Categories: News
Categories: Threat Intelligence
Tags: Education

Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.



(Read more...)




The post Education hammered by exploits and backdoors in 2021 and 2022 appeared first on Malwarebytes Labs.

In May of 2021, education underwent a siege of exploit attempts using the vulnerability CVE-2021-21551, which exploits a Dell system driver bug and helps attackers to gain access to a network. Considering that many schools across the United States use Dell hardware, it’s understandable to see such a large amount of this exploit. 

In fact, both Rockland Schools in Massachusetts and Visalia USD in California were hit with ransomware attacks during this period. The states that detected this threat the most were Minnesota and Michigan, with Detroit being the biggest target in the US. 

In September of 2021, there was a spike of the malicious setting, **RiskwareTool.IFEOHijack**, with detections having increased from July 2021 onward. This threat is flagged when malware modifies a registry setting that changes the default Windows debugger to a malware executable. It is a red flag that needs to be investigated immediately. Unfortunately, it doesn’t pinpoint which malware made the modification, but the increased presence of this threat, especially in Oklahoma and Washington State, calls for deeper threat hunting on the victims' networks. During the same period, a spike in exploit detections was observed and Howard University was breached.

The Trojan TechSupportScam covers an array of applications all designed to fool users into calling a “tech support” number to solve a problem created by the application, such as a blue screen, error message, activation alert, etc. These tools started spiking in January of 2022.  Educational institutions in New Jersey have had to deal with this threat more than any other state, however the public school district of Albuquerque, NM suffered a breach during the same month that could have been influenced by this spike in scams. Students and staff likely encountered these threats when installing risky software and/or visiting shady sites.

Finally, Pennsylvania schools have been dealing with an active campaign of backdoors, specifically QBot, since March of 2022, which will likely result in greater infections during the rest of 2022.

Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.  Throughout the year, almost every month has a report of an educational institution under attack. The first half of 2021 saw attacks against schools in Florida, New York, Oregon, Massachusetts, and California, while the second half saw attacks against Texas, Washington D.C., Wisconsin, and Illinois. The biggest attack of 2022, so far, would be the breach of Austin Peay State University in April, though time will tell if that remains true.

The education industry has the largest userbase out of all industries, considering the constant rotation of students and faculty. Therefore, the greatest threat to these organizations are the users themselves, who may download their own applications, visit dangerous websites, and even make system modifications to get around monitoring tools.

**Recommendations for education**

Our recommendation for this sector includes keeping an eye out for all new exploits that might affect your organization, especially commonly used systems. In a lot of cases, organizations may have a difficult time updating quickly, because of operational needs, but in the case of schools, a single vulnerability might be duplicated across 99% of its endpoints, which turns each of those systems into backdoors for the bad guys. So, making vulnerability patching one of the highest priorities will reduce attacks and decrease malicious file installation.

Next, systems that have been infected may leave behind artifacts of its operations, for example the IFEOHijack registry setting. Additionally, threats that may be installed on day one, might not activate until a user does something specific, or a certain date comes around, allowing the threat to hide in the meantime. To combat this threat, consider creating a secure, default system image that can be easily duplicated to endpoints, returning them to a default state. While this is likely already done by many schools every year, consider increasing the frequency to every quarter, maybe even every month, and have students save their files on cloud-based storage solutions.

By utilizing a default image, an organization can erase hidden malware, reset modified settings, and provide confidence in quickly isolating or wiping out an infected system. For the education industry, it’s not so much about what threats are actively targeting schools, but rather what threats have been left behind, that open doors for other, future attacks.

Education hammered by exploits and backdoors in 2021 and 2022

Machine-learning algorithms alone may miss signs of a successful attack on your organization.

Zero-day attacks that exploit unpatched software vulnerabilities saw exponential growth last year. According to cybersecurity researchers like the Zero-Day Tracking Project, 2021 saw more than 80 zero-day exploits recorded, versus 36 in 2000. There are already 22 such exploits on record for the first half of 2022.

As soon as a vulnerability becomes known, cybercriminals rush to exploit it before the software developer can write, test, and release a patch. That window may be hours, but more likely days or weeks long. So, it's important that you have threat hunters — humans, not machine-learning algorithms — scouring your infrastructure proactively for signs of a successful attack.

The risk of falling victim to a zero-day attack is considerable, and the consequences real. One study from the Ponemon Institute found that 80% of successful data breaches originated with zero-day exploits. The vulnerabilities exploited are found in software common to the enterprise, including Microsoft Windows and Office, Google Chrome, Adobe Reader, Apple iOS, and Linux.

With 2021's Apache Log4j Java-based vulnerability, we can add hundreds of millions of devices and a wide range of websites, consumer and enterprise services, and applications to the list.

Step one in protecting every organization is to practice excellent IT hygiene — keep up to date on patching and updating all software. It's the back-to-basics measure that so many companies love to overlook or postpone. Granted, it can be time and resource consuming to test and deploy software patches, and the process can disrupt business operations. But it's a critical safeguard and far less costly than a data breach.

**The Invisibility of Newness**

A strong perimeter and signature-based edge controls like anti-virus software and intrusion prevention do not provide complete protection. That's because they can only detect known threats. They are blind to the footprints of zero-day attacks, when the cybercriminals are the first to uncover and exploit a software vulnerability. That's why zero-day exploit kits carry very high price tags on the black market, running from tens of thousands of dollars up to millions. They work that well.

Once a cybercriminal has used a zero-day exploit to penetrate a network unseen, they can take their time and deploy their weapon of choice, from viruses and worms to malware and ransomware to remote code execution. They can move laterally in the network, steal identities, and steal data. As long as you don't know they're there, it's like handing over the keys to the crown jewels.

**The Role of Threat Hunting**

It's that invisibility that makes proactive threat hunting an essential component of the layered approach to security. It's made possible in part because we have been smart about using machine learning to free up scarce cybersecurity people resources by reducing the number of alerts needing human intervention by 90%. Some in the industry have taken this success to mean that humans can be phased out of the security equation by algorithms, and that algorithms can do the work for us, including threat hunting.

Machine learning does bring significant advantages to cybersecurity management, but it will never completely replace humans in the security operations center. Machines handle high-volume tasks like eliminating false positives and repetitions extremely well. Machine learning may assist when you are hunting for known threats, including advanced and "low-and-slow" threats, where you know what indicators of compromise (IoCs) to look for.

However, human intelligence, intuition, strategic thinking, and creative problem solving are essential in proactive zero-day threat hunting where the IoCs are unknown and the hunter is looking for the subtle indications that another human is maliciously active in your environment.

This approach is research intensive. The analyst may create a hypothesis and then validate it based on observed patterns or anomalous activity in security data logs and user and entity behavioral analysis (UEBA) logs. According to CISA, these can include failed file modifications, increased CPU activity, inability to access files, unusual network communications, compromised administrator privileges, credentials theft, increases in database read volumes, and irregular geographical access.

Companies can develop threat hunting skills in-house or acquire them as a managed service. Either way, these human defenders and their proactive threat hunting expertise are the new elites in the security industry. Supported by comprehensive log data, threat intelligence, and tools like the MITRE ATT&CK knowledge base, human threat hunters are essential to combatting zero-day attacks, multistage attacks, and devious, low-and-slow hackers.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

Regulators are close to stopping Meta from sending EU data to the US, bringing a years-long privacy battle to a head.

Facebook faces trouble in Europe—and Meta wants you to know about it. Every three months since June 2018, the company has used its financial results to warn that it could be forced to stop running Facebook and Instagram across the continent—potentially pulling its apps from millions of people and thousands of businesses—if it can’t send data between the EU and the US.

Whether Meta’s bluffing will become clear soon enough.

Data regulators are on the verge of making a historic ruling in a years-long case, and they are expected to say Facebook’s data transfers across the Atlantic should be blocked. For years, Meta has fought against European privacy activists over how data is sent to the US, with courts ruling multiple times that European data isn’t properly protected and can potentially be snooped on by the NSA and other US intelligence agencies.

While the case focuses on Meta, it has widespread ramifications, potentially impacting thousands of businesses across Europe that rely upon the services of Google, Amazon, Microsoft, and more. At the same time, US and European negotiators are scrambling to finalize a long-awaited new data-sharing deal that will limit what information US intelligence agencies can get their hands on. If negotiators can’t get it right, people’s privacy will remain at risk and billions of dollars of trade will be put in jeopardy.

At the start of July, the Irish Data Protection Commission, Facebook’s main data regulator in Europe, issued a draft decision that would block Meta from sending data across the Atlantic. While the specifics of that draft decision aren’t known, if it is enacted, it could create a Facebook blackout across Europe.

Under the GDPR, Europe’s data law, countries across the continent get 30 days to scrutinize Ireland’s Meta decision and respond with any potential changes or complaints. That time is now up. A spokesperson for the Irish regulator says “some” objections have been received from a “small” number of other countries and it is working to address these. Experts say these are likely to be minor points of law, rather than overturning the entire decision.

So, how likely is it that Meta will actually pull its services from Europe? In reality, the chances are probably pretty slim. Meta has said it has “no desire” to leave the continent, going as far as publishing a blog post titled “Meta Is Absolutely Not Threatening to Leave Europe.” Europe’s 30-plus countries are a large market for Meta, and stopping services, even temporarily, could be costly. (A close comparison is when the company briefly banned news posts in Australia in early 2021, following a row with publishers.) While Meta may not leave Europe, it may have to make changes to how it stores and transfers data once the final decision from the Irish regulator is published, although there is no set timeline. It may also face a fine.

“My guess is that Meta is going to have to look at some form of geo-siloing if they want to continue to operate in the EU,” says Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, a nonprofit digital rights research organization. Schroeder, who previously worked with companies on international data transfers, says this approach could mean Meta would have to create its own servers and data centers in the EU that aren’t connected to its broader databases.

Harshvardhan Pandit, a computer science research fellow at Trinity College Dublin who is researching the GDPR, says that as data authorities are still considering Meta’s case and a final decision hasn’t been published yet, they could include several caveats or steps that Meta should take to fall in line. For instance, one recent data protection decision in Europe gave a six-month period for a company to make changes to its business.

“I think the most pragmatic solution would be for them to create the European infrastructure, like Google or Amazon, which have quite a few data centers here,” Pandit says, adding that Meta could also introduce more encryption to how it stores data and maximize how much it keeps in the EU. All these measures would be costly, though. Jack Gilbert, director and associate general counsel at Meta, says that the issue “is in the process of being resolved.” Facebook did not respond specifically to questions about its plan to respond to the Irish decision.

European officials have twice ruled that systems put in place to share data between the EU and US don’t properly protect people’s data—the complaints have been ongoing since the early 2010s. European courts ruled that international data-sharing agreements weren’t up to scratch first in 2015 and then again in July 2020, when the Privacy Shield agreement was ruled illegal.

“All that the EU is asking for when organizations transfer data to other countries is to protect that data in line with the GDPR,” says Nader Henein, a research vice president specializing in privacy and data protection at Gartner. “The issue is that laws in the US that protect the data of ‘nonresident aliens’ are woefully insufficient and make it very difficult for organizations like Facebook to comply with local law and the GDPR.”

