Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking an user to open a crafted malicious docker-desktop:// URL.

CVE-2023-0628: Docker Desktop release notes

By Habiba Rashid
The alleged administrator of the website selling NetWire malware has been arrested in Croatia.
This is a post from HackRead.com Read the original post: NetWire Malware Site and Server Seized, Admin Arrested

****NetWire malware has been utilized by various cybercrime groups, but its most notable use occurred in February 2022 when the ModifiedElephant APT group used the malware to plant incriminating evidence on victims’ devices.****

In a joint operation between the US Federal Bureau of Investigation (**FBI**), the European Union Agency for Law Enforcement Cooperation (**Europol**), and other international law enforcement agencies, the internet domain used to sell NetWire malware has been seized.

NetWire is a powerful tool used by cybercriminals to gain unauthorized access to computer systems and control them remotely. It’s worth noting that NetWire was used extensively in several cyberattacks, including those targeting the aviation and defence sectors **in February 2022**, thousands of global oil and gas and energy firms **in August 2017**, and attacks on the aerospace and travel sectors **in May 2021**.

In addition, NetWire was utilized in a malicious campaign last year by the ModifiedElephant APT to **plant incriminating evidence** on victims’ devices. The activities of this APT group are closely aligned with the “Indian state interests.

According to a press release from the US Attorney’s Office for the Central District of California, the seizure was part of an ongoing investigation into the sale and distribution of NetWire malware. The domain, which had been in operation since 2012, sold the malware to buyers worldwide, including individuals in the United States for their own criminal ends.

The operation to seize the domain involved the coordinated efforts of law enforcement agencies from around the world. The FBI worked with Europol, Croatia, Switzerland, and other partners to identify and track down the individuals responsible for the sale and distribution of NetWire.

The operation resulted in the seizure of the domain and the arrest of a suspect whose name has not been released by US or Croatian authorities.

NetWire malware is a type of remote access Trojan (RAT) that cybercriminals often use to gain access to a victim’s computer. Once installed, the malware allows the attacker to remotely control the computer, access sensitive information, and carry out a range of malicious activities.

The seizure of the NetWire domain is a significant development in the fight against cybercrime. It demonstrates the effectiveness of international cooperation in tackling online threats and highlights the commitment of law enforcement agencies worldwide to combat cybercrime.

The seizure notice

“By removing the NetWire RAT, the FBI has impacted the criminal cyber ecosystem,” Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office, said in a **statement**.

“The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals,” Alway added.

This victory serves as a reminder that the fight against malware is far from over because cybercriminals are constantly developing new tools and techniques to evade detection. It is therefore essential that individuals and organizations take steps to protect themselves against cyber attacks by **implementing strong security measures**, such as using anti-virus software and keeping their systems up to date with the latest security patches.

1.  **Teen hires attacker to DDoS his school district**
2.  **Hive Ransomware Gang Disrupted; Domain Seized**
3.  **No prison for duo behind vDOS DDoS for hire service**
4.  **DoubleVPN’s server used by ransomware gangs seized**
5.  **NetWalker ransomware busted – funds and domain seized**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

NetWire Malware Site and Server Seized, Admin Arrested

By Habiba Rashid
It turns out that the number of women on the darker side of cybersecurity is increasing, and these stats will shock you.
This is a post from HackRead.com Read the original post: Gender Diversity in Cybercrime Forums: Women Users on the Rise

****According to the report, 36% of users at Hackforums were likely women, based on their use of language, and 30% of XSS forum users, a Russian language cybercrime forum, were reportedly women.****

In recent years, there has been a shift toward increased gender equality in **underground cybercriminal forums**. This stands in stark contrast to the more male-dominated cybersecurity industry, where women continue to face significant barriers to entry and advancement.

A recently published **study** by Trend Micro pushes forward a similar finding wherein at least 30%, if not more, of cybercriminal forum users, are women. Although the methodology used makes the results of the study somewhat unreliable, the report itself recognizes this. 

Trend Micro inspected five English-language cybercrime forums: Sinister, Cracked, Breached, Hackforums, and **(now defunct and seized) Raidforum**, as well as five Russian-language sites: XSS, Exploit, Vavilon, BHF, and WWH-Club.

