Connect with us

Government hackers attack port of Houston through Zoho vulnerability

Published

on

The CISA, the FBI, and the US Coast Guard have issued a joint warning about foreign attacks through the Zoho vulnerability.

A hacker group, allegedly funded by a certain state, attempted to attack the computer network of one of the largest ports in the United States, the Port of Houston. During the attack, the attackers intended to exploit a zero-day vulnerability in Zoho. This was announced on Thursday, September 23, by representatives of the Cyber ​​and Infrastructure Security Agency (CISA) at a hearing in the US Senate.

Port Authority stated that she was able to successfully repel the attack and “no operational data or systems were affected.” Following an investigation by the CISA, the FBI and the US Coast Guard published a joint warning to organizations in the United States of foreign country attacks through the Zoho vulnerability.

How reported CrowdStrike Senior Analyst Matt Dahl, the zero-day vulnerability has been exploited in attacks since August 2021.

Zoho fixed the vulnerability (CVE-2021-40539) on September 8th, and then CISA released his first warning of attacks. Who is behind the attacks is still unknown. CISA has not yet credited the attempted hacking of the Port of Houston computer network to any particular group.

“Of course, the most sophisticated attackers go to great lengths, as in the case of SolarWinds, to cover their tracks and hide their presence in order to stay on the networks for extended periods of time and extract data. But we are working very closely with our interagency partners and the intelligence community to better understand the actors of threats and can not only protect systems, but ultimately bring these actors to justice, ”- said the leadership of CISA.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Security

PT Network Attack Discovery detects 33 more suspicious network activities

Published

on

Positive Technologies has released a new release of the PT Network Attack Discovery (PT NAD) 10.2 traffic analysis system.

Positive Technologies has released a new release of the traffic analysis system PT Network Attack Discovery (PT NAD) 10.2, which automatically detects the types and roles of network nodes, detects scan, flood and DDoS attacks, and processes traffic losslessly at speeds up to 10 Gbps.

Detection of new threats

In PT NAD 10.2, the number of detected suspicious activities has been increased by 9 times – there are 37 of them now. All of them are displayed in a single feed [1]to help users respond faster to detected threats. The feed collects threats identified using analytics modules (non-signature method) on one page and makes it possible to manage them. PT NAD users will now know in a timely manner when:

Credentials are transmitted to the network in clear text (which can be used by an attacker during an attack);

· Active VPN and proxy servers are monitored (for example, if internal nodes access external OpenVPN or SOCKS5 proxy servers);

· Software for remote control is used (TeamViewer, AeroAdmin, RMS, etc.) or remote commands are executed using PsExec and PowerShell;

· There is malware activity on the network.

In addition, the Activity stream continues to display custom notifications, backtracking indicator of compromise messages, dictionary passwords, and information about unknown DHCP servers.


PT NAD’s activity feed includes 37 types of threats that require a response

PT NAD 10.2 has a built-in mechanism for detecting network scanning, flooding and DDoS attacks. During such attacks, many sessions are created on the company’s network. Instead of storing information about each connection separately, PT NAD now creates one session record and one attack record in the activity stream, which contains aggregated data about the entire attack session. Such a combination “saves” the system: protects against database overflow and increases the stability of the sensor.

Network Node Management: Roles and Types

In order for information security specialists to have complete information about which nodes are involved in the network interaction and how the network works as a whole, PT NAD began to automatically determine the types and roles of nodes. The type indicates whether a particular node is a server, printer, mobile device, or workstation. Role refers to a function that a device performs. Version 10.2 defines 15 roles, including DNS server, VPN, domain controller, proxy server, monitoring system. The user can manually reassign the device type and role.


With the help of the updated filter, the user can find the nodes of interest by IP address, type, role, group membership and other parameters

Knowledge of what constitutes a company’s infrastructure is necessary in order to properly protect it and accurately detect attacks in it., – comments Dmitry Efanov, head of development, PT NAD Positive Technologies… – This information in PT NAD gives security operators an understanding of what devices are on the network and what roles they play, thus helping to take inventory of the network.“.

Capture and analyze traffic

Starting with this version, PT NAD captures traffic on Linux using the DPDK engine (Intel library that provides the most efficient way to capture traffic on Linux among other mechanisms), which processes it losslessly at a speed of tens of gigabits per second.

For greater transparency of internal traffic, PT NAD 10.2 has expanded the list of defined and parsed protocols. The updated system now parses all existing SQL data transfer protocols: MySQL, PostgreSQL, Transparent Network Substrate from Oracle and Tabular Data Stream (the ability to detect it was added in the previous release). PT NAD also defines the protocols of the Elasticsearch system and PostScript printing – with the help of the latter, printers on the corporate network communicate. The total number of detected protocols has reached 86.

Other UX improvements

A number of changes in PT NAD 10.2 are aimed at improving the usability of the product. Now you can find out from the interface about the current status and validity of the license and add or change it yourself. Added the option to copy the link to the card of a specific session or attack, in order to quickly exchange information with other users.

[1] Added in release PT NAD 10.1

Continue Reading

Security

Facebook Papers Sheds Light on Social Media Moderation Issues

Published

on

The media, to which the company’s internal documents were leaked, claim that the company prioritizes profits over users.

The so-called Facebook Papers (an array of documents released to the public by former Facebook product director Francis Haugen) shed light on the problems with content moderation and the fight against disinformation on the platform. Major media outlets to which Haugen handed the documents, including Reuters, Bloomberg and The Washington Post, argue that the company prioritizes profit over user safety, although Facebook employees have repeatedly warned it of the potential risks.

For example, The Washington Post accuses Facebook head Mark Zuckerberg of downplaying the importance of reports that the site contributed to incitement to hatred, while addressing the US Congress. According to the newspaper, Zuckerberg knew that the problem was actually much more serious than it was reported to the public.

According to internal company documents, the platform removes less than 5% of hateful posts, and senior management (including Zuckerberg) was well aware of the platform dividing people into opposing camps. Facebook denies the allegations and claims its internal documents were misinterpreted.

Zuckerberg is also allegedly responsible for the decision not to suppress misinformation about COVID-19 in the early stages of the pandemic, as there could be a “significant trade-off with the influence of MSI” (meaningful social interaction – an internal Facebook metric). Facebook denies this, claiming that the documents have been misunderstood.

In turn, the news agency Reuters accused Facebook of regularly neglecting developing countries, which were allowed to publish publications inciting hatred and calling for extremist action. In other words, the company did not hire enough moderators with knowledge of the language and culture of these countries to effectively remove such content. Instead, it unjustifiably relied on its automatic moderation systems, which are ineffective in non-English-speaking countries. Again, Facebook denies these allegations.

According to reports from The New York Times, Facebook was well aware that the “Like” and “Share” functions (key elements of the social network) contributed to the spread of hate speech. As stated in a document titled “What Is Collateral Damage”, Facebook’s failure to address this issue will ultimately result in the company “actively (not necessarily knowingly) promoting such activity.” Again, Facebook claims the document was misinterpreted because the company would not harm its users.

Continue Reading

Security

Discourse team has released an urgent patch to fix a critical vulnerability

Published

on

The vulnerability allows remote code execution using a specially crafted request.

Discourse Development Team let out steele update to address a remote code execution vulnerability in the platform.

Discourse is a popular open source Internet forum and mailing list management software with a client base of over 2,000 customers, including Amazon Seller Central, which has a monthly audience of 30 million users.

The vulnerability (CVE-2021-41163) is a validation error in the aws-sdk-sns gem upstream stream that can be exploited to remotely execute code using a specially crafted request. The highest severity vulnerability (CVSS 10) exists due to a lack of validation in the subscribe_url values.

The issue was fixed in Discourse 2.7.9 (stable) and 2.8.0.beta7. The Discourse team did not provide full information about the problem, but the information security expert who discovered the vulnerability, known as joernchen, published some details about her.

Developers are advised to upgrade to Discourse 2.7.9 and higher as soon as possible, and if this is not yet possible, apply protective measures, in particular, block requests containing the / webhooks / aws path at the upstream proxy level.

Continue Reading

Most Popular