Campaigns Result - SOCRadar LABS

Ipv4s	Source	Last Update
81.19.135.241	SOCRadar	2024-08-28
178.250.243.30	SOCRadar	2024-08-27
45.136.49.35	SOCRadar	2024-08-27

The D Brief: Russia’s MIRV missile; Space Force’s naughty list; McConnell to Senate Approps; Worst telecom hack in US history; And a bit more.

2024-11-24

defenseone.com

rss

forum

news

surface web

Looking at the Attack Surfaces of the Kenwood DMX958XR IVI

2024-11-24

In our previous Kenwood DMX958XR blog post, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of each PCB. In this post, we aim to outline the attack surface of the DMX958XR in the hopes of providing inspiration for vulnerability research.

We will cover the main supported technologies that present potential attack surfaces, such as USB, Bluetooth, Android Auto, Apple CarPlay, Kenwood apps, and more. We also provide a list of the open-source components the DMX958XR claims to use.

All information has been obtained through reverse engineering, experimenting, and combing through the following resources:

·      Kenwood DMX958XR Product Page
·      Kenwood DMX958XR Instruction Manual [PDF]
·      Kenwood DMX958XR Quick Start Guide [PDF]
·      Kenwood Portal App
·      Kenwood Remote S App

USB

The DMX958XR is equipped with a single USB-C port that operates at USB 2.0 speeds and provides the necessary interface for wired Android Auto and Apple CarPlay. The USB port also supports playback of audio files from a USB flash drive. The supported audio filetypes and their associated extensions are:

·      MP3 (.mp3)
·      WMA (.wma)
·      AAC-LC (.m4a)
·      WAV (.wav)
·      FLAC (.flac, .fla)
·      Vorbis (.ogg)

Beyond just audio, a USB flash drive can also be used to play back video files. The supported video file types and their associated extensions are:

·      MPEG-1 (.mpg, .mpeg)
·      MPEG-2 (.mpg, .mpeg)
·      H.264 / MPEG-4 (.mp4, .m4v, .avi, .flv, .f4v)
·      WMV (.wmv)
·      MKV (.mkv)

Robustly parsing and decoding these file formats is notoriously complicated and error-prone, which makes for a potentially rewarding attack surface. USB flash drives must be formatted as either FAT16, FAT32, exFAT, or NTFS for the head unit to be able to read them.

Bluetooth

Bluetooth version 5 is supported by the head unit and is used for making phone calls, receiving calls, and playing audio from a paired mobile phone. The following Bluetooth profiles are implemented:

·      Hands-Free Profile v1.7
·      Serial Port Profile
·      Phonebook Access Profile
·      Audio/Video Remote Control Profile (AVRCP) v1.6
·      Advanced Audio Distribution Profile (A2DP)
·     Supporting codecs: SBC, AAC or LDAC

Android Auto, Apple CarPlay, and the Kenwood apps all utilize Bluetooth in varying capacities.

Wi-Fi

The head unit provides a Wi-Fi access point, which is primarily used for wireless Android Auto and Apple CarPlay. There is no intention for the end user to directly connect to this access point, and there is no officially documented way of acquiring the password. However, internal research has discovered multiple methods to obtain the password. Once connected to the access point the following ports are listening:

· TCP: 7000, 8086
· UDP: 67, 5353, 35917, 50002, 60794

The two TCP ports and UDP port 50002 are of particular interest since they are running non-standard services.

Android Auto and Apple CarPlay

Both wired and wireless Android Auto and Apple CarPlay are supported without the need for a third-party application to be installed on the paired mobile phone. When using the wireless versions, the paired phone connects to the aforementioned Wi-Fi network to establish a high-bandwidth channel for data to be sent and received. When connecting using a USB cable, the Wi-Fi network isn't used by Android Auto or Apple CarPlay, but it is still active.

Pwn2Own Automotive 2024 didn’t see any entries that leveraged Android Auto or Apple CarPlay functionality to compromise a head unit. We will have to wait and see if Pwn2Own Automotive 2025 does!

Kenwood Apps

Kenwood offers two Android/iOS apps to interface with the DMX958XR. The first app is the Kenwood Portal App, which allows users to transfer photos from a mobile phone to the head unit over Bluetooth. The transferred photos can then be viewed as a slideshow on the head unit or be used as wallpaper.

This presents an interesting attack surface – especially if the DMX958XR itself performs any complex image handling tasks on the received images, such as resizing or converting between different image formats. The user-supplied images also need to be persisted in the head unit's filesystem, further expanding the attack surface.

The second app is the Kenwood Remote S app, which connects to the head unit over Bluetooth and allows for multimedia control, such as selecting a radio station, skipping a track, and more. The Bluetooth Audio/Video Remote Control Profile (AVRCP) is designed for this task. However, no research was performed to confirm if the Remote S app takes advantage of AVRCP. There are a few other Kenwood apps available, but they are not listed as supported on the DMX958XR product page and therefore have not been explored.

Open Source Software

A list of open-source licenses can be viewed from the head unit by navigating to Menu -> Settings -> Special -> Open Source Licenses. There is no guarantee these open-source projects are actually used, but a complete list of the projects is provided at the end of this blog post. Where available, the versions of the projects have also been included.

Summary

We hope that this blog post has provided enough information about the DMX958XR attack surface to guide vulnerability research. Not every attack surface has been mentioned and we encourage researchers to investigate further. The next post in this series will cover details of the DMX958XR firmware.

We are looking forward to Automotive Pwn2Own, again to be held in January 2025 at the Automotive World conference in Tokyo. We will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions or register! We hope to see you there.

You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.

Open Source Software List

Below is a complete list of all the open-source software the head unit claims to use:

·      OpenSSL (2011)
·      SSLeay (1998)
·      ALSA
·      BusyBox
·      Cairo
·      D-Bus
·      dnsmasq (2014)
·      e2fsprogs (2007)
·      Freeware Advanced Audio Coder v1.36 (2009)
·      flac (2014)
·      fontconfig (2012)
·      GLIB (1997)
·      bashline (1993)
·      iconv (2011)
·      GNU MP (2007)
·      GNU readline (2005)
·      GNU tar (2006)
·      gstreamer (2000)
·      GdkPixbuf (1999)
·      GnuTLS (2012)
·      HarfBuzz (2012)
·      ICU (2015)
·      ImageMagick (2016)
·      iperf (2007)
·      libpng (2019)
·      libusb (2015)
·      xiph (2015)
·      libxml2 (2012)
·      libxslt (2002)
·      Naver fonts (2007)
·      GIO (2010)
·      OpenSSH
·      OpenSSL (2011)
·      PCI Utilities v3.3.1 (2015)
·      Qt (2013)
·      Bluetooth SBC library (2013)
·      Sysvinit (2004)
·      Info-ZIP (2007)
·      bzip2 v1.0.6 (2010)
·      cURL (2015)
·      dpkg (1995)
·      libffi (2014)
·      libjpeg v9a (2014)
·      XFree86 (2000)
·      libproxy (2006)
·      libX11 (2006)
·      soup-cache (2010)
·      nettle (2002)
·      libdpkg (1995)
·      pango (1999)
·      sysctl v1.0.1 (1999)
·      alloc (2002)
·      pslash (2006)
·      tslib (2001)
·      libudev (2011)
·      usbmisc (2003)
·      zlib v1.2.8
·      s-bios (2011)
·      devmem2 (2000)
·      hostapd (2015)
·      hidapi (2010)
·      wpa-supplicant (2015)
·      OpenMax (2008)
·      oRTP (2015)
·      unzip v1.1 (2010)
·      hts_engine (2011)
·      google-breakpad (2006)
·      boost v1.0 (2003)
·      SQLite (2001)
·      PCRE (2019)
·      OpenGL (2012)
·      base64 (2001)
·      mDNSResponder
·      RapidJSON (2015)
·      crc32 (2005)
·      zconf (2005)

zerodayinitiative.com

rss

forum

news

surface web

domain-protect: prevent subdomain takeover

2024-11-24

The post domain-protect: prevent subdomain takeover appeared first on Penetration Testing Tools.

meterpreter.org

rss

forum

news

surface web

Above: Invisible protocol sniffer for finding vulnerabilities in the network

2024-11-24

The post Above: Invisible protocol sniffer for finding vulnerabilities in the network appeared first on Penetration Testing Tools.

meterpreter.org

rss

forum

news

surface web

CISA Warns of Apple & Oracle Agile Vulnerabilities Exploited in Wild

2024-11-24

The post CISA Warns of Apple & Oracle Agile Vulnerabilities Exploited in Wild appeared first on Cyber Security News.

cybersecuritynews.com

rss

forum

news

surface web

Attackers retain old scamming tricks with new twists — and consumers must stay informed to protect themselves

2024-11-24

techradar.com

rss

forum

news

surface web

China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Campaign

2024-11-24

The post China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Campaign appeared first on All Hacker News.

domains

urls

china

security

joomla

Week in review: 0-days exploited in Palo Alto Networks firewalls, two unknown Linux backdoors identified - Help Net Security

2024-11-24

google.com

rss

forum

news

surface web

The Good, the Bad and the Ugly in Cybersecurity – Week 47

2024-11-22

sentinelone.com

rss

forum

news

surface web

CVE-2024-52615 | Avahi DNS Response injection

2024-11-22

A vulnerability, which was classified as problematic, was found in Avahi. This affects an unknown part of the component DNS Response Handler. The manipulation leads to injection. This vulnerability is uniquely identified as CVE-2024-52615. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

vuldb.com

rss

forum

news

surface web

CVE-2024-52616 | Avahi DNS Transaction ID initialization

2024-11-22

A vulnerability has been found in Avahi and classified as problematic. This vulnerability affects unknown code of the component DNS Transaction ID Handler. The manipulation leads to improper initialization. This vulnerability was named CVE-2024-52616. The attack can only be initiated within the local network. There is no exploit available. It is recommended to apply a patch to fix this issue.

vuldb.com

rss

forum

news

surface web

Hackers Exploit Jupyter Notebooks for Sports Piracy Through Stream Ripping Tools

2024-11-22

Malicious hackers are taking advantage of misconfigured JupyterLab and Jupyter Notebooks to facilitate sports piracy through live stream capture tools, according to a report by Aqua Security shared with The Hacker News.

The attack involves hijacking unauthenticated Jupyter Notebooks to gain initial access and execute a series of steps aimed at illegally streaming sports events. This activity was uncovered during an investigation into attacks on Aqua's honeypots.

"First, the attacker updated the server, then downloaded the tool FFmpeg," explained Assaf Morag, director of threat intelligence at Aqua Security. "This action alone is not a strong enough indicator for security tools to flag malicious activity."

Morag noted that the attackers then executed FFmpeg to capture live sports streams, redirecting them to their server. The campaign’s ultimate objective is to download FFmpeg from MediaFire, capture live feeds from Qatari network beIN Sports, and rebroadcast the content illegally via ustream[.]tv. This tactic allows the attackers to misuse compromised Jupyter Notebook servers as intermediaries while profiting from advertising revenues linked to the unauthorized streams.

Although the identity of the hackers remains unclear, one of the IP addresses used (41.200.191[.]23) suggests they may originate from an Arabic-speaking region.

"However, it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Morag added.

He warned that the risks extend beyond piracy, potentially leading to denial-of-service attacks, data manipulation, theft, corruption of AI and ML processes, lateral movement within critical systems, and severe financial and reputational harm.

blogger.com

rss

forum

news

surface web

ffmpeg

The Hidden Dangers of Compromised Wi-Fi Routers

2024-11-22

Cybercriminals who attack routers are swift and precise, spending countless hours studying network vulnerabilities to compromise sensitive data and then taking advantage of those vulnerabilities to compromise the router. The term "router hacking" refers to taking control of a user's router without their consent by a cybercriminals.