Since these sites are frequented by largely anonymous users, tools such as Semrush and uClassify’s Gender Analyzer V5 were used to estimate the number of female users.

According to the report, 36% of users at **Hackforums** were likely women, based on their use of language, and 30% of XSS forum users were reportedly women, based on the same analysis. At first glance, these numbers indicate that cybercriminal forums are more meritocratic than the white hat world, but this article will delve deeper to understand the reasons behind this difference. 

One reason for the gender diversity in cybercriminal forums is that these groups are often more decentralized and less hierarchical than traditional workplaces. This can make it easier for women to participate and contribute their skills without **fear of discrimination or harassment**.

It is important to understand that these forums have traditionally been male-dominated spaces where men exchange information, tools, and services related to cybercrime.

However, with the increased diversity in the cybersecurity industry over the years, more women have entered the field. As a result, there are now more women who possess the skills and knowledge necessary to participate in these forums.

But why is gender diversity not growing at an equal rate in the cybersecurity workforce? The reasons for this gender gap are complex and multifaceted. Women face a range of barriers to entry, including unconscious bias, stereotypes, and a lack of female role models and mentors in the industry. Additionally, the highly technical and male-dominated culture of cybersecurity can create a challenging environment for women to thrive.

According to a **2022 report** from Cybersecurity Ventures, women make up just 25% of the cybersecurity workforce, with even lower numbers in leadership roles. This gender gap is especially concerning, given the increasing demand for cybersecurity professionals and the potential consequences of a lack of diversity in this field.

One of the most significant reasons for the increase in the number of female users on cybercriminal forums is anonymity, which can be empowering for women who may face discrimination or harassment in the workplace.

In an **underground cybercriminal forum**, participants are judged solely on their skills and contributions, rather than their gender or other personal characteristics. This creates a level playing field where women can demonstrate their expertise and gain respect from their peers. As a result, women who seek out a gender-anonymous space have been increasingly drawn to these forums.

Lastly, the **rise of cryptocurrencies** has made it easier for women to participate in these forums. Traditionally, cybercriminals have used traditional payment methods, such as wire transfers or PayPal, to exchange money for tools and services.

Ilya Lichtenstein and his wife, Heather Morgan, were arrested in February 2022 and charged for their involvement in money laundering of funds stolen in the Bitfinex cryptocurrency hack of 2016.

Suzette Kugler, a 59-year-old US woman, was arrested for hacking the internal network of her employer, PenAir.

Valerie Gignac, a 27-year-old Canadian woman, was arrested in April 2015 for spying on people through webcams, harassing victims, and even owning a famous hacking forum with more than 35,000 members.

Eighteen-year-old Michaela Gabriella King carried out crippling DDoS attacks on her school system.

However, these methods are often difficult for women to use, as they may not have access to a bank account or a credit card. Cryptocurrencies, on the other hand, can be easily obtained and used anonymously, making it easier for women to participate in these forums.

What all of this proves is that women are not absent from the cybersecurity industry, but rather likely to be on the wrong side of it. Efforts to address gender inequality in cybersecurity are underway, with initiatives such as Women in Cybersecurity (WiCyS) and the National Cyber Security Centre’s CyberFirst Girls competition aimed at encouraging more women to pursue careers in this field.

However, progress has been slow, and it will likely take a concerted effort from the industry as a whole to truly move the needle on gender diversity. By addressing the underlying barriers to entry and fostering a more inclusive culture, we can create a more equitable and effective **cybersecurity workforce** where women with a passion for cybersecurity become a valuable part of the industry. 

1.  **Woman arrested for spying on people via webcams**
2.  **Woman hacked, leaked private pics of Selena Gomez**
3.  **Woman hacked airline network, busted through VPN logs**
4.  **Female DDoS attacker charged with crippling school system**
5.  **Husband and wife ransomware operators arrested in Ukraine**

Gender Diversity in Cybercrime Forums: Women Users on the Rise

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below -

CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability
CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability

Vulnerability / Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The list of vulnerabilities is below -

*   CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability
*   CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability
*   CVE-2022-28810 (CVSS score: 6.8) - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package.

