Sunday, 2 April 2023

Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

 A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally.

"The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families."

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Mandiant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.

Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said "closely overlaps" with RedGolf.

"We have not observed specific victimology as part of the latest highlighted RedGolf activity," Recorded Future said. "However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyber espionage campaigns."

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.

The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.

"RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," the company said.

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG."

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups associated with the threat actor since 2022.

A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.

"There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation," Trend Micro said.








Saturday, 1 April 2023

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk

 Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.

The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22.

"Improved code security enforcement in WooCommerce components," the Tel Aviv-based company said in its release notes. The premium plugin is estimated to be used on over 12 million sites.

Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled.

"This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to the administrator so they can create an account that instantly has the administrator privileges," Patchstack said in an alert of March 30, 2023.

"After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site."

Credited with discovering and reporting the vulnerability on March 18, 2023, is NinTechNet security researcher Jerome Bruandet.

Patchstack further noted that the flaw is currently being abused in the wild by several IP addresses intending to upload arbitrary PHP and ZIP archive files.
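As an added example (not code from Patchstack or Elementor), the Python audit below looks for the outcomes the alert describes: registration switched on with administrator as the default role, administrator accounts created since the 3.11.7 release, and a changed site URL. The option values, user records and site URL are constructed sample data; on a real site they would be read from wp_options and the user tables.

```python
"""Audit a WordPress site for the post-exploitation state described above.

Added example, not from Patchstack or Elementor. The records below are
constructed sample data standing in for wp_options and wp_users rows.
"""
from datetime import datetime, timezone

# Constructed sample of wp_options rows (option_name -> option_value).
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
    "siteurl": "https://evil-redirect.invalid",
    "home": "https://shop.example",
}

# Constructed sample of user accounts with their role and creation time.
SAMPLE_USERS = [
    {"login": "owner", "role": "administrator",
     "registered": datetime(2021, 6, 1, tzinfo=timezone.utc)},
    {"login": "editor1", "role": "editor",
     "registered": datetime(2022, 3, 9, tzinfo=timezone.utc)},
    {"login": "wpuser8812", "role": "administrator",
     "registered": datetime(2023, 3, 29, tzinfo=timezone.utc)},
]

# Release date of the fixed plugin version 3.11.7 (from the advisory);
# administrator accounts created after it deserve a second look.
PATCH_RELEASE = datetime(2023, 3, 22, tzinfo=timezone.utc)


def risky_options(options, expected_url):
    """Return findings for option values the attack is known to change."""
    findings = []
    registration = options.get("users_can_register", "0")
    role = options.get("default_role", "subscriber")
    if registration == "1" and role == "administrator":
        findings.append("registration open with administrator as default role")
    elif role == "administrator":
        findings.append("default_role is administrator")
    # A redirect to another domain shows up as a rewritten siteurl/home.
    for key in ("siteurl", "home"):
        if options.get(key) != expected_url:
            findings.append(f"{key} changed to {options.get(key)!r}")
    return findings


def new_admins(users, since, known_admins):
    """Administrator logins created on or after `since` and not on the known list."""
    return [u["login"] for u in users
            if u["role"] == "administrator"
            and u["registered"] >= since
            and u["login"] not in known_admins]


def audit(options, users, expected_url, known_admins, since):
    """Combine both checks; an empty dict means nothing suspicious was found."""
    report = {}
    option_findings = risky_options(options, expected_url)
    if option_findings:
        report["options"] = option_findings
    admin_findings = new_admins(users, since, known_admins)
    if admin_findings:
        report["new_admins"] = admin_findings
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_OPTIONS, SAMPLE_USERS, "https://shop.example",
                {"owner"}, PATCH_RELEASE))
```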

Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.

The advisory comes over a year after the Essential Addons for Elementor plugin was found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.

Last week, WordPress issued auto-updates to remediate another critical bug in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator access to vulnerable sites.




Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

 Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access.

"One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz said in a report. "Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents."

The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild.

The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.
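As an added example (not Wiz's or Microsoft's code), the check below is what an application can apply to the claims of an already signature-verified Azure AD token so that an app registration which accepts accounts from any Microsoft tenant does not silently admit every tenant. The tenant IDs, audience value and claim sets are constructed.

```python
"""Tenant allow-list check for Azure AD access-token claims.

Added example, not Wiz's or Microsoft's code. It assumes a JWT library has
already verified the token signature and expiry; this function then rejects
tokens issued for tenants the app was never meant to serve.
"""
import re

# v2.0 issuer format; the issuing tenant ID is embedded in the issuer URL.
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/v2\.0$"
)

# Constructed values: the app's own tenant, one partner tenant it
# intentionally serves, a foreign tenant, and the app's audience.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
FOREIGN_TENANT = "33333333-3333-3333-3333-333333333333"
EXPECTED_AUDIENCE = "api://example-internal-cms"
ALLOWED_TENANTS = frozenset({HOME_TENANT, PARTNER_TENANT})


def check_tenant(claims, allowed_tenants=ALLOWED_TENANTS,
                 expected_audience=EXPECTED_AUDIENCE):
    """Return (accepted, reason); only explicitly allow-listed tenants pass."""
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    match = ISSUER_RE.match(claims.get("iss", ""))
    if not match:
        # Anything that is not a tenant-specific Azure AD issuer is refused.
        return False, "issuer is not a tenant-specific Azure AD issuer"
    tid = claims.get("tid")
    if tid != match.group(1):
        # The tid claim must agree with the tenant named in the issuer.
        return False, "tid claim does not match issuer tenant"
    if tid not in allowed_tenants:
        return False, f"tenant {tid} not allowed"
    return True, "ok"


# Constructed claim sets, as a JWT library would return them after verification.
SAMPLE_HOME = {
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
    "tid": HOME_TENANT, "aud": EXPECTED_AUDIENCE, "oid": "user-1",
}
SAMPLE_FOREIGN = {
    "iss": f"https://login.microsoftonline.com/{FOREIGN_TENANT}/v2.0",
    "tid": FOREIGN_TENANT, "aud": EXPECTED_AUDIENCE, "oid": "user-2",
}

if __name__ == "__main__":
    for name, claims in (("home", SAMPLE_HOME), ("foreign", SAMPLE_FOREIGN)):
        print(name, check_tenant(claims))
```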


Interestingly, a number of Microsoft's own internal apps were found to exhibit this behavior, thereby permitting external parties to obtain read and write access to the affected applications.

This includes the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang.

To make matters worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim's Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.

"A malicious actor with the same access could've hijacked the most popular search results with the same payload and leak sensitive data from millions of users," Wiz researcher Hillai Ben-Sasson noted.

Other apps that were found susceptible to the misconfiguration issue include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.

The development comes as enterprise penetration testing firm NetSPI revealed details of a cross-tenant vulnerability in Power Platform connectors that could be abused to gain access to sensitive data.




Friday, 31 March 2023

Cyber Police of Ukraine Busted Phishing Gang Responsible for $4.33 Million Scam

 The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users.

Two of the apprehended affiliates are believed to be organizers, with 10 others detained in other territories across the European Union.

The suspects are alleged to have created more than 100 phishing portals aimed at users in France, Spain, Poland, Czechia, Portugal, and other nations in the region.

These websites masqueraded as online portals offering heavily discounted products below market prices to lure unsuspecting users into placing fake "orders."

In reality, the financial information entered on those websites to complete the payments was used to siphon money from the victims' accounts.

"For the fraudulent scheme, the participants also created two call centers, in Vinnytsia and in Lviv, and involved operators in their work," the Cyber Police said. "Their role was to convince customers to make purchases."

The nefarious scheme is estimated to have duped over 1,000 individuals, earning the operators approximately $4.33 million in illicit profits.

As part of the probe, law enforcement authorities carried out over 30 searches and confiscated mobile phones, SIM cards, and computer equipment used to carry out the activities.

Criminal proceedings have been initiated against the perpetrators, who may face a maximum sentence of up to 12 years in prison.





Tuesday, 21 February 2023

The Future of Network Security: Predictive Analytics and ML-Driven Solutions

 As the digital age evolves and continues to shape the business landscape, corporate networks have become increasingly complex and distributed. The amount of data a company collects to detect malicious behavior constantly increases, making it challenging to detect deceptive and unknown attack patterns and the so-called "needle in the haystack". With a growing number of cybersecurity threats, such as data breaches, ransomware attacks, and malicious insiders, organizations are facing significant challenges in successfully monitoring and securing their networks. Furthermore, the talent shortage in the field of cybersecurity makes manual threat hunting and log correlation a cumbersome and difficult task. To address these challenges, organizations are turning to predictive analytics and Machine Learning (ML) driven network security solutions as essential tools for securing their networks against cyber threats and the unknown bad.

The Role of ML-Driven Network Security Solutions

ML-driven network security solutions in cybersecurity refer to the use of self-learning algorithms and other predictive technologies (statistics, time analysis, correlations etc.) to automate various aspects of threat detection. The use of ML algorithms is becoming increasingly popular for scalable technologies due to the limitations present in traditional rule-based security solutions. This results in the processing of data through advanced algorithms that can identify patterns, anomalies, and other subtle indicators of malicious activity, including new and evolving threats that may not have known bad indicators or existing signatures.

Detecting known threat indicators and blocking established attack patterns is still a crucial part of overall cyber hygiene. However, traditional approaches using threat feeds and static rules can become time-consuming when it comes to maintaining and covering all the different log sources. In addition, Indicators of Attack (IoA) or Indicators of Compromise (IoC) may not be available at the time of an attack or are quickly outdated. Consequently, companies require other approaches to fill this gap in their cybersecurity posture.

In summary, the mentioned drawbacks of rule-based security solutions highlight the significance of taking a more holistic approach to network security, which should nowadays include ML-powered Network Detection and Response (NDR) solutions to complement traditional detection capabilities and preventive security measures.


The Benefits of ML for Network Security

So, how is Machine Learning (ML) shaping the future of network security? The truth is that ML-powered security solutions are bringing about a significant transformation in network security by providing security teams with numerous benefits and enhancing the overall threat detection capabilities of organizations:

  • Big data analytics: With the ever-increasing amount of data and different log sources, organizations must be able to process vast amounts of information in real time, including network traffic logs, endpoints, and other sources of information related to cyber threats. In this regard, ML algorithms can aid in the detection of security threats by identifying patterns and anomalies that may otherwise go unnoticed. Consequently, the ability and flexibility of a solution to incorporate different log sources should be a key requirement for threat detection capabilities.
  • Automated analysis of anomalous behavior: AI enables a much-required health monitoring of network activity by utilizing the analysis of normal network traffic as a baseline. With the help of automated correlation and clustering, outliers and unusual behavior can be detected, reducing the need for manual detection engineering and threat hunting. Key questions to be answered include "what is the activity of other clients in the network?" and "is a client's behavior in line with its own previous activities?" These approaches allow for the detection of unusual behaviors like domain-generated algorithms (DGA) domains, volume-based irregularities in network connections, and unusual communication patterns (e.g., lateral movement) in the network. Therefore, comparing a client's current behavior with that of their peers serves as a suitable baseline for identifying subtle anomalies.
  • Detect unknown attacks in real-time: While it is relatively easy to directly detect known bad indicators (specific IP addresses, domains, etc.), many attacks can go undetected when these indicators are not present. If that is the case, statistics, time, and correlation-based detections are of enormous value to detect unknown attack patterns in an automated manner. By incorporating algorithmic approaches, traditional security solutions based on signatures and indicators of compromise (IoC) can be enhanced to become more self-sufficient and less reliant on known malware indicators.
  • Self-learning detection capabilities: ML-driven solutions learn from past events in order to continuously improve their threat detection capabilities, threat scoring, clustering, and network visualizations. This may involve training the algorithms themselves or adjusting how information is presented based on feedback from analysts.
  • Enhance Incident Response: By learning from an analyst's past incident response activities, ML can automate certain aspects of the incident response process, minimizing the time and resources required to address a security breach. This can involve using algorithms to analyze text and evidence, identifying root causes and attack patterns.
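As an added example (not ExeonTrace's algorithms), the Python below demonstrates two of the techniques the list above describes on constructed connection records: a peer baseline in which each client's connection volume is compared against the other clients, and a heuristic score for domain names that look machine-generated, as DGA domains do. The flow records, hostnames and thresholds are all constructed.

```python
"""Peer-baseline volume outliers and DGA-style domain scoring over flow logs.

Added example, not ExeonTrace's code. The records are constructed
(client, destination_domain) pairs standing in for connection logs.
"""
import math
import statistics
from collections import Counter

# Constructed sample: four workstations with ordinary activity and one
# (ws-05) that talks to a random-looking domain sixty times.
SAMPLE_FLOWS = (
    [("ws-01", "mail.corp.example")] * 10
    + [("ws-02", "sharepoint.corp.example")] * 12
    + [("ws-03", "mail.corp.example")] * 9
    + [("ws-04", "intranet.corp.example")] * 11
    + [("ws-05", "xk7qz2p9wvb3.example")] * 60
)


def connection_counts(flows):
    """Number of connections per client."""
    return Counter(client for client, _ in flows)


def peer_outliers(counts, z_threshold=3.0):
    """Clients whose connection count is a z-score outlier against their peers.

    The baseline for each client is built from the other clients only
    (leave-one-out), so a noisy host does not inflate its own baseline.
    """
    outliers = []
    for client, count in counts.items():
        peers = [c for other, c in counts.items() if other != client]
        if len(peers) < 2:
            continue  # not enough peers for a standard deviation
        mean = statistics.mean(peers)
        sd = statistics.stdev(peers)
        if sd == 0:
            continue
        z = (count - mean) / sd
        if z >= z_threshold:
            outliers.append((client, round(z, 1)))
    return outliers


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    freq = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def looks_dga(domain, min_len=10, min_entropy=3.5):
    """Heuristic: a long, high-entropy label with many digits or few vowels."""
    labels = domain.lower().split(".")[:-1]  # ignore the last label (TLD)
    for label in labels:
        if len(label) < min_len or shannon_entropy(label) < min_entropy:
            continue
        digits = sum(ch.isdigit() for ch in label) / len(label)
        vowels = sum(ch in "aeiou" for ch in label) / len(label)
        if digits >= 0.2 or vowels < 0.2:
            return True
    return False


def analyse(flows):
    """Run both detections and return the findings."""
    counts = connection_counts(flows)
    suspicious = sorted({d for _, d in flows if looks_dga(d)})
    return {"volume_outliers": peer_outliers(counts),
            "dga_like_domains": suspicious}


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```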

Example of an ML-driven Network Security Solution

When it comes to ML-driven Network Detection & Response (NDR) solutions that incorporate the outlined benefits, ExeonTrace stands out as a leading network security solution in Europe. Based on award-winning ML algorithms, which incorporate a decade of academic research, ExeonTrace provides organizations with advanced ML threat detection capabilities, complete network visibility, flexible log source integration, and big data analytics. In addition, the algorithms rely on metadata analysis instead of actual payloads which makes them unaffected by encryption, completely hardware-free, and compatible with most cybersecurity infrastructures. As a result, ExeonTrace is able to process raw log data into powerful graph databases, which are then analyzed by supervised and unsupervised ML models. Through correlation and event fusion, the algorithms can accurately pinpoint high-fidelity anomalies and subtle cues of malicious behavior, even when dealing with novel or emerging cyber threats that may lack established signatures or known malicious indicators.

Conclusion

As the threat of cyber-attacks becomes increasingly complex, organizations must go beyond traditional security measures to protect their networks. As a result, many companies are now turning to Machine Learning (ML) and predictive analytics to strengthen their security defenses. In this regard, ML-driven Network Detection & Response (NDR) solutions, such as ExeonTrace, are designed to help organizations stay ahead of the ever-evolving threat landscape. By utilizing advanced ML algorithms that analyze network traffic and application logs, ExeonTrace offers organizations quick detection and response to even the most sophisticated cyberattacks.





Tuesday, 20 September 2022

Web Development Services

 Full-cycle website design and development 


Creating a website from scratch, including requirements gathering, design, implementation, quality assurance as well as maintenance and support. 

Redesign

Porting your legacy website, including all the data, to a new, modern solution (it can be another content management system) with a slick and responsive user interface. 

Web application development and integration

Enriching your website with out-of-the-box and custom social networking apps, payment solutions, advanced analytics, and other tools to increase user engagement. 

Migration to the cloud 

Moving your existing website and applications to Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, and other cloud services to improve scalability and administration and lessen costs.

Maintenance and support

Creating new features and fixing bugs; 
Enhancing scalability and performance to welcome the growing number of visitors and data;
Improving the website structure to better address user demand; 
Increasing compliance with SEO standards for advanced content marketing strategies; 
Performing security audits and updates to protect data and users.


Mobile-driven development

Adapting your website for mobile phones and tablets of all platforms and screen sizes as well as using the portal as a back-end for a mobile app.

A Scripting Language

Scripting languages are interpreted by another program at runtime (no need for compilation). Scripting languages can either be interpreted server-side or client-side (in the browser).

Server-Side

PHP is a server-side scripting language, processed by a PHP interpreter on a web server; the result (the output) is sent to the web browser as plain HTML.

Open-Source

PHP is freely available to download and use. 

Object-Oriented


Object-Oriented Programming (OOP) leverages the concept of “objects” to contain data and functions to help build more complex, reusable web applications. OOP was added to PHP5. 

Fast 

PHP uses its own memory, minimizing server workload and increasing performance. PHP can be up to 382% faster than Python and 195% faster than Ruby. 

Simple 

The PHP syntax is easily understood and learned, whether you’re building from scratch or leveraging existing frameworks or add-ons. 

Well Supported

PHP supports all leading databases (MySQL, SQLite, ODBC), is compatible with most servers (Apache, IIS, etc), is portable across all platforms (Windows, Mac OS, Linux, etc), and can be further supported by PHP frameworks (Laravel, CodeIgniter, Symfony) and many well-stocked and vetted libraries. 

Why Choose PHP?

For more than a decade, we’ve seen articles that ask, “Is PHP Dead?,” with competitors such as JavaScript hoping to take its place. Over the years, PHP has held its dominant spot as the backbone to 80% of websites, give or take a few percentage points — a sign that PHP is here to stay. And there’s a very good reason why.

While PHP is an older programming language lacking some of the features of newer programming languages, it has continued to evolve. With that evolution comes a level of maturity: PHP is well-documented, well-supported, and easy to use.

PHP developers have access to rich frameworks, databases, and libraries to support their work, with the flexibility to set up on any Linux, Windows, or Unix OS. Most web hosting providers offer PHP, and, when it comes to cost, PHP often comes out ahead in both development time as well as overall cost to run and maintain. As an efficient language, PHP is able to deliver on the high-performance times demanded by today’s consumers. 


During your product development planning, PHP often comes out ahead because its APIs are well documented. Your PHP-based website can easily be integrated with all CMS programs and add-ons to create dynamic, interactive, feature-rich experiences. 

You should choose PHP for your website, eCommerce marketplace, or application if you want a language that is:


Flexible 

Compatible 

Scalable 

Secure

High-Performing 

Affordable

Well-Supported

Easy to Maintain

Easy to Find Developers


Contact Us: 03342981124

Email: Info@5starcybersecurity.Com



Tuesday, 16 August 2022

Ransomware and how can you defend your business from it

 Ransomware is a kind of malware used by cybercriminals to stop users from accessing their systems or files; the cybercriminals then threaten to leak, destroy or withhold sensitive information unless a ransom is paid.

Ransomware attacks can target either the data held on computer systems (known as locker ransomware) or devices (crypto-ransomware). In both instances, once a ransom is paid, threat actors typically provide victims with a decryption key or tool to unlock their data or device, though this is not guaranteed.

Oliver Pinson-Roxburgh, CEO of Defense.com, the all-in-one cybersecurity platform, shares knowledge and advice in this article on how ransomware works, how damaging it can be, and how your business can mitigate ransomware attacks from occurring.

What a ransomware attack comprises

There are three key elements to a ransomware attack:

Access: In order to deploy malware to encrypt files and gain control, cybercriminals need to initially gain access to an organization's systems.

Trigger: The attackers have control of the data as soon as the malicious software is activated. The data is encrypted and no longer accessible by the targeted organization.

Demand: The victims will receive an alert that their data is encrypted and cannot be accessed until a ransom is paid.


What is the cost of being targeted by ransomware?

The average pay-out from ransomware attacks has risen from $312,000/£260,000 in 2020 to $570,000/£476,000 in 2021 – an increase of 83%. One report also showed that 66% of organisations surveyed were victims of ransomware attacks in 2021, nearly double that of 2020 (37%). This highlights the need for businesses to understand the risks and implement stronger defenses to combat the threats.

Ransomware continues to rank amongst the most common cyberattacks in 2022, due to its lucrative nature and fairly low level of effort required from the perpetrators. This debilitating attack causes an average downtime of 3 weeks and can have major repercussions for an organization, for its finances, operations and reputation.

Because there is no guarantee that cybercriminals will release data after a ransom is paid, it is crucial to protect your data and keep offline backups of your files. It's also very important to proactively monitor and protect entry points that a hacker may exploit, to reduce the possibility of being targeted in the first place.

Who is at risk of being a target of ransomware?

In the past, cybercriminals have typically targeted high-profile organizations, large corporations and government agencies with ransomware. This is known as 'big game hunting' and works on the premise that these companies are far more likely to pay higher ransoms and avoid unwanted scrutiny from the media and public. Certain organizations, such as hospitals, are higher-value targets because they are far more likely to pay a ransom and to do so quickly because they need access to important data urgently.

However, ransomware groups are now shifting their focus to smaller businesses, in response to increased pressure from law enforcement who are cracking down on well-known ransomware groups such as REvil and Conti. Smaller companies are seen as easy targets that may lack effective cybersecurity defenses to prevent a ransomware attack, making it easier to penetrate and exploit them.

Ultimately, threat actors are opportunists and will consider most organizations as targets, regardless of their size. If a cybercriminal notices a vulnerability, the company is fair game.

How is ransomware deployed?

Phishing attacks

The most common delivery method of ransomware is via phishing attacks. Phishing is a form of social engineering and is an effective method of attack as it relies on deceit and creating a sense of urgency. Threat actors trick employees into opening suspicious attachments in emails and this is often achieved by imitating either senior-level employees or other trusted figures of authority.

Malvertising

Malicious advertising is another tactic used by cybercriminals to deploy ransomware, where ad space is purchased and infected with malware that is then displayed on trusted and legitimate websites. Once the ad is clicked, or even in some cases when a user accesses a website that's hosting malware, that device is infected by malware that scans the device for vulnerabilities to exploit.

Exploiting vulnerable systems

Ransomware can also be deployed by exploiting unpatched and outdated systems, as was the case in 2017, when a security vulnerability in Microsoft Windows, EternalBlue (MS17-010), led to the global WannaCry ransomware attack that spread to over 150 countries.

It was the biggest cyberattack to hit the NHS: it cost £92m in damages plus the added costs of IT support restoring data and systems affected by the attack, and it directly impacted patient care through cancelled appointments.

Four key methods to defend your business against ransomware

It is crucial that businesses are aware of how a ransomware attack may affect their organization, and how they can prevent cybercriminals from breaching their systems and holding sensitive data to ransom. Up to 61% of organizations with security teams consisting of 11–25 employees are said to be most concerned about ransomware attacks.

The NHS could have avoided being impacted by the WannaCry ransomware attack in 2017 by heeding warnings and migrating away from outdated software, ensuring strategies were in place to strengthen their security posture.

It's essential that your business takes a proactive approach to cybersecurity by implementing the correct tools to help monitor, detect, and mitigate suspicious activity across your network and infrastructure. This will reduce the number and impact of data breaches and cyberattacks.

Defense.com recommends these four fundamental tactics to help prevent ransomware attacks and stay one step ahead of the hackers:

1 — Training

Cybersecurity awareness training is pivotal for businesses of all sizes as it helps employees to spot potentially malicious emails or activity.

Social engineering tactics, such as phishing and tailgating, are common and successful due to human error and employees not spotting the risks. It's vital for employees to be vigilant around emails that contain suspicious links or contain unusual requests to share personal data, often sent by someone pretending to be a senior-level employee.

Security training also encourages employees to query visitors to your offices to prevent ransomware attacks via physical intrusion.

Implementing cybersecurity awareness training will help your business routinely educate and assess your employees on fundamental security practices, ultimately creating a security culture to reduce the risk of data breaches and security incidents.

2 — Phishing simulators

These simulator tools support your security awareness training by delivering fake but realistic phishing emails to employees. Understanding how prone your staff are to falling for a real cybercriminal's tactics allows you to fill gaps in their training.

When you combine phishing simulators with security training, your organization can lessen the chance of falling victim to a ransomware attack. The combination of training and testing puts you in a better position to prevent the cunning attempts of cybercriminals to infiltrate your IT systems and plant malware.

3 — Threat monitoring

You can make your business less of a target for cybercriminals by actively monitoring potential threats. Threat Intelligence is a threat monitoring tool that collates data from various sources, such as penetration tests and vulnerability scans, and uses this information to help you defend against potential malware and ransomware attacks. This overview of your threat landscape shows which areas are most at risk of a cyberattack or a data breach.

Being proactive ensures you stay one step ahead of hackers and by introducing threat monitoring tools to your organization, you ensure any suspicious behaviour is detected early for remediation.

4 — Endpoint protection

Endpoint protection is key to understanding which of your assets are vulnerable, to help protect them and repel malware attacks like ransomware. More than just your typical antivirus software, endpoint protection offers advanced security features that protect your network, and the devices on it, against threats such as malware and phishing campaigns.

Anti-ransomware capabilities should be included in endpoint protection so it can effectively prevent attacks by monitoring suspicious behaviour such as file changes and file encryption. The ability to isolate or quarantine any affected devices can also be a very useful feature for stopping the spread of malware.

This article is written and contributed by Oliver Pinson-Roxburgh, CEO at Defense.com.


