Traditional businesses migrating to the cloud need robust information security mechanisms. Gartner predicts that more than 95% of new digital workloads will continue to be deployed on cloud-native platforms by 2025.
Robust cloud data security is imperative for businesses adopting rapid digital transformation to the cloud. While a traditional hosting model could be considered more secure, not all

Traditional businesses migrating to the cloud need robust information security mechanisms. Gartner predicts that more than 95% of new digital workloads will continue to be deployed on cloud-native platforms by 2025.

Robust **cloud data security** is imperative for businesses adopting rapid digital transformation to the cloud. While a traditional hosting model could be considered more secure, not all organizations are receptive to relinquishing control over their infrastructure or applications by relying on a cloud provider at an increased risk of data theft from a cyberattack done by an outsider.

Having said so, let's try to understand the vital part.

****What is Cloud Data Security?****

Cloud data security entails securing data, whether at rest or in motion, on cloud-based infrastructure, applications, etc., against cyber threats like data breaches, unauthorized access, DDoS attacks, etc.

This includes the technologies, policies, controls, and services to protect cloud-based systems, data, and infrastructure to meet the needs of a business by configuring it to ensure that only the people and equipment with verified credentials can gain access to confidential data.

It ensures that sensitive data is encrypted and the right access controls to safeguard it once it's migrated into the cloud. This helps protect against unauthorized employees accessing any personal and confidential corporation data stored on remotely hosted network drives.

The dangerous content and malicious scripts are filtered out before serving employees or customers. Perhaps most importantly, data is backed up if an incident or disaster strikes.

On a broader scale, the following are included when it comes to cloud security:

*   Physical networks
*   Network security
*   Access control
*   Applications and software
*   Data servers
*   Regulatory compliance etc.

Implementation of cloud computing security processes should be a joint responsibility between the business owner and the solution provider.

However, if asked to implement strategic cloud computing solutions that have strict operational needs, it's vital to make sure you have your resource planning in order by formulating strong technological policies; monitoring response time; putting IT support in place for contacts, fixes, enhancement, and growth requirements; aligning usage with cost-effectiveness objectives and so on.

****How is Data Secured in the Cloud?****

Never let your guard down when it comes to it, as it does not share the same stage with Security-as-a-Service (SECaaS or SaaS).

Also, it is impractical to assume that the cloud is totally secured, and as a business owner, make sure it's best always to have someone check what's going on in your account. It's best never to be too comfortable with how secure or authorized information may be stored because there are no guarantees when you entrust it to third parties who offer these services.

****Three Key Technologies Make Data Secure in the Cloud********1** — **Cloud Firewall****

Firewalls are designed to protect from malicious internet traffic. This makes it safer for users to access their data and applications on the net safely.

The **cloud-based WAF** (Web Application Firewall) has two main parts. First, an agent sits on each server in the cloud environment. Secondly, there is a management console from where you can perform all the tasks of configuring the settings of your WAF, be it adding new rules or deleting existing ones, for example.

Whether you use a private or public cloud or set up one yourself, installing and using our WAF across your platforms is hassle-free and simple.

****2** — **Cloud Data Encryption****

Suppose a cyber attacker hacks into a company's cloud and finds plain data. In that case, the attacker can carry out attacks at their leisure: they could leak your sensitive information to damage your reputation or, worse still, sell this information to other malicious actors so that it could be used against you.

Encrypting data is an important process because, if done correctly, it can prevent your information from being hacked or uncovering private information while in transit.

To engage in encryption successfully, you need to follow certain steps. First and foremost, the code needs to be altered using a cipher that changes regularly. The key to this kind of encryption is the right keys used when encrypting information and decrypting sensitive data.

****3** — **Identity and Access Management (IAM)****

Identity Access Management or IAM products are designed to store and track information relevant to user identification and each account's level of access, status, and digitally stored credentials. This information keeps malicious security threats off a network by verifying each user's authorization attempting to access it.

****Cloud Data Protection – 5 Top Benefits****

The business advantage of cloud protection comes in many forms. Here are the 5 key advantages of cloud data protection:

****1** — **Round-the-clock Visibility****

The best cloud data security solutions make it easy to monitor your application and cloud-based assets 24/7.

****2** — **DDoS Protection****

A DDoS (Distributed Denial of Service) attack is designed to flood web servers and deny access to users attempting to visit the site. This is done by overloading the web host system with many requests, which can bring the target down if it's overwhelmed by too much traffic.

By installing **AppTrana WAF**, a fully managed Web Application Firewall, you can handle various attack types by identifying and patching vulnerabilities instantly, thereby determining what is required to quell an attack and always ensure available data.

****3** — **Data Security****

Cloud computing security policies are like locks on a building door. The better the lock, the more likely it is to keep people out when you are not around. The same is true for your confidential information. It would help to encrypt it so that hackers can't read it.

Cloud data security relies on protocols and policies like strong access controls and data encryption to protect confidential information from unauthorized entities.

****4** — **Advanced Threat Detection****

Cyber threats considered advanced have to include certain parameters in qualifying as advanced truly. For example, suppose a cyber threat (ransomware, zero-days or malware, etc.) is created to gain unauthorized access to a vulnerable network. The attackers have unlimited tools and resources (meaning no features have been built into them to prevent potential breaches). In that case, this qualifies as an advanced type of attack.

Cloud computing security closes the security gaps with end-point scanning, and global threat intelligence. Thereby you can detect threats more easily.

****5** — **Regulatory Compliance****

Cloud-based businesses need to be aware of data protection laws in the countries their business works with and the cyber risks they face to avoid creating industry & location-Specific Regulations mess that could impact their revenue and reputation.

A big benefit of using managed cloud security services is having expert assistance in risk management and compliance programs. A cloud-based managed security service is not only there to perform on-demand audits of your servers and data, but it's also there to offer improvements in existing and emerging laws impacting privacy.

****Conclusion****

Akin to data in your laptop's hard disk, Data security on the cloud is a top priority for organizations today. But that doesn't mean that you can be complacent when protecting your infrastructure - especially considering how much there is to manage, like web applications and APIs, and keeping your network secure.

With robust web application security solutions, your business would be able to protect itself from widespread cyber threats with more peace of mind without worrying about hackers breaking into your system and stealing your company secrets.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Are You Investing in Securing Your Data in the Cloud?

Maintainers of open source software (OSS) will gain additional security tools for their own projects, while the developers who use OSS — and about 97% of software does — will gain more data on security.

The maintainers of thousands of critical open source projects and the developers who build on the foundation of that code will both benefit from 10 security initiatives launched late last week by the Linux Foundation, the Open Source Security Foundation (OpenSSF), and 37 technology companies, the groups said — including tech bigwigs Amazon, Google, and Microsoft.

During a second summit of software industry professionals and government officials, the organizations committed to supporting a 10-step plan to shore up open source maintainers, provide tools to improve software security, and secure the software supply chain. 

The Open Source Software Security Mobilization Plan groups the 10 steps into three broad initiatives: securing open source software production, improving the discovery and remediation of vulnerabilities, and speeding the ecosystem's time to patch.

To show their commitment, a group of companies has pledged $30 million of the estimated $150 million needed to fund all 10 initiatives for the first two years, Brian Behlendorf, general manager of the OpenSSF, said during a press conference on Thursday. This initial $30 million comes from Amazon, Ericsson, Google, Intel, Microsoft, and VMWare.

"We realize that \[$150 million\] is a meaningful amount," he said. "It is an amount more than any one open source developer has, or even most open source projects. But when compared to the cost of remediating a major vulnerability out there, like we have seen in the last few years, it is a drop in the bucket — a very small ounce of prevention to spend for many, many pounds of cure."

The 10-step plan calls for educating and certifying developers in secure programming, creating and maintaining security metrics for the top 10,000 OSS components, promote digital signing of software releases, and replacing non-memory-safe languages, such as C and C++, with more modern alternatives, such as Go and Rust. The plan also calls for improving the discovery of vulnerabilities and their remediation by funding a team of experts to assist open source projects during incidents, provide advanced security tools, fund third-party reviews, and coordinate sharing of data to determine the most critical components.

The intent is to improve security without increasing workload, the open source foundations stated in the report.

"\[A\]ll forms of investment and intervention should be focused on delivering new value to OSS maintainers — from making it easier to adopt practices that enhance the security and integrity of their work, to funding activities like third party code reviews that most projects struggle to afford to perform on their own," the report stated. "Any investments or policies that place additional burdens on developers, increase their personal or professional liability for working on code, or issue unfunded mandates upon them, would struggle for adoption and potentially inhibit further advancements in open source software."  

**Developers & Maintainers to See More Tools  
**The main focus of the $150 million effort will be to produce tools, training. and services for developers and maintainers to create more secure software. Already, some tools have been released as part of the efforts of the OpenSSF and other supporters, such as Google. 

Google, for example, released a tool known as AllStars that automatically vets GitHub projects to flag any anomalies, which could indicate a security issue in the maintenance of the project. The company has also released a system, Scorecard, for rating projects in 18 different areas to give them a security rating. Google and the Linux Foundation, meanwhile, released a tool, sigstore, to help verify the integrity of software supply chains.

Such efforts are extremely important to reduce the impact of security efforts on developers' work, Stephen Chin, vice president of developer relations at software supply chain security firm JFrog, said in a statement.

"We believe open-source security will only be successful if we give OSS projects the same tools and services available to enterprises," he said. "Access to automated tools and high-quality security databases for open-source projects is essential and something that JFrog is committed to helping make happen."

Even more important than the tools are that the efforts create standards that allow interoperability between tool sets, Dan Lorenc — CEO and co-founder at Chainguard and a co-creator of sigstore — said in a statement.

"Interoperability is the linchpin in securing software throughout the supply chain," he said, adding: "These open source tools and projects are the core infrastructure for securing our digital world. But we know not every organization is in a position to go deep on learning each project, nor do they have dedicated staff to understand and integrate all of these tools."

**Gaining Momentum for Open Source Security Support  
**OpenSSF has already made a number of announcements of initiatives that will likely become components of the industry's approach to supporting the creation and maintenance of a more secure software supply chain. Earlier this year, for example, the group announced the Alpha-Omega Project, which aims to secure the most critical software by providing tools and support to maintainers. In March, the OpenSSF and the Laboratory for Innovation Science at Harvard announced four lists of 500 open source projects deemed most critical in two major ecosystems, the JavaScript-based Node Package Manager (NPM) and non-NPM frameworks.

In October, the OpenSSF announced that 16 premier members — including Amazon, Cisco, Facebook, Fidelity, Google, Microsoft, and Red Hat — along with 15 general members had  committed $10 million to expand and support the organization.

The broad base of support shows that open source security is a problem that affects every business using software, Brian Fox, CTO at Sonatype, said in a statement.

"It’s rare to see vendors, competitors, government, and diverse open source ecosystems all come together like they have today," he said. "It shows how massive a problem we have to solve in securing open source, and highlights that no one entity can solve it alone."

Open Source Security Gets $150M Boost From Industry Heavy Hitters

To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.

A few months ago I had a conversation with the CISO of a multinational logistics company who told me that his company will never allow citizen development. "I see that the benefit could be massive, but we will never allow it," he said.

This statement made perfect sense. Allowing employees with little IT or coding experience to develop applications seems counterintuitive to companies that are used to seeking strict controls over developers, applications, and digital assets. For many executives, citizen development seems to belong to a distant future.

In a follow-up meeting with that same CISO a few weeks ago, the conversation went in a very different direction. Marketing teams found their way around the CASB and started using no-code automation. Business applications teams started using Salesforce to streamline business processes rather than focus only on sales and customization. Employees all around the company were using Microsoft's built-in platform to build custom applications in Teams. "Turns out, we didn't get to choose. Citizen development is now a reality, and I am now expected to mitigate its security risks," he told me.

This CISO is not alone. The world's largest banks, retailers, and manufacturing companies are going all-in on citizen development. At a recent online event, Microsoft announced that 97% of Fortune 500 companies use its low-code/no-code platform.

**How Low-Code/No-Code Platforms Find Their Way Into the Enterprise**  
To understand how organizations can transition from "low-code who?" to "business developers" in just a few months, we need to understand how low-code/no-code finds its way into the enterprise. We also need to look at low-code/no-code platforms' go-to-market (GTM) strategies.

**1\. Land-and-expand:** Low-code/no-code platforms follow multiple paths into the heart of the business. The first and most obvious one is a top-down approach. In organizations where digital transformation is a strategic effort, senior management often looks for platforms that can accelerate the productivity of their business teams. Low-code/no-code platforms are built to do exactly that. Two popular choices for digital transformation are low-code application platforms (LCAPs) and integration platform-as-a-service (iPaaS).

In the digital transformation scenario, an organization would typically set up a center of excellence (CoE) that starts off by finding key use cases that quickly produce business value. Think of business applications used to manage a giveaway campaign by HR, welcome vendors to your facilities, or facilitate IT equipment orders by employees. Even more importantly, the CoE serves as inspiration for business users to think of more ways in which they can improve their productivity with business applications and automation. This centralized team leading by example doesn't have to be explicitly called a CoE. It can be the business applications team, the intelligent automation team, or the integration team, for example.

Once users start getting an appetite for applications that streamline business processes, the CoE's backlog quickly overflows. It is at this stage that business users start building their own applications, either with guidance from the CoE or on their own.

Both LCAP and iPaaS vendors rely heavily on this process of expansion within the enterprise as their core growth strategy. While it's easier to get through the door with a solution used by a centralized team, the value that can be realized grows significantly when low-code/no-code tools are placed directly in the hands of business users. Indeed, LCAP and iPaaS vendors are investing a lot in making their platforms easier for citizen developers to use. Slowly but surely, business teams across the organization become aware of these platforms and start to use them to get their job done.

This land-and-expand model is a win-win for vendors and customers alike. Centralized teams bring these platforms into the corporation and demonstrate their value, leading to business teams realizing their potential by addressing a wide range of business needs quickly, on their own.

**2\. Bottom-up (shadow IT):** The marketing team at the aforementioned logistics company has been hard at work on a big conference. The company plans to make a few key announcements, with the intent to make it a big deal and generate lots of buzz. To translate this hype into leads, they want to set up a dedicated landing page with content optimized for conference visitors. The marketing team hires a vendor to build the page. In order to deliver quickly, the vendor uses a no-code automation platform to set up an email campaign and sync leads to the company's CRM. The end result is a great conference experience, powered by a no-code automation platform connected to the company's CRM.