The exact specifics surrounding the nature of attacks are unknown, but the Shadowserver Foundation in October 2022 noted that it's seeing exploitation attempts against its honeypots.

Since then, a cURL-based one-line proof of concept (PoC) has been made available on GitHub and a "mass" scanner has been advertised for sale, VulnCheck security researcher Jacob Baines said in December 2022.

Furthermore, data gathered by GreyNoise has revealed 40 malicious IP addresses from the U.S., the Netherlands, Hong Kong, Australia, and Bulgaria, attempting to abuse the shortcoming.

The second flaw is an unauthenticated command injection vulnerability in Apache Spark that has been exploited by the Zerobot botnet to co-opt susceptible devices with the goal of carrying out distributed denial-of-service (DDoS) attacks.

Lastly, also added to the KEV catalog is a remote code execution flaw in Zoho ManageEngine ADSelfService Plus that was patched in April 2022.

Discover the Latest Malware Evasion Tactics and Prevention Strategies

Ready to bust the 9 most dangerous myths about file-based attacks? Join our upcoming webinar and become a hero in the fight against patient zero infections and zero-day security events!

RESERVE YOUR SEAT

"Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset," CISA said.

Cybersecurity company Rapid7, which discovered the bug, said it detected active exploitation attempts by threat actors to "execute arbitrary OS commands in order to gain persistence on the underlying system and attempt to pivot further into the environment."

The development comes as API security firm Wallarm said it has found ongoing exploit attempts of two VMware NSX Manager flaws (CVE-2021-39144 and CVE-2022-31678) since December 2022 that could be leveraged to execute malicious code, and siphon sensitive data.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

By Owais Sultan
As technology continues to evolve, the need for businesses to focus more on cybersecurity is becoming increasingly important…
This is a post from HackRead.com Read the original post: Why do Businesses Need to Focus More on Cybersecurity

As technology continues to evolve, the need for businesses to focus more on cybersecurity is becoming increasingly important and more people are starting to look into **cyber security bootcamps** to learn and be safer online. The reality is that cyber-attacks are no longer a rarity and can have devastating consequences for any business. 

The fact of the matter is that businesses do not have their own data that needs to be safeguarded. That said, most companies today process a lot of consumers’ data and sensitive information on a daily basis. Therefore, not just business data is at potential risk. Moreover, it’s no secret that cyber attacks are more frequent and more sophisticated than ever before. Hackers are no longer targeting big corporations **but small businesses** and startups as well. 

Pretty much anyone is fair game, especially companies that don’t have proper security measures in place and are vulnerable to data breaches. And as you may already know, any type of data is valuable to hackers as it can be sold to interested parties on the open market somewhere online. With that in mind, let’s have a look at why businesses need to focus more on cybersecurity. 

**The risks of not prioritizing cybersecurity for businesses**

Cybersecurity is an essential part of any business, regardless of its size or industry. Unfortunately, many businesses fail to **prioritize cybersecurity** and this can have serious consequences. For starters, a data breach can lead to the loss of sensitive customer information, which can result in financial losses and reputational damage. 

Not only that but cybercriminals may be able to access confidential company information such as trade secrets, intellectual property and consumer-sensitive information. This could not only ruin a company’s reputation but also put it out of business entirely. Furthermore, if a hacker gains access to a company’s network they may be able to install malicious software that could cause disruption or even **shut down operations completely**. 

Not to mention that this leaves businesses vulnerable to ransomware attacks where hackers demand payment in exchange for restoring access to their systems. All these risks demonstrate why it is so important for businesses to take cybersecurity seriously and invest in measures that will protect their networks from potential threats.

**The value of investing in proactive cybersecurity measures**

Investing in proactive cybersecurity measures is vital for any business, regardless of size or industry. As mentioned before, cybersecurity threats are **constantly evolving** and becoming more sophisticated, so it’s important to stay ahead of the curve by investing in the latest technologies and solutions. 

