Connect with us

Cyber Security

Dustman Attack Underscores Iran’s Cyber Capabilities

Published

on

For nearly six months, an attack group linked to Iran reportedly had access to the network of Bahrain’s national oil company, Bapco, before it executed a destructive payload.

On December 29, a group of attackers used a data-deleting program known as a “wiper” to attempt to destroy data on systems at Bahrain’s national oil company, overwriting data with a string of characters including the phrases “Down With Bin Salman” and “Down With Saudi Kingdom,” according to multiple analyses.

While the destructive malware, dubbed “Dustman” by the Saudi National Cyber Security Centre (NCSC), differs from previous wiper attacks, many of its techniques link the code to Shamoon and ZeroCleare, two data-destroying programs used by Iranian-linked groups to target firms in the Middle East. In addition, while the group behind Dustman had access to the victim’s network since July 2019, they only executed the wiper code on December 29, the same day that the United States retaliated for the death of an American contractor by bombing Iranian-linked targets in Syria and Iraq.

The attack deleted the data on most of the victim’s computers, according to other NCSC analysis.

“Just because it is anti-Saudi does not make it necessarily Iranian,” says Dmitriy Ayrapetov, vice president of platform architecture at SonicWall. “But because it is so related in techniques and modules that it uses [when compared] to the previous two attacks that have been attributed to Iran, we can — with fairly clear confidence — say this is a continuation of the campaigns of Iranian hacking groups.”

The attack demonstrates both the technical capabilities of the group behind Dustman and the level of access that it has to networks in the Middle East.

The attackers gained access by using a vulnerability in the company’s virtual private networking software, used the antivirus management server to distribute the malware, manually deleted data on the company’s storage servers, and then deleted the VPN access logs to hide their tracks. However, the attack missed some machines on the network because they had been in sleep mode.

“Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware, NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC [operational security] failures observed on the infected network,” NCSC stated in its analysis.

Iranian-linked groups — the two major actors known as APT33 and APT34 — have been active for some time in the Middle East and against US targets. A 2-year-old vulnerability in Microsoft Outlook, for example, has been used to attack companies because of the complexity of patching the issue correctly.

The NCSC report did not name the target, but both press reports and security firm’s analyses indicated that the victim was the Kingdom of Bahrain’s national oil company.

While Iranian espionage and hacking groups may be best known for their destructive attacks, the groups are also quite adept at stealing data and other intelligence operations, says Adam Meyers, vice president of intelligence at CrowdStrike.

“Dustman is one of the destructive [and] disruptive tools that we associate with Iranian government-affiliated threat actors, though we have not associated it directly to any of the groups CrowdStrike tracks at this time with any degree of confidence,” Meyers says, adding “Iran has deployed destructive wipers several times over the years. They are more commonly engaged in intelligence collection intrusions, but they have been known to use wipers.”

The NCSC report stated that the initial infiltration occurred in July 2019 using a vulnerability in a virtual private network (VPN) application. A critical vulnerability in Pulse Secure’s VPN software has been used in several attacks — most recently, it was purportedly used in the breach of travel-service provider Travelex — but none of the analyses linked that specific vulnerability to the Dustman incident.

The attack also used legitimate, signed drivers with known vulnerabilities to bypass some Windows security features, says SonicWall’s Ayrapetov. The attackers first load the driver, for the virtual machine software VirtualBox, and then exploit the driver to load a different untrusted driver to overwrite data, SonicWall stated in its analysis.

“They load an old signed driver that is vulnerable, and then they exploit that vulnerability and load the modules from a legitimate piece of software to do the wiping attack,” he says. “They are hijacking legitimate functionality to bypass some of the Windows security controls.”

The use of the antivirus management console should also be noted by security teams, Yaron Kassner, chief technology officer of cybersecurity firm Silverfort, said in a statement.

“Highly privileged service accounts are a top target for hackers because once compromised, they can be exploited to reach sensitive systems and gain control over them,” he said. “These accounts can pose significant risk to corporate networks. Therefore it is important to monitor and restrict access of such service accounts.”

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “6 Unique InfoSec Metrics CISOs Should Track in 2020.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

More Insights

Source: https://www.darkreading.com/vulnerabilities—threats/advanced-threats/dustman-attack-underscores-irans-cyber-capabilities/d/d-id/1336797?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cyber Security

SonicWall has Patched a critical Flaw impacting Several Secure Mobile Access (SMA)

Published

on

SonicWall fixes critical bug allowing SMA 100 device takeover

SonicWall has corrected a significant security hole that affects various Secure Mobile Access (SMA) 100 series products and allows unauthenticated attackers to get admin access on vulnerable devices remotely.

