Security Posts

DOJ Charges 6 Sandworm APT Members in NotPetya Cyberattacks

Threatpost - Mon, 2020/10/19 - 21:10
DOJ charges six Russian nationals for their alleged part in the NotPetya, Ukraine power grid and Olympics cyberattacks.
Categories: Security Posts

GravityRAT Comes Back to Earth with Android, macOS Spyware

Threatpost - Mon, 2020/10/19 - 19:34
The espionage tool masquerades as legitimate applications and robs victims blind of their data.
Categories: Security Posts

Overlay Malware Targets Windows Users with a DLL Hijack Twist

Threatpost - Mon, 2020/10/19 - 19:05
Brazilians are warned of a new Vizom malware masquerading as video conferencing and browser software.
Categories: Security Posts

US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks

Zero Day | ZDNet RSS Feed - Mon, 2020/10/19 - 19:03
The US Department of Justice has today unsealed charges against six GRU officers believed to be members of Sandworm, one of today's most advanced state-sponsored hacking groups.
Categories: Security Posts

US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit

Wired: Security - Mon, 2020/10/19 - 19:00
The Department of Justice has named and charged six men for allegedly carrying out many of the most costly cyberattacks in history.
Categories: Security Posts

Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack

Threatpost - Mon, 2020/10/19 - 18:36
Researchers said the group was able to move from initial phish to full domain-wide encryption in just five hours.
Categories: Security Posts

Microsoft Exchange, Outlook Under Siege By APTs

Threatpost - Mon, 2020/10/19 - 17:09
A new threat report shows that APTs are switching up their tactics when exploiting Microsoft services like Exchange and OWA, in order to avoid detection.
Categories: Security Posts

Microsoft issues two emergency Windows patches

ESET - Mon, 2020/10/19 - 16:51
The flaws, neither of which is being actively exploited, were fixed merely days after the monthly Patch Tuesday rollout.
Categories: Security Posts

Game Titles Watch Dogs: Legion, Albion Both Targeted by Hackers

Threatpost - Mon, 2020/10/19 - 16:24
In both cases, cybercriminals claim to have reams of information for the popular gaming titles.
Categories: Security Posts

Toshiba targets $20bn quantum key, data encryption business with Verizon, BT partnerships

Zero Day | ZDNet RSS Feed - Mon, 2020/10/19 - 13:50
Toshiba estimates the market will be worth $20 billion worldwide by 2035.
Categories: Security Posts

Naked Security Live – Ping of Death: are you at risk?

Naked Security Sophos - Mon, 2020/10/19 - 13:31
Here's the latest Naked Security Live video - enjoy (and please share with your friends)!
Categories: Security Posts

PSPs vs. OPA Gatekeeper: Breaking down your Kubernetes Pod security options

AlienVault Blogs - Mon, 2020/10/19 - 13:00
This blog was written by an independent guest blogger.

Organizations are increasingly turning to Kubernetes, but they’re having trouble balancing security in the process. In its State of Container and Kubernetes Security Fall 2020 survey, for instance, StackRox found that 91% of respondents were using Kubernetes to orchestrate their containers and that three-quarters of organizations were using the open-source container-orchestration system in production. Even so, nine in 10 respondents told StackRox in its poll that they had experienced a security event in their container and Kubernetes environment in the last 12 months. Two-thirds of organizations said those incidents had involved a misconfiguration.

These findings highlight the need for organizations to enhance the security of their Kubernetes environments against misconfiguration incidents. In this blog post, we’ll narrow our focus and discuss how one type of misconfiguration in particular—embracing default pod communication—endangers organizations’ security. We’ll then discuss how organizations can use either Pod Security Policies (PSPs) or OPA Gatekeeper to ensure the security of their pods.

Understanding the Security Challenges of Pod Communication

To understand the security challenges inherent in default Kubernetes pod communication, it’s important that we first define what a pod is and does. Pods consist of one or more containers, shared storage/network resources and specifications for running those containers, according to the Kubernetes website. When framed in Docker terms, pods act as groups of Docker containers that share namespaces and filesystem volumes. These small computing units help organizations group containers together and have those resources collaborate on specific projects or sets of work.

Where organizations run into challenges is the way in which pods communicate by default. As noted elsewhere on the Kubernetes website, the standard configuration for pods is non-isolated: they accept traffic from any source. This is a problem, as this type of open communication potentially enables malicious actors to abuse the Kubernetes environment for nefarious purposes. Digital attackers could stage an attack in which they create a malicious container and use it to compromise its corresponding pod, for instance. That actor could then abuse unrestricted communication between pods to move laterally throughout the Kubernetes environment, deploying cryptominers and installing infostealing malware along the way.

Using Security Context to Address These Challenges

Fortunately, organizations can address these security challenges associated with pods using what are known as security contexts. Kubernetes notes on its site that security contexts function as configurations that help to define the security properties of a pod or a container. These configurations include access controls that govern who can access a pod or container and whether a Kubernetes resource is privileged. With the right security contexts, organizations can therefore prevent unauthorized actors from gaining access to a container, from elevating privileges on a compromised resource and from moving laterally on the network.

Enforcing Security Context with Pod Security Policies

When it comes time to enforce a security context, organizations may choose to use pod security policies (PSPs). These cluster-level resources manage the specifications under which a pod is allowed to run on a system, notes Kubernetes. Pod security policies empower administrators to monitor how the file system is used and which containers are privileged, among other things. After creating a pod security policy, administrators should authorize the user or target pod’s service account to use the policy. (They can do this by allowing the “use” verb on the policy.) It’s then that they can enforce those policies by enabling the admission controller. (If the order is reversed and organizations enable the admission controller before authorizing a policy, they could inadvertently prevent pods from spawning inside the cluster.)

Addressing PSPs’ Limitations with OPA Gatekeeper

All that said, PSPs are not without their drawbacks. Amazon notes on its AWS blog that PSPs can sometimes be a bit cumbersome; it’s only the first policy listed in alphabetical order on Kubernetes’ Role-Based Access Control (RBAC) that applies, after all. More than that, PSPs don’t cover all security concerns that an organization might have, and they’re not user extensible. Not only that, but they’ve been in beta for some time; there’s no guarantee that they’ll make it to General Availability or that they’ll operate in the same way that they do now if they do.

Many organizations are responding to these shortcomings by opting for Open Policy Agent (OPA) Gatekeeper. The advantage here is that Gatekeeper functions as an admission controller webhook on top of an OPA engine. In essence, this design makes Gatekeeper portable in that administrators can use it to detect non-compliant commits before they slow down the organization. It will also ensure that any resource added to or updated on the cluster complies with the policies defined in the OPA engine, which is a general-purpose engine for defining and enforcing policies. Through those means, administrators can control where images come from, specify that pods have defined resource limits and essentially enforce anything they could with PSPs while having the ability to make custom policies for other specs, Amazon explained.

Automating This Process

Organizations can protect their pods using either PSPs or OPA Gatekeeper. But this isn’t always that easy. As noted by StackRox, “Hardening pods using native controls can, at times, get quite complex, especially when running clusters at scale.” That’s why organizations should consider not manually implementing these controls on their own. Instead, they should look for solutions that can help them to automate policy enforcement. This can save teams time, allowing them to uphold best security and compliance practices across their environment.
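The PSP sequence the post describes, as an added example that is not part of the original post: a restricted policy, a ClusterRole granting the “use” verb on exactly that policy, and a RoleBinding authorizing a namespace's service account, all created before the admission controller is switched on. The names restricted, psp-restricted, psp-restricted-dev and the dev namespace are assumptions.

```yaml
# Added example (not from the original post). PSPs are created and bound
# first; only after that is the PodSecurityPolicy admission plugin enabled.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted            # assumed name
spec:
  privileged: false           # no privileged containers
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false          # keep pods out of the node's namespaces
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot    # reject containers that would run as root
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["configMap", "emptyDir", "projected", "secret", "persistentVolumeClaim"]
---
# Step 2: grant the "use" verb on exactly this policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted        # assumed name
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
# Step 3: bind it to the service account whose pods must be admitted.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-dev    # assumed name
  namespace: dev              # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted
subjects:
- kind: ServiceAccount
  name: default
  namespace: dev
```

Only once these objects are applied should the API server be started with --enable-admission-plugins=PodSecurityPolicy; enabling the plugin first is the ordering mistake the post warns about, since no service account would yet be allowed to use any policy. PodSecurityPolicy was later deprecated in Kubernetes 1.21 and removed in 1.25, so this manifest applies only to clusters of that era.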
Categories: Security Posts

QAnon/8Chan Sites Briefly Knocked Offline

Krebs - Mon, 2020/10/19 - 06:03
A phone call to an Internet provider in Oregon on Sunday evening was all it took to briefly sideline multiple websites related to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump. Following a brief disruption, the sites have come back online with the help of an Internet company based in St. Petersburg, Russia.

(Image caption) The IP address range in the upper-right portion of this map of QAnon and 8kun-related sites — 203.28.246.0/24 — is assigned to VanwaTech and briefly went offline this evening. Source: twitter.com/Redrum_of_Crows.

A large number of 8kun and QAnon-related sites (see map above) are connected to the Web via a single Internet provider in Vancouver, Wash. called VanwaTech (a.k.a. “OrcaTech”). Previous appeals to VanwaTech to disconnect these sites have fallen on deaf ears, as the company’s owner Nick Lim reportedly has been working with 8kun’s administrators to keep the sites online in the name of protecting free speech.

But VanwaTech also had a single point of failure on its end: The swath of Internet addresses serving the various 8kun/QAnon sites were being protected from otherwise crippling and incessant distributed-denial-of-service (DDoS) attacks by Hillsboro, Ore. based CNServers LLC. On Sunday evening, security researcher Ron Guilmette placed a phone call to CNServers’ owner, who professed to be shocked by revelations that his company was helping QAnon and 8kun keep the lights on. Within minutes of that call, CNServers told its customer — Spartan Host Ltd., which is registered in Belfast, Northern Ireland — that it would no longer be providing DDoS protection for the set of 254 Internet addresses that Spartan Host was routing on behalf of VanwaTech.

Contacted by KrebsOnSecurity, the person who answered the phone at CNServers asked not to be named in this story for fear of possible reprisals from the 8kun/QAnon crowd. But they confirmed that CNServers had indeed terminated its service with Spartan Host. That person added they weren’t a fan of either 8kun or QAnon, and said they would not self-describe as a Trump supporter. CNServers said that shortly after it withdrew its DDoS protection services, Spartan Host changed its settings so that VanwaTech’s Internet addresses were protected from attacks by ddos-guard[.]net, a company based in St. Petersburg, Russia.

Spartan Host’s founder, 25-year-old Ryan McCully, confirmed CNServers’ report. McCully declined to say for how long VanwaTech had been a customer, or whether Spartan Host had experienced any attacks as a result of CNServers’ action. McCully said while he personally doesn’t subscribe to the beliefs espoused by QAnon or 8kun, he intends to keep VanwaTech as a customer going forward. “We follow the ‘law of the land’ when deciding what we allow to be hosted with us, with some exceptions to things that may cause resource issues etc.,” McCully said in a conversation over instant message. “Just because we host something, it doesn’t say anything about we do and don’t support, our opinions don’t come into hosted content decisions.”

But according to Guilmette, Spartan Host’s relationship with VanwaTech wasn’t widely known previously because Spartan Host had set up what’s known as a “private peering” agreement with VanwaTech. That is to say, the two companies had a confidential business arrangement by which their mutual connections were not explicitly stated or obvious to other Internet providers on the global Internet. Guilmette said private peering relationships often play a significant role in a good deal of behind-the-scenes mischief when the parties involved do not want anyone else to know about their relationship.

“These arrangements are business agreements that are confidential between two parties, and no one knows about them, unless you start asking questions,” Guilmette said. “It certainly appears that a private peering arrangement was used in this instance in order to hide the direct involvement of Spartan Host in providing connectivity to VanwaTech and thus to 8kun. Perhaps Mr. McCully was not eager to have his involvement known.”

8chan, which rebranded last year as 8kun, has been linked to white supremacism, neo-Nazism, antisemitism, multiple mass shootings, and is known for hosting child pornography. After three mass shootings in 2019 revealed the perpetrators had spread their manifestos on 8chan and even streamed their killings live there, 8chan was ostracized by one Internet provider after another. The FBI last year identified QAnon as a potential domestic terror threat, noting that some of its followers have been linked to violent incidents motivated by fringe beliefs.

Further reading: What Is QAnon? / QAnon: A Timeline of Violence Linked to the Conspiracy Theory
Categories: Security Posts

MACsec MKA Validation - Why Back-to-Back Tests Fall Short

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
In my previous blog, I focused on validation for MACsec hardware implementations. In this one, I…
Categories: Security Posts

TSN Frame Preemption Meets Stringent Latency Requirements of 5G Fronthaul

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
Adoption of 5G Giving Birth to an Ethernet-Based Fronthaul The operators adopting 5G are…
Categories: Security Posts

BreakingPoint Strike Lists: A New Default for Better Cybersecurity Testing

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
With the Application and Threat Intelligence (ATI) strikepack release of 2019 (ATI-2019-24), astute…
Categories: Security Posts

New TSN Standards Like IEEE 802.1CB Highlight Importance of Having the Right Test Solution in Place

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
While working with a customer who was using low-end, low-budget traffic generators, it turned out…
Categories: Security Posts

MACsec Hardware Testing—Why Back-to-Back Validation Falls Short

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
MACsec has become an important encryption technology that is shipped with next-generation chips,…
Categories: Security Posts

ATI Adds Maze Ransomware Attack Campaign

BreakingPoint Labs Blog - Wed, 2020/09/23 - 12:46
Last month, the Application and Threat Intelligence (ATI) Team released a new type of cyberattack…
Categories: Security Posts