Threat Source newsletter (Feb. 23, 2023) — Social media sites are making extra security a paid

TALOS

Thursday, February 23, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Social media’s latest business plan seems to be charging for security.

Twitter recently announced a plan to make SMS-based two-factor authentication a paid service as part of Twitter Blue — asking users to pay either $8 or $11 monthly for the feature set. Meta, Facebook’s parent company, also announced a new pay-for-verification service on Facebook and Instagram that will allow users to pay up to $14 a month for “a verified badge that authenticates your account with government ID, proactive account protection, access to account support, and increased visibility and reach.”

The Twitter plan falls into a gray area for me. I’ve talked to experts who pointed out that app-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA, because a one-time code delivered by text message can be intercepted through SIM swapping or SS7 abuse. So in theory, forcing people to pay for SMS MFA would make them less likely to keep using it and push them toward the free, stronger app-based option.

However, among all Twitter users who utilize MFA, more than 74 percent of them opt into SMS-based authentication. Based on the estimated number of Twitter users (more than 353 million) and the total amount of users who use any type of MFA (2.6 percent), that means about 6,845,841 accounts will be forced to pay to continue their use of SMS-based authentication or switch to an app-based method.

Many of these users may switch to Twitter Blue or find a new way to keep MFA on their accounts. Many of them will just drop the feature altogether. I would argue any good social media company needs to keep its users’ safety a priority no matter what.

Things like making sure you can’t be impersonated on a site seem like it would be a basic expectation when you give up the amount of personal information you already must to sign up. And many consumers (especially someone who’d be considered the “Average Joe”) do not want to spend time downloading a new MFA app and completing the setup process.

Even the security savvy are growing tired of having to download multiple MFA apps for various uses, leaving password managers as the clearest path to a safe login (but those aren’t foolproof, either).

Meta and Twitter users who don’t want to pay for the additional protections have a few other options to improve their account’s security:

  • Purchase a hardware security key (FIDO2/U2F). Rather than producing a code you type in, the key signs a per-login challenge that the browser binds to the site you are actually on, which is what makes it resistant to phishing.
  • Enroll in app-based multi-factor authentication (like Cisco Duo), which is still free to use on Twitter.
  • If you’re setting up an MFA app for the first time, follow the U.S. Cybersecurity and Infrastructure Security Agency’s guidelines for implementing phishing-resistant MFA. Note that CISA counts only FIDO/WebAuthn and PKI-based methods as phishing-resistant; an authenticator app’s push prompts and six-digit codes are a clear step up from SMS, but a real-time phishing page can still relay them.
  • If you opt to not enroll in any sort of MFA, use a password management program to generate a new, random password with a mix of characters and cases and store it securely using the program. But any MFA beats a password alone, and a security key or authenticator app is a safer choice than SMS.

The one big thing

An unknown actor is deploying the new MortalKombat ransomware and a Go variant of the Laplas Clipper malware to steal cryptocurrency from victims. Talos researchers have seen several campaigns targeting individuals, small businesses and large organizations that aim to steal or demand ransom payments in cryptocurrency.

Why do I care?

MortalKombat (yes, a reference to that “Mortal Kombat”) is a new ransomware that just appeared in January, so we still know relatively little about this malware family, though new protections are now available from Talos. While cryptocurrency’s value is down across the board, that doesn’t mean attackers have stopped caring about it; it remains the easiest way for attackers to collect payment without being readily tracked.

So now what?

Talos released several new Snort rules and ClamAV signatures to protect against the threats we outlined in last week’s blog post. Cisco Secure Endpoint users can also use Orbital Advanced Search to run osquery queries across their fleet to see if their endpoints are infected with this specific threat.

Top security headlines of the week

The Clop ransomware gang claims it recently breached more than 130 organizations, many of them related to health care, with a large chunk affecting CHS Healthcare patients. CHS reported the breach to the U.S. Securities and Exchange Commission, saying that the attack targeted GoAnywhere MFT, a managed file transfer product. The filing stated the breach affected up to 1 million individuals. Members of Clop said they exploited the security flaw CVE-2023-0669, which enables remote code execution on unpatched GoAnywhere MFT instances whose administrative console is exposed to the internet. The breaches took place over the course of 10 days earlier this year. (Bleeping Computer, Ars Technica)

The FBI said it recently “contained” a security incident on its computer network, offering sparse details otherwise. “The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to news network CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.” The report also indicates that the attack specifically targeted the portion of the FBI’s network it uses in investigations of images of child sexual exploitation. (CNN, InfoSecurity)

Data brokers are increasingly relying on information from virtual therapy apps to profit from users’ information. A new study from Duke University found that one firm even charged $100,000 a year for a “subscription” service to data that included information on individuals’ mental health conditions. This data included highly sensitive information, such as a person’s demographics, and what ailments they’ve reported, including depression, OCD, bipolar disorder and strokes. Virtual therapy apps have become increasingly popular among the American population, especially during the COVID-19 pandemic. They offer a cheaper and more accessible option to patients who often find it difficult to find therapy providers that accept insurance. (PBS, Washington Post, Duke University)

Can’t get enough Talos?

  • Crypto investors under attack by new malware, reveals Cisco Talos
  • Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities
  • Beers with Talos Ep. #130: Ransomware is a people problem (but getting rid of email helps)

Upcoming events where you can find Talos

  • WiCyS (March 16 - 18), Denver, CO
  • RSA (April 24 - 27), San Francisco, CA

Most prevalent malware files from Talos telemetry over the past week

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311

SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423
MD5: 954a5fc664c23a7a97e09850accdfe8e
Typical Filename: teams15.exe
Claimed Product: teams15
Detection Name: Gen:Variant.MSILHeracles.59885

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
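The Orbital/osquery sweep mentioned under “So now what?” and the hash list above both come down to the same check: do any files on an endpoint match a known digest? The following is an added example, not a Talos tool or Orbital query: a small Python scanner that walks a directory tree, hashes each regular file in chunks (so large binaries are not read into memory), and reports matches against the SHA-256 values and detection names quoted in the list above. The `demo()` function builds a throwaway directory with a constructed file and a constructed IOC entry so the scanner can be exercised offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 digests and detection names copied from the telemetry list above,
# keyed by lowercase hex digest. Nothing else about these samples is assumed.
TALOS_IOCS = {
    "e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934": "PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg",
    "e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c": "PUA.Win.Tool.Kmsauto::1201",
    "00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725": "Trojan.GenericKD.65065311",
    "de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423": "Gen:Variant.MSILHeracles.59885",
    "59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa": "Win.Worm.Coinminer::1201",
}


def file_digests(path: Path, chunk_size: int = 1 << 20) -> tuple:
    """Return (sha256_hex, md5_hex) for a file, streamed in 1 MiB chunks."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def scan_tree(root: str, iocs: dict) -> list:
    """Walk `root` and return one record per regular file whose SHA-256 is in `iocs`.

    Symlinks are skipped so a hostile link cannot steer the scan outside the tree,
    and unreadable files are ignored rather than aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                sha, md5 = file_digests(path)
            except OSError:
                continue
            if sha in iocs:
                hits.append({"path": str(path), "sha256": sha, "md5": md5, "detection": iocs[sha]})
    return hits


def demo() -> list:
    """Constructed scenario: a temp tree with one 'suspicious' file and one clean file,
    scanned against the page's IOCs plus one constructed entry for the planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "bin" / "dropper.exe"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed sample body, not real malware\n")
        (Path(tmp) / "notes.txt").write_bytes(b"clean file\n")
        planted_sha, _ = file_digests(planted)
        iocs = dict(TALOS_IOCS)
        iocs[planted_sha] = "Constructed.Test.Sample"   # assumption: only for the demo
        hits = scan_tree(tmp, iocs)
        # Strip the random temp path so the result is stable for callers.
        return [{**h, "path": os.path.relpath(h["path"], tmp)} for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}: {hit['detection']} (sha256={hit['sha256'][:12]}...)")
```

A digest match is a high-confidence but narrow signal: a rebuilt or packed sample gets a new hash, so treat this as a quick sweep for the exact files Talos saw, not a substitute for the Snort, ClamAV and Orbital coverage the post describes. On Windows hosts, `Get-FileHash -Algorithm SHA256` produces the same digests for spot checks.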
