ElevenPaths Cyber Security Weekly Briefing May 1-7 Apple fixes four 0-day vulnerabilities in WebKit Apple released yesterday a security update to fix four 0-day vulnerabilities that could be actively exploited, according to Apple itself. These four flaws...
ElevenPaths Cyber Security Weekly Briefing April 24-30 BadAlloc – Critical Vulnerabilities in Industrial IoT and OT Devices Microsoft security researchers have discovered 25 critical remote code execution (RCE) vulnerabilities, collectively referred to as BadAlloc, affecting a wide...
ElevenPaths #CyberSecurityReport19H2: Qihoo is the company that most collaborates in the reporting of vulnerabilities in Microsoft products Currently, there are a number of reports addressing trends and summaries on security. However, at ElevenPaths we want to make a difference. Our Innovation and Labs team has just launched another release...
Gonzalo Álvarez Marañón Rock, Paper, Scissors and Other Ways to Commit Now and Reveal Later Have you ever played rock, paper, scissors? I bet you have. Well, let’s put the tin lid on it: how would you play through the phone? One thing is...
ElevenPaths Cyber Security Weekly Briefing May 1-7 Apple fixes four 0-day vulnerabilities in WebKit Apple released yesterday a security update to fix four 0-day vulnerabilities that could be actively exploited, according to Apple itself. These four flaws...
ElevenPaths Cyber Security Weekly Briefing April 10-16 0-days in Chrome and Edge Security researcher Rajvardhan Agarwal has discovered a 0-day vulnerability in the current versions of Google Chrome and Microsoft Edge, which he has made public via his...
Sergio De Los Santos Pay When You Get Infected by Ransomware? Many Shades of Grey The Internet is full of articles explaining why ransomware should not be paid. And they are probably right, but if you don’t make a difference between the type of ransomware and...
Innovation and Laboratory Area in ElevenPaths #CyberSecurityReport20H2: Microsoft Corrects Many More Vulnerabilities, But Discovers Far Fewer There are many reports on security trends and summaries, but at ElevenPaths we want to make a difference. From the Innovation and Laboratory team, we have just launched our...
ElevenPaths Tips to Download Apps Securely The arrival of smartphones brought about a paradigm shift in the way we use and consume content through mobile devices. So much so that, from that moment on, they...
ElevenPaths Cyber Security Weekly Briefing May 1-7 Apple fixes four 0-day vulnerabilities in WebKit Apple released yesterday a security update to fix four 0-day vulnerabilities that could be actively exploited, according to Apple itself. These four flaws...
Gonzalo Álvarez Marañón Nonces, Salts, Paddings and Other Random Herbs for Cryptographic Salad Dressing The chronicles of the kings of Norway has it that King Olaf Haraldsson the Saint disputed the possession of the Hísing island with his neighbour the King of Sweden....
Diego Samuel Espitia Detecting the Indicators of An Attack We always choose to implement prevention and deterrence rather than containment mechanisms in security. However, the implementation of these mechanisms is not always effective or simple to set up...
Cyber Security Weekly Briefing January 16-22ElevenPaths 22 January, 2021 SolarWinds Update New details have been released about the software supply chain compromise unveiled in December. FireEye researchers have published an analysis that puts the focus on the threat actor called UNC2452, to which the incident is attributed. This group uses a combination of techniques to move laterally in the Microsoft 365 cloud: the theft of token signing certificates in ADFS; the modification or addition of trust domains in Azure AD; the compromise of local user credentials with high privileges synchronized to M365; and finally, the abuse of a legitimate app’s permissions by installing a backdoor. Meanwhile, Symantec researchers have discovered an additional piece of malware that would have been used as a secondary payload on several of the systems compromised by UNC2452. This malware, called Raindrop, is a payload mainly intended for the installation of Cobalt Strike.The software company MalwareBytes has admitted in a statement to have been compromised by UNC2452, although not through SolarWinds Orion, but through the abuse of a third-party application with permissions within the corporate Office365. They point out, however, that the threat actor only accessed a limited number of emails.Microsoft researchers have provided more details on the mechanisms involved in the distribution of secondary payloads (Teardrop, Raindrop, etc.) from the Solorigate backdoor (SUNBURST, according to FireEye’s terminology), which is the origin of the compromises of public and private entities resulting from the trojanisation of the SolarWinds Orion software. The researchers show how the initial backdoor is only activated for specific victims by creating two files on disk: a VBScript, which is typically named after existing services or folders to simulate legitimate machine activities; and a DLL implant, which corresponds to a custom Cobalt Strike loader. The Cobalt Strike implant, however, is not executed directly, but instead the attackers generate an IFEO registry value for a commonly running process in Windows, thus making its activation completely detached from the backdoor, making it difficult to detect and ensuring that Solarigate remains hidden. Apart from Teardrop and Raindrop, Microsoft claims to have detected other custom Cobalt Strike beacons. These DLLs are mainly placed in existing Windows subdirectories and are assigned names similar to legitimate files and directories to camouflage themselves as much as possible with the environment. New data on Intrusion at the European Medicines Agency Further details of unauthorised access to the European Medicines Agency (EMA) by cybercriminals were revealed in December, when they gained access to confidential documentation on the vaccine developed by Pfizer-BioNtech. In the last statement issued by the Agency, it has been confirmed that the cybercriminals leaked some of the documents to which they had access in underground forums at the end of December, including internal emails related to the vaccine evaluation processes, Word documents, PDFs, etc. In addition, the EMA has reported that some of this correspondence was manipulated prior to publication, in order to undermine confidence in vaccines. More details: https://www.ema.europa.eu/en/news/cyberattack-ema-update-5 FBI Warns of New Vishing Attacks The Federal Bureau of Investigation (FBI) has issued a notice to the private industry warning of the detection of telephone social engineering techniques with the aim of acquiring corporate credentials that would allow access to the networks of national and international entities. The threat actors are reportedly using VoIP platforms (also known as IP telephone services) to contact employees of any category and guide them to access a fraudulent website (e.g. fake VPN interface) where they enter their login credentials. This first compromise provides them with an entry vector that is later used to gain greater privileges by finding other network users with permissions to create and modify e-mails and usernames. This is the second warning of active vishing attacks against employees issued by the FBI since the beginning of the pandemic, after a growing number of them became homeworkers. More information: https://beta.documentcloud.org/documents/20458329-cyber-criminals-exploit-network-access-and-privilege-escalation-bleepingcomputer-210115 DNSpooq: Seven Vulnerabilities that Allow DNS Hijacking Security consultant JSOF has revealed seven vulnerabilities in Dnsmasq, an open source DNS redirection software widely used to add capabilities in IoT devices and other embedded systems. Together, these flaws have been referred to as DNSpooq, and could be exploited for DNS cache poisoning, remote code execution or denial of service attacks against millions of affected devices. Three of the vulnerabilities (classified as CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) allow DNS spoofing attacks to be carried out by poisoning the cache. With this attack, the threat actors can redirect users to malicious servers under their control without them noticing. The rest are buffer overflow vulnerabilities (classified as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681) that could allow remote code execution. While several workarounds exist, JSOF advises that the best and only full mitigation is to update Dnsmasq to version 2.83 or above. All the information: https://www.jsof-tech.com/disclosures/dnspooq/ Exposed RDP Services Used to Amplify DDoS Attacks Security researchers at Netscout have recently detected malicious exploitation of the Windows Remote Desktop Protocol (RDP) by threat actors as part of the infrastructure of stressers (on-demand DDoS tools). The RDP service is typically configured to receive requests on port 3389, TCP and/or UDP. When the second option is enabled, it is possible to achieve an amplification ratio of almost 86:1. The observed attacks range in size from 20 to 750 Gbps. All packets sent are consistent in size, 1,260 bytes. According to the researchers, there are more than 14,000 servers susceptible to this type of attack. More details: https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification Homeworking: Balancing Corporate Control and Employee Privacy (II)Laboratory Information Management System (LIMS) and its Mobile Applications
ElevenPaths Tips to Download Apps Securely The arrival of smartphones brought about a paradigm shift in the way we use and consume content through mobile devices. So much so that, from that moment on, they...
ElevenPaths Cyber Security Weekly Briefing May 1-7 Apple fixes four 0-day vulnerabilities in WebKit Apple released yesterday a security update to fix four 0-day vulnerabilities that could be actively exploited, according to Apple itself. These four flaws...
ElevenPaths Cyber Security Weekly Briefing April 24-30 BadAlloc – Critical Vulnerabilities in Industrial IoT and OT Devices Microsoft security researchers have discovered 25 critical remote code execution (RCE) vulnerabilities, collectively referred to as BadAlloc, affecting a wide...
ElevenPaths Do I Really Need an Antivirus? How can standard users protect themselves? In this article we explain what an antivirus is for and how you can be (more) protected.
Gonzalo Álvarez Marañón NFT Fever: The Latest Cryptocurrency Killing It Online In May 2007, the digital artist known as Beeple decided to create and publish a new piece of artwork on the Internet every day. True to his word, he...
Pablo Alarcón Padellano Telefónica Tech, recognized with Palo Alto Networks’ SASE, Cloud and Cortex Specializations We are the first partner in Spain awarded with Prisma SASE, Prisma Cloud and Cortex XDR/XSOAR specializations.
