Breaches & Vulnerabilities in this week Cyber News!

1. Cybercriminals use Reverse Tunneling & URL Shorteners for Phishing Campaigns.

TechBag: Cybersecurity, Security software, Malware, Breaches, Malware, Spam, Cybercrimes, Software solutions

A new way of carrying out phishing attacks is being adopted by criminal groups – and it could make threat actors virtually undetectable, security researchers warn. The technique involves using ‘reverse tunnel’ services and URL shorteners to launch large-scale phishing attacks. The attackers are not exploiting a vulnerability in the technical sense. Instead, they are misusing off-the-shelf, legitimate services to bypass anti-phishing measures. Services associated with the technique include bit.ly, Ngrok, and Cloudflare’s Argo Tunnel. Reverse tunnels allow criminal groups to evade some of the most effective countermeasures. One way phishing groups are caught is through their reliance on hosting providers, and their use of domains that, CloudSEK says, “impersonate targeted companies or keywords”. CloudSEK is calling for improved monitoring of reverse tunnel services. Ngrok, for example, now requires its users to disclose their IP addresses, and to register before hosting HTML content, while Cloudflare requires users to create an account. URL shortening is harder to police, as there is no actual malicious activity: the shortened links simply point users to a website. CloudSEK concedes, though, that discovering attacks depends on third-party monitoring. “If a domain is registered with a hosting provider, they can respond to complaints and take down a website, but with reverse tunnels, the reverse tunnel provider has no accountability for that, which means it’s potentially harder to take down. Combine that with a URL shortener, it can be very effective. “It’s going to sound clichéd, but the advice we have is to double down on phishing awareness to lessen the likelihood of someone clicking on a malicious link.” (Source).

2. Remote Code Execution (RCE) vulnerability uncovered in Hashnode blog platform.

A remote code execution (RCE) attack chain caused by a local file inclusion (LFI) bug in the blogging platform Hashnode has been disclosed by security researchers. On February 28, Aditya Dixit, a penetration tester and security engineer based in India, said in a security advisory that the RCE had been found in Hashnode, a blogging platform for the engineering and developer community. The issue was present in Hashnode’s Bulk Markdown Importer, a feature developed for users to import .ZIP-compressed files in Markdown (.md) format. Together with security researcher Adhyayan Panwar, Dixit was able to escalate the LFI to achieve RCE. The duo found an Error NO ENTry (ENOENT) error in Markdown – via Burp Suite – when a user tried to insert an image with a specified path. The Hashnode team was informed of the researchers’ findings on February 8. Hashnode told us that “the vulnerability was associated with one of our legacy components and was fixed pretty much immediately. We also rotated all of our keys immediately.” “The takeaway from our exploit would be to never display descriptive messages to the end-users and always have input validation in place on all the input parameters,” the researcher added. “It’s a really bad idea to trust your users' inputs.” (Source).
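The two takeaways from the Hashnode write-up above, validate every user-supplied path and never echo descriptive errors to the end user, can both be shown in a small importer. The code below is an added example, not Hashnode's code or the researchers' exploit: it validates ZIP member names and Markdown image references against the import root, records the specific reason for each rejection in a server-side audit log, and returns a single generic message for the user. The archive contents, file layout and message texts are constructed for this example.

```python
import io
import posixpath
import re
import zipfile
from pathlib import PurePosixPath
from typing import Optional

# Markdown image syntax: ![alt](path). Only the path group is captured.
IMAGE_REF = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")

# The only text a user ever sees; details go to the audit log, not the browser.
USER_MESSAGE = "Import failed: the archive contains entries that could not be processed."


def build_sample_zip() -> bytes:
    """Constructed sample archive: one post, one image, and hostile entries
    (a traversal name, an absolute name, and a traversal image reference)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("posts/hello.md",
                    "# Hello\n\n![logo](images/logo.png)\n![cfg](../../etc/passwd)\n")
        zf.writestr("posts/images/logo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("../../tmp/evil.md", "traversal member")
        zf.writestr("/etc/cron.d/evil", "absolute member")
    return buf.getvalue()


def is_safe_relative(name: str) -> bool:
    """Accept only relative POSIX paths that stay under the import root."""
    if not name or "\x00" in name or "\\" in name:
        return False
    if PurePosixPath(name).is_absolute():
        return False
    # normpath collapses "a/../.." forms; anything that still starts with ".." escapes.
    norm = posixpath.normpath(name)
    return PurePosixPath(norm).parts[:1] != ("..",)


def resolve_image_ref(md_name: str, ref: str) -> Optional[str]:
    """Resolve a local image reference relative to its Markdown file.
    Returns the normalised path inside the root, or None if it escapes."""
    candidate = posixpath.join(posixpath.dirname(md_name), ref)
    if not is_safe_relative(candidate):
        return None
    return posixpath.normpath(candidate)


def import_archive(zip_bytes: bytes) -> dict:
    """Validate every member and every local image reference.
    Returns accepted member names, a server-side audit log, and the user message."""
    accepted, audit = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_relative(name):
                audit.append(f"rejected member {name!r}: path escapes import root")
                continue
            if name.endswith(".md"):
                text = zf.read(info).decode("utf-8", errors="replace")
                bad_refs = [ref for ref in IMAGE_REF.findall(text)
                            if "://" not in ref            # remote images are not read locally
                            and resolve_image_ref(name, ref) is None]
                if bad_refs:
                    audit.append(f"rejected {name!r}: image refs escape import root: {bad_refs}")
                    continue
            accepted.append(posixpath.normpath(name))
    return {
        "accepted": accepted,
        "audit": audit,                       # for server logs only
        "user_message": USER_MESSAGE if audit else "Import succeeded.",
    }


if __name__ == "__main__":
    report = import_archive(build_sample_zip())
    print("user sees:", report["user_message"])
    print("accepted:", report["accepted"])
    for line in report["audit"]:
        print("audit:", line)
```

The check is done on the archive's names and the Markdown text before anything touches the filesystem, so a hostile entry is never written or read; the detailed reasons stay in the audit list, which is the part that should reach logs rather than the HTTP response.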

3. SureMDM bug chain enabled wholesale compromise of managed devices.

Vulnerabilities in SureMDM could have been chained to compromise every device running the popular mobile device management (MDM) platform within a targeted enterprise, security researchers have revealed. The vendor, Indian tech firm 42 Gears, has patched the bugs, which led to remote code execution (RCE) via the web console, along with RCE, command injection, hardcoded password, local privilege escalation, and information disclosure flaws affecting the Linux agent. The vulnerabilities affect both cloud and on-premise installations. The RCE exploit in the SureMDM web console, which is shown in the video below, enabled unauthenticated attackers with no knowledge of target customers to seize control of Linux, macOS, and Android devices, as well as desktops and servers, and subsequently disable security tools and install malware on compromised devices. The web console issues include a lack of default authentication between the agent running on the host and the server, which meant attackers could register fake devices and potentially intercept job requests containing sensitive data. Immersive Labs first contacted 42 Gears over the flaws on July 6, 2021. The lengthy disclosure process, which was complicated by the periodic discovery of additional vulnerabilities, culminated in the release of patches in November and January. (Source).

4. Indian authorities set to tighten data breach laws in 2022.

Authorities in India are set to clamp down on data breaches and tighten rules for holding sensitive data, according to local media reports. Organizations will be forced to disclose data breaches within 72 hours, bringing India in line with territories such as the EU, which mandates breach disclosures under its General Data Protection Regulation (GDPR). And Indian firms will no longer be able to store payment card information, with only card issuers and card networks – such as Visa or Mastercard – permitted to do so. Organizations in India will be forced to disclose any data breach within 72 hours, with potential jail terms or fines being introduced for those who intentionally disclose personal data without the consent of the data processor. Firms will need to report any leaks and take “appropriate remedial measures” to protect their customers following a breach. Penalties for breaches include jail terms of up to three years or fines of up to 200,000 rupees ($2,678) for anyone who intentionally discloses personal data without permission. If an organization acting as a ‘data fiduciary’, or data controller, fails to disclose a breach, fails to register with the DPA, fails to conduct the required audits, or fails to appoint a data protection officer, it faces a fine of up to 2% of worldwide turnover, or 50 million rupees. “By getting the right standards in place and enshrined in regulation, it will make it easier for companies to know what security they have to put in place to conduct their operations. This will also support the development of digital businesses in India as trustworthy, secure companies that consumers can trust. “Looking at the PDP bill, in particular, this will ensure that India has a standard set of rules and regulations with regards to data protection and governance, similar to those that were created for developed markets like the United States and the European Union.” (Source).

5. Telecom industry facing increased DDoS attacks.

The telecommunications industry is facing an increased threat of distributed denial-of-service (DDoS) attacks, according to a new report. In the findings, the web infrastructure and security company notes that the telecommunications industry was the most targeted sector in the first three months of the year. Cloudflare’s latest report is based on data taken from the company’s DDoS mitigation platform, which serves approximately 25 million users. “Attacks under 500 Mbps are often sufficient to create major disruptions for internet properties that are not protected by a cloud-based DDoS protection service. “Many organizations have uplinks provided by their service providers with less bandwidth capacity than 1 Gbps. “Assuming their public-facing network interface also serves legitimate traffic, you can see how even DDoS attacks under 500 Mbps can easily take down internet properties.” The British software engineer added: “There was [also] a large increase in attacks using Jenkins and TeamSpeak3 servers. This is due to recently discovered vulnerabilities that DDoS attackers are exploiting.” (Source).

6. Scammers’ shifting tactics revealed at Akamai event.

Cybercrooks “never waste a good crisis”, said Keren Elazari, cybersecurity analyst, author, and researcher, at Akamai’s Edge Live Virtual Summit for the EMEA region on July 1. “They’re always moving, changing their game, coming up with new creative ways to make money,” she added, as she outlined the various fiendish ways cybercriminals have exploited the public’s fears and anxieties during the Covid-19 pandemic. Already growing before the crisis, the attack surface ballooned during the first half of 2020, as locked-down citizens worked from home and flocked to online platforms to shop, continue their studies, or speak to family and friends. Interestingly, while malicious hackers have upped the ante against business and government assets, their white hat counterparts have also stepped up to defend. In his keynote address, Dr. Tom Leighton, Akamai’s CEO and co-founder, considered the global pandemic’s impact on attack models and trends, based on data generated by the security company’s threat monitoring tools. In a talk focused on credential stuffing attacks, Troy Hunt, founder of the ‘Have I Been Pwned’ data breach database, told the Akamai Edge event audience that he was particularly interested in how these breaches are represented in the media, because “that is the lens by which the public view the organization”. YouTube videos are showing “ways to easily mount credential stuffing texts for free”, he says, which illustrates the central, still unresolved challenge for the infosec industry: “The complexity of defending against credential stuffing attacks is incommensurate with the ease of mounting them.” (Source).

Visit us for any software-related solutions at TechBag Digital Pvt. Ltd.

All our Solutions and Services are delivered in SaaS Mode.

Free expert advice is available for all the solutions before you choose to subscribe.

(TechBag is a software e-commerce marketplace that enables better decision-making for users while navigating through different software, and enabling vendors to reach a wider audience.)
