About Dark Reading Staff

So far Dark Reading Staff has created 111 blog entries.

NSA Appoints Rob Joyce as Cyber Director

2021-01-16T10:39:31-05:00

Enterprise Vulnerabilities (from DHS/US-CERT's National Vulnerability Database)

- CVE-2020-25533 (published 2021-01-15): An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
- CVE-2021-3162 (published 2021-01-15): Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
- CVE-2021-21242 (published 2021-01-15): OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
- CVE-2021-21245 (published 2021-01-15): OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
- CVE-2021-21246 (published 2021-01-15): OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...


'Chimera' Threat Group Abuses Microsoft & Google Cloud Services

2021-01-15T10:36:34-05:00

Researchers detail a new threat group targeting cloud services to achieve goals aligning with Chinese interests.

Security researchers are watching a threat group that takes advantage of Microsoft and Google cloud services with the goal of exfiltrating data across a broad range of target organizations. These attackers have a "wide set of interests," say researchers with NCC Group and Fox-IT, who note the group is referred to as Chimera. Their target data ranges from intellectual property belonging to victims in the semiconductor industry to passenger data from the airline industry. Chimera appeared in various incident response engagements between October 2019 and April 2020. Researchers say the group has remained undetected in a network for up to three years.

Attackers begin by obtaining usernames and passwords from victims of previous breaches. The credentials are used in credential stuffing or password-spray attacks against a victim's remote services, for example Web mail or other online mail services. Once they have a valid account, they use it to access the victim's VPN, Citrix, or another remote service with network access.

With a foothold in the network, the attackers check the account permissions and try to get a list of accounts with admin privileges. This list helps them launch another password-spraying attack until a valid admin account is compromised. They use this account to load a Cobalt Strike beacon into memory, which can be used for remote access and command and control (C2).

In a writeup, researchers explain how the attackers use Microsoft and Google cloud services to achieve their goals. In one case, they collected data from Microsoft SharePoint Online in order to exfiltrate information. In other attacks, they changed their C2 domains: in 2019 they began using subdomains under the parent domain appspot.com, which is owned by Google, and azureedge.net, a domain owned by Microsoft and part of its Azure content delivery network.

Read the full analysis for more details.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


NSA Recommends Using Only 'Designated' DNS Resolvers

2021-01-15T10:36:35-05:00

Agency provides guidelines on securely deploying DNS over HTTPS, aka DoH.

The National Security Agency (NSA) has issued an advisory recommending that enterprises employ only their designated DNS resolver for DNS traffic and avoid third-party resolvers, which could place their data at risk. NSA said encrypted Domain Name System (DNS) technology, aka DNS over HTTPS (DoH), can be abused by attackers if it's not properly deployed in an enterprise. Using only the organization's designated enterprise DNS server for both encrypted and unencrypted DNS traffic is the safest route. "All other DNS resolvers should be disabled and blocked," the agency said.

DNS, which converts domain names into IP addresses on the Internet, has increasingly become a popular attack vector for attackers.

The NSA published new guidelines for rolling out DoH securely, Adopting Encrypted DNS in Enterprise Environments. "It outlines the importance of configuring enterprise networks appropriately to add benefits to, and not hinder, their DNS security controls. These enterprise DNS controls can prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration," the NSA said.

Read more here.


SolarWinds Attackers May Have Hit Mimecast, Driving New Concerns

2021-01-15T10:36:38-05:00

Mimecast no longer uses the SolarWinds Orion network management software that served as an attack vector for thousands of organizations.

The discovery of a data breach at email service provider Mimecast could indicate attackers behind the massive SolarWinds incident may have pursued multiple paths to infiltrate target organizations, a new report states.

Earlier this week, Mimecast confirmed an attacker had compromised a certificate provided to certain customers to authenticate Mimecast products to Microsoft 365 Exchange Web Services. The tools and techniques used in this attack link these operators to those who recently targeted SolarWinds, The Wall Street Journal reports.

The SolarWinds attack affected some 18,000 public and private organizations that downloaded infected versions of legitimate updates to its Orion network management software. However, the attack on Mimecast shows not all victims had to be SolarWinds customers to be targeted. Mimecast was a SolarWinds customer in the past but no longer uses the Orion software, a person familiar with the matter told WSJ. The company has not determined how attackers got in or whether its earlier use of SolarWinds could have left it vulnerable.

As security experts note, Mimecast digital certificates could enable attackers to read data stored on Microsoft Exchange servers. Mimecast says the incident affected about 10% of its customers. It's asking those who use this certificate-based connection to delete the existing connection in their Microsoft 365 tenant and establish a new certificate-based connection with a new certificate it has made available.

Read the full report for more details.


Huntress Acquires EDR Technology From Level Effect

2021-01-15T10:36:39-05:00

Huntress seeks to improve its detection and response capabilities with a more comprehensive view of endpoint security.

Huntress, provider of managed detection and response (MDR), has confirmed the acquisition of endpoint detection and response (EDR) technology from startup Level Effect. Level Effect offers a platform called Recon, an EDR tool designed to combine endpoint forensics with network traffic visibility. Recon was built to observe threat activity on protected internal and external endpoints so it can detect attacker behavior such as malware downloads and lateral movement.

By integrating Recon, Huntress plans to give its platform the ability to respond to malicious network sessions, event logs, and nonpersistent threats, founder and CEO Kyle Hanslovan says in a statement. Level Effect co-founders Greg Ake and Robert Noeth will join the Huntress team to support the initial integration of its technology and ongoing development of Recon software.

Huntress has purchased both Recon and its related IP portfolio; however, Level Effect will continue to operate as an independent business. Going forward, it will provide cybersecurity training for aspiring security practitioners. Financial terms of the deal were not disclosed.

Read the full release for more details.


United Nations Security Flaw Exposed 100K Staff Records

2021-01-15T10:36:43-05:00

Security researchers have disclosed a vulnerability they exploited to access more than 100,000 private employee records.

Security researchers have disclosed a vulnerability they exploited to access at least 100,000 private records belonging to employees of the United Nations' Environmental Programme (UNEP). Jackson Henry, John Jackson, Nick Sahler, and Aubrey Cottle, a team with security research group Sakura Samurai, discovered the flaw while looking for bugs affecting UN systems, Bleeping Computer reports.

They found exposed Git directories and Git credential files on domains connected to both the UNEP and the UN International Labour Organization (ILO); they were able to dump the contents of these files and clone repositories. The Git directory held sensitive files, including WordPress configuration files containing admin database credentials. These credentials gave the team access to at least 100,000 UN employee records from multiple systems.

Exfiltrated data included employee ID, name, employee group, travel justification, start and end dates, approval status, destination, and the length of stay. Researchers were also able to access more UN databases containing generalized employee records, employee evaluation reports, project funding source records, and human resources' demographic data, including nationality, gender, and pay grade, for thousands of UN workers.

The researchers say the issue has now been addressed. Read the full findings here.