While Meta is the focus of the most high-profile complaint, it isn’t the only company impacted by a lack of clarity on how companies in Europe can send data to the US. “The data transfer issue is not Meta-specific,” David Wehner, Meta’s chief strategy officer, said in a July earnings call. “It relates to how in general data is transferred for all US and EU companies back and forth to the US.”

The impacts of the July 2020 decision to get rid of Privacy Shield are now being felt. Since January of this year, multiple European data regulators have ruled that using Google Analytics, the company’s traffic-monitoring service for websites, falls foul of the GDPR. Danish authorities went even further: Schools can’t use Chromebooks without restrictions being put in place. “There is a ton of legal uncertainty, and there is a significant compliance risk,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.

Politicians are well aware of the problems. In March, US president Joe Biden and European Commission president Ursula von der Leyen announced a new Trans-Atlantic Data Privacy Framework, which will change the way data is sent between the EU and US. The deal, which will be introduced by executive order, will limit what data US intelligence agencies can access and will create a new system where Europeans can complain if they think they’ve been illegally spied upon by US agencies.

However, since the deal was announced, no specifics—including any legal texts—have been published. In June, officials said the deal could be published in the coming weeks, but so far, there has been little public progress. The US Department of Commerce says discussions are still taking place, including a meeting between both sides last week. (A European Commission spokesperson says work on the new agreement is ongoing, but they do not have a timeline that can be shared.) The longer the negotiations take, the more blocking orders will drop. “Obviously, if that framework is not complete, we would be in jeopardy of being able to transfer data,” Facebook’s Wehner said earlier this year.

The deal is likely to take a while yet. “Realistically, at this point, we're looking at a potential adequacy decision for this Trans-Atlantic data transfers framework sometime next year—maybe the first quarter of next year,” Zanfir-Fortuna says. Once the details have been published, EU officials will spend months scrutinizing the specifics to see if they fall in line with court orders.

And they won’t be the only ones pouring over it. Privacy activists and lawyers will also be looking at the agreement and could launch further legal challenges if they find that data moving from Europe to the US still isn’t protected strongly enough. “The continued challenges are not unwarranted, particularly considering the Snowden revelations and the prevalence of Big Tech firms coming out of the US,” Schroeder says. “As a whole, America really needs to make sure we rise to the challenge of showing that we can be good stewards of the industry that we're trying to be leaders in.”

Will Europe Force a Facebook Blackout?

By Deeba Ahmed
The US Treasury Department has blacklisted Tornado Cash on the accusation that the platform helped bad actors harvest…
This is a post from HackRead.com Read the original post: US Blacklists Tornado Cash, GitHub Removes Co-Founder in Response

****The US Treasury Department has blacklisted Tornado Cash on the accusation that the platform helped bad actors harvest over $7 billion in cryptocurrencies.****

American citizens will not be able to use the Tornado Cash mixer protocol due to the US law enforcement agencies’ recent crackdown on the cryptocurrency industry. The authorities considered Tornado Cash a threat to the country’s national security and placed the platform on blocked entities, making it illegal to send/receive money via Tornado Cash.

The volatility of cryptocurrencies and the industry’s potential role in cybercrimes have been a cause of concern among US regulators/lawmakers.

> Seems like USDC has indeed blacklisted the @TornadoCash contracts, meaning if you had USDC deposited in Tornado you can not access it anymore even if everything you did was perfectly legit and legal. https://t.co/f5rpt4Ul9M
> 
> — Martin Köppelmann 🇺🇦 (@koeppelmann) August 8, 2022

The undersecretary for terrorism and financial intelligence, Brin Nelson, **stated** that Tornado Cash repeatedly got involved in laundering funds for cybercriminals despite “public assurance.”

It is worth noting that the State-backed North Korean Lazarus Group was blamed for **stealing 1.7 billion worth of cryptocurrencies** from different exchanges.

The Treasury Department claims that the platform laundered over $455 million in cryptocurrencies in 2022 via Lazarus Group, while overall, $7 billion have been laundered by Lazarus and other cybercrime groups.

Another cryptocurrency exchange under the radar of US authorities and may be facing blacklisting is **Kraken**.

**What is Tornado Cash?**

Tornado Cash is a decentralized mixer protocol (smart contract) launched in 2019. It is used to carry out private transactions on Ethereum. The platform accepts mixes, and pools cryptocurrency from different senders to ensure maximum privacy and obscure audit trail. These crypto mixers combine multiple streams of transactions to hide the funds’ origin and destination

**GitHub Removes Tornado Cash Co-founder**

Within hours after the US government blacklisted Tornado Cash, actions were taken against the platform, and all websites and accounts linked to it were removed from the internet.

**Microsoft-owned GitHub** also deleted the account of one of the co-founders of Tornado Cash, Roman Semenov. GitHub previously hosted code related to the mixer. When checked, the co-founder’s accounts returned a “Page Not Found” error, and emails also bounced back with the following message:

>  “The email account that you tried to reach is disabled.”

According to a GitHub spokesperson, as per trade laws, they are required to restrict entities/customers declared Specially Designated Nationals (SDNs) or who have been blocked by authorities from using GitHub.