In the rush of things, however, the CRM integration was set up with an administrator account shared with all developers on that account. At launch, only a few developers have access to the account, but after seeing the value, the whole marketing team is granted access, inadvertently sharing administrator privileges to the CRM. Security teams found out about it after the fact. The platform was purchased out of pocket due to time constraints, so there was no security assessment or an opportunity to say no.

This is a typical story, where platforms are introduced directly by users to solve a specific problem, without security visibility or guardrails. Once inside, they continue to expand to additional use cases and business groups. Vendors call this product-led growth (PLG), and it has been the hot GTM trend for the past few years.

Indeed, users are introducing these platforms because they actually solve their problems. Manual processes around order-to-cash, customer care, and marketing operations are a common example. This is great for business productivity. However, over time organizations can find that their business-critical data and processes have slipped out from under the security umbrella.

**3\. SaaS becoming the new business cloud:** Name your favorite corporate SaaS platform. Chances are, it's a low-code/no-code development platform too, and your business users are already building with it. Don't just trust me on this — I encourage you to check it out yourself.

In recent years, SaaS vendors are increasingly shifting toward becoming low-code/no-code development platforms. Microsoft, Salesforce, ServiceNow, Workday, Slack, and other leaders in SaaS have all introduced their own low-code/no-code platform, embedded right into the platforms your business users are already using. Some vendors are focused on if-this-then-that automation and others on custom application development. But all of them are reaching out to business users directly, empowering them to do more on their own.

Back in the previously mentioned logistics company, the CISO found out that users across the organization were using Power Platform, Microsoft's low-code/no-code platform embedded in Office, to build custom applications for their Teams channels. These applications gained access to resources on behalf of their Teams users to do useful things like set up calendar invites, send emails, or share SharePoint files. Inadvertently, it also gave the application creators control over application user identities, allowing them to impersonate their users through the applications. Like any application that gains access on behalf of users, that access could be used to do harm, either by malice or by mistake.

SaaS vendors are pushing strong on low-code/no-code as a way to expand their business. They are using their advantage of already being at the fingertips of business users and are building app development platforms for their specific personas. This, again, is great for innovation and business velocity.

**The Time to Act Is Now  
**With all of the different ways low-code/no-code finds its way into the enterprise, it's becoming clear that organizations can't just opt out of citizen development. Gartner has predicted that the number of active citizen developers at large enterprises will outnumber professional developers four to one by 2023. Other analyst firms have predicted similar numbers. Even if we end up having _just_ one citizen developer per professional developer, can we really let that slip outside the security umbrella?

Instead, security teams should embrace low-code/no-code and help guide the new generation of citizen developers in line with enterprise requirements. The sooner this is done, the better.

You Can't Opt Out of Citizen Development

In a Black Hat Asia keynote fireside chat, US national cyber director Chris Inglis outlined his vision of an effective cybersecurity public-private partnership strategy.

BLACK HAT ASIA – The future of cybersecurity public-private partnerships (PPP) will be about sharing efforts and pooling resources to provide a common defense, explained US national cyber director Chris Inglis during a fireside chat at Black Hat Asia.

Inglis called it a "new social contract" and defined the joint work that lies ahead for both government and business to protect their interests. It should be a "collaborative, not a division of effort," he told moderator and Black Hat founder Jeff Moss. He added that it's up to businesses to build secure systems from the start rather than being "the poor soul at the end of the supply chain."

**Building a Defensible System**  
In return for adding the cost of security into the design and build phase, these companies won't be left alone when it's time to respond to threats.

"We have to build a defensible system," Inglis said. "And in a collaborative fashion, we are going to defend it."

Market forces are pushing companies toward that model, but not fast enough, Inglis said, with the assurance that any regulation will be with the "lightest touch" by government.

**Business as a Government Cybersecurity Collaborato**r  
He added that since the Russian invasion of Ukraine, the US government has shared intelligence with the private sector to help defend their systems against cyberattacks. Inglis also lauded the action by Microsoft to roll out a patch against the Russian wiper virus used in attacks against Ukraine, but warned that it's imperative that we not "conflate geography with risk."

For instance, blocking Putin from platforms is different than blocking the wider Russian population, which has happened on TikTok, Netflix, Facebook, and many others.

Inglis also expressed that the private sector should demonstrate that is has an interest in protecting privacy and providing more transparency into their businesses.

Ultimately, the relationship between business and government is evolving.

"Today, there are instances where the private sector is the supported organization and the government is the supporting organization," Inglis said. "This is a new social contract, but we've done this before. It's about allocation of responsibility across the entire ecosystem."

US Cyber Director: Forging a Cybersecurity Social Contract Is Not Optional

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Skip to content

*   Penetration Testing
*   Prism
*   Why Prism?
*   Partners
    *   Service Provider Partners
    *   Penetration Testing Partners
*   Resources
    *   Tech Talks
    *   Blog
    *   Our Customers

*   Penetration Testing
*   Prism
*   Why Prism?
*   Partners
    *   Service Provider Partners
    *   Penetration Testing Partners
*   Resources
    *   Tech Talks
    *   Blog
    *   Our Customers

**Rootshell Discovered a Critical Vulnerability in Top WordPress Theme**

Rootshell Discovered a Critical Vulnerability in Top WordPress Theme

The Rootshell team discovered a critical vulnerability within Avada, the number one best-selling theme on WordPress.