That said, many people are deciding to opt for cyber security bootcamps so they can get proper education and skills that can help them with future employment. So there’s no shortage of experts in the market, companies just have to hire them. Also, proactive measures can help protect your data from malicious actors, as well as reduce the risk of a data breach or other cyber attack. 

A good example of this is penetration testing where a data breach is simulated to identify potential risks and weaknesses in the company’s network or security measures. A data breach may happen sooner or later so it’s better to prepare for it than to sit idly by and hope that hackers will avoid your company for some reason. 

**Types of cyberattacks and Impact on businesses**

Cyber attacks come in many different forms, and each type of attack can have a unique impact on businesses. The most common types of cyberattacks are malware, phishing, ransomware, distributed denial-of-service **(DDoS) attacks**, and SQL injection. 

Hackers use different methods and different types of attacks to gain access to company data or at least, leave a backroom open for future breaches. That said, the most common type of attack is phishing scams. It’s much easier for hackers to try and fool unwary employees than it is for them to launch a full-scale attack on a company’s defences directly. 

Phishing and social engineering scams are much more effective and subtle ways of breaching a network as many companies neglect to invest in employee education regarding cybersecurity. This way, hackers gain access to company files and networks without anyone noticing they did so. After that, they will either leech information or prepare something much worse depending on their motives. 

Businesses need to prioritize cybersecurity to protect their data and systems from malicious online threats. Investing in the right security measures is essential for any business that wants to stay safe and secure in the digital world so modern businesses must focus on cybersecurity more. 

1.  **How to use AI in cybersecurity?**
2.  **5 Top Cybersecurity Threats to Businesses**
3.  **Benefits of video surveillance in your business**
4.  **Cybersecurity firms need real-time collaboration tool**
5.  **Cybersecurity automation: How can businesses benefit**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Why do Businesses Need to Focus More on Cybersecurity

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.

Ghost is committed to developing secure, reliable products utilising all modern security best practices and processes.

The Ghost security team is made up of full time staff employed by the Ghost Foundation as well as volunteer open source contributors and security experts. We do both consultation and penetration testing of our software and infrastructure with external security researchers and agencies.

We take security very seriously at Ghost and welcome any peer review of our completely open source codebase to help ensure that it remains completely secure.

**Security features****Automatic SSL**

Ghost’s CLI tool attempts to automatically configure SSL certificates for all new Ghost installs with Let’s Encrypt by default. In 2019 we intend to make SSL mandatory for all new installs.

**Standardised permissions**

Ghost-CLI does not run as root and automatically configures all server directory permissions correctly according to OWASP Standards.

**Brute force protection**

User login attempts and password reset requests are all limited to 5 per hour per IP.

**Data validation and serialisation**

Ghost performs strong serialisation and validation on all data that goes into the database, as well as automated symlink protection on all uploaded files.

**Encoded tokens everywhere**

All user invitation and password reset tokens are base64 encoded with serverside secret. All tokens are always single use and always expire.

**Password hashing**

Ghost follows OWASP authentication standards with all passwords hashed and salted properly using bcrypt to ensure password integrity.

**SQLi prevention**

Ghost uses Bookshelf ORM + Knex query builder and does not generate _any_ of its own raw SQL queries. Ghost has no interpolation of variables directly to SQL strings.

**XSS prevention**

Ghost uses safe/escaped strings used everywhere, including and especially in all custom Handlebars helpers used in Ghost Themes

**Dependency management**

All Ghost dependencies are continually scanned using a combination of automated GitHub tooling and yarn audit to ensure their integrity.

**Reporting vulnerabilities**

Potential security vulnerabilities can be reported directly to us at security@ghost.org. The Ghost Security Team communicates privately and works in a secured, isolated repository for tracking, testing, and resolving security-related issues.

**Responsible disclosure**

The Ghost Security team is committed to working with security researchers to verify, reproduce and respond to legitimate reported vulnerabilities.

*   Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept
*   Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites
*   Give reasonable time to correct the issue before making any information public

Security issues always take precedence over bug fixes and feature work. We can and do mark releases as “urgent” if they contain serious security fixes.

