Authentication hashes are stored and kept by operating systems. Really, they are just hashed values of passwords. It might be possible to brute force these, but oftentimes you would need some sort of privileged permissions in order to obtain them, so it is somewhat of a more difficult task.
Ferragens Negrão secures all of their company’s data with Safetica and is ready for data protection regulations. Safetica also helps control company hardware and the application of control rules for machines.
Ferragens Negrão, a Brazilian agricultural and construction equipment distributor, wanted to prepare for the new Brazilian General Data Protection Law (LGPD). Furthermore, the company needed to control their data and thus facilitate collaboration amongst employees. The company chose Safetica to accomplish these goals.
Safetica helped the company keep track of their employees, both in their home offices and at company workplaces, and facilitated compliance with LGPD.
Safetica’s management reports presented Ferragens Negrão with a comprehensive overview of their data security situation, thus giving them the tools they needed to make better business decisions. Safetica provided the company with the ability to create machine-control rules, monitor activities and restrict risky behavior.
Safetica helped the company to have a better control of our users, both on home office and internal, and facilitated the fulfilment of demands coming from LGPD. Because of the management reports, Ferragens Negrão gained overview of the data security situation that supports better decision-making. Safetica lets create machine-control rules, their overview and control.
Safetica gives us more control over our data – something that is very important for collaboration within our company.
Danilo Rafael de Lima Cabral, IT at Ferragens Negrão
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Safetica
Safetica is to provide small and mid-sized companies with the same quality data protection that corporations have – affordably, and without any additional IT administration or disruptions in operation.
Our research team has put together all of the most relevant news topics in the Ransomware and IoT security fields, as well as their impacts and their expert recommendations:
Description: A new malware loader, Bumblebee, is being used as a replacement for the BazarLoader and IcedID to deliver ransomware payloads. Phishing campaigns were observed in which threat actors used Bumblebee to drop shellcode and the Cobalt Strike, Sliver, and Meterpreter frameworks.
Attack Parameters: The campaigns are delivered via phishing emails containing a link to a malicious file. For persistence, the malware uses scheduled tasks and WMI execution.
Many similarities were found between the loader and TrickBot, including the web-inject module and the evasion technique.
Impact: As BazarLoader was used in attacks in the past, Bumblebee is likely to become a popular tool for ransomware groups.
Recommendations: Following are best practices recommendations to minimize the chances of being infected by ransomware:
SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
The SCADAfence Platform also detects scheduled tasks and WMI process creation, as well as the use of Cobalt Strike and Meterpreter.
Description: Lapsus$ group breached T-Mobile’s network using stolen VPN credentials and gained access to internal systems. The stolen credentials, found on illicit platforms, allowed the attackers to access the company’s internal tools, which allowed them to conduct sim-swapping attacks.
The credentials used in the hack were disabled after discovering the breach.
Attack Parameters: Lapsus$ compromises systems to steal source code, customer lists, databases, and other valuable data, then attempts to extort the victim with ransom demands that threaten to publicly leak the data. They primarily focus on obtaining compromised credentials for initial access using the following methods:
Impact: No sensitive customer data was stolen.
Recommendations: Following are best practices recommendations:
SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
RDP connections can be tracked with the User Activity Analyzer.
SCADAfence Platform – User Activity Analyzer
Description: A new ransomware operation, Black Basta, uses a double-extortion scheme, where the threat actors demand a ransom to receive a decryptor and prevent the publishing of the victim’s stolen data.
Targets: Among the operation’s victims are the American Dental Association (ADA) and the German wind turbine giant Deutsche Windtechnik.
Attack Parameters: The malware requires administrator privileges to work, and hijacks the Windows Fax service for persistence on the infected systems. Similarities were found between Black Basta and Conti.
Impact: The ADA took affected systems offline, which disrupted various online services, telephones, email, and webchat.
Deutsche Windtechnik switched off the remote data monitoring connections to the wind turbines, but claimed the wind turbines did not suffer any damage.
Recommendations: Following are best practices recommendations:
SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
Description: Stormous gang claimed it has successfully breached some of Coca-Cola’s servers and stole over 160GB of data. There is no indication that Stormous deployed file-encrypting malware on their victims’ networks, making them closer to a data extortion group, than a ransomware group.
Attack Parameters: The group works with the tactic of double extortion, which is encryption and data theft. The stolen files are leaked if the victim does not pay the ransom.
Impact: Among the files listed, there are compressed documents, text files with admin, emails, and passwords, account and payment ZIP archives, and other types of sensitive information.
Recommendation: Following are best practices recommendations:
SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
Title: DNS Vulnerability in uClibc IoT Library (CVE-2022-30295)
Description: A new vulnerability affecting the DNS implementation of all versions of uClibc and uClibc-ng (CVE-2022-30295). This could allow an attacker to mount DNS poisoning attacks against IoT devices and routers to potentially take control of them.
Affected vendors: Both uClibc and uClibc-ng are widely used by vendors such as Netgear, Axis, and Linksys, as well as Linux distributions.
Attack Parameters: The vulnerability is caused by the predictability of transaction IDs included in the DNS requests, which may allow attackers to perform DNS poisoning attacks.
Impact: Successful exploitation could allow an attacker to alter or intercept network traffic to compromise connected devices.
This vulnerability has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP.
Recommendations: An official patch or workarounds have not yet been released.
SCADAfence Coverage: The SCADAfence Platform detects new connections, connections to and from external devices, and connections to and from the Internet. The platform also detects suspicious behavior based on IP reputation, hash reputation, and domain reputation.
DNS connections can be tracked with User Activity Analyzer.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