Rootshell Security Consultant, Calum Elrick, identified a Server-Side Request Forgery (SSRF) issue by manipulating a parameter in the theme’s prebuilt contact form builders.

SSRF is a vulnerability that allows threat actors to create requests from the vulnerable server and access private IP addresses on the server’s local network.

This enables threat actors to target internal systems behind firewalls that are normally inaccessible, as well as access services from the same server that is listening on the loopback interface.

In summary, Server-Side Request Forgery attacks make it possible to:

*   Scan and attack systems from the internal network that are not normally accessible
*   Enumerate and attack services that are running on these hosts
*   Exploit host-based authentication services

On discovery of the issue, the Rootshell team quickly took action, and responsibly disclosed the vulnerability to Theme Fusion, the creators of Avada.

Theme Fusion addressed the issue promptly, and a patch has now been added in versions 7.6.2 (security update) and 7.7.

More details, including proof-of-concept code, will be available on our blog soon.

**This vulnerability affects Avada version 7.6.1 and below. We advise Avada users to update their version to the latest patch,** **available here****.**

**Share This Story, Choose Your Platform!**

**Related Posts**

*   Penetration Testing as a Service
*   Web Application Penetration Testing
*   Cloud Penetration Testing
*   Mobile Application Testing
*   Red Team as a Service
*   Cyber Threat Intelligence
*   Managed Vulnerability Scanning
*   Phishing Assessments

*   Prism Platform
*   Prism Plus+
*   Prism Features
*   Request a Demo

*   Tech Talks
*   Blog
*   Our Customers

*   Service Provider Partners
*   Penetration Testing Partners
*   About Us
*   Accreditations
*   Careers

© Copyright 2022 | Rootshell Security

Page load link

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies.

**Privacy Overview**

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie

Duration

Description

cookielawinfo-checkbox-analytics

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".

cookielawinfo-checkbox-functional

11 months

The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".

cookielawinfo-checkbox-necessary

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".

cookielawinfo-checkbox-others

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.

cookielawinfo-checkbox-performance

11 months

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".

viewed\_cookie\_policy

11 months

The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

CVE-2022-1386: Rootshell Discovered a Critical Vulnerability in Top WordPress Theme

Threat actors have launched a new campaign that starts with compromised WordPress sites and leads to fake reCAPTCHA sites designed to get visitors to accept web push notifications.
The post Fake reCAPTCHA forms dupe users via compromised WordPress sites appeared first on Malwarebytes Labs.

Researchers at Sucuri investigated a number of WordPress websites complaining about unwanted redirects and found websites that use fake CAPTCHA forms to get the visitor to accept web push notifications.

These websites are a new wave of a campaign that leverages many compromised WordPress sites.

**CAPTCHA**

CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is one of the annoyances that we have learned to take for granted when we browse the Internet. Scientists developed CAPTCHA as a method to tell humans and bots apart so as to to keep bots from accessing sites or systems where they are not welcome.

Google bought and owns reCAPTCHA, which represents a CAPTCHA system expressly developed to reduce the needed amount of user interaction. The original version asked users to decipher hard to read text or match images. Version 2 required users to decipher text or match images if the analysis of cookies and canvas rendering suggested an automatic download of the page. Since version 3, reCAPTCHA doesn’t interrupt users, running automatically when users load pages or click buttons.

The basic version of a real reCAPTCHA the threat actors used as a template to create the fake ones looks like this:

_legitimate reCAPTCHA_

**The campaign**

The fake CAPTCHA sites are part of a long lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the years.

The compromised websites all share a common issue. The threat actors injected malicious JavaScript within the affected website’s files and database. Attackers attempted to automatically infect any .js file with jQuery in the name, on a compromised website. They then injected obfuscated code when successful. This malicious JavaScript was appended under the current script or under the head of the page where it was fired on every page load, redirecting site visitors to the destination chosen by the threat actor.

The Malwarebytes Threat Intelligence Team tracked a rogue affiliate’s traffic which flowed through the same **local\[.\]drakefollow\[.\]com** subdomain that was mentioned in the Sucuri blog. The threat actor chose to promote a legitimate security product in this case, but might as well have led visitors to potentially unwanted programs (PUPs), adware, or tech support scams.

_Traffic flow from compromised WordPress site to rogue affilate’s site_

**The fake CAPTCHA**

At this point in the chain of redirections, the fake reCAPTCHA websites kick in. The fake reCAPTCHA sites are the final step towards duping the visitor. The unsuspecting visitor will land on a site that tries to trick them into accepting push notifications from the landing page’s domain.

