Kaspersky Discovers a New Backdoor Targeting Governments and NGOs Across META

Kaspersky experts have brought to light a poorly detected backdoor, SessionManager, which is set up as a malicious module within Internet Information Services (IIS), the popular web server developed by Microsoft. Once deployed, SessionManager enables a wide range of malicious activities, from collecting emails to complete control over the victim’s infrastructure. First used in late March 2021, the newly discovered backdoor has hit governmental institutions and NGOs across the globe, with victims in eight countries across the Middle East, Turkey and Africa (META) region, including Kuwait, Saudi Arabia, Nigeria, Kenya, and Turkey.

In December 2021, Kaspersky uncovered “Owowa”, a previously unknown IIS module that steals credentials entered by users when logging into Outlook Web Access (OWA). Since then, the company’s experts have kept an eye on this avenue for cybercriminal activity, and it has become clear that deploying a backdoor within IIS is a trend among threat actors who previously exploited one of the “ProxyLogon-type” vulnerabilities in Microsoft Exchange servers. In a recent investigation, Kaspersky experts came across a new malicious IIS module backdoor, dubbed SessionManager.

The SessionManager backdoor gives threat actors persistent, update-resistant and rather stealthy access to the IT infrastructure of a targeted organization. Once it is dropped onto the victim’s system, the cybercriminals behind it can read company emails, extend their access by installing other types of malware, or clandestinely manage the compromised servers, which can in turn be used as malicious infrastructure.

A distinctive feature of SessionManager is its poor detection rate. When Kaspersky researchers first discovered it in early 2022, some of the backdoor samples were still not flagged as malicious by most popular online file scanning services. According to an Internet scan carried out by Kaspersky researchers, SessionManager is still deployed in more than 90% of the targeted organizations.

Overall, 34 servers of 24 organizations from Europe, the Middle East, South Asia, and Africa were compromised by SessionManager. The threat actor who operates SessionManager shows a special interest in NGOs and government entities, but medical organizations, oil companies, and transportation companies, among others, have been targeted as well. Because of similar victimology and the use of the common “OwlProxy” variant, Kaspersky experts believe that the malicious IIS module might have been leveraged by the GELSEMIUM threat actor, as part of its espionage operations.

“The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021. It notably enabled a series of long unnoticed cyberespionage campaigns. The recently discovered SessionManager was poorly detected for a year. Facing massive and unprecedented server-side vulnerability exploitation, most cybersecurity actors were busy investigating and responding to the first identified offenses. As a result, it is still possible to discover related malicious activities months or years later, and this will probably be the case for a long time,” said Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis team.

“Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats. In the case of Exchange servers, we cannot stress it enough: the past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” added Pierre.

To protect your businesses from such threats, experts also recommend that you:

  1. Regularly check the modules loaded on exposed IIS servers (notably Exchange servers), using the tools that ship with IIS. Check for such modules as part of your threat hunting activities every time a major vulnerability is announced in Microsoft server products.
  2. Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly and make sure you can access it quickly in an emergency.
  3. Use solutions that help to identify and stop the attack in its early stages, before the attackers achieve their goals.
  4. Use a reliable endpoint security solution that is powered by exploit prevention, behavior detection, and a remediation engine able to roll back malicious actions.
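As an added example of the first recommendation (not Kaspersky's own tooling), the following PowerShell enumerates every native and managed module IIS registers in applicationHost.config, and flags native modules that are missing, unsigned or loaded from outside the inetsrv directory, plus managed modules whose type is not in a Microsoft or System namespace. It assumes a default IIS install location (the $ConfigPath and $TrustedDir values) and a PowerShell session with read access to that file.

```powershell
# Added defensive example, not Kaspersky's tooling: list every IIS module registered
# in applicationHost.config and flag the ones worth a closer look during threat hunting.
# Assumption: IIS is installed in the default location under %windir%\System32\inetsrv.
$ConfigPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$TrustedDir = (Join-Path $env:windir 'System32\inetsrv').ToLowerInvariant()

[xml]$cfg = Get-Content -Path $ConfigPath -Raw

# Native (global) modules are DLLs loaded into every worker process; a SessionManager-style
# implant registers here. Record location, signature state and hash for each image.
$native = foreach ($m in $cfg.SelectNodes('//system.webServer/globalModules/add')) {
    $image  = [Environment]::ExpandEnvironmentVariables($m.image)
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    [pscustomobject]@{
        Kind      = 'Native'
        Name      = $m.name
        Image     = $image
        Exists    = $exists
        InInetsrv = $image.ToLowerInvariant().StartsWith($TrustedDir)
        SigStatus = if ($sig) { $sig.Status.ToString() } else { 'Missing' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256    = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { '' }
    }
}

# Managed modules are .NET types named in <modules>; entries without a type attribute are
# native pipeline references and are skipped. A type outside the Microsoft/System namespaces
# is not malicious by itself, but it is what a hunter should review first.
$managed = foreach ($m in $cfg.SelectNodes('//system.webServer/modules/add[@type]')) {
    [pscustomobject]@{
        Kind       = 'Managed'
        Name       = $m.name
        Type       = $m.type
        Unexpected = -not ($m.type -match '^(System\.|Microsoft\.)')
    }
}

"== Native modules that are missing, unsigned, or loaded from outside inetsrv =="
$native | Where-Object { -not $_.Exists -or -not $_.InInetsrv -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, Image, SigStatus, Signer, Sha256 -AutoSize

"== Managed modules outside the System.* / Microsoft.* namespaces =="
$managed | Where-Object Unexpected | Format-Table Name, Type -AutoSize

# Full inventory for baselining: diff this against a known-good server or a previous run.
@($native) + @($managed) | Export-Csv -NoTypeInformation -Path '.\iis-modules-inventory.csv'
```

Modules can also be registered per site in web.config files under each site root, which this script does not walk, and legitimate Exchange modules are Microsoft-signed but live outside inetsrv, so treat the flagged list as a triage queue rather than a verdict.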

Kaspersky Warns of Android Malware Exhibiting Diverse Features

Three new dangerous Android malware variants have been analyzed by Kaspersky researchers. The Tambir, Dwphon, and Gigabud malicious programs exhibit diverse features, ranging from downloading other programs and credential theft to bypassing two-factor authentication and screen recording, jeopardizing user privacy and security.

In 2023, Kaspersky solutions blocked nearly 33.8 million attacks on mobile devices from malware, adware, and riskware, a 50% global increase over the previous year’s figures. Android malware and riskware activity surged in 2023 after two years of relative calm, returning to early 2021 levels by the end of the year. That said, the number of unique installation packages dropped from 2022, suggesting that malicious actors were more frequently reusing the same packages to infect different victims: last year Kaspersky detected more than 1.3 million unique malicious installation packages targeting the Android platform and distributed in various ways. Among these were the Tambir, Dwphon and Gigabud malicious programs, with the diverse features described below.

Tambir is a spyware application disguised as an IPTV app. It collects sensitive user information, such as SMS messages and keystrokes, after obtaining the appropriate permissions. The malware supports over 30 commands retrieved from its Command and Control server and has been compared to the GodFather malware, both targeting users mainly in Turkey, though several other countries were also affected.

Gigabud, active since mid-2022, was initially focused on stealing banking credentials from users in Southeast Asia, but later crossed borders into other countries and regions. It has since evolved into fake loan malware and is capable of screen recording and mimicking tapping by users to bypass two-factor authentication.

Dwphon, discovered in November 2023, targets cell phones from Chinese OEM manufacturers and is primarily aimed at the Russian market. The same malware had earlier been found in the firmware of a kids’ smartwatch by an Israeli manufacturer distributed mainly in Europe and the Middle East. Dwphon is distributed as a component of a system update application and collects information about the device as well as personal data. It also gathers information about installed third-party applications and is capable of downloading, installing and deleting other applications on the device. One of the analyzed samples also included the Triada trojan, one of the most widespread mobile trojans of 2023, which suggests that Dwphon modules are Triada-related.

“As Kaspersky’s mobile threats report shows, Android malware and riskware activity surged in 2023 after two years of relative calm, returning to levels seen in 2021 by the end of the year. Users should exercise caution and should avoid downloading apps from unofficial sources, meticulously reviewing app permissions. Frequently, these apps lack exploitation functionality and depend solely on permissions granted by the user. Furthermore, using anti-malware tools can help preserve the integrity of your Android device,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s GReAT.

Intercede Intros MyID MFA v5

Intercede has announced the launch of MyID MFA (Multi-Factor Authentication) 5.0. The latest addition to the MyID product family raises the security bar by enabling organizations to protect on-premise and cloud-based applications, as well as the Windows desktop logon (online and offline), with a range of phishing-resistant MFA options including OTP (one-time passwords), mobile apps, syncable FIDO passkeys and biometric-protected hardware devices.

Bringing enterprise-managed FIDO passkeys into MyID MFA makes it easy to FIDO-enable multiple applications and deploy passkeys to end users, enhancing security and improving the user experience. MyID MFA acts as both a FIDO authentication server and a passkey issuance solution. End users authenticate to MyID MFA with their passkey, and through support for standard federated identity protocols, MyID MFA provides authentication services to multiple applications including cloud, on-premise and Windows desktop logon.

Organizations can choose syncable passkeys, which use the FIDO protocol built into mobile devices and web browsers to deliver a simple, secure and passwordless authentication process via fingerprint, face ID or PIN. For organizations requiring higher levels of security and control, MyID MFA supports device-bound passkeys, such as the YubiKey and the YubiKey Bio device, which deliver a similarly seamless authentication experience while ensuring the highest level of security.

MyID MFA also enables the federation of applications (the ability to share identity and authentication information between systems in a managed way), be they cloud-based or on-premise, with support for standards-based protocols such as OpenID Connect and SAML. With federated identity provider (IDP) capabilities built into MyID MFA, it is a natural successor to Microsoft ADFS (Active Directory Federation Services). In addition to acting as an IDP, MyID MFA enables federations with an organisation’s existing credentials and identity providers, including Google and Microsoft Authenticator apps. This allows users to use the apps they are already familiar with and enables organisations to use credentials that are already deployed, reducing operational costs and speeding up the time to deployment.

MyID MFA supports the delivery of a unified authentication experience across the entire application suite, including authentication to applications, accessing self-service portals (to reset credentials), as well as logging on to the Windows desktop. The Windows Desktop Agent has been enhanced in v5.0 with added support for federation, the inclusion of third-party authenticators and FIDO passkeys, meaning organizations have a wider choice than ever on how to protect the primary gateway to their data, networks and applications, regardless of whether they are on Windows 11 or Windows 10 devices.

Allen Storey, Chief Product Officer at Intercede, states: “It is our mission to help organizations protect themselves against data breach by deploying stronger authentication simply, securely and at scale, whether they are SMBs with hundreds of users, larger enterprises, or federal authorities with thousands of users. MyID MFA is the simplest way for any organization to protect their applications, data and networks against cyber-attacks, with phishing-resistant authentication that is easy to deploy, manage and use.”

MyID MFA is part of the MyID product family that includes MyID PSM (Password Security Management) and MyID CMS (Credential Management System), which enables organisations to choose the level of security that best fits their needs, from passwords to one-time codes, mobile apps, FIDO passkeys and public key infrastructure (PKI).

Check Point to Secure AI Cloud Infrastructure with NVIDIA

Check Point Software Technologies has announced it is collaborating with NVIDIA to enhance the security of AI cloud infrastructure. Integrating with NVIDIA DPUs, the new Check Point AI Cloud Protect solution will help prevent threats at both the network and host levels.

“AI provides great benefits across healthcare, education, finance and more. At the same time, the rate and sophistication of cyber attacks are increasing, with threat actors increasingly looking at ways to disrupt AI workloads in the cloud,” said Gera Dorfman, Vice President of Network Security at Check Point Software Technologies. “We are working with NVIDIA to deliver a new secure AI cloud solution with Check Point AI Cloud Protect that guards even the most sensitive and private AI workloads against cyber threats.”

The rapid proliferation of AI has brought about a revolution in workplace efficiency and innovation. However, this growth also creates additional attack vectors specifically targeting AI, such as backdooring AI models to control a model’s output or to gain unauthorized access to the environment, data exfiltration to expose intellectual property, and denial of service to degrade performance and reduce capacity.

These threats compromise the integrity and security of AI systems and pose risks to business outcomes. They can also erode the foundational trust in AI operations, while potentially affecting other aspects of the data center. There is a critical need for a revamped security approach to protect not only the data in its traditional form but also the AI models themselves, which are central to innovation and competitive edge.

Check Point aims to address these challenges with NVIDIA by integrating network and host-level security insights, offering a comprehensive solution that protects AI infrastructures from both conventional and novel cyber threats. This integrated approach helps ensure the security system is cognizant of network activities and host-level processes, which is crucial for safeguarding AI’s future.

“As AI becomes more pervasive, securing AI clouds becomes paramount,” said Yael Shenhav, Vice President of Networking Products at NVIDIA. “NVIDIA BlueField 3 enables innovators such as Check Point to offer robust cyber defence measures to secure AI cloud data centres, while also ensuring peak AI performance.”

In response to these emerging challenges, AI Cloud Protect is positioned as a strategic solution addressing the dynamic security requirements of the AI era. Designed for easy deployment, integration and scalability, it offers out-of-the-box protection against sophisticated cyber threats without impacting AI performance.

Engineered with the NVIDIA BlueField 3 DPU, which powers a new class of AI cloud data centres, and the NVIDIA DOCA software framework, AI Cloud Protect is designed to seamlessly integrate into NVIDIA’s AI ecosystems, providing:

  • Robust Defense Against AI-Specific Threats: Enables organizations to shield against model inversion, model theft and other attack vectors efficiently.
  • Scalable, Seamless Integration: Facilitates easy deployment across diverse AI environments, ensuring security measures grow in tandem with organizational needs.
  • Optimized Performance with Zero Compromise: Ensures AI operations continue unhindered, with security processes running discreetly on NVIDIA’s infrastructure without impacting AI performance.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.