More stories

  • Cybercrime: Dark web carding forum users are getting worried after a string of shutdowns

    Cybercriminals are getting spooked by the sudden disappearance of a number of prominent dark web marketplaces, leading some to wonder if time is up on their illegal, underground activities.

    Cybersecurity researchers at Digital Shadows have analysed activity on carding forums – dark web marketplaces where criminals buy and sell stolen credit card information and other personal data – and found that clients are despondent following a series of seizures and forums going dark. This comes at a time when some ransomware affiliates have been getting worried after action targeting REvil and other ransomware groups.

    In January 2022, a message appeared on a prominent carding forum stating that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation”. In joint cooperation with US agencies, Russia’s Federal Security Service (FSB) identified alleged members of the hacking group “The Infraud Organization”, including someone who served as administrator for the forum. A few days later, it was announced that six more suspects had been arrested on charges linked to selling stolen credit card information, and the same seizure notice appeared on more carding forums.

    Other forums appear to have voluntarily gone on a temporary hiatus in what could be an effort to avoid being targeted. “Due to recent events, we are going on vacation for 2 weeks,” said the admins of one carding site, adding: “Thank you for understanding! We’ll be back soon, so don’t worry!” The marketplace hasn’t returned and the ability to get refunds has been cancelled.

    One prominent dark web carding market that had been active for almost a decade has also recently shut down – in this case, the operators claimed they were retiring, having made enough money.

    But the shutdowns and disappearances appear to be having an impact on some users, who are starting to get worried. One described it as the “most scary moment in the carding history” and a “nightmare for people involved in this business”. Another suggested that “at this tempo there won’t be a Russian darknet by the end of the year.”

    Others are more confident that the string of shutdowns is a temporary blip and that, as previously, other marketplaces will rise up to fill the void. “Some partial restore will happen in some days or weeks,” said one user. Others suggest that the future of carding will move to other platforms, like Telegram – although not all users trust the instant messaging service.

    The shutdowns have led to discussions about operational security, as some forum members fear they could also be arrested. “Hard times have come. Take care of yourself and remember your safety,” said one user. “EVERYTHING has changed, go on vacation!” warned another.

    Shutdowns and takedowns make engaging in cybercriminal activity more difficult, but there are likely always to be some who will continue, viewing the risk as worthwhile because of the money that can be made. “It seems unlikely that cybercriminals will do as some forum users joked and go to work in the ‘factories’,” Digital Shadows researchers said. “We saw one threat actor commenting that, although now would be a ‘great time’ if ‘someone has long wanted to retire’, the carding world would ‘be ok for the rest of the hard workers’.”

  • Microsoft aims to improve anti-phishing MFA for White House 'zero trust' push

    Microsoft has laid out some key documents for federal agencies to use as they implement the White House’s ‘zero trust’ goals within the new US cybersecurity strategy.

    In January, the Biden Administration released its new cybersecurity strategy following President Biden’s May 2021 executive order (EO 14028), signed in the wake of the SolarWinds software supply chain attack and ransomware attacks on critical infrastructure like Colonial Pipeline.


    Core to that strategy are ‘zero trust’ architectures, for which US tech and cybersecurity vendors were canvassed for suggestions by the US National Institute of Standards and Technology (NIST), specifically about how to protect software supply chains from attack. Zero trust assumes breach and that basically nothing should be trusted.

    But even as supply chains are targeted, email phishing remains one of the main methods that attackers use to breach a network, creating the starting point for a later supply chain attack. In May, it wasn’t known whether Russian intelligence hackers used a targeted email phishing attack to breach SolarWinds’ software build systems. But the attack group, tagged Nobelium by Microsoft, has subsequently relied heavily on credential stuffing, phishing, API abuse, and token theft in attempts to obtain account credentials for victims’ networks.

    Despite the onslaught of state-sponsored and criminal attackers targeting work account credentials, Microsoft earlier this month warned that just 22% of customers using Azure Active Directory (AAD) had implemented strong identity authentication, such as multi-factor authentication (MFA). In 2021, Microsoft blocked 25.6 billion AAD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365.

    To help protect cross-organization collaboration against phishing, Microsoft this month announced a public preview of cross-tenant access settings for inbound and outbound access when both organizations use AAD, as well as reducing MFA requirements for trusted users across AAD-using organizations. “Inbound trust settings let you trust the MFA external users perform in their home directories,” Microsoft explains.

    Upcoming zero trust capabilities aimed at countering phishing threats for organizations that collaborate with business partners and suppliers include the “ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.” Microsoft also plans to boost phishing-resistant MFA support, including in remote desktop protocol (RDP) scenarios. RDP is one of the most common entry points for ransomware attackers.

    Microsoft has previously outlined how its zero trust approach aligns with NIST’s goal to develop “practical, interoperable approaches” to zero trust architectures. The Cybersecurity and Infrastructure Security Agency (CISA) is also providing agencies with technical support and operational expertise in implementing zero trust. The US government hopes the private sector will also follow the federal government’s lead.

    For its government customers, Microsoft has now published five ‘cybersecurity assets’ explaining how to achieve a zero trust architecture from a Microsoft technology perspective. It covers: cloud adoption for Azure; rapid modernization plans; architecture scenarios mapped to NIST standards; a multi-factor authentication (MFA) deployment guide focussing on Azure Active Directory (AAD); and an “interactive guide” on the EO. It’s mostly a collection of existing documents, blog posts and Microsoft help articles, but it nonetheless provides a central repository for agencies moving to comply with the new federal rules.

  • Thanks, dad: Jammer used to stop kids going online, wipes out a town's internet by mistake

    A father who used a signal jammer to rein in his children’s internet use managed to wipe out an entire town’s connectivity by mistake.

    The French Agence Nationale des Fréquences (ANFR), the organization responsible for managing radio frequencies in the country, received a strange complaint from a mobile phone operator.

    The carrier had detected odd signal drops that were impacting the telephone and internet services of residents in the French town of Messanges. According to the ANFR (via Bleeping Computer), there was one strange detail that stood out in the report: services were cut consistently from midnight to roughly 3am every day.

    As residents slept, a member of the Toulouse Regional Service of the ANFR began walking the streets to investigate. While the examiner watched the clock tick over to midnight, their spectrum analyzer equipment took on a familiar shape — revealing a jammer was in use. The waves emitted by the device were followed to a house in a neighboring town. The next day, one of the residents admitted responsibility and revealed that he had purchased a multi-band jammer to prevent his teenage children from going online at night without permission.

    The father claimed that his teenagers had become “addicted” to social media and browsing the web since the start of the COVID-19 pandemic, a situation potentially made worse by social restrictions and lockdowns. The jammer was intended to stop them from covertly using their smartphones to go online when they were meant to be asleep. However, the jammer also managed to wreak connectivity havoc for other residents and the neighboring town.

    “By wanting to ban the internet in his home, he applied the same sentence to his entire neighborhood,” the agency said.

    The problem is that using a jammer is not legal in France, and as a result, the man faces a maximum fine of €30,000 and even a jail term of up to six months.

    In another example of a town resident’s use of technology having inadvertent consequences, in 2020, telecoms engineers spent 18 months frustrated and perplexed over the sudden but consistent disappearance of a Welsh village’s internet at 7am every morning. It turned out that all of the broadband and BT service issues endured by hundreds of residents were caused by one individual who was turning on an old, secondhand television set at that time every day. The TV was sending out electrical bursts capable of disrupting signals.

  • New RCE flaw added to Adobe Commerce, Magento security advisory

    Adobe has updated its advisory on an actively-exploited critical vulnerability in the Magento and Commerce Open Source platforms to include another RCE bug.

    The tech giant published revisions to the advisory on February 17. Adobe originally issued an out-of-band patch on February 13 to resolve CVE-2022-24086, a critical pre-auth vulnerability that can be exploited by attackers to remotely execute arbitrary code. CVE-2022-24086 has been issued a CVSS severity score of 9.8. Adobe said the security flaw was being actively exploited “in very limited attacks targeting Adobe Commerce merchants.”

    Now, Adobe has added a further vulnerability to the advisory, CVE-2022-24087. “We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said. The vulnerability has also been issued a CVSS score of 9.8 and impacts the same products in the same manner.

    The security flaws do not require any administrative privileges to trigger and both are described as improper input validation bugs leading to remote code execution (RCE). As CVE-2022-24086 is being abused in the wild, Adobe has not released any further technical details. However, cybersecurity researchers from the Positive Technologies Offensive Team say they have been able to reproduce the vulnerability.

    Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2, and 2.4.0 – 2.4.3-p1 are impacted. However, versions 2.3.0 to 2.3.3 are not affected by the vulnerabilities, according to the company. Adobe has provided a guide for users to manually install the necessary security patches.

    Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. In a tweet, Blaklis said the first patch to resolve CVE-2022-24086 is “not sufficient” and has urged Magento & Commerce users to apply the new fixes.
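    The affected ranges above are easy to misread because Magento versions carry a `-pN` patch suffix that plain string comparison gets wrong (2.3.3 is not affected, 2.3.3-p1 is). The following inventory check is an added example, not code from Adobe or the article: it encodes exactly the ranges quoted from the advisory and nothing else. Because the fixes are applied as manual patches rather than a new release, a version number outside these ranges shows only that the build is not in the stated affected set, not that a patched store has been updated; confirming the patch is installed is a separate check.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ranges exactly as quoted from Adobe's advisory in the article
# (inclusive). 2.3.0 .. 2.3.3 without a patch suffix are stated as not affected.
AFFECTED_RANGES = [
    ("2.3.3-p1", "2.3.7-p2"),
    ("2.4.0", "2.4.3-p1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-pN]' into a sortable tuple.

    A missing -pN suffix sorts as p0, so 2.3.3 < 2.3.3-p1 < 2.3.4, which is
    the ordering a string compare would get wrong ('2.3.3-p1' < '2.3.3' is
    False lexically only by accident, and '2.3.10' sorts before '2.3.7').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento/Commerce version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the quoted affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventory version to 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed store inventory for the demo; not data from the article.
    inventory = ["2.3.3", "2.3.3-p1", "2.3.7-p2", "2.4.0", "2.4.3-p1", "2.4.4"]
    for ver, status in triage(inventory).items():
        print(f"{ver:10} {status}")
```

    Feed `triage()` the output of whatever records your store versions (a CMDB export, `composer show` across hosts), then follow up the "affected" rows with a check that the manual patch from Adobe's guide is actually present.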

  • ACCC chair says NBN should be treated as sunk cost in any efforts to recoup spend

    Australia’s competition watchdog chair Rod Sims has given his two cents on how the NBN should approach recovering its costs, saying that the NBN should be viewed as a sunk cost and decisions should flow from that starting point.

    “Now that [the NBN’s] built, I think it’s appropriate to treat its cost as sunk and therefore, what matters for Australia is getting the best use out of the NBN,” Sims told Senate Estimates yesterday.

    The ACCC chair was speaking to the NBN’s efforts to recoup costs, wherein the company responsible for running the network has previously said it needs to eventually have an average revenue per user of AU$51 to avoid a potential write-down. In NBN’s FY22 first-half results posted last week, the company said its average revenue per user finally shifted from AU$45 to AU$46.

    Debt-wise, as of the end of 2021, NBN has AU$17.3 billion in private debt. It also has a AU$19.5 billion loan from the federal government, with AU$7.5 billion of that amount still outstanding.

    “Obviously, NBN need enough cash going forward to cover their investment, [it] would be absurd not to do that. But I wouldn’t be personally hung up on getting a commercial return on every last dollar spent because I think that’s just bad economics. What’s the best use we can make of the NBN should drive it provided they’ve got enough money to do all the things they have to do,” Sims said.

    In providing that view, Sims said the NBN should prioritise generating enough revenue so it can continue upgrading and investing in the network to meet future demand rather than prioritising making the utmost commercial returns.

    During Senate estimates, Sims also maintained the ACCC’s view that the 25-50Mbps down and 5-20Mbps up Fixed Wireless Plus plan is sufficient for most families if their needs are working from home and using streaming services at the same time. In recent releases of statistics on fixed wireless performance by the ACCC, those on the supposed 25-50Mbps down and 5-20Mbps up Fixed Wireless Plus plan have been shown to be barely able to crack the 6Mbps mark for upload speeds, and it has been that way for some time.

    The Regional Telecommunications Review, published on Monday, backed the ACCC’s stance that the plan was sufficient. The review noted, however, that the 6Mbps target and other speed targets needed to be significantly strengthened to meet continual demand increases and network growth. “This is insufficient for many of the activities higher-bandwidth users are looking to use the service for and inconsistent with the upload speeds available to fixed line consumers,” the review said.

    When it fronted Senate estimates earlier in the week, NBN said it would be formally lodging its Special Access Undertaking variation with the ACCC in the coming weeks. “I would expect the ACCC will then consult on that variation. As I understand, it is required by legislation actually, and I would expect them, therefore, to issue a consultation paper and provide a timeline for the process,” NBN CEO Stephen Rue said on Tuesday night.

  • KDDI launches 5G standalone Open RAN in Japan with Samsung kits

    Japanese telecom giant KDDI said on Friday it has deployed the world’s first commercial 5G standalone open radio access network (Open RAN) in Japan.

    The network, now available in the city of Kawasaki in Kanagawa Prefecture, is powered by Samsung’s virtualised central units and virtualised distributed units as well as Fujitsu’s massive MIMO radio units. Samsung’s baseband and Fujitsu’s massive MIMO radio units are connected with an open interface, the telecom giant said. The site at Kawasaki also has network slicing and multi-access edge computing capabilities, which will offer higher speeds and lower latency for mobile users, the company said.

    KDDI said the use of virtualisation and Open RAN technologies, which run network functions as software on commercial off-the-shelf servers in place of elements that previously required dedicated hardware, will bring flexibility and agility to its network, with deployment being more cost-effective. The launch of the network will also allow the company to accelerate deployment of Open RAN across Japan, including in rural areas, which it will continue to do with Samsung and Fujitsu throughout 2022, the telco said.

    Prior to Samsung becoming the 5G network equipment supplier for KDDI, the pair had already been collaborating on related technologies since 2017. Last year, the South Korean tech giant also announced it was supplying its 5G kit to NTT Docomo, Japan’s largest telco.

    Samsung, a vocal supporter of vRAN and Open RAN technologies, has also provided its vRAN solutions in the US and the UK for Open RAN rollouts there.

  • Vulnerability found in WordPress plugin with over 3 million installations

    Updates have been released for UpdraftPlus, a WordPress plugin with over 3 million installations, after a vulnerability was discovered by security researcher Marc Montpas. In a blog post, the Wordfence Threat Intelligence team explained that the vulnerability allows any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, and frequently include configuration files which can be used to access the site database as well as the contents of the database itself, the WordPress security company explained.

    The researchers examined the patch and were able to create a proof of concept. In an original version of the blog, Wordfence said the attacker would need to begin their attack when a backup was in progress, and would need to guess the appropriate timestamp to download a backup. But it was later updated to say Wordfence found that it is possible to obtain a full log containing a backup nonce and timestamp at any time, “making this vulnerability significantly more exploitable.”

    UpdraftPlus patched the vulnerability on Thursday in version 1.22.3 and urged users to check their website to make sure they were running the latest version.

    “UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files,” Wordfence explained. “The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.”

    The company said the issue revolves around the UpdraftPlus_Options::admin_page() === $pagenow check. Attackers can fool the $pagenow check into thinking that the request is to options-general.php, while WordPress still sees the request as being to an allowed endpoint of admin-post.php, according to Wordfence. Wordfence added that in order to exploit the vulnerability, the hacker would need an active account on the target system.

    “As such it is likely only to be used in targeted attacks. The consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database,” Wordfence said. “As such we urge all users running the UpdraftPlus plugin to update to the latest version of the plugin, which is version 1.22.3 as of this writing, as soon as possible, if you have not already done so, since the consequences of a successful exploit would be severe.”

    Netenrich’s John Bambenek told ZDNet that WordPress represents one of the largest backends of websites on the Internet and the security problems come from its vast ecosystem of plugins that run the gamut from capable developers to hobbyists. “Access to the backups and database will likely first be used for credential theft but there are many possibilities for attackers to take advantage of the information,” Bambenek said.

    Vulcan Cyber engineer Mike Parkin suggested creating a firewall rule to mitigate this vulnerability until the patch is applied.
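    Wordfence's description gives a defender one concrete handle: the request that starts the attack is a WordPress heartbeat request whose body carries a `data[updraftplus]` field, sent from a low-privilege account. The matching logic a stopgap firewall rule of the kind Parkin suggests would apply, or that a detection engineer could run over WAF or request logs, is shown below as an added example; it is not code from Wordfence, UpdraftPlus or the article. It assumes the logging layer records the request path, the authenticated user's role and the URL-encoded POST body (the records below are constructed), and it relies on the standard WordPress convention that heartbeat requests are POSTs with `action=heartbeat`, which is not stated in the article.

```python
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed request records, not real traffic: what a WAF or a WordPress
# request-logging layer could hand us. 'role' is the authenticated user's role.
SAMPLE_REQUESTS = [
    {"id": 1, "path": "/wp-admin/admin-ajax.php", "role": "administrator",
     "body": "action=heartbeat&_nonce=abc&data%5Bwp_autosave%5D%5Bpost_id%5D=12"},
    {"id": 2, "path": "/wp-admin/admin-ajax.php", "role": "subscriber",
     "body": "action=heartbeat&_nonce=abc&data%5Bupdraftplus%5D%5Bsubaction%5D=x"},
    {"id": 3, "path": "/wp-admin/admin-ajax.php", "role": "subscriber",
     "body": "action=heartbeat&_nonce=abc&data%5Bupdraftplus%5D=1"},
    {"id": 4, "path": "/wp-admin/admin-post.php", "role": "administrator",
     "body": "action=some_other_action&timestamp=1645000000"},
]

UPDRAFT_PREFIX = "data[updraftplus]"      # the parameter named in the advisory
PRIVILEGED_ROLES = {"administrator"}      # roles that legitimately manage backups


def carries_updraft_data(body: str) -> bool:
    """True when any form field is data[updraftplus] or a sub-key of it.

    parse_qs percent-decodes the keys, so data%5Bupdraftplus%5D%5Bx%5D
    becomes data[updraftplus][x]; the prefix test therefore catches any
    sub-parameter while not matching look-alikes such as data[updraftplusx].
    """
    fields = parse_qs(body, keep_blank_values=True)
    return any(k == UPDRAFT_PREFIX or k.startswith(UPDRAFT_PREFIX + "[") for k in fields)


def classify(req: Dict) -> str:
    """'alert'  : heartbeat request with updraftplus data from a non-privileged role
       'review' : same shape but from a role that already has backup access
       'ok'     : anything else"""
    fields = parse_qs(req["body"], keep_blank_values=True)
    if fields.get("action") != ["heartbeat"] or not carries_updraft_data(req["body"]):
        return "ok"
    return "review" if req["role"] in PRIVILEGED_ROLES else "alert"


def scan(requests: List[Dict]) -> Dict[int, str]:
    """Classify every record; returns {request id: verdict}."""
    return {r["id"]: classify(r) for r in requests}


if __name__ == "__main__":
    for rid, verdict in scan(SAMPLE_REQUESTS).items():
        print(f"request {rid}: {verdict}")
```

    The split between "alert" and "review" matters for a blocking rule: a subscriber-level heartbeat carrying `data[updraftplus]` is the privilege gap the advisory describes and can be dropped outright, whereas the same parameter from an administrator session should be logged rather than blocked so the rule does not break legitimate backup management. Once 1.22.3 or later is deployed, the rule can be retired.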

  • Multiple vulnerabilities found in Snap-confine function on Linux systems

    Security researchers with Qualys have discovered several vulnerabilities affecting Canonical’s Snap software packaging and deployment system. In a blog post, Qualys director of vulnerability and threat research Bharat Jogi explained that they found multiple vulnerabilities in the snap-confine function on Linux operating systems, “the most important of which can be exploited to escalate privilege to gain root privileges.”

    Jogi added that Snap was developed by Canonical for operating systems that use the Linux kernel. “The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions and allow upstream software developers to distribute their applications directly to users. Snaps are self-contained applications running in a sandbox with mediated access to the host system. Snap-confine is a program used internally by snapd to construct the execution environment for snap applications,” Jogi said, noting that the main issue was CVE-2021-44731. “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.”

    After discovering the vulnerabilities and sending an advisory to Ubuntu in October, the Qualys Research Team worked with Canonical, Red Hat and others to address the issue. Canonical did not respond to requests for comment. In addition to CVE-2021-44731, Qualys discovered six other vulnerabilities. They provided a detailed breakdown of each issue and urged all users to patch as soon as possible.
    There are no mitigations for CVE-2021-44731 and Jogi noted that while the vulnerability is not remotely exploitable, an attacker can log in as any unprivileged user and the vulnerability can be quickly exploited to gain root privileges.

    Vulcan Cyber engineer Mike Parkin said Snap has become reasonably widespread in the Linux world, with a number of major vendors distributing packages using it. While any exploit that can give root access is problematic, being a local exploit reduces the risk somewhat, Parkin explained, adding that patching vulnerable systems should be a priority.

    “This is both very widespread and also very dangerous, given that it enables a cyber criminal to escalate their privileges to gain root access. With that access threat actors can distribute malware, plant deepfakes, move laterally within corporate networks, and many other forms of being compromised,” said Viakoo CEO Bud Broomhead. “Linux is widely used as the embedded operating system for IoT devices, which typically there are 5-10X more of than traditional IT devices in an organization. Currently there is no mitigation for this vulnerability, but when one becomes available it will likely remain exploitable for some time. Unlike IT systems, IoT devices often lack automated methods of remediating vulnerabilities, giving the potential for this vulnerability to be present for a long time.”