_fake reCAPTCHA_

Visitors think they need to click “Allow” to get past the CAPTCHA screen, when in fact they are giving permission to the domain to send them push notifications.

By design, push notifications work similarly across different operating systems and web browsers. They appear outside of the browser window just above the taskbar on the right hand side. This is misleading as they may seem to originate from the operating system. Knowing the difference between a web push notification and an alert that comes from the operating system or another program installed on the device is hard, and that makes it difficult for the unsuspecting user of an affected system to know what is going on.

As we reported in the past, adware, search hijackers, and PUP families have added push notifications as one of their attack vectors. Sucuri warns that it is also one of the most common ways attackers display “tech support” scams, where users are told their computer is infected or slow and they should call a toll-free number to fix the problem.

**Removal and mitigation**

Knowing that these fake reCAPTCHA sites exist and being able to spot the difference with a real one is your best protection. Also, many security programs, including Malwarebytes, will block access to the campaign’s domains.

If your system shows you push notifications, you can find detailed instructions on how to disable and remove permissions for browser push notifications in our article: Browser push notifications: a feature asking to be abused.

Website owners can use Sucuri’s free remote website scanner to detect the malware.

Stay safe, everyone!

_Special thanks to the Malwarebytes Threat Intelligence Tea_m _for their contribution and the screenshot_

Fake reCAPTCHA forms dupe users via compromised WordPress sites

By Deeba Ahmed
Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group,…
This is a post from HackRead.com Read the original post: Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group, whereas Cobalt Mirage’s activities have been reported as TunnelVision and Phosphorus.

SecureWorks® Counter Threat Unit™ (CTU) researchers are investigating an Irani threat group known as the Cobalt Mirage group. This group first surfaced in June 2020 and is linked to another Irani threat group Cobalt Illusion, also known as Charming Kitten, Phosphorus, APT35, and Newscaster.

The group primarily uses phishing campaigns to gain access to networks. Researchers suspect that the two groups are interconnected and might share access and tradecraft.

It is worth noting that previously, Charming Kitten was also accused of its involvement in some highly sophisticated social engineering attacks including bypassing Gmail and Yahoo’s 2FA (Two-Factor Authentication (2FA) in December 2018.

Furthermore, Charming Kitten was the talk of the town in March 2019 when Microsoft seized 99 websites used by Iranian hackers for large-scale phishing attacks. In July 2020, the same group exposed 40GB of videos exposing its entire modus operandi.

**Cobalt Mirage Attack Tactics**

Based on information obtained via incident response activities and public reporting, the researchers identified two clusters of Cobalt Mirage attacks, labeled Cluster A and Cluster B. 

According to researchers, threat actors used DiskCryptor and BitLocker in Cluster A for conducting ransomware attacks that are mainly profit-driven. On the other hand, Cluster B entails targeted intrusions to invade a network and collect intelligence. But sometimes, Cluster B attacks may also involve ransomware in selected cases.

COBALT MIRAGE’s attack vector (Image: SecureWorks)

**Primary Targets of Cobalt Mirage**

According to SecureWorks’s blog post published on May 12th, Cobalt Mirage’s victims are primarily organizations in the USA, Australia, Europe, and Israel. The group mainly uses file-encrypting ransomware to target its victims.

Some of its previous campaigns include the scan-and-exploit attack against Microsoft Exchange Servers and exploiting the ProxyShell vulnerabilities in March 2022 to access a US local government network.

The group also targeted a philanthropic organization in the USA in January 2022. Research reveals that the group has limited ability to capitalize on the access they gain to a network and use it for financial gains or intelligence data collection.

**How does Cobalt Mirage Attack its Victims?**

Research revealed that Cobalt Mirage scans internet-exposed servers to detect vulnerable servers and identify initial access routes. They often look for flaws in Microsoft Exchange servers and Fortinet appliances.

In 2021, SecureWorks’ blog post revealed that the threat group scanned ports 4443, 8443, and 10443 to find flaws in devices vulnerable to FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591).

In September 2021, they targeted the MS Exchange servers and deployed the Fast Reverse Proxy Client by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to enable access to vulnerable devices.

Once they identify a loophole, they drop web shells and use them as a conduit for lateral movement across the network and launch the ransomware. They complete their attack with a rather unusual way of sending ransom notes, which they send to a local printer.

This note contains the email address and Telegram account details for victims to contact the attacker. However, researchers couldn’t identify how the encryption feature is triggered. The group uses publicly available encryption tools for launching ransomware attacks.

COBALT MIRAGE’s ransom note (Image: SecureWorks)

> “CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.”

**More Iranian Security News on Hackread.com**

1.  Iran-linked hackers hit Israeli, US and EU defense tech firm
2.  Irani and Chinese State Hackers Exploiting Log4j Vulnerability
3.  Watch as hackers disrupt Iran’s prison computers; leak live footage
4.  Exposed: 6 year old Iranian espionage campaign using Android backdoor
5.  Iranian APT group hits schools, universities in global spear phishing attacks

Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

Malwarebytes Threat Intelligence has uncovered an attack using the lure of information about the war in Ukraine to target people in Germany.
The post Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis appeared first on Malwarebytes Labs.

_This blog post was authored by Hossein Jazi and Jérôme Segura_

Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.

Although all countries have reasons to be concerned, the situation is Germany is more complicated than most. It is one of the few European countries to have received criticism for its attitude to the Ukraine-Russia conflict, as it struggles to end its reliance on Russian energy, and Moscow recently imposed sanctions on Gazprom Germania, further increasing economic tensions.

This week our analysts discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.

**Decoy site lures victims with Ukraine situation**

Threat actors registered an expired German domain name at collaboration-bw\[.\]de that was formally used as a collaboration platform to develop new ideas for the Baden-Württemberg state.

Threat actors registered an expired domain associated with Baden-Württemberg

The threat actors used the domain to host a website that looked like the official Baden-Württemberg website, baden-wuerttemberg.de.

A comparison of the real baden-wuerttemberg.de (top) and the malicious fake (bottom)

With this copycat, the attackers created the perfect placeholder for the lure they wanted their victims to download: A file tantalising called 2022-Q2-Bedrohungslage-Ukraine (threat situation in Ukraine for Q2), offered via a prominent blue download button.

The website promises important information and tips about the Ukraine crisis

An English translation of the page reads:

**Important, current threat situation regarding the Ukraine crisis**

On this website you will always find the most important information and tips for dealing with the current threat posed by the Ukraine crisis. Please download the document now and read through the current information. The document is constantly updated and is up to date. Our suggested tips can be practically implemented in everyday work and you should already implement them today. Thanks for your support.

**File analysis**

The archive file called 2022-Q2-Bedrohungslage-Ukraine contains a file named 2022-Q2-Bedrohungslage-Ukraine.chm. The CHM format is Microsoft’s HTML help file format, which consists of a number of compiled HTML files.

The CHM file displays a fake error message

Victims will get a fake error message when they open up that file, while PowerShell quietly runs a Base64 command.

PowerShell executes a Base64-encoded command

After de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-Württemberg website, using Invoke-Expression (IEX).

The PowerShell code fetches and executes a malicious script

The malicious script downloaded from the fake Baden-Württemberg website

The downloaded script creates a folder called SecuriyHealthService in the current user directory and drops two files into it: MonitorHealth.cmd and a script called Status.txt. The .cmd file is very simple and just executes Status.txt through PowerShell.

Finally, the downloaded script makes MonitorHealth.cmd persistent by creating a scheduled task that will execute it each day at a specific time.

**PowerShell RAT (Status.txt)**

Status.txt is a RAT written in PowerShell. It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. It also builds a unique id for the victim, the clientid.

This data is exfiltrated as a JSON data structure sent to the server via a POST request:

$json = '{
  "type": "newclient",
  "result": "",
  "pwd": "' + $pwd\_b64 + '",
  "cuser": "' + $cuser + '",
  "hostname": "' + $hname + '",
  "clientid": "' + $clientid + '"
}';

$headers = @{'X-Request-ID' = $strhash;}

However, before executing this requests the script will first bypass the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass. It is decrypted using a generated key and IV before execution.

The bypass function that contains the encrypted script to bypass AMSI.

The content of the AMSI bypass script after decryption

This RAT has the following capabilities:

*   **Download** (type: D0WNl04D): Download files from server
*   **Upload** (type: UPL04D): Upload file to the server
*   **LoadPS1** (type: L04DPS1): Load and execute a PowerShell script
*   **Command** (type: C0MM4ND): Execute a specific command

**German command and control server**

The attack was thoughtfully carried out—even ensuring that the stolen data was sent to a German domain name, kleinm\[.\]de, to avoid suspicion.

It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution. Based on motivation alone, we hypothesise that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.

The Malwarebytes Threat Intelligence team continues to monitor attacks taking advantage of the war in Ukraine while ensuring our customers are protected.

**Indicators of Compromise (IOCs)**

**Phishing site**

collaboration-bw\[.\]de/bedrohung-ukr.html

**Lure**

2022-Q2-Bedrohungslage-Ukraine.zip  
2430f68285120686233569e51e2147914dc87f82c7dbdf07fe0c34dbb1aca77c  
2022-Q2-Bedrohungslage-Ukraine.chm  
80bad7e0d5a5d2782674bb8334dcca03534aa831c37aebb5962da1cd1bec4130

**Status.txt**  
a5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f

**MonitorHealth.cmd**  
fc71522a4125ca4bdc5e5deca4a6498e7f2da4408614c2e1284c3ae8c083a5fd

**C2**

kleinm\[.\]de

**MITRE ATT&CK**

Tactic

ID

Name

Description

Execution

T1059

Command and Scripting Interpreter

Starts cmd.exe to run hh.exe

Executes PowerShell script to download and execute a script

Persistence

T1053

Scheduled Task/Job

Executes task scheduler to add MonitorHealth.cmd as a daily task

Defense evasion

T1222

File and Directory Permissions Modification

Uses attrib.exe to hide SecuriyHealthService folder

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

Plus: New details of ICE’s dragnet surveillance in the US, Clearview AI agrees to limit sales of its faceprint database, and more.

