilla #Firefox), and applications like #AnyDesk, #Discord, #FileZilla, #Signal, #Skype, #Steam, and #Telegram. 🔘 It's also designed to export files matching the extensions .txt, .kdbx, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .odp, and wallet.dat. 🔘 "In addition to some popular applications, this stealer searches sensitive files in parent directories of common installation directories to ensure comprehensive data gathering," security researcher Pei-Han Liao said. "It also receives a target list from the server, which makes Fickle Stealer more flexible." 🔘 The disclosure comes as Symantec disclosed details of an open-source #Python stealer called #AZStealer that comes with the functionality to steal a wide variety of information. Available on #GitHub, it has been advertised as the "best undetected Discord stealer." 🔘 "All stolen information is zipped and depending on the size of the archive exfiltrated directly through Discord webhooks or first uploaded to #Gofile online files storage and after that exfiltrated via Discord," the Broadcom-owned company said. 🔘 “AZStealer will also attempt the theft of document files with predefined targeted extensions or those having specific #keywords such as #password, #wallet, #backup, etc. in the filename." #rcc #cybersecurity #alert #cyberint #cybercrime #cyberintelligence #news