SMA 200, 210, 400, 410, and 500v appliances are vulnerable to attacks targeting the incorrect access control vulnerability listed as CVE-2021-20034.

There are no temporary mitigations to remove the attack vector, and SonicWall strongly advises impacted customers to install security updates as soon as possible to resolve the problem.

There will be no exploitation in the wild.

Attackers who successfully exploit this flaw can remove arbitrary files from unpatched SMA 100 secure access gateways, reboot the device to factory default settings, and potentially acquire administrator access.

“The vulnerability is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as nobody,” the company said.

SonicWall advised enterprises who use SMA 100 series appliances to immediately log in to MySonicWall.com and update the appliances to the patched firmware versions shown in the table below.

There is currently no evidence that this serious pre-auth vulnerability is being exploited in the wild, according to the business.

Product Platform Impacted Version Fixed Version
SMA 100 Series • SMA 200
• SMA 210
• SMA 400
• SMA 410
• SMA 500v (ESX, KVM, AWS, Azure)
10.2.1.0-17sv and earlier 10.2.1.1-19sv and higher
10.2.0.7-34sv and earlier 10.2.0.8-37sv and higher
9.0.0.10-28sv and earlier 9.0.0.11-31sv and higher

SEE ALSO:

US financial regulator warns of a massive phishing campaign

Targeted ransomware

Since the beginning of 2021, ransomware gangs have targeted SonicWall SMA 100 series appliances on many occasions, with the objective of migrating laterally into the target organization’s network.

For example, a threat organisation known as UNC2447 used the CVE-2021-20016 zero-day flaw in SonicWall SMA 100 appliances to spread the FiveHands ransomware strain (a DeathRansom variant just as HelloKitty).

Before security patches were issued in late February 2021, their attacks targeted a number of North American and European enterprises. In January, the same issue was utilised in attacks against SonicWall’s internal systems, and it was afterwards used indiscriminately in the wild.

SonicWall warned two months ago, in July, that unpatched end-of-life (EoL) SMA 100 series and Secure Remote Access (SRA) systems were at danger of ransomware attacks.

Security researchers from CrowdStrike and Coveware added to SonicWall’s warning, stating that the ransomware campaign was still active. Three days later, CISA validated the researchers’ findings, warning that threat actors were targeting a SonicWall vulnerability that had already been patched.

HelloKitty ransomware had been exploiting the weakness (recorded as CVE-2019-7481) for a few weeks before SonicWall’s ‘urgent security notification’ was issued, according to BleepingComputer.

SonicWall recently announced that its products are used by over 500,000 businesses in 215 countries and territories across the world. Many of them may be found on the networks of the world’s top companies, organisations, and government institutions.

SEE ALSO:

Top 5 Programming Languages to Learn for Cyber Security

PlatoAi. Web3 Reimagined. Data Intelligence Amplified.
Click here to access.

Source: https://cybersguards.com/sonicwall-has-patched-a-critical-flaw-impacting-several-secure-mobile-access-sma/

Continue Reading

Cyber Security

Apple bans Epic Games from App Store

Published

on

Apple bans Epic Games from App Store until all litigation is finalized

Epic Games CEO Tim Sweeney announced the indefinite ban with a series of tweets.

According to a series of emails published on Twitter and a blog post by Epic CEO Tim Sweeney, Apple has blocked Epic Games from returning to the App Store ecosystem indefinitely, despite the games developer claiming it would stop its own payments system.

Epic’s iOS developer account was blocked in August of last year after the company introduced a new payment method designed to bypass Apple’s payment systems and 30 percent commission fees. Epic filed cases against Apple in response to the prohibition, with the US litigation resulting in a mixed court verdict a fortnight ago.

Apple was justified in cancelling Epic’s iOS developer account because it breached App Store criteria, according to the mixed court verdict.

Epic has subsequently challenged the ruling, and the court is currently deciding whether or not to hear the case.

SEE ALSO:

Iranian Hackers Recently Switched to WhatsApp and LinkedIn to Conduct Phishing Attacks

The games developer’s apps, such as its flagship game Fortnite, would not be permitted to return to the App Store until the US case was resolved, according to one of the disclosed emails reportedly received by Apple’s legal representatives on September 21.

“Apple has exercised its discretion not to reinstate Epic’s developer program account at this time. Furthermore, Apple will not consider any further requests for reinstatement until the district court’s judgment becomes final and non-appealable,” the emails reads.

