STE WILLIAMS

The FBI this week shut down Deer.io, a Russia-based hacker platform through which criminals could buy access to virtual storefronts and sell illegal products or services. Officials arrested its suspected administrator, alleged Russian hacker Kirill Victorovich Firsov, charging him with crimes related to hacking US companies for customers’ personal data, the Department of Justice reports.

Cyberstores hosted on Deer.io sold a range of hacked personally identifiable information (PII), financial and corporate data, and compromised user accounts from several US companies. Shoppers could buy computer files, financial data, PII, and credentials stolen from machines infected with malware located in the US and around the world. Since it began operations in October 2013, Deer.io claims to have more than 24,000 active shops with sales in excess of $17 million.

An attacker who wanted to buy data from a Deer.io shop could use a Web browser to access the Deer.io domain, which resolved to Deer.io storefronts. There they could search for user accounts or PII from specific companies or browse different criminal services for sale.

In early March, FBI investigators bought about 1,100 gamer accounts and thousands of PII accounts from multiple Deer.io shops. They confirmed 249 gamer accounts were related to a specific company, which confirmed the accounts were legitimate and could grant an attacker access to a victim’s media library and linked payment methods. PII accounts revealed data the FBI used to identify names, birthdates, and Social Security numbers for American citizens.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Three Ways Your BEC Defense Is Failing How to Do Better.“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/fbi-shutters-russian-based-hacker-platform-makes-arrest/d/d-id/1337402?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Azure applications could be weaponized to break into Microsoft 365 accounts, report researchers who are investigating new attack vectors as businesses transition to cloud environments.

The Varonis research team encountered this vector while exploring different ways to exploit Azure, explains security researcher Eric Saraga. While they found a few campaigns intended to use Azure applications to compromise accounts, they discovered little coverage of the dangers. They decided to create a proof-of-concept apps to demonstrate how this attack might work. It’s worth noting they did not discover a flaw within Azure, but instead detail ways its existing features could be maliciously used. 

“We decided to do the proof of concept after seeing potential danger — not from any specific trends,” he says. “However, if anybody is utilizing what we described here to launch attacks, it will most certainly be an [advanced persistent threat] group or a very sophisticated attacker.” As the cloud advances, Saraga anticipates we’ll start seeing campaigns designed to use simpler versions of this attack.

Microsoft built the Azure App Service so that developers could create custom cloud applications to call and consume Azure APIs and resources. It’s meant to simplify the process of building programs that integrate with different components of Microsoft 365. The Microsoft Graph API, for example, lets apps communicate with co-workers, groups, OneDrive documents, Exchange Online mailboxes, and conversations across a single person’s Microsoft 365 platform.

Before an app can do this, however, it must first ask an employee for access to the resources it needs. An attacker who designs a malicious app and deploys it via phishing campaign could trick someone into granting them access to resources within the cloud. Azure applications don’t require Microsoft’s approval or code execution on a victim’s machine, researchers point out; as a result, it’s easier for them to evade security systems.

An attacker must first have a web application and Azure tenant to host it. From there, phishing emails are the most effective way for them to gain a foothold, says Saraga. An attacker could send a message with a link to install the malicious Azure app; this link would direct the user to an attacker-controlled site, which would redirect the user to Microsoft’s login page. 

“The authentication is handled and signed by Microsoft; therefore, even educated users might be fooled,” he notes. Once the victim logs in to his or her Microsoft 365 instance, a token is created for the app and the user will be prompted to grant permissions. The prompt will look familiar to anyone who has installed an app in SharePoint or Teams; however, it’s also where victims may see a red flag: “This application is not published by Microsoft or your organization.”

This is the only clue that might indicate foul play, Saraga notes, but many people are likely to click “accept” without thinking twice about it. From there, a victim won’t know someone unauthorized is there unless the intruder modifies or creates objects that are visible to the user, he explains.

With these permissions, an attacker would be able to read emails or access files as they wish. This tactic is ideal for reconnaissance, launching employee-to-employee spearphishing attacks, and stealing files and emails from Office 365, Saraga adds. “By reading the user’s emails, we can identify the most common and vulnerable contacts, send internal spearphishing emails that come from our victim, and infect his peers,” he writes in a blog post on the findings. “We can also use the victim’s email account to exfiltrate data that we find in 365.” 

Flying Under the Radar
Granting access to an Azure app is not very different from running a malicious executable or enabling macros in a malicious file, Saraga notes. But because this technique does not require executing code on the endpoint, it is difficult to detect and block.

Microsoft does not recommend disabling third-party applications altogether as it prevents users from granting consent on a tenant-wide basis and limits their ability to fully leverage third-party apps. Given this, Saraga advises paying close attention to the warning text that appears when an unknown application asks for permissions.

“First, keep a close eye on new Azure applications. Then decide if they are trustworthy or not: Are they verified? Do you know the developer? Can you trust it?” he advises. “Second, monitor user activity across the organization. Abnormal activity might indicate a compromise.”

Related Content:

• Process Injection Tops Attacker Techniques for 2019
• Cybercriminals’ Promises to Pause During Pandemic Amount to Little
• Security Lessons We’ve Learned (So Far) from COVID-19
• Vulnerability Management Isn’t Just a Numbers Game

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Three Ways Your BEC Defense Is Failing How to Do Better.“

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/cloud/how-attackers-could-use-azure-apps-to-sneak-into-microsoft-365/d/d-id/1337399?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Pandemics make for strange bedfellows.

In mid-March, ransomware gangs claimed to be pausing operations against healthcare organizations for the duration of the coronavirus pandemic, following pleas from some security firms and questions from journalists. The group behind the Maze ransomware operation, for example, pledged that “we [will] stop all activity versus all kinds of medical organizations until the stabilization of the situation with the virus.”

But the sincerity of such promises is suspect. The Maze Team reportedly was, at the same time they were pledging to stop activity, in the process of extorting money from a UK medical research facility, Hammersmith Medicines Research. The University Hospital of Brno in the Czech Republic reportedly suffered an outage on March 20 due to a cyberattack, possibly ransomware. Other groups have rapidly increased phishing attacks that leverage the subject of the coronavirus, and the COVID-19 disease it causes, as a lure. And outright fraud has increased as well, such as e-mail campaigns collecting “donations” for coronavirus-fighting charities, according security services firm CrowdStrike.

The chaos and fear created by the coronavirus pandemic is just too enticing for cybercriminals to resist, says Adam Meyers, vice president of intelligence at CrowdStrike. “When you have something this widely recognized, and you have people, frankly, freaking out about it, then it becomes an effective way to exploit those fears,” he says. “The threat is definitely there, and it’s something we are paying close attention to.”

As countries struggle to respond to the coronavirus pandemic, some cybercriminals and security firms have advised against exploiting the chaos.

Security firm Emisoft addressed ransomware groups directly in a March 18 statement urging them to — at the very least — leave healthcare organizations alone: “Make no mistake, an attack on a healthcare organization will have negative outcomes and may result in the loss of life. We ask for your empathy and cooperation. Please do not target healthcare providers during the coming months and, if you target one unintentionally, please provide them with the decryption key at no cost as soon as you possibly can.”

Chatter in underground forums appear to show that some operators may have similar sympathies. When one would-be fraudster asked how they could take advantage of the COVID-19 chaos, other forum participants criticized them, in an exchange seen by threat intelligence firm Digital Shadows.

“As we’ve seen time and time again, cybercriminals will find ways to take advantage of people’s fears and uncertainties in the wake of major disasters and emergencies,” Alex Guirakhoo, a threat research analyst with Digital Shadows, wrote in a blog post. “However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation.”

Still, such sentiments seem to be a rarity. Moreover, pledging to forgo attacks against healthcare institutions may be a ploy to gain some goodwill and convince other companies that the cybercriminal group is trustworthy.

“For most attackers, a time of crisis is in reality a time to expand their businesses,” Tim Mackey, principal security strategist for software-security firm Synopsys, said in a statement. “They know that with businesses operating with either remote workers or with limited IT staffing levels that defenses will be weakened. Since the attackers define their rules of attack, it’s worth noting that even a pledge to not target healthcare providers by ransomware teams may in actuality be part of their strategy.”

And for nation-state actors, stealing information about another nation’s reaction to the crisis could be good politics, says Patrick Coughlin, CEO for threat intelligence provider TruSTAR Technology.

“It’s hard to know whether the major nation-states or known major threat actors have ordered a detente or a truce — it’s hard to know,” he says. “But it doesn’t really matter because the noise from the scammers continues to grow, and they can use all the noise as cover.”

In addition to the increased activity from cybercriminals groups, the fact that most companies now have to deal with many more remote workers aids attackers. The pandemic and the move to remote working has caused massive changes in the patterns of life for workers, which may cause many organizations to struggle to redefine a new baseline “normal” pattern of behavior, Coughlin says.

“The baseline signal that a security organization would have of what is normal activity has been thrown out the window,” he says. “That loss of the normal pattern of life is providing cover for the bad guys. They have a whole different layer of noise that they can hide in.”

Many cybersecurity firms have offered to help healthcare organizations and critical groups with responding to ransomware incidents and other cyberattacks.

Related Content

• Attack Surface, Vulnerabilities Increase as Orgs Respond to COVID-19 Crisis
• FBI Warns of Fake CDC Emails in COVID-19 Phishing Alert
• VPN Usage Surges as More Nations Shut Down Offices
• Over 80% of Medical Imaging Devices Run on Outdated Operating Systems
• The Cybercrime Pandemic Keeps Spreading

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Three Ways Your BEC Defense Is Failing How to Do Better.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/cybercriminals-promises-to-pause-during-pandemic-amount-to-little/d/d-id/1337393?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

At a time when almost every company is to some degree a software company, digital transformation and cloud adoption are not just strategic but critical to enterprise success. Whether companies were born into the cloud or are just setting foot into it, it’s important to know that the traditional security practices of firewall-based network segmentation are no longer dependable in this new frontier.

Indeed, the effectiveness of traditional firewalls is fundamentally minimized by the scale and elasticity of cloud infrastructure, virtual private cloud networks, and cloud-native applications, and the many stakeholders that build, ship, and operate those applications. As more companies shift their software to a microservices-based architecture and orchestrate their containerized applications in Kubernetes, distributed security controls become a must.

In cloud environments, and in Kubernetes specifically, the threat and risk model should account for internal-born threats already present inside one of the running components. Examples include a rogue software library imported for use or a container image coming from an untrusted source.

Kubernetes has solid native security controls compared to open-platform native techrnologies or even proprietary virtual machine-based platforms. Kubernetes offers flexible authentication machinery, mature role-based access control (RBAC) for authorization, fine-grained controls on how processes run, validation of resources before admitting them into a Kubernetes cluster, and adaptive pod (colocated containers) east-west network segmentation.

Implementing fine-grained microservices network segmentation has a high impact as far as reducing and limiting the attack surface, limiting the ability to pivot from one component to another, exfiltration of data, and other forms of lateral movements.

Microsegmentation Management
Undeniably, one of the biggest challenges with microsegmentation is managing it over time. As of Kubernetes v1.8, the following native network policy APIs are generally available:

• By default, Kubernetes workloads (pods) are not isolated; pods accept traffic from any source, and pods are allowed to send traffic to any destination.

• Kubernetes network policy semantics only enable east-west (cluster internal) segmentation, as well as specifying Classless Inter-Domain Routing (CIDR) blocks. It does not support domain names (or domain wildcards) in the policy syntax.

• Kubernetes NetworkPolicy captures application intent by specifying how groups of pods are allowed to communicate with each other and other network endpoints (CIDR).

• Kubernetes NetworkPolicy resources use labels to select pods and define rules that specify what traffic is allowed to the selected pods.

• The Kubernetes Container Network Interface (CNI) plugin must support the network-policy APIs in order to enable network policy enforcement. Some popular plugin choices include Calico and Flannel, as well as the cloud provider CNI plugin that leverages the cloud service provider virtual private cloud (VPC) networking. All of the recommended plugins can be found in the Kubernetes documentation.

Right off the bat, one simple policy you can set to flip the open-by-default paradigm and close your pods off to traffic is the deny-all policy, also known as blacklisting. Blacklisting a pod denies all traffic to and from other pods. The best practice is to blacklist all of your pods, then set additional network policies to explicitly allow communication between pods as needed, also known as whitelisting. You can do this with a default deny-all policy, which changes the namespace’s default to deny all non-whitelisted traffic.

