Warning: Cisco Reports Widespread VPN Hacking Attempts
This week, Cisco Talos published an advisory warning of a significant global increase in brute-force attacks targeting various VPN and SSH servers since mid-March.
The attacks, which originate from Tor exit nodes and other anonymizing proxies, attempt to gain unauthorized access to a range of services using common login credentials. If successful, they may lead to account lockouts or denial-of-service conditions.
Cisco has shared a list of known sources used in the attacks, as well as a list of affected vendors and recommendations for mitigation. The advisory emphasizes that the source IP addresses are likely to change, and the attacks are expected to continue escalating.
Bleeping Computer and Hacker News have more.
When we analyzed the National Vulnerability Database, we found that VPN vulnerabilities had increased by almost 50% last year and that Cisco had reported more vulnerabilities over the past 3 years than any other vendor.
And while this doesn’t necessarily mean their products are the least secure, it’s an important reminder to keep on top of vendors’ disclosures and regularly update your software.
If you’re concerned about these attacks, it’s worth reading this primer from the UK’s National Cyber Security Centre on securing your network’s perimeter.
Consumer VPN Updates
ExpressVPN has uncovered a nuanced issue with how DNS leaks are categorized and tested across the VPN industry, publishing this technical paper to help raise awareness.
IVPN also published the results of its annual security audit this week. The audit found two vulnerabilities, both of low severity, and two general issues, all of which have now been fixed.
Atlas VPN services will be closing next week, with all existing paid users being transferred to NordVPN. You can read more about the move here.
What We’ve Been Reading
The Register: Exploit code for Palo Alto Networks zero-day now public
Proof-of-concept (PoC) exploits for a critical vulnerability in Palo Alto Networks' PAN-OS have been made public. The vulnerability, which allows remote code execution through a combination of directory traversal and command injection, is expected to lead to mass exploitation.
Forbes: Gmail And YouTube Hackers Bypass Google’s 2FA Account Security
Hackers are taking over Google accounts like Gmail and YouTube despite users having two-factor authentication enabled, likely by hijacking session cookies, and then locking the legitimate users out while using the compromised accounts to promote cryptocurrency scams.
WIRED: The US Government Has a Microsoft Problem
The US government's reliance on Microsoft products and services, despite the company's repeated cybersecurity issues, has allowed foreign hackers to breach its systems. Microsoft's dominance and its essential role as a partner in cybersecurity initiatives have insulated it from serious accountability or consequences from the government, even as experts call for more oversight and diversification away from overreliance on a single technology vendor.
Forbes: FBI Issues New Warning If You Pay Highway Tolls Online Or By Phone
The FBI has issued a new warning about "smishing" scams targeting users with fraudulent texts claiming to represent road toll collection services, urging recipients to pay outstanding toll amounts via deceptive links. These scams exploit the simplicity and ubiquity of SMS communication, with the FBI advising public caution and verifying through official channels before responding to such messages.
The Register: Change Healthcare’s ransomware attack costs edge toward $1B so far
UnitedHealth has reported that the costs associated with a ransomware attack on Change Healthcare in February 2024 have so far reached $872 million, with total costs expected to potentially exceed $1 billion. This cyberattack, attributed to the ALPHV/BlackCat-affiliated criminals, has severely impacted hospitals and pharmacies across the U.S., leading to significant business disruption and repair costs.
The Hollywood Reporter: Roku Says 576K Accounts Compromised in Data Breach
Roku has reported a second data breach affecting 576,000 accounts, discovered during the investigation of a previous breach that compromised 15,000 accounts. The breach was caused by credential stuffing rather than direct hacking, and Roku has responded by resetting passwords, alerting affected users, and planning to implement two-factor authentication for all accounts.
Our Rights Online
The Guardian: The US isn’t just reauthorizing its surveillance laws – it’s vastly expanding them
The U.S. House of Representatives has approved a reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA). Critics, including Senator Ron Wyden and various civil liberties groups, argue this move will undermine free speech and drastically increase the government's ability to surveil Americans without meaningful safeguards.
Article 19: China: The rise of digital repression in the Indo-Pacific
Article 19's new report highlights China's expansion of its digital authoritarianism across the Indo-Pacific, revealing the nation's shift towards supporting smaller, technology-focused projects as part of its Belt and Road Initiative. The strategy risks internet freedom and the right to privacy in Cambodia, Malaysia, Nepal, and Thailand.
The Hacker News: Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users
Cybersecurity researchers have uncovered a renewed espionage campaign using the LightSpy iOS spyware, specifically targeting South Asian iPhone users, with enhanced capabilities for extensive spying including data theft and audio surveillance. The campaign, potentially linked to the Chinese nation-state group APT41, uses compromised news websites for distribution. With its ability to execute shell commands and extract sensitive information from infected devices, it poses a significant threat to privacy and security in the region.
Rest of World: 2024 AI Elections Tracker
Rest of World is tracking the use of artificial intelligence-generated content in elections across 50 countries, highlighting its role in spreading misinformation, confusion, and entertainment among voters. The initiative documents notable incidents, including fake endorsements and manipulated content, as part of a broader effort to understand AI's impact on global electoral processes in 2024.
404 Media: A Spy Site Is Scraping Discord and Selling Users’ Messages
An online service named Spy Pet is scraping and selling Discord users' messages and activities across thousands of servers, posing significant privacy concerns and highlighting the vulnerability of Discord messages to monitoring. Spy Pet, which claims to scrape over ten thousand servers and track more than 600 million users, is offering the data for various purposes, including AI model training and law enforcement assistance, for as little as $5.
Internet Society Pulse: Charting The Internet’s Dependence on Internet Exchange Points
Internet Exchange Points (IXPs) have become critical to the Internet's structure, allowing for direct connections between networks to minimize latency and costs. Research from IIJ Research Laboratory and the National Institute of Informatics in Japan reveals the significant role of IXPs in the Internet topology, with some acting as major international transit hubs impacting networks across countries, challenging the traditional notion that IXPs primarily serve to keep local traffic local.
Tools of The Week
hauditor: This tool evaluates the security headers of web pages to identify potentially dangerous configurations, such as those that could allow cross-site scripting (XSS) attacks. It features the ability to analyze multiple pages and domains, bypass web application firewalls (WAFs), and supports various options for specifying targets, proxies, and custom headers.
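As an added illustration of the kind of check a header-auditing tool performs (this is example code written for this newsletter, not hauditor's own code), the function below inspects one HTTP response's headers and flags configurations that weaken XSS and clickjacking defences; the header sets at the bottom are constructed samples.

```python
from typing import Dict, List


def _parse_csp(csp: str) -> Dict[str, List[str]]:
    """Turn "script-src 'self' https://a; object-src 'none'" into directive -> sources."""
    policy: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing dangerous was spotted."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    policy = _parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None

    if policy is None:
        findings.append("no Content-Security-Policy: inline scripts run unrestricted")
    else:
        # script-src falls back to default-src when it is absent
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            findings.append("CSP sets neither script-src nor default-src")
        # a nonce or hash makes browsers ignore 'unsafe-inline', so only flag it when neither is present
        if "'unsafe-inline'" in scripts and not any(s.startswith(("'nonce-", "'sha")) for s in scripts):
            findings.append("CSP allows 'unsafe-inline' scripts without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("CSP allows 'unsafe-eval'")
        if "*" in scripts or any(s in ("http:", "https:") for s in scripts):
            findings.append("CSP script-src permits scripts from any origin")
        if "object-src" not in policy and "default-src" not in policy:
            findings.append("CSP omits object-src: plugin content can be used for injection")
        if "base-uri" not in policy:
            findings.append("CSP omits base-uri: an injected <base> tag can redirect relative script URLs")

    if (policy is None or "frame-ancestors" not in policy) and "x-frame-options" not in h:
        findings.append("no framing restriction (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing may execute non-script responses")
    return findings


# Constructed sample header sets (not captured from any real site).
WEAK_HEADERS = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'", "Server": "demo"}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["OK"])
```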
AppTotal: AppTotal analyzes suspicious OAuth apps, browser extensions, and SaaS add-ons to detect harmful applications, risky permissions, and other security issues across various platforms. It assesses third-party apps, uncovers real publishers behind OAuth client IDs, analyzes app behaviors and leverages Canonic Security's sandboxing technology for dynamic risk assessment.
Malware Next-Generation Analysis: CISA's Malware Next-Generation Analysis platform offers automated malware analysis support, combining static and dynamic analysis tools in a secure environment to assist U.S. government agencies at all levels. This service is available to authorized users who register and consent to monitoring, providing analysis results in PDF and STIX 2.1 data formats.