The spokesperson further added that they need to check government sanctions regularly to ensure such entities don’t impact other users. On the other hand, Semenov later tweeted about his account’s blocking on GitHub stating the following:

> My @GitHub account was just suspended 🤷
> 
> Is writing an open source code illegal now?
> 
> — Roman Semenov 🌪️ 🇺🇦 (@semenov\_roman\_) August 8, 2022

1.  **German Authorities Warn Against Using Kaspersky Products**
2.  **US Warns Firms About North Korean Hackers Posing as IT Workers**
3.  **US Adds Kaspersky to List of Firms Posing Threat to National Security**
4.  **GitHub Blocks Accounts of Two Large Russian Banks Amid US Sanctions**
5.  **LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users**

US Blacklists Tornado Cash, GitHub Removes Co-Founder in Response

The U.S. Treasury Department on Monday placed sanctions against crypto mixing service Tornado Cash, citing its use by the North Korea-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and cash out the ill-gotten money.
Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, is estimated to have been

The U.S. Treasury Department on Monday placed sanctions against crypto mixing service Tornado Cash, citing its use by the North Korea-backed Lazarus Group in the high-profile hacks of Ethereum bridges to launder and cash out the ill-gotten money.

Tornado Cash, which allows users to move cryptocurrency assets between accounts by obfuscating their origin and destination, is estimated to have been used to launder more than $7.6 billion worth of virtual assets since its creation in 2019, the department said.

Thefts, hacks, and fraud account for $1.54 billion of the total assets sent through the mixer, according to blockchain analytics firm Elliptic.

Crypto mixing is akin to shuffling digital currencies through a black box, blending a certain quantity of digital funds in private pools before transferring it to its designated receivers for a fee. The aim is to make transactions anonymous and difficult to trace.

"Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks," Brian E. Nelson, under secretary of the Treasury for terrorism and financial intelligence, said.

The development comes as North Korea's Lazarus Group (aka Hidden Cobra) has been linked to the use of the decentralized crypto mixer to funnel the proceeds from a string of major hacks targeting virtual currency services, including that of Axie Infinity and Harmony Horizon Bridge in recent months.

The theft of $624 million worth of Ethereum from Axie Infinity's Ronin network bridge is the largest known cryptocurrency heist to date, with the $190 million hack of Nomad Bridge last week taking the fifth spot. The Horizon Bridge theft hack comes in at 11.

Specifically, the Treasury Department pointed to Tornado Cash's role in laundering over $455 million and $96 million worth of cryptocurrency stolen from the two heists. It has also been implicated for facilitating the theft of at least $7.8 million following the attack on Nomad Bridge.

"Tornado receives a variety of transactions and mixes them together before transmitting them to their individual recipients," the agency said. "While the purported purpose is to increase privacy, mixers like Tornado are commonly used by illicit actors to launder funds, especially those stolen during significant heists."

Also sanctioned by the department are 38 Ethereum-based addresses holding Ether (ETH) and USD Coin (USDC) that are linked to it, effectively prohibiting U.S. entities from transacting with these wallets.

"As a smart contract-based mixer, Tornado Cash is one of the most advanced methods available for laundering ill-gotten cryptocurrency, and cutting it off from compliant cryptocurrency businesses represents a huge blow for criminals looking to cash out," Chainalysis said.

The move makes Tornado Cash the second cryptocurrency mixer to be blocklisted by the Office of Foreign Assets Control (OFAC) following the designation of Blender.io in May 2022, also for its part in laundering illicit funds siphoned by the Lazarus Group and cybercrime cartels like TrickBot, Conti, Ryuk, and Gandcrab.

It's also the latest escalation in a series of enforcement actions aimed at tackling cryptocurrency-based crime, in the wake of similar sanctions imposed by the Treasury on virtual currency exchanges SUEX, CHATEX, and Garantex over the past year.

"Tornado Cash community tries its best to make sure it can be used by good actors by providing compliance tools for example," Roman Semenov, one of the co-founders of Tornado Cash, said in a tweet. "Unfortunately it's technically impossible to block anyone from using the smart contract on the blockchain."

The sanctions seem to be having further repercussions, what with Semenov's GitHub account suspended in the aftermath of the announcement. "Is writing an (sic) open source code illegal now?," he tweeted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Sanctions Virtual Currency Mixer Tornado Cash for Alleged Use in Laundering

A few days ago, a friend and I were having a rather engaging conversation that sparked my excitement. We were discussing my prospects of becoming a red teamer as a natural career progression. The reason I got stirred up is not that I want to change either my job or my position, as I am a happy camper being part of Cymulate's blue team.
What upset me was that my friend could not grasp the idea

A few days ago, a friend and I were having a rather engaging conversation that sparked my excitement. We were discussing my prospects of becoming a red teamer as a natural career progression. The reason I got stirred up is not that I want to change either my job or my position, as I am a happy camper being part of Cymulate's blue team.

What upset me was that my friend could not grasp the idea that I wanted to keep working as a blue teamer because, as far as he was concerned, the only natural progression is to move to the red team.

Red teams include many roles ranging from penetration testers to attackers and exploit developers. These roles attract most of the buzz, and the many certifications revolving around these roles (OSCP, OSEP, CEH) make them seem fancy. Movies usually make hackers the heroes, while typically ignoring the defending side, the complexities and challenges of blue teamers' roles are far less known.

While blue teams' defending roles might not sound as fancy and gather little to no buzz, they include essential and diverse titles that cover exciting and challenging functions and, finally, pay well. In fact, Hollywood should look into it!

**Defending is more complex than attacking, and it is more crucial**

Consider that you are a cyber security defender and that your assigned job is to protect your IT Infrastructure.

*   As a defender, you need to learn all sorts of attack mitigation techniques to protect your IT infrastructure. Conversely, an attacker can settle for gaining proficiency in exploiting just one vulnerability and keep exploiting that single vulnerability.
*   As a defender, you must be alert 24/7/365 to protect your infrastructure. As an attacker, you either choose a specific time/date to launch an attack or run boring brute force attacks across many potential targets.
*   As a defender, you must protect all weak links in your infrastructure - xerox, machine printer, attendance system, surveillance system, or endpoint used by your receptionist - whereas attackers can select any system connected to your infrastructure.
*   As a defender, you must comply with your local regulator while performing your daily work. Attackers have the liberty to mess up with laws and regulations.
*   As a defender, you are prepared by the red team that assists your work by creating attack scenarios to test your capabilities.

**Blue teams include complex, challenging, and research-intensive disciplines, and the related roles are not filled.**

In the conversation mentioned above, my friend assumed that defending roles mainly consist of monitoring SIEMs (Security Information and Event Management) and other alerting tools, which is correct for SOC (Security Operations Center) analyst roles. Here are some atypical Blue Team roles:

*   **Threat Hunters** – Responsible for proactively hunting for threats within the organization
*   **Malware Researchers** – Responsible for reverse engineering malware
*   **Threat Intelligence Researchers** – Responsible for providing intelligence and information regarding future attacks and attributing attacks to specific attackers
*   **DFIR** – Digital Forensics and Incident Responders are responsible for containing and investigating attacks when they happen

These roles are challenging, time intensive, complex, and demanding. Additionally, they involve working together with the rest of the blue team to provide the best value for the organization.

According to a recent CSIS survey of IT decision makers across eight countries: "82 percent of employers report a shortage of cybersecurity skills, and 71 percent believe this talent gap causes direct and measurable damage to their organizations." According to CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), the United States faced a shortfall of almost 314,000 cybersecurity professionals as of January 2019. To put this in context, the country's total employed cybersecurity workforce is just 716,000. According to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015. By 2022, the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions."

**C Level executives are disconnected from reality when it comes to Internal Blue Teams**

The above graph is from an excellent talk called "How to Get Promoted: Developing Metrics to Show How Threat Intel Works - SANS CTI Summit 2019". It illustrates the disconnect between the high-level executives and "on-the-ground" employees and how high-level executives think that their defensive teams are much more mature than their team self-assessment.

**Solving the Problem****Strive to teach SOC analyst's new craft**

Bringing new and experienced researchers is expensive and complicated. Perhaps organizations should strive to promote and encourage entry analysts to learn and experiment with new skills and technologies. While SOC managers might fear that this might interfere with experienced analysts' daily missions or result in people leaving the company but, paradoxically, it will encourage analysts to stay and take a more active part in maturing the organization's security at almost no extra cost.

**Cycle employees through positions**

People get tired of doing the same thing every day. Perhaps a clever way to keep employees engaged and strengthen your organization is to let people cycle across distinct roles, for example, by teaching threat hunters to conduct threat intelligence work by giving them easy assignments or sending them off to courses. Another promising idea is to involve low-tier SOC analysts with real Incident Response teams and thus advance their skills. Both organizations and employees benefit from such undertakings.

Let our employees see the results of their demanding work

Whether low-tier SOC analysts or Top C-level executives, people need motivation. Employees need to understand whether they are doing their job well, and executives need to understand their job's value and the quality of its execution.

Consider ways to measure your Security Operations Center:

*   How effective is the SOC at processing important alerts?
*   How effectively is the SOC gathering relevant data, coordinating a response, and taking action?
*   How busy is the security environment, and what is the scale of activities managed by the SOC?
*   How effectively are analysts covering the maximum possible number of alerts and threats?
*   How adequate is the SOC capacity at each level, and how heavy is the workload for different analyst groups?

The table below contains more examples and measures taken from Exabeam.

And, of course, validate your blue team's work with continuous security validation tools such as those on Cymulate's XSPM platform where you can automate, customize and scale up attack scenarios and campaigns for a variety of security assessments.

Seriously, validating your blue team's work both increases your organization's cyber resilience and provides quantified measures of your blue team's effectiveness across time.

_Note: This article is written and contributed by by Dan Lisichkin, Threat Hunter and Threat Intelligence Researcher at Cymulate._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

The Benefits of Building a Mature and Diverse Blue Team

Pwn stars

Hacker Summer Camp is only days away, so in order to whet your appetite, The Daily Swig has compiled a list of some of the best talks of years past.

Over the years there’s been thrills, spills, and (of course) ‘sploits, as the top researchers in the security world have descended on Las Vegas for Black Hat USA and DEF CON – a security double bill that’s hard to beat.

This year’s Black Hat – which is again taking place as a hybrid event – and DEF CON offerings are sure to add to the already impressive roster of ground-breaking talks from years gone by.

Now that Covid-related restrictions have largely been lifted, the 2022 edition promises to be something of a grand reopening of arguably the single most important event in the infosec calendar.

Without further ado (and in no particular order) here are our top picks from past Black Hat and DEF CON events…

**Panic in the Cisco**

Michael Lunn’s 2005 talk on the security shortcomings of Cisco’s networking technology was important not only because of the potential impact of his discovery, but because it served as an example of an attempt to suppress security research.

Lunn resigned from his employment with Internet Security Systems in order to deliver a talk on a critical vulnerability in router technology from Cisco.

The security researcher demonstrated an exploit – which opened the door to a range of attacks from eavesdropping to disabling the compromised device – while withholding any details. Cisco issued a security fix to its firmware prior to the talk, but not many organizations had applied it by the time it rolled around.

Cisco initially gave the go-ahead for the talk but had second thoughts with the event imminent. ISS agreed to a request from the networking giant, but Lunn disagreed. This prompted his decision to resign in order to present his findings.

