Monday, 2 September 2019
VIRGINIA PUBLIC SCHOOLS, NEW TARGET OF RANSOMWARE ATTACKS. WILL THE AUTHORITIES PAY THE RANSOM?
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/08/28/virginia-public-schools-new-target-of-ransomware-attacks-will-the-authorities-pay-the-ransom/
Ransomware incidents keep popping up while victims face a crossroads: try to recover their files on their own, or negotiate with the attackers and pay a ransom. This time, cybersecurity services experts have detected a new attack against multiple public schools in New Kent County, Virginia.
In this regard, Superintendent Brian Nichols mentioned that “during the incident the files located on the hard drives of the school district’s computers were encrypted, so for now it is not possible for the school system to access this information.” Simply put, it is now impossible for the administrative staff of these schools to do their jobs as normal, and they will have to work at a forced pace to start the school year as planned.
It is necessary to remember that a ransomware attack consists of a malicious program that encrypts the files of a computer or system, demanding a ransom in exchange for restoring normal access to the compromised information; hackers generally demand that this payment be made via transfers of cryptocurrencies such as Bitcoin. According to experts in cybersecurity services, ransomware is typically developed by groups of cybercriminals without affiliation to political organizations, although some of the most dangerous variants of this malware have been developed by groups of hackers backed by governments in countries such as Russia or North Korea.
In subsequent statements, Superintendent Nichols mentioned that the school district has hired an external group of cybersecurity services experts. In addition, he said the investigation is progressing well and pledged to continue sharing updates on the incident. “The FBI and Federal Police are also collaborating on the investigation; although this process has not concluded, we can assure you that we have found no evidence to prove the theft of confidential information,” Nichols says.
For now, state authorities do not plan to change the start date of the school year, so New Kent schools will open the same day as the rest of the public schools in Virginia. “We will try to keep student registration systems ready for the first day of school,” the superintendent added. So far it is unknown whether local authorities have considered paying the ransom to the hackers, although this measure is, for obvious reasons, very risky.
In recent months, cybersecurity services specialists from the International Institute of Cyber Security (IICS) have reported at least ten ransomware incidents affecting school systems in U.S. states such as Florida, Idaho and New York. Nevertheless, the most impactful case occurred in the state of Louisiana, where a group of threat actors was able to fully encrypt the systems of an entire school district. In an unprecedented step, the state governor declared a state of emergency throughout the territory, leading to the intervention of federal security agencies and the restructuring of the IT systems throughout the affected district.
CYBERSECURITY SERVICES COMPANY IMPERVA WAS HACKED & ITS CUSTOMERS’ DATA BREACHED
ORIGINAL CONTENT: https://www.securitynewspaper.com/2019/08/28/cybersecurity-services-company-imperva-was-hacked-its-customers-data-breached/
Despite not being the oldest company in the field of cybersecurity, Imperva has established itself as one of the leaders in this market, offering solutions and advice to help other companies protect the security of their information; however, this does not make it immune to cyberattacks. Web application security experts reported a data breach in the company that has compromised a considerable amount of Imperva customers’ data.
Established in California, USA, Imperva is a cybersecurity software and services company that provides enterprise data protection and web application security for multiple companies.
To be more specific, the data breach affects users of Cloud WAF, the company’s cloud-based web application firewall. This product specializes in mitigating denial of service (DoS) attacks and also provides other web application security protection features.
The incident was detected about a week ago, after the company received reports of data exposure from some customers of this security tool, web application security experts mentioned.
In a statement, company CEO Chris Hylen mentioned that the data exposed due to this incident include email addresses of all users of the tool who started using it from September 2017, API keys, SSL certificates, among other data.
“After detecting the incident, the implementation of our security breach response protocol began, and an internal investigation will be conducted and we will exhaust all available resources to retrieve the compromised information”, mentions the statement. “International data protection regulators have already been informed,” Hylen adds.
The company’s web application security experts have not yet determined what methods the threat actors used to access and leak this information, as it is unclear whether any vulnerabilities in its web servers were exploited or whether Imperva staff committed an oversight, such as misconfiguring the security of a database exposed on the Internet.
The company continues to investigate the data breach, and it also assures that customers potentially affected by the incident are being notified. Other security measures will be announced shortly. “We deeply regret the inconvenience this incident has caused; we will continue to share updates in the coming days in line with the progress of our investigation. We are confident that this bad experience will help us improve our security practices and prevent similar incidents in the future,” the statement concludes.
While the company’s investigation concludes, web application security specialists from the International Institute of Cyber Security (IICS) recommend that users of the Cloud WAF tool reset the passwords for their Imperva accounts, in addition to implementing other security layers, such as multi-factor authentication. Generating and uploading new SSL certificates and resetting their API keys are also highly recommended measures.
Friday, 30 August 2019
NEW HACKING TECHNIQUE TO EXPLOIT ANTIVIRUS AND EXTRACT DATA FROM SERVERS
ORIGINAL CONTENT: https://noticiasseguridad.com/seguridad-informatica/nueva-tecnica-de-hacking-para-explotar-antivirus-y-extraer-datos-de-servidores/
The TokyoWesterns team of web application security experts has just revealed a new attack method which, if exploited, would allow the extraction of confidential information from any server protected by Windows Defender.
This attack method, dubbed “AV Oracle”, was revealed at a recent cybersecurity event and, according to its developers, is a specialized server-side request forgery technique that takes advantage of the security mechanisms included in Windows Defender by default. Windows Defender is the antivirus security tool preinstalled on Microsoft systems.
This class of attack (commonly known as SSRF attacks) relies on sending specially crafted request packets to trick servers into returning confidential information that would otherwise be inaccessible to threat actors, web application security specialists say.
Hackers usually resort to SSRF attacks to reach certain resources, such as confidential files and other assets, that can only be accessed through the target server’s local network. The method developed by the researchers shows an attack against a web application running on a server protected by Windows Defender.
The target application contained some publicly available URLs (any user could access them), in addition to a URL accessible only to administrators via the local address “localhost” (on the same server); according to the experts, this URL contained the target’s confidential information.
Next, the web application security experts created a specially crafted JavaScript snippet to embed in the query string of one of the publicly available URLs. This causes some of Windows Defender’s protection features to analyze the snippet in search of malicious commands. This analysis affects the server’s responses to the client, so by carefully manipulating the script, a hacker could make Windows Defender leak confidential information stored in the target web application.
Furthermore, this vulnerability could also be classified as an XS-Search exploit. In other words, this flaw makes the antivirus software leak a secret value when it stores a file that contains both an attacker-controlled value and confidential information.
According to web application security specialists at the International Institute of Cyber Security (IICS), Windows Defender would begin to inadvertently leak multiple details about the attacked system to the attackers. When asked about this flaw, one of the members of the team that carried out the research stated that this attack method could work against other endpoint protection solutions, noting that this scenario would require the targeted antivirus to include a component for analyzing JavaScript code, as Windows Defender does.
On the other hand, when questioned about the damage potential of the AV Oracle attack in other scenarios or against other targets, the specialist said the research is not yet finished, so new ways to exploit these flaws could appear soon, although he did mention one potential scenario: “This attack may also work against a browser’s cache, in which case AV Oracle would affect both servers and users,” the expert warns.