EU member states request permission to surveil journalists. Vacant US cyber leadership position fuels worries from experts. DOJ announces new unit devoted to foreign cyberactivity. Read More
The CyberWire
Malwarebytes wins every MRG Effitas award for 2 years in a row
ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research.
These results mark the ninth time in a row that ThreatDown has received all certification awards, and it is now officially the only vendor to win every single certification and award from Q3 2021 through Q3 2023.
MRG Effitas assesses a product’s ability to meet today’s most pressing threats in-the-wild, such as stopping zero-day malware, ransomware, and exploits—and doing so with speedy performance and low false positives.
After unveiling their new phishing assessment in Q2 2023, MRG Effitas in Q3 2023 began awarding a full-on 360° Phishing Certification to vendors who could take down phishing threats.
ThreatDown blocked 100% of phishing attempts in the In-the-Wild (ITW) Phishing Test. In other words, ThreatDown is the only vendor to consistently receive all 4 award logos and block 100% of phishing attempts.
How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of ThreatDown EP allowed it to detect and autoblock more malware than any other competitor on the Q3 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.
As an integral foundation layer for ThreatDown Bundles, these results prove that ThreatDown provides reliable and comprehensive protection against a wide range of threats.
Let’s dive into where we prevented more than the rest and how we were able to do it.
Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.
According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.
ThreatDown blocked 100% of phishing attempts in the ITW Phishing Test and was only one of two vendors to score 80% or above in the Phishing Simulator Test.
How we were able to do it: ThreatDown EP, the foundation for ThreatDown Bundles, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.
Using a blend of signature and signature-less technologies, the anti-ransomware layer of ThreatDown EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.
MRG Effitas tested security products against 65 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running ThreatDown EP also ran three benign programs designed to mimic ransomware behavior.
ThreatDown blocked 100% of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.
In 2021, 37% of banking malware attacks targeted corporate users.
We were one of the few vendors who earned a 360° Online Banking Certification, which means ThreatDown EP stopped 100% of threats designed to steal financial information and money from victims’ accounts. To outperform the others, our unique detection technology again came into play.
ThreatDown EP blocked 100% of the 16 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.
One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.
Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled ThreatDown EP to detect and block 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.
The anti-exploit feature of ThreatDown EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.
But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running ThreatDown EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.
We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode.
If there is one shining takeaway from this accomplishment, it’s that consistency is key.
You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, ThreatDown EP, and by extension our ThreatDown Bundles, is that solution.
For organizations that are concerned their current solution may not be up to par, the MRG Effitas assessment has demonstrated that ThreatDown—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.
Malwarebytes
Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting
The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.
APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with
Cactus Ransomware Exploiting Qlik Servers Vulnerability
The Cactus ransomware gang has been exploiting vulnerable Qlik Sense servers since November 2023 using multiple vulnerabilities, namely CVE-2023-41266 (Path Traversal), CVE-2023-41265 (HTTP Request Tunneling) and CVE-2023-48365 (Unauthenticated Remote Code Execution).
Though Qlik has addressed these vulnerabilities with multiple security advisories, thousands of servers remain vulnerable to exploitation.
QlikSense is a data visualization and business intelligence tool that can help businesses perform data analysis and other operations.
According to reports from Cyber Security News, threat actors were exploiting software vulnerabilities in these QlikSense servers and misleading victims with fabricated stories.
Meanwhile, reports from Shadowserver indicate that there are 5,200+ internet-exposed Qlik servers, of which 3,100+ are vulnerable to exploitation by the Cactus group.
In the Netherlands alone, 241 systems were discovered, 6 of which the threat actors have already compromised.
Identifying the list of servers and compromised servers involved multiple research steps.
An existing Nuclei template is available, which can be used to identify vulnerable QlikSense servers exposed on the Internet.
However, the researchers used the “product-info.json” file to find vulnerable servers.
This file includes several details about the server, such as the release label and version numbers, which could reveal the exact version of the QlikSense server running.
Further, the release label field contains a value such as “February 2022 Patch 3”, which identifies the last update applied to the Qlik Sense server and therefore the relevant advisory.
To retrieve this information from the product-info.json file, the below cURL command can be used.
curl -H "Host: localhost" -vk 'https://<ip>/resources/autogenerated/product-info.json?.ttf'
The .ttf (TrueType Font) suffix is appended to the query string so that the request is treated as a request for a font file. Font files can be accessed without authentication on Qlik Sense servers, and the “Host: localhost” header avoids the 400 Bad Request response the server would otherwise return.
A patched server returns “302 Authenticate at this location” in the response, whereas a vulnerable server reveals the contents of the file with a 200 OK response.
Accordingly, a 302 response, or a release label from the Qlik server containing “November 2023”, indicates a non-vulnerable server.
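The classification rule above (302 means patched; 200 with an older release label means the file is served unauthenticated and the server is exposed) is easy to get wrong by hand across a fleet. The following is an added example, not code from the article or from Qlik, for triaging product-info.json responses you have already collected from servers you administer. It works on stored responses rather than making requests. The JSON key name used for the release label (assumed here to be something like releaseLabel) and the sample responses are constructed for the example; the article does not give the file's exact structure.

```python
import json
import re
from typing import Any, Optional

# Release labels the write-up treats as patched: a "November 2023" label means
# the server was updated after the advisories. Append later release labels as
# Qlik ships them (assumption: later releases carry newer month/year labels).
PATCHED_LABEL_MARKERS = ("November 2023",)

# The exact key name in product-info.json is an assumption, so match fuzzily.
_LABEL_KEY = re.compile(r"release.?label", re.IGNORECASE)


def find_release_label(doc: Any) -> Optional[str]:
    """Recursively search parsed JSON for a string under a release-label-like key."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            if isinstance(value, str) and _LABEL_KEY.search(key):
                return value
            found = find_release_label(value)
            if found is not None:
                return found
    elif isinstance(doc, list):
        for item in doc:
            found = find_release_label(item)
            if found is not None:
                return found
    return None


def classify_qlik_response(status: int, body: str) -> dict:
    """Classify one stored product-info.json probe result.

    302  -> patched (server demands authentication elsewhere)
    200  -> file leaked; patched only if the release label names a fixed release
    else -> unknown (not a Qlik Sense server, proxy in the way, etc.)
    """
    if status == 302:
        return {"verdict": "patched", "reason": "302 redirect to authentication", "release_label": None}
    if status != 200:
        return {"verdict": "unknown", "reason": f"unexpected HTTP status {status}", "release_label": None}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "unknown", "reason": "200 response but body is not JSON", "release_label": None}
    label = find_release_label(doc)
    if label and any(marker in label for marker in PATCHED_LABEL_MARKERS):
        return {"verdict": "patched", "reason": "release label names a patched release", "release_label": label}
    return {
        "verdict": "vulnerable",
        "reason": "file served unauthenticated and release label predates the fix",
        "release_label": label,
    }


# Constructed sample responses for the demonstration; not captured from real servers.
SAMPLE_RESPONSES = {
    "old-build": (200, json.dumps({"composition": {"releaseLabel": "February 2022 Patch 3"}})),
    "fixed-build": (200, json.dumps({"composition": {"releaseLabel": "November 2023 Patch 1"}})),
    "patched-redirect": (302, ""),
    "not-qlik": (200, "<html>not json</html>"),
}


def classify_samples() -> dict:
    """Verdict per constructed sample, keyed by sample name."""
    return {name: classify_qlik_response(status, body)["verdict"]
            for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

A 200 that is not JSON is deliberately reported as unknown rather than vulnerable: a load balancer or a non-Qlik host behind the same address will answer 200 with HTML, and counting those as exposed inflates the list you hand to the patching team.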
As Arctic Wolf explains, the Cactus ransomware group redirects the output of its commands to a TTF file named qle.ttf.
The threat group also used a qle.woff file in some instances. Because these are font files, they can be accessed without authentication.
Checking for these particular files revealed around 122 servers, of which the United States has the highest number, 49, followed by 13 servers in Spain, 11 in Italy, 8 in the UK, 7 each in Germany and Ireland, and 6 in the Netherlands.
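The qle.ttf and qle.woff names are a concrete indicator a Qlik Sense administrator can check for on their own servers. The following is an added example, not code from the article or from Arctic Wolf, that walks a web-resources directory and flags both the reported file names and, going slightly beyond the article, any font-named file whose first bytes are not a font signature (TrueType, OpenType, WOFF or WOFF2), since dumped command output stored under a .ttf name will fail that check. The sample directory it builds is constructed for the demonstration; the real Qlik resources path is not given in the article.

```python
import tempfile
from pathlib import Path
from typing import List, Tuple

# File names the write-up reports the Cactus group writing command output into.
SUSPECT_NAMES = {"qle.ttf", "qle.woff"}

# Magic bytes genuine font files start with: TrueType (00 01 00 00), Apple
# TrueType ("true"), OpenType/CFF ("OTTO"), TrueType collection ("ttcf"),
# WOFF ("wOFF") and WOFF2 ("wOF2").
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf", b"wOFF", b"wOF2")
FONT_SUFFIXES = {".ttf", ".woff", ".woff2", ".otf"}


def looks_like_font(path: Path) -> bool:
    """True if the file begins with a known font signature."""
    with path.open("rb") as fh:
        head = fh.read(4)
    return any(head.startswith(magic) for magic in FONT_MAGIC)


def scan_font_files(root: Path) -> List[Tuple[str, str]]:
    """Return (relative path, finding) for each suspicious font-named file under root."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SUSPECT_NAMES:
            findings.append((rel, "name matches reported Cactus output file"))
        elif path.suffix.lower() in FONT_SUFFIXES and not looks_like_font(path):
            findings.append((rel, "font extension but content is not a font"))
    return findings


def build_sample_tree() -> Path:
    """Constructed directory for the demonstration; every file here is made up."""
    root = Path(tempfile.mkdtemp(prefix="qlik-font-demo-"))
    fonts = root / "resources" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "legit.ttf").write_bytes(b"\x00\x01\x00\x00" + b"\x00" * 32)   # valid TrueType header
    (fonts / "legit.woff").write_bytes(b"wOFF" + b"\x00" * 32)             # valid WOFF header
    (fonts / "qle.ttf").write_bytes(b"constructed command output\r\n")     # reported IoC name
    (fonts / "odd.ttf").write_bytes(b"constructed text, not a font\r\n")   # wrong content type
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, finding in scan_font_files(demo_root):
        print(f"{rel}: {finding}")
```

Run it against the directory your Qlik Sense instance serves static resources from; a hit on either rule is worth pulling the file and the web server's access log for that path before deciding whether it is an incident.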
It is recommended that organizations and users of QlikSense servers upgrade to the latest versions per the security advisories to prevent threat actors from exploiting these vulnerabilities.
Cyber Security News