**Cache from chaos**

Dan Kaminsky’s reveal of a cache poisoning flaw affecting the software of multiple DNS vendors back in 2008 remains a landmark event in networking security.

The security researcher worked with DNS vendors for months to fix the critical vulnerability before laying the problem bare during Black Hat 2008.

It remains a testament to the late security researcher, who sadly passed away in April 2021, prompting an outpouring of tributes to a true infosec great characterized by “kindness, boundless energy, and positivity”.

**Hitting the Jackpot**

Barnaby Jack’s live hack demo on an ATM set the benchmark for spectacular hacks and cutting-edge security research. Jackpotting – as the attack later became known – involved a targeted assault on the software running on ATMs.

The end result involved injecting malware into the operating system of cash dispensing machines, causing them to dish out bank notes fraudulently. Either exploitable vulnerabilities in an ATM’s remote management system or unauthorised physical access to a machine (perhaps facilitated by a corrupt insider) might be used to carry out an attack.

Prior to Jack’s research, embedded systems such as ATMs were widely (but incorrectly) thought to be beyond the scope of potential hack attacks. The research paved the road to follow-up studies into the security of medical devices such as pacemakers and insulin pumps.

**Up in the air**

Interest in the security of air traffic control systems took off with Andrei Costin’s presentation on the issue during Black Hat 2012. Costin’s talk focused on security aspects of ADS-B (Automatic Dependent Surveillance-Broadcast), a satellite-based aircraft tracking technology, and other flight technologies.

The presentation looked at ADS-B (in)security from a practical perspective, presenting the “feasibility and techniques of how potential attackers could play with generated/injected air traffic, and as such potentially opening new attack surface” into air traffic control systems.

**Don’t look up**

Shifting the focus from airborne planes to satellites in orbit, a well-received 2014 talk by Ruben Santamarta reviewed the security of satellite communication terminals.

IOActive found that all the devices they accessed were potentially open to abuse. The vulnerabilities uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, or weak encryption algorithms.

“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products,” IOActive warned at the time. “In certain cases, no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.”

**Policy forum**

Black Hat and DEF CON have never been the forum for technical discussions and hacking demos alone. Policy issues are often in play too, as evidenced by talks from the likes of Dan Geer and Jennifer Granick.

Geer, CISO for In-Q-Tel, a not-for-profit venture capitalist firm that looks for tech that supports the US intelligence community, spoke about cyberspace as a domain for conflict between nations and on power politics in 2014.

Granick, director of civil liberties at the Stanford Center for Internet and Society, looked forward to the next phases of the development of the internet in 2015.

More recently Parisa Tabriz, director of engineering at Google, used her 2018 Black Hat keynote to give a practical perspective on secure development. And last year Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), outlined how hackers, the government, and the private sector can work together to confront cyber threats.

**Kettle reinvents HTTP request smuggling**

PortSwigger’s James Kettle reinvented the long-neglected topic of request smuggling with his presentation on HTTP desync attacks at DEF CON in 2019.

Kettle showed how it was possible to manipulate web requests in order to poison web caches. The hack allowed Kettle to compromise PayPal’s login page, among other targets, and claim $70K in bug bounties.

The hack relied in exploiting flaws in how web systems pass web-based requests between front end and back end system, as explained in a Daily Swig article published at the time of the talk.

**A new era in SSRF**

Noted web security researcher Orange Tsai used a 2017 Black Hat talk to outline an exploit technique variant that might be harnessed to bypass server-side request forgery (SSRF) protections.

The technique relied on fuzzing to unearth previously undiscovered vulnerabilities in the libraries of programming languages including Python, PHP, Perl, Ruby, Java, JavaScript, Wget, and cURL.

The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Flaws in web applications such as WordPress, vBulletin, MyBB, and GitHub have also been uncovered using the same approach, the security researcher told Black Hat USA attended in 2017.

**Hasta la Vista**

Polish security researcher Joanna Rutkowska became well known in the security community following her demonstration of an attack against Windows Vista’s kernel protection mechanism at Black Hat USA 2006.

During the same presentation, she also demonstrated a technique called ‘Blue Pill’ that involved hacking the operation of a virtual machine to plant stealthy malware.

**Gone in 40ms**

Hacking took to the roads in 2015 after security researchers Charlie Millar and Chris Valasek demonstrated how to launch a remote cyber-attack against an unaltered factory vehicle.

The security researchers hacked into a Jeep Cherokee through a mobile connection to its entertainment system via a technique that allowed them to send messages on the CAN bus to critical electronic control units. This, in turn, allowed them to control the braking, steering, and acceleration of the car.

That’s our round-up of the best-ever talks at Hacker Summer Camp – but what are your picks?

Have we failed to mention any unmissable talks? What are your favourite hacks? Let us know on Twitter at @DailySwig.

You can also watch more talks from previous Hacker Summer Camps on YouTube, ranked by numbers of views, via the DEF CON and Black Hat archives.  

YOU MAY ALSO LIKE ParseThru: HTTP parameter smuggling flaw uncovered in several Go applications

The best Black Hat and DEF CON talks of all time

Categories: Explained
A hack tool called KMSPico is hailed as the go-to tool when it comes to activiating Windows. But is it safe?



(Read more...)




The post KMSpico explained: No, KMS is not "kill Microsoft" appeared first on Malwarebytes Labs.

_Thanks to Pieter Arntz and the Threat Intelligence Team who contributed to the research._

A hack tool is a program that allows users to activate software even without a legitimate, purchased key. Hack tools are often used to root devices in order to (among others) remove barriers that stop users from using apps from other markets. This is why the term “hack tool” is often interchanged with “crack tool” and “rooting program.”

Many seek such tools in the hopes of getting more control over their devices, or out of necessity if the software they want to use requires them. In this post, we’ll focus on one hack tool that has been a trusted tool for activating pirated copies of Microsoft products for free: KMSPico.

**What is KMSPico?**

KMSPico (often stylized as KMSPICO or KMS Pico) uses an unofficial key management services (KMS) server to activate Microsoft products—although several hack tools already do the same. Here are some of Malwarebytes’ detection of such tools:

*   RiskWare.AutoKMS
*   AutoKMS.HackTool.Patcher.DDS
*   RiskWare.KMS
*   HackTool.KMS
*   HackTool.Agent.KMS
*   HackTool.IdleKMS
*   HackTool.AutoKMS
*   HackTool.WinActivator

KMSPico is one of the most (if not _the_ most) popular software activation tools for Windows and Office Suite, with millions of global users and endorsers. Funnily enough, it also seems to have a lot of "official websites."

Searching for “official KMSpico site” on your favorite search engine will yield thousands of results, including pages of posts from various portals warning internet users not to download KMSPico from Website A or Website B as its malware. And they’re right.

Whatever KMSPico “official” website you find in your search results is undoubtedly fake, which leaves people wondering—or probably even believing—that KMSPico is a myth. This tool, however, is far from mythical. It does exist, and the latest version, **10.2.0**, can only be downloaded from a members-only forum posted almost a decade ago.

**How does it work?**

To understand how KMSPico works, we should first understand how a KMS activation works.

KMS is a legitimate way to activate Windows licenses in client computers, especially en masse (volume activation). There is even a Microsoft document on creating a KMS activation host.

A KMS client connects to a KMS server (the activation host), which contains the host key the client uses for activation. Once KMS clients are validated, the Microsoft product on those clients contacts the server every 180 days (6 months) to maintain its validity. However, a KMS set-up is only viable for large organizations with Volume Licensed (VL) Microsoft products.

This is what KMSPico is trying to exploit. Once installed onto user clients, it changes a user’s retail version of their Microsoft to a “Volume Licensed” one by simply changing the key into a generic VL key. KMSPico then changes the default KMS server to an unofficial KMS server set up by the hack tool’s developer. 

Note that if the KMSPico developer decides to kill the server, then whoever their users are would no longer have an activated version of their Microsoft product.

**Why we don’t recommend it**

Hack tools can be qualified as riskware, a category of software that may be risky to install on your computer or device. This is because a legitimate copy of the software may be bundled with adware, or it’s actually malware named after popular software. Such is the case for KMSPico.

On top of that, using KMSPico violates Microsoft’s ToS (terms of service) for its products.

Our 2021 State of Malware report found that hack tools plagued our consumer and enterprise clients for the previous two years. 

Perhaps the most critical data we have of KMS hack tools are that they are ranked as a top threat for consumers (with a 2,118 percent growth) and enterprises (with a 2,251 percent growth). We attributed this to the sudden change in work life due to many moving to a work-from-home (WFH) set up during the COVID-19 pandemic. Many employees—and potentially even employers—resorted to using cracked versions of Microsoft products.

Finally, regarding software updates or patching, it’s also likely that KMSPico blocks any activated Microsoft product from “calling home.” If it does, then that would stop these products from getting updates or patches, and KMSPico users would be left with very vulnerable Microsoft software.

**Does Malwarebytes detect KMSPico?**

Yes. We detect components from the same toolset. So if you have downloaded the KMSPico tool, expect your Malwarebytes product to alert you of files detected as **HackTool.KMSpico**, **CrackTool.KMSPico**, or both.

KMSpico explained: No, KMS is not "kill Microsoft"

By Waqas
Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying…
This is a post from HackRead.com Read the original post: Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

****Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying malware dubbed SHARPEXT.****

**Gmail** users should watch out for the newly discovered email reading malware named SHARPEXT. It is identified by cybersecurity firm Volexity. This nosey malware spies on AOL and Google account holders and can read/download their private emails and attachments.

**Campaign Details**

SHARPEXT malware infects devices through browser extensions on Google Chrome and Chromium-based platforms, including Korean browser Naver Whale and Microsoft Edge. Its primary targets are users in the USA, South Korea, and Europe, while its origin has been traced to a North Korean hacker group called Kimsuky or SharpTongue, which is associated with the North Korean intelligence agency Reconnaissance General Bureau.

The typical targets of SHARPEXT malware include those working in nuclear weaponry. It is worth noting that **in Jun 2021**, Kimsuky APT was found targeting the South Korean atomic agency by exploiting VPN flaws. **In March 2015**, the same group was blamed for targeting South Korea’s Kori nuclear plant and leaking sensitive data on Twitter.

As for SHARPEXT; the malware can directly inspect and exfiltrate data from Gmail accounts and impact version 3.0. This campaign has been active for more than a year, and during this time, it has stolen thousands of files and messages from Gmail and AOL email accounts.

The malware is currently targeting Windows devices, but Volexity claims it may work on Linux and macOS devices too.

**How the Attack Occurs?**

The victims are lured into opening a document that contains the malware. The malware is distributed through **social engineering** and spear phishing scams.

> “Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.”
> 
> Paul Rascagneres, Thomas Lancaster – Volexity Threat Research

According to Volexity’s **blog post**, once installed on the device, SHARPEXT malware inserts itself within the browser via the Preferences and Secure Preferences files. It then enables its email read/download capabilities. Moreover, it also hides warning alerts that may be displayed to notify the user about the presence of an unverified extension on the device.