A group of human rights lawyers and investigators called on the Hague this week to bring what would be the first ever “cyber war crimes” charges. The group is urging the International Criminal Court to bring charges against the dangerous and destructive Russian hacking group known as Sandworm, which is run by Russia’s military intelligence agency GRU. Meanwhile, activists are working to block Russia from using satellites controlled by the French company Eutelsat to broadcast its state-run propaganda programming.

Researchers released findings this week that thousands of popular websites record data that users type into forms on the site before they hit the Submit button—even if the user closes the page without submitting anything. Google released a report on an in-depth security analysis it conducted with the chipmaker AMD to catch and fix flaws in specialty security processors used in Google Cloud infrastructure. The company also announced a slew of privacy and security features for its new Android 13 mobile operating system along with a vision for making them easier for people to understand and use.

The European Union is considering child protective legislation that would require scanning private chats, potentially undermining end-to-end encryption at a massive scale. Plus, defenders from the cybersecurity nonprofit BIO-ISAC are racing to protect the bioeconomy from digital threats, announcing a partnership this week with Johns Hopkins University Applied Physics Lab that will help fund pay-what-you-can incident response resources.

But wait, there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

The United States is completing development of a new generation of high-security encryption standards that will be robust in the current technical climate and are designed to be resistant to circumvention in the age of quantum computing. And while the National Security Agency contributed to the new standards' creation, the agency says it has no special means of undermining the protections. Rob Joyce, the NSA’s director of cybersecurity, told Bloomberg this week, “There are no backdoors." The NSA has been implicated in schemes to backdoor encryption before, including in a situation in the early 2010s in which the US removed an NSA-developed algorithm as a federal standard over backdoor concerns.

An extensive investigation by Georgetown Law’s Center on Privacy & Technology reveals a more detailed picture than ever of US Immigration and Customs Enforcement agency surveillance capabilities and practices. According to the report, published this week, ICE began developing its surveillance infrastructure at the end of the George W. Bush administration, years before it was previously thought to have begun these efforts. And researchers found that ICE spent $2.8 billion on surveillance technology, including face recognition, between 2008 and 2021. ICE was already known for its aggressive and invasive surveillance tactics during the Donald Trump administration’s anti-immigration crackdowns, but the report also argues that ICE has “played a key role in the federal government’s larger push to amass as much information as possible” about people in the United States.

“Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency,” the report says. “By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time.”

In a legal settlement this week, the face recognition and surveillance startup Clearview AI agreed to a set of restrictions on its business in the US, including that it won’t sell its faceprint database to businesses or individuals in the country. The company says it has more than 10 billion faceprints in its arsenal belonging to people around the world and collected through photos found online. The settlement comes after the American Civil Liberties Union accused Clearview of violating the Illinois Biometric Information Privacy Act. The agreement also stipulates that the company won’t be allowed to sell access to its database in Illinois for five years. “This settlement demonstrates that strong privacy laws can provide real protections against abuse,” Nathan Freed Wessler, a deputy director of the ACLU Speech, Privacy, and Technology Project said in a statement. Despite the privacy win, Clearview may continue to sell its services to federal law enforcement, including ICE, and police departments outside of Illinois.

Costa Rican president Rodrigo Chaves said on Sunday that the country was declaring a national emergency after the notorious Conti ransomware gang infected multiple government agencies with malware last week. Sunday was the first day of Chaves' presidency. Conti leaked some of a 672 GB trove of stolen data from multiple Costa Rican agencies. In April, the Costa Rican social security administration had announced that it was the victim of a Conti attack. “At this time, a perimeter security review is being carried out on the Conti Ransomware, to verify and prevent possible attacks," the agency tweeted at the time.

The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption

The White House and tech industry pledge $150 million over two years to boost open source resiliency and supply chain security.

Marking the one-year anniversary of President Biden's Executive Order on Improving the Nation's Cybersecurity, the Linux Foundation and the Open Source Software Security Foundation joined with 90 private-sector executives and government leadership to create a 10-point plan to improve the security of open source software. 

The plan has three primary goals — secure open source software production, improve vulnerability discovery and remediation, and shorten ecosystem patching response time — according to the announcement. 

The Open Source Software Security Mobilization Plan proposes 10 specific streams of investment in open source security including: education, risk assessment, digital signatures, memory safety, incident response, better scanning, code audits, data sharing, SBOMs, and improved software supply chain. The plan outlines the need for about $150 million in additional funding over the next two years. Amazon, Google, Ericsson, Intel, Microsoft, and VMware have pledged an initial investment of $30 million between them.

"What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it," Brian Behlendorf, executive director, Open Source Security Foundation (OpenSSF), said in a statement announcing the group's new initiative. **"**The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel