Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Hackers exploit Fortinet flaw, deploy ScreenConnect, Metasploit in new campaign.
(TLP: CLEAR) The article titled “Hackers Exploit Fortinet Flaw to Deploy Cring Ransomware and Backdoors” reports on a significant cyber threat targeting Fortinet devices. The exploit leverages a vulnerability in Fortinet’s FortiOS operating system, which allows hackers to infiltrate systems and deploy malicious software, including the Cring ransomware and various backdoors.
The attackers take advantage of the vulnerability, tracked as CVE-2024-10404, to gain unauthorized access to vulnerable systems. Once inside, they deploy Cring ransomware, which encrypts files on the compromised devices, rendering them inaccessible to their owners. Additionally, the hackers install backdoors, providing them with persistent access to the compromised systems for future exploitation.
(TLP: CLEAR) Comments: The article highlights the severity of the situation, as Fortinet is a widely used provider of network security appliances and services. The exploit poses a significant risk to organizations using Fortinet devices, potentially leading to data loss, financial damage, and operational disruption. It emphasizes the importance of promptly applying security patches and updates provided by Fortinet to mitigate the risk of exploitation. Additionally, organizations are advised to implement robust cybersecurity measures, such as network segmentation and intrusion detection systems, to detect and prevent unauthorized access and malware infections.
(TLP: CLEAR) Recommended best practices/regulations:
Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
“Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typosquats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
“Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command and control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
“Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.
“Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html
Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services.
(TLP: CLEAR) The article on The Hacker News discusses a warning issued by Cisco regarding a significant increase in brute-force attacks globally. Brute-force attacks involve automated attempts to guess passwords or encryption keys, often through trial and error. Cisco’s report highlights a surge in these attacks targeting various organizations and industries, posing a serious threat to enterprise data and systems.
(TLP: CLEAR) Comments: Remote access has been heavily targeted by threat actors over the past six months because a successful compromise allows the attackers the ability to access other resources inside the enterprise, including file servers, email accounts, etc. Other VPNs, such as Ivanti Connect, have also been attacked and used to plant malware and to look for credentials and documents inside of email inboxes.
(TLP: CLEAR) Recommended best practices/regulations:
NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”
One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Detection Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara has two solutions that can help in this instance. UltraWAF can help protect SSL VPNs against vulnerabilities and brute-force logins. Once attackers are inside the enterprise network, UltraDDR can detect and block tool downloads, data exfiltration, and other activities on compromised endpoints.
Vercara’s Web Application Firewall, UltraWAF, provides protection at the application layer to detect and block DDoS attacks but also unwanted web bots and application attacks such as SQLi, XSS, and CSRF.
Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://thehackernews.com/2024/04/cisco-warns-of-global-surge-in-brute.html
Critical Atlassian flaw exploited to deploy Linux variant of Cerber ransomware.
(TLP: CLEAR) The article discusses a critical security flaw discovered in Atlassian software, specifically in its Confluence platform, which has been actively exploited by malicious actors. The vulnerability allows attackers to execute arbitrary code remotely without authentication, potentially leading to unauthorized access and control over affected systems.
(TLP: CLEAR) Comments: Atlassian has released patches to address this issue, urging users to update their software immediately to mitigate the risk of exploitation. The article highlights the significance of promptly applying security updates to safeguard against potential cyber threats.
(TLP: CLEAR) Recommended best practices/regulations:
PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
“Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
“Actively running and up to date as applicable.
“Generating audit logs.
“Configured to either block web-based attacks or generate an alert that is immediately investigated.”
Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, delivers robust web application protection. This cloud-based service shields against application layer and web application firewall software threats, ensuring fast, secure defense for your online assets.
Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html
TA558 hackers weaponize images for wide-scale malware attacks.
(TLP: CLEAR) In April 2024, The Hacker News reported on a new tactic employed by the notorious TA558 hacking group. Known for its sophisticated cyber-attacks, TA558 has now turned to weaponizing images as a means of spreading malware. By embedding malicious code within seemingly harmless image files, the group aims to bypass traditional security measures and infect unsuspecting victims’ devices.
(TLP: CLEAR) Comments: This innovative approach underscores the evolving nature of cyber threats and highlights the importance of vigilance in defending against such attacks.
(TLP: CLEAR) Recommended best practices/regulations:
PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.”
Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2024/04/ta558-hackers-weaponize-images-for-wide.html
AWS, Google, and Azure CLI tools could leak credentials in build logs.
(TLP: CLEAR) The article discusses a potential security threat affecting cloud service providers like AWS, Google Cloud, and Azure. Researchers have identified vulnerabilities in command-line interface (CLI) tools used by these platforms, which could allow attackers to execute arbitrary code on users’ machines.
(TLP: CLEAR) Comments: These vulnerabilities stem from insecure practices in how these tools handle certain types of inputs, potentially enabling malicious actors to exploit them for remote code execution. The article emphasizes the importance of promptly updating CLI tools to their latest versions to mitigate these risks and ensure robust security measures.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-40R4 “Guide to Enterprise Patch Management Planning” Chapter 2.2: “Know when new software vulnerabilities affect your organization’s assets, including applications, operating systems, and firmware. This involves knowing what assets your organization uses and which software and software versions those assets run down to the level of packages and libraries, as well as keeping track of new vulnerabilities in that software. For example, your organization might subscribe to vulnerability feeds from software vendors, security researchers, and the National Vulnerability Database (NVD).”
(TLP: CLEAR) Vercara: Vercara’s UltraBot Manager effectively counters sophisticated bot attacks and business logic abuse, integrating API threat detection and API threat hunting mechanisms by leveraging a vast threat database of malicious behaviors, IP addresses, and organizations, and blocking attacks in real time.
Source: https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please visit our solutions overview page or contact us.