For your information, SHARPEXT malware-laced extensions are hard to spot since there’s no such thing in it that could trigger an antivirus scanner response, and the actual threat runs from another server.

Process workflow of SHARPEXT malware (Image: Volexity)

1.  **Gmail wittingly storing your online purchase data for years**
2.  **Google vulnerability allowed sending spoofed emails with Gmail ID**
3.  **Hackers using malicious Firefox extension to phish Gmail credentials**
4.  **Popular Android Zombie game phishing users to steal Gmail credentials**
5.  **Microsoft MSHTML flaw exploited in Gmail and Instagram phishing scam**

**How to Stay Protected?**

Volexity has published a list of IoCs (indicators of compromise) on **Github** to help you identify if the device has been infected already. You may also inspect all the browser extensions installed and check if all of them can be found on Chrome Web Store.

Furthermore, Remove any extensions that look suspicious, or you downloaded from an unreliable source. Always use the best antivirus solutions to keep your device protected.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

Plus: A crypto-heist extravaganza, a peek at an NSO spyware dashboard, and more.

Cryptocurrency tracing has become a key tool for police investigating everything from fraud and ransomware to child abuse. But its accuracy may soon be put to the test.

This week, we reported on new court filings from the legal team representing Roman Sterlingov, who’s been in jail for 15 months, accused of laundering $336 million in cryptocurrency as the alleged owner and operator of dark-web crypto mixer Bitcoin Fog. Sterlingov not only maintains he is innocent, but his defense attorney claims that the blockchain analysis that served as evidence that Sterlingov set up Bitcoin Fog is flawed.

Elsewhere, we highlighted Microsoft’s newly bolstered Morse bug-hunting team, which aims to catch flaws in the company’s software before they cause problems for the company’s 1 billion users. We dove into the spectacular failure of a new post-quantum encryption algorithm. We listed all the big security updates you need to be on top of from July, and we detailed all the data that Amazon’s Ring cameras collect about you.

Finally, a new report from cybersecurity company Mandiant found an attack on Albania’s government has the hallmarks of state-sponsored Iranian hacking—a notable moment of escalation in the history of cyberwar, given that Albania is a NATO member. And we got into the weeds of a Slack error that exposed hashed passwords for five years.

But that’s not all. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

This is not a test. Software used to transmit US government-issued emergency alerts on television and radio contains flaws that could allow an attacker to broadcast false messages, according to the Federal Emergency Management Agency and the security researcher who found the vulnerabilities. The company that makes the software, Digital Alert Systems, has issued patches, and FEMA has alerted the TV and radio networks that use the software to update their devices immediately. Of course, patches may not be universally adopted, leaving the system at risk. There’s no evidence that an attacker has exploited the flaws so far. But considering the mayhem false emergency alerts can cause, we’ll just have to hope that it stays that way.

One major theft of cryptocurrency in a week would be bad, and this week saw two. First, thanks to a flaw in the Nomad bridge—a type of application that lets users move digital tokens across blockchains that are prime hacker targets—“hundreds” of people were able to steal a collective $190 million in cryptocurrencies. Nomad now says that anyone who returns 90 percent of the funds they swiped will be considered a “white hat” and can keep the remaining 10 percent as a bounty. Some $22 million of the stolen funds had been recovered so far.

The second crypto hack of the week came just a day later, on Tuesday night, with hackers draining around 8,000 “hot” wallets (cryptocurrency storage apps that are connected to the internet) connected to the Solana ecosystem, allowing them to steal around $5 million worth of crypto. Solana said in a tweet that the exploit was due to a bug in “software used by several software wallets popular among users of the network,” not the Solana network or its cryptography.

It’s one thing to be told what NSO Group’s spyware can do, but it’s quite another to see it for yourself. Reporters at Israel’s _Haaretz_ got their hands on never-before-seen screenshots of Syaphan, a prototype of NSO’s now-infamous Pegasus spyware, which has retained much of the look and functionality of its precursor. The screenshots show that operators have the ability to access call logs and messages and remotely enable cameras and microphones to turn an infected device into a real-time spying tool.

Government use of Pegasus and other spyware has resulted in a growing number of scandals, particularly in Europe. Yesterday, Panagiotis Kontoleon, the head of Greece’s intelligence service, and Grigoris Dimitriadis, general secretary of the prime minister’s office, resigned. Their departures follow a complaint filed by Nikos Androulakis, the head of the socialist PASOK party, who alleged that his phone had been targeted by Predator spyware created by Cytrox, which is based in neighboring North Macedonia. Greece’s prime minister’s office maintains, however, that the resignations and the spyware allegations are unconnected. “In no case does it have anything to do with Predator (spyware), to which neither he nor the government are in any way connected, as has been categorically stated,” it said in a statement.

Remember a few months ago when everyone was mad at DuckDuckGo? Well, that thing you were angry about has now been (mostly) fixed, according to the company. Back in May, security researcher Zach Edwards found that DuckDuckGo’s privacy browsers—not its search engine, for which the company is better known—allowed some third-party Microsoft tracking scripts. DuckDuckGo, which has a partnership with Microsoft, says it has expanded its 3rd-Party Tracker Loading Protection to include 21 more domains, thus blocking the bulk of Microsoft tracking scripts on websites accessed via its mobile DuckDuckGo Privacy Browser or while using its Privacy Essentials extension, which can be used with all major browsers. However, DuckDuckGo will still allow advertisers to track clicks from DuckDuckGo through scripts from the bat.bing.com domain. Is it perfect? No—even DuckDuckGo admits that. But it’s still a privacy improvement over mainstream browsers and search engines.

Tag

#intel