Cisco informed customers on Wednesday that several of its products are exposed to denial-of-service (DoS) attacks due to a vulnerability in the Snort detection engine.
Cross-site request forgery (CSRF, sometimes pronounced "sea surf" and not to be confused with cross-site scripting) is a simple yet invasive exploit of a website. The attacker places a button or link on a site they control that makes a request to another site you are authenticated on. For example, a user is logged into an online banking platform with poor protections; clicking a "download" button on an untrusted site silently initiates a money transfer on their behalf through their existing banking session. The targeted site ends up revealing information or performing actions as the authorized user without that user's explicit consent.
CSRF attack prevention
Fortunately, CSRF attacks can be prevented. Let's look at some of the most efficient ways to safeguard your website.
Representational state transfer (REST) is a set of principles that assigns a type of activity (view, create, delete, update a resource) for each HTTP verb (GET, POST, PATCH, PUT, DELETE). Following a RESTful design will ensure that your code is clean and can scale. It also has the added benefit of reducing vulnerabilities.
A key design principle that protects you from CSRF attacks is using GET requests for only view or read-only actions. These types of requests should not transform data and must only display recorded data. This limits the number of requests that are vulnerable to CSRF attacks.
Your website will also need to use POST, PUT, PATCH and DELETE requests. To safeguard these endpoints, you can introduce an anti-forgery token in every request that uniquely identifies safe origin sites.
Every response rendered by the server will contain the anti-forgery token which is then written out to a hidden HTML field. This token is used by the client side to authenticate requests sent to the server. Now, the server knows the request is from a safe origin.
Most modern web frameworks include anti-forgery token management out of the box. For example, Ruby on Rails has a controller method called protect_from_forgery that verifies the token on the server side for every state-changing request. It also handles token generation and rendering the token into the HTML form fields.
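An added example (written for this page, not Rails' own implementation) showing the token flow described above: a per-session secret, a masked copy written into each rendered form so every response carries a different value, and a server-side check that exempts GET and HEAD while requiring a valid token for every other verb. The module and method names (CsrfGuard, issue_masked_token, verified_request?) are assumptions chosen here; the masking mirrors the approach Rails uses.

```ruby
require 'securerandom'

# Added example, not Rails' code: a minimal anti-forgery guard with the same
# shape as protect_from_forgery. Names below are chosen for this example.
module CsrfGuard
  TOKEN_BYTES = 32
  # Verbs that must never change state and are therefore exempt from the check.
  SAFE_METHODS = %w[GET HEAD].freeze

  # Raw per-session secret, created on first use and kept server-side.
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_BYTES)
  end

  # Value written into the hidden field of each rendered form. It is XOR-masked
  # with a fresh one-time pad, so every response carries a different token that
  # still unmasks to the session secret.
  def self.issue_masked_token(session)
    real = session_token(session)
    pad  = SecureRandom.random_bytes(TOKEN_BYTES)
    [pad + xor(pad, real)].pack('m0')           # strict base64, no newlines
  end

  # Recover the real token from a masked one; nil when malformed.
  def self.unmask(masked_b64)
    raw = masked_b64.unpack1('m0')             # raises ArgumentError on bad input
    return nil unless raw.bytesize == 2 * TOKEN_BYTES
    pad    = raw.byteslice(0, TOKEN_BYTES)
    masked = raw.byteslice(TOKEN_BYTES, TOKEN_BYTES)
    xor(pad, masked)
  rescue ArgumentError
    nil
  end

  # Server-side decision: safe verbs pass untouched; anything else must carry
  # a token that unmasks to this session's secret (compared in constant time).
  def self.verified_request?(method, session, param_token)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    return false if param_token.nil? || session[:_csrf_token].nil?
    candidate = unmask(param_token)
    return false if candidate.nil?
    secure_compare(candidate, session[:_csrf_token])
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time byte comparison so a forged token leaks no timing signal.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A request from another origin cannot read the victim's form, so it cannot supply a token that unmasks to the victim's session secret.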
Set cookies with the SameSite Attribute
Cookies are a way to add persistent state to websites. This is usually used to authorize users, store session data, and more. However, it's also an easy way to expose vulnerabilities. To address this, cookies contain a number of attributes that govern their behavior.
A commonly used attribute is Max-Age. The Chrome team recently introduced the SameSite attribute (now available across most major browsers). It is exceptionally useful in thwarting CSRF attacks.
The SameSite attribute allows you to declare if your cookie should be restricted to a first-party or same-site context. It gives you greater control over how much a client can access server-side code.
Setting the SameSite attribute on a cookie is quite simple:
Set-Cookie: CookieName=CookieValue; SameSite=Lax;
Set-Cookie: CookieName=CookieValue; SameSite=Strict;
If the value is set to Strict, the browser sends no cookies at all on any request that originates from a third-party site. It is the most secure setting and stops cross-site requests from being treated as authenticated by your server.
Setting the value to Lax still sends the cookies on cross-site GET requests such as a user following a link from another site to yours. This gives that user a seamless experience; with Strict, they would have to reauthenticate to gain access.
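An added example, not code from the original article, that parses the two Set-Cookie lines above and models the browser's SameSite decision, so the article's banking scenario can be checked directly. It goes slightly beyond the text: Lax only attaches the cookie to cross-site requests that are top-level navigations using a safe method, and a cookie without a SameSite attribute is treated as Lax (the default modern Chrome applies; an assumption, since browsers differ). CookiePolicy, parse_set_cookie and cookie_sent? are names chosen here.

```ruby
# Added example (not from the original article): Set-Cookie parser plus a
# model of whether a browser would attach the cookie to a given request.
module CookiePolicy
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  SAME_SITE_VALUES = %w[strict lax none].freeze

  # Parse "Set-Cookie: Name=Value; SameSite=Lax; ..." into
  # { name:, value:, same_site: }. A missing or unrecognised SameSite value is
  # treated as 'lax' (assumption: Chrome's default since 2020).
  def self.parse_set_cookie(header)
    body = header.sub(/\ASet-Cookie:\s*/i, '')
    pair, *attrs = body.split(';').map(&:strip).reject(&:empty?)
    name, value = pair.split('=', 2)
    same_site = 'lax'
    attrs.each do |attr|
      key, val = attr.split('=', 2)
      same_site = val.to_s.downcase if key.casecmp?('SameSite')
    end
    same_site = 'lax' unless SAME_SITE_VALUES.include?(same_site)
    { name: name, value: value, same_site: same_site }
  end

  # Would the browser attach this cookie to the request?
  #   cross_site: the request originates from a different site
  #   top_level:  a navigation (following a link, a form that replaces the
  #               page), as opposed to an XHR/fetch, image or iframe load
  def self.cookie_sent?(cookie, method:, cross_site:, top_level:)
    return true unless cross_site  # same-site requests always carry cookies
    case cookie[:same_site]
    when 'strict' then false       # never sent on a cross-site request
    when 'lax'    then top_level && SAFE_METHODS.include?(method.to_s.upcase)
    when 'none'   then true        # browsers additionally require Secure here
    else false
    end
  end
end
```

With either Strict or Lax, the forged POST behind the "download" button from the opening example arrives without the session cookie, so the bank sees an unauthenticated request.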
Enabling CORS protection
Cross-origin resource sharing (CORS) adds flexibility to the same-origin policy (SOP). It allows for a controlled access to requests originating outside of a given domain. It is generally used when you need to serve API requests.
Having said this, relaxing the SOP does open your site up to cross-domain attacks. Fortunately, this can be prevented by keeping tight control over your CORS policy.
The request headers related to the policy are:
Requiring additional authentication for sensitive actions
Before performing critical and sensitive actions on your site, it is always a good idea to require your users to reauthenticate themselves. This could be a one-time password that gets sent to a registered email or phone number, a simple CAPTCHA, or revalidating passwords.
This prevents any sort of CSRF attacks and potentially even more dangerous attacks.
CSRF attacks amount to a large percentage of web-based attacks. Fortunately, they are easy to prevent and thwart before they even happen. Ensure you're following RESTful guidelines and stick to the principles and policies designed to help you. Finally, set up an AppSec monitoring lifecycle to ensure that the code you write and deploy meets industry standards.
Practice coding securely and preventing vulnerabilities in our complimentary Security Labs Community Edition.
Group-IB published a report titled “Ransomware Uncovered 2020-2021”. The report analyzes the ransomware landscape in 2020 and the TTPs of major threat actors.
Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has presented its new report “Ransomware Uncovered 2020-2021”. The research dives deep into the global ransomware outbreak in 2020 and analyzes major players’ TTPs (tactics, techniques, and procedures).
By the end of 2020, the ransomware market, fuelled by the pandemic turbulence, had turned into the biggest cybercrime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, with many restless players having joined the Big Game Hunting last year.
In 2020, ransomware attacks on average caused 18 days of downtime for the affected companies, while the average ransom amount increased almost twofold. Ransomware operations turned into robust competitive business structures going after large enterprises, with Maze, Conti, and Egregor gangs having been at the forefront last year. North America, Europe, Latin America, and the Asia-Pacific became the most commonly attacked regions respectively.
To keep the cybersecurity professionals up to date with how ransomware gangs operate and help the defense teams thwart their attacks, Group-IB’s DFIR team has for the first time mapped the most commonly used TTPs in 2020 in accordance with MITRE ATT&CK®. If you are a cybersecurity executive, make sure your technical team receives a copy of this report for comprehensive threat hunting and detection tips.
The gold rush of 2020
COVID-19 made many organizations, distracted with mitigating the fallout from the pandemic, vulnerable to cyber threats. Ransomware turned out to be the one that capitalized on the crisis most. The attacks not only grew in numbers (more than 150%) but also in scale and sophistication – the average ransom demand increased by more than twofold and amounted to $170,000 in 2020. The norm seems to be shifting toward the millions. Group-IB DFIR team found out that Maze, DoppelPaymer, and RagnarLocker were the greediest groups, with their ransom demands averaging between $1 million and $2 million.
On a technical level, public-facing RDP servers were the most common target for many ransomware gangs last year. Against the backdrop of the pandemic that caused many people to work from home, the number of such servers grew exponentially. In 52% of all attacks, analyzed by Group-IB DFIR team, publicly accessible RDP servers were used to gain initial access, followed by phishing (29%), and exploitation of public-facing applications (17%).
Big Game Hunting – targeted ransomware attacks against wealthy enterprises – continued to be one of the defining trends in 2020. In the hope of securing the biggest ransom possible, the adversaries went after large companies. Big businesses cannot afford downtime, which averaged 18 days in 2020. The operators were less concerned about the industry and more focused on scale. It’s no surprise that most of the ransomware attacks that Group-IB analyzed occurred in North America and Europe, where most of the Fortune 500 firms are located, followed by Latin America and the Asia-Pacific respectively.
A chance of easy money prompted many gangs to join the Big Game Hunting. State-sponsored threat actors who were seen carrying out financially motivated attacks were not long in coming. Groups such as Lazarus and APT27 started to use ransomware during their operations.
Conti, Egregor, and DarkSide all joined the ransomware gold rush in 2020. Many of them were so prolific that they made it to the top of the most active gangs in their debut year. The top 5 most active ransomware families, according to Group-IB, were Maze, Conti, Egregor, DoppelPaymer, and REvil. Not all of them lasted for long for various reasons.
The growing threat of ransomware has put it in the spotlight of law enforcement. Some gangs operating under the Ransomware-as-a-Service (RaaS) model, such as Egregor and Netwalker, were impacted by the police efforts. Another notorious RaaS collective, Maze, called it quits at the end of 2020. Despite these events, the ransomware business continues prospering, with the Ransomware-as-a-Service model being one of the driving forces behind this phenomenal growth.
Very organized crime
Ransomware-as-a-Service involves the developers selling or leasing malware to program affiliates for further network compromise and ransomware deployment. The profits are shared between the operators and the affiliates. This business model, with everyone focusing on what they do best, can generate millions, as earnings are limited only by the number of affiliates the operators can attract. Group-IB DFIR team observed that 64% of all ransomware attacks it analyzed in 2020 came from operators using the RaaS model.
The prevalence of affiliate programs in the underground was the underlying trend of 2020. Group-IB Threat Intelligence & Attribution system recorded the emergence of 15 new public ransomware affiliate programs last year.
Mortal Combo: most common TTPs
With the rise of ransomware in 2020, cybercrime actors who use commodity malware such as Trickbot, Qakbot, and Dridex helped many ransomware operators to obtain initial access to target networks more and more often. Last year, a lot of botnet operators partnered with ransomware gangs.
It’s important to detect malware like Trickbot at the early stages, before the attackers move laterally and encrypt the data. Most of these commodity malware families are capable of performing their activities silently and can hide from traditional sandboxing solutions without raising a flag. Advanced malware detonation platforms allow detecting such threats by performing behavior analysis of emails, files, and links. It is crucial to extract and fully detonate discovered payloads in a safe, isolated environment, harvesting indicators of compromise that help in subsequent threat hunting activities.
PowerShell was the most frequently abused interpreter for launching the initial payload. Its popularity among the attackers is explained by the fact that the interpreter is part of every Windows-based system, hence it’s easier to disguise malicious activity. Another theme of 2020, however, was the active exploitation of Linux with some threat actors adding corresponding versions to their arsenal.
In the credential access stage, threat actors often used brute force, with NLBrute and Hydra being the most popular tools, based on Group-IB’s IR engagements. To obtain valid privileges, ransomware operators in 2020 often used credential dumping – retrieving all the passwords from the machine. The attackers’ favorite tools here were ProcDump, Mimikatz, and LaZagne.
Based on Group-IB’s DFIR team observations, in 2020 ransomware operators spent 13 days on average in the compromised network before encrypting data for impact. Before deploying ransomware, operators did their best to find and remove any available backups, so that it would be impossible for the victim to recover encrypted files. Another factor that allowed the gangs to ensure a higher success rate was the exfiltration of critical data to use as leverage, increasing the chances of the ransom being paid – a trend set by the infamous Maze collective.
“The pandemic has catapulted ransomware into the threat landscape of every organization and has made it the face of cybercrime in 2020,” says Oleg Skulkin, senior digital forensics analyst at Group-IB. “From what used to be a rare practice and an end-user concern, ransomware has evolved last year into an organized multi-billion industry with competition within, market leaders, strategic alliances, and various business models. This successful venture is only going to get bigger from here. Due to their profitability, the number of RaaS programs will keep growing, more cybercriminals will focus on gaining access to networks for resale purposes. Data exfiltration effectiveness can make it another big niche, with some actors abandoning the use of ransomware at all. Growing ransom demands will be accompanied by increasingly advanced techniques. Given that most attacks are human-operated it is paramount for organizations to understand how attackers operate, what tools they use in order to be able to counter ransomware operators’ attacks and hunt for them proactively. It is everyone’s concern now.”
The full technical analysis of the adversaries’ TTPs mapped to and organized in accordance with MITRE ATT&CK® as well as threat hunting and detection tips put together by Group-IB Digital Forensics and Incident Response (DFIR) team, is available in the new report “Ransomware Uncovered 2020-2021”.
Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and digital risk protection. Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC, while its Threat Hunting Framework has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG.
Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was recognized as a Representative Vendor in Gartner’s Market Guide for Digital Forensics and Incident Response Services.
The post Group-IB: ransomware empire prospers in pandemic-hit world. Attacks grow by 150% appeared first on Security Affairs.
Last Sunday night, while I was lounging on the couch watching some British Bake Off, I got word of the Solar Winds supply chain hack. After kicking back the last of my whiskey, I immediately got on the phone to start IR at work, cuz, yep, we have Solar Winds too.
Who’da thunk it?
Anyway, three days of IR stuff later, I am here to blog on the meanings for the muggles out there after having a conversation with a reporter on what it all meant. The reporter asked me about a tweet that was put out by Richard Blumenthal about needing to know more about this evolving hack and fallout thereof.
While I think that Dick is being a bit hyperbolic here, I also can tell you, gentle reader, that there is in fact a lot to be worried about regarding this instance of adversarial activity (most likely Russia’s APT29 Sluzhba vneshney razvedki Rossiyskoy /SVR group), which managed to break into a system application that many in the government, military, and corporations still run to manage their networks.
This system is so prevalent in the space, that even in my environment, we still had it running and man, I thought we had made it go away long ago. So, you might be wondering what does Solar Winds really do? Well, glad you asked, it is a series of applications that help you maintain your large networks.
As you can see from the graphic from their site, the company's software performs a lot of management and monitoring capabilities within a network of individual systems: servers, routers, databases, service desk applications, resource monitoring, network configuration, and security management. Now, you might be saying, “Ok, well, those are a lot of things that this stuff does, but what does that mean security-wise if the application (Orion) is compromised?” That is a good question, and the primary one I want you to comprehend if you are not in tech or the security of the tech. What this means is that this program suite by SolarWinds is now the ‘skeleton key’ to a host of around 33k companies/networks that downloaded the tampered-with update. This could affect around 300k clients in all, should there be more tampering or vulnerabilities exploited by the adversary now that they have the code base (assuming here) after they spent all that time inside SolarWinds systems.
So, we have a rather prevalent application suite that usually functions with administrative access in order to do the very things it is bought to do. This means that the Orion system contains ALL of your admin passwords, up to and including domain administrator and enterprise administrator. What does this mean? It means that once the adversary had control over the Orion system, they had control over EVERYTHING that system touched, and where it did not have direct control, the passwords that would allow access within a network running this compromised system are now in the hands of the enemy.
Put simply, the adversary has control over pretty much everything you own. They can log in, take data, manipulate data, and in the most extreme case, burn your network down using other malware like a wiper or ransomware. All of this while you may not see the activity, because everything is using credentials that are admin level and authenticated on your network. This is why it was so hard to detect this attack and to stop it, and why they were inside the systems for so long.
Ok, so, what does that mean from the perspective of damage and about what groups the adversary hit? Well, so far, we know that the following entities were hit in this supply chain attack(s):
- Department of Homeland Security
- The National Security Council
These are all either government agencies or companies that handle a lot of government contracts, so you can kind of get a sense of what it means. However, let me expand on this: DHS and the NSC alone are a treasure trove for the Russians to gather all kinds of unclassified/classified data that they would want. Not only that, but if you own the Orion systems in places like that, and that system is in fact running in the CLASSIFIED space, then you have broached into the CLASSIFIED networks of things like NIPRNET and SIPRNET, as well as probably JWICS.
What does this mean? Lemme put it into internet vernacular for you;
This could be spectacularly bad. This is why so many are freaked out about this supply chain attack and the incident responses are all going on 24×7 now. It has yet to really be determined (at least publicly) how long the adversaries were inside these networks, but, I am going to assume that it was a long time, and a lot of damage has been done. Now all these places have to clean up the mess, re-set their networks and rebuild so that this cannot happen again. Then they have to assess the real damage to our security and perhaps someday give testimony in congress about it.
Now, about the other entities, these are the reasons that this hack is bad;
- FireEye: They do a lot of the pentesting and security work for many of the same orgs, as well as incident response. If they were owned as hard as we think, there is a lot of data that the adversaries could use, on top of using all the tools they stole from them.
- Treasury: well, money, right? Plans? Routes? All things monetary that the adversaries could use to mess with the United States, up to and including theft of large sums of money potentially.
- Commerce as well: plans and other details that they could use against the US financially, internally as well as globally.
Time will tell just how many other orgs got hit and may in fact have had data lost to the attackers. Also, do not forget the potential for further logic bombs out there that might have been placed by the actor for future fun. Of course, I have been hearing stories about power and water companies and systems being affected by this as well. All in all, it could be very bad for us all, and puts us firmly on our back foot globally.
One other aspect here, and this is highly speculative, but, what other secret orgs had connections to others with Orion? What orgs themselves in the secret spaces like FireEye, had the same software as well? What classified intelligence has been lost here?
Let that sink in…
Also, on the critical infrastructure end, I am not worried that the power will go off nationally, but the Russians could mount more, and working, attacks against regions with the right kind of access gained via this kind of hack.
Think about that too.
Gotta hand it to the Russians, man, they play a good long game. Expect to be hearing about fallout on this for quite a long time. If you want to kind of get a sense of the scope of this, I would recommend watching “Sneakers”: the whole McGuffin of the movie is the little black box that the mathematician created that decrypts all the things. This hack is kinda like that. With one box, the Russians decrypted EVERYTHING and then, like the Grinch, took it all up the chimney.
Here’s a reading list too for you all to follow along with:
Someone put out a tweet earlier that is very prescient;
This is important context to have. Russia has used Ukraine as their downrange test bed. If you remember back to NotPetya, you can see this exact supply chain attack cycle being leveraged there first, and tested. The Russians are old hands at this now.
Supermicro and Pulse Secure have released advisories warning that some of their motherboards are vulnerable to the TrickBot malware’s UEFI firmware-infecting module, known as TrickBoot. […] BleepingComputer