Cybersecurity Authorities Share A List of Top Initial Access Attack Vectors
Read also: Conti threatens to overthrow the Costa Rican government, the US warns of risks of hiring North Korean tech workers, and more.
Cybersecurity agencies share a list of top initial access attack vectors
Cybersecurity authorities from the US, UK, Canada, New Zealand, and the Netherlands have compiled a list of attack vectors most commonly exploited by malicious actors to gain initial access to a target network.
The list covers weak security controls, poor configurations, and generally poor security practices: multi-factor authentication not enforced; incorrectly applied privileges or permissions; unpatched software; vendor-supplied default configurations or default login credentials left in place; remote access services and cloud services without sufficient controls; weak passwords; open ports and misconfigured services exposed to the internet; failure to detect or block phishing attempts; and poor endpoint detection and response.
The joint advisory also contains recommended practices that organizations can implement to strengthen their cybersecurity.
Conti ransomware gang raises ransom demand to $20M, threatens to overthrow the Costa Rican government
Conti, the Russian-speaking ransomware gang behind a series of attacks on the Costa Rican government bodies, has upped the ante and is now demanding a $20 million ransom, threatening to overthrow the country’s government “by means of a cyberattack.”
The attack, which took place on April 19, impacted several Costa Rican government agencies, including the Ministry of Finance. On its data leak site, the group claimed to have stolen 670 GB of data, 97% of which it said it had already leaked.
Following the hack, the country’s president Rodrigo Chaves declared a national state of emergency. According to Chaves, the incident affected 27 government institutions, including municipalities and state-run utilities.
55-year-old Venezuelan cardiologist charged with developing and selling Thanos and Jigsaw ransomware
The US Department of Justice has announced criminal charges against a dual citizen of France and Venezuela for allegedly creating, using, and selling ransomware.
According to the authorities, Moises Luis Zagala Gonzalez, a 55-year-old cardiologist from Venezuela, developed multiple ransomware tools, including a ransomware strain called “Jigsaw v.2” and a “private ransomware builder” called “Thanos,” which he marketed on various darknet cybercrime forums.
The Thanos software allowed its users to build their own ransomware. It was advertised for $500 a month with “basic options” or $800 with “full options.” Zagala also ran an affiliate RaaS program and offered tech support to the cybercriminals who bought his products.
If convicted, the man faces up to 10 years in prison.
Hackers are actively exploiting security vulnerabilities in Zyxel Firewalls, Spring Cloud Gateway
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two critical security flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Tracked as CVE-2022-30525, the first bug affects Zyxel’s ATP, VPN and USG FLEX series business firewalls. It is an OS command injection vulnerability that an unauthenticated, remote attacker can exploit to execute arbitrary code as the ‘nobody’ user on affected devices. Experts estimate that at least 16,213 vulnerable devices are exposed on the internet, most of them in Italy, France, the US, Switzerland, and Germany.
The second flaw added to the catalog is CVE-2022-22947, a code injection issue in the Spring Cloud Gateway library, an API gateway built on the popular Spring Framework, which allows a remote, unauthenticated attacker to achieve remote code execution. Separately, Microsoft researchers recently spotted a new variant of the Sysrv botnet that leverages bugs in the Spring Framework and WordPress plugins to infect Windows and Linux systems with cryptomining malware.
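As an added illustration (example code written for this digest, not Zyxel’s or Spring’s own code), the following Python shows the two bug classes behind these KEV entries side by side: a handler that pastes request data into a shell command line (the OS command injection class of CVE-2022-30525) and a route predicate handed straight to an interpreter (the expression injection class of CVE-2022-22947), each beside a hardened form. The handler names, request values and payloads are assumptions; the payloads only echo a marker or read the process ID, so the script is safe to run.

```python
"""Added example: the OS command injection and expression injection bug
classes discussed above, each beside a hardened form.  Generic illustration
only; not Zyxel's or Spring's code.  Handler names and payloads are assumed."""
import ast
import re
import subprocess

# --- 1. OS command injection ---------------------------------------------
# Assumed allow-list for a hostname-like setting (RFC 1123 characters only).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def set_banner_vulnerable(value: str) -> str:
    """Assumed CGI-style handler that builds a shell string from user input.
    /bin/sh parses the whole line, so "x; echo INJECTED" runs a second
    command with the web process's privileges ('nobody' in the Zyxel case)."""
    proc = subprocess.run(f"echo Banner: {value}", shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def set_banner_argv(value: str) -> str:
    """Half of the fix: pass argv as a list so no shell ever sees the value;
    the metacharacters become plain bytes inside a single argument."""
    proc = subprocess.run(["echo", "Banner:", value],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def set_banner_hardened(value: str) -> str:
    """Full fix: strict allow-list validation plus shell-free execution."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError("rejected: value is not a valid hostname")
    return set_banner_argv(value)


# --- 2. Expression (code) injection ---------------------------------------
def eval_predicate_vulnerable(expr: str, ctx: dict) -> object:
    """Assumed route-predicate evaluator that hands the string to eval().
    The interpreter evaluates anything the language can express, so the
    caller gets code execution rather than a boolean."""
    return eval(expr, {}, dict(ctx))


# Node types a predicate legitimately needs: literals, named context values,
# arithmetic and comparisons.  Calls, attribute access and imports are absent.
_ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.BinOp, ast.UnaryOp,
                  ast.Compare, ast.Constant, ast.Name, ast.Load,
                  ast.And, ast.Or, ast.Not, ast.Add, ast.Sub, ast.Mult,
                  ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)


def eval_predicate_hardened(expr: str, ctx: dict) -> object:
    """Parse first, refuse any syntax outside the allow-list and any name
    that is not a known context variable, then evaluate with the builtins
    removed so nothing outside the expression is reachable."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"rejected: {type(node).__name__} not allowed")
        if isinstance(node, ast.Name) and node.id not in ctx:
            raise ValueError(f"rejected: unknown variable {node.id!r}")
    code = compile(tree, "<predicate>", "eval")
    return eval(code, {"__builtins__": {}}, dict(ctx))


if __name__ == "__main__":
    payload = "x; echo INJECTED"  # constructed attacker input
    print("vulnerable:", repr(set_banner_vulnerable(payload)))
    print("argv only: ", repr(set_banner_argv(payload)))
    try:
        set_banner_hardened(payload)
    except ValueError as err:
        print("hardened:  ", err)

    expr_payload = "__import__('os').getpid()"  # constructed payload
    print("vulnerable eval ran code, pid =",
          eval_predicate_vulnerable(expr_payload, {}))
    try:
        eval_predicate_hardened(expr_payload, {})
    except ValueError as err:
        print("hardened:  ", err)
    print("legitimate predicate:",
          eval_predicate_hardened("status == 200 and method == 'GET'",
                                  {"status": 200, "method": "GET"}))
```

The two halves make the same point from different directions: in both cases the root cause is untrusted input reaching an interpreter (a shell, an expression language) that cannot tell data from code, and the fix is to keep the input out of the interpreter entirely (argv lists, a parsed and allow-listed syntax tree) rather than to blacklist characters.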
The US warns over risk of inadvertently hiring North Korean tech workers
Businesses and other organizations should beware of North Korean freelance IT workers who pose as non-North Korean nationals to gain employment with companies in North America, Europe, and East Asia, both to generate revenue for the DPRK’s authoritarian regime, including its military programs, and to gain access to corporate networks.
The warning comes from the US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation, which say that these workers “take advantage of existing demands for specific IT skills, such as software and mobile application development,” and in many cases represent themselves as US-based and/or non-North Korean workers.
The authorities noted that while North Korean IT workers usually don't engage in malicious cyber activities, they have been known to abuse their privileged access as contractors to enable cyber intrusions.
The joint advisory also provides red flag indicators for companies hiring freelance developers to identify DPRK IT workers, as well as general mitigation measures for organizations to better protect against inadvertently hiring or facilitating the operations of North Korean tech workers.