The Wi-Fi hacker, like other types of hackers, relies on security measures that a user may have implemented to protect themselves against the hack - often the administrator password for their router or an unpatched vulnerability in their system. The hacker has a variety of tricks that he can use if he wants to hack into a router successfully.

There is a risk that a hacker will be able to gain access to a router in minutes if the user has not set a strong password for their router. The hacker can take control of users' router after they have gained access, and even change the settings or install malicious software on users' router after they have gained control. These are all signature signs that users have been hit by a black-hat hacker, as opposed to their more altruistic white-hat cousins.

Approximately one in 16 internet-connected home Wi-Fi routers can be remotely accessed by attackers using the manufacturer's default admin password. Getting continually kicked off users' home networks can be super annoying, but that's what some hackers will do. A hacker may use a de-authentication attack to target network devices. To do so, a hacker does not even need administrative access to the user router; they only need to find the router and device users' using. They can do this by using a tool such as Aircrack-ng. After doing so, they craft a command that uses the users' router's authentication protocol to deauthenticate users, thus kicking them off the network.

A Forbes study found that 86% of users never change their default credentials. As default credentials are easily found online, all hackers must do a perfunctory Google search to find the information they need to log into users' routers. If they do, they can change things like the password and SSID. Changing the password will kick users off their network, and changing the SSID will change their network name. They could also hide users' networks entirely after kicking them off and changing the name, making it difficult to get back online. Scammers employ various methods to hack into Wi-Fi networks, exploiting vulnerabilities and poor security practices.

One common technique is brute-forcing Wi-Fi passwords, where hackers systematically attempt numerous password combinations to gain access. Once successful, they can lock users out by changing the password and taking control of the router. Another method involves using the router’s default credentials, often left unchanged by users. Cybercriminals can exploit these factory-set admin passwords to alter router settings, emphasizing the importance of creating a unique password and SSID (wireless network name) for enhanced security.

Unpatched firmware vulnerabilities also present significant risks. Attackers can exploit outdated software to infiltrate a router's internal systems. For instance, in June 2023, Asus issued critical firmware updates to protect against remote code execution attacks. One of the most severe vulnerabilities, CVE-2018-1160, dating back to 2018, carried a high severity rating of 9.8 on the Common Vulnerability Scoring System (CVSS).

Furthermore, cybercriminals can execute Domain Name Server (DNS) hijacking by altering a router’s DNS settings and redirecting users to malicious phishing websites. These examples underscore the importance of updating router firmware regularly, using strong passwords, and proactively securing Wi-Fi networks. Understanding the signs of a hacked router is essential for safeguarding users' networks. Altered DNS settings are a major indicator of a breach, as hackers may manipulate these settings to redirect users' internet traffic without their knowledge, potentially launching devastating pharming attacks.

Users can check their router’s DNS settings in the admin menu to ensure they have not been tampered with. Another red flag is an inability to access the router using the user's admin password. If the credentials no longer work, it could mean a hacker has changed them. In such cases, perform a factory reset immediately and create a new, strong password. Unexpectedly slow internet can also hint at a router hack, especially when accompanied by other suspicious activities. Hackers may exploit users' bandwidth, causing noticeable performance drops. Additionally, strange software or malware on users' devices can result from a router breach, as hackers often use this method to infiltrate connected devices. While malware can spread through various means, its presence alongside other signs of hacking is a cause for concern.

Monitoring users' networks for unrecognized devices is another critical security measure. Tools like AVG AntiVirus FREE can detect when unfamiliar devices join users' Wi-Fi, issuing alerts that prompt further investigation. While unauthorized devices don’t always indicate a router hack, their presence could lead to one, emphasizing the need for continuous network monitoring. Using reliable security software is vital to protecting users' devices and networks. AVG AntiVirus FREE offers comprehensive cybersecurity features, including real-time malware detection, phishing defence, ransomware protection, and tools to secure users' Wi-Fi networks from potential router hackers. Staying vigilant and equipped with robust security measures ensures a safe online experience.

Hackers can easily carry out this kind of attack even if they do not have administrative access to the user's router; they only need to identify the router and the device that users use to do so. An aircraft-ng tool, which is available online, can be used to accomplish this task. As a result, they craft a command that uses the authentication protocol of the users' router to deauthenticate them, which means they are kicked off of the network once more. The study by Forbes found that 86% of users do not change their default credentials despite being notified about it.

The default credentials for routers can readily be found online, so it is only a matter of a quick Google search before hackers can discover the credentials they need to access the routers of their targeted victims. In that case, they can change things such as the password and the SSID of the network. By changing a user's password, they will be kicked off their network, and by changing their SSID, their network name will be changed. It's possible that they could also hide the users' networks entirely after they have been kicked off and changed their names, which would make it difficult for them to return to the network. Using a variety of methods, scammers can hack into Wi-Fi networks by exploiting the vulnerabilities and unfavourable security practices that exist.

There is no doubt that the most common method of hacking Wi-Fi passwords in today's world is through brute-force attacks, which involve scanning many different combinations of passwords too to discover someone's password by scanning all of the combinations simultaneously. When they are successful in taking control of the router, they can lock users out of their accounts by changing their passwords. A second method involves the use of the router's default credentials, often left unchanged by users when they set up the router. These factory-provided admin passwords can be vulnerable to abuse by cybercriminals, highlighting the importance of using a unique password and SSID (wireless network name) for enhanced security when setting up users' routers.

As a result of firmware vulnerabilities that remain unpatched, there are significant risks involved. There are several ways in which attackers can compromise the internal operating systems of a router by exploiting outdated software. Asus's most recent firmware upgrade for its laptops was released in June 2023, preventing remote code execution attacks against the device. On the Common Vulnerability Scoring System (CVSS), which calculates the severity of vulnerabilities based on their association with security incidents and their impact, CVE-2018-1160, dated back to 2018, had a severity rating of 9.8. A further method of executing Domain Name Server (DNS) hijacking is to alter a router's DNS settings, redirecting the user to malicious phishing sites by altering the DNS settings of a router.

As a result of these examples, router firmware must be updated regularly, strong passwords are used, and wi-fi networks are carefully secured proactively. Recognizing the signs of a hacked router is crucial for protecting users' networks. Altered DNS settings often indicate a breach, as hackers can manipulate these to redirect users' internet traffic and launch phishing or pharming attacks. Regularly reviewing users' routers' DNS settings in the admin menu can help prevent such risks. Similarly, being unable to access the router with their admin password may mean hackers have taken control. In such cases, a factory reset followed by setting a strong new password is essential.

A sudden drop in internet speed, especially when combined with other suspicious activity, could point to unauthorized bandwidth usage by hackers. Additionally, unexpected malware or unfamiliar software on users' devices might result from a router breach. Monitoring for unrecognized devices on users' networks is equally important, as these can indicate unauthorized access and potential hacking attempts.

Investing in robust security tools is a key step in safeguarding users' digital environments. Comprehensive solutions like AVG AntiVirus FREE provide 24/7 protection against malware, phishing, ransomware, and other threats while keeping users' network secure from unauthorized access. Staying proactive with these measures is the best defense for ensuing their online safety.

blogger.com

rss

forum

news

surface web

passwords

Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization

2024-11-21

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment (RTA) at the request of a critical infrastructure organization. During RTAs, CISA’s red team simulates real-world malicious cyber operations to assess an organization’s cybersecurity detection and response capabilities. In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory to detail the red team’s activity—including their tactics, techniques, and procedures (TTPs) and associated network defense activity. Additionally, the advisory contains lessons learned and key findings from the assessment to provide recommendations to network defenders and software manufacturers for improving their organizations’ and customers’ cybersecurity posture.

Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment. The red team proceeded to move through the demilitarized zone (DMZ) and into the network to fully compromise the organization’s domain and several sensitive business system (SBS) targets. The assessed organization discovered evidence of the red team’s initial activity but failed to act promptly regarding the malicious network traffic through its DMZ or challenge much of the red team’s presence in the organization’s Windows environment.

The red team was able to compromise the domain and SBSs of the organization as it lacked sufficient controls to detect and respond to their activities. The red team’s findings illuminate lessons learned for network defenders and software manufacturers about how to respond to and reduce risk.

Lesson Learned: The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections.
Lesson Learned: The organization’s staff require continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure they are provided sufficient resources by management to have the conditions to succeed in protecting their networks.
Lesson Learned: The organization’s leadership minimized the business risk of known attack vectors for the organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.

To reduce risk of similar malicious cyber activity, CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this advisory to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.

This document illustrates the outsized burden and costs of compensating for insecure software and hardware borne by critical infrastructure owners and operators. The expectation that owners and operators should maintain the requisite sophisticated cyber defense skills creates undue risk. Technology manufacturers must assume responsibility for product security. Recognizing that insecure software contributes to these identified issues, CISA urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this advisory, including those listed below:

Embed security into product architecture throughout the entire software development lifecycle (SDLC).
Eliminate default passwords.
Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.

Download the PDF version of this report:

AA24-326A Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a U.S. Critical Infrastructure Sector Organization (PDF, 823.56 KB )

INTRODUCTION

CISA has authority to—upon request—provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6]). The target organization for this assessment was a critical infrastructure organization in the United States. After receiving a request for an RTA from the organization and coordinating the high-level details of the engagement, CISA conducted the RTA over approximately a three-month period.

During RTAs, a CISA red team simulates real-world threat actors to assess an organization’s cybersecurity detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network, avoid detection, evade defenses, and access SBSs. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, and/or technology.

Drafted in coordination with the assessed organization, this advisory details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders with recommendations for improving an organization’s cybersecurity posture. The advisory also provides recommendations for software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16. See Appendix: MITRE ATT&CK Tactics and Techniques for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques.

Phase I: Red Team Cyber Threat Activity

Overview

The CISA red team operated without prior knowledge of the organization’s technology assets and began the assessment by conducting open source research on the target organization to gain information about its network [T1590], defensive tools [T1590.006], and employees [T1589.003]. The red team designed spearphishing campaigns [T1566] tailored to employees most likely to communicate with external parties. The phishing attempts were ultimately unsuccessful—targets ran the payloads [T1204], but their execution did not result in the red team gaining access into the network.

After the failed spearphishing campaigns, the red team continued external reconnaissance of the network [T1595] and discovered a web shell [T1505.003] left from a previous Vulnerability Disclosure Program (VDP). The red team used this for initial access [TA0001] and immediately reported it to the organization’s trusted agents (TAs). The red team leveraged that access to escalate privileges [TA0004] on the host, discover credential material on a misconfigured Network File System (NFS) share [T1552.001], and move from a DMZ to the internal network [TA0008].

With access to the internal network, the red team gained further access to several SBSs. The red team leveraged a certificate for client authentication [T1649] they discovered on the NFS share to compromise a system configured for Unconstrained Delegation. This allowed the red team to acquire a ticket granting ticket (TGT) for a domain controller [T1558.001], used to further compromise the domain. The red team leveraged this level of access to exploit SBS targets provided by the organization’s TAs.

The assessed organization detected much of the red team’s activity in their Linux infrastructure after CISA alerted them via other channels to the vulnerability the red team used for initial access. Once given an official notification of a vulnerability, the organization’s network defenders began mitigating the vulnerability. Network defenders removed the site hosting the web shell from the public internet but did not take the server itself offline. A week later, network defenders officially declared an incident once they determined the web shell was used to breach the internal network. For several weeks, network defenders terminated much of the red team’s access until the team maintained implants on only four hosts. Network defenders successfully delayed the red team from accessing many SBSs that required additional positioning, forcing the red team to spend time refortifying their access in the network. Despite these actions, the red team was still able to access a subset of SBSs. Eventually, the red team and TAs decided that the network defenders would stand down to allow the red team to continue its operations in a monitoring mode. In monitoring mode, network defenders would report what they observed of the red team’s access, but not continue to block and terminate it.

See Figure 1 for a timeline of the red team’s activity with key points access. See the following sections for additional details, including the red team’s TTPs.

Figure 1 - Timeline of Red Team Activity (CI) — *Figure 1: Timeline of Red Team Cyber Threat Activity*

Initial Access

Following an unsuccessful spearphishing campaign, the red team gained initial access to the target by exploiting an internet-facing Linux web server [T1190] discovered through reconnaissance [TA0043] of the organization’s external internet protocol (IP) space [T1590.005].

The red team first conducted open source research [T1593] to identify information about the organization’s network, including the tools used to protect the network and potential targets for spearphishing. The red team looked for email addresses [T1589.002] and names to infer email addresses from the organization’s email syntax (discovered during reconnaissance). Following this action, the red team sent tailored spearphishing emails to 13 targets [T1566.002]. Of these 13 targets, one user responded and executed two malicious payloads [T1204.002]. However, the payloads failed to bypass a previously undiscovered technical control employed by the victim organization, preventing the red team’s first attempt to gain initial access.

To find an alternate pathway for initial access, the red team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet [T1596.005]. The red team identified an old and unpatched service with a known XML External Entity (XXE) vulnerability and leveraged a public proof of concept to deploy a web shell. The associated product had an exposed endpoint—one that system administrators should typically block from the public internet—that allowed the red team to discover a preexisting web shell on the organization’s Linux web server. The preexisting web shell allowed the red team to run arbitrary commands on the server [T1059] as a user (WEBUSER1). Using the web shell, the red team identified an open internal proxy server [T1016] to send outbound communications to the internet via Hypertext Transfer Protocol Secure (HTTPS). The red team then downloaded [T1105] and executed a Sliver payload that utilized this proxy to establish command and control (C2) over this host, calling back to their infrastructure [TA0011].

Note: Because the web shell and unpatched vulnerability allowed actors to easily gain initial access to the organization, the CISA red team determined this was a critical vulnerability. CISA reported both the vulnerability and the web shell to the organization in an official vulnerability notification so the organization could remediate both issues. Following this notification, the victim organization initiated threat hunting activities, detecting some of the red team’s activity. The TAs determined that network defenders had previously identified and reported the vulnerability but did not remediate it. Further, the TAs found that network defenders were unaware of the web shell and believed it was likely leftover from prior VDP activity. See the Defense Evasion and Victim Network Defense Activities section for more information.

Linux Infrastructure Compromise

Local Privilege Escalation and Credential Access

The red team then moved laterally from the web server to the organization’s internal network using valid accounts [T1078] as the DMZ was not properly segmented from the organization’s internal domain.

The red team acquired credentials [TA0006] by first escalating privileges on the web server. The team discovered that WEBUSER1 had excessive sudo rights, allowing them to run some commands as root commands without a password. They used these elevated rights to deploy a new callback with root access [T1548.003].

With root access to the web server, the team had full access to the organization’s directories and files on a NFS share with no_root_squash enabled. If no_root_squash is used, remote root users can read and change any file on the shared file system and leave a trojan horse [T1080] for other users to inadvertently execute. On Linux operating systems this option is disabled by default, yet the organization enabled it to accommodate several legacy systems. The organization’s decision to enable the no_root_squash option allowed the red team to read all the files on the NFS share once it escalated its privileges on a single host with the NFS share mounted. This NFS share hosted the home directories of hundreds of Linux users—many of which had privileged access to one or more servers—and was auto-mounted when those users logged into Linux hosts in the environment.

The red team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories [T1552.003], and other sensitive data across all user files on the NFS share [T1039]. The team initially obtained 61 private SSH keys [T1552.004] and a file containing valid cleartext domain credentials (DOMAINUSER1) that the team used to authenticate to the organization’s domain [T1078.002].

Linux Command and Control

In the organization’s Linux environment, the red team leveraged HTTPS connections for C2 [T1071.001]. Most of the Linux systems could not directly access the internet, but the red team circumvented this by leveraging an open internal HTTPS proxy [T1090.001] for their traffic.

Lateral Movement and Persistence

The red team’s acquisition of SSH private keys generated for user and service accounts facilitated unrestricted lateral movement to other Linux hosts [T1021.004]. This acquisition included two highly privileged accounts with root access to hundreds of servers. Within one week of initial access, the team moved to multiple Linux servers and established persistence [TA0003] on four. The team used a different persistence mechanism on each Linux host, so network defenders would be less likely to discover the red team’s presence on all four hosts. The team temporarily backdoored several scripts run at boot time to maintain persistence [T1037], ensuring the original versions of the scripts were re-enabled once the team successfully achieved persistence. Some of the team’s techniques included modifying preexisting scripts run by the cron utility [T1053.003] and ifup-post scripts [T1037.003].

Of note, the team gained root access to an SBS-adjacent infrastructure management server that ran Ansible Tower. Access to this Ansible Tower system [T1072] provided easy access to multiple SBSs. The team discovered a root SSH private key on the host, which allowed the team to move to six SBSs across six different sensitive IP ranges. A week after the team provided screenshots of root access to the SBSs to the TAs, the TAs deconflicted the red team’s access to the Ansible Tower system that network defenders discovered. The organization detected the compromise by observing abnormal usage of the root SSH private key. The root SSH private key was used to log into multiple hosts at times and for durations outside of preestablished baselines. In a real compromise, the organization would have had to shut down the server, significantly impacting business operations.

Windows Domain Controller Compromise

Approximately two weeks after gaining initial access, the red team compromised a Windows domain controller. This compromise allowed the team to move laterally to all domain-joined Windows hosts within the organization.

To first gain situational awareness about the organization’s environment, the red team exfiltrated Active Directory (AD) information [TA0010] from a compromised Linux host that had network access to a Domain Controller (DC). The team queried Lightweight Directory Access Protocol (Over SSL)—(LDAPS)—to collect information about users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACL), organizational units (OU), and group policy objects (GPO) [T1615]. Unfortunately, the organization did not have detections to monitor for anomalous LDAP traffic. A non-privileged user querying LDAP from the organization’s Linux domain should have alerted network defenders.

The red team observed a total of 42 hosts in AD that were not DCs, but had Unconstrained Delegation enabled. Hosts with Unconstrained Delegation enabled store the Kerberos TGTs of any user that authenticates to them. With sufficient privileges, an actor can obtain those tickets and impersonate associated users. A compromise of any of these hosts could lead to the escalation of privileges within the domain. Network defenders should work with system administrators to determine whether Unconstrained Delegation is necessary for their systems and limit the number of systems with Unconstrained Delegation unnecessarily enabled.

The red team observed insufficient network segmentation between the organization’s Linux and Windows domains. This allowed for Server Message Block (SMB) and Kerberos traffic to a DC and a domain server with Unconstrained Delegation enabled (UDHOST). The team discovered an unprotected Personal Information Exchange (.pfx) file on the NFS home share that they believed was for UDHOST based on its naming convention.

Equipped with the .pfx file, the red team used Rubeus—an open source toolset for Kerberos interaction and abuses—to acquire a TGT and New Technology Local Area Network Manager (NTLM) hash for UDHOST from the DC. The team then used the TGT to abuse the Server-for-User-to-Self (S4U2Self) Kerberos extension to gain administrative access to UDHOST.

The red team leveraged this administrative access to upload a modified version of Rubeus in monitor mode to capture incoming tickets [T1040] on UDHOST with Rubeus’ /monitor command. Next, the team ran DFSCoerce.py to force the domain controller to authenticate to UDHOST [T1187]. The team then downloaded the captured tickets from UDHOST.

With the DC’s TGT, the team used Domain Controller Sync (DCSync) through their Linux tunnels to acquire the hash of several privileged accounts—including domain, enterprise, and server administrators—and the critical krbtgt account [T1003.006].

Gaining access to AD is not unusual for most of CISA’s Red Team engagements, but it is rare to find network defenders who can secure and monitor it quickly and effectively.

Once the team harvested the credentials needed, they moved laterally to nearly any system in the Windows domain (see Figure 2) through the following steps (hereafter, this combination of techniques is referred to as the “Preferred Lateral Movement Technique”):

The team either forged a golden ticket using the krbtgt hash or requested a valid TGT using the hashes they exfiltrated for a specific account before loading the ticket into their session for additional authentication.
The team dropped an inflated Dynamic Link Library (DLL) file associated with legitimate scheduled tasks on the organization’s domain.
When the scheduled task executed on its own or through the red team’s prompting, the DLL hijack launched a C2 implant.

Figure 2 - Movement to Domain Controller — *Figure 2: Movement to Domain Controller*

Windows Command and Control

The red team initially established C2 on a workstation over HTTPS before connecting to servers over SMB [T1071.002] in the organization’s Windows environment. To connect to certain SBSs later in its activity, the team again relied on HTTPS for C2.

Post-Exploitation Activity: Gaining Access to SBSs

After the red team gained persistent access to Linux and Windows systems across the organization’s networks, the team began post-exploitation activities and attempted to access SBSs. The TAs provided a scope of the organization’s Classless Inter-Domain Routing (CIDR) ranges that contained SBSs. The team gained root access to multiple Linux servers in these ranges. The TAs then instructed the red team to exploit its list of primary targets: admin workstations and network ranges that included OT networks. The team only achieved access to the first two targets and did not find a path to the OT networks. While the team was able to affect the integrity of data derived from OT devices and applications, it was unable to find and access the organization’s internal network where the OT devices resided.

To gain access to the SBSs, the team first gained access to Microsoft System Center Configuration Manager (SCCM) servers, which managed most of the domain’s Windows systems. To access the SCCM servers, the team leveraged their AD data to identify administrators [T1087] of these targets. One of the users they previously acquired credentials for via DCSync was an administrator on the SCCM servers. The red team then used the Preferred Lateral Movement Technique to eventually authenticate to the SCCM servers. See Figure 3.

Figure 3 - Attack Path to SCCM Server (Red Team CI) — *Figure 3: Attack Path to SCCM Server*

Admin Workstations

The first specific set of SBS targets provided by the TAs were admin workstations. These systems are used across various sensitive networks external to, or inaccessible from, the internal network where the team already had access. Normally, authorized personnel leverage these administrator workstations to perform administrator functions. CISA’s red team targeted these systems in the hopes that an authorized—but unwitting—user would move the tainted system to another network, resulting in a callback from the sensitive target network.

The red team reviewed AD data to identify these administrator systems. Through their review, the team discovered a subset of Windows workstations that could be identified with a prefix and determined a group likely to have administrative rights to the workstations.

With access to the SCCM server, the red team utilized their Preferred Lateral Movement Technique to gain access to each admin workstation target (see Figure 4).

Figure 4 - Attack Path from SCCM Server (Red Team CI) — *Figure 4: Attack Path from SCCM Server to Admin Workstations*

The red team maintained access to these systems for several weeks, periodically checking where they were communicating from to determine if they had moved to another network. Eventually, the team lost access to these systems without a deconfliction. To the best of the red team’s knowledge, these systems either did not move to new networks or, if they did, those systems no longer had the ability to communicate with red team’s C2 infrastructure.

Additional Host and Other Subnets

Figure 5 - Attack Path from SCCM Server (Red Team CI) — *Figure 5: Attack Path from SCCM Server to Host and Other Subnets*

After compromising admin workstations, the red team requested that the TAs prioritize additional systems or IP ranges. The TAs provided four CIDR ranges to target:

A corporate DMZ that contained a mixture of systems and other subnets.
A second subnet.
A third subnet.
An internal network that contained OT devices.

Access to the corporate DMZ was necessary to reach the second and third ranges, and the red team hoped that gaining access to these would facilitate access to the fourth range.

The red team followed a familiar playbook to gain access to these SBSs from another SCCM server. First, the team performed reverse DNS lookups [T1596.001] on IP addresses within the ranges the TAs provided. They then scanned SMB port 445/TCP [T1046] from a previously compromised SCCM server to discover Windows hosts it could access on the corporate DMZ. The team discovered the server could connect to a host within the target IP range and that the system was running an outdated version of Windows Server 2012 R2. The default configuration of Windows Server 2012 R2 allows unprivileged users to query the group membership of local administrator groups. The red team discovered a user account [T1069] by querying the Windows Server 2012 R2 target that was in a database administrator group. The team leveraged its Preferred Lateral Movement Technique to authenticate to the target as that user, then repeated that technique to access a database. This database receives information from OT devices used to feed monitoring dashboards, information which factors into the organization’s decision-making process [T1213].

The new host had several active connections to systems in the internal ranges of the second and third subnets. Reverse domain name system (DNS) lookup requests for these hosts failed to return any results. However, the systems were also running Windows Server 2012 R2. The red team used Windows API calls to NetLocalGroupEnum and NetLocalGroupGetMembers to query local groups [T1069.001], revealing the system names for these targets as a result. The red team performed their Preferred Lateral Movement Technique to gain access to these hosts in the second and third provided network ranges.

With access to these subnets, the red team began exploring a path to systems on a private subnet where OT devices resided but failed to locate a path to that fourth subnet.

Corporate Workstations of Critical Infrastructure Administrators and Operators

Next, the red team targeted the corporate workstations of the administrators and operators of the organization’s critical infrastructure. Because the team lacked knowledge of the organization’s OT devices and failed to discover a path to the private subnet where they resided, they instead tried to locate users that interacted with human machine interfaces (HMI). Access to such users could enable the team to access the HMI, which serves as a dashboard for OT.

The red team leveraged its AD data once again, combining this data with user information from SCCM to identify targets by job role and their primary workstation. Then the team targeted the desktop of a critical infrastructure administrator, the workstation of another critical infrastructure administrator, and the workstations of three critical infrastructure operators spread across two geographically disparate sites.

The AD data revealed users in a group that were administrators of all the targets. The red team then repeated their Preferred Lateral Movement Technique and identified a logged-in user connected to a “System Status and Alarm Monitoring” interface. The team discovered credentials to the interface in the user’s home directory, proxied through the system, and accessed the HMI interface over HTTP. The team did not pursue further activity involving the interface because their remaining assessment time was limited. Additionally, they did not discover a way to compromise the underlying OT devices.

Command and Control

The team used third-party owned and operated infrastructure and services [T1583] throughout its assessment, including in certain cases for command and control (C2). The tools that the red team obtained included [T1588.002]:

Sliver, Mythic, Cobalt Strike, and other commercial C2 frameworks.
- The team maintained multiple command and control servers hosted by several cloud vendors. They configured each server with a different domain and used the servers for communication with compromised hosts. These servers retained all assessment data.
Two commercially available cloud-computing platforms.
- The team used these platforms to create flexible and dynamic redirect servers to send traffic to the team’s servers [T1090.002]. Redirecting servers make it difficult for defenders to attribute assessment activities to the backend team servers. The redirectors use HTTPS reverse proxies to redirect C2 traffic between the target organization’s network and the team servers. The team encrypted all data in transit [T1573] and secured all data at rest through a VPN with multifactor authentication.
Content delivery network (CDN) services.
- This technique leverages CDNs associated with high-reputation domains, causing malicious traffic to appear directed towards a reputational domain. However, it is redirected to red team-controlled servers. This allows the team to obfuscate some of their C2 traffic.

The team used domain fronting [T1090.004] to disguise outbound traffic, diversifying communications between the domains and the persistent beacons. This technique (which also leverages CDNs) allows the beacon to appear to connect to third-party domains but instead connects to the team’s redirect server.

Defense Evasion and Victim Network Defense Activities

Most of the encounters between the red team and network defenders occurred in the organization’s Linux environment. The red team leveraged Linux tradecraft in an attempt to evade network defenses. In response, network defenders’ threat hunting activities identified some of the team’s presence in their Linux environment. To evade defenses, the red team reordered the process identifier (PID) of its executable processes to appear closer to the kernel and minimize the team’s likelihood of detection. The team also modified its processes [T1055] by changing their names in memory and at execution. In addition, they used Python scripts [T1059.006] run in memory [T1620] to avoid on-disk detection. Some of the red team’s Linux persistence techniques included modifying preexisting scripts run by the cron utility and creating backdoors through ifup-post scripts and .bashrc. Network defenders ultimately identified the team’s backdoor in .bashrc [T1546.004].

Defenders also successfully detected anomalous activity on their Ansible Tower host and other systems in their Linux environment. The defenders actively analyzed NetFlow data, which helped them identify the red team’s persistence and lateral movement. To mitigate the impact of the red team’s tactics, network defenders would have needed to shut down a critical server as part of their incident response activities. A shut down would have resulted in downtime for hundreds of systems, including SBSs.

The organization’s EDR solutions largely failed to protect the organization. EDR detected only a few of the red team’s payloads in the organization’s Windows and Linux environments. In the instance the EDR protected the organization from the initial phishing payload, it generated an alert that network defenders neither read nor responded to. The red team excelled in bypassing EDR solutions by avoiding the use of basic “known-bad” detections the tools would capture. The team also inflated its file sizes above the upload threshold of the organization’s EDR [T1027.001]. In addition, the organization completely lacked any EDR solution in a legacy environment. As such, the red team’s persistence there went undetected throughout the assessment.

Network defenders failed to detect red team activity in the organization’s Windows environment due to a lack of proper identity management. Specifically, network defenders failed to detect and respond to the red team’s S4U2Self, asktgs, dcsync, and golden ticket activity. Had the organization monitored for unusual activity involving AD and Kerberos, they would have detected more red team activity.

Lastly, there were significant deficiencies in the organization’s DMZ that should have detected traffic into the organization’s internal network over the ports used by SMB and LDAPS. Network defenders never properly implemented an intrusion detection system (IDS) or intrusion prevention system (IPS) to monitor the DMZ at the network level. This lack of implementation resulted in a failure to detect malicious network traffic through their DMZ. Further, the red team was able to move laterally through the DMZ because there was an open internal proxy with internet access that enabled the team’s C2.

Phase II: Red Team Measurable Events Activity

The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. The red team did not have full visibility into the organization’s responses to these events and lacked the support of a white team to help assess the organization’s responses. See Table 1 for a description of the events, the organization’s actual response, and key takeaways.

*Table 1: Measurable events*
Measurable Event	Description	MITRE ATT&CK Technique(s)	Organization’s Reported Reactions	Key Takeaways
Internal Port Scan	Launches a scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s).	Network Service Discovery [T1046]	Identified an AD enumeration tool and temporarily blocked access to one C2 domain, which resulted in the red team temporarily losing access to six SCCM servers.	The organization did not report identifying the port scan. In addition, with proper network segmentation, the scan’s target hosts should not have been able to communicate.
Comprehensive Active Directory and Host Enumeration	Performs AD enumeration by querying all domain objects from the DC and enumerates trust relationships within the AD Forest, user accounts, and current session information from every domain computer (workstation and server).	Domain Trust Discovery [T1482] Account Discovery: Domain Account [T1087.002] System Owner/User Discovery [T1033] Remote System Discovery [T1018]	Identified an AD enumeration tool and temporarily blocked access to one C2 domain, which resulted in the red team temporarily losing access to six SCCM servers.	The organization did not report identifying the port scan. In addition, with proper network segmentation, the scan’s target hosts should not have been able to communicate.
Data Exfiltration – 1 GB of Data	Sends a large amount (1GB) of mock sensitive information to an external host.	Exfiltration Over Alternative Protocol [T1048]	A proxy likely blocked 1GB of data exfiltration during the red team’s first attempt. However, the team’s second attempt was successful when they exfiltrated the data in 100MB blocks. Hours after the data exfiltration, the organization blocked the domain used for C2 and removed access to the compromised host.	Organizations should implement web proxies that contain data threshold restrictions. Furthermore, network defenders need to manually analyze proxy data to determine whether there is legitimate outbound traffic or potentially malicious data exfiltration.
Malicious Traffic Generation- Workstation to External Host	Establishes a session that originates from a target workstation system directly to an external host over a clear text protocol, such as HTTP.	Application Layer Protocol [T1071]	The organization blocked access to the host and the C2 domains the red team used.	The organization blocked the malicious traffic at the network level but did not appear to identify the source workstation.
Active Directory Account Lockout	Locks out several administrative AD accounts in rapid succession.	Account Access Removal [T1531]	The organization’s password policy locked out the AD accounts. However, within minutes the accounts reopened, likely due to a group policy and/or an automated response.	There was no identified active response from the organization. Organizations should monitor AD account activity in Windows event logs against baselines to detect anomalous and potentially malicious activity.
Local Admin User Account Creation (workstation)	Creates a local administrator account on a target workstation system.	Create Account: Local Account [T1136.001] Account Manipulation [T1098]	An automated response removed the account from local administrator’s group but did not delete it.	Despite group policy objects removing the account, there were no detections for the activity.
Local Admin User Account Creation (server)	Creates a local administrator account on a target server system.	Create Account: Local Account [T1136.001] Account Manipulation [T1098]	An automated response removed the account from local Administrator’s group but did not delete it.	Despite group policy objects removing the account, there were no detections for the activity.
Active Directory Account Creation	Creates AD accounts and add them to domain admins group	Create Account: Domain Account [T1136.002] Account Manipulation [T1098]	An alert existed for this action but was disabled at the time the original event was triggered, thus it was undetected. After coordination between the TAs and red team revealed this lapse, the alert was enabled, the red team performed the action once again, and this time, TAs provided a screenshot of the alert from their monitoring dashboards.	Detection tools are only useful when network defenders tune them appropriately and effectively monitor alerts. At first, the organization missed an opportunity to respond to a tool that should have produced a true positive alert because it was misconfigured.
Domain Admin Lateral Movement—Workstation to Domain Controller and Workstation to Workstation	Compromises a Domain Admin account and uses it to run PSExec on multiple workstations and domain controllers.	System Services: Service Execution [T1569.002] Remote Services: SMB/Windows Admin Shares [T1021.002]	None identified.	Detect malicious use of standard tools like PSExec that malicious cyber actors may use for lateral movement by monitoring Windows logs for anomalous activity. In addition, organizations should look for abnormal communications between workstations.
Malicious Traffic Generation- Domain Controller to External Host	Establishes a session that originates from a target domain controller system directly to an external host over a clear text protocol, such as HTTP.	Application Layer Protocol [T1071]	None identified.	DCs should never connect directly to an external host over HTTP. The organization failed to detect and respond to this.
Trigger Host-Based Protection- Domain Controller	Uploads and executes a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts.	Ingress Tool Transfer [T1105]	Malicious file was removed by host-based endpoint protection system.	Host based detection tools can be helpful in detecting known IOCs. However, organizations should focus on detecting anomalous behavior by monitoring their networks and hosts against good baselines. The blocking of this well-known tool on a DC should trigger an urgent investigation.
Ransomware Simulation	Executes simulated ransomware on multiple workstation systems to simulate a ransomware attack. Note: This technique does not encrypt files on the target system.	N/A	Two out of nine users reported the event to defensive staff who identified all hosts that executed the ransomware. Five users likely rebooted their systems when observing the ransomware, one logged off and on, one closed the ransomware application repeatedly and continued working, one locked their screen, and another user exited the ransomware process after two hours.	Security awareness training should provide employees effective tools on how to respond to ransomware activity.

LESSONS LEARNED AND KEY FINDINGS

The red team noted the following lessons learned relevant to all organizations generated from the security assessment of the organization’s network. These findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to mitigate these findings.

Lesson Learned: Insufficient Technical Controls

The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based EDR solutions and did not implement sufficient network layer protections.

Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which allowed the red team a path through the DMZ to internal networks. A properly configured network should block access to a path from the DMZ to other internal networks.
Finding #2: The organization was too reliant on its host-based tools and lacked network layer protections, such as well-configured web proxies or intrusion prevention systems (IPS). The organization’s EDR solutions also failed to catch all the red team’s payloads. Below is a list of some of the higher risk activities conducted by the team that were opportunities for detection:
- Phishing;
- Kerberoasting;
- Generation and use of golden tickets;
- S4U2self abuse;
- Anomalous LDAP traffic;
- Anomalous NFS enumeration;
- Unconstrained Delegation server compromise;
- DCSync;
- Anomalous account usage during lateral movement;
- Anomalous outbound network traffic;
- Anomalous outbound SSH connections to the team’s cloud servers from workstations; and
- Use of proxy servers from hosts intended to be restricted from internet access.
Finding #3: The organization had insufficient host monitoring in a legacy environment. The organization had hosts with a legacy operating system without a local EDR solution, which allowed the red team to persist for several months on the hosts undetected.

Lesson Learned: Continuous Training, Support, and Resources

The organization’s staff requires continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure are provided sufficient resources by management to adequately protect their networks.

Finding #4: The organization had multiple systems configured insecurely. This allowed the red team to compromise, maintain persistence, and further exploit those systems (i.e., access credentials, elevate privileges, and move laterally). Insecure system configurations included:
- Default server configurations. The organization used default configurations for hosts with Windows Server 2012 R2, which allows unprivileged users to query membership of local administrator groups. This enabled the red team to identify several standard user accounts with administrative access.
  Note: By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. In this way, users with local root access are prevented from gaining root level access over the mounted NFS share. Here, the organization deviated from the secure by default configuration and implemented the no_root_squash option to support a few legacy systems instead. This deviation from the default allowed the red team to escalate their privileges over the domain.
- Hosts with Unconstrained Delegation enabled unnecessarily. Hosts with Unconstrained Delegation enabled will store the Kerberos TGTs of all users that authenticate to that host. This affords threat actors the opportunity to steal TGTs, including the TGT for a domain controller, and use them to escalate their privileges over the domain.
- Insecure Account Configuration. The organization had an account running a Linux webserver with excessive privileges. The entry for that user in the sudoers file—which controls user rights—contained paths with wildcards where that user had write access, allowing the team to escalate privileges.
  Note: This file should only contain specific paths to executable files that a user needs to run as another user or root, and not a wildcard. Users should not have write access over any file in the sudoers entry.
Finding #5: The red team’s activities generated security alerts that network defenders did not review. In many instances, the organization relied too heavily on known IOCs and their EDR solutions instead of conducting independent analysis of their network activity compared against baselines.
Finding #6: The organization lacked proper identity management. Because network defenders did not implement a centralized identity management system in their Linux network, they had to manually query every Linux host for artifacts related to the red team’s lateral movement through SSH. Defenders also failed to detect anomalous activity in their organization’s Windows environment because of poor identity management.

Lesson Learned: Business Risk

The organization’s leadership minimized the business risk of known attack vectors for their organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.

Finding #7: The organization used known insecure and outdated software. The red team discovered software on one of the organization’s web servers that was outdated.
- After their operations, the red team learned the insecure and outdated software was a known security concern. The organization’s security team alerted management to the risks associated this software, but management accepted the risk.
- Next, the security team implemented a VDP program, which resulted in a participant exploiting the vulnerability for initial access. The VDP program helped the security team gain management support, and they implemented a web application firewall (WAF) as a compensating control. However, they did not adequately mitigate the vulnerability as they configured the WAF to be only in monitoring mode. The security team either did not have processes (or implement them properly) to scan, assess, and test whether they treated the vulnerability effectively.

Additional Findings

The red team noted the following additional issues relevant to the security of the organization’s network that contributed to their activity.

Unsecured Keys and Credentials. The organization stored many private keys that lacked password protection, allowing the red team to steal the keys and use them for authentication purposes.
- The private key of a PFX file was not password protected, allowing the red team to use that certificate to authenticate to active directory, access UDHOST, and eventually compromise the DC. In addition, the organization did not require password protection of SSH private keys.
  Note: Without a password protected key, an actor can more easily steal the private key and use it to authenticate to a system through SSH.
- The organization had files in a home share that contained cleartext passwords. The accounts included, among other accounts, a system administrator.
  Note: The organization appeared to store cleartext passwords in the description and user password sections of Active Directory accounts. These passwords were accessible to all domain users.
Email Address Verification. The active Microsoft Office 365 configuration allows an unauthenticated external user to validate email addresses through observing error messages in the form of HTTP 302 versus HTTP 200 responses. This misconfiguration helps threat actors verify email addresses before sending phishing emails.

Noted Strengths

The red team noted the following technical controls or defensive measures that prevented or hampered offensive actions:

Network defenders detected the initial compromise and some red team movement. After being alerted of the web shell, the organization initiated hunt activities, detected initial access, and tracked some of the red team’s Phase I movements. The organization terminated much of the red team’s access to the organization’s internal network. Of note, once the organization’s defenders discovered the red team’s access, the red team spent significant time and resources continuously refortifying their access to the network.
Host-based EDR solutions prevented initial access by phishing. The EDR stopped the execution of multiple payloads the red team sent to a user of the organization over a week long period. The organization leveraged two products on workstations, one that was publicly discoverable and another the red team did not learn about until gaining initial access. The product the red team was unaware of, and did not test their payload against, was responsible for stopping the execution of their payloads.
Strong domain password policy. The organization’s domain password policy neutralized the red team’s attempts to crack hashes and spray passwords. The team was unable to crack any hashes of all 115 service accounts it targeted.
Effective separation of privileges. The organization’s administrative users had separate accounts for performing privileged actions versus routine activities. This makes privilege escalation more difficult for threat actors.

MITIGATIONS

Network Defenders

CISA recommends organizations implement the recommendations in Table 2 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

*Table 2: Recommendations to Mitigate Identified Findings*
Finding	Recommendation
Insufficient Network Segmentation of DMZ	Apply the principle of least privilege to limit the exposure of systems and services in the DMZ. Segment the DMZ based on the sensitivity of systems and services [CPG 2.F]. Implement firewalls, access control lists, and intrusion prevention systems.
Insufficient Network Monitoring	Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behavior. Tune host-based products to detect anomalous binaries, lateral movement, and persistence techniques [CPG 3.A]. Create alerts for Windows event log authentication codes, especially for the domain controllers. This could help detect some of the pass-the-ticket, DCSync, and other techniques described in this report. Reduce the attack surface by limiting the use of legitimate administrative pathways and tools such as PowerShell, PsExec, and WMI, which are often used by malicious actors. Select one tool to administer the network, enable logging, and disable the others.
Insufficient Host Monitoring in Legacy Environment	Implement an EDR solution to monitor legacy hosts for suspicious activity and to detect breaches [CPG 3.A].
Insecure configurations of systems	Do not use the `no_root_squash` option. Remove `Unconstrained Delegation` from all servers. If `Unconstrained Delegation` functionality is required, upgrade operating systems and applications to leverage other approaches (e.g., `Constrained Delegation`) or explore whether systems can be retired or further isolated from the enterprise. Consider disabling or limiting NTLM and WDigest Authentication if possible. Instead, use modern federation protocols (SAML, OIDC) or Kerberos for authentication with AES-256 bit encryption. If NTLM must be enabled, enable Extended Protection for Authentication (EPA) to prevent NTLM-relay attacks, and implement SMB signing to prevent certain adversary-in-the-middle and pass-the-hash attacks. See Microsoft Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) and Microsoft Overview of Server Message Block signing for more information. Adhere to the principle of least privilege. Ensure the `sudoers` file contains only essential commands, avoids the use of wildcards, and contains password requirements for command execution.
Lack centralized identity management and monitoring systems	From a detection standpoint, focus on identity and access management (IAM) rather than just network traffic or static host alerts. Examine who is accessing a resource, what is being accessed, where the request originates, and the time of activity.
Use of known insecure and outdated software	Keep systems and software up to date. If updates cannot be uniformly installed, update insecure configurations to meet updated standards.
Insecure Keys and Credentials	Implement a password protection policy for all certificates that contain private keys that ensures every certificate is encrypted with a strong password. Ensure all certificates are stored in a secure location [CPG 2.L]. Regularly audit network shares to identify files that contain passwords accessible to multiple users [CPG 2.L]. Provide training on the proper use of password management tools. Implement a policy that prohibits storing passwords in plaintext, and regularly review and audit Active Directory for plain text passwords [CPG 2.L]. If system administrators must store passwords in active directory, restrict access to only users who require them.

Additionally, CISA recommends organizations implement the mitigations below to improve their cybersecurity posture:

Provide users with regular training and exercises, specifically related to phishing emails. Phishing accounts for majority of initial access intrusion events.
Enforce phishing-resistant MFA to the greatest extent possible.
Reduce the risk of credential compromise via the following:
- Place domain admin accounts in the protected users group to prevent caching of password hashes locally; this also forces Kerberos AES authentication as opposed to weaker RC4 or NTLM authentication protocols.
- Upgrade to Windows Server 2019 or greater and Windows 10 or greater. These versions have security features not included in older operating systems.

As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that:

Leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, and policy enforcement).
Upgrades applications and infrastructure to leverage modern identity management and network access practices.
Centralizes and streamlines access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.
Invests in technology and personnel to achieve these goals.

Software Manufacturers

The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and responsibility should not fall on the end user, CISA urges software manufacturers to implement the following:

Embed security into product architecture throughout the entire software development lifecycle (SDLC).
Eliminate default passwords. Do not provide software with default passwords. To eliminate default passwords, require administrators to set a strong password [CPG 2.B] during installation and configuration.
Design products so that the compromise of a single security control does not result in compromise of the entire system. For example, narrowly provision user privileges by default and employ ACLs to reduce the impact of a compromised account. This will make it more difficult for a malicious cyber actor to escalate privileges and move laterally.
Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.
Reduce hardening guide size, with a focus on systems being secure by default. In this scenario, the red team noticed default Windows Server 2012 configurations that allowed them to enumerate privileged accounts.

Important: Manufacturers need to implement routine nudges that are built into the product rather than relying on administrators to have the time, expertise, and awareness to interpret hardening guides.

These mitigations align with principles provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving security outcomes of their customers by applying these and other secure by design practices. By adhering to secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see the joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

Select an ATT&CK technique described in this advisory (see Table 3 to Table 16).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

See CISA’s RedEye tool on CISA’s GitHub page. RedEye is an interactive open source analytic tool used to visualize and report red team command and control activities. See CISA’s RedEye tool overview video for more information.
See CISA’s Phishing Guidance.
See CISA’s Secure by Design page to learn more about secure by design principles.

APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 3 to Table 16 for all referenced red team tactics and techniques in this advisory. Note: Unless noted, activity took place during Phase I. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

*Table 3: Reconnaissance*
Technique Title	ID	Use
Gather Victim Network Information	T1590	The team conducted open source research on the target organization to gain information about its network.
Gather Victim Network Information: Network Security Appliances	T1590.006	The team conducted open source research on the target organization to gain information about its defensive tools.
Gather Victim Identity Information: Employee Names	T1589.003	The team conducted open source research on the target organization to gain information about its employees.
Active Scanning	T1595	The team conducted external reconnaissance of the organization’s network.
Gather Victim Network Information: IP Addresses	T1590.005	The team conducted reconnaissance of the organization’s external IP space.
Search Open Websites/Domains	T1593	The team conducted open source research to identify information about the organization’s network.
Gather Victim Identity Information: Email Addresses	T1589.002	The team looked for email addresses and names to infer email addresses from the organization’s email syntax.
Search Open Technical Databases: Scan Databases	T1596.005	The team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet.
Search Open Technical Databases: DNS/Passive DNS	T1596.001	The team performed reverse DNS lookups on IP addresses within the ranges the TAs provided.

*Table 4: Resource Development*
Technique Title	ID	Use
Acquire Infrastructure	T1583	The team used third-party owned and operated infrastructure and services throughout its assessment.
Obtain Capabilities: Tool	T1588.002	The team obtained tools (i.e., Sliver, Mythic, Cobalt Strike, and other commercial C2 frameworks).

*Table 5: Initial Access*
Technique Title	ID	Use
Phishing	T1566	The team designed spearphishing campaigns tailored to employees of the organization most likely to communicate with external parties.
Exploit Public-Facing Application	T1190	The team gained initial access to the target by exploiting an internet-facing Linux web server.
Phishing: Spearphishing Link	T1566.002	The team sent tailored spearphishing emails to 13 targets.

*Table 6: Execution*
Technique Title	ID	Use
User Execution	T1204	The team’s phishing attempts were ultimately unsuccessful; targets ran the payloads, but their execution did not result in the red team gaining access into the network.
User Execution: Malicious File	T1204.002	One user responded and executed two malicious payloads.
Command and Scripting Interpreter	T1059	The preexisting web shell allowed the team to run arbitrary commands on the server.
Command and Scripting Interpreter: Python	T1059.006	The team used python scripts.
System Services: Service Execution	T1569.002	The team compromised a Domain Admin account and used it to run PSExec on multiple workstations and a domain controller.
Remote Services: SMB/Windows Admin Shares	T1021.002	The team established a session that originated from a target.

*Table 7: Persistence*
Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	After the failed spearphishing campaigns, the red team continued external reconnaissance of the network and discovered a web shell left from a previous VDP program.
Boot or Logon Initialization Scripts	T1037	The team backdoored several scripts run at boot time for persistence.
Scheduled Task/Job: Cron	T1053.003	Some of the team’s techniques included modifying preexisting scripts run by the cron utility and ifup-post scripts.
Boot or Logon Initialization Scripts: Network Logon Script	T1037.003	The team modified preexisting scripts run by the cron utility and ifup-post scripts.
Event Triggered Execution: Unix Shell Configuration Modification	T1546.004	The team used a backdoor in .bashrc.
Create Account: Local Account	T1136.001	During Phase II, the team created a local administrator account on a target server system.
Account Manipulation	T1098	During Phase II, the team created a local administrator account on a target server system.
Create Account: Domain Account	T1136.002	The team created AD accounts and added them to domain admins group.

*Table 8: Privilege Escalation*
Technique Title	ID	Use
Valid Accounts	T1078	The team moved laterally from the web server to the organization’s internal network using valid accounts.
Abuse Elevation Control Mechanism: Sudo and Sudo Caching	T1548.003	The team discovered that WEBUSER1 had excessive sudo rights, allowing them to run some commands as root without a password.

*Table 9: Defense Evasion*
Technique Title	ID	Use
Process Injection	T1055	The team modified its processes by changing their names in memory and at execution.
Reflective Code Loading	T1620	The team used Python scripts run in memory to avoid on-disk detection.
Obfuscated Files or Information: Binary Padding	T1027.001	The team inflated its file sizes above the upload threshold of the organization’s EDR.

*Table 10: Credential Access*
Technique Title	ID	Use
Unsecured Credentials: Credentials In Files	T1552.001	The team discovered credential material on a misconfigured Network File System.
Steal or Forge Authentication Certificates	T1649	The team used a certificate for client authentication discovered on the NFS share to compromise a system configured for Unconstrained Delegation.
Steal or Forge Kerberos Tickets: Golden Ticket	T1558.001	The team acquired a ticket granting ticket for a domain controller.
Unsecured Credentials: Bash History	T1552.003	The team used its escalated privileges to search bash command histories.
Data from Network Shared Drive	T1039	The team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories, and other sensitive data across all user files on the NFS share.
Unsecured Credentials: Private Keys	T1552.004	The team initially obtained 61 private SSH keys and a file containing valid cleartext domain credentials.
Valid Accounts: Domain Accounts	T1078.002	The team initially obtained 61 private SSH keys and a file containing valid cleartext domain credentials.
Network Sniffing	T1187	The red team leveraged this administrative access to upload a modified version of Rubeus in monitor mode to capture incoming tickets.
OS Credential Dumping: DCSync	T1003.006	The team used DCSync through Linux tunnels to acquire the hash of several privileged accounts.

*Table 11: Discovery*
Technique Title	ID	Use
System Network Configuration Discovery	T1016	The team leveraged the web shell to identify an open internal proxy server.
Account Discovery	T1087	The team leveraged their AD data to identify administrators of the SCCM servers.
Account Discovery: Domain Account	T1087.002	The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). During Phase II, the team performed AD enumeration by querying all domain objects from the DC, as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer.
Remote System Discovery	T1018	The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). During Phase II, the team performed AD enumeration by querying all domain objects from the DC as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer.
Permission Groups Discovery: Domain Groups	T1069.002	The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO).
Group Policy Discovery	T1615	The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO).
Network Service Discovery	T1046	The team scanned SMB port 445/TCP. During Phase II, the team launched a scan from inside the network from a previously gained workstation.
Permission Groups Discovery	T1069	The team discovered a user account through querying the Windows Server 2012 R2 target.
Permission Groups Discovery: Local Groups	T1069.001	The team used Windows API calls to NetLocalGroupEnum and NetLocalGroupGetMembers to query local groups.
Domain Trust Discovery	T1482	During Phase II, the team enumerated trust relationships within the AD Forest.
System Owner/User Discovery	T1033	During Phase II, the team performed AD enumeration by querying all domain objects from the DC, as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer.

*Table 12: Lateral Movement*
Technique Title	ID	Use
Taint Shared Content	T1080	Since no_root_squash was used, the team could read and change any file on the shared file system and leave trojanized applications.
Remote Services: SSH	T1021.004	The team’s acquisition of SSH private keys of user and service accounts, including two highly privileged accounts with root access to hundreds of servers, facilitated unrestricted lateral movement to other Linux hosts.
Software Deployment Tools	T1072	Access to an Ansible Tower system provided the team easy access to multiple SBSs.

*Table 13: Collection*
Technique Title	ID	Use
Data from Information Repositories	T1213	The team accessed a database that received information from OT devices to feed monitoring dashboards, which the organization used to make decisions.

*Table 14: Command and Control*
Technique Title	ID	Use
Ingress Tool Transfer	T1105	The team then downloaded and executed a Sliver payload that utilized this proxy to establish command and control. During Phase II, the team uploaded and executed a well-known malicious file to a target DC system to generate host-based alerts.
Application Layer Protocol: Web Protocols	T1071.001	In the organization’s Linux environment, the red team leveraged HTTPS connections for C2.
Proxy: Internal Proxy	T1090.001	The team leveraged an open internal HTTPS proxy for their traffic.
Application Layer Protocol: File Transfer Protocols	T1071.002	The team connected to servers over SMB.
Proxy: External Proxy	T1090.002	The team used cloud platforms to create flexible and dynamic redirect servers to send traffic to the team’s servers.
Encrypted Channel	T1573	The team encrypted all data in transit and secured all data at rest through a VPN with multifactor authentication.
Proxy: Domain Fronting	T1090.004	The team used domain fronting to disguise outbound traffic.
Application Layer Protocol	T1071	During Phase II, the team established a session that originated from a target Workstation system directly to an external host over a clear text protocol, such as HTTP.

*Table 15: Exfiltration*
Technique Title	ID	Use
Exfiltration Over Alternative Protocol	T1048	During Phase II, the team sent a large amount of mock sensitive information to an external host.

*Table 16: Impact*
Technique Title	ID	Use
Account Access Removal	T1531	The team locked out several administrative AD accounts in rapid succession.

us-cert.gov

rss

forum

news

surface web

cisa

Cyber Story Time: The Boy Who Cried “Secure!”

2024-11-21

The post Cyber Story Time: The Boy Who Cried “Secure!” appeared first on All Hacker News.

allhackernews.com

rss

forum

news

surface web

Differential analysis raises red flags over @lottiefiles/lottie-player

2024-11-21

Malware on public repositories is nothing new. For a couple of years now, ReversingLabs threat researchers have been monitoring npm, PyPI and recently VSCode Marketplace, RubyGems and NuGet for potential malware whose inclusion in the development cycle could cause a supply chain attack. More often than not, malicious packages are published by new accounts and are made from scratch.

reversinglabs.com

rss

forum

news

surface web

[email protected] (lucija valentić)

NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data

2024-11-21

The post NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data appeared first on All Hacker News.

allhackernews.com

rss

forum

news

surface web

How to watch Indian TV channels in the USA with a VPN

2024-11-21

L’article How to watch Indian TV channels in the USA with a VPN est apparu en premier sur Comparitech.

comparitech.com

rss

forum

news

surface web

The best VPNs for BlueSky (and how to use a VPN with BlueSky)

2024-11-21

L’article The best VPNs for BlueSky (and how to use a VPN with BlueSky) est apparu en premier sur Comparitech.

comparitech.com

rss

forum

news

surface web

D-Link Devices Face Cyber Attacks Following End-of-Life Announcement

2024-11-21

Cybersecurity researchers have confirmed that the exploitation of D-Link NAS devices has been ongoing. Recently it was found to contain a critical flaw, for which the manufacturer is no longer offering support on such devices.

Critical Flaw and Discontinued Support

A critical security flaw, rated 9.2 on the severity scale, was found in various editions of D-Link NAS devices. This flaw may allow attackers to remotely execute malevolent commands that would place sensitive data stored on these systems at risk. However, D-Link announced that it will not release a patch for this issue as these devices have reached EOL status. Users are instead advised to update to newer products in order to continue protection.

Tens of Thousands of Devices Vulnerable

Researchers have discovered more than 60,000 vulnerable devices worldwide. The affected models include DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Versions 1.01 and 1.02, and DNS-340L Version 1.08. While the above number of possible exploited devices is very large, so far only around 1,100 instances of exploitation were seen, according to a threat monitoring service called Shadowserver.

Active Exploitation Starts

Exploitation attempts for this vulnerability, tracked as CVE-2024-10914, were first sighted on November 12. According to the researchers at Shadowserver, attackers are taking advantage of a command injection vulnerability on the "/cgi-bin/account_mgr.cgi" endpoint of the affected devices. Though the exploitation of this flaw is relatively complex, a public exploit available does increase the risk for its users.

Shadowserver makes a big point of pulling these types of devices off the internet as their EOL status signifies D-Link will not be putting out any further updates or releases on these devices.

Why NAS Devices Are Attractive

For centralizing data storage, NAS devices make it possible for quite a few users and devices to access and share files, let alone back them up. They are highly used in homes and businesses for reliability, ease of use, and scalability. However, due to their nature as data hubs, they are great targets for cybercriminals-these criminals typically try to steal, encrypt, or delete valuable information, and one of the most commonly used tools is through ransomware attacks.

What Users Should Do

Thereby, the owners of affected D-Link NAS devices are advised to replace them with the supported versions. Disconnecting the affected devices from the internet would be one of the immediate steps to reduce the exposure.

Furthermore, users should keep their systems up to date and implement robust security measures in place for protecting data. For this reason, cyber threats evolve very fast, and only a vigilant user can save the sensitive information.

blogger.com

rss

forum

news

surface web

nas

Resilient Internet connectivity in Europe mitigates impact from multiple cable cuts

2024-11-20

cloudflare.com

rss

forum

news

surface web

Pandora FMS NG 779 RRR

2024-11-20

The post Pandora FMS NG 779 RRR appeared first on Pandora FMS.

pandorafms.com

rss

forum

news

surface web

China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks

2024-11-20

The post China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks appeared first on All Hacker News.

allhackernews.com

rss

forum

news

surface web

Hackers Using Sitting Ducks Attack To Hijack Domains, 1 Million Domains Vulnerable

2024-11-20

The post Hackers Using Sitting Ducks Attack To Hijack Domains, 1 Million Domains Vulnerable appeared first on Cyber Security News.

cybersecuritynews.com

rss

forum

news

surface web

10 Best IT Asset Management Tools In 2024

2024-11-20

The post 10 Best IT Asset Management Tools In 2024 appeared first on Cyber Security News.

cybersecuritynews.com

rss

forum

news

surface web

Tageszusammenfassung - 19.11.2024

2024-11-20

https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pirated-software-and-game-cheats/

New Helldown Ransomware Variant Expands Attacks to VMware and Linux Systems

Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus."Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia ..

https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html

Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble

If you didnt fix this a month ago, your to-do list probably needs a reshuffle Two VMware vCenter server bugs, including a critical heap-overflow vulnerability that leads to remote code execution (RCE), have been exploited in attacks after Broadcom-s first attempt to fix the flaws fell short.

https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/

Veritas Enterprise Vault: Kritische Codeschmuggel-Lücken in Archivsoftware

In Vertias Enterprise Vault können Angreifer kritische Lücke zum Einschleusen von Schadcode missbrauchen.

https://www.heise.de/news/Veritas-Enterprise-Vault-Kritische-Codeschmuggel-Luecken-in-Archivsoftware-10053675.html

Kritische Palo-Alto-Lücke: Details und Patches sind da, CISA warnt vor Exploit

Fast drei Wochen nach ersten Exploit-Gerüchten hat der Hersteller nun endlich reagiert, trickst aber. Derweil warnt die US-Cyberbehörde vor Angriffen.

https://www.heise.de/news/Kritische-Palo-Alto-Luecke-Patches-sind-da-CISA-warnt-vor-Exploit-10051696.html

FreeBSD Foundation releases Bhyve and Capsicum security audit

The FreeBSD Foundation has announced the release of a security audit report conducted by security firm Synacktiv. The audit uncovered a number of vulnerabilities: Most of these vulnerabilities have been addressed through official FreeBSD Project security advisories, which offer detailed information about each vulnerability, its impact, and the measures ..

https://lwn.net/Articles/998615/

FrostyGoop-s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications

We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications.

https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/

The Importance of Establishing a Solid Third Party Risk Management Framework for Risk Mitigation

In the previous post, we introduced the concept of Third-Party Risk Management (TPRM) and its importance in today-s interconnected world. Now, let us have a look at the practical aspects of building a solid TPRM program and why it is important for your company. 1. Start with a Third-Party Inventory The first step in building ..

https://blog.nviso.eu/2024/11/19/the-importance-of-establishing-a-solid-third-party-risk-management-framework-for-risk-mitigation/

Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden

A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked ..

https://hackread.com/facebook-malvertising-malware-via-fake-bitwarden/

Threat Actors Hijack Misconfigured Servers for Live Sports Streaming

To keep up with the ever-evolving world of cybersecurity, Aqua Nautilus researchers deploy honeypots that mimic real-world development environments. During a recent threat-hunting operation, they uncovered a surprising new ..

https://blog.aquasec.com/threat-actors-hijack-misconfigured-servers-for-live-sports-streaming

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474

Note: Since this is breaking news and more details are being released, were updating this ..

https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates

CVEs awaiting analysis by the NVD have broken the 20,000 mark, after the security community noticed its enrichment activity slowed to nearly a halt again last week. NIST failed to meet its self-imposed deadline of ..

https://socket.dev/blog/nvd-backlog-tops-20-000-cves

Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets

In October 2024, Socket discovered a widespread npm malware campaign using Ethereum smart contracts to evade detection and maintain control over infected systems. Building on our initial research and equipped with analyses of the ..

https://socket.dev/blog/exploiting-npm-to-build-a-blockchain-powered-botnet

Extending Burp Suite for fun and profit - The Montoya way - Part 7

Last time we saw how to develop an extension that will add custom active and passive checks to the Burp Scanner. Today we will modify that extension to detect serialization issues using ..

https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-7/

U.S. Extradites and Charges Alleged Phobos Ransomware Admin

The United States secured the extradition of a Russian national from South Korea who is allegedly the mastermind behind the notorious Phobos ransomware. Evgenii Ptitsyn, 42, is accused of administering the Phobos ..

https://thecyberexpress.com/us-charges-alleged-phobos-ransomware-admin/

Vulnerabilities

ZDI-24-1516: Trend Micro Deep Security Agent Manual Scan Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Deep Security Agent. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-51503.

http://www.zerodayinitiative.com/advisories/ZDI-24-1516/

ZDI-24-1517: McAfee Total Protection Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Total Protection. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.7. The following CVEs are assigned: CVE-2024-49592.

http://www.zerodayinitiative.com/advisories/ZDI-24-1517/

Security updates for Tuesday

Security updates have been issued by AlmaLinux (.NET 9.0, bcc, bluez, bpftrace, bubblewrap, flatpak, buildah, cockpit, containernetworking-plugins, cups, cyrus-imapd, edk2, expat, firefox, fontforge, gnome-shell, gnome-shell-extensions, grafana, grafana-pcp, gtk3, httpd, iperf3, jose, krb5, libgcrypt, libsoup, libvirt, libvpx, lldpd, microcode_ctl, ..

https://lwn.net/Articles/998755/

Oracle Security Alert for CVE-2024-21287 - 18 November 2024

https://www.oracle.com/security-alerts/alert-cve-2024-21287.html

cert.at

rss

forum

news

surface web

Hackers Hijack Unsecured Jupyter Notebooks to Stream Illegal Sports Broadcasts

2024-11-19

The post Hackers Hijack Unsecured Jupyter Notebooks to Stream Illegal Sports Broadcasts appeared first on All Hacker News.

allhackernews.com

rss

forum

news

surface web

Windows security and resiliency: Protecting your business

2024-11-19

The post Windows security and resiliency: Protecting your business appeared first on Windows Blog.

windows.com

rss

forum

news

surface web

My information was stolen. Now what? - We Live Security

2024-11-19

google.com

rss

forum

news

surface web

dnsReaper: subdomain takeover tool for attackers, bug bounty hunters and the blue team

2024-11-19

The post dnsReaper: subdomain takeover tool for attackers, bug bounty hunters and the blue team appeared first on Penetration Testing Tools.

meterpreter.org

rss

forum

news

surface web

New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

2024-11-19

The post New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers appeared first on All Hacker News.

allhackernews.com

rss

forum

news

surface web

Data Breaches Digest - Week 47 2024

2024-11-18

Welcome to this week's Data Breaches Digest, a catalogue of links concerning Data Breaches and Cyber Security that were published on the Internet during the period between 18th November and 24th November 2024.

18th November

1.5 Million Exposed: Set Forth & Centrex Hit by Massive Data Breach

ADT Freight Services listed as alleged victim by Sarcoma ransomware gang

AI Can Be Leveraged For Phishing Scams: What You Need To Know To Stay Safe

APT Group DONOT Launches Cyberattack on Pakistan’s Maritime and Defense Industry

Argentina: Student Database Breach in Entre Ríos Province

Australia: Cyber security bill recommended for 'urgent' parliamentary approval

Bitfinex hacker who stole 120,000 bitcoins gets five years in prison

Black Friday or Black Fraud-day? A Prime Time for Fraud and Cyberattacks

Chatbots & Voice Phishing: How To Safeguard Against Potential Risks From AI

Chinese Salt Typhoon Hacked T-Mobile in US Telecom Breach Spree

Critical RCE bug in VMware vCenter Server now exploited in attacks

Don’t Hold Down The Ctrl Key - New Warning As Cyber Attacks Confirmed

Fake Bitwarden ads on Facebook push info-stealing Chrome extension

Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

Ford Customer Data Breach, German Statistical Data Leak, and Bank of France Targeted

Germany: Stauberstahl.com Database Breach Exposes Sensitive Data

Gmail's New Shielded Email Feature Lets Users Create Aliases for Email Privacy

Hacked crypto project Thala agrees to $300K bounty, recovers $25M

Helix darknet Bitcoin 'mixer' will fork over $750M, serve time, for processing 1M+ transactions

How and where to report cybercrime: What you need to know

How to ensure a fast recovery from the inevitable cyber-attack

Increased GDPR Enforcement Highlights the Need for Data Security

India: NCISM NEET Students Data Breach Exposes Personal Details

India: Sreedharscce.com Data Breach Exposes Millions of Records

India: Tjori.com 2021 Data Breach Exposes 1 Million User Records

India sees 135,173 financial phishing attacks in H1 2024, says study

Major US telecom T-Mobile among victims of China-linked breach

Microsoft 365 Admin portal abused to send sextortion emails

Mistakes that leave you open to attack

Mozilla 0Din Warns of ChatGPT Sandbox Flaws Enabling Python Execution

Navigating the compliance labyrinth: A CSO’s guide to scaling security

North Korean IT Worker Network Tied to BeaverTail Phishing Campaign

NSO Group Exploited WhatsApp to Install Pegasus Spyware Even After Meta's Lawsuit

Palo Alto firewalls exploited after critical zero-day vulnerability

Palo Alto Networks patches two firewall zero-days used in attacks

RansomHub ransomware gang claims data breach targeting Mexican government

RansomHub says 313GB exfiltrated in Mexican government cyber attack

Ransomware: Significant rise of attacks on Indian businesses

Ransomware attacks surge in Southeast Asia with 57,000 cases

Strengthening cybersecurity this Black Friday: combatting social engineering and phishing threats

Surge in DocuSign Phishing Attacks Target US State Contractors

T-Mobile confirms breach amid wave of Chinese state-sponsored telecom attacks

TEAM Software Breach, Hackers Gain Unauthorized Access To Network Infrastructure

Thala recovers $25.5M in crypto lost through v1 farming vulnerability

The Problem of Permissions and Non-Human Identities - Why Remediating Credentials Takes Longer Than You Think

Transforce.in – Database Breach Exposes Sensitive User Data

Turkey fines Amazon’s Twitch 2 million lira for data breach

Turkey sanctions Twitch for user data breach

Türkiye fines Twitch $58K over massive data breach impacting thousands

Twitch Fined $58K in Turkey Over Major Data Breach Fail

UK Shoppers Lost £11.5m Last Christmas, National Cyber Security Centre (NCSC) Warns

Unraveling the Mysteries of Ransomware- How AI-Driven Detection is Turning the Tide

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

URL Login & Password Leak – 2.5 Million Records Exposed

US charges Phobos ransomware admin after South Korea extradition

US space tech giant Maxar discloses employee data breach

dbdigest.com

rss

forum

news

surface web

sec

How to Fix Diablo 4 Lagging Issues on PC, PS5 & Xbox (2024)

2024-11-18

dns

vpnmentor.com

rss

forum

news

QuickBooks popup scam still being delivered via Google ads

2024-11-18

malwarebytes.org

rss

forum

news

surface web

Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

2024-11-18

The post Fake Discount Sites Exploit Black Friday to Hijack Shopper Information appeared first on All Hacker News.

allhackernews.com

rss

forum

news

surface web

ADcheck: Assess the security of your Active Directory

2024-11-17

The post ADcheck: Assess the security of your Active Directory appeared first on Penetration Testing Tools.

meterpreter.org

rss

forum

news

surface web

CVE-2024-0760 | ISC BIND up to 9.18.27/9.18.27-S1/9.19.24 DNS Messages over TCP resource consumption (Nessus ID 211195)

2024-11-16

A vulnerability was found in ISC BIND up to 9.18.27/9.18.27-S1/9.19.24. It has been classified as critical. Affected is an unknown function of the component DNS Messages over TCP Handler. The manipulation leads to resource consumption. This vulnerability is traded as CVE-2024-0760. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

vuldb.com

rss

forum

news

surface web

CVE-2022-32743 | Samba up to 4.16.x dNSHostName default permission (FEDORA-2022-4555909843 / Nessus ID 211187)

2024-11-16

A vulnerability was found in Samba up to 4.16.x. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument dNSHostName leads to incorrect default permissions. The identification of this vulnerability is CVE-2022-32743. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

vuldb.com

rss

forum

news

surface web

Can Someone Track My Phone Without Me Knowing? 12 Signs

2024-11-16

vpnmentor.com

rss

forum

news

surface web

Malwarebytes Premium Security review: An antimalware staple is now optional

2024-11-16

At a glance

Expert's Rating

Pros

Clean, simple interface
Essential protection against malware
Lower impact on PC system resources

Cons

Less participation in testing performed by independent security organizations
Extremely light on features

Our Verdict

Malwarebytes Premium Security offers a simple, easy-to-use alternative to Windows Security—but don’t expect big bang for your buck. Seasoned security vets may also find the lower amount of available independent performance test results offputting.

Price When Reviewed

This value will show the geolocated pricing text for product undefined

Best Pricing Today

Malwarebytes

$42.79

View Deal

Price When Reviewed

60

Best Prices Today: Malwarebytes Premium Security

Malwarebytes

$42.79

View Deal

Malwarebytes was once a crucial piece of software—a necessary supplement for your main antivirus scanner. You couldn’t always count on just one program to catch everything, and Malwarebytes rose to prominence as a reliable secondary tool.

But the world has changed since 2010. Now if you run multiple antivirus apps, you could open yourself up to software conflicts or increased risk for system vulnerabilities. One single program is the way to go—and if you’re a newbie to security and prefer a dead simple app, then Malwarebytes’ streamlined, elegant approach can fit the bill.

How much does Malwarebytes Premium Security cost?

As a simple suite, Malwarebytes Premium Security costs $60 per year. New subscribers can sign up for a two-year package to save $9 ($111 total). Unlike most other antivirus vendors, Malwarebytes bills in monthly installments over a 12-month term, rather than charging the total cost upfront.

For its consumer products, the company offers a 14-day trial, and a 60-day money back guarantee.

Single-device plan (3 devices)

$60 per year (billed monthly over a 12-month term)

Malwarebytes’ plan allows you to spread your device allotment over those running Windows, macOS, Android, iOS, and even ChromeOS.

PCWorld

If you want to cover more gear, or save a little more cash, you can get licenses for Malwarebytes through third-parties like Amazon and the PCWorld Software store with more flexible terms and at lower rates. However, such plans currently don’t include VPN service, which Malwarebytes added to the subscriptions it sells directly.

What does Malwarebytes Premium Security include?

When you step up from Malwarebytes’ free version to a paid subscription, real-time monitoring for malware, email, web, and select network threats becomes active. (The free plan only scans if you initiate a manual check.) Overall, you’re protected against viruses, ransomware, and other malware, as well as other common attacks like phishing attempts, zero-day exploits on the web and over email, and suspicious apps.

Choosing Malwarebytes Premium Security adds on access to the company’s VPN, which Malwarebytes advertises as a no-log service. As premium upgrades go, this one is simplistic—you don’t get parental controls, a password manager, additional defenses like protected folders, or PC utilities, as you do with a rival like AVG. The company seems to weigh its VPN service as equally valuable to a collection of such antivirus features.

Key features of Malwarebytes Premium Security

Installation and user interface

After you install the app, you’ll see the main dashboard. The interface is incredibly streamlined, with just two tabs on the left navbar—Dashboard and Settings. You can choose between Light, Dark, or matching Windows’ mode.

PCWorld

Accordingly, you’ll send almost all your time on the Dashboard view, which is divided into three segments. In the larger one, you’ll see a couple of sections blocked out. At the upper left is Security, with Scanner, Detection History, and Real-Time Protection as the three options and their settings:

Scanner lets you run a quick, full, or custom scan, as well as jump directly to related settings. You can also access the scheduled scans to review what’s already set up and create new ones.
Detection History shows quarantined items, the history of events (like detected viruses), and your allow list—items that you’ve approved as safe after initially being flagged by Malwarebytes.
Real-Time Protection is not so much a feature, but an explanation for how Malwarebytes and how it safeguards your PC continuously.

Directly underneath the security section is one for the VPN. It puts the major controls at your fingertips, letting you quickly activate the service and change the location. You can also jump into related settings.

Along the right side is a rating for your PC’s protection level—Malwarebyte’s assessment of how close you are to utilizing the app fully. You can also check on other devices associated with your account.

PCWorld

Generally, the interface is clean and simple, as are the settings for the app and its features. The only area where you can dig in deeper are the antivirus protection settings—but as Malwarebytes rightly warns, nearly all users are better off leaving the defaults as they are.

One tip: Once the software is installed, head to Settings > Notifications, scroll down to the bottom, and turn off marketing notifications.

Virus, malware, and threat protection

Real-time protection

Malwarebytes Premium Security constantly keeps an eye out for a variety of threats. When you’re opening or adding files, using apps, or browsing the web, it’ll block viruses, ransomware, and other malware like rootkits, along with phishing attempts.

Unlike other rivals, Malwarebytes doesn’t offer a firewall. That job is left to Windows. It also doesn’t offer additional protections against dangers like DNS hijacking and webcam takeovers. As for identity protection, like dark web monitoring and insurance coverage, you must upgrade to the company’s Complete Protection plan, which costs twice as much per year.

PCWorld

If you want to adjust your real-time scanning settings, you can change what the app screens for and how stringent it is with its filters, as well as how it handles suspicious files. Malwarebytes allows you dig surprisingly deep, though only experts should get into the weeds. The overwhelming majority of users should keep the defaults as they are.

Scheduled and manual scans

At installation, Malwarebytes Premium Security automatically creates a scheduled scan for once per week. It runs whenever your system is idle, which the app calls a “smart scan.” You can edit this default or create additional scheduled scans.

For manual scans, Malwarebytes offers three types. The default is a threat scan, which checks commonly targeted areas of your PC, including things running in memory and at startup, as well as registry changes. Files stored on your PC are also looked over.

PCWorld

To fire up a quick or custom scan, you must choose Advanced Scan from the three-dot menu for the Scanner on the dashboard. Custom scans let you tweak a handful of settings related to file types and areas of your PC, as well as how to handle potentially unwanted programs and modifications to your system.

Additional features

Browser extension

Malwarebytes offers a Browser Guard extension for Chrome, Firefox, and Edge, but despite being available as a separate free download, it’s still considered a component of the Premium Security suite. After installation, it runs quietly in the background, protecting your browser from malware and scams (including credit card skimming), as well as serving as an adblocker.

VPN

Malwarebytes keeps its controls for its VPN simple rather than restrictive. Firing up the service is quick and fast, as is choosing a location for a server—and Malwarebytes lets you choose a handful of cities within countries outside of the US, more similar to a dedicated VPN.

PCWorld

You can choose servers in Albania, Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Chile, Colombia, Croatia, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hong Kong, Hungary, Indonesia, Ireland, Israel, Italy, Japan, Latvia, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Serbia, Singapore, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, UK, Ukraine, USA.

This country list isn’t as large as with some VPN services, but as mentioned above, you can generally choose between two to four cities per country. The exception is the United States, which has 18 cities available, coast to coast.

Speeds held stable when using the VPN during light testing. For US server speeds, Los Angeles (within the same state as PCWorld’s San Francisco location) showed a decrease of about 5 to 7 percent, while New York saw a roughly 26 percent drop.

Customer support

From within the app, you can jump to Malwarebytes’ user guide, support pages, and support tool. You can also use an AI chatbot for answers to your questions, or if you’re signed into your Malwarebytes account, to contact customer support—you’ll get funneled to your choice of email or live chat.

Updates and maintenance

Updates for the app and virus definitions happen automatically in the background, but you can also trigger a check manually. You’ll need to click on the person icon in the upper right of the app window, then choose About Malwarebytes and click on the Check for updates button.

PCWorld

Performance

While Malwarebytes participates in some independent benchmarking of its software, it has no current results from AV-Test and AV-Comparatives, two major organizations that test how well antivirus suites can catch threats.

Instead, the company points the curious toward AVLabs’s testing data. During the company’s September 2024 advanced in-the-wild test, Malwarebytes caught all 510 samples, with its detection rate was split between 90.98 percent pre-launch and 9.02 percent post-launch of the samples (that is, before the malware samples could activate versus after).

When asked about its participation in independent benchmarks, a representative from Malwarebytes said the company “focuses on third-party testing that is most closely aligned with the needs of customers” and that it works “with the third-party testers that are most relevant to what our customers encounter in today’s threat landscape.”

PCWorld / AVLab

During hardware performance tests on our budget Acer Aspire 3 test laptop, Malwarebytes lived up to its claims of light impact on PC resources. When left idle in the background, it had virtually no effect on typical tasks, as shown by PCMark 10’s extended benchmark. That test simulates video chatting, web browsing, gaming, image and document editing in free apps like GIMP and LibreOffice, and the like.

If you work instead on Microsoft Office documents, our UL Procyon tests showed a minimal impact on results, with a less than 3 percent difference. Similarly, our Handbrake encoding test only dipped by about 4 percent.

Even running a threat scan continuously during our benchmarks didn’t disturb these numbers much—PCMark 10 slipped by about 7 percent, Procyon by about 14 percent, and Handbrake by about 19 percent. Given how rival antivirus engines from rivals like McAfee and Norton are far greedier about system resources, Malwarebytes does distinguish itself in this regard.

Conclusion

If you dislike complicated interfaces, Malwarebytes Premium Security can be a good fit as an alternative to Windows Security—so long as you don’t mind not getting as much bang for your buck. The app is attractive and clean in its layout, and the settings are clear and straightforward. However, more seasoned security vets may have reason to hesitate on pulling the trigger, due to the relatively low amount of independent testing data available about software performance.

pcworld.com

rss

forum

news

surface web

antivirus

Thousands of web domains hijacked in "sitting ducks" attack

2024-11-15

techradar.com

rss

forum

news

surface web

Avast One review: Well-priced PC security with excellent protection

2024-11-15

At a glance