fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Ransomware Gang Now Using Critical Windows Flaw In Attacks

Ransomware Gang Now Using Critical Windows Flaw In Attacks

Microsoft is warning that cybercriminals have started to incorporate exploit code for the ZeroLogon vulnerability in their attacks. The alert comes after the company noticed ongoingattacks from cyber-espionage group MuddyWater (SeedWorm) in the second half of September.

This time, the threat actor is TA505, an adversary who is indiscriminate about the victims it attacks, with a history starting with the distribution of Dridex banking trojan in 2014.

Over the years, the actor has been in attacks delivering a wide variety of malware, from backdoors to ransomware.

Recently, intrusions from this group are followed by the deployment of Clop ransomware, as in the attack on Maastricht University last year that resulted in paying a 30 bitcoin (about $220,000) ransom.

Fake updates and legit tools

Microsoft says that TA505, which it tracks as Chimborazo, deployed a campaign with fake software updates that connect to the threat actor’s command and control (C2) infrastructure.

The purpose of the malicious updates is to give hackers increased privileges (User Account Control bypass) on the target system and run malicious scripts.

source: Microsoft

Also Read: How Singapore Cybersecurity Masterplan 2020 Is Formidable

For the second part, TA505 uses Windows Script Host (WScript.Exe), which allows executing scripts in various programming languages, including VBScript, Python, Ruby, PHP, JavaScript, and Perl.

Microsoft says that the attackers compile a version of the Mimikatz post-exploitation tool using the Microsoft Build Engine (MSBuild.Exe)n for building applications.

The version of Mimikatz obtained this way includes exploit code for the ZeroLogon vulnerability (CVE-2020-1472). Over the past month, numerous researchers released proof–of–concept exploits for this flaw.

What Microsoft described in a short thread is a classic domain takeover attack, where ZeroLogon is a perfect fit. It offers direct access to the domain controller, so the attacker no longer needs to spend time getting the admin credentials.

With TA505 involved in big-money ransomware business, organizations should prioritize applying security patches for this vulnerability as attacks similar to what Microsoft described are likely to occur with increased frequency.

ZeroLogon details available

Discovered by Tom Tervoort of Secura, ZeroLogon allows intruders on a domain network to increase permissions to administrator level without needing to authenticate.

Tervoort found that he could force the connection to a domain controller through the Netlogon Remote Protocol in an unencrypted state (non-secure RPC communication).

Next, by leveraging a flaw in the Netlogon crypto algorithm, it is possible to spoof a domain administrator login. A technical write-up is available from Secura.

Microsoft addressed this vulnerability partially for now, by preventing Windows Active Domain controller communication over non-secure RPC. This update is available since August 11.

On February 9, though, a new update will enforce the same secure communication to all devices on the network.

Also Read: 10 Practical Benefits of Managed IT Services

Warnings released

Network admins received repeated warnings about the severity of the ZeroLogon vulnerability (maximum critical score 10/10) and urged to apply the current patch.

With exploit code that (domain admin privilege obtained in seconds) released since mid-September, threat actors moved quickly to incorporating it in their attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on September 18 required the Federal Civilian Executive Branch to treat fixing the flaw as an emergency.

Microsoft first sounded the alarm on September 23, when it saw ZeroLogon actively exploited in attacks. Next came the alert about MuddyWater leveraging the exploit.

Now it’s cybercriminals wielding it, a clear sign that ZeroLogon is on the way of being adopted by a wide range of threat groups targeting organizations in both the public and private sectors.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us