Additional network security configurations that control which traffic sources (network blocks) are allowed to be ingested into the cluster by load balancers and layer-7 proxy (Kubernetes Ingress) are available in the form of special resource annotations. This configuration comes in the form of special tags that are consumed by a Kubernetes cloud controller, a glue layer between Kubernetes, and the underlying platform the cluster runs on. The cloud controller programs the underlying VPC networking security configuration as well as load balancers in accordance with those special annotations.

Not Far Enough
While this seems a healthy amount of network security controls, Kubernetes’ native controls are not sufficient:

• Workloads (pods) that run on the host network are not subject to whatever network policies were configured on the host network.

• Kubernetes policies are additive and adhere to a whitelisting approach. It lacks very basic semantics of drop-actions in network policy rules. Whitelisting extensions can be achieved with third-party tools and open source projects such as Calico.

• Workloads that require access to resources outside the cluster are denoted by domain endpoints (such as database or SaaS services like Slack) that can’t be segmented on their egress paths.

• Identity-based access controls are not addressed by the Kubernetes native controls and require side-car based proxies to establish such controls.

• Kubernetes infrastructure does not expose policy violation statistics or logs, which means the substance that intrusion detection and prevention systems rely on is absent.

• The domain name system (DNS), Kubernetes’ underlying service discovery, is open by default for every pod in the cluster. This means exfiltration methods such as DNS tunneling and abusing inherent weaknesses in DNS protocol require specialized network security analysis to detect anomalies and threats.

Take Control of Your Own (Security) Fate
Kubernetes is still relatively new and can have a steep learning curve. Ultimately, understanding that Kubernetes is open by default is the most important step you can take toward securing your cloud-native applications and preventing unwanted traffic. With this understanding, you can change the default and take control of the traffic flowing through your application.

Related Content:

• 5 Common Cloud Configuration Mistakes
• 6 Serverless and Containerization Trends CISOs Should Track
• How Enterprises Are Developing and Maintaining Secure Applications
• Security at the Speed of DevOps: Maturity, Orchestration, and Detection
• Security Teams Struggle with Container Security Strategy

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Three Ways Your BEC Defense Is Failing How to Do Better.“

Gadi Naor brings 15 years of experience in leading the development of cybersecurity products to his role as CTO and co-founder of Alcide. Gadi has blended his management and technological background in various positions. From 2001-2008, he worked at CheckPoint, where he … View Full Bio

Article source: https://www.darkreading.com/cloud/how-to-secure-your-kubernetes-deployments/a/d-id/1337324?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A Trojan that gains remote control of devices has been identified and is being tracked by researchers with the Kaspersky Global Research and Analysis Team (GReAT). Dubbed “Milum,” the Trojan is being distributed in a campaign the researchers are calling “WildPressure.”

Analysis indicates that Milum was created in March 2019. The current campaign, which is ongoing, is targeting organizations in the Middle East. Researchers say Milum is especially troubling because it can gain control of industrial devices. In addition, Milum shares no code with other known malicious campaigns and is spread through a mechanism that has not yet been identified.

“So far, we haven’t seen any clues that would support the idea that the attackers behind WildPressure have intentions beyond gathering information from the targeted networks,” said Denis Legezo, Kaspersky senior security researcher, in a statement. “However, this campaign is still actively developing, and we’ve already discovered new malicious samples apart from the three originally discovered.”

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Three Ways Your BEC Defense Is Failing How to Do Better.“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/new-apt-targets-middle-eastern-victims/d/d-id/1337395?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new malware family has been discovered operating in 56 Google Play applications, which have collectively been downloaded nearly one million times around the world. Dubbed “Tekya,” the malware aims to commit mobile ad fraud by imitating user actions to click advertisements.

Check Point researchers say 24 of these infected apps are designed for children; for example, puzzles or racing games. The rest are utility apps: calculators, translators, and cooking apps, for example. Tekya obfuscates native code to evade Google Play Protect detection, and it uses the MotionEvent mechanism built into Android to imitate the user’s actions and generate clicks for ads from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity, researchers report.

The Tekya campaign built its audience by cloning legitimate popular applications, especially children’s apps, which were most popular for this particular malware. All of the infected apps have been removed from Google Play. If you think you may have one of these malicious apps on your device, researchers recommend uninstalling the affected app and updating the device’s operating system and applications. 

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Three Ways Your BEC Defense Is Failing How to Do Better.“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/application-security/malware-found-hidden-in-android-utility-apps-childrens-games/d/d-id/1337396?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple