Cyber Security News — Past 24 hours | 28.05.2021

NVIDIA Teases GeForce RTX 3080Ti And 3070Ti Graphics Cards

NVIDIA on Wednesday released a teaser campaign for the upcoming GeForce event on May 31st. The chipmaker is rumored to announce its new GeForce RTX 3080 Ti and RTX 3070 Ti graphics cards on May 31st at 10 P.M. PDT during the Computex 2021 keynote. Powered by the Ampere GA102–225 GPU, the RTX 3080 Ti will feature the PG132-SKU18 PCB design. It will reportedly include 12GB of GDDR6X memory, which is a 2GB increase over the existing RTX 3080. The graphics card will sport 10,240 CUDA cores within a total of 80 SM units along with a wider 384-bit memory interface. Also, the GPU will feature a clock speed of 1365 MHz base and a 1665 MHz boost. Further, the GeForce RTX 3080 Ti is said to retain the same memory speeds and TGP as the RTX 3080, at 19 Gbps and 320 watts respectively. On the other hand, the RTX 3070 Ti will feature the GA104–400 GPU and will utilize the PG141-SKU10 board. The Ampere GPU will sport 6144 CUDA cores or 48 SMs. It will also feature 8GB of GDDR6X memory, which is an upgrade over the GDDR6 memory on the RTX 3070 non-Ti model. It is also likely to retain the 256-bit memory bus. The RTX 3070 Ti is expected to have a TGP of around 250–275W and pin speeds of 19 Gbps, just like the GeForce RTX 3080 and the RTX 3080 Ti. Both the RTX 3080 Ti and RTX 3070 Ti graphics cards will have “Lite Hash Rate” or “LHR” enabled.

Source — https://www.techworm.net/2021/05/nvidia-geforce-rtx-3080ti-and-3070ti.html

The FBI revealed that foreign hackers compromised the network of a local US municipal government by exploiting flaws in an unpatched Fortinet VPN.

The Federal Bureau of Investigation (FBI) reported that an APT group breached the network of a local US municipal government by exploiting vulnerabilities in an unpatched Fortinet VPN. “The FBI is continuing to warn about Advanced Persistent Threat (APT) actors exploiting Fortinet vulnerabilities. As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.” reads the alert issued by the FBI. The feds uncovered the attack in May 2021; government experts reported that the threat actors likely created an account with the username “elie” to gain persistence on the network. In April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) had already warned of attacks carried out by APT groups targeting Fortinet FortiOS servers using multiple exploits. The alert published by the FBI provides technical details about the attack against the US municipal government. Experts noticed that the APT group established new user accounts that look similar to other existing accounts on the network. The threat actors may also have made modifications to the Task Scheduler that may display as unrecognized scheduled tasks or “actions.” In the attack analyzed by the experts, the hackers created a “SynchronizeTimeZone” task.
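The two indicators the alert describes, account names that resemble existing ones and scheduled tasks nobody recognises, lend themselves to a simple correlation check. The following is an added example for defenders, not code from the FBI alert or the article. The event records, the host name and the baseline of known accounts and tasks are constructed for the demo; the Windows Security event IDs 4720 (user account created) and 4698 (scheduled task created) are real, and the names “elie” and “SynchronizeTimeZone” are the ones the alert mentions.

```python
"""Flag lookalike account creations and unrecognised scheduled tasks.

Added example. Input is a list of simplified event tuples modelled on
Windows Security event IDs 4720 (user account created) and 4698
(scheduled task created); real logs would be parsed from EVTX/XML first.
"""
import difflib
from dataclasses import dataclass

# Constructed sample events: (event_id, host, subject_user, object_name)
SAMPLE_EVENTS = [
    (4720, "WEB01", "SYSTEM", "svc_backup"),         # constructed: ordinary new account
    (4720, "WEB01", "SYSTEM", "elie"),               # username from the FBI alert
    (4720, "WEB01", "Administrator", "jsmith2"),     # constructed: resembles "jsmith"
    (4698, "WEB01", "elie", "SynchronizeTimeZone"),  # task name from the FBI alert
    (4698, "WEB01", "SYSTEM", "GoogleUpdateTaskMachineUA"),  # constructed baseline task
]

# Constructed baseline: accounts and tasks that existed before this window.
KNOWN_ACCOUNTS = {"Administrator", "jsmith", "ellie"}
KNOWN_TASKS = {"GoogleUpdateTaskMachineUA"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    host: str
    name: str
    reason: str


def lookalike(name, known, threshold=0.8):
    """Return the known name that `name` most resembles, or None.

    Uses difflib's similarity ratio (2*matches/total length), so "elie" vs
    "ellie" scores 0.89 and "jsmith2" vs "jsmith" scores 0.92. An exact
    (case-insensitive) match is an existing account, not a lookalike.
    """
    best, best_ratio = None, 0.0
    for candidate in known:
        if candidate.lower() == name.lower():
            continue
        ratio = difflib.SequenceMatcher(None, name.lower(), candidate.lower()).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= threshold else None


def analyse(events, known_accounts=KNOWN_ACCOUNTS, known_tasks=KNOWN_TASKS):
    """Return findings for lookalike account creations and unexpected tasks."""
    findings = []
    created = set()  # accounts created within this batch, used for correlation
    for event_id, host, subject, obj in events:
        if event_id == 4720:
            created.add(obj)
            twin = lookalike(obj, known_accounts)
            if twin is not None:
                findings.append(Finding(event_id, host, obj,
                                        f"new account resembles existing '{twin}'"))
        elif event_id == 4698 and obj not in known_tasks:
            reason = "scheduled task not in baseline"
            if subject in created:
                reason += f"; created by account '{subject}' added in the same window"
            findings.append(Finding(event_id, host, obj, reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host} event {f.event_id} {f.name!r}: {f.reason}")
```

The similarity threshold of 0.8 is a starting point; on a real estate the baseline sets should come from the directory and the task scheduler inventory, and the correlation between a freshly created account and the task it registers is usually the more reliable signal than either event on its own.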

Source — https://securityaffairs.co/wordpress/118338/apt/fortinet-vpn-us-municipal-government.html

How Hackers Steal Web Session Cookies From Facebook in Chrome?

As a lover of cookies, I’d certainly notice if someone stole a chocolate chip cookie from me. Keeping a close eye on browser cookies is not nearly as tasty and is certainly overlooked. I will show you how your cookies work and a few things you can do to keep yourself protected. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. One of the 15 Credential Access attack techniques they specifically call out is Stealing Web Session Cookies. Cookies are simply small pieces of data your web browser uses for a better web surfing experience. Cookies are stored in memory and on the hard drive of your computer. They provide a website with a method to remember what you’ve done in the past. It is literally just a small text file that is encrypted with DPAPI. The beautiful thing about a web session cookie is that you can click the “keep me logged in” button. When you leave Facebook’s website and come back, there is no need to be inconvenienced with entering your username and password. At face value, cookies seem awesome, and they are, but like anything, there is a risk associated with ease of access. Someone could steal your session cookies and log in from another browser, without knowing your actual password, for as long as that session cookie is valid. First off, let’s take a quick look at where your cookies are stored. If you go to Facebook.com in Chrome, you can hit Ctrl + Shift + I, and this will open the Developer tools. Click on Application along the top, and you’ll find Cookies listed under Storage on the left side, where you’ll click on https://www.facebook.com. You are now looking at your cookies, and Facebook uses these values to know how to deliver a richer surfing experience. Since we’re talking security, let’s focus on 2 cookies listed as c_user and xs. Your User ID is the value under c_user, and xs is the session secret. The combination of these 2 cookies lets Facebook’s website know whether you are logged in or not.
If you clicked the remember me check box when you logged in, the session secret cookie would stay the same for the next 90 days. Knowing this info, we can copy and paste the c_user and xs info, as I’ve done in Notepad. Moving to another browser, you see we are not currently logged in. We open the developer tools, and you see there is no c_user or xs cookie listed. Since we saved our User ID (the c_user) and our Session Secret (the xs) when we did the copy-paste, we’ll simply add the Name and Value in. We can close the developer tools, hit browser refresh, and we’ve now logged in without using a username or password. Pretty cool and kind of creepy.
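What makes the copied xs cookie so valuable in the walkthrough above is that the server trusts it for 90 days and cannot tell one browser from another. The server-side controls that shrink that window are a short absolute lifetime, an idle timeout, rotation of the session id after login, a “log out everywhere” revocation, and the HttpOnly/Secure/SameSite attributes on the Set-Cookie header. The following is an added example of those controls, not code from the article and not what Facebook or Chrome actually does: the SessionStore class, the cookie name “xs” (borrowed from the article), and the TTL values are all assumptions for the demo. It uses only the Python standard library (3.8 or newer, for SameSite support in http.cookies).

```python
"""Server-side session handling that limits what a copied session cookie is worth.

Added example (not from the article): an in-memory SessionStore with an absolute
lifetime, an idle timeout, rotation after login and revoke-all, plus a builder and
an auditor for the Set-Cookie attributes. The cookie name "xs" mirrors the article;
the TTL values are assumed policy. Requires Python 3.8+ (SameSite in http.cookies).
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 8 * 3600   # absolute lifetime in seconds (assumed policy)
IDLE_TTL = 30 * 60       # idle timeout in seconds (assumed policy)


class SessionStore:
    """Maps opaque session ids to user ids; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # sid -> {"user": ..., "created": t, "last_seen": t}

    def create(self, user_id):
        # 256 bits from the OS CSPRNG: the id itself carries no user data.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user_id, "created": t, "last_seen": t}
        return sid

    def validate(self, sid):
        """Return the user id for a live session, or None (and drop it) if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > SESSION_TTL or t - s["last_seen"] > IDLE_TTL:
            self.revoke(sid)
            return None
        s["last_seen"] = t
        return s["user"]

    def rotate(self, sid):
        """Issue a fresh id for the same user (call after login or a privilege change)."""
        user = self.validate(sid)
        if user is None:
            return None
        self.revoke(sid)
        return self.create(user)

    def revoke(self, sid):
        self._sessions.pop(sid, None)

    def revoke_all(self, user_id):
        """Log the user out everywhere, e.g. after a password change. Returns the count."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def set_cookie_header(sid, max_age=SESSION_TTL):
    """Build the Set-Cookie value with the attributes that blunt cookie theft."""
    c = SimpleCookie()
    c["xs"] = sid
    c["xs"]["httponly"] = True      # not readable by page JavaScript
    c["xs"]["secure"] = True        # never sent over plain HTTP
    c["xs"]["samesite"] = "Lax"     # not attached to cross-site POSTs
    c["xs"]["path"] = "/"
    c["xs"]["max-age"] = max_age    # expires together with the server-side session
    return c["xs"].OutputString()


def audit_set_cookie(header):
    """Return the hardening attributes missing from a Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    return [name for key, name in (("httponly", "HttpOnly"), ("secure", "Secure"),
                                   ("samesite", "SameSite")) if key not in attrs]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("user123")
    print(set_cookie_header(sid))
    print("missing:", audit_set_cookie("xs=abc; Path=/"))
```

None of this stops a cookie that has already been copied out of DevTools from working inside its idle window, because the server genuinely cannot distinguish the second browser from the first. What the store does is cap how long such a copy stays useful and give the account owner a single action (revoke_all) that invalidates every outstanding copy at once.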

Source — https://gbhackers.com/how-hackers-steal-web-session-cookies-from-facebook-in-chrome/

Over 50,000 IPs Across Multiple Kubernetes Clusters Were Compromised by The TeamTNT Threat Actors

The cybersecurity researchers of Trend Micro have recently detected a new attack in which the cryptojacking group TeamTNT compromised over 50,000 IPs across various Kubernetes clusters. Kubernetes is one of the most popular open-source container-orchestration platforms, used for automating the deployment, scaling and management of containerized applications. Kubernetes has always been an attractive target for threat actors because clusters are so often misconfigured, particularly those running in cloud environments with access to practically unlimited resources. After a long investigation, the researchers at Trend Micro managed to collect a file from the threat actors’ servers. The file is named kube.lateral.sh and, according to the experts, has a very low detection rate on VirusTotal. To set up the environment, the hackers first disable the bash history of the targeted host. The script is then used to install the crypto miner, namely the XMRig Monero miner binary, along with two tools: the network scanning tool masscan, developed in C, and the deprecated banner-grabbing tool Zgrab, developed in Go. Moreover, the script carries a large base64-encoded block that installs an IRC bot written in C, based on the well-known IRC bot Kaiten. Finally, the experts noticed the function kube_pwn() at the end of the script. This function uses masscan to check whether any hosts have port 10250 open. The kubelet is not something that should be running in application pods; it runs on the control plane and on the nodes of a cluster. The kubelet is the agent that runs on every node to ensure that the containers of each Pod are running.

As noted above, the kube_pwn() function lists all the pods currently running inside the node, in JSON format. To run commands in those pods it takes advantage of the /run endpoint of the kubelet API. For the threat actors, Exploit Public-Facing Applications (T1190) is one of the entry points: an RBAC misconfiguration or a vulnerable cluster version allows the attackers to take over any organization’s cluster. One can easily check from an external IP by querying the API server, which will show whether the API is exposed or not. The number of targets keeps growing, as this is not the first case of cryptojacking, which is why the experts are doing their best to monitor these attacks.
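The kube_pwn() routine only works when the kubelet on port 10250 accepts requests without credentials and then authorises them, so the defender-side check is the kubelet’s own authentication and authorization settings (and whether the unauthenticated read-only port is still on). The following is an added example, not Trend Micro’s code or anything from the script they analysed: a small auditor for a KubeletConfiguration loaded as a dict, with a constructed weak configuration beside its hardened form. The audit_kubelet_config function, the finding codes and both sample configurations are assumptions for the demo; the configuration keys themselves (authentication.anonymous.enabled, authentication.webhook.enabled, authorization.mode, readOnlyPort) are the real KubeletConfiguration fields.

```python
"""Audit a KubeletConfiguration for the settings that let an unauthenticated
caller use the kubelet API on port 10250 (and the unauthenticated read-only port).

Added example, not Trend Micro's code. It assumes the kubelet config file
(normally /var/lib/kubelet/config.yaml) has already been loaded into a dict
with a YAML parser; the two configs below are constructed for the demo.
"""

WEAK_KUBELET_CONFIG = {                      # constructed "before"
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True},
                       "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

HARDENED_KUBELET_CONFIG = {                  # constructed "after"
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}

# Finding codes and what each one means for the attack path described above.
DESCRIPTIONS = {
    "anonymous-auth": "authentication.anonymous.enabled is true: requests with no "
                      "credentials reach the kubelet API",
    "no-webhook-auth": "authentication.webhook.enabled is false: bearer tokens are "
                       "not checked against the API server",
    "always-allow": "authorization.mode is AlwaysAllow: every accepted caller may use "
                    "/pods, /run and /exec",
    "read-only-port": "readOnlyPort is non-zero: pod and node details are served "
                      "without authentication",
}


def audit_kubelet_config(cfg):
    """Return the list of finding codes for one KubeletConfiguration dict.

    Absent keys take the config-file defaults (anonymous off, webhook on,
    mode Webhook, readOnlyPort 0). The legacy kubelet command-line flags
    default the other way (--anonymous-auth=true, --authorization-mode=AlwaysAllow,
    --read-only-port=10255), so flag-driven nodes must be checked separately.
    """
    auth = cfg.get("authentication", {})
    findings = []
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("anonymous-auth")
    if not auth.get("webhook", {}).get("enabled", True):
        findings.append("no-webhook-auth")
    if cfg.get("authorization", {}).get("mode", "Webhook") == "AlwaysAllow":
        findings.append("always-allow")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append("read-only-port")
    return findings


def unauthenticated_exec_possible(cfg):
    """True when anonymous callers are both accepted and authorised, which is
    the combination that lets a remote caller use /run without any credentials."""
    codes = audit_kubelet_config(cfg)
    return "anonymous-auth" in codes and "always-allow" in codes


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        print(f"{label}: exec without credentials = {unauthenticated_exec_possible(cfg)}")
        for code in audit_kubelet_config(cfg):
            print("  -", DESCRIPTIONS[code])
```

Fixing the kubelet settings is the node-level half of the picture; the article’s other entry point, an over-permissive RBAC binding at the API server, needs a separate review of ClusterRoleBindings, and a network policy or security group that keeps port 10250 off the internet removes the masscan step from the equation entirely.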

Source — https://gbhackers.com/over-50000-ips-across-multiple-kubernetes-clusters-were-compromised/

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT
