f-secure - X-Industry - Red Sky Alliance2024-03-29T10:02:39Zhttps://redskyalliance.org/xindustry/feed/tag/f-secureYou thought Running out of Ink was your only Problemhttps://redskyalliance.org/xindustry/you-thought-running-out-of-ink-was-your-only-problem2021-12-02T16:40:00.000Z2021-12-02T16:40:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}9876567266,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9876567266,RESIZE_400x{{/staticFileLink}}" width="209" alt="9876567266?profile=RESIZE_400x" /></a>Don’t ignore those pesky emails from HP requesting that you download the most recent software updates. Vulnerabilities in more than 150 multi-function printers from HP demonstrate that any type of device that connects to a network can expand the perceived threat surface. Helsinki, Finland-based F-Secure <a href="https://www.f-secure.com/us-en%C2%A0">https://www.f-secure.com/us-en </a> found exploitable vulnerabilities in more than 150 HP multi-function printers. It reported its findings to HP in the spring of 2021. HP has updated the printers’ firmware and released advisories on 01 November 2021. F-Secure has now published a report on its research.</p>
<p>F-Secure’s researchers discovered two separate attack vectors one requiring physical access and another that could be triggered remotely from a malicious website. The physical attack would require no more than five minutes of access to the printer. The researchers found two exposed ports on the communications board, which could be accessed by removing a single screw. Printers are often unmonitored and sometimes in their own room. An attacker disguised as a maintenance engineer could visit the printer, compromise it, and leave the building within just a few minutes. If you have a printer in your reception desk area, move it today to a secure location.</p>
<p>If you are replacing an out of service printer, please review the following article: </p>
<p><strong><a href="https://www.pcmag.com/news/how-to-secure-dispose-of-a-printer">https://www.pcmag.com/news/how-to-secure-dispose-of-a-printer</a></strong></p>
<p>These ports can both read and write data. “If you compromise just one of the printers, you can pivot and move laterally to more interesting parts of the network,” the researchers stated.</p>
<p>Of greater potential interest to attackers was the discovery of font parsing vulnerabilities that could be exploited remotely. The font parser has been around since at least 2013, so the vulnerability has existed from at least that time. “The font parser was developed at a time when secure programming was not taken as seriously as it is today,” commented the researchers.</p>
<p>The attack consists of enticing a user to a malicious website. While connected, the attacker would be able to send a remote printing instruction to the user’s company MFT. That instruction could be to print a malicious document, introducing malware into the printer. The scenario is ideal for direct social engineering to get a user (who could be anybody within the company from any department) to visit the malicious site, or a watering hole attack just waiting for visitors.</p>
<p>Once the printer is compromised, the attacker can move laterally into other parts of the network. Or, said the researchers, “he could just sit quietly within the printer and read all the documents, letters, and reports that are sent to it for printing. If the USB port is enabled (to allow users to print from a memory stick), he can see everything else on the stick and, if he wanted to, infect the stick itself for further potential lateral movement.”</p>
<p>These font parsing vulnerabilities are also wormable. An attacker could create self-propagating malware that automatically compromises affected MFPs and then spreads to other vulnerable units on the same network. Exploiting the vulnerabilities is not easy and would require a hacker with expertise. The exposed port vulnerabilities are classified as CVE-2021-39237 (critical severity), and the font parsing vulnerabilities as CVE-2021-39238 (high severity). F-Secure has seen nothing to suggest that these vulnerabilities may have been exploited before they were fixed.<a href="#_ftn1">[1]</a></p>
<p>“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization’s infrastructure and operations. Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research,” explained researcher Timo Hirvonen.</p>
<p>To mitigate against any physical attacks, F-Secure recommends that printers should be monitored by CCTV. This wouldn’t prevent an attack but may deter an aggressor, and would help any investigation into an attack. F-Secure further suggests that for this particular attack, anti-tamper stickers should be affixed to the printer’s communication board. A damaged sticker would immediately indicate an attempted attack.</p>
<p>To foil the font parsing attack, the researchers suggest (report PDF) that firstly, printing from a USB stick should be disabled. Secondly, printers should be placed into a separate firewalled VLAN. Workstations should communicate with a dedicated print server, and only the print server should talk to the printer. To hinder both lateral movement and C&C communication, outbound communication from the printer network segment should be allowed to only whitelisted addresses.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/critical-vulnerability-found-more-150-hp-printer-models">https://www.securityweek.com/critical-vulnerability-found-more-150-hp-printer-models</a></p></div>The BeagleBoyz are not a new “Boy Band”https://redskyalliance.org/xindustry/the-beagleboyz-are-not-a-new-boy-band2020-08-31T18:54:32.000Z2020-08-31T18:54:32.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}7756134874,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}7756134874,RESIZE_400x{{/staticFileLink}}" width="250" alt="7756134874?profile=RESIZE_400x" /></a>The Cybersecurity and Infrastructure Security Agency (CISA) and other US agencies have issued a warning about increases in bank e-thefts worldwide organized by a hacking group called "BeagleBoyz." Researchers believe this group has ties to the North Korean government. The BeagleBoyz group is a subset of the North Korean-backed hacking collective known as the Lazarus Group or Hidden Cobra. The report with details of how the BeagleBoyz have made off with an estimated $2 billion in funds and cryptocurrency since 2015, along with details on how financial institutions can protect themselves against their known patterns of attack. The subgroup, active since at least 2014, works to provide the government, which faces economic sanctions, with illicit funds, according to the joint alert. Along with the theft of massive amounts of money that the United Nations believes is used for North Korea's nuclear weapons and ballistic missile programs, the e-robberies also pose a serious risk to financial institutions' reputations, their operations, and public confidence in banking.</p>
<p>The security firm F-Secure reports that the Lazarus Group recently targeted an employee of a cryptocurrency exchange with a fake job offer to insert malware and steal virtual currency. The group has used a variety of approaches to gaining initial access: Spear phishing, watering holes, social engineering, malicious files, and even contracted third-party hacking groups have been used for initial penetration. Once inside a network, the BeagleBoyz use a wide variety of approaches to meet their objectives, establish a persistent presence, evade defense, and harvest credentials of privileged users.</p>
<p>In its latest campaign, this hacking group has used a variety of malicious tools and malware to target banks and other organizations. The threat actors typically use compromised remote access to gain an initial foothold in a network. Once the hackers have penetrated a network, they attempt to conduct an ATM cash-out scheme and use money mules to collect the funds. Additionally, the BeagleBoyz group conducts fraudulent money transfers through SWIFT the global money-transfer network.</p>
<p>The BeagleBoyz group is believed to be responsible for a series of attacks against banks since 2016 that CISA calls "FASTCash.” Researchers also believe the BeagleBoyz group played a role in the theft of $81 million from Bangladesh Bank in 2016.</p>
<p>"As opposed to typical cybercrime, the group likely conducts well-planned, disciplined and methodical cyber operations more akin to careful espionage activities," according to the joint alert from the US agencies. "Their malicious cyber operations have netted hundreds of millions of US dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection."</p>
<p>VMware says that North Korean hackers have learned much of their craft from their Russian counterparts and have grown more sophisticated over the years. "They are truly formidable as they are the benefactors of tech transfer from the Russian dark web forums. It is imperative that the financial sector recognize that they have true situational awareness per the unique interdependencies of the sector and are willing to leverage counter incident response and destructive attacks to burn the evidence."</p>
<p>A VMware report indicates a BeagleBoyz hacking attempt typically starts with a spear-phishing email that targets specific bank employees. Or the hacking group uses a watering hole attack, which involves compromising legitimate websites and installing malware to target site visitors.</p>
<p>In the latest series of attacks, the BeagleBoyz group is also deploying social engineering techniques, such as fake job offers that target employees. The joint advisory notes: "Toward the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job application themed phishing attacks using publicly available malicious files."</p>
<p>This hacking group relies on other cybercriminal groups, such as TA505, to help gain the initial access into systems using commodity malware. Once a system gets compromised, the other group then hands overs access to BeagleBoyz for exploitation. To gain a foothold within a targeted network, the hackers use a number of techniques, including emailing malicious attachments that contain malware; exploiting weakness, bugs, and vulnerabilities in internet-facing systems; stealing credentials of a specific user or service account; and breaching third-party organizations that have access to the primary target's network, according to the alert.</p>
<p>The hacking group also deploys its own malware throughout compromised devices and networks. This includes trojans, such as Hoplight, identified in 2019. The malware comprises several proxy applications that are part of a "phone home" operation run by the hackers. The trojan can disguise the traffic that is sent back to its command-and-control server, the alert notes.</p>
<p>Malware such as Hoplight and another variant called CrowdedFlouder work with the hacking group's command-and-control infrastructure to assist with the exfiltration of data, which includes compressing and encrypting files to evade detection. </p>
<p>Red Sky Alliance can help protect with attacks such as these. We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul></div>