The letter alluded to the mixed court judgement, which stated that Apple was within its rights to remove any Epic-related accounts from the App Store and that Epic’s developer account could not be reinstated.

Sweeney accused Apple of breaking its promise to enable Epic Games to return to the App Store if it agreed to “play by the same standards” in his tweets.

This was in response to an Apple spokesperson’s emailed remark from a week ago:

“As we’ve said all along, we would welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else. Epic has admitted to breach of contract and as of now, there’s no legitimate basis for the reinstatement of their developer account.”

“Apple lied,” Sweeney tweeted.

SEE ALSO:

Top 10 Websites for Freelancers to Make More Money Online

“Apple spent a year telling the world, the court, and the press they’d ‘welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else.’ Epic agreed, and now Apple has reneged in another abuse of its monopoly power over a billion users.”

Other repercussions of the US court judgement include Epic’s attempt to reintroduce Fortnite to the South Korean iOS App Store, which is now in jeopardy due to the company’s lack of an iOS developer account. Despite the fact that South Korea recently passed legislation requiring programme stores like the App Store to accept different payment methods, this is still the case.

Epic Games’ other pending lawsuits around the world, such as two in Australia, accuse Apple and Google of acting anti-competitively through their app store tactics, would be influenced by the court verdict.

PlatoAi. Web3 Reimagined. Data Intelligence Amplified.
Click here to access.

Source: https://cybersguards.com/apple-bans-epic-games-from-app-store/

Continue Reading

Cyber Security

Google Update on Memory Safety in Chrome

Published

on

Google shared details about its long-term plan for memory safety in Chrome this week. It also announced the first stable release Chrome 94 which addresses a total 19 vulnerabilities.

Google decided to address the issue before it gets worse by identifying memory safety issues as the root cause of over 70% of Chrome’s severe bugs last year.

The Internet search giant chose to concentrate on two solutions out of all the possible options. They introduced runtime checks to verify that pointers are correct and sought a different safe memory programming language.

“Runtime checks have a performance cost. Checking the correctness of a pointer is an infinitesimal cost in memory and CPU time. But with millions of pointers, it adds up,” Google notes.

However, it was considered a viable option and Google is currently experimenting with it.

“[T]he Rust compiler spots mistakes with pointers before the code even gets to your device, and thus there’s no performance penalty,” Google explains.

The company is currently only interested in how it can make C++/Rust work together. However, it has already begun non-user-facing Rust experiments.

Chrome 94.0.4606.54 is now available for Windows, Mac, and Linux. It fixes 19 security vulnerabilities, including five high-severity and ten moderate-severity issues, as well as two low-severity ones.

SEE ALSO:

Google: We’ve changed search rankings to reward ‘original news reporting’

CVE-2021-37956 is the most serious of the severe issues. This flaw can be used in Offline, and Google paid a $15,000 bounty.

The company also paid $7500 for a WebGPU bug, $3,000 for an inappropriate implementation of Navigation, and $1,000 to resolve a Task Manager issue.

Google claims it also paid high rewards to five vulnerabilities of medium severity: $10,000 each for tab strip flaws and one in Performance Manager; $3,000 each side-channel information leakage and ChromeOS Networking inappropriate implementation, and Background Fetch API inappropriate implementation.

Google paid out more than $56,000 in bounty payments to researchers who reported on the issues, though the actual amount could be much greater, as the company has not yet revealed the rewards for seven of them.

PlatoAi. Web3 Reimagined. Data Intelligence Amplified.
Click here to access.

Source: https://cybersguards.com/google-update-on-memory-safety-in-chrome/

Continue Reading

Cyber Security

A New Vulnerability Found in Apple’s macOS Finder Lets Attackers Run Commands Remotely

Published

on

New macOS zero-day bug lets attackers run commands remotely

A new vulnerability in Apple’s macOS Finder was revealed today, allowing attackers to run arbitrary instructions on Macs running any macOS version up to the most recent release, Big Sur.

Zero-day vulnerabilities are defects that have been publicly published but have not yet been patched by the vendor and are sometimes actively exploited by attackers or have publicly available proof-of-concept exploits.

The flaw, discovered by independent security researcher Park Minchan, is caused by the way macOS processes inetloc files, which permits it to mistakenly run any commands encoded inside by an attacker without any warnings or prompts.

Internet location files with on macOS.

inetloc extensions are system-wide bookmarks for opening internet resources (news:/, ftp:/, afp:/) or local files (file:/).

“A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands,” an SSD Secure Disclosure advisory published today revealed.

“These files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user.”

SSD Secure Disclosure
Image: SSD Secure Disclosure

Apple botches the patch and fails to assign a CVE ID.

As Minchan later revealed, Apple’s patch only partially addressed the weakness, as it can still be exploited by changing the protocol used to execute the embedded commands from file:/ to FiLe:/.

SEE ALSO:

Guardicore Labs are Sharing Details of a Critical Vulnerability in Hyper-V

“Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the com.apple.generic-internet-location) however they did a case matching causing File:// or fIle:// to bypass the check,” the advisory adds.

“We have notified Apple that FiLe:// (just mangling the value) doesn’t appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched.”

Although the study did not specify how attackers may exploit this flaw, it might be exploited by threat actors to generate malicious email attachments that, when opened by the target, execute a packaged or remote payload.

BleepingComputer further examined the researcher’s proof-of-concept exploit and found that it could be used to perform arbitrary commands on macOS Big Sur without any prompts or warnings by utilising specially designed files received from the Internet.

An.inetloc file containing the PoC code was not recognised by any of the antimalware engines on VirusTotal, implying that macOS users who may be targeted by threat actors employing this attack vector will be unprotected.

PlatoAi. Web3 Reimagined. Data Intelligence Amplified.
Click here to access.

Source: https://cybersguards.com/a-new-vulnerability-found-in-apples-macos-finder-lets-attackers-run-commands-remotely/

Continue Reading
Blockchain News32 mins ago

Crypto Exchange FTX Relocates its HQ to the Bahamas from Hong Kong

Blockchain News32 mins ago

Crypto Exchange FTX Relocates its HQ to the Bahamas from Hong Kong

HRTech55 mins ago

Organisations are at an Inflection Point When it Comes to the Next Level of Equity, Diversity, and Inclusion

HRTech55 mins ago

Organisations are at an Inflection Point When it Comes to the Next Level of Equity, Diversity, and Inclusion

HRTech58 mins ago

UK business leaders to boost investment in employee wellbeing

HRTech58 mins ago

UK business leaders to boost investment in employee wellbeing

HRTech1 hour ago

Brits don’t know how to look after their eyes

HRTech1 hour ago

Brits don’t know how to look after their eyes

HRTech1 hour ago

Five steps to best prepare for the end of furlough on September 30

HRTech1 hour ago

Five steps to best prepare for the end of furlough on September 30

HRTech1 hour ago

Happiness at Work

HRTech1 hour ago

Happiness at Work

HRTech1 hour ago

Brookeld Infrastructure & Digital Realty Joint Venture Announces Appointment of Seema Ambastha as CEO

HRTech1 hour ago

Brookeld Infrastructure & Digital Realty Joint Venture Announces Appointment of Seema Ambastha as CEO

Esports2 hours ago

Arc-V World, Pendulum Summoning, and more coming to Yu-Gi-Oh! Duel Links on Sept. 28

Blockchain News2 hours ago

Over 2.2M Crypto Accounts Set to Trade With Restrictions in South Korea as Exchange’s Deadline Looms

Esports2 hours ago

The Pokémon Company reveals four cards, including Lunala and Tapu Lele GX, from 25th Anniversary Collection

Esports2 hours ago

Pokémon Global Exhibition 2021 lineup officially revealed

Esports2 hours ago

Nintendo Switch Online Japan’s Sega Genesis controller will be the six-button version

Esports2 hours ago

Microsoft’s The Initiative brings on Crystal Dynamics to help develop its Perfect Dark reboot

Energy3 hours ago

Nel ASA: Receives purchase order for 5MW alkaline electrolyser

Techcrunch3 hours ago

Amazon assembles video streaming apps to fight with Netflix and Disney in India

Techcrunch3 hours ago

Amazon assembles video streaming apps to fight with Netflix and Disney in India

Energy3 hours ago

Die richtige Autobatterie ist nur der halbe Weg: Exide stellt neue Funktionen seines Battery Finder-Tools vor

Energy3 hours ago

Energy Leaders Launch 24/7 Carbon-free Energy Compact

Cyber Security3 hours ago

SonicWall has Patched a critical Flaw impacting Several Secure Mobile Access (SMA)

Aviation3 hours ago

Ex-Qantas exec finally starts new role at Virgin

Blockchain News3 hours ago

The Sordid Tale of QuadrigaCx is Coming to Netflix

Fintech3 hours ago

Novatti grows Ripple partnership, expanding into Thailand

Fintech3 hours ago

Novatti grows Ripple partnership, expanding into Thailand

Trending