The technology conglomerate has until later this year to end its transfer of European users' data across the Atlantic.
Hackers Targeting Microsoft's MS SQL Servers Extensively – New Study
Rapid digital and technological advances have brought many improvements.
At the same time, database security has become critical, because security threats are growing just as quickly.
A honeypot can be a practical resource for identifying and examining possible risks.
Trustwave has strategically deployed a network of honeypots across different countries worldwide to understand global attacks better.
Sensor Locations & Databases
According to the report shared with Cyber Security News, Trustwave placed honeypot servers as sensors in major regions worldwide at the beginning of December 2022.
Beyond that global coverage, the analysts paid particular attention to the tense situation in Central Europe.
The sensors were placed in the following regions:
Russia
Ukraine
Poland
UK
China
The United States
The researchers selected nine popular database systems:
MS SQL Server (MSSQL)
MySQL
Redis
MongoDB
PostgreSQL
Oracle DB
IBM DB2 (Unix/Win)
Cassandra
Couchbase
The honeypot database servers listened for incoming connections on each product's default TCP port.
MSSQL exhibited significantly higher activity levels than any other database.
The gap is large, with MSSQL's share exceeding 93% of all activity, which at times makes a meaningful comparison with the other DBMSs difficult.
The figures reported for MySQL give the complete tally of login attempts, including MariaDB, Percona Server for MySQL, and other DBMS versions that speak the standard MySQL protocol.
MS SQL Extensively Targeted
To avoid overlap, the experts deployed two sensors in each country, choosing IP addresses within the country's ranges that were as far apart as possible from the first sensor.
The sensors experienced frequent attacks whose intensity varied and fluctuated over time.
A notable finding was the significant variation in attack frequency among the sensors.
A few weeks before December 06, 2022, all the sensors were in place and functioning smoothly.
Redis, unexpectedly, turned out to be the second most targeted database following MySQL in terms of attacks.
However, the intensity of the attacks targeting MSSQL instances was extremely high.
Moreover, the number of publicly accessible MySQL instances has exceeded 3.6 million.
One of the project's goals was to confirm botnet activity behind the MySQL attacks.
MySQL remains one of the most attractive targets for threat actors. Compared with MSSQL, where the 'sa' account (the username of the main tested account) drew the attacks, MySQL presents a different picture.
The intensity of the attacks varied across databases: unlike Oracle or IBM DB2, MSSQL and MySQL received most of the unauthorized access attempts.
Recommendations
The report's recommendations are:
Use strong and unique passwords.
Prefer unusual usernames.
Use a strong and secure authentication method.
Disable default accounts.
Keep MFA enabled.
Monitor who is trying to access the system, along with other activity.
Limit elevated privileges for other users.
Keep the system and software updated.
Conduct security audits frequently.
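The monitoring recommendation is the one most directly supported by the honeypot data: the bulk of the MSSQL activity is repeated login attempts against the 'sa' account. The following added example (not from the Trustwave report or from Cyber Security News) shows a small detector for that pattern. It parses lines shaped like SQL Server ERRORLOG failed-login entries (error 18456, which include the username and a [CLIENT: ip] tag), counts failures per client/user pair in a sliding time window, and raises an alert when a pair crosses a threshold. The log lines are constructed for the example, and the threshold and window are assumed defaults, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of SQL Server ERRORLOG failed-login entries
# (error 18456). Illustrative only; not captured from Trustwave's honeypots.
SAMPLE_LOG = """\
2022-12-06 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-06 10:15:32.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-06 10:15:32.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-06 10:15:33.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-06 10:15:33.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-12-06 10:15:33.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-12-06 11:02:10.00 Logon       Login failed for user 'reporting_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]
2022-12-06 14:40:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Timestamp, username, optional reason text and the client address at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>[^\[]*?))?\s*\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_failed_logins(text):
    """Return one dict (ts, user, reason, client) per failed-login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "user": m["user"],
            "reason": (m["reason"] or "").strip(),
            "client": m["client"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each (client, user) pair that accumulates >= threshold failures inside one sliding window.

    threshold and window are assumed tuning values for the example, not figures from the report.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["user"])].append(e["ts"])

    alerts = []
    for (client, user), stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until all stamps in [start, end] fit inside the window.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"client": client, "user": user,
                               "count": end - start + 1,
                               "first": stamps[start], "last": stamps[end]})
                break  # one alert per pair is enough for triage
    return alerts


def summarize_by_user(events):
    """Failed-login count per username, to show which accounts draw the attention."""
    counts = defaultdict(int)
    for e in events:
        counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    print("failed logins per user:", summarize_by_user(evts))
    for a in detect_bruteforce(evts):
        print(f"ALERT {a['client']} -> '{a['user']}': {a['count']} failures "
              f"between {a['first'].time()} and {a['last'].time()}")
```

On the sample, the five rapid failures for 'sa' from one client produce a single alert, while the isolated failures for 'admin', 'reporting_svc' and the second 'sa' source stay below the threshold. Pairing this with a disabled or renamed 'sa' account, as the report recommends, turns the alert into a clear signal, since legitimate logins to that name should then never occur.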
The post Hackers Targeting Microsoft’s MS SQL Servers Extensively – New Study appeared first on Cyber Security News.
PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers
The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign.
It said "new project creation and new user registration" was temporarily halted to mitigate what it said was a "malware upload campaign." The incident was resolved 10 hours later, on March 28, 2024, at
The Hacker News
Charming Kitten Hackers Uses Weaponized MS Word Doc to Deploy Powershell Backdoor
Charming Kitten, also known as TA453, is an Iranian government-backed cyberwarfare group that has conducted several attacks since 2017.
In the middle of May 2023, these threat actors sent a benign email posing as a Senior Fellow of the Royal United Services Institute (RUSI), asking for feedback on a project called "Iran in the Global Security Context."
The email also listed other nuclear-security experts as recipients, whom the threat actors had contacted to make the message appear credible to the victims. The email accounts used in this campaign were found to be attacker-created rather than compromised.
Charming Kitten – Overview of their TTPs
After the initial email, the threat actors sent their targets a Google Script macro that redirected the victims to a Dropbox URL hosting a password-protected .rar archive (Abraham Accords & MENA.rar) and a .LNK file (Abraham Accords & MENA.pdf.lnk).
Full infection chain (Source: Proofpoint)
Dropper and Additional Malware
The .LNK file (Abraham Accords & MENA.pdf.lnk) acts as the dropper: it uses the Gorjol function and runs several PowerShell commands to establish a connection to the C2 server. Once the connection is established, it downloads a base64-encoded .txt file (the first Borjol function) from the server.
Once decoded, this first Borjol function contacts the C2 at fuschia-rhinestone.cleverapps[.]io to download another encrypted Borjol function (the second Borjol function) that reuses the variables of the first.
The second Borjol function decrypts the PowerShell backdoor (GorjolEcho) that the threat actors use to gain persistence on the system. The backdoor opens a decoy PDF before exfiltrating data to the C2.
Mac Malware
According to Proofpoint's research, the malware did not run on an Apple computer. A week after the initial communication, however, the threat actors sent a new infection chain that could also attack the Mac operating system.
This time they sent malware disguised as a "RUSI VPN Solution", which executes an AppleScript file and uses the curl command to download the next stage from the C2 (library-store[.]camdvr[.]org/DMPR/[alphanumeric string]), which resolves to 144.217.129[.]176, an OVH IP address.
Instead of a PowerShell backdoor, this time a bash script (NokNok) was used to gain persistence on the system.
Mac system infection chain
Indicators of Compromise
SHA256 hashes, as extracted here. The extracted text is damaged (it contains at least one non-hexadecimal character, and the last line carries an extra trailing character), so verify each hash against Proofpoint's published list before using it:
464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
ddead6e794b72af26d23065c463838c385a8fdffofb1b8940cd2c23c3569e43b
1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251dad
e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79
5dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026
b6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eb
acfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5cc3487c
Network indicators:
library-store[.]camdvr[.]org
144.217.129[.]176
filemanager.theworkpc[.]com
fuschia-rhinestone.cleverapps[.]io
A complete detailed analysis of this threat group has been published by Proofpoint.
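Indicator lists copied out of reports, like the one above, often arrive defanged ("[.]" in domains and IPs) and occasionally damaged in transit, so a blocklist or hunt query built straight from them can silently miss. The following added example (not Proofpoint's or Cyber Security News' code) refangs each indicator, validates hashes by character set and length, and sorts the results into buckets so malformed entries are surfaced instead of loaded. The first hash and the three network indicators are taken from the article; the two malformed hashes are constructed for the example.

```python
import ipaddress
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed test input. The first hash and the network indicators come from the
# article above; the second and third hashes are deliberately broken copies of the
# first (a non-hex 'o' substituted, and a truncation to 63 characters).
SAMPLE_IOCS = [
    "464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d",
    "464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1o",
    "464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1",
    "library-store[.]camdvr[.]org",
    "144.217.129[.]176",
    "fuschia-rhinestone.cleverapps[.]io",
]


def refang(indicator):
    """Undo the common defanging conventions and normalise case."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(token, ".")
    return s


def classify(indicator):
    """Return (kind, normalised) with kind in sha256/sha1/md5/ipv4/domain/malformed."""
    s = refang(indicator)
    if HEX_RE.match(s) and len(s) in HASH_LENGTHS:
        return HASH_LENGTHS[len(s)], s
    try:
        return "ipv4", str(ipaddress.IPv4Address(s))
    except ValueError:
        pass
    if DOMAIN_RE.match(s):
        return "domain", s
    # Anything left is either an unsupported type or a damaged value; never load it blindly.
    return "malformed", s


def triage(indicators):
    """Bucket a list of raw indicators by kind."""
    buckets = {}
    for raw in indicators:
        kind, norm = classify(raw)
        buckets.setdefault(kind, []).append(norm)
    return buckets


if __name__ == "__main__":
    for kind, values in triage(SAMPLE_IOCS).items():
        print(kind)
        for v in values:
            print("   ", v)
```

On the sample this yields one valid SHA256, two domains, one IPv4 address and two "malformed" entries, which is exactly the outcome you want from a damaged extract: the broken hashes are flagged for manual checking rather than matched against nothing.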
The post Charming Kitten Hackers Uses Weaponized MS Word Doc to Deploy Powershell Backdoor appeared first on Cyber Security News.