AntChain has teamed up with Intel for a Massive Data Privacy-Preserving Computing Platform (MAPPIC) for AI machine learning.
The post AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training appeared first on SecurityWeek.
Hackers Distribute PurpleFox Malware Using Vulnerable MS-SQL Servers
The PurpleFox malware has been active since 2018 and has adopted a new delivery technique: poorly managed MS-SQL servers.
The threat actors target poorly managed MS-SQL servers, execute PowerShell commands to install malicious MSI files, and hide the malware behind a rootkit.
The Purple Fox rootkit has also been distributed through a fake, malicious Telegram installer since early 2022.
AhnLab Security Emergency Response Center (ASEC) recently discovered PurpleFox being installed on poorly managed MS-SQL servers, a case detected through its AhnLab Smart Defense (ASD) infrastructure.
Initially, the threat actors executed PowerShell through sqlservr.exe, and that command downloaded an obfuscated PowerShell script from a remote URL.
The downloaded script contains MsiMake, a function written by the threat actor; running the MsiMake command installs the MSI file on the system.
The script does more than install MSI files: it also embeds Invoke-Tater, a PowerShell script that exploits a privilege escalation vulnerability, and Invoke-ReflectivePEInjection, which loads the malware binaries into memory so they run in a fileless manner.
As a result, the threat actor can install the malicious MSI file with administrator privileges and without any user interaction.
The MSI package modifies a registry key so that PurpleFox runs with service privileges and survives reboots, which gives the malware both persistence and privilege escalation. The threat actors also use the installer to schedule, delete, or rename certain files and tasks.
After a system restart, the malicious code is executed via the System Event Notification System (SENS) service. The malware typically installs a rootkit and registers a service that can only be launched in safe mode.
Security administrators with EDR tooling can stop the malware from spreading by closing the infection vector before it is exploited; here that vector is the MS-SQL service itself. Since "poorly managed" in practice means a server reachable from outside with weak administrator credentials, strong credentials, restricted network exposure, and an alert on PowerShell launched by sqlservr.exe are the practical controls.
Indicators of compromise (MD5):
f725bab929df4fe2626849ba269b7fcb // MSI package
d88a9237dd21653ebb155b035aa9a33c // Obfuscated PowerShell
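The chain ASEC describes (sqlservr.exe spawning PowerShell, which installs an MSI) is unusual enough to hunt for directly in process telemetry. The script below is an added example written for this page, not ASEC's code: it runs three rules over constructed JSON-lines events shaped like Sysmon process-creation and file-creation records (the field names pid, ppid, image, cmdline, path and md5, the paths, and the encoded command are assumptions), and reuses the two MD5 indicators listed above.

```python
"""Hunt for the PurpleFox-on-MS-SQL execution chain in process telemetry.

Added example for this page, not ASEC's code. Input is constructed JSON-lines
telemetry shaped like Sysmon process-creation and file-creation events; the
field names (pid, ppid, image, cmdline, path, md5) are assumptions.
"""
import json
from dataclasses import dataclass

# MD5 indicators quoted from the ASEC write-up above.
IOC_MD5 = {
    "f725bab929df4fe2626849ba269b7fcb": "PurpleFox MSI package",
    "d88a9237dd21653ebb155b035aa9a33c": "obfuscated PowerShell downloader",
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (not real logs); paths and the encoded command are made up.
SAMPLE_TELEMETRY = [
    r'{"pid": 1204, "ppid": 820, "image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"}',
    r'{"pid": 3320, "ppid": 1204, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"}',
    r'{"pid": 3388, "ppid": 3320, "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec /i C:\\Users\\Public\\update.msi /quiet"}',
    r'{"pid": 3320, "path": "C:\\Users\\Public\\update.msi", "md5": "F725BAB929DF4FE2626849BA269B7FCB"}',
    r'{"pid": 4100, "ppid": 700, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell Get-Date"}',
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(by_pid, event):
    """Yield parent process events by following ppid links; stops at unknown pids or cycles."""
    seen = set()
    ppid = event.get("ppid")
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        yield parent
        ppid = parent.get("ppid")


def hunt(lines):
    """Return a Finding for each observable stage of the chain present in the telemetry."""
    events = [json.loads(line) for line in lines if line.strip()]
    by_pid = {e["pid"]: e for e in events if "image" in e}  # process events only
    findings = []
    for e in events:
        md5 = e.get("md5", "").lower()
        if md5 in IOC_MD5:  # Rule 3: a dropped file's hash matches a published IOC
            findings.append(Finding(e["pid"], "ioc_hash", IOC_MD5[md5]))
        if "image" not in e:
            continue
        img = basename(e["image"])
        chain = [basename(p["image"]) for p in ancestors(by_pid, e)]
        # Rule 1: sqlservr.exe directly spawning PowerShell (the initial execution ASEC saw)
        if img in POWERSHELL and chain[:1] == ["sqlservr.exe"]:
            findings.append(Finding(e["pid"], "mssql_spawns_powershell", e.get("cmdline", "")))
        # Rule 2: an MSI install anywhere beneath sqlservr.exe (the MsiMake stage)
        if img == "msiexec.exe" and "sqlservr.exe" in chain:
            findings.append(Finding(e["pid"], "msiexec_under_mssql", " <- ".join([img, *chain])))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Rule 1 alone is high-signal, because sqlservr.exe almost never has a legitimate reason to start a shell; the benign PowerShell started from explorer.exe in the sample is not flagged. Enabling PowerShell script block logging would additionally surface the MsiMake, Invoke-Tater and Invoke-ReflectivePEInjection names from the downloaded script, which never appear on the command line.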
The post Hackers Distribute PurpleFox Malware Using Vulnerable MS-SQL Servers appeared first on Cyber Security News.
What’s the State of Credential theft in 2023?
A little over halfway through 2023, credential theft is still a major thorn in the side of IT teams. The heart of the problem is the value of data to cybercriminals and the evolution of the techniques they use to get hold of it. The 2023 Verizon Data Breach Investigations Report (DBIR) found that 83% of breaches involved external actors, with almost all attacks being financially motivated.
The Hacker News
New VPN "Port Shadow" Vulnerability Lets Hackers Intercept Encrypted Traffic
Researchers examined how connection tracking, a fundamental function in operating systems, can be exploited to compromise VPN security and identified a new attack method named “port shadow” that allows attackers to intercept encrypted traffic, reveal user identities, or scan devices hidden behind a VPN server.
The vulnerability stems from limitations in connection tracking and in resource sharing between clients. The researchers built a formal model and verified six potential mitigations, all of which focus on enforcing stricter isolation between clients.
The paper examines how attackers on the same VPN server can interfere with other users' connections by exploiting a flaw in connection tracking frameworks.
The attacker can achieve this by sending packets with a spoofed source IP address that collides with another client’s connection, causing the VPN server to misroute packets.
The authors propose a formal model to analyze the attacks and design mitigations by using the non-interference property to ensure process isolation between clients.
An Adjacent-to-in-Path (ATIP) attack exploits VPN connection tracking mechanisms to redirect a target’s VPN connection request to the attacker. The attacker does this by sending packets with spoofed source and destination ports that collide with legitimate connections in the VPN server’s connection tracking table.
This collision tricks the VPN server into routing the target's packets to the attacker instead of the VPN endpoint; the attacker then leverages this position for further attacks, such as DNS injection and web traffic redirection.
The paper describes three vulnerabilities in Layer 3 VPNs that leverage connection tracking mechanisms to bypass VPN encryption.
The first vulnerability, the ATIP attack, exploits IP and port collisions in the connection tracking table to redirect a client’s DNS request to the attacker.
The attacker can then inject a DNS response to route the client’s traffic outside of the VPN tunnel.
The second vulnerability, the eviction ports reroute attack, exploits the mutability of connection tracking entries to reroute incoming packets to the attacker after the client disconnects from the VPN server.
The third vulnerability abuses the shared private IP space and the way packets are routed across the VPN to scan the ports of machines behind the VPN server.
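The ATIP collision and the eviction reroute described above both come down to one property: a tracking entry shared by every client and rewritable by whoever sends a matching packet last. The script below is an added toy model written for this page, not the paper's model or code. Its assumptions are that the server keeps one mutable table for all clients, delivers a reply to whichever tunnel most recently sent a matching packet, and, in the flawed configuration, never checks that a packet's source address belongs to the tunnel it arrived on; NAT to the shared public address is omitted because the misrouting is decided by the tracking entry alone. The isolated configuration shows the shape of the mitigations the paper verifies (no interference between clients), and the tunnel names and addresses are made up.

```python
"""Toy model of a VPN server's shared connection tracking table.

Added example for this page; not the paper's model or code. Assumptions: one
mutable table for all clients, replies routed to the tunnel that last sent a
matching packet, and (flawed mode only) no check that a packet's source
address belongs to the tunnel it came in on. Names and addresses are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class VpnServer:
    def __init__(self, isolate=False):
        self.isolate = isolate  # True = the "stricter isolation" style of mitigation
        self.tunnels = {}       # tunnel id -> private address assigned to that client
        self.table = {}         # (src_ip, src_port, dst_ip, dst_port) -> owning tunnel

    def connect(self, tunnel, private_ip):
        self.tunnels[tunnel] = private_ip

    def disconnect(self, tunnel):
        self.tunnels.pop(tunnel, None)
        if self.isolate:
            # Purge the client's entries so nobody can reclaim them after it leaves.
            self.table = {k: v for k, v in self.table.items() if v != tunnel}
        # Flawed mode: entries outlive the client, which is the eviction/reroute case.

    def from_tunnel(self, tunnel, pkt):
        """Outbound packet from a client. Returns what the server did with it."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.isolate:
            if self.tunnels.get(tunnel) != pkt.src_ip:
                return "dropped: source address not assigned to this tunnel"
            if self.table.get(key, tunnel) != tunnel:
                return "dropped: collides with another client's entry"
        self.table[key] = tunnel  # mutable, last writer wins: the port shadow
        return "forwarded"

    def from_internet(self, pkt):
        """Inbound reply. Returns the tunnel it is delivered to, or None if untracked."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return self.table.get(key)


def run_scenario(isolate):
    """Replay the collision attack and the post-disconnect reclaim; return the outcomes."""
    resolver = "198.51.100.53"
    query = Packet("10.8.0.2", 40000, resolver, 53)  # target's DNS query
    reply = Packet(resolver, 53, "10.8.0.2", 40000)  # resolver's answer

    def fresh():
        srv = VpnServer(isolate)
        srv.connect("tunA", "10.8.0.2")  # target
        srv.connect("tunB", "10.8.0.3")  # attacker, a client of the same server
        return srv

    # 1. Collision while the target is online: the attacker sends a packet whose
    #    spoofed source (10.8.0.2:40000) matches the target's live entry.
    srv = fresh()
    srv.from_tunnel("tunA", query)
    spoof_result = srv.from_tunnel("tunB", query)
    reply_delivered_to = srv.from_internet(reply)

    # 2. Eviction variant: the target disconnects and the attacker claims the stale entry.
    srv = fresh()
    srv.from_tunnel("tunA", query)
    srv.disconnect("tunA")
    srv.from_tunnel("tunB", query)
    stale_entry_claimed_by = srv.from_internet(reply)

    return {
        "spoof_result": spoof_result,
        "reply_delivered_to": reply_delivered_to,
        "stale_entry_claimed_by": stale_entry_claimed_by,
    }


if __name__ == "__main__":
    for isolate in (False, True):
        print("isolated" if isolate else "shared", run_scenario(isolate))
```

In the shared configuration the resolver's answer to the target is handed to the attacker's tunnel in both scenarios, which is the position from which the DNS injection mentioned above becomes possible. The isolated configuration needs two checks, not one: binding each entry to the tunnel that created it stops the live collision, and purging a client's entries on disconnect stops the stale entry from being reclaimed.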
The research paper investigates the connection tracking frameworks used in VPNs and exposes several vulnerabilities.
The authors exploit these vulnerabilities to launch denial-of-service (DoS) attacks and to inject malicious content into the target machine's traffic.
They achieve this by manipulating the ephemeral port space and leveraging the way the connection tracking frameworks handle packet routing.
The paper also explores how an attacker can learn the target's public IP address and the VPN server's IP address, which makes these attacks more realistic and suggests that a well-resourced attacker could compromise a user's VPN connection.
The post New VPN "Port Shadow" Vulnerability Lets Hackers Intercept Encrypted Traffic appeared first on Cyber Security News.