Cyber Security News — Past 24 hours | 07.07.2021
Experts Said How Cybercriminals Make Money on Russian Gamers
One of the most common fraud schemes involves buying or selling an account in an online game. A scammer offers an account for sale, but after the buyer transfers the money, they never receive access to it, and the buyer will most likely be unable to recover the funds.
Experts advise using specialized platforms for buying and selling accounts, which charge a commission of about 10% for their services.
Another scheme involves the purchase of expensive goods, such as a game console, through a private classifieds service. In this case, the buyer is asked to pay into an e-wallet hosted on a legitimate payment service; the gamer makes the transfer to the scammers and is left with neither the money nor the product.
A third scheme is connected with watching other gamers' streams. Scammers rebroadcast copies of famous players' streams and overlay banners advertising easy-money schemes on the video.
GitLab Fixes Several Vulnerabilities Reported by Bug Bounty
In an update to its software development platform, GitLab has addressed numerous vulnerabilities, including two high-severity web security flaws.
GitLab is a web-based DevOps lifecycle platform from GitLab Inc., available under an open-source license, that offers wiki, issue-tracking, and continuous integration and deployment pipeline capabilities. It was originally designed by Ukrainian programmers Dmytro Zaporozhets and Valery Sizov.
If the target is a regular user, a successful CSRF attack can force the user to make modifications such as money transfers or email address changes. When the victim is an administrator account, CSRF can compromise the whole web application.
A second high-severity vulnerability allowed GitLab's webhook feature to be abused for denial-of-service attacks.
Ethical hacker afewgoats told The Daily Swig that they had been working on a strategy for attacking webhook services.
“The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days,” afewgoats explained. “It’s the only Denial of Service, but it could tie up huge amounts of memory on the victim servers.”
“So far it’s been successful against PHP, Ruby, and Java targets,” they added.
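The failure mode afewgoats describes is a receiver that keeps each read inside the sender's per-read timeout while never finishing, so the sending worker and its buffers stay occupied indefinitely. The following is an added example, not GitLab's code and not code from the report above, of a webhook sender that bounds the whole exchange with a wall-clock budget and caps how much response it will buffer; it uses .NET's HttpClient from PowerShell, and the endpoint URI and JSON payload are placeholders.

```powershell
# Added example (not from the article or GitLab): bounded webhook delivery.
# A per-read socket timeout is not enough against a receiver that trickles bytes;
# HttpClient.Timeout covers the entire call (connect, send, and reading the whole
# response under the default ResponseContentRead completion option), and
# MaxResponseContentBufferSize refuses to buffer an oversized reply.
Add-Type -AssemblyName System.Net.Http   # required on Windows PowerShell 5.1; harmless on PowerShell 7

function Send-WebhookBounded {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][uri]$Uri,
        [Parameter(Mandatory)][string]$JsonBody,
        [int]$TotalSeconds = 10,        # budget for the whole exchange, not per read
        [long]$MaxResponseBytes = 1MB   # largest response body we are willing to hold in memory
    )

    $client = [System.Net.Http.HttpClient]::new()
    try {
        $client.Timeout = [TimeSpan]::FromSeconds($TotalSeconds)
        $client.MaxResponseContentBufferSize = $MaxResponseBytes
        $content = [System.Net.Http.StringContent]::new(
            $JsonBody, [System.Text.Encoding]::UTF8, 'application/json')
        try {
            # Blocks for at most $TotalSeconds regardless of how slowly the receiver drips data
            $response = $client.PostAsync($Uri, $content).GetAwaiter().GetResult()
            return [pscustomobject]@{
                Uri     = $Uri
                Outcome = 'delivered'
                Status  = [int]$response.StatusCode
            }
        }
        catch [System.Threading.Tasks.TaskCanceledException] {
            # The wall-clock budget ran out; the connection is torn down, not left hanging
            return [pscustomobject]@{ Uri = $Uri; Outcome = 'deadline-exceeded'; Status = $null }
        }
        catch [System.Net.Http.HttpRequestException] {
            # Connection failures and responses larger than $MaxResponseBytes land here
            return [pscustomobject]@{ Uri = $Uri; Outcome = "failed: $($_.Exception.Message)"; Status = $null }
        }
    }
    finally {
        $client.Dispose()
    }
}

# Usage with a placeholder endpoint (constructed; replace with a real receiver):
# Send-WebhookBounded -Uri 'https://hooks.example.invalid/receive' -JsonBody '{"event":"push"}' -TotalSeconds 5
```

The design point is that the deadline is owned by the sender and measured against the whole delivery, so a misbehaving receiver can cost at most one worker for `$TotalSeconds` and at most `$MaxResponseBytes` of memory, rather than both for days; a dispatcher that delivers many hooks would additionally run these calls under a bounded concurrency limit so that one slow receiver cannot starve the others.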
Microsoft’s Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability
“Several days ago, two security vulnerabilities were found in Microsoft Windows’ existing printing mechanism,” Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. “These vulnerabilities enable a malicious attacker to gain full control on all Windows environments that enable printing.” PrintNightmare stems from bugs in the Windows Print Spooler service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers.
“After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server,” Microsoft said, detailing the improvements made to mitigate the risks associated with the flaw. “Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.” After the update’s release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch “only appears to address the Remote Code Execution variants of the PrintNightmare, and not the Local Privilege Escalation variant,” thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems. “Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,” Dormann said Wednesday.
Microsoft, for its part, explains in its advisory that “Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.” While Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an alternative workaround is to enable security prompts for Point and Print and to limit printer driver installation to administrators alone by configuring the “RestrictDriverInstallationToAdministrators” registry value, which prevents regular users from installing printer drivers on a print server.
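The workaround just described is a registry change plus, optionally, the service shutdown. The script below is an added example, not Microsoft's tooling and not code from the article, that audits a host for the relevant Point and Print settings and can apply them. The registry key path and the values NoWarningNoElevationOnInstall and RestrictDriverInstallationToAdministrators are taken from Microsoft's CVE-2021-34527 guidance; UpdatePromptSettings is a second prompt-related value from that same guidance that the article does not mention. Verify all three against the current advisory before relying on them.

```powershell
# Added example (not from the article or Microsoft): audit and optionally apply the
# PrintNightmare workarounds. Save as Audit-PrintNightmare.ps1 and run from an
# elevated PowerShell; -WhatIf previews changes, -Remediate applies them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,       # write the recommended registry values
    [switch]$DisableSpooler   # the "nuclear option": stop and disable the Print Spooler
)

# Key path as documented in Microsoft's CVE-2021-34527 guidance (assumed current; verify).
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Desired DWORD values: keep security prompts on (0) and restrict driver installs to admins (1).
$Desired = @{
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
    RestrictDriverInstallationToAdministrators = 1
}

function Get-PointAndPrintState {
    # Returns a hashtable of current values; $null means the value is not defined.
    $state = @{}
    foreach ($name in $Desired.Keys) {
        $value = $null
        if (Test-Path $PointAndPrint) {
            $value = (Get-ItemProperty -Path $PointAndPrint -Name $name -ErrorAction SilentlyContinue).$name
        }
        $state[$name] = $value
    }
    return $state
}

function Test-PointAndPrintHardened {
    param([hashtable]$State)
    $findings = @()
    # For the two prompt settings, 0 or "not defined" is acceptable; 1 is the weak setting
    # Dormann warned about (the patch does not protect hosts configured that way).
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($null -ne $State[$name] -and $State[$name] -ne 0) {
            $findings += "$name = $($State[$name]) weakens the local security posture; expected 0 or undefined"
        }
    }
    # The workaround from the article requires this value to be explicitly 1.
    if ($State['RestrictDriverInstallationToAdministrators'] -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1; non-administrators may install printer drivers'
    }
    return ,$findings
}

$spooler = Get-Service -Name Spooler
Write-Host "Print Spooler: Status=$($spooler.Status) StartType=$($spooler.StartType)"

$state    = Get-PointAndPrintState
$findings = Test-PointAndPrintHardened -State $state
if ($findings.Count -eq 0) {
    Write-Host 'Point and Print settings already match the recommended workaround.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate -and $findings.Count -gt 0) {
    if (-not (Test-Path $PointAndPrint)) { New-Item -Path $PointAndPrint -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$PointAndPrint\$name", "set DWORD to $($Desired[$name])")) {
            New-ItemProperty -Path $PointAndPrint -Name $name -PropertyType DWord `
                -Value $Desired[$name] -Force | Out-Null
        }
    }
}

if ($DisableSpooler -and $PSCmdlet.ShouldProcess('Spooler', 'stop and disable the service')) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}
```

Run it without switches to get a read-only report (for example from a fleet-management job), with `-Remediate -WhatIf` to see which values would change, and with `-DisableSpooler` only on hosts that do not need to print, since that setting removes printing entirely. The audit deliberately treats a missing prompt value as acceptable, matching the advisory's "0 or not defined" wording, while insisting that RestrictDriverInstallationToAdministrators be set explicitly.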
SideCopy Hackers Target Indian Government Officials With New Malware
A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans, signaling a “boost in their development operations.” Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file enumerators to browser credential stealers and keyloggers, Cisco Talos said in a report published Wednesday. “Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT also targeting India,” researchers Asheer Malhotra and Justin Thattil said. “These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections.”
Past campaigns undertaken by the threat actor used government and military-related lures to single out Indian defense units and armed forces personnel and deliver malware capable of accessing files and clipboard data, terminating processes, and even executing arbitrary commands. Apart from military themes, SideCopy has also been found employing calls for proposals and job openings related to Indian think tanks to lure potential victims. “The development of new RAT malware is an indication that this group of attackers is rapidly evolving its malware arsenal and post-infection tools since 2019,” Malhotra and Thattil noted. The goal, it appears, is to steal access credentials from Indian government employees with a focus on espionage, the researchers said, adding that the threat actor developed droppers for MargulasRAT that masqueraded as installers for Kavach on Windows.
“What started as a simple infection vector by SideCopy to deliver a custom RAT has evolved into multiple variants of infection chains delivering several RATs,” the researchers concluded.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT