Hackers Abuse Windows Error Reporting Tool to Deploy Malware
- Hackers, potentially based in China, are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool to load malware into a compromised system’s memory using a dynamic link library (DLL) sideloading technique. The goal of this technique is to masquerade as a legitimate Windows process and then load a remote access trojan (RAT), with the Pupy RAT being used in this instance.
- The DLL masquerades as a legitimate component of an executable signed by Microsoft. However, the malicious DLL contains additional code for the malware’s next stage, making it hard to detect automatically.
- In this specific instance, the malware campaign starts with the arrival of an email with an ISO attachment. When clicked, the ISO will mount itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file (‘faultrep.dll’), an XLS file (‘File.xls’), and a shortcut file (‘inventory & our specialties.lnk’). From there, the victim continues the infection process by clicking the shortcut file and running the executable.
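One defensive angle on the WerFault.exe sideloading described above: a legitimate WerFault.exe loads faultrep.dll from the Windows system directory, so a copy of WerFault.exe loading faultrep.dll from anywhere else (such as a freshly mounted ISO drive letter) is worth flagging. The following is an added detection example, not code from the article or the report it summarizes; it assumes a constructed Sysmon-style image-load log format and invents its own sample lines.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample image-load events (Sysmon Event ID 7 style); not real telemetry.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\WerFault.exe | ImageLoaded: C:\Windows\System32\faultrep.dll | Signed: true",
    r"Image: E:\WerFault.exe | ImageLoaded: E:\faultrep.dll | Signed: false",
    r"Image: C:\Windows\SysWOW64\WerFault.exe | ImageLoaded: C:\Windows\SysWOW64\faultrep.dll | Signed: true",
    r"Image: C:\Windows\System32\notepad.exe | ImageLoaded: C:\Windows\System32\kernel32.dll | Signed: true",
]

# Directories from which the genuine faultrep.dll is expected to be loaded.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

EVENT_RE = re.compile(
    r"Image: (?P<image>[^|]+?) \| ImageLoaded: (?P<dll>[^|]+?) \| Signed: (?P<signed>\w+)"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"image": m["image"], "dll": m["dll"], "signed": m["signed"].lower() == "true"}


def is_suspicious_werfault_load(ev):
    """True when WerFault.exe loads a faultrep.dll that is unsigned or outside the system directories."""
    image = PureWindowsPath(ev["image"])
    dll = PureWindowsPath(ev["dll"])
    if image.name.lower() != "werfault.exe" or dll.name.lower() != "faultrep.dll":
        return False
    dll_dir = str(dll.parent).lower()
    # A sideloaded DLL sits next to the copied executable, e.g. on a mounted ISO, not in System32.
    return dll_dir not in TRUSTED_DIRS or not ev["signed"]


def find_sideload_candidates(lines):
    """Return the DLL paths from all events that look like WerFault.exe sideloading."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_suspicious_werfault_load(ev):
            hits.append(ev["dll"])
    return hits


if __name__ == "__main__":
    for dll_path in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible WerFault.exe sideload:", dll_path)
```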
Windows 7 to Stop Receiving Extended Security Updates on Tuesday
- Windows 7 Professional and Enterprise editions will no longer receive extended security updates for critical and important vulnerabilities starting Tuesday, January 10, 2023. Additionally, Windows 8.1 will reach the end of service on Tuesday as well.
- Before trying to update to a newer version of Windows, Microsoft encourages users to keep in mind that most Windows 7 devices won’t meet Windows 11 hardware requirements and Windows 10 is set to reach its end of support date in 2025.
- According to Statcounter Globalstats, Windows 7 runs on over 11% of Windows systems worldwide and Windows 8.1 is used by 2.59% of Microsoft customers.
Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub
- According to Palo Alto’s Unit 42, a South African threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create thousands of accounts on GitHub and other cloud resource platforms. These accounts then use free cloud resources to perform crypto mining operations for free.
- The threat actors take advantage of legitimate tools like xdotool, which simulates mouse and keyboard input, and ImageMagick, which converts CAPTCHA images to their RGB complements; the values read from the converted images are then used to bypass the CAPTCHAs.
- Unit 42 highlighted that the group was able to make 3 to 5 accounts every minute, with a total of 130,000 fake accounts created across GitHub, Heroku, and Togglebox.
- Link to Unit 42’s full report: https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
Data Backup is no Longer Just About Operational Fallback
- Data backup has traditionally been in the operational domain of IT, while security teams have been responsible for threats to data from attacks. As these attacks have become more sophisticated, backups have come under threat and vendors have had to incorporate new features into their software to address attacks and protect data.
- With advances in the world of data backups, navigating between different providers can be challenging. As a result, researchers from Info-Tech Research Group suggest considering the following features in backup solutions: Continuous data protection (CDP), a zero-trust framework, air gapping, disaster recovery orchestration, threat prevention & detection, all the other cloud, and cloud to cloud.
FCC Wants Telecom Carriers to Report Data Breaches Faster
- The U.S. Federal Communications Commission (FCC) wants to strengthen federal law enforcement’s role and modernize breach notification requirements for telecommunications companies so that they notify customers of security breaches faster. The current ruleset was developed in 2007.
- The FCC intends to review the current rules and update them to better suit the ever-evolving threat landscape. Specifically, this includes reviewing the “outdated” seven business day mandatory customer breach notification wait time, clarifying the overarching rules pertaining to consumer breach notifications by carriers, and requiring that all breaches that require notification be reported to the FCC, FBI, and U.S. Secret Service.
- The move to update the rules derives from a string of telecom data breaches, including several occurring at AT&T prior to 2016, at least seven at T-Mobile since 2018, and breaches at Verizon and Comcast Xfinity in late 2022.
- Link to the FCC’s full news release: https://www.fcc.gov/document/fcc-proposes-updated-data-breach-reporting-requirements
How to Start Planning for Disaster Recovery
- In the majority of incident response work, recovery costs as much as identification, containment, and eradication put together. However, the cost in terms of people, stress, and reputational damage is unfathomable. Many organizations try to push the issue of backups onto vendors like Azure or AWS; however, this doesn’t cover every aspect of recovery planning, especially in regard to the responses from HR, PR, Legal, and an organization’s IT team.
- For most organizations, everything is connected to some degree. In other words, a disaster recovery plan won’t just save your business (or job), but will ensure that the hundreds, thousands, and even millions of customers who rely on your business every day can sleep soundly as well.
- It’s important to know that the time to recover varies by organization. As a result, it’s vital to review what resources are at the organization’s disposal during an incident. From there, develop an easy to understand, yet detailed, plan that accounts for all relevant business units.
What Are Some Ways to Make APIs More Secure?
- Businesses of all sizes and across all industries routinely rely on internal and external application programming interfaces (APIs). Likewise, many APIs frequently have access to multiple applications and services across business assets.
- As APIs have become a common tool for businesses to use, they have also grown into a popular attack vector. According to Salt Labs, API attacks have grown by 681% over the past year. OWASP has released recommendations for addressing API risk; however, this is seen as merely a good first step.
- The article highlights four additional practices that can further protect APIs from being compromised. These include adopting risk-based authentication, adding biometric authentication, enforcing authentication externally, and balancing API security with usability.
- Link to Salt Labs report: https://salt.security/api-security-trends
- Link to OWASP’s API best practices: https://owasp.org/www-project-api-security/