We will publicly acknowledge any report that results in a security commit to https://github.com/TryGhost/Ghost

**Issue triage**

We’re always interested in hearing about any reproducible vulnerability that affects the security of Ghost users, including…

*   Remote Code Execution (RCE)
*   SQL Injection (SQLi)
*   Server Side Request Forgery (SSRF)
*   Cross Site Request Forgery (CSRF)
*   Cross Site Scripting (XSS) but please read on before reporting XSS…

**However, we’re generally _not_ interested in…**

*   Privilege escalation as result of trusted users publishing arbitrary JavaScript1
*   HTTP sniffing or HTTP tampering exploits
*   Open API endpoints serving public data
*   Ghost version number disclosure
*   Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
*   Output from automated scans
*   Clickjacking with minimal security implications
*   Missing DMARC records

**Privilege escalation attacks**

Ghost is a content management system and all users are considered to be privileged/trusted. A user can only obtain an account and start creating content after they have been invited by the site owner or similar administrator-level user.

A basic feature of Ghost as a CMS is to allow content creators to make use of scripts, SVGs, embedded content & other file uploads that are required for the content to display as intended. Because of this there will always be the possibility of “XSS” attacks, albeit only from users that have been trusted to build the site’s content.

Ghost’s admin application does a lot to ensure that unknown scripts are not run within the the admin application itself, however that only protects one side of a Ghost site. If the front-end (the rendered site that anonymous visitors see) shares the same domain as the admin application then browsers do not offer sufficient protections to prevent successful XSS attacks by trusted users.

If you are concerned that trusted users you invite to create your site will act maliciously the best advice is to split your front-end and admin area onto different domains (e.g. https://mysite.com and https://admin.mysite.com/ghost/). This way browsers offer greater built-in protection because credentials cannot be read across domains. Even in this case it should be understood that you are giving invited users completely free reign in content creation so absolute security guarantees do not exist.

Anyone concerned about the security of their Ghost install should read our hardening guide.

We take any attack vector where an untrusted user is able to inject malicious content very seriously and welcome any and all reports.

**How reports are handled**

If you report a vulnerability to us through the security@ghost.org mailing list, we will:

*   Acknowledge your email within a week
*   Investigate and let you know our findings within two weeks
*   Ensure any critical issues are resolved within a month
*   Ensure any low-priority issues are resolved within three months
*   Credit any open source commits to you
*   Let you know when we have released fixes for issues you report

**Privacy**

Ghost as an organisation is self-funded, wholly independent, and only makes revenue directly from its customers. It has zero business interests of any kind predicated on selling private user data.

In addition the Ghost software itself contains a plainly written summary of every privacy-affecting feature within Ghost, along with detailed configuration options allowing any and all of them to be disabled at will. We take user privacy seriously.

CVE-2023-26510: Ghost Security & Privacy

Attackers have already targeted electric vehicle (EV) charging stations, and experts are calling for cybersecurity standards to protect this necessary component of the electrified future.

As electric vehicle (EV) charging infrastructure rushes to keep pace with the dramatic rise in sales of electric vehicles in the United States, cyberattackers and security researchers alike have already started focusing on security weaknesses in the infrastructure.

In February, researchers with energy-network cybersecurity firm Saiflow discovered two vulnerabilities in the Open Charge Point Protocol (OCPP) that could be used in a distributed denial-of-service (DDoS) attack and to steal sensitive information. And the Idaho National Laboratory recently found that every charger it examined — more formally known as Electric Vehicle Supply Equipment (EVSE) — was running outdated versions of Linux, had unnecessary services, and allowed many services to run as root, according to a survey of EV charging vulnerability research in the journal Energies. Other potential attacks include adversary-in-the-middle (AitM) and services exposed to the public Internet, according to the paper.

The risks are not just theoretical: A year ago, after Russia invaded Ukraine, hacktivists compromised charging stations near Moscow to disable them and display their support for Ukraine and their contempt for Russian President Vladamir Putin.

The cybersecurity concerns come as electric vehicle sales have taken off in the United States, accounting for 5.8% of all vehicles sold 2022, up from 3.2% the previous year, according to JD Power. Currently, less than 51,000 Level 2 and DC Fast charging stations are available in the US, representing the capability to charge 130,000 vehicles simultaneously, according to the US Department of Energy. With more than 1.5 million electric vehicles registered as of June 2022, that means there are 11 vehicles for every public charging port.

To keep up with demand, the major players in the EV charging sector all have significant expansion plans, and the Biden administration aims to increase the number of vehicle chargers to 500,000 by 2030.

While cybersecurity experts worry that the rush to create a comprehensive charging infrastructure could come at the expense of cybersecurity, the question of its cybersecurity preparedness is especially piquant given the connectedness of the infrastructure and the ability to potentially cause damage using access to the high voltage available, says Phil Tonkin, senior director of strategy at Dragos, a provider of industrial cybersecurity.

"Most EV chargers can be considered an Internet of Things (IoT) technology, but they are one of the first that has control over such a significant amount of electrical load," he says. He adds, "The aggregated risk of so many devices, often connected to a small number of single systems, means that devices of this type need to be implemented with care."

**EV Chargers: IoT, OT & Critical Infrastructure**

In many ways, EV charging infrastructure represents a perfect storm of technologies. The devices are connected via mobile applications and carry the same risks as other IoT devices, but they're also set to become a critical part of transportation network in the United States, like other operational technology (OT). And because EV charging stations must be connected to public networks, ensuring that their communications are encrypted will be critical to maintaining the security of the devices, says Dragos' Tonkin.

"Hacktivists will always be looking for poorly secured devices on public networks, it's important that the owners of EV put in place controls to ensure they are not easy targets," he says. "The crown jewels of the operators of EV chargers have to be their central platforms, the chargers themselves intrinsically trust the instructions pushed down from the center."

Consumer devices are also a problem. About 80% of charging takes place in the home, according to ChargePoint session data. But unfortunately, those devices may be easier to disrupt because consumers are not focused, nor should they need to be focused, on cybersecurity, Tonkin says.

"It's not practical for the average domestic customer to have to put in place the right security, therefore making sure the device itself and the methods it uses to communicate with cloud-based services should always be on the vendor," he says.

**Government's Role in EV Cybersecurity**

The US government should make standards and best practices available to companies to prevent cybersecurity weaknesses, some say. Sandia National Laboratories, for instance, has recommended a number of initiatives to strengthen cybersecurity, including improving EV owner authentication and authorization, adding more security to the cloud component of the charging infrastructure, and hardening the actual charging units against physical tampering.

"The government can say 'produce secure electric vehicle chargers,' but budget-oriented companies don't always choose the most cyber-secure implementations," Brian Wright, a Sandia cybersecurity expert working on the vulnerability project, said in a statement. "Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices."

EV Charging Infrastructure Offers an Electric Cyberattack Opportunity

Innocently or not, residential proxy networks can obscure the actual geolocation of an access point. Here's why that's not great and what you can do about it.

With so much of the world’s wealth, assets, and trade secrets existing in the cloud, fraudsters and nefarious players have ample motivation to look for new ways to break into networks. Increased VPN usage provides opportunities for threat actors to operate with nearly total anonymity, and we are seeing an uptick in breaches stemming from the widespread use of commercial or anonymous VPNs.

As a cybersecurity practitioner, I continually stress the importance of examining the context of VPN-driven data. Let's look at the top three trends I see emerging, as well as the role that IP address data will continue to play in the world of cybersecurity and ad fraud.

**1\. Residential Proxy Networks Will Keep Security and Marketing Teams Up at Night**

I am amazed by the growing number of entities offering residential proxy networks and promising a world of possibilities in scraping — search engine results pages, e-commerce sites, and webpages. Residential proxy networks use the IP addresses of consumers who sign up for any number of apps that pay them to share their bandwidth. The website or service will see requests coming from what they think are residential IP addresses and allow access to content that would have been blocked had the site been able to see the original IP address.

If I wanted to, I could access or scrape any site that restricts hosted or bot traffic by disguising myself using a legitimate residential IP address from whatever location I wanted.

Many of these apps are upfront with the users who opt to share their bandwidth, but some are more nefarious players, offering users access to a VPN without telling them that their IP addresses will be shared. In such cases, those IP addresses can be used to scrape websites, commit fraud, or launch distributed denial-of-service (DDoS) attacks.

The existence of residential proxy networks is quite troubling for organizations. Marketing teams may be paying for traffic they believe to be legitimate but is actually fraudulent.

Let's say an ad farm sets up a website for the sole purpose of selling ad space via the open-market exchanges. Your company may be led to believe it's a legitimate website that receives lots of consumer traffic in your target markets and which you verify by checking the IP address type and location. But how do you actually distinguish between real users and hosted or bot traffic hiding behind and proxy residential IDs? Without additional context around residential IPs, you can't make that distinction.

**2\. Security Teams Will Realize That WAFs Have Blind Spots**

Every organization has multiple layers of security, including Web application firewalls (WAFs).

A WAF protects your Web applications by monitoring, filtering, and blocking malicious HTTP/S traffic traveling to a Web application, preventing unauthorized data from leaving the application. It does this by adhering to a set of policies, including context around the IP address, that helps determine which traffic is malicious and which is safe. If, for instance, corporate security policy mandates that all non-residential IP addresses and addresses from a specific geolocation should be blocked, the firewall will block all traffic that matches those criteria.

Unfortunately, the proliferation of residential proxy networks means WAFs have a significant blind spot: Knowing the traffic is residential and has a geolocation that is permissible is no longer sufficient. While organizations deploy WAFs to protect against things like scraping and DDoS attacks, these tools can also be tricked into providing access when they shouldn't. Security teams need a lot more context around IP addresses to understand their incoming traffic.

**3\. Security Teams Will Find Ways to Detect Residential Proxy IPs**

In the face of these networks, context is your best defense. Security teams should ask critical questions about incoming traffic, such as:

*   Is this traffic proxied or VPN?
*   How many devices are connected to that IP address? (If you see hundreds of devices connected to an IP address, it’s probably not an individual person.)
*   Is the IP address stable? Has it been in the same location for 20 weeks?
*   Is the IP address part of a known residential proxy network that’s being used for other things?

All of this VPN-driven data and context provides vital clues that can protect marketing budgets as well as corporate networks.

IP address intelligence data isn’t the panacea for securing a network, but it can go a long way in providing the context security teams to identify when unusual activities are occurring and to investigate further. It can also help them enforce digital access rights, ensuring that users in prohibited or embargoed areas are restricted from accessing certain digital assets.

3 Ways Security Teams Can Use IP Data Context

Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack.
"Underpinning this campaign was the use of transfer[.]sh," Cado Security said in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code

Data Security / Cryptojacking

Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack.

"Underpinning this campaign was the use of transfer\[.\]sh," Cado Security said in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code hosting domains (such as pastebin\[.\]com)."

The cloud cybersecurity firm said the command line interactivity associated with transfer\[.\]sh has made it an ideal tool for hosting and delivering malicious payloads.

The attack chain commences with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer\[.\]sh.

It's worth noting that similar attack mechanisms have been employed by other threat actors like TeamTNT and WatchDog in their cryptojacking operations.

The payload is a script that paves the way for an XMRig cryptocurrency miner, but not before taking preparatory steps to free up memory, terminate competing miners, and install a network scanner utility called pnscan to find vulnerable Redis servers and propagate the infection.

"Although it is clear that the objective of this campaign is to hijack system resources for mining cryptocurrency, infection by this malware could have unintended effects," the company said. "Reckless configuration of Linux memory management systems could quite easily result in corruption of data or the loss of system availability."

The development makes it the latest threat to strike Redis servers after Redigo and HeadCrab in recent months.

The findings also come as Avertium disclosed a new set of attacks in which SSH servers are brute-forced to deploy the XorDdos botnet malware on compromised servers with the goal of launching distributed denial-of-service (DDoS) attacks against targets located in China and the U.S.

The cybersecurity company said it observed 1.2 million unauthorized SSH connection attempts across 18 honeypots between October 6, 2022, and December 7, 2022. It attributed the activity to a threat actor based in China.

42% of those attempts originated from 49 IP addresses assigned to ChinaNet Jiangsu Province Network, with the rest emanating from 8,000 IP addresses scattered all over the world.

"It was found that once the scanning identified an open port, it would be subject to a brute-force attack against the 'root' account using a list of approximately 17,000 passwords," Avertium said. "Once the brute-force attack was successful, a XorDDoS bot was installed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

**SAN FRANCISCO – March 1, 2023 –** Fastly, Inc. (NYSE: FSLY), the world’s fastest global edge cloud platform, today launched Fastly Managed Security Service, a premier 24/7 threat detection and response service dedicated to helping organizations significantly reduce the risk  of web application attacks and associated business costs due to lost transactions. Available to Fastly’s global Next-Gen WAF customers, Fastly Managed Security Service further demonstrates the company’s commitment to helping global marquee customers deliver innovative, secure digital experiences to their users.

Web applications continue to be popular targets for today’s attackers. In fact, according to the Verizon 2022 DBIR, web applications are the number one vector, and not surprisingly, they are also connected to the high number of Denial of Service attacks. This pairing, along with the growing use of stolen credentials (commonly targeting some form of web application) is consistent with what we’ve seen for the past few years. Existing security teams are spread thin and don’t always have the expertise or time to continuously monitor and detect these types of threats. Organizations can deploy Fastly Next-Gen WAF for accurate protection, and now they can further enhance this protection with Fastly’s Managed Security Service.

“Today’s defenders face an uphill battle against cyber adversaries due to an exploding attack surface and increasing volumetric attacks, particularly DDoS attacks. At the same time, security teams want to reduce complexity and prioritize their resources,”said Gino Lang, Vice President of Customer Security, Fastly. “By providing global 24/7 proactive protection, Fastly Managed Security Service delivers comprehensive visibility and the expert staff needed to quickly identify and mitigate potential threats. This frees up organizations to focus their security staff on other business priorities.” 

This latest announcement builds on the success of Fastly’s Response Security Service and other security offerings. “Fastly’s decision to extend its next-generation security capabilities to offer a managed security service is a natural evolution and reconfirms the company’s commitment to protecting organizations from today’s agile and persistent adversaries,” said Christopher Rodriguez, IDC Research Director, Security & Trust.

IDC recently recognized Fastly as a leader in the "IDC MarketScape: Worldwide Commercial CDN Services 2022 Vendor assessment", highlighting the company's ability to create fast, dynamic, and secure digital experiences.   

**About Fastly Managed Security Service**

Fastly Managed Security Service is a premium offering that provides Fastly Next-Gen WAF customers with continuous monitoring and proactive mitigation of web-application attacks, all backed by a 15-minute response time SLA for critical security incidents. We combine this with robust post-event reporting and regular, strategic security consultation in order to ensure the highest level of application protection to strengthen an organization’s overall security posture. 

Staffed 24/7 by Fastly’s global Customer Security Operations Center (CSOC), this service enables in-house teams to improve their overall security posture and focus on their core competencies, strategic initiatives, and high-impact projects.

Fastly’s Managed Security Service is now available to Fastly Next-Gen WAF customers. To learn more about how your organization can add this white glove experience to your security program, please contact \[email protected\]. For additional information about the new service, please visit here. 

**About Fastly**

Fastly’s powerful and programmable edge cloud platform helps the world’s top brands deliver the fastest online experiences possible, while improving site performance, enhancing security, and empowering innovation at global scale. With world-class support that achieves 95%+ average annual customer satisfaction ratings, Fastly’s beloved suite of edge compute, delivery, security and observability offerings has been recognized as a leader by industry analysts such as IDC, Forrester and Gartner. Compared to legacy providers, Fastly’s powerful and modern network architecture is the fastest on the planet, empowering developers to deliver secure websites and apps at global scale with rapid time-to-market and industry-leading cost savings. Thousands of the world’s most prominent organizations trust Fastly to help them upgrade the internet experience, including Reddit, Pinterest, Stripe, Neiman Marcus, The New York Times, Epic Games, and GitHub. Learn more about Fastly at https://www.fastly.com, and follow us @fastly.

Source: Fastly, Inc.

Tag

#ddos